Network Security Topologies - PowerPoint PPT Presentation

Provided by: anned158
Slides: 36

Transcript and Presenter's Notes


1
Network Security Topologies
  • Chapter 11

2
Learning Objectives
  • Identify the place and role of the demilitarized
    zone (DMZ)
  • Explain NAT and PAT
  • Explain the use of tunneling in network security
  • Describe the security features of VLANs
  • Explain the importance of network perimeters to an
    organization's security policies

3
Perimeter Security Topologies
  • Any network that is connected (directly or
    indirectly) to your organization but is not
    controlled by your organization represents a
    risk.
  • Firewalls deployed on the network edge enforce
    security policies and create choke points on
    network perimeters.
  • Perimeter topologies include demilitarized zones
    (DMZs), extranets, and intranets.

continued
4
Perimeter Security Topologies
  • The firewall must be the gateway for all
    communications between trusted networks and
    untrusted or unknown networks.
  • The firewall should selectively admit or deny
    data flows from other networks based on several
    criteria:
  • Type (protocol and port)
  • Source address
  • Destination address
  • Content

5
Three-tiered Architecture
  • Outermost perimeter
  • A router separates your network from the ISP's
    network
  • Marks the separation point between assets you
    control and those you do not
  • Least secure area of the network infrastructure
  • Normally reserved for routers, firewalls, and
    public Internet servers (HTTP, FTP, Gopher)
  • Not for sensitive company information that is
    for internal use only

6
Three-tiered Architecture
  • Outermost perimeter
  • Internal perimeters
  • Represent additional boundaries where further
    security measures are in place
  • Multiple internal perimeters are defined relative
    to a particular asset, such as the internal
    perimeter just inside the firewall
  • Innermost perimeter: the boundary closest to the
    most sensitive assets

7
Network Classifications
  • When a network manager creates a network security
    policy, each network that makes up the topology
    must be classified as one of three types of
    network:
  • Trusted
  • Semi-trusted
  • Untrusted

8
Trusted Networks
  • When you set up the firewall, you explicitly
    identify the type of each network by the network
    adapter (interface) it is attached to. After the
    initial configuration, the trusted networks
    include the firewall and all networks behind it.
  • VPNs are an exception: traffic arriving over a
    VPN comes from outside the perimeter, so the
    firewall needs security mechanisms (authentication
    of origin, data integrity protection) that let it
    treat that traffic according to the same security
    principles enforced on your trusted networks.

9
Semi-Trusted Networks
  • Allow access to some database materials and
    e-mail
  • May include DNS, proxy, and modem (dial-in)
    servers
  • Not for confidential or proprietary information
  • Referred to as the demilitarized zone (DMZ)

10
Untrusted Networks
  • Outside your security perimeter and control;
    however, you may still need and want to
    communicate with these networks.
  • When you set up the firewall, you explicitly
    identify the untrusted networks from which the
    firewall can accept requests.

11
Unknown Networks
  • Unknown networks are those that have not been
    explicitly identified to the firewall as either
    trusted or untrusted
  • By default, every network that is not trusted is
    treated as an unknown network
  • You can identify specific unknown networks below
    the Internet node and apply more specialized
    policies to them as untrusted networks

12
Two Perimeter Networks
  • Positioning your firewall between an internal and
    an external router provides little additional
    protection against attacks from either side, but
    the external router can discard obviously
    unwanted traffic first, which greatly reduces
    the amount of traffic the firewall must evaluate
    and can improve its performance.

13
Creating and Developing Your Security Design
  • Know your enemy
  • Security measures can't stop all unauthorized
    actions; they can only make them harder.
  • The goal is to make sure that the security
    controls are beyond the attacker's ability or
    motivation.
  • Know the costs and weigh those costs against the
    potential benefits.
  • Identify assumptions. For example, you might
    assume that your network is not tapped, that
    attackers know less than you do, that they are
    using standard software, or that a locked room is
    safe. Each such assumption is a potential blind
    spot.

14
Creating and Developing Your Security Design
  • Control secrets: what knowledge would enable
    someone to circumvent your system?
  • Know your weaknesses and how they can be exploited
  • Limit the scope of access: create appropriate
    barriers in your system so that if intruders
    access one part of the system, they do not
    automatically have access to the rest of it.
  • Understand your environment: auditing tools can
    help you detect unusual events.
  • Limit your trust in people, software, and hardware

15
DMZ
  • Used by a company to host its own Internet
    services without exposing its private network to
    unauthorized access
  • Sits between the Internet and the internal
    network's line of defense, usually some
    combination of firewalls and bastion hosts
  • Traffic originating from it should be filtered

continued
16
DMZ
  • Typically contains devices accessible to Internet
    traffic:
  • Web (HTTP) servers
  • FTP servers
  • SMTP (e-mail) servers
  • DNS servers
  • An optional, more secure alternative to a simple
    firewall is to add a proxy server

17
DMZ Design Goals
  • Minimize the scope of damage
  • Protect sensitive data on the server
  • Detect the compromise as soon as possible
  • Minimize the effect of the compromise on other
    organizations
  • The bastion host must not be able to initiate a
    session back into the private network; the
    firewall forwards only packets that belong to
    sessions already requested from inside.

18
DMZ Design Goals
  • A useful mechanism for meeting these goals is to
    also filter traffic initiated from the DMZ
    network toward the Internet. This impairs an
    attacker's ability to make a vulnerable host
    communicate with the attacker's host, which can
  • keep the vulnerable host from being exploited
    altogether, and
  • keep a compromised host from being used as a
    traffic-generating agent in distributed
    denial-of-service attacks.
  • The key is to limit traffic to only what is
    needed and to drop what is not required, even if
    the traffic is not a direct threat to your
    internal network.

19
DMZ Design Goals
  • Filtering DMZ traffic should also identify
  • traffic arriving on the DMZ interface of the
    firewall or router that carries a source IP
    address outside the DMZ network number (spoofed
    traffic).
  • Such traffic should be dropped, and the firewall
    or router should be configured to generate a log
    message or rule alert to notify the
    administrator.
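The DMZ rules on slides 17 through 19 (no sessions initiated from the DMZ into the private network, egress from the DMZ limited to what the service needs, and spoofed sources on the DMZ interface dropped and alerted) can be expressed as one small zone-based policy. The following is an added example written for this transcript, not code from the presentation; the subnets (192.0.2.0/24 for the DMZ, 10.0.0.0/8 inside), the interface names and the allowed ports are assumptions chosen for illustration, and the packets are constructed.

```python
"""Added example (not from the presentation): a minimal zone-based packet
policy for the DMZ rules on slides 17-19. The interfaces, subnets and port
numbers below are assumptions chosen for illustration."""
import ipaddress
from dataclasses import dataclass, field

# Constructed addressing: DMZ on 192.0.2.0/24, internal LAN on 10.0.0.0/8;
# anything else is treated as the Internet ("outside").
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "inside": ipaddress.ip_network("10.0.0.0/8"),
}
# Outbound services a DMZ host legitimately needs (assumption): DNS and SMTP.
DMZ_EGRESS_ALLOWED = {("udp", 53), ("tcp", 53), ("tcp", 25)}
# Services published to the Internet on DMZ hosts (assumption).
PUBLISHED_PORTS = {("tcp", 80), ("tcp", 443)}


@dataclass
class Packet:
    iface: str   # interface the packet arrived on: "outside", "dmz" or "inside"
    proto: str   # "tcp" or "udp"
    src: str
    dst: str
    sport: int
    dport: int


@dataclass
class Firewall:
    # 5-tuples of flows already permitted; replies are matched against these
    established: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    @staticmethod
    def zone_of(ip):
        addr = ipaddress.ip_address(ip)
        for name, net in ZONES.items():
            if addr in net:
                return name
        return "outside"

    def _is_reply(self, p):
        # A reply carries the reverse 5-tuple of a flow we previously allowed
        return (p.proto, p.dst, p.dport, p.src, p.sport) in self.established

    def evaluate(self, p):
        # Slide 19: a packet on the DMZ interface must carry a DMZ source
        # address; anything else is spoofed, so drop it and raise an alert.
        if p.iface == "dmz" and self.zone_of(p.src) != "dmz":
            self.alerts.append(f"spoofed source {p.src} on dmz interface")
            return "drop"
        if self._is_reply(p):
            return "allow"   # return traffic for a session already permitted
        if p.iface == "dmz":
            # Slide 17: DMZ hosts never initiate sessions into the private network
            if self.zone_of(p.dst) == "inside":
                return "drop"
            # Slide 18: DMZ-to-Internet traffic limited to what the service needs
            if (p.proto, p.dport) not in DMZ_EGRESS_ALLOWED:
                return "drop"
        elif p.iface == "outside":
            # The Internet may reach only the published ports on DMZ hosts
            if self.zone_of(p.dst) != "dmz" or (p.proto, p.dport) not in PUBLISHED_PORTS:
                return "drop"
        # Permitted: remember the flow so that its replies are accepted
        self.established.add((p.proto, p.src, p.sport, p.dst, p.dport))
        return "allow"


def demo():
    """Run constructed packets through the policy and return each verdict."""
    fw = Firewall()
    r = {}
    # Internet client opens HTTPS to the DMZ web server: allowed
    r["web_in"] = fw.evaluate(Packet("outside", "tcp", "198.51.100.7", "192.0.2.10", 40000, 443))
    # The web server's reply: allowed, the forward flow is established
    r["web_reply"] = fw.evaluate(Packet("dmz", "tcp", "192.0.2.10", "198.51.100.7", 443, 40000))
    # Compromised web server tries to reach an internal database: dropped
    r["dmz_to_inside"] = fw.evaluate(Packet("dmz", "tcp", "192.0.2.10", "10.1.1.5", 51000, 1433))
    # Web server tries to call out to an arbitrary port on the Internet: dropped
    r["dmz_callback"] = fw.evaluate(Packet("dmz", "tcp", "192.0.2.10", "203.0.113.9", 51001, 4444))
    # Web server resolving a name via an outside DNS server: allowed
    r["dmz_dns"] = fw.evaluate(Packet("dmz", "udp", "192.0.2.10", "203.0.113.53", 51002, 53))
    # Packet on the DMZ interface claiming an internal source: spoofed
    r["spoof"] = fw.evaluate(Packet("dmz", "tcp", "10.1.1.5", "10.1.1.6", 1000, 445))
    r["alerts"] = list(fw.alerts)
    return r


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name}: {verdict}")
```

The order of checks matters: the anti-spoofing test runs before the established-flow lookup, so a forged packet can never ride on a legitimate session's state, and the egress whitelist is evaluated even though the "dmz_callback" packet is no threat to the internal network, which is exactly the point slide 18 makes.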

21
Intranet
  • Typically the collection of all LANs inside the
    firewall (the campus network)
  • Either a network topology or an application
    (usually a Web portal) used as a single point of
    access to deliver services to employees
  • Shares company information and computing
    resources among employees
  • Allows access to the public Internet through
    firewalls that screen communications in both
    directions to maintain company security

22
Extranet
  • A private network that uses the Internet protocol
    and the public telecommunication system to
    provide various levels of accessibility to
    outsiders
  • Requires security and privacy:
  • Firewall management
  • Issuance and use of digital certificates or other
    user authentication
  • Encryption of messages
  • Use of VPNs that tunnel through the public network

23
Extranet
  • Companies can use an extranet to:
  • Exchange large volumes of data
  • Share product catalogs exclusively with
    wholesalers or those in the trade
  • Collaborate with other companies on joint
    development efforts
  • Jointly develop and use training programs with
    other companies
  • Provide or access services provided by one
    company to a group of other companies, such as an
    online banking application managed by one company
    on behalf of affiliated banks
  • Share news of common interest exclusively with
    partner companies

24
Network Address Translation (NAT)
  • An IETF-defined mechanism (RFC 3022) that enables
    a LAN to use one set of IP addresses for internal
    traffic and a second set for external traffic
  • Provides a limited form of firewalling by hiding
    internal IP addresses from outside hosts
  • Enables a company to use more internal IP
    addresses than it has public addresses

25
NAT
  • Most often used to map IPs from the non-routable
    private address spaces defined by RFC 1918, for
    hosts that either do not require external access
    or require only limited access to outside
    services
  • Class A block: 10.0.0.0 - 10.255.255.255
    (10.0.0.0/8)
  • Class B block: 172.16.0.0 - 172.31.255.255
    (172.16.0.0/12)
  • Class C block: 192.168.0.0 - 192.168.255.255
    (192.168.0.0/16)

26
NAT
  • Two forms: static NAT and dynamic NAT
  • Static NAT maps each private address to a fixed
    public address, one to one.
  • Dynamic NAT allocates public addresses from a pool
    as hosts need them. It is more complex because
    state must be maintained, and connections must be
    rejected when the pool is exhausted.
  • Unlike static NAT, dynamic NAT enables address
    reuse, reducing the demand for registered public
    addresses.

27
PAT
  • Port Address Translation (PAT), also called NAT
    overload or NAPT
  • A variation of dynamic NAT
  • Allows many hosts to share a single public IP
    address by multiplexing streams differentiated by
    TCP/UDP port numbers
  • Suppose private hosts 192.168.0.2 and 192.168.0.3
    both send packets from source port 1108. A PAT
    router might translate these to a single public
    IP address, 206.245.160.1, and two different
    source ports, say 61001 and 61002.
  • Because PAT maps individual ports, incoming
    connections to other ports cannot be "reverse
    mapped" to an inside host unless a separate
    static (port-forwarding) table is configured

28
PAT and NAT
  • In some cases, static NAT, dynamic NAT, PAT, and
    even bidirectional NAT or PAT may be used
    together.
  • Web servers that live in public address space can
    be reached from the Internet without NAT.
  • Because a Simple Mail Transfer Protocol (SMTP)
    server must be continuously reachable at a public
    address associated with a DNS entry, the mail
    server requires a static mapping (either a
    limited-purpose virtual server table or static
    NAT).
  • For most clients, public address sharing is
    practical through dynamically acquired addresses
    (either dynamic NAT with a correctly sized
    address pool, or PAT).
  • Applications that hold onto dynamically acquired
    addresses for long periods can exhaust a dynamic
    NAT address pool and block access by other
    clients. PAT avoids this because it offers far
    higher concurrency (thousands of port mappings
    per IP address).
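Slides 26 through 28 describe three behaviours that are easiest to see side by side: PAT handing out distinct public ports to two hosts that use the same source port, the lack of a reverse mapping for unsolicited inbound traffic unless a static entry exists, and pool exhaustion in dynamic NAT. The following is an added example written for this transcript, not code from the presentation. It reuses the slide's public address 206.245.160.1 and source port 1108; the four-port translation range, the two-address dynamic pool, the static SMTP entry and the inside hosts are assumptions, kept deliberately small so that exhaustion shows up.

```python
"""Added example (not from the presentation): a PAT translation table next to
a dynamic-NAT address pool, illustrating slides 26-28. The public addresses,
port range and inside hosts are assumptions; the range is kept tiny so that
exhaustion is visible."""
from dataclasses import dataclass, field

PUBLIC_IP = "206.245.160.1"            # the slide's example public address
PORT_RANGE = range(61001, 61005)       # four translation ports (assumption)


@dataclass
class PAT:
    """Many inside hosts share PUBLIC_IP; flows are told apart by public port."""
    outbound: dict = field(default_factory=dict)  # (proto, in_ip, in_port) -> pub_port
    inbound: dict = field(default_factory=dict)   # (proto, pub_port) -> (in_ip, in_port)
    static: dict = field(default_factory=dict)    # published services, fixed entries
    free_ports: list = field(default_factory=lambda: list(PORT_RANGE))

    def translate_out(self, proto, in_ip, in_port):
        """Rewrite an inside source to (PUBLIC_IP, unique port); None when exhausted."""
        key = (proto, in_ip, in_port)
        if key not in self.outbound:
            if not self.free_ports:
                return None            # no port left: the connection must be rejected
            pub_port = self.free_ports.pop(0)
            self.outbound[key] = pub_port
            self.inbound[(proto, pub_port)] = (in_ip, in_port)
        return (PUBLIC_IP, self.outbound[key])

    def translate_in(self, proto, pub_port):
        """Reverse-map an inbound packet; ports without an entry cannot be delivered."""
        if (proto, pub_port) in self.static:
            return self.static[(proto, pub_port)]
        return self.inbound.get((proto, pub_port))

    def release(self, proto, in_ip, in_port):
        """Tear down a mapping when its session ends, returning the port to the pool."""
        pub_port = self.outbound.pop((proto, in_ip, in_port), None)
        if pub_port is not None:
            del self.inbound[(proto, pub_port)]
            self.free_ports.append(pub_port)


class DynamicNAT:
    """One public address per active inside host; the pool size is the limit."""

    def __init__(self, pool):
        self.free = list(pool)
        self.assigned = {}

    def translate_out(self, in_ip):
        if in_ip not in self.assigned:
            if not self.free:
                return None            # pool exhausted: reject the connection
            self.assigned[in_ip] = self.free.pop(0)
        return self.assigned[in_ip]


def demo():
    """Exercise both translators on constructed flows and return the outcomes."""
    pat = PAT()
    # Slide 28: the mail server needs a fixed, DNS-advertised mapping
    pat.static[("tcp", 25)] = ("192.168.0.25", 25)
    out = {}
    # Slide 27: two hosts both using source port 1108 receive distinct public ports
    out["a"] = pat.translate_out("tcp", "192.168.0.2", 1108)
    out["b"] = pat.translate_out("tcp", "192.168.0.3", 1108)
    out["a_again"] = pat.translate_out("tcp", "192.168.0.2", 1108)  # same flow, same entry
    out["reply_to_a"] = pat.translate_in("tcp", out["a"][1])
    out["unsolicited"] = pat.translate_in("tcp", 8080)   # no entry: cannot reverse-map
    out["smtp"] = pat.translate_in("tcp", 25)             # static entry answers
    # Use up the remaining ports, then one more flow is refused
    pat.translate_out("tcp", "192.168.0.4", 5000)
    pat.translate_out("tcp", "192.168.0.5", 5000)
    out["pat_exhausted"] = pat.translate_out("tcp", "192.168.0.6", 9999)
    # Releasing a mapping frees its port for the next flow
    pat.release("tcp", "192.168.0.4", 5000)
    out["after_release"] = pat.translate_out("tcp", "192.168.0.6", 9999)
    # Dynamic NAT with a two-address pool: a third long-lived client is blocked
    nat = DynamicNAT(["206.245.160.2", "206.245.160.3"])
    nat.translate_out("192.168.0.2")
    nat.translate_out("192.168.0.3")
    out["nat_exhausted"] = nat.translate_out("192.168.0.4")
    return out


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Real implementations keep separate port spaces per protocol and expire idle mappings on a timer rather than waiting for an explicit release; the single shared range here is a simplification so the exhaustion case fits in a few lines.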

29
Tunneling
  • Enables a network to send its data securely
    through untrusted or shared network
    infrastructure
  • Encrypts and encapsulates one network protocol
    within packets carried by a second network
  • Replacing dedicated WAN links because of its
    security and low cost
  • An option for most IP connectivity requirements

30
Example of a Tunnel
  • A router with Internet Protocol Security (IPsec)
    encryption capabilities is deployed as a gateway
    on each LAN's Internet connection.
  • The routers are configured for a point-to-point
    VPN tunnel, which uses encryption to build a
    virtual connection between the two offices.
  • When a router sees traffic on its LAN that is
    destined for the VPN, it contacts the other side
    and negotiates the tunnel (key exchange and
    agreement on algorithms).
  • Once the two routers have negotiated a secure
    encrypted connection, traffic from the
    originating host is encrypted using the
    agreed-upon settings and sent to the peer router,
    which decrypts it and forwards it onto the remote
    LAN.

31
Virtual Local Area Networks (VLANs)
  • Deployed using network switches
  • Used throughout networks to segment hosts from
    each other at layer 2
  • Often coupled with a trunk, which allows switches
    to share many VLANs over a single physical link

32
Benefits of VLANs
  • Network flexibility
  • Scalability
  • Increased performance
  • Some security features

33
Security Features of VLANs
  • Can be configured to group together users on the
    same team, regardless of their physical location
  • Offer some protection when sniffers are inserted,
    because a sniffer sees only traffic in its own
    VLAN
  • Protect unused switch ports by moving them all to
    a separate, unrouted VLAN
  • Use an air gap to separate trusted from untrusted
    networks:
  • Do not allow the same switch or network of
    switches to provide connectivity to networks
    segregated by firewalls.
  • A switch that has direct connections to untrusted
    networks (the Internet) or semi-trusted networks
    (DMZs) should never be used to carry trusted
    network segments as well.

34
Vulnerabilities of VLAN Trunks
  • Traffic between switches on a trunk does not pass
    through the router, so it is not subject to packet
    filtering.
  • Trunk autonegotiation (DTP) is on by default, so a
    device on an access port may be able to negotiate
    itself into a trunk.
  • Prevention: disable autonegotiation on all ports
    and allow trunk traffic only on designated trunk
    ports.
  • By default, trunk links are permitted to carry
    traffic from all VLANs.
  • Prevention: manually configure each trunk link
    with the VLANs that are permitted to traverse it
    (pruning).
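The two preventions on slide 34 come down to two settings on each trunk port: autonegotiation off, and an explicit allowed-VLAN list instead of the all-VLANs default. The following is an added example written for this transcript, not code from the presentation; it parses 802.1Q-tagged Ethernet frames, applies a per-trunk allowed-VLAN list (pruning), and audits a port for the two insecure defaults. The VLAN numbers, the native VLAN of 1, the dummy MAC addresses and the frames are all constructed for illustration.

```python
"""Added example (not from the presentation): parse 802.1Q-tagged Ethernet
frames and enforce a per-trunk allowed-VLAN list, the pruning recommended on
slide 34, with a small audit of the two default settings the slide calls out.
The VLAN numbers, MAC addresses and frames are constructed for illustration."""
import struct

TPID_8021Q = 0x8100
ALL_VLANS = frozenset(range(1, 4095))
NATIVE_VLAN = 1   # untagged frames on a trunk belong to the native VLAN (assumption)


def parse_frame(frame: bytes):
    """Return (vlan_id, ethertype, payload); vlan_id is None for an untagged frame."""
    if len(frame) < 14:
        raise ValueError("runt frame")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != TPID_8021Q:
        return None, ethertype, frame[14:]
    if len(frame) < 18:
        raise ValueError("truncated 802.1Q tag")
    tci, inner_type = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, inner_type, frame[18:]     # low 12 bits of the TCI are the VID


def build_frame(vlan_id, payload=b"\x00" * 46, ethertype=0x0800):
    """Construct a tagged (or, for vlan_id None, untagged) frame with dummy MACs."""
    header = b"\x02\x00\x00\x00\x00\x01" + b"\x02\x00\x00\x00\x00\x02"
    if vlan_id is None:
        return header + struct.pack("!H", ethertype) + payload
    return header + struct.pack("!HHH", TPID_8021Q, vlan_id & 0x0FFF, ethertype) + payload


class TrunkPort:
    def __init__(self, allowed_vlans, autonegotiate=False):
        self.allowed = frozenset(allowed_vlans)
        self.autonegotiate = autonegotiate   # trunk negotiation (DTP) state
        self.dropped = []

    def ingress(self, frame):
        """Return the VLAN the frame is forwarded in, or None if pruned off this trunk."""
        vid, _, _ = parse_frame(frame)
        if vid is None:
            vid = NATIVE_VLAN
        if vid not in self.allowed:
            self.dropped.append(vid)
            return None
        return vid


def audit(port):
    """Flag the two insecure defaults from slide 34."""
    findings = []
    if port.autonegotiate:
        findings.append("trunk autonegotiation enabled; set the port to trunk statically")
    if port.allowed == ALL_VLANS:
        findings.append("trunk carries every VLAN; prune to the VLANs this link needs")
    return findings


def demo():
    default_trunk = TrunkPort(ALL_VLANS, autonegotiate=True)   # factory-default behaviour
    pruned_trunk = TrunkPort({10, 20})                         # only the VLANs this link needs
    frames = [build_frame(10), build_frame(20), build_frame(30), build_frame(None)]
    return {
        "default_forwarded": [default_trunk.ingress(f) for f in frames],
        "pruned_forwarded": [pruned_trunk.ingress(f) for f in frames],
        "pruned_dropped": list(pruned_trunk.dropped),
        "default_findings": audit(default_trunk),
        "pruned_findings": audit(pruned_trunk),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Note that the untagged frame is forwarded in VLAN 1 on the default trunk but dropped on the pruned one, since VLAN 1 is not in its allowed list; in practice the native VLAN should itself be an unused VLAN that is never assigned to access ports.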

35
Chapter Summary
  • Technologies used to create network topologies
    that secure data and networked resources:
  • Perimeter networks
  • Network address translation (NAT)
  • Virtual local area networks (VLANs)