
Page 1: 11 SECURING YOUR NETWORK PERIMETER Chapter 10. Chapter 10: SECURING YOUR NETWORK PERIMETER2 CHAPTER OBJECTIVES  Establish secure topologies.  Secure


SECURING YOUR NETWORK PERIMETER

Chapter 10


Chapter 10: SECURING YOUR NETWORK PERIMETER 2

CHAPTER OBJECTIVES

Establish secure topologies.

Secure network perimeters.

Implement firewalls.


SECURING YOUR NETWORK PERIMETER

Secure the network perimeter, not just individual components.

Secure connections between components.

Use security zones.

Manage network traffic between security zones.

The most important zone or boundary is the Internet.

Firewalls are boundary control devices.


ESTABLISHING SECURE TOPOLOGIES

Secure topology is a network design.

Group devices in security zones.

Segregate network traffic.

Control the information flow.


SECURITY ZONES

Security zones group assets with similar security requirements.

They segregate mission critical systems.

Access control mechanisms define what access is allowed between zones.

Security zones reduce the attack surface of network resources.

Security zones focus your attention on possible threats and vulnerabilities.


VIRTUAL LOCAL AREA NETWORKS (VLANS)

Used to segment a network into smaller subnetworks

Used to create security zones

Are virtual subnets

Are created by using switches

Are supported by routers


VIRTUAL LOCAL AREA NETWORKS (VLANS) (CONT.)

Restrict broadcast traffic

Are flexible and scalable

Hide the physical configuration of the network

Need secure and physically protected switches


SECURING NETWORK PERIMETERS

Establish boundaries between security zones.

Separate the private network from the Internet.

Define allowed traffic that can cross the perimeter.

Use routers and firewalls to control perimeter traffic.

Filter for malicious code.

Monitor for intrusion activities.


ESTABLISHING NETWORK SECURITY ZONES

Place firewalls between internal and external networks.

Use multiple firewalls if you need to create multiple layers of protection.

Put Internet-accessible resources in separate network segments.

The segment between firewalls is called a perimeter network, demilitarized zone (DMZ), or screened subnet.


COMMON SECURITY ZONES

Intranet

Perimeter network

Extranet

Internet


CONFIGURATION OF SECURITY ZONES


INTRANET

Is the primary and most sensitive security zone of an organization

Is also known as an internal network, private network, or LAN

Contains all private internal resources

Is considered a trusted network

Is vulnerable to internal attackers


SECURING AN INTRANET

Deploy firewalls against all other networks.

Install and update antivirus solutions.

Audit and monitor online activity.

Secure systems hosting confidential data.

Manage the security of the physical infrastructure.


SECURING AN INTRANET (CONT.)

Check for unauthorized devices.

Restrict access to critical systems.

Control physical access.

Remove all unnecessary services from server systems.


PERIMETER NETWORK

Grant controlled access to public resources

Prevent external traffic from entering intranet

Are also called DMZs or screened subnets

Are used to provide a buffer between the private trusted network and the Internet or untrusted network segments


SECURING A PERIMETER NETWORK

Use firewalls to provide protection from external untrusted networks.

Remove all unnecessary services.

Audit all online activity.

Separate name resolution services.

Remove or restrict remote management services.

Carefully document and audit all physical and logical configurations.

Frequently back up data and configurations.


EXTRANET

Is used for partner access to controlled resources

Is used to share information between members of multiple organizations

Requires authenticated external connections

Is often directly accessible from the Internet

Might use virtual private networks (VPNs)


METHODS OF EXTRANET ACCESS


SECURING AN EXTRANET

Use firewalls to provide protection from the external network.

Authenticate all access.

Remove all unnecessary services.

Audit all network and service access.


PERIMETER NETWORK TYPES

Perimeter networks are established by means of firewalls.

Firewalls manage traffic across the boundaries of different security zones.

There are two common perimeter network designs:

Three-pronged design

Back-to-back design


THREE-PRONGED PERIMETER NETWORK DESIGN

Uses a single firewall

Connects the Internet, an intranet, and a perimeter network

Can be a single point of failure


THREE-PRONGED PERIMETER NETWORK


BACK-TO-BACK PERIMETER NETWORK DESIGN

Uses two firewalls

Is also called a buffer network or screened subnet

Has no single point of failure

Supports more restrictive security rules

Increases the security of the intranet

Provides defense-in-depth protection


BACK-TO-BACK PERIMETER NETWORK


USING AN N-TIER ARCHITECTURE

An n-tier architecture provides multiple tiers of security zones.

Each tier supports a portion of a business operation.

Traffic is controlled between each tier.

Compromise of one tier does not imply complete failure.


A 3-TIER NETWORK DESIGN


BASTION HOSTS

A bastion host is a single host that provides all externally accessible services.

A single firewall routes external traffic to the bastion host.

All access is tightly controlled and monitored.

This is the least secure network design.


A BASTION HOST DESIGN


NETWORK PERIMETER SECURITY AND TRAFFIC CONTROL

Block all traffic by default.

Define exceptions for authorized traffic.

Allow only required network traffic.

Don't trust all outgoing traffic by default.

Inspect blocked traffic and track down the source.


FIREWALL FUNCTIONS

Protect a network from malicious hackers and software

Block external threats

Filter inbound and outbound traffic

Separate private networks from the Internet

Separate subnets or individual systems


FIREWALL TYPES

Packet filtering

Application filtering

Circuit-level inspection

Stateful inspection

Content inspection

Proxy server functionality


USING PACKET FILTERING

A packet filtering firewall inspects the header of each packet.

The firewall forwards or drops each packet based on rules.

Packet filter rules focus on inbound or outbound packets.

Packet filter rules judge source or destination address, other header field content, or packet size.

Most firewalls and routers can perform packet filtering.


COMMON FILTER-FOCUSED HEADER FIELDS

Source IP Address

Destination IP Address

IP Protocol ID

Source TCP or UDP Port Number

Destination TCP or UDP Port Number


COMMON FILTER-FOCUSED HEADER FIELDS (CONT.)

Protocol and Port Numbers

ICMP Message Type

Fragmentation Flags

IP Options
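The packet-filter behaviour described above (header-only matching, first-match rule evaluation, deny when nothing matches), as an added worked example that is not code from the slides. The Packet and Rule classes, the intranet range 10.0.0.0/8 and the DMZ web server 203.0.113.10 are constructed for the example; the misordered copy of the rule set shows why rule execution order must be managed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Constructed packet: only the header fields a packet filter judges.
@dataclass(frozen=True)
class Packet:
    src: str                         # source IP address
    dst: str                         # destination IP address
    proto: str                       # IP protocol: "tcp", "udp" or "icmp"
    dport: Optional[int] = None      # destination TCP/UDP port
    icmp_type: Optional[int] = None  # ICMP message type
    fragment: bool = False           # non-first IP fragment (no transport header visible)

@dataclass(frozen=True)
class Rule:
    action: str                      # "allow" or "deny"
    src: str = "0.0.0.0/0"           # source network; /0 matches any address
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None      # None matches any protocol
    dport: Optional[int] = None
    icmp_type: Optional[int] = None
    fragment: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.proto is None or p.proto == self.proto)
                and (self.dport is None or p.dport == self.dport)
                and (self.icmp_type is None or p.icmp_type == self.icmp_type)
                and (self.fragment is None or p.fragment == self.fragment))

def filter_packet(rules: List[Rule], p: Packet) -> Tuple[str, Optional[int]]:
    """First matching rule wins; a packet no rule matches hits the implicit final deny."""
    for i, r in enumerate(rules):
        if r.matches(p):
            return r.action, i
    return "deny", None

# Constructed rule set for the Internet-facing interface of a three-pronged firewall:
# the intranet is 10.0.0.0/8 and the public web server sits in the DMZ at 203.0.113.10.
INBOUND_RULES = [
    Rule("deny", src="10.0.0.0/8"),   # anti-spoofing: intranet addresses never arrive from outside
    Rule("deny", fragment=True),      # ports of a non-first fragment cannot be checked, so drop it
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("allow", dst="203.0.113.10/32", proto="tcp", dport=80),
    Rule("allow", proto="icmp", icmp_type=3),   # destination unreachable
]   # anything else, including anything addressed to the intranet, falls through to deny

# The same rules with the web-server allow moved ahead of the anti-spoofing deny: the
# order change silently admits spoofed intranet source addresses to the web server.
MISORDERED_RULES = [INBOUND_RULES[2]] + INBOUND_RULES[:2] + INBOUND_RULES[3:]

if __name__ == "__main__":
    spoofed = Packet("10.1.2.3", "203.0.113.10", "tcp", dport=443)
    print(filter_packet(INBOUND_RULES, spoofed))     # ('deny', 0)
    print(filter_packet(MISORDERED_RULES, spoofed))  # ('allow', 0)
```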


A PACKET FILTERING FIREWALL


CIRCUIT-LEVEL INSPECTION

This type of inspection does not examine each packet.

Circuit-level inspection monitors connection establishment.

If a connection is allowed, no further restrictions are imposed.

Circuit-level inspection is more efficient than packet-filtering.

Many firewalls can perform circuit-level inspection.


STATEFUL INSPECTION

Combines features of packet-filtering and circuit-level firewalls

First, restricts connections only to authorized users

Second, inspects subsequent packets to restrict traffic based on context
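The two stages described above, as an added worked example that is not code from the slides: stage one checks who may open a connection (the circuit-level part), stage two judges every later packet by the connection table rather than by the rules. The StatefulFirewall class, the trusted range 10.0.0.0/8, the allowed outbound services and the idle timeout are constructed for the example; the timestamps are supplied by the caller so the expiry can be shown offline.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Tuple

# Constructed packet: the fields a stateful firewall keys its connection table on.
@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag
    ack: bool = False   # TCP ACK flag

Flow = Tuple[str, str, str, int, int]   # (proto, src, dst, sport, dport)

INTRANET = ip_network("10.0.0.0/8")     # constructed: the trusted zone behind this firewall
ALLOWED_OUTBOUND = {("tcp", 80), ("tcp", 443), ("udp", 53)}
IDLE_TIMEOUT = 300                      # seconds before a silent connection is forgotten

class StatefulFirewall:
    def __init__(self) -> None:
        self.table: Dict[Flow, float] = {}   # tracked flow -> time last seen

    def _policy_allows_new(self, p: Packet) -> bool:
        # Stage one (circuit-level): only intranet hosts may open connections,
        # and only to the services listed above.
        return (ip_address(p.src) in INTRANET
                and ip_address(p.dst) not in INTRANET
                and (p.proto, p.dport) in ALLOWED_OUTBOUND)

    def _expire(self, now: float) -> None:
        for flow, seen in list(self.table.items()):
            if now - seen > IDLE_TIMEOUT:
                del self.table[flow]

    def handle(self, p: Packet, now: float) -> str:
        self._expire(now)
        fwd = (p.proto, p.src, p.dst, p.sport, p.dport)
        rev = (p.proto, p.dst, p.src, p.dport, p.sport)
        # Stage two (context): a packet that belongs to a tracked connection, in
        # either direction, is judged by that state and not by the rules again.
        for key in (fwd, rev):
            if key in self.table:
                self.table[key] = now
                return "allow:established"
        # A TCP connection may only be opened by a bare SYN; UDP has no handshake,
        # so its first packet opens the pseudo-connection.
        opens = (p.syn and not p.ack) if p.proto == "tcp" else True
        if opens and self._policy_allows_new(p):
            self.table[fwd] = now
            return "allow:new"
        return "deny"   # unsolicited inbound traffic, or a mid-stream packet with no state
```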


APPLICATION LAYER FILTERING

Examines the content or payload of packets

Inspects packets based on the application used

Requires complex rules

Can detect a wide range of attacks and malicious code

Has slower performance than other methods


TUNNELING

Tunneling is a technique used to bypass a firewall’s inspection mechanisms.

Tunneling encapsulates network packets in allowed network traffic.

Encryption is a common tunneling option.

If content inspection is not possible, an intrusion detection system (IDS) might be needed.


PROXY SERVERS

Is a circuit-level or application layer operation

Accepts connections from clients

Establishes a distinct connection to external servers

Has no direct connection between client and server

Supports content checking and resource caching


A PROXY SERVER


NETWORK ADDRESS TRANSLATION (NAT)

Allows multiple internal clients to access the Internet over a few public leased addresses

Converts and manages traffic through translation of IP addresses and port numbers

Allows use of the private IP addresses (10.x.x.x, 172.16.x.x–172.31.x.x, and 192.168.x.x)

Hides the internal network structure and address scheme

Prevents external entities from directly accessing internal clients


NAT VARIATIONS

Static NAT

Dynamic NAT

Port address translation (PAT)
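The port address translation (PAT) variation from the two slides above, as an added worked example that is not code from the slides: several private hosts share one public address, each outbound flow receives its own public port, and an inbound packet is rewritten only when an inside host created the mapping, which is the property that hides internal clients. The PortAddressTranslator class, the public address 203.0.113.1 and the port pool are constructed for the example; the private-range check uses the three ranges the slide lists.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

# Constructed packet: addresses and ports are everything a NAT device rewrites.
@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int

# The three private ranges named on the slide (RFC 1918).
PRIVATE = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]

def is_private(addr: str) -> bool:
    return any(ip_address(addr) in net for net in PRIVATE)

class PortAddressTranslator:
    """PAT: every private host shares one public address; each flow gets its own public port."""

    def __init__(self, public_ip: str, first_port: int = 40000, last_port: int = 40009) -> None:
        self.public_ip = public_ip
        self.free_ports: List[int] = list(range(first_port, last_port + 1))
        # (private src, sport, dst, dport) -> public port
        self.out: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self.back: Dict[Tuple[int, str, int], Tuple[str, int]] = {}

    def outbound(self, p: Packet) -> Optional[Packet]:
        if not is_private(p.src):
            return p                       # already routable: forward untranslated
        key = (p.src, p.sport, p.dst, p.dport)
        pport = self.out.get(key)
        if pport is None:                  # first packet of a flow: create a mapping
            if not self.free_ports:
                return None                # port pool exhausted: drop
            pport = self.free_ports.pop(0)
            self.out[key] = pport
            self.back[(pport, p.dst, p.dport)] = (p.src, p.sport)
        return Packet(self.public_ip, pport, p.dst, p.dport)

    def inbound(self, p: Packet) -> Optional[Packet]:
        # A reply is rewritten only if an inside host created the mapping; any other
        # packet has no translation and is dropped, which is why NAT hides internal hosts.
        if p.dst != self.public_ip:
            return None
        entry = self.back.get((p.dport, p.src, p.sport))
        if entry is None:
            return None
        priv_ip, priv_port = entry
        return Packet(p.src, p.sport, priv_ip, priv_port)
```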


FIREWALL ISSUES

Misconfiguration is a common cause of firewall failure.

Avoid default-allow rules; use default-deny rules.

Manage the rule execution order.

Keep firewalls patched and updated.


FIREWALL VULNERABILITIES

Compromising the firewall management console or password

Circumventing the firewall

Physically tampering with the firewall

Creating outbound connections


SECURING FIREWALLS

Keep current on vendor-released information on your firewall.

Keep the firewall patched and updated.

Keep virus scanners updated.

Maintain physical access control.

Document the firewall configuration.


SECURING FIREWALLS (CONT.)

Restrict management access.

Use complex passwords.

Test the firewall's filters and rules.

Look for bypasses or circumventions of the firewall's security.


SUMMARY

Security zones divide parts of the network that have different security requirements.

VLANs are a method for dividing a single physical network into separate broadcast domains.

Typical security zones are intranets, extranets, perimeter networks, and the Internet. Firewalls are often used to control traffic between these security zones.


SUMMARY (CONT.)

The two most commonly used firewall topologies are the back-to-back design and the three-pronged design. A back-to-back design provides multiple layers of protection. The bastion host design provides the lowest level of security.

Firewalls differ in the features that they provide. Common features are packet filtering, circuit-level inspection, stateful inspection, application layer filtering, and proxy server functionality.

NAT allows multiple computers to communicate with the Internet by using a single routable IP address or a range of IP addresses. The main security benefit of NAT is that it hides hosts from the Internet.