Module 11: Designing Security for Network Perimeters

Page 1: Module 11: Designing Security for Network Perimeters

Module 11: Designing Security for Network Perimeters

Page 2

Overview

Creating a Security Plan for the Perimeter of a Network

Creating a Design for Security of Network Perimeters

Page 3

Lesson 1: Creating a Security Plan for the Perimeter of a Network

MSF and Security of Network Perimeters

Defense in Depth and Security of Network Perimeters

Resources to Protect with Network Perimeters Security

STRIDE Threat Model and Security of Network Perimeters

Page 4

MSF and Security of Network Perimeters

The MSF envisioning and planning phases help you to:

Decide which locations your plan will help to protect

Ensure that appropriate countermeasures are applied

Identify your perimeter points. These can include:

Direct Internet connections

Dedicated WAN links

Perimeter networks

VPN client computers

Applications

Wireless connections

(Slide diagram: MSF phases Envision and Plan)

Page 5

Defense in Depth and Security of Network Perimeters

Policies, Procedures, and Awareness

Physical Security

Internal Network

Application

Host

Data

Perimeter

Page 6

Resources to Protect with Network Perimeters Security

Attacker: External
Threat: Information disclosure
Example: An attacker runs a series of port scans on a network and creates a network diagram and vulnerability list. The attacker uses this information to systematically attack the network.

Attacker: Internal
Threat: Denial of service
Example: An employee opens an e-mail from an external Web-based e-mail account that contains a new worm virus. The virus infects the internal network from inside the perimeter.

Page 7

STRIDE Threat Model and Security of Network Perimeters

Spoofing: Exposure of account information

Tampering: Unauthorized access to data

Repudiation: Unmanaged VPN client computers

Information disclosure: Forgotten connections to the Internet

Denial of service: E-mail worms

Elevation of privilege: Unauthorized Web servers

Page 8

Lesson 2: Creating a Design for Security of Network Perimeters

Methods for Securing Network Perimeters

Process for Designing Secure Perimeter Networks

Methods for Securing Perimeter Networks

Guidelines for Protecting Computers on the Perimeter

Page 9

Methods for Securing Network Perimeters

Type Description

Bastion host

Three-pronged configuration

Back-to-back configuration

Page 10

Process for Designing Secure Perimeter Networks

When designing secure screened subnets, determine:

1. The services that you must provide

2. How each service communicates with systems

3. How each service authenticates users

4. How you will manage each service

5. How you will monitor and audit each service

6. How you will configure firewall and router rules to secure the network

Page 11

Methods for Securing Perimeter Networks

Implement the following security mechanisms on routers and firewalls:

Packet filtering

Routing rules

Stateful packet inspection

Application gateway

Server publishing

User-based authentication

Intrusion detection

Page 12

Guidelines for Protecting Computers on the Perimeter

For traveling computers or traveling users, follow these guidelines:

Use and maintain antivirus software

Use personal firewall applications

Do not persistently store passwords

Consider preventing third-party e-mail applications

Educate users about security

Page 13

Lab: Designing Security for Network Perimeters

Exercise 1: Identifying Potential Perimeter Network Vulnerabilities

Exercise 2: Implementing Countermeasures