Chapter 8 - Network security topologies. Objectives in this chapter: Explain network perimeter’s importance to an organization’s security policies, identify place and role of the demilitarized zone in the network, explain how network address translation is used to help secure networks, spell out the role of tunneling in network security, describe security features of virtual local area networks.
Chapter 8: Network Security Topologies

Objectives in this Chapter
• Explain the network perimeter’s importance to an organization’s security policies
• Identify the place and role of the demilitarized zone in the network
• Explain how network address translation is used to help secure networks
• Spell out the role of tunneling in network security
• Describe the security features of virtual local area networks

Perimeter Security Topologies
• The whole goal of connecting networks is so that people can share information
• The goal of perimeter security is to selectively admit or deny data flows based on:
  • Protocol
  • Source
  • Destination
  • Content

Perimeter Security Topologies (continued)
• Put in place using firewalls and routers on the network edge
• Permit secure communications between the organization and third parties
• Key enablers for many mission-critical network services
• Include demilitarized zones (DMZs), extranets, and intranets
• The data flows that are allowed to enter, and those that aren’t, are defined in an organization’s security policy
• The security policy describes what types of activities are permitted and what types are not

Security Policies and Firewalls
• These security policies are enforced primarily with firewalls deployed at key boundaries in the network, including the network perimeter
• Every packet entering or leaving is forced to pass through a firewall, which checks it for compliance with its rule set, discarding those that don’t comply

Multiple Perimeters
• A network may contain multiple perimeters, with different security levels:
  • Outermost perimeter
  • Internal perimeters
  • Innermost perimeter

Outermost Perimeter
• A router is used to separate the network from the ISP’s network
• Identifies the separation point between assets you control and those you do not
• Most insecure area of a network infrastructure
• Normally reserved for routers, firewalls, and public Internet servers (HTTP, FTP, DNS), usually on the DMZ
• Not for sensitive company information that is for internal use only

Internal Perimeters
• Represent additional boundaries where other security measures are in place
• Usually separated by firewalls
• Used to separate areas with different security levels and needs

Extranet
• Private network that uses Internet protocols and the public telecommunication system to provide various levels of accessibility to outsiders (partners, customers, etc.)
• Can be accessed only with a valid username and password
• Identity determines which parts of the extranet you can view

Extranet (continued)
• Requires security and privacy (some combination of the following):
  • Firewall management
  • Issuance and use of digital certificates or other user authentication
  • Encryption of messages
  • Use of VPNs that tunnel through the public network

Network Address Translation (NAT)
• Internet standard that enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic
• Able to translate addresses contained in an IP packet

Main Purposes of NAT
• Provide a type of firewall by hiding internal IP addresses
• Enable a company to use more internal IP addresses than it has public IP addresses
• Conserves the supply of public IP addresses

NAT (continued)
• Most often used to map IPs from the nonroutable private address spaces defined by RFC 1918
• Static NAT and dynamic NAT
• Port Address Translation (PAT)
  • Variation of dynamic NAT
  • Allows many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers
  • Commonly implemented on SOHO routers

Tunneling
• Enables a network to securely send its data through untrusted/shared network infrastructure
• Encrypts and encapsulates a network protocol within packets carried by a second network
• Best-known example: virtual private networks (VPNs)
• Replacing WAN links because of security and low cost
• An option for most IP connectivity requirements

Example of a Tunnel
[Figure: example of a tunnel; the diagram is not recoverable from the extracted text]
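The "Security Policies and Firewalls" and "Outermost Perimeter" slides describe a perimeter firewall that checks every packet against an ordered rule set built on protocol, source and destination, and discards anything no rule permits. The following Python is an added example, not code from the slide deck: a small stateless first-match filter with an implicit default deny, a constructed address plan (RFC 1918 inside, RFC 5737 documentation ranges standing in for the DMZ and the Internet), and rules that expose only the DMZ web and DNS servers while refusing any DMZ-initiated traffic toward the inside.

```python
"""Stateless perimeter packet filter: ordered rules, first match wins, default deny.

Added example (not from the chapter slides). Zones, addresses and the rule set
below are constructed for illustration only.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str                 # "tcp", "udp" or "icmp"
    src: str                   # source IPv4 address
    dst: str                   # destination IPv4 address
    dport: Optional[int] = None  # destination port; None for ICMP


@dataclass(frozen=True)
class Rule:
    action: str                # "allow" or "deny"
    proto: str                 # protocol name or "any"
    src: str                   # CIDR or "any"
    dst: str                   # CIDR or "any"
    dports: Optional[frozenset] = None  # None means any port

    def matches(self, pkt: Packet) -> bool:
        """True when every field of the rule covers the packet."""
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.dports is not None and pkt.dport not in self.dports:
            return False
        return True


# Constructed address plan: inside network, DMZ, and two public servers on the DMZ.
INTERNAL = "10.0.0.0/8"
DMZ = "192.0.2.0/24"
DMZ_WEB = "192.0.2.10/32"
DMZ_DNS = "192.0.2.53/32"

# Ordered rule set. Anything not matched falls through to the default deny.
RULES = [
    Rule("allow", "tcp", "any", DMZ_WEB, frozenset({80, 443})),   # public web server
    Rule("allow", "udp", "any", DMZ_DNS, frozenset({53})),        # public DNS server
    Rule("allow", "tcp", "any", DMZ_DNS, frozenset({53})),
    Rule("deny", "any", DMZ, INTERNAL),                            # DMZ never initiates inward
    Rule("allow", "tcp", INTERNAL, "any", frozenset({80, 443})),  # outbound web from inside
]


def filter_packet(pkt: Packet, rules=RULES) -> str:
    """Return "allow" or "deny" for one packet; unmatched packets are denied."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def filter_batch(packets, rules=RULES):
    """Evaluate a sequence of packets and pair each with its verdict."""
    return [(p, filter_packet(p, rules)) for p in packets]


if __name__ == "__main__":
    sample = [
        Packet("tcp", "198.51.100.7", "192.0.2.10", 443),   # Internet -> DMZ web
        Packet("tcp", "198.51.100.7", "10.1.2.3", 445),     # Internet -> inside file share
        Packet("tcp", "192.0.2.10", "10.0.0.5", 22),        # DMZ host -> inside
        Packet("tcp", "10.0.0.5", "203.0.113.9", 443),      # inside -> Internet web
    ]
    for pkt, verdict in filter_batch(sample):
        print(verdict, pkt)
```

The order of the rules matters: the explicit deny for DMZ-to-inside traffic sits before the outbound allow so that a compromised DMZ server cannot reach internal hosts even on ports the inside is allowed to use outbound. The default deny at the end is what turns "permitted activities" in the security policy into an enforced boundary.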
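The NAT and PAT slides state that many RFC 1918 hosts can share one public address by multiplexing on port numbers, and that hiding internal addresses gives a firewall-like effect. The Python below is an added example, not from the deck: a translation table that rewrites outbound packets (static one-to-one NAT for a designated server, PAT for everyone else), maps replies back to the originating inside host, and drops unsolicited inbound packets that have no table entry. All addresses are constructed (RFC 1918 inside, RFC 5737 documentation ranges outside).

```python
"""Port Address Translation table with a static one-to-one NAT entry.

Added example (not from the chapter slides). Packets are plain dicts with
src, sport, dst, dport and proto keys; the public address, the static mapping
and the port pool are constructed values.
"""
from ipaddress import ip_address, ip_network

# The nonroutable private ranges defined by RFC 1918.
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True when the address lies in one of the RFC 1918 ranges."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


class Translator:
    def __init__(self, public_ip, static=None, port_range=(40000, 49999)):
        self.public_ip = public_ip
        self.static = dict(static or {})                # inside ip -> public ip (1:1)
        self.static_rev = {v: k for k, v in self.static.items()}
        self.next_port, self.last_port = port_range     # PAT port pool
        self.outbound = {}   # (inside ip, inside port, proto) -> public port
        self.inbound = {}    # (public port, proto) -> (inside ip, inside port)

    def outbound_translate(self, pkt: dict) -> dict:
        """Rewrite an inside->outside packet and record the mapping."""
        src, sport, proto = pkt["src"], pkt["sport"], pkt["proto"]
        if src in self.static:
            # Static NAT: the address changes, the port does not.
            return {**pkt, "src": self.static[src]}
        if not is_private(src):
            raise ValueError("only RFC 1918 sources are translated here")
        key = (src, sport, proto)
        if key not in self.outbound:
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            self.outbound[key] = self.next_port
            self.inbound[(self.next_port, proto)] = (src, sport)
            self.next_port += 1
        return {**pkt, "src": self.public_ip, "sport": self.outbound[key]}

    def inbound_translate(self, pkt: dict):
        """Rewrite an outside->inside packet, or return None to drop it."""
        if pkt["dst"] in self.static_rev:
            return {**pkt, "dst": self.static_rev[pkt["dst"]]}
        if pkt["dst"] != self.public_ip:
            return None
        entry = self.inbound.get((pkt["dport"], pkt["proto"]))
        if entry is None:
            return None   # unsolicited: no inside host is ever exposed
        inside_ip, inside_port = entry
        return {**pkt, "dst": inside_ip, "dport": inside_port}


if __name__ == "__main__":
    nat = Translator("203.0.113.1", static={"10.0.0.80": "203.0.113.80"})
    out = nat.outbound_translate(
        {"src": "10.0.0.5", "sport": 51515, "dst": "198.51.100.9", "dport": 443, "proto": "tcp"})
    print("outbound:", out)
    reply = nat.inbound_translate(
        {"src": "198.51.100.9", "sport": 443, "dst": "203.0.113.1", "dport": out["sport"], "proto": "tcp"})
    print("reply:", reply)
```

Two inside hosts using the same source port get distinct public ports, which is the multiplexing the slide refers to; an inbound packet aimed at a port the table has not allocated is returned as None and would be discarded, which is why PAT alone hides internal hosts but is not a substitute for an explicit firewall policy.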
Virtual Local Area Networks (VLANs)
• Deployed using network switches
• Used throughout networks to segment different hosts from each other
• Often coupled with a trunk, which allows switches to share many VLANs over a single physical link

Benefits of VLANs
• Network flexibility
• Scalability
• Increased performance
• Some security features

Security Features of VLANs
• Can be configured to group together users in the same group or team, while segmenting the network
• Offer some protection when sniffers are inserted into the network
• Protect unused switch ports by turning them off
• Put unused ports in a separate VLAN that is not routed

Security Features of VLANs (continued)
• Use an air gap to separate trusted from untrusted networks: use a separate switch for the DMZ or other untrusted network (a separate hub may be more appropriate)

Vulnerabilities of VLAN Trunks
• Trunk autonegotiation
  • Prevention: disable autonegotiation on all ports
• Trunk VLAN membership and pruning
  • Prevention: manually configure all trunk links with the VLANs that are permitted to traverse them

Summary
• Technologies used to create network topologies that secure data and networked resources:
  • Perimeter networks
  • Network address translation (NAT)
  • Virtual local area networks (VLANs)

Classifications
• Trusted
• Semi-trusted
• Untrusted

Trusted Networks
• Inside the network security perimeter
• The networks you are trying to protect

Semi-Trusted Networks
• Allow... servers
  • FTP servers
  • SMTP (e-mail) servers
  • DNS servers
• Optional, more secure approach to a simple firewall; may include a proxy server

DMZ Design Goals
• Isolate internal...
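The "Security Features of VLANs" and "Vulnerabilities of VLAN Trunks" slides give four concrete controls: disable trunk autonegotiation, set an explicit list of VLANs allowed on each trunk, shut down unused ports, and park them in an unrouted VLAN. The Python below is an added example, not from the deck: a configuration audit that parses a constructed switch config in Cisco IOS-style syntax (the command keywords are an assumption for illustration; adapt them for another vendor) and reports every port that violates one of those four controls. The "description unused" convention and the parking VLAN number 999 are constructed for the example.

```python
"""Audit a switch configuration for the VLAN trunk weaknesses named in the chapter.

Added example (not from the chapter slides). The config text is constructed and
uses IOS-style keywords; the audit flags ports that autonegotiate trunking, trunks
with no explicit allowed-VLAN list, and unused access ports that are neither shut
down nor parked in the unrouted parking VLAN.
"""
import re

PARKING_VLAN = 999   # constructed: an unrouted VLAN reserved for unused ports

SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 description uplink to core
 switchport mode trunk
 switchport trunk allowed vlan 10,20,30
 switchport nonegotiate
!
interface GigabitEthernet0/2
 description uplink to dmz-switch
 switchport mode trunk
!
interface GigabitEthernet0/3
 switchport mode dynamic desirable
!
interface GigabitEthernet0/4
 description unused
 switchport mode access
 switchport access vlan 1
!
interface GigabitEthernet0/5
 description unused
 switchport mode access
 switchport access vlan 999
 shutdown
!
"""


def parse_interfaces(config: str) -> dict:
    """Return {interface name: [stripped config lines]} from IOS-style text."""
    interfaces, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            interfaces[current] = []
        elif line == "!":
            current = None                  # end of the interface stanza
        elif current is not None and line:
            interfaces[current].append(line)
    return interfaces


def audit(config: str) -> list:
    """Return a sorted list of (interface, finding) tuples."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        def has(prefix):
            return any(l.startswith(prefix) for l in lines)

        mode = next((l.split()[2] for l in lines if l.startswith("switchport mode ")), None)
        unused = any(l == "description unused" for l in lines)

        if mode == "dynamic":
            findings.append((name, "port autonegotiates trunking (dynamic mode); set a fixed mode"))
        if mode == "trunk":
            if not has("switchport nonegotiate"):
                findings.append((name, "trunk without 'switchport nonegotiate'; autonegotiation still active"))
            if not has("switchport trunk allowed vlan "):
                findings.append((name, "trunk carries every VLAN; set an explicit allowed list"))
        if mode == "access" and unused:
            m = re.search(r"switchport access vlan (\d+)", "\n".join(lines))
            vlan = int(m.group(1)) if m else 1   # default access VLAN when none is set
            if not has("shutdown") and vlan != PARKING_VLAN:
                findings.append((name, "unused port is up and not in the parking VLAN"))
    return sorted(findings)


if __name__ == "__main__":
    for iface, finding in audit(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```

Only GigabitEthernet0/1 and 0/5 pass: the first is a trunk with negotiation disabled and a pruned VLAN list, the second is an unused port that is both shut down and parked. Running a check like this against exported configs on a schedule turns the slide's two "Prevention" bullets into something that can be verified rather than assumed.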