Perimeter
It is critical to create a strong network perimeter that protects internal resources from threats outside the organization. Problems can come from:
The Internet (where you have no power to enforce security)
External networks (business partners, customers, suppliers)
Perimeter
The goal is to selectively admit or deny traffic (or data flows) from other networks based on a number of criteria, such as:
Type of protocol
Source of the request
Destination
Content
The firewall inspects each packet for compliance with the security policy.
Three-tier Architecture
To have a successful network security perimeter, the firewall must be the gateway for all communications between trusted networks and untrusted and unknown networks. Each network can contain multiple perimeter networks. Three types:
The outermost perimeter
Internal perimeters
The innermost perimeter
Three-tier Architecture
Outermost
Identifies the separation point between the assets you control and the assets you don't control. This is the router you use to separate your network from your ISP's network.
Internal
Represents additional boundaries where you have other security mechanisms in place. For example, when a manager creates a new policy, each network that makes up that topology must be classified as one of three types of networks:
Trusted
Semi-trusted
Untrusted
Three-tier Architecture
Trusted networks
Networks inside your network security perimeter. These are what you are trying to protect.
Semi Trusted
Networks that allow users to gain access to some important database materials and email, and may include DNS, proxy, and modem servers. Confidential and proprietary information does not reside here. Referred to as Demilitarized Zones (DMZ) (discussed later).
Untrusted Networks
Networks that are known to be outside of your security perimeter, external to your firewall. You have no control over their administration or security policies.
Three-tier Architecture
The outermost perimeter is the most insecure area of your network infrastructure. It is normally reserved for routers, firewalls, and public Internet servers, such as HTTP, FTP, and Gopher services. It is the easiest area to gain access to and therefore the most frequently attacked. Sensitive company information should not be put in this area.
Use filtering to impair an attacker's ability to have a vulnerable host communicate with the attacker's host.
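As an added example (not part of the original slides), the following packet filter models the perimeter policy described above: addresses are classified into trusted, DMZ (semi-trusted) and untrusted zones, rules are matched in order on protocol, source and destination, unmatched traffic hits a default deny, and the DMZ-to-untrusted deny rule is the egress filtering that keeps a compromised DMZ host from reaching an outside host. The zone networks, ports and policy rows are constructed for illustration.

```python
import ipaddress

# Constructed zone map: everything not inside these networks is untrusted.
ZONES = {
    "trusted": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}


def zone_of(ip):
    """Classify an address as trusted, dmz or untrusted (outside the perimeter)."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"


# Policy rows: (from_zone, to_zone, protocol or None=any, dst_port or None=any, action).
# Rules apply to the packet that initiates a flow; first match wins.
POLICY = [
    ("untrusted", "dmz", "tcp", 80, "allow"),      # public web server in the DMZ
    ("untrusted", "dmz", "udp", 53, "allow"),      # public DNS in the DMZ
    ("dmz", "trusted", None, None, "deny"),        # DMZ hosts never initiate inward
    ("dmz", "untrusted", None, None, "deny"),      # egress filtering for DMZ hosts
    ("trusted", "dmz", None, None, "allow"),
    ("trusted", "untrusted", "tcp", 443, "allow"),
    ("untrusted", "trusted", None, None, "deny"),
]


def filter_packet(src, dst, proto, dst_port):
    """Return 'allow' or 'deny' for one packet header according to POLICY."""
    s, d = zone_of(src), zone_of(dst)
    for from_zone, to_zone, p, port, action in POLICY:
        if (from_zone == s and to_zone == d
                and (p is None or p == proto)
                and (port is None or port == dst_port)):
            return action
    return "deny"  # default deny: anything the policy does not name is dropped
```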
Extranet
A private network that uses the Internet protocol and the public telecommunication system to securely share part of a business's information or operations with suppliers, vendors, partners, customers, or other businesses. It is for users outside of the company. Requires firewall management, the use of digital certificates, encryption, and the use of VPNs.
NAT
Serves two main purposes:
1. Provides a type of firewall by hiding internal IP addresses
2. Enables a company to use more internal IP addresses
When communication between a privately addressed host and a public network (the Internet) is needed, address translation is required. This is where NAT comes in.
NAT Analogy
NAT is like the receptionist in a large office. Let's say you left instructions with the receptionist not to forward any calls to you unless you request it. Later on, you call a potential client and leave a message for that client to call you back. You tell the receptionist that you are expecting a call from this client and to put the client through when he/she calls back. The client calls the main number to your office, which is the only number the client knows. When the client tells the receptionist that he/she is looking for you, the receptionist checks the lookup table that matches your name with your extension. The receptionist knows that you requested this call, and forwards you the call (message).
NAT
NAT routers sit on the border between public and private networks. NAT works by creating bindings between addresses.
Static NAT: a one-to-one mapping between public and private addresses.
Dynamic NAT: maps an unregistered IP address to a registered IP address from a group of registered IP addresses.
Static NAT
In static NAT, the computer with the IP address 192.168.32.10 will always translate to 213.18.123.110.
Dynamic NAT
Edge devices that run dynamic NAT create bindings on the fly by building a NAT table. Connections initiated by private hosts are assigned a public address from a pool. As long as the private host has an outgoing connection, it can be reached by incoming packets sent to this public address. When the connection expires, the binding expires, and the address is returned to the pool for reuse.
Dynamic NAT
In dynamic NAT, the computer with the IP address 192.168.32.10 will translate to the first available address in the range from 213.18.123.100 to 213.18.123.150.
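As an added example (not part of the original slides), this toy NAT table implements both behaviours just described with the slides' own addresses: a static one-to-one binding for 192.168.32.10, and a dynamic pool 213.18.123.100 to 213.18.123.150 from which the first available address is handed out, kept while the binding is live, and returned to the pool for reuse once it expires. Inbound packets to a public address with no live binding are dropped (returned as None), which is the "receptionist" behaviour from the analogy. The time values and the 60-second lifetime are assumptions.

```python
import ipaddress


class Nat:
    """Toy NAT table: static one-to-one bindings plus a dynamic pool with expiry."""

    def __init__(self, pool_start, pool_end, ttl=60):
        first = int(ipaddress.IPv4Address(pool_start))
        last = int(ipaddress.IPv4Address(pool_end))
        # Free public addresses, lowest first ("first available address").
        self.pool = [str(ipaddress.IPv4Address(i)) for i in range(first, last + 1)]
        self.static = {}    # private -> public, permanent
        self.dynamic = {}   # private -> (public, expiry time)
        self.ttl = ttl      # assumed binding lifetime in seconds

    def add_static(self, private_ip, public_ip):
        self.static[private_ip] = public_ip

    def outbound(self, private_ip, now):
        """Translate a connection initiated by a private host; returns the public IP."""
        if private_ip in self.static:
            return self.static[private_ip]
        self.expire(now)
        if private_ip in self.dynamic:
            public, _ = self.dynamic[private_ip]
            self.dynamic[private_ip] = (public, now + self.ttl)  # traffic keeps binding alive
            return public
        if not self.pool:
            raise RuntimeError("NAT pool exhausted")
        public = self.pool.pop(0)
        self.dynamic[private_ip] = (public, now + self.ttl)
        return public

    def inbound(self, public_ip, now):
        """Map an incoming packet's destination to a private host; None means drop it."""
        for private, public in self.static.items():
            if public == public_ip:
                return private
        self.expire(now)
        for private, (public, _) in self.dynamic.items():
            if public == public_ip:
                return private
        return None  # no binding requested this traffic, so it is not forwarded

    def expire(self, now):
        """Drop bindings whose lifetime has passed and return their addresses to the pool."""
        for private, (public, expires_at) in list(self.dynamic.items()):
            if expires_at <= now:
                del self.dynamic[private]
                self.pool.append(public)  # address is available for reuse
```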
Tunneling
A technology that enables a network to securely send its data through an untrusted or shared network infrastructure. It works by encrypting and encapsulating the secured traffic within packets carried by the second network. A VPN is the best-known example of tunneling. The tunnel is actually an agreement between routers on how the data is encrypted.
VLAN
Virtual local area networks
A way of dividing a single physical network switch among multiple network segments or broadcast domains, giving the ability to configure multiple LANs on a single switch.
A trunk allows switches to share many VLANs over a single physical link.
Routers are needed to make different VLANs talk to each other.