
Lecture Security+ Certification: Chapter 8 - Athena Center




DOCUMENT INFORMATION

Basic information

Format
Pages: 40
Size: 389.08 KB


Contents

Chapter 8 - Network security topologies. Objectives in this chapter: Explain network perimeter’s importance to an organization’s security policies, identify place and role of the demilitarized zone in the network, explain how network address translation is used to help secure networks, spell out the role of tunneling in network security, describe security features of virtual local area networks.

Page 1

Chapter 8: Network Security Topologies

Page 2

Objectives in this Chapter

• Explain network perimeter's importance to an organization's security policies
• Identify place and role of the demilitarized zone in the network
• Explain how network address translation is used to help secure networks
• Spell out the role of tunneling in network security
• Describe security features of virtual local area networks

Page 3

Perimeter Security Topologies

• The whole goal of connecting networks is so that people can share information
• The goal of perimeter security is to selectively admit or deny data flows based on:

Page 4

Perimeter Security Topologies

• Put in place using firewalls and routers on the network edge
• Permit secure communications between the organization and third parties
• Key enablers for many mission-critical network services
• Include demilitarized zones (DMZs), extranets, and intranets

Page 5

Perimeter Security Topologies

• The data flows that are allowed to enter, and those that aren't, are defined in an organization's security policy
• The security policy describes what types of activities are permitted and what types are not

Page 6

Security Policies and Firewalls

• These security policies are enforced primarily with firewalls deployed at key boundaries in the network, including the network perimeter
• Every packet entering or leaving is forced to pass through a firewall, which checks it for compliance with its rule set, discarding those that don't comply


Page 9

• Most insecure area of a network infrastructure
• Normally reserved for routers, firewalls, public Internet servers (HTTP, FTP, DNS) (usually on the DMZ)
• Not for sensitive company information that is for internal use only

Page 10

Internal Perimeters

• Represent additional boundaries where other security measures are in place
• Usually separated by firewalls
• Used to separate areas with different security levels and needs

Page 12

Trusted Networks

• Inside the network security perimeter
• The networks you are trying to protect

Page 13

Semi-Trusted Networks

• Allow access to some database materials and e-mail servers, also DNS, web, and FTP
• Not for confidential or proprietary information
• Referred to as the demilitarized zone (DMZ)

Page 14

Untrusted Networks

• Outside your security perimeter
• Outside your control
• these networks – you configure your router, firewall, and VPN (in some cases) to do this as securely as possible


Page 16

Creating and Developing Your Security Design

• classes/workshops, visit hacker web sites
• Count the cost – cost vs. the value of what you are protecting
• Identify assumptions – we all know what happens when we assume

Page 17

Creating and Developing Your Security Design

• Control secrets (passwords, encryption keys, etc.)
• Limit the scope of access by creating barriers at multiple places
• the network usually works
• Limit your trust

Page 18

• Used by a company to host its own Internet services without sacrificing unauthorized access to its private network (while minimizing access)
• Sits between the Internet and the internal network's line of defense, usually some combination of firewalls and bastion hosts
• Traffic originating from it should be filtered


Page 21

DMZ Design Goals

• Isolate internal networks
• Protect sensitive data on the servers
• Detect a compromise as soon as possible
• Minimize the effect of a compromise on other organizations

Page 22

• You filter traffic (using routers and/or firewalls) coming from the external network to the DMZ, and from the DMZ to the internal network
• You also filter traffic from the internal network to the DMZ, and from the DMZ to the external network (although not as strictly)
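The two-way filtering described on this slide, written out as an added example (it is not part of the lecture slides): a zone-based, first-match rule set with an implicit deny, evaluated over constructed sample flows. External-to-DMZ and DMZ-to-internal flows are held to a short whitelist of hosts and ports; internal-to-DMZ and DMZ-to-external flows are filtered less strictly, as the slide says. The zone prefixes, host addresses, ports and the policy itself are assumptions chosen for the illustration.

```python
"""Zone-based perimeter filtering between external, DMZ and internal networks."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed sample addressing: which prefixes belong to which zone.
ZONES = {
    "internal": [ip_network("10.0.0.0/8")],
    "dmz": [ip_network("192.168.100.0/24")],
}


def zone_of(ip: str) -> str:
    """Return the zone an address belongs to; anything not ours is 'external'."""
    addr = ip_address(ip)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "external"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                         # "permit" or "deny"
    proto: Optional[str] = None         # None matches any protocol
    dports: frozenset = frozenset()     # empty matches any destination port
    dst_hosts: frozenset = frozenset()  # empty matches any host in the zone

    def matches(self, pkt: Packet) -> bool:
        if zone_of(pkt.src) != self.src_zone or zone_of(pkt.dst) != self.dst_zone:
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dports and pkt.dport not in self.dports:
            return False
        if self.dst_hosts and pkt.dst not in self.dst_hosts:
            return False
        return True


# Constructed policy: first match wins, implicit deny when nothing matches.
POLICY = [
    # External -> DMZ: only the published services on the public servers.
    Rule("external", "dmz", "permit", "tcp", frozenset({80, 443}), frozenset({"192.168.100.10"})),
    Rule("external", "dmz", "permit", "udp", frozenset({53}), frozenset({"192.168.100.53"})),
    # External -> internal: never directly.
    Rule("external", "internal", "deny"),
    # DMZ -> internal: only the web tier to the database port on one host.
    Rule("dmz", "internal", "permit", "tcp", frozenset({5432}), frozenset({"10.0.5.20"})),
    Rule("dmz", "internal", "deny"),
    # Internal -> DMZ: administration plus the same published services.
    Rule("internal", "dmz", "permit", "tcp", frozenset({22, 80, 443})),
    # DMZ -> external: filtered less strictly, but still only what the servers need.
    Rule("dmz", "external", "permit", "udp", frozenset({53})),
    Rule("dmz", "external", "permit", "tcp", frozenset({80, 443})),
]


def decide(pkt: Packet, policy=POLICY) -> str:
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"  # anything the policy does not mention is discarded


def filter_packets(packets, policy=POLICY) -> dict:
    """Return {packet: decision} for a batch of packets."""
    return {p: decide(p, policy) for p in packets}


# Constructed sample traffic.
SAMPLE = [
    Packet("203.0.113.7", "192.168.100.10", "tcp", 443),   # Internet user -> DMZ web server
    Packet("203.0.113.7", "192.168.100.10", "tcp", 22),    # Internet -> SSH on a DMZ host
    Packet("203.0.113.7", "10.0.5.20", "tcp", 5432),       # Internet -> internal database
    Packet("192.168.100.10", "10.0.5.20", "tcp", 5432),    # DMZ web -> internal database
    Packet("192.168.100.10", "10.0.5.21", "tcp", 5432),    # DMZ web -> another internal host
    Packet("10.0.1.15", "192.168.100.10", "tcp", 22),      # internal admin -> DMZ web server
    Packet("192.168.100.53", "198.51.100.1", "udp", 53),   # DMZ resolver -> Internet DNS
    Packet("192.168.100.10", "198.51.100.1", "tcp", 25),   # DMZ web -> Internet SMTP
]

if __name__ == "__main__":
    for pkt, verdict in filter_packets(SAMPLE).items():
        print(f"{verdict:6} {pkt.src} -> {pkt.dst} {pkt.proto}/{pkt.dport}")
```

Note that the default verdict is deny: a flow in a direction the policy never mentions (the SSH attempt from the Internet, the web server's outbound SMTP) is dropped without needing an explicit rule.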


Page 24

• Either a network topology or an application (usually a Web portal) used as a single point of access to deliver services to employees
• Typically a collection of all LANs inside the firewall
• resources among employees

Page 25

• Allows access to the public Internet through firewalls that screen communications in both directions to maintain company security
• Also called a campus network

Page 26

• Private network that uses the Internet protocol and the public telecommunication system to provide various levels of accessibility to outsiders (partners, customers, etc.)
• Can be accessed only with a valid username and password
• Identity determines which parts of the extranet you can view

Page 27

• Requires security and privacy (some combination of these below:)

Page 28

Network Address Translation (NAT)

• Internet standard that enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic
• Able to translate addresses contained in an IP packet

Page 29

Main Purposes of NAT

• Provide a type of firewall by hiding internal IP addresses
• Enable a company to use more internal IP addresses than it has public IP addresses
• Conserve the supply of public IP addresses

Page 30

• Most often used to map IPs from the non-routable private address spaces defined by RFC 1918
• Port Address Translation (PAT)
  ◦ Variation of dynamic NAT
  ◦ Allows many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers
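How PAT multiplexes many RFC 1918 hosts onto one public address, as an added example (not part of the lecture slides). A small gateway model allocates one outside port per inside endpoint, rewrites outbound packets, and maps replies back; it also shows the two points from the preceding slides: an inbound packet with no existing mapping is dropped (the "type of firewall" effect), and the shared address only stretches as far as the port pool does. The public and private addresses, the port pool and the traffic are constructed for the illustration.

```python
"""Port Address Translation (PAT): many RFC 1918 hosts sharing one public address."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple

# The three non-routable private ranges defined by RFC 1918.
RFC1918 = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"), ip_network("192.168.0.0/16")]


def is_private(ip: str) -> bool:
    """True if the address falls in one of the RFC 1918 ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PATGateway:
    def __init__(self, public_ip: str, port_range=(1024, 65535)):
        self.public_ip = public_ip
        self.next_port, self.last_port = port_range
        # (proto, inside_ip, inside_port) -> outside port
        self.outbound: Dict[Tuple[str, str, int], int] = {}
        # (proto, outside_port) -> (inside_ip, inside_port)
        self.inbound: Dict[Tuple[str, int], Tuple[str, int]] = {}

    def _allocate(self, proto: str, inside: Tuple[str, int]) -> int:
        """Reuse an existing mapping or take the next free outside port."""
        key = (proto,) + inside
        if key in self.outbound:
            return self.outbound[key]
        if self.next_port > self.last_port:
            raise RuntimeError("PAT port pool exhausted")
        port = self.next_port
        self.next_port += 1
        self.outbound[key] = port
        self.inbound[(proto, port)] = inside
        return port

    def translate_out(self, pkt: Packet) -> Packet:
        """Inside -> outside: rewrite the private source to the shared public address."""
        if not is_private(pkt.src_ip):
            raise ValueError(f"{pkt.src_ip} is not an RFC 1918 address; nothing to translate")
        port = self._allocate(pkt.proto, (pkt.src_ip, pkt.src_port))
        return Packet(pkt.proto, self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_in(self, pkt: Packet) -> Optional[Packet]:
        """Outside -> inside: only traffic matching an existing mapping gets through."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self.inbound.get((pkt.proto, pkt.dst_port))
        if inside is None:
            return None  # unsolicited inbound: dropped, the firewall-like effect of NAT
        return Packet(pkt.proto, pkt.src_ip, pkt.src_port, inside[0], inside[1])


def demo():
    """Constructed walk-through: two hosts share one address, a reply comes back,
    a stray packet is dropped, and a deliberately tiny pool runs out."""
    gw = PATGateway("203.0.113.5", port_range=(40000, 40001))
    a = gw.translate_out(Packet("tcp", "10.0.0.11", 51000, "198.51.100.80", 443))
    b = gw.translate_out(Packet("tcp", "10.0.0.12", 51000, "198.51.100.80", 443))
    a_again = gw.translate_out(Packet("tcp", "10.0.0.11", 51000, "198.51.100.80", 443))
    reply = gw.translate_in(Packet("tcp", "198.51.100.80", 443, "203.0.113.5", a.src_port))
    stray = gw.translate_in(Packet("tcp", "198.51.100.80", 443, "203.0.113.5", 40999))
    try:
        gw.translate_out(Packet("tcp", "10.0.0.13", 51000, "198.51.100.80", 443))
        exhausted = False
    except RuntimeError:
        exhausted = True
    return a, b, a_again, reply, stray, exhausted


if __name__ == "__main__":
    for item in demo():
        print(item)
```

Both inside hosts use source port 51000, so the gateway cannot keep their streams apart by address alone; the distinct outside ports 40000 and 40001 are what makes the reverse lookup unambiguous.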

Page 31

• Enables a network to securely send its data through untrusted/shared network infrastructure
• Encrypts and encapsulates a network protocol within packets carried by a second network
• Best-known example: virtual private networks
• Replacing WAN links because of security and low cost
• An option for most IP connectivity requirements

Page 32

Example of a Tunnel

Page 33

Virtual Local Area Networks (VLANs)

• Used throughout networks to segment different hosts from each other
• Often coupled with a trunk, which allows switches to share many VLANs over a single physical link


Page 37

Security Features of VLANs

• Can be configured to group together users in the same group or team, while segmenting the network
• Offer some protection when sniffers are inserted into the network
• Protect unused switch ports by turning them off
• Put unused ports in a separate VLAN that's not routed

Page 38

Security Features of VLANs

• Use an air gap to separate trusted from untrusted networks – use a separate switch for the DMZ or other untrusted network (a separate hub may be more appropriate)

Page 39

Vulnerabilities of VLAN Trunks

• Trunk autonegotiation
  ◦ Prevention: Disable autonegotiation on all ports
  ◦ Prevention: Manually configure all trunk links with the VLANs that are permitted to traverse them
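What the second prevention amounts to on the wire, as an added example (not part of the lecture slides): a parser for the IEEE 802.1Q tag carried in an Ethernet frame, and a trunk-port model that forwards a frame only if its VLAN identifier is in the manually configured permitted list. Untagged frames arriving on the trunk are assigned the trunk's native VLAN and held to the same list, and the reserved identifiers 0 and 4095 are never forwarded. The MAC addresses, VLAN numbers and frames are constructed for the illustration; the tag layout (TPID 0x8100, 12-bit VID in the low bits of the TCI) is the standard one.

```python
"""Enforce a trunk's permitted-VLAN list on IEEE 802.1Q tagged frames."""
import struct
from dataclasses import dataclass
from typing import FrozenSet, List, Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass(frozen=True)
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]  # None for an untagged frame
    ethertype: int
    payload: bytes


def parse_frame(raw: bytes) -> Frame:
    """Parse an Ethernet II frame, recognizing a single 802.1Q tag if present."""
    if len(raw) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src = raw[:6], raw[6:12]
    (tpid,) = struct.unpack("!H", raw[12:14])
    if tpid == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", raw[14:18])
        vid = tci & 0x0FFF  # low 12 bits of the TCI are the VLAN identifier
        return Frame(dst, src, vid, ethertype, raw[18:])
    return Frame(dst, src, None, tpid, raw[14:])


@dataclass(frozen=True)
class TrunkPort:
    allowed: FrozenSet[int]  # VLANs manually permitted to traverse this trunk
    native_vlan: int         # VLAN assigned to untagged frames arriving on the trunk

    def admit(self, frame: Frame) -> Optional[int]:
        """Return the VLAN the frame is forwarded in, or None if it is dropped."""
        vid = self.native_vlan if frame.vlan_id is None else frame.vlan_id
        if vid in (0, 4095):  # 0 = priority tag only, 4095 is reserved
            return None
        if vid not in self.allowed:
            return None
        return vid


def build_frame(dst: bytes, src: bytes, vid: Optional[int], ethertype: int, payload: bytes) -> bytes:
    """Constructed test helper: build a tagged (vid given) or untagged (vid None) frame."""
    hdr = dst + src
    if vid is not None:
        hdr += struct.pack("!HHH", TPID_8021Q, vid & 0x0FFF, ethertype)  # PCP/DEI left at 0
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


def filter_trunk(port: TrunkPort, raw_frames: List[bytes]) -> List[Optional[int]]:
    """Apply the trunk's permitted list to each raw frame."""
    return [port.admit(parse_frame(f)) for f in raw_frames]


# Constructed sample: a trunk that permits VLANs 10 and 20 with native VLAN 99.
DST = bytes.fromhex("ffffffffffff")
SRC = bytes.fromhex("005056c00001")
TRUNK = TrunkPort(allowed=frozenset({10, 20}), native_vlan=99)
SAMPLE_FRAMES = [
    build_frame(DST, SRC, 10, 0x0800, b"ipv4 on vlan 10"),
    build_frame(DST, SRC, 30, 0x0800, b"ipv4 on vlan 30, not on the permitted list"),
    build_frame(DST, SRC, None, 0x0806, b"untagged arp, lands in native vlan 99"),
    build_frame(DST, SRC, 0, 0x0800, b"priority-tagged, vid 0"),
]

if __name__ == "__main__":
    for raw, verdict in zip(SAMPLE_FRAMES, filter_trunk(TRUNK, SAMPLE_FRAMES)):
        print(parse_frame(raw).vlan_id, "->", "drop" if verdict is None else f"forward in VLAN {verdict}")
```

Because the native VLAN is also checked against the permitted list, an untagged frame on this trunk is dropped unless 99 is explicitly permitted; adding it to `allowed` is the only way it gets through.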

Page 40

• Technologies used to create network topologies that secure data and networked resources
  ◦ Perimeter networks
  ◦ Network address translation (NAT)
  ◦ Virtual local area networks (VLANs)

Posted: 30/01/2020, 12:54
