Security fundamentals Topic 10 Securing the network perimeter

Page 1

Security fundamentals

Topic 10: Securing the network perimeter

Page 2

Agenda

• Secure network topologies and security zones

• Network perimeter security and models

• Implementing firewalls

Page 3

Secure topologies

• Goal is to separate network traffic so that no network segment carries traffic not required on that segment
• Performance will also be more efficient
• Security zones:
– Areas of the network that contain resources with similar security requirements
– Group computers and devices according to security needs
– Reduce the attack surface of your resources
– Build a network security framework
• What are the threats?
• What can be used to protect?

Page 4

Security zones

• VLANs
– Create security zones with VLANs: subnets created by switches and joined by routers
• 802.1q tagging
• Servers can sit on many VLANs
• Limits broadcast domains
• Flexible for adding, moving and changing port VLANs
• Hides physical configuration
• Fast isolation of devices that are the source of threats
• Vulnerable to Layer 2 attacks

Page 5

Security zones

• Create security zones by placing firewalls between internal and external networks
• Perimeter network, screened subnet, DMZ: a separate security zone for Internet-facing resources
• Intranet (trusted)
• Extranet (partners)
• Perimeter network (access from the internet)
• Internet (untrusted)

Page 6

Intranets

• Internal network, private network, LAN
• Typically trusted but not safe from disgruntled employees and contractors
• Protection:
– Firewall protection from the internet and DMZ
– Antivirus on all network hosts
– Audit critical resources and confidential data
– Use firewalls on hosts with confidential data
– Document and audit physical infrastructure and critical systems for unauthorised devices and connections
– Restrict and monitor access to critical systems
– Remove unnecessary services from mission-critical servers

Page 7

Perimeter networks

• Deploy public resources such as DNS, mail and web servers
• Also used for untrusted networks (e.g. wireless)
• Protection:
– Firewall from the external network
– Limit services and remove unnecessary services
– Audit all services
– Name resolution is separated from the internal network
– Remove or restrict remote management services
– Document and audit all physical and logical configurations
– Perform frequent data and configuration backups

Page 8

Extranets

• Partner access to resources
• Partners must authenticate and then get access to non-public resources
• Access can be provided by a VPN
• Protection:
– Firewall from the external network
– Authenticate all access
– Limit services and remove unnecessary services
– Audit all network and service access

Page 9

Perimeter network types

• Three-pronged firewall
– Single firewall with three interfaces: internet, internal network and DMZ
– Small organisations and branch offices
– Weakness: if the firewall fails, all networks are vulnerable
• Back-to-back firewalls
– Two firewalls, with the DMZ behind the first firewall and the internal network behind both the first and the second firewall
– Defence in depth strategy: two firewalls to break to reach the internal network
– More restrictive rules on the second firewall
– Security by diversity by using different brands of firewall

Page 10

N-tier architecture & bastion hosts

• For e-business operations
• Business function servers each have separate tiers: web tier, middle tier, data tier
• Each tier is protected by a firewall and traffic between tiers is controlled, thereby reducing the attack surface
• Bastion hosts:
– Single host provides external services
– Single firewall protects the internal network and only allows traffic to the bastion host
– If the bastion is compromised the attacker is on the internal network
– Least secure design

Page 11

Perimeter security and traffic

• By default block network traffic and then make exceptions for required network traffic

• Allow only required traffic: block by protocol, port and destination

• Don’t automatically trust outgoing traffic (may be confidential data on the way out)

• Review network traffic that was blocked and investigate the source of this traffic

Page 12

Firewalls

• Packet filtering
• Application filtering
• Circuit level inspection
• Stateful inspection
• Content inspection
• Proxy

Page 13

Packet filtering

• Inspects the IP header of each packet
• Applies rules, permit or deny, inbound or outbound, based on:
– Source IP
– Destination IP
– Layer 4 protocol (TCP/UDP)
– Source port number
– Destination port number
– ICMP message type (e.g. echo request)
– Fragmentation flags
– IP options (mostly used for diagnostics)
– Packet size
• No inspection of payload
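The following is an added example, not code from the slides: a header-only packet filter in the style described on this page and on the "Perimeter security and traffic" page. Rules are evaluated top to bottom, anything that matches no rule is denied by default, egress is filtered as strictly as ingress, and every denied packet is logged so the blocked traffic can be reviewed by source afterwards. The addresses, policy and sample traffic are constructed for the example.

```python
# Added example, not from the slides: a header-only packet filter with
# default deny, ordered rules and a blocked-traffic log. All addresses and
# rules below are constructed sample values.
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass(frozen=True)
class Packet:
    direction: str                 # "in" (from internet) or "out" (to internet)
    src: str
    dst: str
    proto: str                     # "tcp", "udp" or "icmp"
    sport: int = 0
    dport: int = 0
    icmp_type: Optional[int] = None
    size: int = 64                 # total length in bytes


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    direction: str                 # "in", "out" or "any"
    src: str = "0.0.0.0/0"         # CIDR; the default matches every source
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None    # None = any destination port
    icmp_type: Optional[int] = None
    max_size: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        """Header fields only; the payload is never looked at."""
        return (self.direction in ("any", p.direction)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport)
                and (self.icmp_type is None or self.icmp_type == p.icmp_type)
                and (self.max_size is None or p.size <= self.max_size))


class PacketFilter:
    def __init__(self, rules):
        self.rules = list(rules)       # evaluated top to bottom, first match wins
        self.blocked = []              # (packet, reason) log for later review

    def decide(self, p: Packet) -> str:
        for rule in self.rules:
            if rule.matches(p):
                if rule.action == "deny":
                    self.blocked.append((p, "explicit deny"))
                return rule.action
        self.blocked.append((p, "default deny"))   # no rule matched
        return "deny"

    def blocked_by_source(self) -> Counter:
        """Review step: which sources generate the blocked traffic?"""
        return Counter(p.src for p, _ in self.blocked)


# Constructed sample policy for a small perimeter: 203.0.113.0/24 is the DMZ,
# 10.0.0.0/8 the intranet, 203.0.113.53 the DMZ resolver.
POLICY = [
    Rule("permit", "in", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("permit", "in", dst="203.0.113.10/32", proto="tcp", dport=80),
    Rule("permit", "in", dst="203.0.113.0/24", proto="icmp", icmp_type=8, max_size=128),
    Rule("permit", "out", src="10.0.0.0/8", proto="tcp", dport=443),
    Rule("permit", "out", src="10.0.0.0/8", dst="203.0.113.53/32", proto="udp", dport=53),
]

# Constructed sample traffic, one packet per line
SAMPLE_TRAFFIC = [
    Packet("in", "198.51.100.7", "203.0.113.10", "tcp", 51000, 443),
    Packet("in", "198.51.100.7", "203.0.113.10", "tcp", 51001, 22),
    Packet("in", "198.51.100.9", "203.0.113.10", "icmp", icmp_type=8),
    Packet("in", "198.51.100.9", "203.0.113.10", "icmp", icmp_type=8, size=1400),
    Packet("out", "10.1.2.3", "198.51.100.50", "tcp", 40000, 443),
    Packet("out", "10.1.2.3", "198.51.100.50", "tcp", 40001, 25),
    Packet("out", "10.1.2.3", "198.51.100.53", "udp", 40002, 53),
]


def run_sample():
    """Apply the policy to the sample traffic; return decisions and the review count."""
    fw = PacketFilter(POLICY)
    decisions = [fw.decide(p) for p in SAMPLE_TRAFFIC]
    return decisions, fw.blocked_by_source()


if __name__ == "__main__":
    decisions, review = run_sample()
    for p, d in zip(SAMPLE_TRAFFIC, decisions):
        print(f"{d:6} {p.direction:3} {p.src}:{p.sport} -> {p.dst}:{p.dport} {p.proto}")
    print("blocked packets per source:", dict(review))
```

The outbound SMTP and the outbound DNS to a non-approved resolver are denied even though they come from the trusted side: that is the "don't automatically trust outgoing traffic" point, and the review count shows the intranet host 10.1.2.3 generating more blocked traffic than any external source.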

Page 14

Circuit level inspection

• Monitors for hosts establishing connections
• If the connection is allowed, then all following traffic is allowed without further inspection
• Does not inspect payload
• More efficient than packet filtering

Page 15

Stateful inspection

• Monitors for hosts establishing connections
• If the connection is allowed, then all following traffic is allowed
• Continues to monitor the packets within the connection and checks that the packets are valid (sequence numbers are checked)
• Each connection is tracked using a state table
• Does not inspect payload
• Initially a feature of Check Point firewalls
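As an added example (not code from the slides), the state table described above in miniature: only the first segment of a TCP connection is checked against policy, and every later segment is allowed only if a tracked connection exists for it and its sequence and acknowledgement numbers are what the table expects. Window handling, retransmission and timeouts are simplified, and all addresses and segments are constructed.

```python
# Added example, not from the slides: a toy TCP stateful inspector. New
# connections are checked against policy once; later segments are allowed
# only when they belong to a tracked connection and carry the sequence and
# acknowledgement numbers the state table expects. Window handling,
# retransmits and timeouts are simplified; addresses are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet

WINDOW = 65535   # simplified receive window used for the in-sequence check


@dataclass(frozen=True)
class Segment:
    src: str
    sport: int
    dst: str
    dport: int
    flags: FrozenSet[str]        # subset of {"SYN", "ACK", "FIN", "RST"}
    seq: int = 0
    ack: int = 0
    length: int = 0              # payload bytes


class StatefulFirewall:
    def __init__(self, inside: str = "10.0.0.0/8"):
        self.inside = ip_network(inside)
        self.table = {}          # connection key -> state dict

    @staticmethod
    def _key(s: Segment):
        a, b = (s.src, s.sport), (s.dst, s.dport)
        return (a, b) if a < b else (b, a)    # same key for both directions

    def _policy_allows_new(self, s: Segment) -> bool:
        # Perimeter policy: only intranet hosts may open connections outward.
        return ip_address(s.src) in self.inside and ip_address(s.dst) not in self.inside

    def inspect(self, s: Segment) -> str:
        key = self._key(s)
        conn = self.table.get(key)
        if conn is None:
            # Only a bare SYN may create state, and only if policy allows it.
            if s.flags == {"SYN"} and self._policy_allows_new(s):
                self.table[key] = {"state": "SYN_SENT", "initiator": s.src,
                                   "expect": {s.src: s.seq + 1, s.dst: None},
                                   "fins": set()}
                return "permit"
            return "deny"         # unsolicited segment: no matching state
        exp = conn["expect"]
        if conn["state"] == "SYN_SENT":
            # The responder's SYN/ACK must acknowledge the initiator's ISN + 1.
            if (s.flags == {"SYN", "ACK"} and s.src != conn["initiator"]
                    and s.ack == exp[conn["initiator"]]):
                exp[s.src] = s.seq + 1
                conn["state"] = "SYN_RECV"
                return "permit"
            return "deny"
        if conn["state"] == "SYN_RECV":
            # The initiator's ACK completes the handshake.
            if (s.flags == {"ACK"} and s.src == conn["initiator"]
                    and s.seq == exp[s.src] and s.ack == exp[s.dst]):
                conn["state"] = "ESTABLISHED"
                return "permit"
            return "deny"
        # ESTABLISHED: the segment must start where this side left off.
        if "RST" in s.flags:
            del self.table[key]
            return "permit"
        expected = exp[s.src]
        if not expected <= s.seq < expected + WINDOW:
            return "deny"         # out-of-sequence: not part of this connection
        exp[s.src] = s.seq + s.length + (1 if "FIN" in s.flags else 0)
        if "FIN" in s.flags:
            conn["fins"].add(s.src)
            if len(conn["fins"]) == 2:
                del self.table[key]   # both sides closed
        return "permit"


def run_sample():
    """Constructed exchange: an intranet client talks to an internet web server."""
    fw = StatefulFirewall()
    c, srv = ("10.1.2.3", 40000), ("198.51.100.10", 443)
    F = frozenset
    segs = [
        Segment(*c, *srv, F({"SYN"}), seq=1000),
        Segment(*srv, *c, F({"SYN", "ACK"}), seq=5000, ack=1001),
        Segment(*c, *srv, F({"ACK"}), seq=1001, ack=5001),
        Segment(*c, *srv, F({"ACK"}), seq=1001, ack=5001, length=100),
        Segment(*srv, *c, F({"ACK"}), seq=5001, ack=1101, length=200),
        # Forged segment whose sequence number lies far outside the tracked window
        Segment(*srv, *c, F({"ACK"}), seq=9_999_999, ack=1101, length=10),
        # Unsolicited inbound SYN to an intranet host: no state, and policy says no
        Segment("198.51.100.77", 33000, "10.1.2.5", 22, F({"SYN"}), seq=7),
        # Lone ACK to an intranet host: a stateless rule keyed on the ACK flag
        # would treat this as "established"; the state table rejects it
        Segment("198.51.100.77", 33001, "10.1.2.5", 3389, F({"ACK"}), seq=8, ack=9),
    ]
    return [fw.inspect(s) for s in segs], len(fw.table)


if __name__ == "__main__":
    decisions, open_conns = run_sample()
    print(decisions, "tracked connections:", open_conns)
```

The last two sample segments are the difference from circuit level inspection and from a plain packet filter: without a state table, an inbound segment that merely looks like part of an existing connection has to be judged on its header alone.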

Page 16

Application layer filtering/gateway

• Examines the payload of network packets
• Inspection depends on the application layer protocol
– Will inspect HTTP, SMTP, FTP and other protocol commands
– Will inspect Microsoft® ActiveX, Java® etc.
– Used to check email for viruses
– Used to inspect web requests for signs of attack
– ISA Server
– Can be slow, as it is deep packet inspection and multiple packets in a sequence can be examined in context

Page 17

Tunnelling

• Used to bypass firewall inspection by encapsulating traffic with a header that will pass inspection
• Also used to bypass firewall inspection by encapsulating encrypted traffic that can’t be inspected
• To protect from tunnelled traffic:
– Perform application layer filtering
– Block encrypted traffic
– Implement intrusion detection
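The following is an added example, not code from the slides or from any product named on them, tying the application layer filtering page to the tunnelling page above. A packet filter accepts anything that is "TCP to port 80"; the check below parses the payload as HTTP and rejects what is not a well-formed request: a TLS record on the plain HTTP port (encrypted traffic that cannot be inspected), the CONNECT method (an HTTP-level tunnel request), and a body that the headers do not account for (a foreign stream carried behind an HTTP header that would pass a header-only check). The allowed method list, size limit and sample payloads are constructed for the example.

```python
# Added example, not from the slides: an application-layer check for traffic
# that a packet filter would accept as "TCP to port 80". The method list,
# body limit and sample payloads are constructed for this example.
ALLOWED_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
MAX_BODY = 1_000_000
TLS_RECORD_TYPES = {0x14, 0x15, 0x16, 0x17}   # change_cipher_spec, alert, handshake, app data


def inspect_http(payload: bytes):
    """Return (verdict, reason) for one client-to-server request payload."""
    # Encrypted traffic that cannot be inspected: a TLS record on the HTTP port.
    if len(payload) >= 3 and payload[0] in TLS_RECORD_TYPES and payload[1] == 0x03:
        return "deny", "TLS record on plain HTTP port: cannot inspect"
    head, sep, body = payload.partition(b"\r\n\r\n")
    if not sep:
        return "deny", "no end of HTTP headers"
    try:
        lines = head.decode("ascii").split("\r\n")
    except UnicodeDecodeError:
        return "deny", "non-ASCII bytes in request headers"
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return "deny", "malformed request line"
    method, target, version = parts
    if method == "CONNECT":
        return "deny", "CONNECT tunnel request not allowed"
    if method not in ALLOWED_METHODS:
        return "deny", f"method {method} not allowed"
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon or not name.strip():
            return "deny", "malformed header line"
        headers[name.strip().lower()] = value.strip()
    if version == "HTTP/1.1" and "host" not in headers:
        return "deny", "HTTP/1.1 request without Host header"
    if "content-length" in headers:
        if not headers["content-length"].isdigit():
            return "deny", "invalid Content-Length"
        declared = int(headers["content-length"])
        if declared > MAX_BODY:
            return "deny", "body larger than policy allows"
        if len(body) != declared:
            return "deny", "body length does not match Content-Length"
    elif body:
        # Bytes after the headers that no header accounts for: not HTTP traffic
        return "deny", "body present without Content-Length"
    return "permit", f"{method} {target}"


# Constructed sample payloads, labelled by what they represent
SAMPLES = {
    "plain get": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n",
    "post ok": b"POST /login HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 9\r\n\r\nuser=abcd",
    "tls on 80": b"\x16\x03\x01\x00\x2a" + b"\x01" * 42,
    "connect tunnel": b"CONNECT mail.example.com:22 HTTP/1.1\r\nHost: mail.example.com\r\n\r\n",
    "hidden stream": b"GET / HTTP/1.1\r\nHost: www.example.com\r\n\r\n" + b"\x00\xffdata" * 20,
    "bad length": b"POST /up HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 3\r\n\r\nabcdef",
}


def run_samples():
    """Verdict per sample payload."""
    return {name: inspect_http(p)[0] for name, p in SAMPLES.items()}


if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(f"{name:15} {inspect_http(payload)}")
```

This is also why the slide calls application layer filtering slow: the check needs the whole request reassembled before it can say anything, whereas the packet filter decides per packet from the header.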

Page 18

Proxy servers

• Accepts a connection from a client and then creates a separate connection to the server/destination

• No direct connection between client and server

• Application layer proxy will also filter content and cache web content

• May require the clients to be configured to use the proxy

Page 19

NAT

• RFC 3022
• Changes IP addresses and port numbers
• Allows a network to use a single external IP
• Private addresses are not routable on the internet
• Hides internal addresses
• No payload inspection
• Static NAT: one-to-one IPs
• Dynamic NAT: many-to-many IPs
• PAT: using up to 64,000 port numbers per IP
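As an added example (not code from the slides), a toy NAT box that combines static NAT for a DMZ host (one private address permanently mapped to one public address) with PAT for the intranet (many private hosts sharing one public address, told apart by the translated source port). Inbound packets that match no mapping are dropped, which is what "hides internal addresses" means in practice. Addresses and the deliberately tiny port pool are constructed.

```python
# Added example, not from the slides: a toy NAT box combining static NAT
# (one public address permanently mapped to one DMZ host) with PAT (many
# intranet hosts sharing one public address, distinguished by port).
# Addresses and port ranges are constructed sample values.
from dataclasses import dataclass, replace
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


class Nat:
    def __init__(self, public_ip: str, static: dict, port_range=(1024, 65535)):
        self.public_ip = public_ip                 # shared address for PAT
        self.static = dict(static)                 # private -> public, one-to-one
        self.static_rev = {v: k for k, v in static.items()}
        self.next_port, self.last_port = port_range
        self.pat = {}        # (public port, proto) -> (private ip, private port)
        self.pat_rev = {}    # (private ip, private port, proto) -> public port

    def outbound(self, f: Flow) -> Flow:
        """Translate a private-source flow as it leaves for the internet."""
        if f.src in self.static:
            return replace(f, src=self.static[f.src])      # static NAT: address only
        key = (f.src, f.sport, f.proto)
        if key not in self.pat_rev:                         # allocate a public port
            if self.next_port > self.last_port:
                raise RuntimeError("PAT port pool exhausted")
            port = self.next_port
            self.next_port += 1
            self.pat_rev[key] = port
            self.pat[(port, f.proto)] = (f.src, f.sport)
        return replace(f, src=self.public_ip, sport=self.pat_rev[key])

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Translate a flow arriving from the internet; None means drop."""
        if f.dst in self.static_rev:
            return replace(f, dst=self.static_rev[f.dst])   # DMZ host is reachable
        if f.dst == self.public_ip and (f.dport, f.proto) in self.pat:
            priv_ip, priv_port = self.pat[(f.dport, f.proto)]
            return replace(f, dst=priv_ip, dport=priv_port)  # reply to an existing flow
        return None   # nothing maps here: internal addresses stay hidden


def run_sample():
    """Constructed traffic through a NAT with a two-port PAT pool."""
    nat = Nat("203.0.113.1", {"10.1.2.10": "203.0.113.10"}, port_range=(20000, 20001))
    a = nat.outbound(Flow("10.1.2.3", 40000, "198.51.100.50", 443))
    b = nat.outbound(Flow("10.1.2.4", 40000, "198.51.100.50", 443))   # same private port
    a_again = nat.outbound(Flow("10.1.2.3", 40000, "198.51.100.50", 443))  # reuses mapping
    dmz = nat.outbound(Flow("10.1.2.10", 25, "198.51.100.60", 25))
    reply_a = nat.inbound(Flow("198.51.100.50", 443, "203.0.113.1", a.sport))
    to_dmz = nat.inbound(Flow("198.51.100.70", 55000, "203.0.113.10", 443))
    stray = nat.inbound(Flow("198.51.100.70", 55001, "203.0.113.1", 22))
    try:
        nat.outbound(Flow("10.1.2.5", 40000, "198.51.100.50", 443))
        exhausted = False
    except RuntimeError:
        exhausted = True
    return {"a": a, "b": b, "a_again": a_again, "dmz": dmz, "reply_a": reply_a,
            "to_dmz": to_dmz, "stray": stray, "exhausted": exhausted}


if __name__ == "__main__":
    for name, value in run_sample().items():
        print(f"{name:9} {value}")
```

Two intranet hosts using the same private source port get different public ports, the DMZ host keeps its port because static NAT rewrites only the address, and the stray inbound packet to an unmapped port is dropped. The pool exhaustion case is why the slide's "up to 64,000 port numbers per IP" is a real limit, not just a curiosity.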

Page 20

Protecting firewalls

• Rules:
– Start with a default deny any
– Put specific rules first
– Permit only required ports, protocols and applications
• Keep the firewall updated: watch security announcements
• Update virus definition files routinely
• Physically protect the firewall
• Document the firewall configuration and review it
• Limit and authenticate remote management
• Use complex passwords
• Know and test rules
• Ensure no connections circumvent the firewall
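The "know and test rules" point can be partly automated. The following is an added example, not code from the slides: an audit of a rule list for the two rule-writing points above. A rule that is completely covered by an earlier rule can never match and is reported as shadowed (the usual symptom of a broad rule placed before a specific one), and a list that does not end in deny-any is reported as lacking a default deny. The rule fields and both sample policies are constructed.

```python
# Added example, not from the slides: a rule-list audit for "specific rules
# first" and "default deny any". Rule fields and sample policies are
# constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_network
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str = "any"            # "any", "tcp", "udp" or "icmp"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None   # None = any port

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        return (self.proto in ("any", other.proto)
                and ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and (self.dport is None or self.dport == other.dport))

    def is_deny_any(self) -> bool:
        return self.action == "deny" and self.covers(Rule("permit"))


def audit(rules):
    """Return a list of human-readable findings; empty means the list passed."""
    findings = []
    for j, later in enumerate(rules):
        for i, earlier in enumerate(rules[:j]):
            if earlier.covers(later):       # first match wins, so `later` is dead
                findings.append(f"rule {j} is shadowed by rule {i} "
                                f"({earlier.action} before {later.action})")
                break
    if not rules or not rules[-1].is_deny_any():
        findings.append("rule list does not end with a default deny any")
    return findings


# Constructed policy with the mistakes the slide warns about
BAD_POLICY = [
    Rule("permit", "tcp", dport=443),                          # broad
    Rule("permit", "tcp", dst="203.0.113.10/32", dport=443),   # intended restriction, never reached
    Rule("deny", "tcp", src="198.51.100.0/24"),
    Rule("permit", "tcp", src="198.51.100.5/32", dport=80),    # exception placed after the deny
    Rule("permit", "udp", dst="203.0.113.53/32", dport=53),
]                                                              # no closing deny any

# The same intent with specific rules first and a default deny last
GOOD_POLICY = [
    Rule("permit", "tcp", dst="203.0.113.10/32", dport=443),
    Rule("permit", "tcp", src="198.51.100.5/32", dport=80),
    Rule("deny", "tcp", src="198.51.100.0/24"),
    Rule("permit", "udp", dst="203.0.113.53/32", dport=53),
    Rule("deny"),
]


if __name__ == "__main__":
    for name, policy in (("bad", BAD_POLICY), ("good", GOOD_POLICY)):
        print(name, audit(policy) or ["ok"])
```

`covers` is a subsumption test rather than a packet match: it asks whether one rule's whole match space lies inside another's, which is the question rule ordering depends on. Partial overlaps (two rules that share some packets but not all) are deliberately not reported here, since they are usually intended.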

Page 21

Lesson summary

• Learned about the concept of secure network topologies, segmented logically into security zones, with different trust levels

• How to use models and zones to secure the network perimeter

• How to implement and use firewalls for network security, and the different types of firewall