
SECURITY APPLIANCES, Module 2 Unit 2 (presentation transcript)




1 SECURITY APPLIANCES: Module 2 Unit 2

2 SECURE NETWORK TOPOLOGIES
A topology is a description of how a computer network is physically or logically organized. It is essential to define the topology when designing a computer network and to update the map whenever changes or additions are made to it. The logical and physical network topology should be analysed to identify points of vulnerability and to ensure that the goals of confidentiality, integrity and availability are met by the design.

3 ZONES AND ACCESS CONTROL LISTS
The main unit of a security topology is a zone. A zone is an area of the network (or of a connected network) where the security configuration is the same for all hosts within it. Network traffic between zones is strictly controlled using a security device, the firewall.

4 ZONES AND ACCESS CONTROL LISTS CONT'D
A firewall is software or hardware that filters traffic passing into and out of the network. The firewall bases its decisions on a set of rules called an Access Control List (ACL). Dividing a network into zones implies that each zone has a different security configuration.

5 MAIN ZONES
Private network (intranet): a network of trusted hosts owned and controlled by the organization.
Extranet: a network of semi-trusted hosts, typically representing business partners, suppliers or customers. Hosts must authenticate to join the extranet.
Internet: a zone permitting anonymous access (or perhaps a mix of anonymous and authenticated access) by untrusted hosts over the Internet.

6 NETWORK SECURITY ZONES

7 DEMILITARIZED ZONES (DMZ)
A DMZ is a computer host or small network inserted as a "neutral zone" between a company's private network and the outside public network. It prevents outside users from getting direct access to a server that holds company data. A bastion host is a device in a DMZ that is built to withstand attacks.


9 NETWORK ADDRESS TRANSLATION
NAT is a method that enables hosts on private networks to communicate with hosts on the Internet. NAT uses a one-to-one or one-to-many mapping to allow one or more private IP clients to gain access to the Internet by mapping their private IP addresses to public IP addresses.

10 NETWORK ADDRESS TRANSLATION CONT'D

11
Type of address | Meaning
Inside local    | Private IP address that is being translated into a public IP address
Inside global   | Public IP address that the private IP address is being translated into
Outside global  | The destination's (outside) public IP address
Outside local   | The destination's (outside) private IP address
The NAT device keeps an address translation table (one-to-one address translation).

12 STATIC NAT
In static NAT, a manual translation is performed by an address translation device, translating one IP address to a different one. Static NAT is the simplest form of NAT: a single private IP address is mapped to a single public IP address. The NAT router must maintain a table in memory that maps internal IP addresses to the addresses presented to the Internet.


14 DYNAMIC NAT
In dynamic NAT the NAT router automatically maps a group of valid local IP addresses to a group of Internet IP addresses, as needed. The network administrator is not concerned about which IP address the internal clients use: any private IP address will automatically be translated to one of the available Internet IP addresses by the NAT router. Addresses for dynamic NAT are pulled out of a predefined pool of public addresses.

15 PORT ADDRESS TRANSLATION
Port address translation (PAT), also known as overloading, is a special form of dynamic NAT. It allows multiple internal, private IP addresses to use a single external registered address. To differentiate between the connections, PAT uses multiple public TCP and UDP ports to create unique sockets that map to internal IP addresses.

16 PORT ADDRESS TRANSLATION CONT'D

17 DESTINATION NAT / PORT FORWARDING
The NAT server uses port forwarding to send connections from external clients to the web server on the internal network. The router takes requests from the Internet for a particular application (say, HTTP/port 80) and sends them to a designated host and port on the LAN.
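Slides 12 through 17 describe three translation behaviours of one NAT device: static one-to-one mapping, PAT (many private sockets behind one public address, distinguished by port) and destination NAT / port forwarding. The simulation below is an added example, not code from the slides; the router class, its method names and all addresses (RFC 5737 documentation ranges) are constructed for illustration. It shows the translation table the slides mention being built on outbound traffic and consulted on inbound traffic, and that an inbound packet with no table entry is dropped.

```python
import itertools
from typing import Dict, Optional, Tuple

# (ip, port) pair; all sample values below are constructed, not from the slides
Socket = Tuple[str, int]


class NatRouter:
    """Toy NAT device combining static NAT, PAT and port forwarding (hypothetical design)."""

    def __init__(self, public_ip: str, static_map: Dict[str, str], forwards: Dict[int, Socket]):
        self.public_ip = public_ip
        self.static_map = dict(static_map)          # inside local -> inside global, one-to-one
        self.forwards = dict(forwards)              # public port -> (inside local ip, port), DNAT
        self.pat_table: Dict[Socket, Socket] = {}   # inside socket -> (public ip, allocated port)
        self.reverse: Dict[int, Socket] = {}        # allocated public port -> inside socket
        self._ports = itertools.count(40000)        # constructed public port pool for PAT

    def outbound(self, src: Socket, dst: Socket) -> Tuple[Socket, Socket]:
        """Translate a packet leaving the private network; returns (new src, dst)."""
        ip, port = src
        if ip in self.static_map:
            # static NAT: only the address changes, the port is preserved
            return (self.static_map[ip], port), dst
        if src not in self.pat_table:
            # PAT: many hosts share public_ip, a unique public port identifies each flow
            pub_port = next(self._ports)
            self.pat_table[src] = (self.public_ip, pub_port)
            self.reverse[pub_port] = src
        return self.pat_table[src], dst

    def inbound(self, src: Socket, dst: Socket) -> Optional[Tuple[Socket, Socket]]:
        """Translate a packet arriving from the Internet; None means no mapping, so drop."""
        ip, port = dst
        if ip == self.public_ip:
            if port in self.reverse:                 # reply to an existing PAT flow
                return src, self.reverse[port]
            if port in self.forwards:                # destination NAT / port forwarding
                return src, self.forwards[port]
            return None                               # unsolicited: nothing in the table
        for local, glob in self.static_map.items():  # static entries accept any port
            if glob == ip:
                return src, (local, port)
        return None


def build_demo_router() -> NatRouter:
    # Constructed topology: one statically mapped host and a web server reachable via port 80
    return NatRouter(
        public_ip="203.0.113.1",
        static_map={"10.0.0.5": "203.0.113.5"},
        forwards={80: ("10.0.0.80", 8080)},
    )
```

Two PAT clients using the same local port 5000 receive different public ports (40000 and 40001 in this constructed pool), which is exactly how the "unique sockets" on slide 15 are formed; a return packet to port 40002 has no entry and is dropped.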

18 FIREWALL
A firewall is a network security system that controls incoming and outgoing network traffic based on an applied rule set. A firewall establishes a barrier between a trusted, secure internal network and another network (e.g., the Internet) that is assumed to be neither secure nor trusted.

19 PACKET FILTERING FIREWALL
A packet filtering firewall can inspect the headers of IP packets. It uses IP and transport-layer header information only:
IP source address and destination address
Protocol / next header (TCP, UDP, ICMP, etc.)
TCP or UDP source and destination ports
ICMP message type

20
Uses the following header information as criteria for filtering every data packet:
IP address of origin
IP target address
The protocol used
ICMP message type
TCP/UDP target port
TCP/UDP origin port
Receiving network device
Sending network device
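Slides 3 and 4 say traffic between zones is controlled by an ACL, and slides 19 and 20 list the header fields a packet filter may match on. The following is an added example (not code from the slides) of a first-match ACL evaluator over exactly those fields, with the Internet-to-DMZ and DMZ-to-intranet rule sets, the addresses and the sample packets all constructed for illustration. It makes visible the implicit deny at the end of the list and the fact that the filter sees only header fields, not connection state.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    """Only the header fields a packet filter looks at (slide 19/20)."""
    src: str
    dst: str
    proto: str                        # "tcp", "udp" or "icmp"
    sport: Optional[int] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str                       # "permit" or "deny"
    src: str = "0.0.0.0/0"            # unspecified fields match anything
    dst: str = "0.0.0.0/0"
    proto: Optional[str] = None
    dport: Optional[int] = None
    icmp_type: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        if ip_address(pkt.src) not in ip_network(self.src):
            return False
        if ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.icmp_type is not None and pkt.icmp_type != self.icmp_type:
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching rule decides; a packet matching no rule is denied (implicit deny)."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


# Constructed zone policy: a DMZ web server at 203.0.113.10 and a DMZ network 203.0.113.0/24
INTERNET_TO_DMZ = [
    Rule("permit", dst="203.0.113.10/32", proto="tcp", dport=80),
    Rule("permit", dst="203.0.113.10/32", proto="tcp", dport=443),
    Rule("permit", dst="203.0.113.0/24", proto="icmp", icmp_type=8),   # echo request only
    Rule("deny"),                                                      # explicit catch-all
]

# Constructed: only the web server may reach the intranet database (10.0.0.50) on one port
DMZ_TO_INTRANET = [
    Rule("permit", src="203.0.113.10/32", dst="10.0.0.50/32", proto="tcp", dport=5432),
    Rule("deny"),
]
```

Because the rules are evaluated top-down, order matters: a broad permit placed above a narrow deny silently defeats the deny, which is the usual mistake to look for when auditing an ACL.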

21 STATEFUL INSPECTION FIREWALL
Traditional packet filters do not examine transport-layer context, i.e. they do not match return packets with the outgoing flow. Stateful packet filters address this need. They examine each IP packet in context: they keep track of client-server sessions and check that each packet validly belongs to one. Hence they are better able to detect bogus packets that are out of context.
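Slide 21 contrasts a stateless filter with one that tracks sessions. The connection tracker below is an added example (not from the slides); the class, its simplified state machine and the sample addresses are constructed. It admits an inbound packet only if it matches a session that an inside host opened with a SYN, which is what lets it reject a server-side packet with the wrong port or a bare inbound SYN that a stateless filter matching "source port 443" would have passed.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, Set, Tuple

# (client ip, client port, server ip, server port); values below are constructed samples
Flow = Tuple[str, int, str, int]


class StatefulFilter:
    """Simplified TCP connection tracker: sessions exist only when started from inside."""

    def __init__(self, inside_net: str):
        self.inside = ip_network(inside_net)
        self.sessions: Dict[Flow, str] = {}    # flow -> "SYN_SENT" or "ESTABLISHED"

    def process(self, src: str, sport: int, dst: str, dport: int, flags: Set[str]) -> str:
        if ip_address(src) in self.inside:
            return self._outbound((src, sport, dst, dport), flags)
        # inbound: the flow key is stored from the client's point of view
        return self._inbound((dst, dport, src, sport), flags)

    def _outbound(self, flow: Flow, flags: Set[str]) -> str:
        if "SYN" in flags and "ACK" not in flags:
            self.sessions[flow] = "SYN_SENT"     # inside host opens a session
            return "permit"
        if flow not in self.sessions:
            return "deny"                        # data without a handshake is out of context
        if "RST" in flags:
            del self.sessions[flow]              # real trackers also age out idle/FIN'd flows
        return "permit"

    def _inbound(self, flow: Flow, flags: Set[str]) -> str:
        state = self.sessions.get(flow)
        if state is None:
            return "deny"                        # unsolicited inbound, including a bare SYN
        if state == "SYN_SENT":
            if {"SYN", "ACK"} <= flags:
                self.sessions[flow] = "ESTABLISHED"
                return "permit"
            return "deny"                        # wrong handshake step for this state
        if "RST" in flags:
            del self.sessions[flow]
        return "permit"
```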

22 APPLICATION LAYER GATEWAY
An application gateway (also called an application proxy or application-level proxy) is an application program that runs on a firewall system between two networks. When a client program establishes a connection to a destination service, it actually connects to the application gateway, or proxy.

23 PROXY SERVERS AND GATEWAYS
Filter unwanted services.
There is no direct data exchange between internal and external computers.

24 REVERSE PROXY SERVERS
Monitor inbound traffic.
Prevent direct, unmonitored access to a server's data from outside the company.
Advantages: performance, privacy.

25 EMAIL GATEWAYS AND SPAM
Spam is junk or unsolicited email. Most new email application software has spam filtering built in. This is an appropriate solution for home users, but on enterprise networks, if spam has already reached the user's mailbox then it has already wasted bandwidth and taken up space on the server. A secure configuration for email is to install an email relay server in a DMZ.

26 METHODS TO REDUCE SPAM
Whitelist: if an organization only deals with a limited number of correspondents, it can set up a whitelist of permitted domains.
SMTP standard checking: rejecting email that does not strictly follow the RFC.
rDNS lookup: rejecting mail from servers where the IP address does not match the domain in the message header or is a dynamically assigned address.

27 Tarpitting: introducing a delayed response to the SMTP session. This makes the spammer's server less efficient.
Recipient filtering: block mail that is not addressed to a valid recipient email address.
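Slides 26 and 27 list five checks a DMZ mail relay can apply before accepting a message. The policy class below is an added example, not code from the slides: the class and method names, the simplified address syntax check (a stand-in for full RFC 5321 grammar), the reverse-DNS table replacing live PTR lookups, and all domains and addresses are constructed for illustration. It applies the checks in order (syntax, whitelist, rDNS, recipient) and returns the tarpit delay that grows with each rejection from the same peer.

```python
import re
from typing import Dict, Optional, Set, Tuple

# Constructed reverse-DNS (PTR) answers standing in for live lookups; not from the slides
PTR_TABLE: Dict[str, str] = {
    "198.51.100.25": "mail.partner.example",
    "203.0.113.77": "dyn-203-0-113-77.pool.isp.example",   # name suggests a dynamic address
    "192.0.2.9": "smtp.other.example",
}
# Hostname fragments commonly seen on dynamically assigned addresses (heuristic, constructed)
DYNAMIC_HINTS = re.compile(r"(dyn|dhcp|pool|ppp)", re.IGNORECASE)
# Simplified address syntax (hypothetical); a real relay enforces the RFC 5321 grammar
ADDRESS = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


class RelayPolicy:
    """Decisions a DMZ email relay makes before accepting mail for an internal mailbox."""

    def __init__(self, whitelist: Optional[Set[str]], valid_recipients: Set[str], local_domain: str):
        self.whitelist = whitelist                # permitted sender domains, None = no whitelist
        self.valid_recipients = valid_recipients  # recipient filtering source of truth
        self.local_domain = local_domain
        self.rejections: Dict[str, int] = {}      # per-peer count that drives the tarpit

    def rdns_ok(self, ip: str, sender_domain: str) -> bool:
        """rDNS lookup: PTR must exist, not look dynamic, and sit in the sender's domain."""
        ptr = PTR_TABLE.get(ip)
        if ptr is None or DYNAMIC_HINTS.search(ptr):
            return False
        return ptr == sender_domain or ptr.endswith("." + sender_domain)

    def tarpit_delay(self, ip: str) -> int:
        """Seconds to wait before answering this peer's next command (capped at 60)."""
        return min(5 * self.rejections.get(ip, 0), 60)

    def _reject(self, ip: str, reason: str) -> Tuple[str, str]:
        self.rejections[ip] = self.rejections.get(ip, 0) + 1
        return ("reject", reason)

    def check(self, ip: str, mail_from: str, rcpt_to: str) -> Tuple[str, str]:
        if not ADDRESS.match(mail_from) or not ADDRESS.match(rcpt_to):
            return self._reject(ip, "syntax")             # SMTP standard checking
        sender_domain = mail_from.rsplit("@", 1)[1].lower()
        if self.whitelist is not None and sender_domain not in self.whitelist:
            return self._reject(ip, "whitelist")
        if not self.rdns_ok(ip, sender_domain):
            return self._reject(ip, "rdns")
        rcpt = rcpt_to.lower()
        if not rcpt.endswith("@" + self.local_domain) or rcpt not in self.valid_recipients:
            return self._reject(ip, "recipient")          # recipient filtering
        return ("accept", "ok")
```

Rejecting before the message body is transferred is the point of doing this on the relay: the bandwidth and mailbox space slide 25 worries about are never spent, and the tarpit delay makes each further attempt from a rejected peer cost the sender more time.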

