Presentation is loading. Please wait.

Presentation is loading. Please wait.

Guide to Network Defense and Countermeasures Second Edition Chapter 10 Firewall Topology.

Published byTamsin Bradford Modified over 8 years ago

Similar presentations

Presentation on theme: "Guide to Network Defense and Countermeasures Second Edition Chapter 10 Firewall Topology."— Presentation transcript:

1 Guide to Network Defense and Countermeasures Second Edition Chapter 10 Firewall Topology

2 Guide to Network Defense and Countermeasures, Second Edition2 Objectives Explain the goal of securing the network perimeter Describe factors in choosing a bastion host Explain how to supplement a firewall with a proxy server Set up Network Address Translation (NAT) Decide when to use user, session, or client authentication

3 Guide to Network Defense and Countermeasures, Second Edition3 Securing Network Perimeters Goal is to provide adequate access without jeopardizing confidential or mission-critical areas You need –Firewalls, IDSs, bastion host, Network Address Translation (NAT), proxy servers Combined with authentication mechanisms Bastion host –Provides Web, FTP, e-mail, or other services running on a specially secured server

4 Guide to Network Defense and Countermeasures, Second Edition4 Choosing a Bastion Host Security software does not operate on its own –You install it on a computer Bastion host –Computer that sits on the network perimeter –Has been specially protected through OS patches, authentication, and encryption

5 Guide to Network Defense and Countermeasures, Second Edition5 General Requirements Steps in creating a bastion host –Select sufficient memory and processor speed –Choose and install OS and any patches or updates –Determine where the bastion host will fit in the network configuration –Install services you want to provide –Remove services and accounts that aren’t needed. –Back up the system and all data on it –Run a security audit –Connect the machine to the network

6 Guide to Network Defense and Countermeasures, Second Edition6 Selecting the Bastion Host Machine Select familiar hardware and software Ideal situation –One bastion host for each service you want to provide –Can be prohibitively expensive Operating system –Pick a version that is stable and secure –Check OS Web site for patches and updates

7 Guide to Network Defense and Countermeasures, Second Edition7 Selecting the Bastion Host Machine (continued) Memory and processor speed –Memory is always important when operating a server –Bastion host might provide only a single service Does not need gigabytes of RAM –Match processing power to server load You might have to add processor Location on the network –Typically located outside the internal network Combined with packet-filtering devices –Multiple bastion hosts are set up in the DMZ

8 Guide to Network Defense and Countermeasures, Second Edition8

9 9

10 10 Hardening the Bastion Host Selecting services to provide –Close unnecessary ports –Disable unnecessary user accounts and services Reduces chances of being attacked –Disable routing or IP forwarding services –Do not remove dependency services System needs them to function correctly

11 Guide to Network Defense and Countermeasures, Second Edition11 Hardening the Bastion Host (continued) Using honeypots –Honeypot Computer placed on the network perimeter Attracts attackers away from critical servers Appears real –Network security experts are divided about honeypots –Laws on the use of honeypots are confusing at best –Another goal of a honeypot is logging Logs are used to learn about attackers techniques

12 Guide to Network Defense and Countermeasures, Second Edition12

13 Guide to Network Defense and Countermeasures, Second Edition13 Hardening the Bastion Host (continued) Disabling user accounts –Default accounts are created during OS installation –Disable all user accounts from the bastion host Users should not be able to connect to it –Rename the Administrator account –Passwords at least 6-8 alphanumeric characters

14 Guide to Network Defense and Countermeasures, Second Edition14 Handling Backups and Auditing Essential steps in hardening a computer –Backups –Detailed recordkeeping –Auditing Copy log files to other computers in your network –Check these files for viruses Audit all failed and successful attempts to log on to the bastion host –And any attempts to access or change files

15 Guide to Network Defense and Countermeasures, Second Edition15 Working with Proxy Servers Proxy server –Software product –Forwards packets to and from the network being protected –Caches Web pages to speed up network performance

16 Guide to Network Defense and Countermeasures, Second Edition16 Goals of Proxy Servers Original goal –Speed up network communications –Information is retrieved from proxy cache instead of the Internet If information has not changed at all Other goals –Provide security at the application layer –Shield hosts on the internal network –Control Web sites users are allowed to visit

17 Guide to Network Defense and Countermeasures, Second Edition17

18 Guide to Network Defense and Countermeasures, Second Edition18 How Proxy Servers Work Proxy server goal –Prevent a direct connection between an external computer and an internal computer Proxy servers work at the application layer –Opens the packet and examines the data –Decides to which application it should forward the packet –Reconstructs the packet and forwards it Replace the original header with a new header –Containing proxy’s own IP address

19 Guide to Network Defense and Countermeasures, Second Edition19

20 Guide to Network Defense and Countermeasures, Second Edition20 How Proxy Servers Work (continued) Proxy server receives traffic before it goes to the Internet Client programs are configured to connect to the proxy server instead of the Internet –Web browser –E-mail applications

21 Guide to Network Defense and Countermeasures, Second Edition21

22 Guide to Network Defense and Countermeasures, Second Edition22

23 Guide to Network Defense and Countermeasures, Second Edition23 Choosing a Proxy Server Different proxy servers perform different functions Freeware proxy servers –Often described as content filters –Do not have features for business applications –Example: Squid Commercial proxy servers –Offer Web page caching, source and destination IP addresses translation, content filtering, and NAT –Example: Microsoft ISA Server

24 Guide to Network Defense and Countermeasures, Second Edition24 Choosing a Proxy Server (continued) Proxy servers that can include firewall functions –Having an all-in-one program simplifies life –Disadvantages Single point of failure –Try to use several software and hardware products to protect your network

25 Guide to Network Defense and Countermeasures, Second Edition25 Filtering Content Proxy servers can open packets and examine data Proxy servers can filter out content –That would otherwise appear in a user’s Web browser –Can block Web sites with content your users should not be viewing –Can also drop executable programs Java applets ActiveX controls

26 Guide to Network Defense and Countermeasures, Second Edition26 Using Network Address Translation (NAT) Network Address Translation (NAT) –Go-between –Receives requests at its own IP address and forwards them to the correct IP address A NAT-enable device is the only one that needs a public IP address Essential functions many firewalls or routers perform –Shields IP addresses of internal hosts NAT modes –Hide-mode and static mapping

27 Guide to Network Defense and Countermeasures, Second Edition27 Hide-Mode Mapping Process of having multiple IP addresses behind one public IP address Dynamic Host Configuration Protocol (DHCP) –Enables IP addresses to be assigned dynamically among hosts on a network Disadvantages –Cannot hide all clients behind a single IP address –Does not work with some types of VPNs –Cannot provide more than one service with a single IP address

28 Guide to Network Defense and Countermeasures, Second Edition28

29 Guide to Network Defense and Countermeasures, Second Edition29 Static Mapping Internal IP addresses are mapped to external, routable IP addresses –On a one-to-one basis Internal IP addresses are still hidden –Computers appear to have public addresses All addresses are static

30 Guide to Network Defense and Countermeasures, Second Edition30

31 Guide to Network Defense and Countermeasures, Second Edition31 Authenticating Users Authentication –Identify users authorized to access the network –Important role in firewall or other security configurations Depends on the exchange of information –Password –Key –Checksum –Smart card

32 Guide to Network Defense and Countermeasures, Second Edition32 Step 1: Deciding What to Authenticate User authentication –Identify person authorized to access network –Users submit credentials and log on to the network –Can be automatic and based on key exchange –Define an user and assign it to a group Set access rules for that group –Other restrictions IP addresses Time-based restrictions

33 Guide to Network Defense and Countermeasures, Second Edition33

34 Guide to Network Defense and Countermeasures, Second Edition34

35 Guide to Network Defense and Countermeasures, Second Edition35 Step 1: Deciding What to Authenticate (continued) Client authentication –Grant access to network resources based on Source IP address Computer MAC address Computer name –Identification can be automatic or manual Manual requires extra effort but offers more security –Knowing a username and password is not enough User must log on from an authorized IP address

36 Guide to Network Defense and Countermeasures, Second Edition36

37 Guide to Network Defense and Countermeasures, Second Edition37 Step 1: Deciding What to Authenticate (continued) Session authentication –Authorize user or computer on a per-connection basis –Uses special authentication software on the client Exchanges information with the firewall –Gives the user more flexibility than user or client authentication

38 Guide to Network Defense and Countermeasures, Second Edition38

39 Guide to Network Defense and Countermeasures, Second Edition39 Step 2: Deciding How to Authenticate Password Security –User name and password compared against a database of approved users –Simplest and most straightforward authentication –Password systems OS password Firewall password S/Key password SecureID

40 Guide to Network Defense and Countermeasures, Second Edition40

41 Guide to Network Defense and Countermeasures, Second Edition41 Step 2: Deciding How to Authenticate (continued) Smart cards and tokens –Two-factor authentication Combines objects the user posses with passwords –Most common objects used in authentication Smart cards Tokens –Smart cards Similar to ATM cards –Tokens Objects that enable users to authenticate themselves Examples :Smart cards, handhelds, key fobs

42 Guide to Network Defense and Countermeasures, Second Edition42 Step 2: Deciding How to Authenticate (continued) Exchanging public and private keys –Password is a code used to authenticate yourself –Computers can also authenticate each other Exchanging codes Code can be long and complicated Called keys –Keys Blocks of encrypted code generated by algorithms –Public key cryptography Authenticates by exchanging public and private keys

43 Guide to Network Defense and Countermeasures, Second Edition43

44 Guide to Network Defense and Countermeasures, Second Edition44 Step 2: Deciding How to Authenticate (continued) Digital signatures –Message recipient can authenticate sender’s identity –One-way hash function Called a message digest Code of fixed-length Results from processing a message through a mathematical function –One-way hash function characteristics Value is unique for the hashed data Data cannot be deduced from the hash

45 Guide to Network Defense and Countermeasures, Second Edition45 Step 2: Deciding How to Authenticate (continued) Digital signatures –Signing software creates a hash of the message And encrypts it using your private key –Validation process Recipient uses signer’s public key to decrypt the hash Computes hash value of received message –Using same hashing algorithm as the sender Compares hash values

46 Guide to Network Defense and Countermeasures, Second Edition46 Step 3: Putting It All Together S-HTTP –Secure Hypertext Transfer Protocol (S-HTTP) Encrypts communication between a Web server and a Web browser –Using Secure Socket Layer (SSL) or Transport Layer Security (TLS) SSL encrypts data portion of a packet not the header –Firewall can still filter and route it SSL does not provide user authentication

47 Guide to Network Defense and Countermeasures, Second Edition47 Step 3: Putting It All Together (continued) IPSec/IKE –IPSec encrypts communications at network layer of OSI model –Widely used –NAT can interfere with IPSec –Internet Key Exchange (IKE) Allows exchange of public and private keys –Internet Security Association Key Management Protocol (ISAKMP) Enables two computers to agree on security settings

48 Guide to Network Defense and Countermeasures, Second Edition48 Step 3: Putting It All Together (continued) Dial-in Authentication: RADIUS and TACACS+ –Terminal Access Controller Access Control System (TACACS+) Called “Tac-plus” Authentication protocols developed by Cisco Systems Uses MD5 to produce an encrypted digest version of transmitted data

49 Guide to Network Defense and Countermeasures, Second Edition49 Step 3: Putting It All Together (continued) Dial-in Authentication: RADIUS and TACACS+ –Remote Authentication Dial-In User Service (RADIUS) Provides less security than TACACS+ More widely supported Transmits authentication packets unencrypted across the network Vulnerable to packet sniffing

50 Guide to Network Defense and Countermeasures, Second Edition50 Summary Modern networks require a variety of services Firewalls cannot secure a network alone Bastion host –Computer on the network perimeter –Specially protected through OS patches, authentication, and encryption Proxy server –Forwards packets to and from the network –Caches Web pages to speed up network performance

51 Guide to Network Defense and Countermeasures, Second Edition51 Summary (continued) Network Address Translation (NAT) –Conceals the IP addresses of computers on the internal network from external locations Authentication types –Client authentication –User authentication –Session authentication Encryption schemes –Secure Socket Layer (SSL) –Internet Protocol Security (IPSec)

Download ppt "Guide to Network Defense and Countermeasures Second Edition Chapter 10 Firewall Topology."

Similar presentations

Enabling Secure Internet Access with ISA Server

Enabling Secure Internet Access with ISA Server
Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.

Authenticating Users. Objectives Explain why authentication is a critical aspect of network security Explain why firewalls authenticate and how they identify.
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.

ITIS 1210 Introduction to Web-Based Information Systems Chapter 44 How Firewalls Work How Firewalls Work.
FIREWALLS Chapter 11.

FIREWALLS Chapter 11.
Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)

Setting Up a Virtual Private Network Chapter 9. Learning Objectives Understand the components and essential operations of virtual private networks (VPNs)
5-Network Defenses Dr. John P. Abraham Professor UTPA.

5-Network Defenses Dr. John P. Abraham Professor UTPA.
Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.

Information Security 1 Information Security: Security Tools Jeffy Mwakalinga.
FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.

FIREWALLS. What is a Firewall? A firewall is hardware or software (or a combination of hardware and software) that monitors the transmission of packets.
FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.

FIREWALLS The function of a strong position is to make the forces holding it practically unassailable —On War, Carl Von Clausewitz On the day that you.
SCSC 455 Computer Security Virtual Private Network (VPN)

SCSC 455 Computer Security Virtual Private Network (VPN)
FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 7 Working with Proxy Servers & Application-Level Firewalls By Whitman, Mattord,

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. 7 Working with Proxy Servers & Application-Level Firewalls By Whitman, Mattord,
Working with Proxy Servers and Application-Level Firewalls Chapter 5.

Working with Proxy Servers and Application-Level Firewalls Chapter 5.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 13: Planning Server and Network Security.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.

Building Your Own Firewall Chapter 10. Learning Objectives List and define the two categories of firewalls Explain why desktop firewalls are used Explain.
Firewall Configuration Strategies

Firewall Configuration Strategies
Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
Part 5:Security Network Security (Access Control, Encryption, Firewalls)

Part 5:Security Network Security (Access Control, Encryption, Firewalls)
Guide to Network Defense and Countermeasures Third Edition

Guide to Network Defense and Countermeasures Third Edition

Similar presentations

Ads by Google