Lesson 18-Internet Architecture. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address.
Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address translation. Design partner networks.

Internet Services Services to offer. Services not to offer.

Services to Offer The organization may provide the following services through the Internet: Mail. Encrypted e-mail. Web. Internal access to the Internet. External access to internal systems. Control services.

Mail Mail service is generally offered to internal employees to send and receive messages. It requires that at least one server be established to receive inbound mail. Outbound mail can move through the same server or directly from desktop systems. The organization may also choose to establish relays for public mail to be sent to discussion groups.

Encrypted E-mail It is better to encrypt the contents of the e-mail to protect any sensitive information. Systems such as desktop software and network appliances placed in the mail stream provide encrypted e-mail.

Web To publish information via the Web, the organization needs to establish a Web server. Web servers can provide static content or dynamic content. HTTPS is used for Web pages that contain sensitive information or require authentication. A File Transfer Protocol (FTP) server allows external individuals to get or send files.

Internal Access to the Internet The most common services that employees are allowed to access are: HTTP (port 80) and HTTPS (port 443); FTP (ports 21 and 20); Telnet (port 23) and SSH (port 22); POP-3 (port 110) and IMAP (port 143); NNTP (port 119).

External Access to Internal Systems External access to sensitive internal systems is a delicate matter. The two forms of external access are employee access and non-employee access. External access may be accomplished through VPNs, dial-up lines, leased lines, or unencrypted access over the Internet.

Control Services These services are required for the smooth functioning of the network and the Internet connection. DNS - Domain Name Service is used to resolve system names into IP addresses.

Control Services ICMP - Internet Control Message Protocol provides services such as ping and messages that help the network function efficiently. NTP - Network Time Protocol is used to synchronize time between various systems.

Services Not to Offer The Internet architecture should be designed to accommodate only the services that the organization requires. Services that should not be offered because of their security risk are NetBIOS, Unix RPC, NFS, the "r" services, TFTP, remote control protocols, and SNMP.
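The two slides above amount to a packet-filter policy: a short list of outbound services employees may use, and a list of services that must not be reachable at all. As an added example (not part of the lesson), the following Python models that policy as a first-match ruleset, the way most packet filters evaluate rules, and runs a few constructed flows through it. The port numbers for the allowed services are the ones the slide gives; the port numbers for the risky services are the standard IANA assignments, which the slide does not list, so treat that mapping as an assumption of the example. Note that FTP and Telnet carry credentials in cleartext and that active FTP (port 20) needs stateful handling, which this stateless filter does not model.

```python
from dataclasses import dataclass
from typing import List, Tuple

# Outbound TCP services the lesson lists as commonly permitted (ports from the slide).
ALLOWED_OUTBOUND_TCP = {80: "HTTP", 443: "HTTPS", 21: "FTP control", 20: "FTP data",
                        23: "Telnet", 22: "SSH", 110: "POP-3", 143: "IMAP", 119: "NNTP"}

# Services the lesson says not to offer. The slide gives no ports; these are the
# standard IANA assignments (assumption for this example). Ranges are inclusive.
RISKY_SERVICES = [
    ("NetBIOS name/datagram", "udp", (137, 138)),
    ("NetBIOS session", "tcp", (139, 139)),
    ("Unix RPC portmapper", "tcp", (111, 111)),
    ("Unix RPC portmapper", "udp", (111, 111)),
    ("NFS", "tcp", (2049, 2049)),
    ("NFS", "udp", (2049, 2049)),
    ("r services (rexec/rlogin/rsh)", "tcp", (512, 514)),
    ("TFTP", "udp", (69, 69)),
    ("SNMP", "udp", (161, 162)),
]

@dataclass(frozen=True)
class Rule:
    action: str             # "allow" or "deny"
    direction: str          # "in", "out" or "any"
    proto: str              # "tcp", "udp" or "any"
    ports: Tuple[int, int]  # inclusive destination-port range; (0, 65535) matches all
    name: str

@dataclass(frozen=True)
class Flow:
    direction: str  # "in" = from the Internet, "out" = towards the Internet
    proto: str
    dport: int

def build_ruleset() -> List[Rule]:
    """Deny the risky services first (both directions), then allow the approved
    outbound services, then default-deny everything else."""
    rules = [Rule("deny", "any", proto, rng, name) for name, proto, rng in RISKY_SERVICES]
    rules += [Rule("allow", "out", "tcp", (p, p), name) for p, name in ALLOWED_OUTBOUND_TCP.items()]
    rules.append(Rule("deny", "any", "any", (0, 65535), "default deny"))
    return rules

def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.direction in ("any", flow.direction)
            and rule.proto in ("any", flow.proto)
            and rule.ports[0] <= flow.dport <= rule.ports[1])

def evaluate(rules: List[Rule], flow: Flow) -> Tuple[str, str]:
    """First-match evaluation; returns (action, name of the rule that decided)."""
    for rule in rules:
        if matches(rule, flow):
            return rule.action, rule.name
    raise RuntimeError("ruleset has no default rule")

# Constructed sample flows, not taken from the lesson.
SAMPLE_FLOWS = [
    Flow("out", "tcp", 443),  # employee browsing an HTTPS site
    Flow("out", "udp", 161),  # SNMP poll leaving the network
    Flow("in", "tcp", 22),    # unsolicited SSH from the Internet
    Flow("in", "tcp", 139),   # NetBIOS session attempt from outside
]

if __name__ == "__main__":
    ruleset = build_ruleset()
    for flow in SAMPLE_FLOWS:
        action, name = evaluate(ruleset, flow)
        print(f"{flow.direction:>3} {flow.proto} dport={flow.dport:<5} -> {action:5} ({name})")
```

Putting the deny rules for the risky services ahead of the allow rules is what makes the ordering safe: if a later administrator adds a broad allow, the explicit denies still win, and the trailing default deny catches everything the policy never mentioned.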

Develop a Communications Architecture The primary issues in establishing an organization's Internet connection are throughput requirements and availability. The availability requirements of the connection should be set by the organization.

Develop a Communications Architecture The options are: single-line access; multiple-line access to a single ISP; multiple-line access to multiple ISPs.

Single-Line Access Standard single-line access architecture

Single-Line Access The following potential failures make single-line access suitable only for non-business-critical Internet connections: Router failure. CSU failure. Cut local loop. Damage to the telephone company's CO (central office). POP failure at the ISP.

Multiple-Line Access to a Single ISP These architectures are used to overcome the single points of failure in the single-line architecture. Shadow link or redundant circuit services offered by ISPs provide a second communication link in case of failure. Multiple-line access to a single ISP takes the form of either single-POP access or multiple-POP access.

Multiple-Line Access to a Single ISP Single-POP access: An ISP can provide fail-over access by setting up a redundant circuit to the same POP. It addresses failures in the router, the CSU, the phone company circuit to the CO, and the ISP's equipment. The benefit of this architecture is the low cost of the redundant circuit.

Multiple-Line Access to a Single ISP Multiple-POP access: Running a second connection to a second POP provides additional availability and reliability. The Border Gateway Protocol (BGP), run by the ISP, specifies the routes between entities with such dual connections. The single points of failure in the local loop and the CO can be overcome if the organization's facility has two local loop connections.

Multiple-Line Access to Multiple ISPs If architected correctly, the use of multiple ISPs can reduce the risk of loss of service dramatically. The issues that arise in choosing ISPs are the complexity of working with different ISPs, the in-depth knowledge of each ISP that is required, and the physical routing of the connections. Working with multiple ISPs also involves routing and IP address space issues that must be resolved.

Design a Demilitarized Zone Defining the DMZ. Systems to place in DMZ. Appropriate DMZ architectures.

Defining the DMZ A DMZ is created by providing a semi-protected network zone. The DMZ is delineated by network access controls, such as firewalls or heavily filtered routers. Any system that can be directly contacted by an external user should be placed in the DMZ, since such systems can be attacked. External systems must not be given access to sensitive internal systems.

Systems to Place in DMZ Layout of systems between the DMZ and the internal network

Systems to Place in DMZ A DMZ can have either separate internal and external mail servers or a single mail server on the firewall. Using a Web server to receive user input and a separate application server to process it protects the database server. All externally accessible systems should be placed in the DMZ. The organization's ISP can provide alternate DNS services.

Appropriate DMZ Architectures The three common architectures are router and firewall, single firewall, and dual firewall. Each architecture has its own advantages and disadvantages, so the organization must choose the one appropriate to its needs.

Appropriate DMZ Architectures Router and firewall architecture: The router and firewall architecture exposes the DMZ systems to risk from the Internet. The risk can be reduced by using filters on the router. The risk to the systems can also be reduced by locking them down so that only the services offered through the DMZ run on them.

Appropriate DMZ Architectures Single firewall architecture: A single firewall can be used to create a DMZ using a third interface. The single firewall becomes a single point of failure and a potential bottleneck for traffic, unless it is deployed in a fail-over configuration. The single firewall architecture is simpler than the router and firewall architecture.

Appropriate DMZ Architectures Dual firewall architecture: The dual firewall architecture uses two firewalls to separate the DMZ from the external and internal networks. Dual firewalls increase the cost of the architecture and require additional management and configuration.
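Whichever of the three architectures is chosen, the property the lesson is after is the same: the Internet talks only to DMZ hosts, and internal hosts such as the database are reached only through the Web and application servers in the DMZ. As an added example (not from the lesson), the following Python expresses the permitted flows of a dual-firewall design as a graph and checks that property by enumerating every path from the Internet to each internal host. The host names, zone placement and the ports for the app and database tiers are assumptions made for the example; the "bad" policy adds one constructed rule that punches straight through to the database so the check has something to catch. The same check applies to the partner-network rules discussed later, since a partner DMZ is just another semi-trusted zone.

```python
from collections import defaultdict
from typing import Dict, List, Tuple

# Hosts and the zone each lives in (assumed layout for this example).
ZONES: Dict[str, str] = {
    "internet": "external",
    "mail-relay": "dmz", "web": "dmz", "app": "dmz", "ext-dns": "dmz",
    "mail-internal": "internal", "db": "internal", "workstations": "internal",
}

# Permitted flows as (source host, destination host, destination port).
# App/database ports are assumptions; the lesson names no ports for them.
GOOD_POLICY: List[Tuple[str, str, int]] = [
    ("internet", "web", 443),
    ("internet", "mail-relay", 25),
    ("internet", "ext-dns", 53),
    ("web", "app", 8080),
    ("app", "db", 5432),
    ("mail-relay", "mail-internal", 25),
    ("workstations", "web", 443),
    ("workstations", "internet", 443),
]

# Same policy plus one constructed "temporary" rule that bypasses the DMZ tiers.
BAD_POLICY = GOOD_POLICY + [("internet", "db", 5432)]

def adjacency(policy: List[Tuple[str, str, int]]) -> Dict[str, set]:
    graph = defaultdict(set)
    for src, dst, _ in policy:
        graph[src].add(dst)
    return graph

def all_paths(policy, src: str, dst: str) -> List[List[str]]:
    """Enumerate the simple paths from src to dst over the permitted flows (DFS)."""
    graph = adjacency(policy)
    paths: List[List[str]] = []

    def walk(node, seen, path):
        if node == dst:
            paths.append(path)
            return
        for nxt in sorted(graph[node]):
            if nxt not in seen:
                walk(nxt, seen | {nxt}, path + [nxt])

    walk(src, {src}, [src])
    return paths

def direct_violations(policy) -> List[str]:
    """Rules that let an external source reach an internal host in one hop."""
    return [f"direct external->internal rule: {s} -> {d}:{p}"
            for s, d, p in policy if ZONES[s] == "external" and ZONES[d] == "internal"]

def exposure_report(policy) -> Dict[str, List[List[str]]]:
    """For every internal host, every path by which the Internet can reach it.
    A well-built DMZ policy yields only paths whose intermediate hops are DMZ hosts."""
    return {host: all_paths(policy, "internet", host)
            for host, zone in ZONES.items() if zone == "internal"}

if __name__ == "__main__":
    for label, policy in (("good", GOOD_POLICY), ("bad", BAD_POLICY)):
        print(f"[{label}] violations: {direct_violations(policy) or 'none'}")
        for host, paths in exposure_report(policy).items():
            for path in paths:
                print(f"[{label}] {host}: " + " -> ".join(path))
```

Running the report on a real ruleset export is the practical use: a path that reaches an internal host without a DMZ hop, or an internal host with more paths than the design intended, is the kind of drift that accumulates as "temporary" rules are added.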

Understand Network Address Translation Any organization that plans to install a firewall will have to deal with addressing issues. In most networks, the firewall performs the NAT function of translating one or more addresses into other addresses. NAT also provides a security function, as the hidden addresses of internal systems are not visible from the Internet.

Understand Network Address Translation Private addresses are used on internal networks behind a firewall that performs NAT. These addresses give an organization flexibility in designing its internal addressing scheme. Static NAT is a one-to-one configuration that allows internal network addresses to be reached from the Internet. Static NAT maps a single real address from the organization's external network to a system on the DMZ.

Understand Network Address Translation Dynamic NAT maps many internal addresses to a single real address. Dynamic NAT creates a practical limit of about 64,000 simultaneous connections. Dynamic NAT is useful for desktop clients that use the Dynamic Host Configuration Protocol (DHCP).
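The two NAT modes behave quite differently at the firewall, and the "about 64,000" figure comes from the number of source ports one public address can lend out. As an added example (not from the lesson), the following Python simulates both: a static one-to-one mapping for a DMZ host, which accepts unsolicited inbound packets, and the many-to-one mode the slides call dynamic NAT (RFC 3022 calls it NAPT or PAT), which rewrites the source port, remembers the session, and drops any inbound packet that matches no session. The addresses are documentation and private ranges chosen for the example, and the port pool of 1024 to 65535 is an assumption; it gives 64,512 concurrent translations, the practical limit the slide refers to.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

Endpoint = Tuple[str, int]  # (ip address, port)

# Port pool for dynamic NAT (assumption for the example): 64,512 ports.
PORT_POOL_LOW, PORT_POOL_HIGH = 1024, 65535

def pool_capacity() -> int:
    return PORT_POOL_HIGH - PORT_POOL_LOW + 1

@dataclass
class Nat:
    public_ip: str                                 # address used for dynamic NAT
    static: Dict[str, str] = field(default_factory=dict)   # public ip -> DMZ host ip
    sessions: Dict[int, Tuple[Endpoint, Endpoint]] = field(default_factory=dict)  # pub port -> (internal, remote)
    flows: Dict[Tuple[Endpoint, Endpoint], int] = field(default_factory=dict)    # (internal, remote) -> pub port
    next_port: int = PORT_POOL_LOW

    def __post_init__(self):
        self._static_reverse = {priv: pub for pub, priv in self.static.items()}

    def outbound(self, src: Endpoint, dst: Endpoint) -> Endpoint:
        """Translate the source of a packet leaving the network."""
        ip, port = src
        if ip in self._static_reverse:             # static: same port, swapped address
            return (self._static_reverse[ip], port)
        key = (src, dst)
        if key in self.flows:                      # existing session keeps its public port
            return (self.public_ip, self.flows[key])
        pub_port = self._allocate_port()
        self.flows[key] = pub_port
        self.sessions[pub_port] = (src, dst)
        return (self.public_ip, pub_port)

    def inbound(self, dst: Endpoint, src: Endpoint) -> Optional[Endpoint]:
        """Translate the destination of a packet arriving from the Internet.
        None means no mapping exists and the packet is dropped."""
        ip, port = dst
        if ip in self.static:                      # static maps admit unsolicited traffic
            return (self.static[ip], port)
        if ip == self.public_ip and port in self.sessions:
            internal, remote = self.sessions[port]
            if remote == src:                      # only the session's peer may answer
                return internal
        return None

    def _allocate_port(self) -> int:
        for _ in range(pool_capacity()):
            candidate = self.next_port
            self.next_port = PORT_POOL_LOW if candidate == PORT_POOL_HIGH else candidate + 1
            if candidate not in self.sessions:
                return candidate
        raise RuntimeError("NAT port pool exhausted")

def exhaustion_demo() -> int:
    """Open distinct dynamic sessions until the pool runs out; returns how many fit."""
    nat = Nat("203.0.113.10")
    opened = 0
    try:
        while True:
            nat.outbound(("192.168.1.50", opened), ("198.51.100.7", 443))  # constructed flows
            opened += 1
    except RuntimeError:
        return opened

if __name__ == "__main__":
    nat = Nat("203.0.113.10", static={"203.0.113.20": "10.0.1.5"})  # constructed addresses
    print("static  out:", nat.outbound(("10.0.1.5", 443), ("198.51.100.7", 51000)))
    print("static  in :", nat.inbound(("203.0.113.20", 443), ("198.51.100.7", 51000)))
    pub = nat.outbound(("192.168.1.50", 40000), ("198.51.100.7", 443))
    print("dynamic out:", pub)
    print("dynamic in :", nat.inbound(pub, ("198.51.100.7", 443)))
    print("stray   in :", nat.inbound(pub, ("198.51.100.99", 443)))
    print("pool capacity:", pool_capacity(), "sessions before exhaustion:", exhaustion_demo())
```

The security function the slide mentions falls out of the session table: an inbound packet is forwarded only when it answers a session an internal host opened, so a dynamic-NAT host is unreachable from the outside unless a static mapping deliberately exposes it.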

Design Partner Networks Partner networks are generally established to exchange certain files or pieces of data between organizations. The architectures and methodologies used for the Internet connection can be used for partner networks, as their requirements do not differ much. Rules must be added to the firewall to allow systems at the partner organization and internal systems to access the partner DMZ systems. NAT should be used when connecting to partner networks.

Summary Organizations can offer services like mail, encrypted e-mail, Web, internal access to the Internet, external access to internal systems, and control services. Control services include DNS, ICMP, and NTP. To reduce security risks, services that are not required should not be offered. The types of Internet architecture are single-line access, multiple-line access to a single ISP, and multiple-line access to multiple ISPs.

Summary Establishing a not fully trusted, semi-secure zone outside of the trusted network creates a DMZ. Router and firewall, single firewall, and dual firewall are the three DMZ architectures. The firewall performs the NAT function of translating one or more addresses into other addresses. Partner networks are generally established to exchange data between organizations.