Presentation is loading. Please wait.

Presentation is loading. Please wait.

VLAN-Based Security for Modern Service-Provision Networks Version 0.9 October, 2000 Bill Woodcock Packet Clearing House.

Published byRhoda Cook Modified over 8 years ago

Similar presentations

Presentation on theme: "VLAN-Based Security for Modern Service-Provision Networks Version 0.9 October, 2000 Bill Woodcock Packet Clearing House."— Presentation transcript:

1 VLAN-Based Security for Modern Service-Provision Networks Version 0.9 October, 2000 Bill Woodcock Packet Clearing House

2 We Have Linguistic Problems, not Technological Problems  The technology is much, much more flexible than most people’s ability to comprehend the problem-space.  The problem is in finding a mental model which allows users to comprehend the problems and their solutions, not in finding a technology to solve the problem.

3 Legacy Firewall Terminology  Historical distinction between “packet filtering firewalls” and “stateful- inspection firewalls” no longer very useful in the real world.  “inside,” “outside” and “DMZ” nomenclature limits lay-people’s ability to understand security.

4 Old Enterprise Solution:  Stateful-inspection box  Usually an application on top of Windows.  Immense differential between the complexity of the system and what’s exposed to the operator.  Usually very slow.  Usually very low MTBF.  Three 10/100 Ethernet interfaces.  No protection against stepping-stone attacks.  No protection against untrusted users.

5 Stepping-Stone Attack Attacker Vulnerable Server Normal Server “Outside” “Inside”Allowed Port

6 Stepping-Stone Attack Attacker Vulnerable Server Normal Server Attack Channel“Outside” “Inside” Allowed Port

7 Stepping-Stone Attack Attacker Compromised Server Normal Server Now At Risk Control Channel“Outside” “Inside” Allowed Port

8 Stepping-Stone Attack Attacker Compromised Server Normal Server Now At Risk Stepping-Stone Attack “Outside” “Inside”

9 Stepping-Stone Attack Attacker Compromised Server Normal Server Compromised “Outside” “Inside” Control Channel

10 Untrusted User Attack Intranet Server Untrusted User “DMZ” “Inside” “Outside” Many Allowed Ports Allowed Ports Normal User

11 Untrusted User Attack Intranet Server Untrusted User “DMZ” “Inside” “Outside” Many Allowed Ports Allowed Ports Normal User Attack Channel

12 Untrusted User Attack Compromised Server Untrusted User “DMZ” “Inside” “Outside” Many Allowed Ports Normal User Control Channel Allowed Ports

13 Modern Firewalling  Don’t add points of failure. Make full use of the high-MTBF equipment you already have.  Don’t slow things down.  Don’t invite Bill Gates into your network.  Security needs should define your security policy, not some coincidental number of physical interfaces on a box.

14 Simple Packet Filter Router “Inside” Switch Fabric “Outside” One Large Packet Filter

15 Simple Packet Filter Router “Inside” Switch Fabric “Outside” One Large Packet Filter

16 VLAN-Based Firewalling Router 802.1Q VLAN Trunk Switch Fabric “Outside” Many “Insides” Many Small Packet Filters

17 VLAN-Based Firewalling Router 802.1Q Switch Fabric “Outside” “Insides” Many Small Packet Filters

18 Relative Processing Speed One large packet filter (40 lines) Average exit after 20 lines

19 Relative Processing Speed Ten small packet filters (4 lines each) Average exit after 2 lines Routing is cheap, ruleset processing is expensive. Use the router for what it’s good at. Routing process selects output ruleset

20 What This Looks Like: Switch hostname OAK-Switch-3 ! interface FastEthernet0/41 description VLAN_341-OAK_DNS-131.161.2.0/30 switchport access vlan 341 speed 100 full-duplex OAK-Switch-3# vlan database OAK-Switch-3(vlan)# vlan 341 name VLAN_341-OAK_DNS-131.161.2.0/30 OAK-Switch-3(vlan)# exit APPLY completed. Exiting....

21 What This Looks Like: Router hostname OAK-Firewall ! interface FastEthernet0/0 description 802.1Q VLAN Trunk to OAK-Switch-1 no ip address speed 100 full-duplex ! interface FastEthernet0/0.341 description VLAN_341-OAK_DNS-131.161.2.0/30 encapsulation dot1Q 341 ip address 131.161.2.2 255.255.255.252 ip access-group ACL-341-OAK_DNS-IN in ip access-group ACL-341-OAK_DNS-OUT out ! ip access-list extended ACL-341-OAK_DNS-IN permit udp host 131.161.2.1 eq domain any permit udp host 131.161.2.1 any eq domain permit tcp host 131.161.2.1 any eq domain permit tcp host 131.161.2.1 eq domain any deny icmp any any port-unreachable deny udp any any gt 0 log-input deny tcp any any gt 0 log-input deny ip any any log-input ip access-list extended ACL-341-OAK_DNS-OUT permit udp any host 131.161.2.1 eq domain permit udp any eq domain host 131.161.2.1 gt 1023 permit tcp any any established permit tcp any host 131.161.2.1 eq domain deny udp any any eq netbios-ns deny icmp any any deny udp any any gt 0 log deny tcp any any gt 0 log deny ip any any log

22 Example With VPN Endpoint Router 802.1Q Trunk Switch “Outside” VPN Endpoint Access Ports Server Rulesets

23 Example With VPN Endpoint Traffic enters network from the commodity network Rulesets

24 Example With VPN Endpoint Rulesets First ruleset guarantees that only IPSec traffic will reach the VPN endpoint VPN endpoint is protected against non-IPSec attack

25 Example With VPN Endpoint Rulesets IPSec traffic enters “outside” of VPN endpoint

26 Example With VPN Endpoint Rulesets Decrypted IP traffic leaves “inside” of VPN endpoint

27 Example With VPN Endpoint Rulesets Second ruleset defines which internal resources VPN users are allowed access to Users who have undergone visual authentication are differentiated from those who may have left a home terminal logged in

28 Example With VPN Endpoint Third ruleset defines which services are accessible on each particular server

Download ppt "VLAN-Based Security for Modern Service-Provision Networks Version 0.9 October, 2000 Bill Woodcock Packet Clearing House."

Similar presentations

Guide to Network Defense and Countermeasures Second Edition

Guide to Network Defense and Countermeasures Second Edition
IUT– Network Security Course 1 Network Security Firewalls.

IUT– Network Security Course 1 Network Security Firewalls.
Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.

Network Security Topologies Chapter 11. Learning Objectives Explain network perimeter’s importance to an organization’s security policies Identify place.
A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.

A Security Pattern for a Virtual Private Network Ajoy Kumar and Eduardo B. Fernandez Dept. of Computer Science and Eng. Florida Atlantic University Boca.
Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.

Standard, Extended and Named ACL.  In this lesson, you will learn: ◦ Purpose of ACLs  Its application to an enterprise network ◦ How ACLs are used to.
This work is supported by the National Science Foundation under Grant Number DUE-0302909. Any opinions, findings and conclusions or recommendations expressed.

This work is supported by the National Science Foundation under Grant Number DUE Any opinions, findings and conclusions or recommendations expressed.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.
Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.

Access Lists 1 Network traffic flow and security influence the design and management of computer networks Access lists are permit or deny statements that.
Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.

Firewall 2 * Essential Network Security Book Slides. IT352 | Network Security |Najwa AlGhamdi 1.
Networking Components

Networking Components
1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.

1 Lecture 20: Firewalls motivation ingredients –packet filters –application gateways –bastion hosts and DMZ example firewall design using firewalls – virtual.
© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.

© 2006 Cisco Systems, Inc. All rights reserved. Implementing Secure Converged Wide Area Networks (ISCW) Module 6: Cisco IOS Threat Defense Features.


Network Perimeter Security Yu Wang. Main Topics Border Router Firewall IPS/IDS VLAN SPAM AAA Q/A.

Network Perimeter Security Yu Wang. Main Topics Border Router Firewall IPS/IDS VLAN SPAM AAA Q/A.
Internet/Intranet firewall security – policy, architecture and transaction services Written by Ray Hunt This presentation will Examines Policies that influence.

Internet/Intranet firewall security – policy, architecture and transaction services Written by Ray Hunt This presentation will Examines Policies that influence.
1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.

1 © 2005 Cisco Systems, Inc. All rights reserved. 111 © 2004, Cisco Systems, Inc. All rights reserved.
CISCO PIX FIREWALL Configuration for DCSL Tuan Anh Nguyen CSCI 5234 University of Houston Clear Lake Fall Semester, 2005.

CISCO PIX FIREWALL Configuration for DCSL Tuan Anh Nguyen CSCI 5234 University of Houston Clear Lake Fall Semester, 2005.
Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.

Firewalls CS432. Overview  What are firewalls?  Types of firewalls Packet filtering firewalls Packet filtering firewalls Sateful firewalls Sateful firewalls.
Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.

Hafez Barghouthi. Model for Network Access Security (our concern) Patrick BoursAuthentication Course 2007/20082.
January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.

January 2009Prof. Reuven Aviv: Firewalls1 Firewalls.

Similar presentations

Ads by Google