Network perimeter’s importance to an organization’s security policies
Perimeter Security Topologies
Any network that is connected (directly or indirectly) to your organization, but is not controlled by your organization, represents a risk.
Firewalls deployed on the network edge enforce security policies and create choke points on network perimeters.
Include demilitarized zones (DMZs), extranets, and intranets
The firewall must be the gateway for all communications between trusted networks and untrusted or unknown networks.
The firewall should selectively admit or deny data flows from other networks based on several criteria:
Router used to separate network from ISP’s network
Identifies separation point between assets you control and those you do not
Most insecure area of a network infrastructure
Normally reserved for routers, firewalls, public Internet servers (HTTP, FTP, Gopher)
Not for sensitive company information that is for internal use only
Represent additional boundaries where other security measures are in place
Multiple internal perimeters are relative to a particular asset, such as the internal perimeter that is just inside the firewall.
When a network manager creates a network security policy, each network that makes up the topology must be classified as one of three types of networks:
When you set up the firewall, you explicitly identify the type of networks via network adapter cards. After the initial configuration, the trusted networks include the firewall and all networks behind it.
VPNs are exceptions - security mechanisms must exist by which the firewall can authenticate the origin, data integrity, and other security principles contained within the network traffic according to the same security principles enforced on your trusted networks.
Allow access to some database materials and e-mail
May include DNS, proxy, and modem servers
Not for confidential or proprietary information
Referred to as the demilitarized zone (DMZ)
Outside your security perimeter and control; however, you may still need and want to communicate with these networks.
When you set up the firewall, you explicitly identify the untrusted networks from which that firewall can accept requests.
Unknown networks are neither trusted nor untrusted
By default, all nontrusted networks are considered unknown networks
You can identify unknown networks below the Internet node and apply more specialized policies to those untrusted networks.
Two Perimeter Networks
Positioning your firewall between an internal and external router provides little additional protection from attacks on either side, but it greatly reduces the amount of traffic that the firewall must evaluate, which can increase the firewall's performance.
Creating and Developing Your Security Design
Know your enemy
Security measures can’t stop all unauthorized tasks; they can only make it harder.
The goal is to make sure that security controls are beyond the attacker's ability or motivation.
Know the costs and weigh those costs against the potential benefits.
Identify assumptions - For example, you might assume that your network is not tapped, that attackers know less than you do, that they are using standard software, or that a locked room is safe.
Control secrets - What knowledge would enable someone to circumvent your system?
Know your weaknesses and how they can be exploited
Limit the scope of access - create appropriate barriers in your system so that if intruders access one part of the system, they do not automatically have access to the rest of the system.
Understand your environment - Auditing tools can help you detect unusual events.
Limit your trust: people, software and hardware
Used by a company to host its own Internet services without permitting unauthorized access to its private network
Sits between Internet and internal network’s line of defense, usually some combination of firewalls and bastion hosts
Traffic originating from it should be filtered
Typically contains devices accessible to Internet traffic
Web (HTTP) servers
SMTP (e-mail) servers
Optional, more secure approach than a simple firewall; may include a proxy server
DMZ Design Goals
Minimize scope of damage
Protect sensitive data on the server
Detect the compromise as soon as possible
Minimize effect of the compromise on other organizations
The bastion host is not able to initiate a session back into the private network. It can only forward packets that have already been requested.
A useful mechanism to meet these goals is to also filter traffic initiated from the DMZ network toward the Internet. This impairs an attacker's ability to have a vulnerable host communicate back to the attacker's host, and it can:
keep the vulnerable host from being exploited altogether
keep a compromised host from being used as a traffic-generating agent in distributed denial-of-service attacks.
The key is to limit traffic to only what is needed, and to drop what is not required, even if the traffic is not a direct threat to your internal network
Filtering DMZ traffic would also identify traffic coming in on the DMZ interface of the firewall or router that appears to have a source IP address on a network other than the DMZ network number (spoofed traffic).
The firewall or router should be configured to generate a log message or rule alert to notify the administrator.
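The DMZ egress filtering and the spoofed-source check described above, as an added Python example that is not part of the original notes; the DMZ network 192.0.2.0/24, the mail relay address and the short list of services a DMZ host legitimately initiates are assumptions, and the packet records are constructed.

```python
"""DMZ egress policy with anti-spoofing check. Added example, not from the
original notes. Assumptions: DMZ network 192.0.2.0/24, mail relay 192.0.2.25,
and the only DMZ-initiated flows needed are DNS (udp/53) from any DMZ host and
SMTP (tcp/25) from the mail relay."""
from ipaddress import ip_address, ip_network

DMZ_NET = ip_network("192.0.2.0/24")          # assumed DMZ network number
MAIL_RELAY = "192.0.2.25"                     # assumed DMZ mail server
# DMZ-initiated flows permitted towards the Internet: (source host or "any", proto, dst port)
EGRESS_ALLOW = {("any", "udp", 53), (MAIL_RELAY, "tcp", 25)}

def check_dmz_egress(src, proto, dport):
    """Decide on a packet arriving on the DMZ interface and bound for the Internet.
    Returns (action, reason); reasons starting with 'alert' should be logged."""
    if ip_address(src) not in DMZ_NET:
        # A DMZ host cannot legitimately send from another network's address
        return ("drop", f"alert: spoofed source {src} on DMZ interface")
    if (src, proto, dport) in EGRESS_ALLOW or ("any", proto, dport) in EGRESS_ALLOW:
        return ("permit", "allowed DMZ-initiated service")
    # Not needed for the host's job: a compromised host reaching out, or a DDoS agent
    return ("drop", f"alert: unexpected DMZ-initiated {proto}/{dport} from {src}")

# Constructed sample of packets seen on the DMZ interface: (src ip, proto, dst port)
SAMPLE = [
    ("192.0.2.10", "udp", 53),    # web server resolving a name: permit
    (MAIL_RELAY, "tcp", 25),      # mail relay delivering mail: permit
    ("192.0.2.10", "tcp", 25),    # web server sending mail is not its job: drop, alert
    ("192.0.2.10", "tcp", 443),   # web server opening outbound web sessions: drop, alert
    ("10.1.1.7", "udp", 53),      # internal address seen on the DMZ side: spoofed
]

def audit(packets):
    """Return the alert lines an administrator would be notified with."""
    alerts = []
    for src, proto, dport in packets:
        action, reason = check_dmz_egress(src, proto, dport)
        if action == "drop":
            alerts.append(f"{src} {proto}/{dport}: {reason}")
    return alerts

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```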
Typically a collection of all LANs inside the firewall (campus network).
Either a network topology or application (usually a Web portal) used as a single point of access to deliver services to employees
Shares company information and computing resources among employees
Allows access to public Internet through firewalls that screen communications in both directions to maintain company security
Private network that uses Internet protocol and public telecommunication system to provide various levels of accessibility to outsiders
Requires security and privacy
Issuance and use of digital certificates or other user authentication
Encryption of messages
Use of VPNs that tunnel through the public network
Companies can use an extranet to:
Exchange large volumes of data
Share product catalogs exclusively with wholesalers or those in the trade
Collaborate with other companies on joint development efforts
Jointly develop and use training programs with other companies
Provide or access services provided by one company to a group of other companies, such as an online banking application managed by one company on behalf of affiliated banks
Share news of common interest exclusively with partner companies
Network Address Translation (NAT)
Internet standard that enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic
Provides a type of firewall by hiding internal IP addresses
Enables a company to use more internal IP addresses.
Most often used to map IPs from nonroutable private address spaces defined by RFC 1918 that either do not require external access or require limited access to outside services
A 10.0.0.0 … 10.255.255.255
B 172.16.0.0 … 172.31.255.255
C 192.168.0.0 … 192.168.255.255
Static NAT and dynamic NAT
Dynamic NAT is more complex because state must be maintained, and connections must be rejected when the pool is exhausted.
Unlike static NAT, dynamic NAT enables address reuse, reducing the demand for legally registered public addresses.
Port Address Translation (PAT)
Variation of dynamic NAT
Allows many hosts to share a single IP address by multiplexing streams differentiated by TCP/UDP port numbers
Suppose private hosts 192.168.0.2 and 192.168.0.3 both send packets from source port 1108. A PAT router might translate these to a single public IP address 184.108.40.206 and two different source ports, say 61001 and 61002.
Because PAT maps individual ports, it is not possible to "reverse map" incoming connections for other ports unless another table is configured
PAT and NAT
In some cases, static NAT, dynamic NAT, PAT, and even bidirectional NAT or PAT may be used together
Web servers can be reached from the Internet without NAT, because they live in public address space.
Because a Simple Mail Transfer Protocol (SMTP) server must be continuously accessible through a public address associated with a DNS entry, the mail server requires a static mapping (either a limited-purpose virtual server table or static NAT).
For most clients, public address sharing is usually practical through dynamically acquired addresses (either dynamic NAT with a correctly sized address pool, or PAT).
Applications that hold onto dynamically acquired addresses for long periods could exhaust a dynamic NAT address pool and block access by other clients. To prevent this, PAT is used because it enables higher concurrency (thousands of port mappings per IP address)
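The dynamic NAT pool exhaustion and the PAT port multiplexing described above, simulated in Python as an added example that is not part of the original notes; the private addresses, the public address and the translated ports are the notes' own, the pool address 203.0.113.10 is an assumption, and the tables are simplified to key on source address and port rather than the full 5-tuple a real translator tracks.

```python
"""Dynamic NAT versus PAT, simulated. Added example, not part of the original
notes. Simplified: mappings key on source address (and source port for PAT)
rather than on the full 5-tuple a real translator tracks."""
from ipaddress import ip_address, ip_network

# The three RFC 1918 private ranges listed in the notes
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def is_private(addr):
    """True if addr lies in one of the RFC 1918 ranges (i.e. needs translation)."""
    return any(ip_address(addr) in net for net in RFC1918)

class DynamicNat:
    """One public address per active inside host; rejects when the pool runs dry."""
    def __init__(self, pool):
        self.free = list(pool)     # public addresses not yet handed out
        self.table = {}            # inside address -> public address (the state)
    def outbound(self, src):
        if src in self.table:
            return self.table[src]
        if not self.free:
            return None            # pool exhausted: connection rejected
        self.table[src] = self.free.pop(0)
        return self.table[src]

class Pat:
    """Many inside hosts share one public address; flows differ by translated port."""
    def __init__(self, public_ip, first_port=61001):
        self.public_ip, self.next_port = public_ip, first_port
        self.out = {}              # (src ip, src port) -> public port
        self.back = {}             # public port -> (src ip, src port), for replies
    def outbound(self, src, sport):
        if (src, sport) not in self.out:
            self.out[(src, sport)] = self.next_port
            self.back[self.next_port] = (src, sport)
            self.next_port += 1
        return self.public_ip, self.out[(src, sport)]
    def inbound(self, dport):
        """Reverse-map a packet arriving at the public address, or None if no
        outbound flow created the mapping (unsolicited connections cannot enter)."""
        return self.back.get(dport)
```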
Enables a network to securely send its data through untrusted/shared network infrastructure
Encrypts and encapsulates a network protocol within packets carried by a second network
Replacing WAN links because of security and low cost
An option for most IP connectivity requirements
Example of a Tunnel
A router with Internet Protocol Security (IPSec) encryption capabilities is deployed as a gateway on each LAN's Internet connection.
The routers are configured for a point-to-point VPN tunnel, which uses encryption to build a virtual connection between the two offices.
When a router sees traffic on its LAN that is destined for the VPN, it communicates with the other side, instructing it to build the tunnel.
Once the two routers have negotiated a secure encrypted connection, traffic from the originating host is encrypted using the agreed-upon settings and sent to the peer router.
Virtual Local Area Networks (VLANs)
Deployed using network switches
Used throughout networks to segment different hosts from each other
Often coupled with a trunk, which allows switches to share many VLANs over a single physical link
Benefits of VLANs
Some security features
Security Features of VLANs
Can be configured to group together users in same group or team, no matter the location
Offer some protection when sniffers are inserted
Protect unused switch ports by moving them all to a separate VLAN
Use an air gap to separate trusted from untrusted networks:
Do not allow the same switch or network of switches to provide connectivity to networks segregated by firewalls.
A switch that has direct connections to untrusted networks (Internet) or semitrusted networks (DMZs), should never be used to contain trusted network segments as well.
Vulnerabilities of VLAN Trunks
Trunk traffic does not pass through the router, so it is not subject to the router's packet filtering.
Trunk autonegotiation – on by default
Prevention: Disable autonegotiation on all ports and only allow trunk traffic on trunk ports
By default, trunk links are permitted to carry traffic from all VLANs
Prevention: Manually configure all trunk links with the VLANs that are permitted to traverse them (Pruning)
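An audit for the two trunk weaknesses just listed, as an added Python example that is not part of the original notes: it parses a constructed running-config excerpt written in Cisco IOS syntax (the platform is an assumption) and flags ports where trunk autonegotiation is still possible or where a trunk is not pruned to an explicit VLAN list.

```python
"""Audit a switch configuration for the two trunk weaknesses the notes list:
trunk autonegotiation left on, and trunks carrying all VLANs (no pruning).
Added example, not part of the original notes. The config text is constructed;
the commands follow Cisco IOS syntax, which is an assumption about the platform."""
import re

# Constructed running-config excerpt: one hardened trunk, one weak port, one access port
SAMPLE_CONFIG = """\
interface GigabitEthernet0/1
 switchport mode trunk
 switchport trunk allowed vlan 10,20
 switchport nonegotiate
interface GigabitEthernet0/2
 switchport mode dynamic desirable
interface GigabitEthernet0/3
 switchport mode access
 switchport access vlan 999
"""

def parse_interfaces(config):
    """Group config lines by interface: {name: [stripped lines]}."""
    ifaces, current = {}, None
    for line in config.splitlines():
        m = re.match(r"^interface (\S+)", line)
        if m:
            current = m.group(1)
            ifaces[current] = []
        elif current and line.strip():
            ifaces[current].append(line.strip())
    return ifaces

def audit_trunks(config):
    """Return a list of (interface, finding) for ports that can become unsafe trunks."""
    findings = []
    for name, lines in parse_interfaces(config).items():
        mode = next((l.split()[-1] for l in lines if l.startswith("switchport mode")), None)
        if mode == "access":
            continue                                   # access ports cannot form trunks
        if mode != "trunk" or "switchport nonegotiate" not in lines:
            findings.append((name, "trunk autonegotiation (DTP) not disabled"))
        if not any(l.startswith("switchport trunk allowed vlan") for l in lines):
            findings.append((name, "trunk carries all VLANs: no pruning configured"))
    return findings

if __name__ == "__main__":
    for iface, finding in audit_trunks(SAMPLE_CONFIG):
        print(f"{iface}: {finding}")
```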
Technologies used to create network topologies that secure data and networked resources