SlideShare a Scribd company logo

Ch18 Internet Security

P
phanleson

This document discusses internet architecture and security best practices. It covers topics like internet services to offer and not offer, developing communications architectures using single or multiple lines, designing demilitarized zones and appropriate architectures, understanding network address translation, and designing partner networks.

Technology
1 of 33
Download to read offline
Lesson 18-Internet Architecture
Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address translation. Design partner networks.
Internet Services Services to offer. Services not to offer. Mail. NetBIOS, Unix RPC, NFS, Encrypted e-mail. Web. “r” services, TFTP, Internal access to Remote Control Internet. Protocols, and SNMP. External access to internal systems. Control services.
Mail Mail service is generally offered to internal employees to send and receive messages. It requires that at least one server be established to receive inbound mail. Outbound mail can move through the same server or directly through desktop systems. Organization may choose to establish relays for public mail to be sent to discussion groups.
Encrypted E-mail It is better to encrypt the contents of the e-mail to protect any sensitive information. Systems like desktop software and network appliances placed in mail stream provide encrypted e-mail.
Web To publish information via Web, the organization needs to establish a Web server. Web servers can provide static content or dynamic content. HTTPS is used for Web pages that contain sensitive information or require authentication. File Transfer Protocol (FTP) server allows external individuals to get or send files.
Internal Access to Internet Most common services that employees are allowed to access are: HTTP (port 80) and HTTPS (port 443) FTP (ports 21 and 20) Telnet (port 23) and SSH (port 22) POP-3 (port 110) and IMAP (port 143) NNTP (port 119)
External Access to Internal Systems External access to sensitive internal systems is a delicate matter. The two forms of external access are employee access or non-employee access. External access may be accomplished through VPNs, dial- up lines, leased lines, or unencrypted access over the Internet.
Control Services These services are required for smooth function of network and Internet connection. DNS - Domain Name Service is used to resolve system names into IP addresses. ICMP - Internet Control Message Protocol provides services such as ping and messages that help the network function efficiently. NTP - Network Time Protocol is used to synchronize time between various systems.
Develop a Communications Architecture Primary issues for establishing an organization’s Internet connection are throughput requirements and availability. Availability requirements of the connection should be set by the organization.
Develop a Communications Architecture Single-line access Multiple-line access to a single ISP Multiple-line access to multiple ISPs
Single-Line Access Standard single-line access architecture
Single-Line Access The following potential failures make single-line access suitable for non-business-critical Internet connections: Router failure. CSU failure. Cut local loop. Damage to the telephone company’s CO (central office). POP failure at the ISP.
Multiple-Line Access to a Single ISP They are used to overcome the single point of failure issues with the single ISP architecture. Shadow link or redundant circuit services offered by different ISPs provide a second communication link in case of failure. Multiple-line access to a single ISP has Single-POP access or Multiple-POP access.
Multiple-Line Access to a Single ISP Single-POP access: An ISP can provide fail-over access by setting up a redundant circuit to the same POP. It addresses failures in router, CSU, phone company circuit to CO, and ISP equipment. Benefit to this architecture is the low cost of the redundant circuit.
Multiple-Line Access to a Single ISP Multiple-POP access: Running second connection to a second POP additional availability and reliability can be obtained. Border Gateway Protocol (BGP) protocol, run by ISP, specifies routes between entities with such dual connections. Single point failures of local loop and CO can be overcome if the organization’s facility has two local loop connections.
Multiple-line Access to Multiple ISPs If architected correctly, use of multiple ISPs can reduce the risk of loss of service dramatically. Issues that occur in choosing ISPs are complexity of using different ISPs, thorough knowledge in ISPs, and physical routing of connections. Working with multiple ISPs also involve routing and IP address space issues that must be resolved.
Design a Demilitarized Zone Defining the DMZ. Systems to place in DMZ. Appropriate DMZ architectures.
Defining the DMZ A DMZ is created by providing a semi-protected network zone. The DMZ is delineated with network access controls, such as firewalls or heavily filtered routers. Any system that can be directly contacted by an external user should be placed in a DMZ since they can be attacked. External system’s access to sensitive systems must be avoided.
Systems to Place in DMZ Layout of systems between the DMZ and the internal network
Systems to Place in DMZ DMZ can have either both internal and external mail servers or a single firewall mail server. Using Web server for receiving user’s input and application server for processing it provides protection to the database server. All externally accessible systems should be placed in the DMZ. The organization’s ISP can provide alternate DNS services.
Appropriate DMZ Architectures The three common architectures are router and firewall, single firewall, and dual firewall. These architectures have their own advantages and disadvantages; hence organizations must choose the appropriate one.
Appropriate DMZ Architectures Router and firewall architecture: Router and firewall architecture involves risk to systems on the Internet. The risk can be reduced using filters on the router. Risk to systems can also be reduced by locking them so that only services offered by DMZ run on them.
Appropriate DMZ Architectures Single firewall architecture: A single firewall can be used to create a DMZ using a third interface. The single firewall becomes a single point of failure and a potential bottleneck for traffic, unless in fail-over configuration. Single firewall architecture is simple compared to the router and firewall architecture.
Appropriate DMZ Architectures Dual firewall architecture: Dual firewall architecture uses two firewalls to separate DMZ from external and internal networks. Dual firewalls increase cost of architecture and require additional management and configuration.
Understand Network Address Translation Any organization that plans to install a firewall will have to deal with addressing issues. In most networks, the firewall performs the NAT function of translating one or more addresses into other addresses. NAT can also provide a security function as hidden addresses of internal systems are not visible to the Internet.
Understand Network Address Translation Private class addresses are used on internal networks behind a firewall that performs NAT. These addresses provide an organization with flexibility in designing its internal addressing scheme. Static NAT is a one- to-one configuration that allows accessing internal network addresses from the Internet. Static NAT maps a single real address from the organization’s external network to a system on the DMZ.
Understand Network Address Translation Dynamic NAT maps many internal addresses to a single real address. Dynamic NAT creates a practical limit of about 64,000 simultaneous connections. Dynamic NAT is useful for desktop clients who use the Dynamic Host Configuration Protocol (DHCP).
Design Partner Networks Partner networks are generally established to exchange certain files or pieces of data between organizations. Architectures and methodologies of Internet connection can be used for partner networks as their requirements do not differ much. Rules must be added to firewall to allow systems at the partner organization and internal systems to access partner DMZ systems. NAT should be used when connecting to partner networks.
Summary Organizations can offer services like mail, encrypted e-mail, Web, internal access to Internet, external access to internal systems, and control services. Control services include DNS, ICMP, and NTP. To reduce security risks, services that are not required should not be offered. Types of Internet architectures are single-line access, multiple-line access to a single ISP, and multiple-line access to multiple ISPs.
Summary Establishing a not truly trusted, semi-secure zone outside of the trusted network creates a DMZ. Router and firewall, single firewall, and dual firewall are the three DMZ architectures. Firewall performs the NAT function of translating one or more addresses into other addresses. Partner networks are generally established to exchange data between organizations.

Recommended

Lecture 6
Lecture 6Lecture 6
Lecture 6
Education
 
Firewall DMZ Zone
Firewall DMZ ZoneFirewall DMZ Zone
Firewall DMZ Zone
NetProtocol Xpert
 
network security, group policy and firewalls
network security, group policy and firewallsnetwork security, group policy and firewalls
network security, group policy and firewalls
Sapna Kumari
 
Firewall architectures
Firewall architecturesFirewall architectures
Firewall architectures
Arun Mahajan
 
Dmz
Dmz Dmz
Dmz
أحلام انصارى
 
Network Security
Network SecurityNetwork Security
Network Security
phanleson
 
Firewall presentation m. emin özgünsür
Firewall presentation m. emin özgünsürFirewall presentation m. emin özgünsür
Firewall presentation m. emin özgünsür
emin_oz
 
Presentation, Firewalls
Presentation, FirewallsPresentation, Firewalls
Presentation, Firewalls
kkkseld
 

Recommended

Lecture 6
Lecture 6Lecture 6
Lecture 6
Education
 
Firewall DMZ Zone
Firewall DMZ ZoneFirewall DMZ Zone
Firewall DMZ Zone
NetProtocol Xpert
 
network security, group policy and firewalls
network security, group policy and firewallsnetwork security, group policy and firewalls
network security, group policy and firewalls
Sapna Kumari
 
Firewall architectures
Firewall architecturesFirewall architectures
Firewall architectures
Arun Mahajan
 
Dmz
Dmz Dmz
Dmz
أحلام انصارى
 
Network Security
Network SecurityNetwork Security
Network Security
phanleson
 
Firewall presentation m. emin özgünsür
Firewall presentation m. emin özgünsürFirewall presentation m. emin özgünsür
Firewall presentation m. emin özgünsür
emin_oz
 
Presentation, Firewalls
Presentation, FirewallsPresentation, Firewalls
Presentation, Firewalls
kkkseld
 
Firewall fundamentals
Firewall fundamentalsFirewall fundamentals
Firewall fundamentals
Thang Man
 
Data Security in Local Area Network Using Distributed Firewall
Data Security in Local Area Network Using Distributed FirewallData Security in Local Area Network Using Distributed Firewall
Data Security in Local Area Network Using Distributed Firewall
Manish Kumar
 
Lecture 4 firewalls
Lecture 4 firewallsLecture 4 firewalls
Lecture 4 firewalls
rajakhurram
 
Data security in local network using distributed firewall ppt
Data security in local network using distributed firewall ppt Data security in local network using distributed firewall ppt
Data security in local network using distributed firewall ppt
Sabreen Irfana
 
session7 Firewalls and VPN
session7 Firewalls and VPNsession7 Firewalls and VPN
session7 Firewalls and VPN
Mustafa Jarrar
 
Firewall management introduction
Firewall management introductionFirewall management introduction
Firewall management introduction
Raghava Sharma
 
Firewall Security Definition
Firewall Security DefinitionFirewall Security Definition
Firewall Security Definition
Patten John
 
Firewalls
FirewallsFirewalls
Firewalls
Sonali Parab
 
Firewall Basing
Firewall BasingFirewall Basing
Firewall Basing
Pina Parmar
 
Windows 7 firewall & its configuration
Windows 7 firewall & its configurationWindows 7 firewall & its configuration
Windows 7 firewall & its configuration
Soban Ahmad
 
Firewalls
FirewallsFirewalls
Firewalls
junaid15bsse
 
Firewall
FirewallFirewall
Firewall
lmbriscoe
 
Firewall
FirewallFirewall
Firewall
Apo
 
Network firewall function & benefits
Network firewall function & benefitsNetwork firewall function & benefits
Network firewall function & benefits
Anthony Daniel
 
Firewall and its configuration
Firewall and its configurationFirewall and its configuration
Firewall and its configuration
Muhammad Baqar Kazmi
 
Firewall
FirewallFirewall
Firewall
nayakslideshare
 
Firewall & its configurations
Firewall & its configurationsFirewall & its configurations
Firewall & its configurations
Student
 
Approach of Data Security in Local Network Using Distributed Firewalls
Approach of Data Security in Local Network Using Distributed FirewallsApproach of Data Security in Local Network Using Distributed Firewalls
Approach of Data Security in Local Network Using Distributed Firewalls
International Journal of Science and Research (IJSR)
 
Firewall protection
Firewall protectionFirewall protection
Firewall protection
VC Infotech
 
Firewall Architecture
Firewall Architecture Firewall Architecture
Firewall Architecture
Yovan Chandel
 
Network and security concepts
Network and security conceptsNetwork and security concepts
Network and security concepts
sonuagain
 
IPS NAT and VPN.pptx
IPS NAT and VPN.pptxIPS NAT and VPN.pptx
IPS NAT and VPN.pptx
karthikvcyber
 

More Related Content

What's hot

Firewall fundamentals
Firewall fundamentalsFirewall fundamentals
Firewall fundamentals
Thang Man
 
Data Security in Local Area Network Using Distributed Firewall
Data Security in Local Area Network Using Distributed FirewallData Security in Local Area Network Using Distributed Firewall
Data Security in Local Area Network Using Distributed Firewall
Manish Kumar
 
session7 Firewalls and VPN
session7 Firewalls and VPNsession7 Firewalls and VPN
session7 Firewalls and VPN
Mustafa Jarrar
 
Firewall
FirewallFirewall
Firewall
Apo
 
Approach of Data Security in Local Network Using Distributed Firewalls
Approach of Data Security in Local Network Using Distributed FirewallsApproach of Data Security in Local Network Using Distributed Firewalls
Approach of Data Security in Local Network Using Distributed Firewalls
International Journal of Science and Research (IJSR)
 

What's hot (20)

Firewall fundamentals
Firewall fundamentalsFirewall fundamentals
Firewall fundamentals
 
Data Security in Local Area Network Using Distributed Firewall
Data Security in Local Area Network Using Distributed FirewallData Security in Local Area Network Using Distributed Firewall
Data Security in Local Area Network Using Distributed Firewall
 
Lecture 4 firewalls
Lecture 4 firewallsLecture 4 firewalls
Lecture 4 firewalls
 
Data security in local network using distributed firewall ppt
Data security in local network using distributed firewall ppt Data security in local network using distributed firewall ppt
Data security in local network using distributed firewall ppt
 
session7 Firewalls and VPN
session7 Firewalls and VPNsession7 Firewalls and VPN
session7 Firewalls and VPN
 
Firewall management introduction
Firewall management introductionFirewall management introduction
Firewall management introduction
 
Firewall Security Definition
Firewall Security DefinitionFirewall Security Definition
Firewall Security Definition
 
Firewalls
FirewallsFirewalls
Firewalls
 
Firewall Basing
Firewall BasingFirewall Basing
Firewall Basing
 
Windows 7 firewall & its configuration
Windows 7 firewall & its configurationWindows 7 firewall & its configuration
Windows 7 firewall & its configuration
 
Firewalls
FirewallsFirewalls
Firewalls
 
Firewall
FirewallFirewall
Firewall
 
Firewall
FirewallFirewall
Firewall
 
Network firewall function & benefits
Network firewall function & benefitsNetwork firewall function & benefits
Network firewall function & benefits
 
Firewall and its configuration
Firewall and its configurationFirewall and its configuration
Firewall and its configuration
 
Firewall
FirewallFirewall
Firewall
 
Firewall & its configurations
Firewall & its configurationsFirewall & its configurations
Firewall & its configurations
 
Approach of Data Security in Local Network Using Distributed Firewalls
Approach of Data Security in Local Network Using Distributed FirewallsApproach of Data Security in Local Network Using Distributed Firewalls
Approach of Data Security in Local Network Using Distributed Firewalls
 
Firewall protection
Firewall protectionFirewall protection
Firewall protection
 
Firewall Architecture
Firewall Architecture Firewall Architecture
Firewall Architecture
 

Similar to Ch18 Internet Security

lec3_10.ppt
lec3_10.pptlec3_10.ppt
lec3_10.ppt
ImXaib
 
Case1–NetworkDesignAbstractThecompanyinthisc.docx
Case1–NetworkDesignAbstractThecompanyinthisc.docxCase1–NetworkDesignAbstractThecompanyinthisc.docx
Case1–NetworkDesignAbstractThecompanyinthisc.docx
wendolynhalbert
 
M A M C H A R O
M A M C H A R OM A M C H A R O
M A M C H A R O
lime17
 
Networking Today Chapter 1 Networking Today Chapter 1
Networking Today Chapter 1 Networking Today Chapter 1Networking Today Chapter 1 Networking Today Chapter 1
Networking Today Chapter 1 Networking Today Chapter 1
TnNguyn57021
 
DEFENSE IN DEPTH6IntroductionThe objective of this pap
DEFENSE IN DEPTH6IntroductionThe objective of this papDEFENSE IN DEPTH6IntroductionThe objective of this pap
DEFENSE IN DEPTH6IntroductionThe objective of this pap
LinaCovington707
 

Similar to Ch18 Internet Security (20)

Network and security concepts
Network and security conceptsNetwork and security concepts
Network and security concepts
 
IPS NAT and VPN.pptx
IPS NAT and VPN.pptxIPS NAT and VPN.pptx
IPS NAT and VPN.pptx
 
A Deep Dive in the World of IT Networking (Part 2)
A Deep Dive in the World of IT Networking (Part 2)A Deep Dive in the World of IT Networking (Part 2)
A Deep Dive in the World of IT Networking (Part 2)
 
lec3_10.ppt
lec3_10.pptlec3_10.ppt
lec3_10.ppt
 
Cryptography and network security.
Cryptography and network security.Cryptography and network security.
Cryptography and network security.
 
Case1–NetworkDesignAbstractThecompanyinthisc.docx
Case1–NetworkDesignAbstractThecompanyinthisc.docxCase1–NetworkDesignAbstractThecompanyinthisc.docx
Case1–NetworkDesignAbstractThecompanyinthisc.docx
 
Ccna 4 Chapter 1 V4.0 Answers
Ccna 4 Chapter 1 V4.0 AnswersCcna 4 Chapter 1 V4.0 Answers
Ccna 4 Chapter 1 V4.0 Answers
 
MPLS ppt
MPLS pptMPLS ppt
MPLS ppt
 
Rkp internet part i
Rkp internet part iRkp internet part i
Rkp internet part i
 
UNIT 7-UNDERSTANDING LARGER NETWORKS.pptx
UNIT 7-UNDERSTANDING LARGER NETWORKS.pptxUNIT 7-UNDERSTANDING LARGER NETWORKS.pptx
UNIT 7-UNDERSTANDING LARGER NETWORKS.pptx
 
Ccna report
Ccna reportCcna report
Ccna report
 
M A M C H A R O
M A M C H A R OM A M C H A R O
M A M C H A R O
 
Networking Today Chapter 1 Networking Today Chapter 1
Networking Today Chapter 1 Networking Today Chapter 1Networking Today Chapter 1 Networking Today Chapter 1
Networking Today Chapter 1 Networking Today Chapter 1
 
DEFENSE IN DEPTH6IntroductionThe objective of this pap
DEFENSE IN DEPTH6IntroductionThe objective of this papDEFENSE IN DEPTH6IntroductionThe objective of this pap
DEFENSE IN DEPTH6IntroductionThe objective of this pap
 
Network security chapter 6 and 7 internet architecture
Network security chapter 6 and 7 internet architectureNetwork security chapter 6 and 7 internet architecture
Network security chapter 6 and 7 internet architecture
 
Web Technology
Web TechnologyWeb Technology
Web Technology
 
Web Technology
Web TechnologyWeb Technology
Web Technology
 
Web Technology
Web TechnologyWeb Technology
Web Technology
 
Virtual private networks (vpn)
Virtual private networks (vpn)Virtual private networks (vpn)
Virtual private networks (vpn)
 
Computer Networks basics
Computer Networks basicsComputer Networks basics
Computer Networks basics
 

More from phanleson

Lecture 1 - Getting to know XML
Lecture 1 - Getting to know XMLLecture 1 - Getting to know XML
Lecture 1 - Getting to know XML
phanleson
 

More from phanleson (20)

Learning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with SparkLearning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with Spark
 
Firewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth FirewallsFirewall - Network Defense in Depth Firewalls
Firewall - Network Defense in Depth Firewalls
 
Mobile Security - Wireless hacking
Mobile Security - Wireless hackingMobile Security - Wireless hacking
Mobile Security - Wireless hacking
 
Authentication in wireless - Security in Wireless Protocols
Authentication in wireless - Security in Wireless ProtocolsAuthentication in wireless - Security in Wireless Protocols
Authentication in wireless - Security in Wireless Protocols
 
E-Commerce Security - Application attacks - Server Attacks
E-Commerce Security - Application attacks - Server AttacksE-Commerce Security - Application attacks - Server Attacks
E-Commerce Security - Application attacks - Server Attacks
 
Hacking web applications
Hacking web applicationsHacking web applications
Hacking web applications
 
HBase In Action - Chapter 04: HBase table design
HBase In Action - Chapter 04: HBase table designHBase In Action - Chapter 04: HBase table design
HBase In Action - Chapter 04: HBase table design
 
HBase In Action - Chapter 10 - Operations
HBase In Action - Chapter 10 - OperationsHBase In Action - Chapter 10 - Operations
HBase In Action - Chapter 10 - Operations
 
Hbase in action - Chapter 09: Deploying HBase
Hbase in action - Chapter 09: Deploying HBaseHbase in action - Chapter 09: Deploying HBase
Hbase in action - Chapter 09: Deploying HBase
 
Learning spark ch11 - Machine Learning with MLlib
Learning spark ch11 - Machine Learning with MLlibLearning spark ch11 - Machine Learning with MLlib
Learning spark ch11 - Machine Learning with MLlib
 
Learning spark ch10 - Spark Streaming
Learning spark ch10 - Spark StreamingLearning spark ch10 - Spark Streaming
Learning spark ch10 - Spark Streaming
 
Learning spark ch09 - Spark SQL
Learning spark ch09 - Spark SQLLearning spark ch09 - Spark SQL
Learning spark ch09 - Spark SQL
 
Learning spark ch07 - Running on a Cluster
Learning spark ch07 - Running on a ClusterLearning spark ch07 - Running on a Cluster
Learning spark ch07 - Running on a Cluster
 
Learning spark ch06 - Advanced Spark Programming
Learning spark ch06 - Advanced Spark ProgrammingLearning spark ch06 - Advanced Spark Programming
Learning spark ch06 - Advanced Spark Programming
 
Learning spark ch05 - Loading and Saving Your Data
Learning spark ch05 - Loading and Saving Your DataLearning spark ch05 - Loading and Saving Your Data
Learning spark ch05 - Loading and Saving Your Data
 
Learning spark ch04 - Working with Key/Value Pairs
Learning spark ch04 - Working with Key/Value PairsLearning spark ch04 - Working with Key/Value Pairs
Learning spark ch04 - Working with Key/Value Pairs
 
Learning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with SparkLearning spark ch01 - Introduction to Data Analysis with Spark
Learning spark ch01 - Introduction to Data Analysis with Spark
 
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about LibertagiaHướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
 
Lecture 1 - Getting to know XML
Lecture 1 - Getting to know XMLLecture 1 - Getting to know XML
Lecture 1 - Getting to know XML
 
Lecture 4 - Adding XTHML for the Web
Lecture 4 - Adding XTHML for the WebLecture 4 - Adding XTHML for the Web
Lecture 4 - Adding XTHML for the Web
 

Recently uploaded

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
?#DUbAI#??##{{(☎️+971_581248768%)**%*]'#abortion pills for sale in dubai@
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Principled Technologies
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
UK Journal
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
panagenda
 

Recently uploaded (20)

Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
Deploy with confidence: VMware Cloud Foundation 5.1 on next gen Dell PowerEdg...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdfUnderstanding Discord NSFW Servers A Guide for Responsible Users.pdf
Understanding Discord NSFW Servers A Guide for Responsible Users.pdf
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 
AWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of TerraformAWS Community Day CPH - Three problems of Terraform
AWS Community Day CPH - Three problems of Terraform
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 

Ch18 Internet Security

  • 2. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address translation. Design partner networks.
  • 3. Internet Services Services to offer. Services not to offer. Mail. NetBIOS, Unix RPC, NFS, Encrypted e-mail. Web. “r” services, TFTP, Internal access to Remote Control Internet. Protocols, and SNMP. External access to internal systems. Control services.
  • 4. Mail Mail service is generally offered to internal employees to send and receive messages. It requires that at least one server be established to receive inbound mail. Outbound mail can move through the same server or directly through desktop systems. Organization may choose to establish relays for public mail to be sent to discussion groups.
  • 5. Encrypted E-mail It is better to encrypt the contents of the e-mail to protect any sensitive information. Systems like desktop software and network appliances placed in mail stream provide encrypted e-mail.
  • 6. Web To publish information via Web, the organization needs to establish a Web server. Web servers can provide static content or dynamic content. HTTPS is used for Web pages that contain sensitive information or require authentication. File Transfer Protocol (FTP) server allows external individuals to get or send files.
  • 7. Internal Access to Internet Most common services that employees are allowed to access are: HTTP (port 80) and HTTPS (port 443) FTP (ports 21 and 20) Telnet (port 23) and SSH (port 22) POP-3 (port 110) and IMAP (port 143) NNTP (port 119)
  • 8. External Access to Internal Systems External access to sensitive internal systems is a delicate matter. The two forms of external access are employee access or non-employee access. External access may be accomplished through VPNs, dial- up lines, leased lines, or unencrypted access over the Internet.
  • 9. Control Services These services are required for smooth function of network and Internet connection. DNS - Domain Name Service is used to resolve system names into IP addresses. ICMP - Internet Control Message Protocol provides services such as ping and messages that help the network function efficiently. NTP - Network Time Protocol is used to synchronize time between various systems.
  • 10. Develop a Communications Architecture Primary issues for establishing an organization’s Internet connection are throughput requirements and availability. Availability requirements of the connection should be set by the organization.
  • 11. Develop a Communications Architecture Single-line access Multiple-line access to a single ISP Multiple-line access to multiple ISPs
  • 13. Single-Line Access The following potential failures make single-line access suitable for non-business-critical Internet connections: Router failure. CSU failure. Cut local loop. Damage to the telephone company’s CO (central office). POP failure at the ISP.
  • 14. Multiple-Line Access to a Single ISP They are used to overcome the single point of failure issues with the single ISP architecture. Shadow link or redundant circuit services offered by different ISPs provide a second communication link in case of failure. Multiple-line access to a single ISP has Single-POP access or Multiple-POP access.
  • 15. Multiple-Line Access to a Single ISP Single-POP access: An ISP can provide fail-over access by setting up a redundant circuit to the same POP. It addresses failures in router, CSU, phone company circuit to CO, and ISP equipment. Benefit to this architecture is the low cost of the redundant circuit.
  • 16. Multiple-Line Access to a Single ISP Multiple-POP access: Running second connection to a second POP additional availability and reliability can be obtained. Border Gateway Protocol (BGP) protocol, run by ISP, specifies routes between entities with such dual connections. Single point failures of local loop and CO can be overcome if the organization’s facility has two local loop connections.
  • 17. Multiple-line Access to Multiple ISPs If architected correctly, use of multiple ISPs can reduce the risk of loss of service dramatically. Issues that occur in choosing ISPs are complexity of using different ISPs, thorough knowledge in ISPs, and physical routing of connections. Working with multiple ISPs also involve routing and IP address space issues that must be resolved.
  • 18. Design a Demilitarized Zone Defining the DMZ. Systems to place in DMZ. Appropriate DMZ architectures.
  • 19. Defining the DMZ A DMZ is created by providing a semi-protected network zone. The DMZ is delineated with network access controls, such as firewalls or heavily filtered routers. Any system that can be directly contacted by an external user should be placed in a DMZ since they can be attacked. External system’s access to sensitive systems must be avoided.
  • 20. Systems to Place in DMZ Layout of systems between the DMZ and the internal network
  • 21. Systems to Place in DMZ DMZ can have either both internal and external mail servers or a single firewall mail server. Using Web server for receiving user’s input and application server for processing it provides protection to the database server. All externally accessible systems should be placed in the DMZ. The organization’s ISP can provide alternate DNS services.
  • 22. Appropriate DMZ Architectures The three common architectures are router and firewall, single firewall, and dual firewall. These architectures have their own advantages and disadvantages; hence organizations must choose the appropriate one.
  • 23. Appropriate DMZ Architectures Router and firewall architecture: Router and firewall architecture involves risk to systems on the Internet. The risk can be reduced using filters on the router. Risk to systems can also be reduced by locking them so that only services offered by DMZ run on them.
  • 24. Appropriate DMZ Architectures Single firewall architecture: A single firewall can be used to create a DMZ using a third interface. The single firewall becomes a single point of failure and a potential bottleneck for traffic, unless in fail-over configuration. Single firewall architecture is simple compared to the router and firewall architecture.
  • 25. Appropriate DMZ Architectures Dual firewall architecture: Dual firewall architecture uses two firewalls to separate DMZ from external and internal networks. Dual firewalls increase cost of architecture and require additional management and configuration.
  • 26. Understand Network Address Translation Any organization that plans to install a firewall will have to deal with addressing issues. In most networks, the firewall performs the NAT function of translating one or more addresses into other addresses. NAT can also provide a security function as hidden addresses of internal systems are not visible to the Internet.
  • 27. Understand Network Address Translation Private class addresses are used on internal networks behind a firewall that performs NAT. These addresses provide an organization with flexibility in designing its internal addressing scheme. Static NAT is a one- to-one configuration that allows accessing internal network addresses from the Internet. Static NAT maps a single real address from the organization’s external network to a system on the DMZ.
  • 28.
  • 29. Understand Network Address Translation Dynamic NAT maps many internal addresses to a single real address. Dynamic NAT creates a practical limit of about 64,000 simultaneous connections. Dynamic NAT is useful for desktop clients who use the Dynamic Host Configuration Protocol (DHCP).
  • 30. Design Partner Networks Partner networks are generally established to exchange certain files or pieces of data between organizations. Architectures and methodologies of Internet connection can be used for partner networks as their requirements do not differ much. Rules must be added to firewall to allow systems at the partner organization and internal systems to access partner DMZ systems. NAT should be used when connecting to partner networks.
  • 31.
  • 32. Summary Organizations can offer services like mail, encrypted e-mail, Web, internal access to Internet, external access to internal systems, and control services. Control services include DNS, ICMP, and NTP. To reduce security risks, services that are not required should not be offered. Types of Internet architectures are single-line access, multiple-line access to a single ISP, and multiple-line access to multiple ISPs.
  • 33. Summary Establishing a not truly trusted, semi-secure zone outside of the trusted network creates a DMZ. Router and firewall, single firewall, and dual firewall are the three DMZ architectures. Firewall performs the NAT function of translating one or more addresses into other addresses. Partner networks are generally established to exchange data between organizations.