Secure Network Design: Designing a DMZ & VPN
IT352 Network Security, Najwa AlGhamdi
Introduction
DMZ stands for DeMilitarized Zone: a network added between a protected network and an external network in order to provide an additional layer of security. A DMZ is sometimes called a "perimeter network" or a "three-homed perimeter network".
A DMZ is an example of the Defense-in-Depth principle:
- No one thing, and no two things, will ever provide total security.
- The only way for a system to be reasonably secured is to consider every aspect of the system's existence and secure them all.
A DMZ is a step towards defense in depth because it adds an extra layer of security beyond that of a single perimeter.
Introduction
A DMZ separates an external network from directly referencing an internal network. It does this by isolating the machine that is being directly accessed from all other machines. Most of the time the external network is the Internet and what is in the DMZ is the web server, but this isn't the only possible configuration. A DMZ can be used to isolate a particular machine within a network from other machines.
Introduction
This might be done for a branch office that needs its own Internet access but also needs access to the corporate network. In DMZ terminology, an internal connection is generally thought of as having more secret or valuable information than an external network. An easy way to understand which is the external and which is the internal network is to ask yourself which network am I protecting from the other.
Introduction
A DMZ is designed to support the principle of separation:
- Any system should have its important applications separated.
This acts as a system of checks and balances to make sure that if any one area goes bad it cannot corrupt the whole.
A DMZ's separation will degrade performance. If configured correctly the degradation in performance is usually minimal and seldom noticeable. However, it does exist and you need to be aware of it. This effect on performance must be calculated in the total cost of implementing a DMZ.
DMZ Architecture
A DMZ is used to protect nodes that provide services to the external network: web, mail, FTP servers.
A DMZ uses a firewall to:
- restrict access from the Internet to the DMZ, to protect the servers;
- restrict access from the DMZ to the intranet, to protect against compromises.
Example:
- Allow connections from the Internet to the mail server on port 25 (SMTP).
- Allow connections from the intranet to the mail server on port 993 (secure IMAP).
Two of the most basic DMZ design architectures:
1. with a single firewall
2. with dual firewalls.
Single firewall
A single firewall with at least 3 network interfaces can be used to create a network architecture containing a DMZ.
- 1st firewall interface: the external network (Internet)
- 2nd firewall interface: the internal network
- 3rd firewall interface: DMZ
The firewall will handle all of the traffic going to the DMZ as well as the internal network.
(Diagram: purple for LAN, green for DMZ, red for Internet.)
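The following is an added example, not part of the lecture slides: a small policy checker modelling the three-zone single firewall above, loaded with the slide's two example rules (Internet to mail server on 25, intranet to mail server on 993) and a default deny everywhere else. The zone names, addresses and rule list are constructed for illustration; the audit helper flags any rule that would let a compromised DMZ host reach the LAN.

```python
# Added example (not from the slides): a policy checker for the three-interface
# single-firewall DMZ.  Zones, hosts and rules are constructed for illustration.
from dataclasses import dataclass
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    """One allow rule: src zone -> dst zone, on one TCP port.
    dst_host None means any host in the destination zone."""
    src_zone: str
    dst_zone: str
    dst_host: Optional[str]
    dst_port: int

# Hosts per zone (constructed addresses: RFC 5737 documentation range, RFC 1918).
HOST_ZONE = {
    "203.0.113.7": "internet",   # some client on the Internet
    "10.0.0.25": "intranet",     # workstation on the internal LAN
    "192.168.100.10": "dmz",     # mail server in the DMZ
}

# Slide example: Internet -> mail server on 25 (SMTP); intranet -> mail server
# on 993 (secure IMAP).  Everything else, including DMZ -> intranet, is denied
# by default, so a compromised DMZ host cannot reach the LAN.
POLICY: List[Rule] = [
    Rule("internet", "dmz", "192.168.100.10", 25),
    Rule("intranet", "dmz", "192.168.100.10", 993),
]

def zone_of(ip: str) -> str:
    """Unknown addresses are treated as external (the least trusted zone)."""
    return HOST_ZONE.get(ip, "internet")

def is_allowed(src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """True only if an explicit rule permits src -> dst:port across the firewall."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    if src_zone == dst_zone:
        return True   # same-zone traffic never crosses the firewall
    return any(
        r.src_zone == src_zone and r.dst_zone == dst_zone
        and (r.dst_host is None or r.dst_host == dst_ip)
        and r.dst_port == dst_port
        for r in POLICY
    )

def dmz_to_intranet_rules(policy: List[Rule]) -> List[Rule]:
    """Audit helper: rules that would let DMZ hosts initiate traffic into the LAN."""
    return [r for r in policy if r.src_zone == "dmz" and r.dst_zone == "intranet"]
```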
Dual firewall
A more secure approach is to use two firewalls to create a DMZ. The first firewall (also called the "front-end" firewall) must be configured to allow traffic destined to the DMZ only. The second firewall (also called the "back-end" firewall) allows only traffic from the DMZ to the internal network.
(Diagram: purple for LAN, green for DMZ, red for Internet.)
Dual firewall
There is even more protection if the two firewalls are provided by two different vendors, because it makes it less likely that both devices suffer from the same security vulnerabilities. The practice of using different firewalls from different vendors is sometimes described as an example of the "defense in depth" security strategy.
VIRTUAL PRIVATE NETWORKS (VPN)
Traditional Connectivity [From Gartner Consulting]
What is VPN?
A Virtual Private Network is a type of private network that uses public telecommunication, such as the Internet, instead of leased lines to communicate. It became popular as more employees worked in remote locations.
Private Networks vs. Virtual Private Networks
- Employees can access the network (Intranet) from remote locations.
- Secured networks.
- The Internet is used as the backbone for VPNs.
- Saves cost tremendously from reduction of equipment and maintenance costs.
- Scalability.
Remote Access Virtual Private Network (From Gartner Consulting)
Brief Overview of How it Works
- Two connections – one is made to the Internet and the second is made to the VPN.
- Datagrams – contain data, destination and source information.
- Firewalls – VPNs allow authorized users to pass through the firewalls.
- Protocols – protocols create the VPN tunnels.
Four Critical Functions
- Authentication – validates that the data was sent from the sender, using a digital signature.
- Access control – limiting unauthorized users from accessing the network.
- Confidentiality – preventing the data from being read or copied as it is being transported, using public key cryptography.
- Data Integrity – ensuring that the data has not been altered.
Tunneling
A virtual point-to-point connection made through a public network. It transports encapsulated datagrams.
Data Encapsulation [From Comer]: the original datagram becomes the encrypted inner datagram, which is carried in the data area of the outer datagram behind the outer datagram header.
Two types of end points: Remote Access, Site-to-Site.
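As an added example (not from the slides or from any real VPN protocol), the following Python code builds the outer datagram sketched in the tunneling slide and exercises two of the four critical functions from the previous slide: the inner datagram is encrypted into the outer datagram's data area, and a tag over header and ciphertext lets the receiver reject anything altered in transit. The header layout, the keys, and the use of HMAC-SHA256 as a counter-mode keystream generator (a stand-in for the AES-based ciphers real VPNs use) are all assumptions made for this example.

```python
# Added example, not from the slides: one way to build the outer datagram the
# tunneling slide sketches (header + data area carrying the encrypted inner
# datagram) and to check integrity on receipt.  Layout, keys and the use of
# HMAC-SHA256 as a counter-mode PRF are constructed for this example only.
import hashlib, hmac, os, socket, struct

ENC_KEY = b"constructed-demo-encryption-key"   # shared by both tunnel endpoints
MAC_KEY = b"constructed-demo-integrity-key"
TAG_LEN = 32                                   # HMAC-SHA256 digest size
HDR_LEN = 18                                   # 4 src + 4 dst + 2 length + 8 nonce

def inner_datagram(src_ip: str, dst_ip: str, payload: bytes) -> bytes:
    """Inner (private) datagram: 4-byte src, 4-byte dst, then the data."""
    return socket.inet_aton(src_ip) + socket.inet_aton(dst_ip) + payload

def keystream(nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: block i = HMAC(ENC_KEY, nonce || i); never reuse a nonce."""
    blocks = [hmac.new(ENC_KEY, nonce + struct.pack("!I", i), hashlib.sha256).digest()
              for i in range((length + 31) // 32)]
    return b"".join(blocks)[:length]

def encapsulate(outer_src: str, outer_dst: str, inner: bytes) -> bytes:
    """Outer datagram = header (public endpoints, length, nonce) + data area.
    Data area = encrypted inner datagram + tag over header and ciphertext
    (encrypt-then-MAC), giving confidentiality and integrity."""
    nonce = os.urandom(8)
    header = (socket.inet_aton(outer_src) + socket.inet_aton(outer_dst)
              + struct.pack("!H", len(inner)) + nonce)
    cipher = bytes(a ^ b for a, b in zip(inner, keystream(nonce, len(inner))))
    tag = hmac.new(MAC_KEY, header + cipher, hashlib.sha256).digest()
    return header + cipher + tag

def decapsulate(outer: bytes):
    """Verify the tag, then decrypt; returns (outer_src, outer_dst, inner) or
    None when the datagram is truncated or has been altered in transit."""
    if len(outer) < HDR_LEN + TAG_LEN:
        return None
    header = outer[:HDR_LEN]
    length = struct.unpack("!H", header[8:10])[0]
    nonce = header[10:18]
    cipher, tag = outer[HDR_LEN:HDR_LEN + length], outer[HDR_LEN + length:]
    if len(cipher) != length or len(tag) != TAG_LEN:
        return None
    expected = hmac.new(MAC_KEY, header + cipher, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None                      # integrity check failed: drop it
    inner = bytes(a ^ b for a, b in zip(cipher, keystream(nonce, length)))
    return socket.inet_ntoa(header[:4]), socket.inet_ntoa(header[4:8]), inner
```

The outer header carries only the public tunnel endpoints, so an observer on the public network sees neither the private addresses nor the payload of the inner datagram.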
Four Protocols used in VPN
- PPTP – Point-to-Point Tunneling Protocol
- L2TP – Layer 2 Tunneling Protocol
- IPsec – Internet Protocol Security
- SOCKS – not used as much as the ones above
VPN Encapsulation of Packets
Types of Implementations
What does "implementation" mean in VPNs? 3 types:
- Intranet – within an organization
- Extranet – outside an organization
- Remote Access – employee to business
Virtual Private Networks (VPN): Basic Architecture
Device Types
What it means: 3 types
- Hardware
- Firewall
- Software
Device Types: Hardware
Usually a VPN type of router.
Pros: highest network throughput; plug and play; dual-purpose.
Cons: cost; lack of flexibility.
Device Types: Firewall
More security?
Pros: "hardened" operating system; tri-purpose; cost-effective.
Cons: still relatively costly.
Device Types: Software
Ideal for 2 end points not in the same organization. Great when different firewalls are implemented.
Pros: flexible; low relative cost.
Cons: lack of efficiency; more labor training required; lower productivity, higher labor costs.
Advantages vs. Disadvantages
Advantages: Cost Savings
- Eliminating the need for expensive long-distance leased lines
- Reducing the long-distance telephone charges for remote access
- Transferring the support burden to the service providers
- Operational costs
Cisco VPN Savings Calculator
Advantages: Scalability
- Flexibility of growth
- Efficiency with broadband technology
Disadvantages
- VPNs require an in-depth understanding of public network security issues and proper deployment of precautions
- Availability and performance depend on factors largely outside of their control
- Immature standards
- VPNs need to accommodate protocols other than IP and existing internal network technology
Applications: Site-to-Site VPNs
- Large-scale encryption between multiple fixed sites such as remote offices and central offices
- Network traffic is sent over the branch office Internet connection
- This saves the company hardware and management expenses
Site-to-Site VPNs
Applications: Remote Access
- Encrypted connections between mobile or remote users and their corporate networks
- Remote user can make a local call to an ISP, as opposed to a long distance call to the corporate remote access server
- Ideal for a telecommuter or mobile sales people
- VPN allows mobile workers & telecommuters to take advantage of broadband connectivity, i.e. DSL, Cable
Industries That May Use a VPN
- Healthcare: enables the transferring of confidential patient information within the medical facilities & health care provider
- Manufacturing: allow suppliers to view inventory & allow clients to purchase online safely
- Retail: able to securely transfer sales data or customer info between stores & the headquarters
- Banking/Financial: enables account information to be transferred safely within departments & branches
- General Business: communication between remote employees can be securely exchanged
Some Businesses using a VPN
- CVS Pharmaceutical Corporation upgraded their frame relay network to an IP VPN
- ITW Foilmark secured remote location orders, running reports, & internet/intranet communications with 168-bit encryption by switching to OpenReach VPN
- Bacardi & Co. implemented a 21-country, 44-location VPN
Where Do We See VPNs Going in the Future?
- VPNs are continually being enhanced. Example: Equant NV
- As the VPN market becomes larger, more applications will be created along with more VPN providers and new VPN types.
- Networks are expected to converge to create an integrated VPN.
- Improved protocols are expected, which will also improve VPNs.