Secure Network Design: Designing A DMZ & VPN

Transcription

Secure Network Design: Designing a DMZ & VPN
Topics: DMZ; VPN
IT352 Network Security, Najwa AlGhamdi

Introduction
DMZ stands for DeMilitarized Zone: a network added between a protected network and an external network in order to provide an additional layer of security.
A DMZ is sometimes called a “perimeter network” or a “three-homed perimeter network”.
A DMZ is an example of the defense-in-depth principle.
– No one thing, no two things, will ever provide total security.
– It states that the only way for a system to be reasonably secured is to consider every aspect of the system's existence and secure them all.
A DMZ is a step towards defense in depth because it adds an extra layer of security beyond that of a single perimeter.

Introduction
A DMZ separates an external network from directly referencing an internal network.
It does this by isolating the machine that is being directly accessed from all other machines.
Most of the time the external network is the Internet and what is in the DMZ is the web server, but this isn't the only possible configuration.
A DMZ can be used to isolate a particular machine within a network from other machines.

Introduction
This might be done for a branch office that needs its own Internet access but also needs access to the corporate network.
In DMZ terminology, an internal connection is generally thought of as having more secret or valuable information than an external network.
An easy way to understand which is the external and which is the internal network is to ask yourself which network am I protecting from the other.

Introduction
DMZ is designed to support the principle of separation.
– Any system should have its important applications separated.
This acts as a system of checks and balances to make sure that if any one area goes bad it cannot corrupt the whole.
A DMZ's separation will degrade performance.
If configured correctly the degradation in performance is usually minimal and seldom noticeable. However, it does exist and you need to be aware of it.
This effect on performance must be calculated in the total cost of implementing a DMZ.

DMZ Architecture
DMZ is used to protect nodes that provide services to the external network: web, mail, FTP servers.
DMZ uses a firewall to restrict access:
– from the Internet to the DMZ, to protect the servers;
– from the DMZ to the intranet, to protect against compromises.
Example:
– Allow connections from the Internet to the mail server on port 25 (SMTP).
– Allow connections from the intranet to the mail server on port 993 (secure IMAP).
Two of the most basic DMZ design architectures:
1. with a single firewall
2. with dual firewalls.

Single firewall
A single firewall with at least 3 network interfaces can be used to create a network architecture containing a DMZ.
– 1st firewall interface: the external network (Internet)
– 2nd firewall interface: the internal network
– 3rd firewall interface: DMZ
The firewall will handle all of the traffic going to the DMZ as well as the internal network.
[Figure: single-firewall DMZ. Purple for LAN, green for DMZ, red for Internet.]

Dual firewall
A more secure approach is to use two firewalls to create a DMZ.
The first firewall (also called the "front-end" firewall) must be configured to allow traffic destined to the DMZ only.
The second firewall (also called the "back-end" firewall) allows only traffic from the DMZ to the internal network.
[Figure: dual-firewall DMZ. Purple for LAN, green for DMZ, red for Internet.]

Dual firewall
There is even more protection if the two firewalls are provided by two different vendors, because it makes it less likely that both devices suffer from the same security vulnerabilities.
The practice of using different firewalls from different vendors is sometimes described as an example of a "defense in depth" security strategy.
[Figure: dual-firewall DMZ. Purple for LAN, green for DMZ, red for Internet.]
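As an added illustration (not part of the lecture), the following Python model evaluates the example policy from the DMZ Architecture slide for both designs: the single three-interface firewall (Internet to the mail server on port 25, intranet to it on port 993, everything else dropped) and the dual front-end/back-end pair, where a flow must be accepted by every firewall it traverses. The address ranges and the mail server address are assumptions.

```python
"""Zone-based model of the slides' DMZ firewall policies (single and dual firewall).
Constructed example: the prefixes and mail server address are assumptions, not
values from the lecture; it models first-match/default-deny rule evaluation."""
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

ZONES = {"lan": ip_network("10.0.0.0/24"),    # internal network (purple in the figures)
         "dmz": ip_network("192.0.2.0/24")}   # DMZ (green); all else is the Internet (red)
MAIL_SERVER = "192.0.2.25"                    # assumed address of the DMZ mail server

class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    dst_host: Optional[str]   # None = any host in dst_zone
    dport: Optional[int]      # None = any TCP port

def zone_of(addr: str) -> str:
    ip = ip_address(addr)
    return next((z for z, net in ZONES.items() if ip in net), "internet")

def evaluate(policy, src: str, dst: str, dport: int) -> str:
    """First matching rule accepts the new flow; anything unmatched is dropped."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return "accept"                   # same segment: never crosses a firewall
    for r in policy:
        if (r.src_zone, r.dst_zone) == (sz, dz) and r.dst_host in (None, dst) \
                and r.dport in (None, dport):
            return "accept"
    return "drop"                         # default deny, which covers DMZ -> LAN

# Single three-interface firewall: the slide's two example rules plus outbound browsing.
SINGLE_FW = [Rule("internet", "dmz", MAIL_SERVER, 25),   # SMTP in from the Internet
             Rule("lan", "dmz", MAIL_SERVER, 993),       # secure IMAP from the intranet
             Rule("lan", "internet", None, None)]        # users out to the Internet

# Dual firewall: the front-end sits between Internet and DMZ, the back-end between DMZ
# and LAN and admits only connections the internal network initiates. Neither has a
# DMZ -> LAN rule, so a compromised DMZ host stays contained.
FRONT_END = [Rule("internet", "dmz", MAIL_SERVER, 25), Rule("lan", "internet", None, None)]
BACK_END = [Rule("lan", "dmz", MAIL_SERVER, 993), Rule("lan", "internet", None, None)]

def evaluate_dual(src: str, dst: str, dport: int) -> str:
    """A flow is accepted only by every firewall it traverses: the front-end when one
    end is the Internet, the back-end when one end is the LAN (Internet <-> LAN: both)."""
    zones = {zone_of(src), zone_of(dst)}
    path = ([FRONT_END] if "internet" in zones else []) + ([BACK_END] if "lan" in zones else [])
    return "accept" if all(evaluate(p, src, dst, dport) == "accept" for p in path) else "drop"
```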

Virtual Private Networks (VPN)

Traditional Connectivity [figure, from Gartner Consulting]

What is VPN?
A Virtual Private Network is a type of private network that uses public telecommunication, such as the Internet, instead of leased lines to communicate.
Became popular as more employees worked in remote locations.

Private Networks vs. Virtual Private Networks
Employees can access the network (intranet) from remote locations.
Secured networks.
The Internet is used as the backbone for VPNs.
Saves cost tremendously from reduction of equipment and maintenance costs.
Scalability.

Remote Access Virtual Private Network [figure, from Gartner Consulting]

Brief Overview of How it Works
Two connections: one is made to the Internet and the second is made to the VPN.
Datagrams: contain data, destination and source information.
Firewalls: VPNs allow authorized users to pass through the firewalls.
Protocols: protocols create the VPN tunnels.

Four Critical Functions
Authentication: validates that the data was sent from the sender, using a digital signature.
Access control: limiting unauthorized users from accessing the network.
Confidentiality: preventing the data from being read or copied as it is being transported, using public key cryptography.
Data integrity: ensuring that the data has not been altered.

Tunneling
A virtual point-to-point connection made through a public network. It transports encapsulated datagrams.
[Figure: Data Encapsulation, from Comer. Labels: Original Datagram; Encrypted Inner Datagram; Datagram Header; Outer Datagram Data Area. The encrypted inner datagram is carried in the data area of the outer datagram.]
Two types of end points: Remote Access, Site-to-Site.
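As an added example, not part of the lecture or of any real VPN protocol, this Python code builds and unpacks a datagram in the shape of the Comer figure and exercises the confidentiality and data-integrity functions from the previous slide: the inner datagram is encrypted and authenticated, and the outer header exposes only the two tunnel endpoints. The header layouts are invented, and an HMAC-based keystream stands in for a real cipher so the code runs with the standard library alone.

```python
"""Tunnel encapsulation in the shape of the slides' Comer figure: the original datagram
is encrypted and integrity-protected, then carried as the data area of an outer datagram
whose header names only the two tunnel endpoints. Constructed example, not a real VPN
protocol: header layouts are invented and the HMAC keystream stands in for a real cipher."""
import hashlib, hmac, os, struct
from ipaddress import IPv4Address

OUTER_HDR = struct.Struct("!4s4sH")    # tunnel src, tunnel dst, payload length
INNER_HDR = struct.Struct("!4s4sH")    # real src, real dst, dport (simplified inner datagram)
NONCE_LEN, TAG_LEN = 12, 32

def _subkeys(key: bytes):
    # Separate keys for confidentiality and integrity, derived from one tunnel key.
    return (hashlib.sha256(key + b"enc").digest(), hashlib.sha256(key + b"mac").digest())

def _xor_keystream(k: bytes, nonce: bytes, data: bytes) -> bytes:
    blocks = (len(data) + 31) // 32
    ks = b"".join(hmac.new(k, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                  for i in range(blocks))
    return bytes(a ^ b for a, b in zip(data, ks))

def make_inner(src: str, dst: str, dport: int, payload: bytes) -> bytes:
    return INNER_HDR.pack(IPv4Address(src).packed, IPv4Address(dst).packed, dport) + payload

def encapsulate(inner: bytes, key: bytes, tun_src: str, tun_dst: str) -> bytes:
    """Outer header | nonce | encrypted inner datagram | tag over everything before it."""
    k_enc, k_mac = _subkeys(key)
    nonce = os.urandom(NONCE_LEN)
    ct = _xor_keystream(k_enc, nonce, inner)
    hdr = OUTER_HDR.pack(IPv4Address(tun_src).packed, IPv4Address(tun_dst).packed,
                         NONCE_LEN + len(ct) + TAG_LEN)
    tag = hmac.new(k_mac, hdr + nonce + ct, hashlib.sha256).digest()
    return hdr + nonce + ct + tag

def decapsulate(outer: bytes, key: bytes) -> bytes:
    """Verify the tag before touching the ciphertext; raise on any modification."""
    k_enc, k_mac = _subkeys(key)
    hdr, body = outer[:OUTER_HDR.size], outer[OUTER_HDR.size:]
    _, _, length = OUTER_HDR.unpack(hdr)
    if length != len(body) or length < NONCE_LEN + TAG_LEN:
        raise ValueError("outer length field does not match payload")
    nonce, ct, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(k_mac, hdr + nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed: datagram altered or wrong key")
    return _xor_keystream(k_enc, nonce, ct)

def outer_endpoints(outer: bytes):
    """What an observer on the public network sees: only the tunnel endpoints."""
    s, d, _ = OUTER_HDR.unpack(outer[:OUTER_HDR.size])
    return str(IPv4Address(s)), str(IPv4Address(d))
```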

Four Protocols used in VPN
PPTP: Point-to-Point Tunneling Protocol
L2TP: Layer 2 Tunneling Protocol
IPsec: Internet Protocol Security
SOCKS: is not used as much as the ones above

VPN Encapsulation of Packets

Types of Implementations
What does “implementation” mean in VPNs? 3 types:
Intranet: within an organization
Extranet: outside an organization
Remote Access: employee to business

Virtual Private Networks (VPN): Basic Architecture

Device Types
What it means: 3 types
– Hardware
– Firewall
– Software

Device Types: Hardware
Usually a VPN type of router.
Pros: highest network throughput; plug and play; dual-purpose.
Cons: cost; lack of flexibility.

Device Types: Firewall
More security?
Pros: “hardened” operating system; tri-purpose; cost-effective.
Cons: still relatively costly.

Device Types: Software
Ideal for 2 end points not in the same organization. Great when different firewalls are implemented.
Pros: flexible; low relative cost.
Cons: lack of efficiency; more labor training required; lower productivity; higher labor costs.

Advantages vs. Disadvantages

Advantages: Cost Savings
Eliminating the need for expensive long-distance leased lines.
Reducing the long-distance telephone charges for remote access.
Transferring the support burden to the service providers.
Operational costs.
Cisco VPN Savings Calculator.

Advantages: Scalability
Flexibility of growth.
Efficiency with broadband technology.

Disadvantages
VPNs require an in-depth understanding of public network security issues and proper deployment of precautions.
Availability and performance depend on factors largely outside of their control.
Immature standards.
VPNs need to accommodate protocols other than IP and existing internal network technology.

Applications: Site-to-Site VPNs
Large-scale encryption between multiple fixed sites such as remote offices and central offices.
Network traffic is sent over the branch office Internet connection.
This saves the company hardware and management expenses.

Site-to-Site VPNs

Applications: Remote Access
Encrypted connections between mobile or remote users and their corporate networks.
Remote user can make a local call to an ISP, as opposed to a long-distance call to the corporate remote access server.
Ideal for a telecommuter or mobile sales people.
VPN allows mobile workers & telecommuters to take advantage of broadband connectivity, i.e. DSL, cable.

Industries That May Use a VPN
Healthcare: enables the transferring of confidential patient information within the medical facilities & health care provider.
Manufacturing: allows suppliers to view inventory & allows clients to purchase online safely.
Retail: able to securely transfer sales data or customer info between stores & the headquarters.
Banking/Financial: enables account information to be transferred safely within departments & branches.
General Business: communication between remote employees can be securely exchanged.

Some Businesses using a VPN
CVS Pharmaceutical Corporation upgraded their frame relay network to an IP VPN.
ITW Foilmark secured remote location orders, running reports, & internet/intranet communications w/ 168-bit encryption by switching to OpenReach VPN.
Bacardi & Co. implemented a 21-country, 44-location VPN.

Where Do We See VPNs Going in the Future?
VPNs are continually being enhanced. Example: Equant NV.
As the VPN market becomes larger, more applications will be created along with more VPN providers and new VPN types.
Networks are expected to converge to create an integrated VPN.
Improved protocols are expected, which will also improve VPNs.
