Network Security Fundamentals - Semantic Scholar

Transcription

Slide 1: Network Security Fundamentals
Steven Taylor, President, Distributed Networking Associates, Inc.; Publisher/Editor, Webtorials; taylor@webtorials.com
Larry Hettick, Vice President, Wireline Solutions, Current Analysis; larry@larryhettick.com
Thanks to the sponsor: this presentation is made possible in part due to the generous support of Nortel Networks.

Slide 2: Agenda
- Overview of the problem
- Various vulnerabilities: workstations; LANs and switches; routers and firewalls; wide area networks (WANs)
- The big picture

Security Requirements
- Security is a process of balancing risks and benefits
- Some potential security threats: workstations; LANs and switches; routers and firewalls; wide area networks (WANs); physical security
- Make a decision based on a realistic evaluation, not emotion

Slide 3: Agenda (repeated): Overview of the problem; Various vulnerabilities (workstations, LANs and switches, routers and firewalls, wide area networks); The big picture
(Network diagram: Network Access Point, Firewall, Wide Area Network)

Slide 4: Workstation Security
(Bar chart: "Experienced Threats to Information Security", percentage of respondents from 0% to 90%, for the categories Virus, Insider Abuse of Network, Laptop Theft, System Penetration, Unauthorized Access, Denial of Service.)
Source: CSI/FBI 2004 Computer Crime and Security Survey Results, http://www.gocsi.com

Slide 5: LAN Security
(Diagram: Ethernet switch)
Traditional (old) Ethernet
- Advantage: shared, "broadcast" medium provides easy access
- Disadvantage: shared, "broadcast" medium is a significant security risk

Slide 6: Switched Ethernet
- Switched 10 Mbps / 100 Mbps
- Scalable
- Multiple paths through the switch
- Dedicated full-speed media
- Multiple speeds to match the application (speed conversion)
- Inherently more secure

Packet sniffing
- Can packets be sniffed? Yes, if you have physical access: tap the line, decode Ethernet, plus IP, plus the IP payload encoding, and this can be done in real time
- And you could use encryption (more later)
- Is switched Ethernet a security risk? Is it worth the trouble? No worse than traditional telephony; it depends on physical access

Slide 7: Wireless LAN
- Wireless Ethernet acts like traditional Ethernet without the wire
- Shared, "broadcast" medium provides easy access but is a security risk
- Multiple security enhancements are available
- Security needs to be implemented carefully and fully

Slide 8: Security and IP Address Spoofing
- The IP address is set by the user and can be spoofed
- Need for authentication
- But this problem is mostly solved: Network Address Translation (NAT)
- Additional mechanisms for advanced functions (like Session Initiation Protocol, SIP)

Slide 9: Firewalls
(Diagram: Network Access Point, Firewall, Corporate Network, Internet)
- Applications to limit and control connectivity within network environments
- Provide both external access limitations and internal resource protection

Slide 10: WAN
(Diagram: Network Access Point, Firewall, Wide Area Network)
Common WAN services
- Private line, frame relay and ATM
- Private IP VPNs
- Internet backbone VPNs: IPSec, SSL

Slide 11: Private Line, Frame Relay and ATM Security
- Private lines provide dedicated bandwidth per circuit (TDM technology)
- Frame relay and ATM PVC / SVC addresses are set by network operations; the SVC user controls the connection, not the address
- At some point, you must trust the service provider(s); a common issue for all nets
- Encryption is available, but not usually required

Private IP VPNs
- IP-based networks that are not based on the public Internet; a "Closed User Group" for each enterprise
- Often based on Multiprotocol Label Switching (MPLS): LSPs (virtual circuits) are automatically configured based on IP address, a "self-configuring" frame relay
- Sometimes deployed as "virtual routers"
- Security issues similar to ATM and frame relay
(Diagram: Router A, Router B, Router C connected by Label Switched Paths (LSPs))

Slide 12: Internet Backbone VPNs
- Uses IP as the "UNI" to the network
- Any-to-any connectivity
- No inherent security
- Multiple ISPs connected at "peering points"
(Diagram: Internet with ISP #1, ISP #2, ISP #3, ISP #4 joined at a peering point)

Slide 13: IPSec VPNs
- Internet transport layer
- "Tunnels" through the Internet
(Diagram: Network A, Network B, Network C connected by tunnels across the Internet)

Slide 14: What is IPSec?
- Encapsulation method that encrypts IP packets between two points inside another IP message
- Authenticates and secures VPNs over public IP services
(Diagram: IP packet carried inside an IPSec message across the Internet)

What is SSL?
- Similar to IPSec, with similar encryption algorithms
- Browser based
- Authenticates between browser and server
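The two points above, the packet-sniffing slide (decode Ethernet, then IP, then the payload) and the IPSec slide (the original IP packet is carried encrypted inside another IP message), can be made concrete with a small decoder. This is an added example, not from the slide deck or its authors: it builds two constructed Ethernet/IPv4 frames, one cleartext UDP datagram and one ESP (IP protocol 50) tunnel packet, and shows what a tap on the medium can read from each without any keys. The ESP payload is a placeholder stand-in for ciphertext; no real encryption is performed.

```python
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_UDP, PROTO_ESP = 17, 50

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 ones-complement sum; call with the checksum field zeroed."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def build_frame(src_ip: str, dst_ip: str, proto: int, payload: bytes) -> bytes:
    """Constructed Ethernet II + IPv4 frame (sample input, not captured traffic)."""
    eth = bytes.fromhex("66778899aabb001122334455") + struct.pack("!H", ETHERTYPE_IPV4)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0x1234, 0, 64,
                      proto, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    hdr = hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]
    return eth + hdr + payload

def decode_frame(frame: bytes) -> dict:
    """What a tap on the medium can read from one frame without any keys."""
    dst_mac, src_mac = frame[:6], frame[6:12]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        return {"ethertype": ethertype, "decoded": False}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4  # header length in bytes
    proto, csum = ip[9], struct.unpack("!H", ip[10:12])[0]
    info = {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":"),
            "src_ip": socket.inet_ntoa(ip[12:16]), "dst_ip": socket.inet_ntoa(ip[16:20]),
            "proto": proto,
            "checksum_ok": ipv4_checksum(ip[:10] + b"\x00\x00" + ip[12:ihl]) == csum}
    payload = ip[ihl:]
    if proto == PROTO_UDP:  # cleartext: ports and application data are all readable
        sport, dport = struct.unpack("!HH", payload[:4])
        info.update(ports=(sport, dport), payload=payload[8:].decode("ascii", "replace"))
    elif proto == PROTO_ESP:  # IPSec tunnel: only SPI and sequence number are readable
        spi, seq = struct.unpack("!II", payload[:8])
        info.update(spi=spi, seq=seq, payload="<encrypted: inner IP packet hidden>")
    return info

# Constructed samples: a cleartext UDP datagram, and an ESP tunnel-mode packet whose
# payload is a placeholder stand-in for ciphertext (no real encryption is performed).
CLEARTEXT = build_frame("192.0.2.10", "192.0.2.20", PROTO_UDP,
                        struct.pack("!HHHH", 40000, 514, 8 + 16, 0) + b"hello from alice")
ESP_TUNNEL = build_frame("198.51.100.1", "203.0.113.1", PROTO_ESP,
                         struct.pack("!II", 0x0A0B0C0D, 1) + b"\x9a\x11\x7c\xf0" * 8)
```

Calling `decode_frame` on both samples shows the point of the slides: addresses and the IP header are visible in both cases, but only the cleartext frame exposes ports and application data, while the tunnel packet reveals just the outer addresses, SPI and sequence number.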

Slide 15: Choosing a WAN Architecture
- All methods "work"
- All methods can be secure
- One size doesn't fit all
- Corporate "religion" is a major decision-making factor

Agenda (repeated): Overview of the problem; Various vulnerabilities (workstations, LANs and switches, routers and firewalls, wide area networks); The big picture

Slide 16: This is Your ... (diagram: Network Access Point, Firewall, Wide Area Network)
Who's guarding the ... (diagram: Network Access Point, Firewall, Wide Area Network)

Slide 17: Thank you!
Summary: Overview of the problem; Various vulnerabilities (workstations, LANs and switches, routers and firewalls, wide area networks); The big picture
For more information:
- Webtorials: http://www.webtorials.com
- Nortel Networks, sponsor of this presentation: http://www.nortelnetworks.com