Using Hardware and Software
Security Devices
• In medium to large enterprise networks, strategies for
security usually include some combination of internal
and perimeter routers plus firewall devices.
• Internal routers provide added security by screening
traffic to the more vulnerable parts of a corporate
network through a wide array of strategic access lists.
[Figure: untrusted network (Internet) -> perimeter (premises) router -> firewall -> internal (local network) router -> corporate (trusted) network; a DMZ containing the web server and email server sits at the firewall]
Firewalls
• Firewalls are usually a combination of hardware and software.
• The hardware part is usually a router, but it can also be a
computer or a dedicated piece of hardware called a black box
that has two Network Interface Cards (NICs) in it.
• One of the NICs connects to the public side, and the other one
connects to the private side.
• The software part is configured to control how the firewall
actually works to protect your network by scrutinizing each
incoming and outgoing packet and rejecting any suspicious
ones.
Firewalls
• Network-Based Firewalls
– A network-based firewall is used to protect private
networks from public networks.
– This type of firewall is designed to protect an entire
network of computers instead of just one system.
– Usually a combination of hardware and software
• Host-Based Firewalls
– A host-based firewall is implemented on a single
machine so it only protects that one machine.
– Usually a software implementation
Firewall Technologies
• Access Control Lists (ACLs)
– The first line of defense for any network that’s
connected to the Internet is the access control list.
– These reside on your routers and determine by IP
addresses and/or ports which machines are allowed to
use those routers and in what direction.
[Figure: a router between Network A (“public” network) and Network B (“private” network); A can access B, B can access if a secure authenticated connection is detected]
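The ACL behaviour described above (permit or deny by IP address and/or port, per direction, first match wins, implicit deny at the end) as a small router-style evaluator. This is an added example, not code from the slides; the rule layout, the 10.0.0.0/8 private side and the sample packets are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed access list (assumed layout, not any vendor's syntax): entries are
# evaluated top-down, the first match decides, and a packet matching nothing is
# dropped (implicit deny). Fields: action, direction, source network,
# destination network, destination port (None = any port).
# Network B (10.0.0.0/8) is the "private" side; everything else is the "public" Network A.
ACL = [
    ("permit", "outbound", "10.0.0.0/8",  "0.0.0.0/0",    None),  # private hosts may reach anywhere
    ("permit", "inbound",  "0.0.0.0/0",   "10.0.5.20/32", 443),   # public side may reach one HTTPS server
    ("deny",   "inbound",  "0.0.0.0/0",   "10.0.0.0/8",   None),  # all other inbound traffic is blocked
]

def acl_check(acl, direction, src, dst, dport):
    """Return (action, matched_rule_index); no match yields ('deny', None)."""
    for i, (action, rule_dir, src_net, dst_net, port) in enumerate(acl):
        if rule_dir != direction:
            continue
        if ip_address(src) not in ip_network(src_net):
            continue
        if ip_address(dst) not in ip_network(dst_net):
            continue
        if port is not None and port != dport:
            continue
        return action, i
    return "deny", None  # implicit deny at the end of every access list

if __name__ == "__main__":
    # Constructed sample packets: (direction, src, dst, dport)
    packets = [
        ("outbound", "10.1.2.3",    "203.0.113.7", 80),
        ("inbound",  "203.0.113.7", "10.0.5.20",   443),
        ("inbound",  "203.0.113.7", "10.0.5.20",   22),
        ("inbound",  "203.0.113.7", "172.16.0.1",  443),
    ]
    for pkt in packets:
        print(pkt, "->", acl_check(ACL, *pkt))
```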
Port Security
Firewall Technologies
• Demilitarized Zone (DMZ)
– A demilitarized zone (DMZ) is a network segment that
isn’t public or private but halfway between the two.
[Figure: Internet -> DMZ containing an FTP server -> switch -> protected intranet with the email server, file & print server, and internal database & web server]
Firewall Technologies
• Protocol Switching
– Protocol switching protects data on the inside of a firewall.
[Figure: TCP/IP Internet -> router (TCP/IP only) -> switch (IPX/SPX only) -> protected intranet; inside, the email server, file & print server and internal database & web server run IPX/SPX, TCP/IP, or both]
Firewall Technologies
• Dynamic Packet Filtering
– Packet filtering refers to the ability of a router or a firewall
to discard packets that don’t meet the right criteria.
[Figure: the firewall keeps a state list for the session between A & B: last packet #1238, next packet #1239. The server is sending packet #1239 and the client is expecting packet #1239. A hacker attempts to get in using packet #1211 and is denied access because the state list says the firewall should expect packet #1239 next, but instead it is receiving #1211, so it rejects the packet.]
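The state-list check from the packet-filtering slide, as an added example that is not part of the original deck: a tracked session records the last packet number passed, and only a server-to-client packet carrying exactly the next number is accepted. The session key, the packet-number model and the hosts A, B and C are simplifying assumptions (real stateful firewalls track TCP sequence numbers and windows, not a single counter).

```python
from dataclasses import dataclass

@dataclass
class Session:
    """One entry in the firewall's state list for a tracked client/server session."""
    client: str
    server: str
    last_packet: int              # last packet number passed, e.g. 1238

    @property
    def expected(self) -> int:    # the only packet number accepted next
        return self.last_packet + 1

class StatefulFilter:
    def __init__(self):
        self.state = {}           # (client, server) -> Session

    def open_session(self, client, server, last_packet):
        self.state[(client, server)] = Session(client, server, last_packet)

    def inspect(self, src, dst, packet_no):
        """Inspect a packet sent from src to dst. Returns (verdict, reason).
        Only server-to-client packets of a tracked session with exactly the
        expected number are accepted; everything else is rejected."""
        sess = self.state.get((dst, src))        # dst is the client, src claims to be the server
        if sess is None:
            return "reject", f"no session between {dst} and {src} in the state list"
        if packet_no != sess.expected:
            return "reject", f"state list expects #{sess.expected}, got #{packet_no}"
        sess.last_packet = packet_no             # advance the state list
        return "accept", f"#{packet_no} is the packet the state list expects"

def replay_scenario():
    """The slide's scenario (constructed hosts): hacker injects #1211, real server sends #1239."""
    fw = StatefulFilter()
    fw.open_session("A", "B", last_packet=1238)
    return [
        fw.inspect("B", "A", 1211),   # attacker spoofing B with a stale packet number
        fw.inspect("B", "A", 1239),   # genuine server packet
        fw.inspect("B", "A", 1239),   # the same packet again is now out of state
        fw.inspect("C", "A", 1),      # host with no session at all
    ]

if __name__ == "__main__":
    for verdict, reason in replay_scenario():
        print(verdict, "-", reason)
```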
Firewall Technologies
• Proxy Services
– Proxies act on behalf of the whole network to
completely separate packets from internal hosts
and external hosts.
[Figure: host A sends HTTP data to the proxy server; the web server on the Internet sees the data as “From Proxy” and replies “From Server” to the proxy, which returns it “From Proxy” to A; packets the proxy rejects are discarded]
Firewall Technologies
• Firewalls at the Application Layer vs. the Network Layer
– Stateful vs. Stateless Network-Layer Firewalls
– Application-Layer Firewalls
• Scanning Services and Other Firewall Features
Figure 15.7
Internet Options Security tab
Figure 15.8
Adding a trusted site
Figure 15.9
Custom security settings
Figure 15.10
Intrusion-Detection and
Intrusion-Prevention Systems
• Firewalls are designed to block nasty traffic from
entering your network, but IDS is more of an auditing
tool: It keeps track of all activity on your network so
you can see if someone has been trespassing.
[Figure: 1 attack underway against the network behind the firewall; 2 IDS analysis looks for misuse or known attack signatures using its attack signature & misuse database; 3 response]
Intrusion-Detection and
Intrusion-Prevention Systems
• Network-Based IDS
– The most common implementation of a detection
system is a network-based IDS (NIDS).
– The IDS is a separate device attached to the
network via a device like a switch or directly via a tap.
[Figure: Internet -> firewall -> hub or tap connection into the network; the IDS sits on the tap and is reached over a secured management channel]
Intrusion-Detection and
Intrusion-Prevention Systems
• Changing network configuration
– An IDS can close the port either temporarily or permanently.
– If the IDS closes ports, legitimate traffic may not be able to
get through either, but it will definitely stop the attack.
[Figure: 1 attack occurs against the client; 2 IDS analysis/responses, alert detected by the sensor; 3 port 80 closed at the firewall by the IDS command (Close 80, 60 seconds)]
Intrusion-Detection and
Intrusion-Prevention Systems
• Deceiving the attacker
– Trick the attacker into thinking their attack is really working
when it’s not.
– The system logs information, trying to pinpoint who’s behind
the attack and which methods they’re using.
– A honeypot is a device or server to which the hacker is directed;
it’s intended to keep their interest long enough to gather enough
information to identify them and their attack method.
[Figure: 1 attack occurs (network attack aimed at the client behind the firewall); 2 IDS analysis/response, alert detected; 3 network traffic rerouted to the honeypot]
Vulnerability Scanners
• NESSUS
– Proprietary vulnerability scanning program that requires
a license to use commercially, yet is the single most
popular scanning program in use.
• NMAP
– Originally intended simply to identify devices on the
network for the purpose of creating a network diagram;
its functionality has evolved.
VPN Concentrators
• A VPN concentrator is a device that creates remote access
for virtual private networks (VPNs) either for users logging
in remotely or for a large site-to-site VPN.
• In contrast to standard remote-access connections,
remote-access VPNs often allow higher data throughput
and provide encryption.
• Cisco produces VPN concentrators that support anywhere
from 100 users up to 10,000 simultaneous remote-access
connections.
Understanding Problems
Affecting Device Security
• Physical Security
– Physical Barriers
– Security Zones
Figure 15.17
Understanding Problems
Affecting Device Security
• Logical Security Configurations
– Ensure your network has an outside barrier and/or a
perimeter defense.
– Have a solid firewall, and it’s best to have an IDS or
IPS of some sort as well.
Network perimeter defense
Figure 15.18: [Internet -> router -> firewall with IDS -> local network]
Network divided into security zones
Figure 15.19: [Internet -> router -> private network divided into Zone 1, Zone 2 and Zone 3, holding the administration, accounting, production and sales networks]
Understanding Problems
Affecting Device Security
• Maybe traffic is heavy, and you need to break up physical
segments.
• Perhaps different groups are in different buildings or on
different floors of a building, and you want to effectively
segment them.
[Figure: border router and firewall in front of Zone 1, Zone 2 and Zone 3, each zone behind its own router with its own IDS]
Figure 15.21
Figure 15.22
Figure 15.23
Figure 15.24
Summary
• Summary
• Exam Essentials Section
• Written Labs
• Review Questions