
Network Defenses

Niken D Cahyani
Gandeva Bayu Satrya

Telkom Institute of Technology

Learning Objectives

After completing this chapter you should be able to do the following:
- Explain how to enhance security through network design
- Define network address translation and network access control
- List the different types of network security devices and explain how
  they can be used

Network Design - Subnetting


Each network device (called a host) is identified by its unique
Internet Protocol (IP) address, which is a 32-bit (4-byte) address
such as 192.146.118.20.
IP addresses are grouped into classes (Class A, B, C, and the special
Classes D and E). An IP address is actually two addresses in one: one
part is the network address (such as 192.146.118) and the other part
is the host address (such as 20).
Improved addressing techniques introduced in 1985 allowed an IP
address to be split anywhere within its 32 bits; this is known as
subnetting.

Security - Subnetting

Subnetting divides a single network into multiple smaller subnets in
order to isolate groups of hosts. It also:
- Lets network security tools regulate more easily who has access in
  and out of a particular subnetwork.
- Makes addresses instantly recognizable, so that the source of a
  potential security issue can be quickly addressed. For example, any
  IP address beginning with 192.168.50 can indicate mobile users,
  192.168.125 may designate executive users, and 192.168.200 can
  indicate wireless network users.
- Allows network administrators to hide the internal network layout,
  making it more difficult for attackers to map.
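The three subnetting ideas above (splitting an address at an arbitrary bit boundary, recognising a user group from its address, and regulating who may enter a subnet) can be shown in a few lines with Python's standard ipaddress module. This is an added example, not code from the slides; the /24 prefixes, the 10.10.0.0/24 and 10.20.0.0/24 protected subnets and the ingress policy are assumptions constructed for the demonstration.

```python
import ipaddress

# Constructed mapping of the subnets named on the slide to the user groups
# they designate (the slide gives only the first three octets; /24 is assumed).
SUBNET_GROUPS = {
    ipaddress.ip_network("192.168.50.0/24"): "mobile users",
    ipaddress.ip_network("192.168.125.0/24"): "executive users",
    ipaddress.ip_network("192.168.200.0/24"): "wireless users",
}

# Constructed ingress policy: which user groups may enter a protected subnet.
INGRESS_POLICY = {
    ipaddress.ip_network("10.10.0.0/24"): {"executive users"},
    ipaddress.ip_network("10.20.0.0/24"): {"executive users", "mobile users"},
}


def split_address(addr: str, prefix_len: int) -> tuple[str, int]:
    """Split an address at an arbitrary prefix length into (network address, host number).

    This is the post-1985 model: the boundary can sit anywhere in the 32 bits,
    not only on a classful octet boundary.
    """
    iface = ipaddress.ip_interface(f"{addr}/{prefix_len}")
    network = iface.network
    host_number = int(iface.ip) - int(network.network_address)
    return str(network.network_address), host_number


def classify(addr: str) -> str:
    """Return the user group a source address belongs to, or 'unknown'."""
    ip = ipaddress.ip_address(addr)
    for net, group in SUBNET_GROUPS.items():
        if ip in net:
            return group
    return "unknown"


def ingress_allowed(src: str, dst: str) -> bool:
    """Decide whether a packet from src may enter the subnet containing dst.

    Destination subnets not listed in the policy are denied by default.
    """
    dst_ip = ipaddress.ip_address(dst)
    for net, groups in INGRESS_POLICY.items():
        if dst_ip in net:
            return classify(src) in groups
    return False


if __name__ == "__main__":
    print(split_address("192.146.118.20", 24))   # classful split: ('192.146.118.0', 20)
    print(split_address("192.168.50.77", 26))    # /26 split: ('192.168.50.64', 13)
    for src in ("192.168.50.7", "192.168.125.3", "192.168.200.9", "10.1.2.3"):
        print(src, "->", classify(src))
    print(ingress_allowed("192.168.125.3", "10.10.0.5"))   # True
    print(ingress_allowed("192.168.200.9", "10.10.0.5"))   # False
```

The /26 case is the point of the 1985 change: the same address yields a different network part and host number once the boundary no longer has to fall on an octet.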

Subnetting Example

Advantages of Subnetting

Network Design - VLAN

A VLAN allows scattered users to be logically grouped together even
though they may be attached to different switches.
A VLAN gives a degree of security similar to subnetting: isolation, so
that sensitive data is transmitted only to members of the VLAN.
Attacks on the switch that attempt to exploit vulnerabilities such as
weak passwords or default accounts are common.

Network Design - Convergence

Convergence carries voice and data traffic over a single IP network.

Two important convergence technologies:
- Voice over IP (VoIP)
- IP telephony

Benefits:
- Cost savings
- Application development
- Infrastructure requirements
- Increased user productivity
- Increased security: only one network to manage

Convergence - Vulnerability

Network Design - Demilitarized Zone (DMZ)

A separate network that sits outside the secure network


Network Technologies - Network Address Translation (NAT)

NAT hides the IP addresses of network devices from attackers.

Network Technologies - Network Access Control (NAC)

NAC examines the current state of a system or network device before it
is allowed to connect to the network.
The device must meet a specified set of criteria, such as having the
most current antivirus signature; if it does not, it is only allowed
to connect to a quarantine network where the security deficiencies are
corrected.
After the problems are solved, the device is connected to the normal
network.
The goal is to prevent computers with sub-optimal security from
potentially infecting other computers through the network.
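The NAC decision described above is a posture check followed by a placement decision, and the quarantine step ends with a re-check. The following Python sketch is an added example, not the slides' code or any vendor's NAC agent; the three criteria (signature date, host firewall, patch level), the baseline values and the sample devices are constructed assumptions.

```python
from dataclasses import dataclass, replace
from datetime import date


@dataclass(frozen=True)
class DevicePosture:
    """Constructed snapshot of what a NAC agent would report about an endpoint."""
    hostname: str
    av_signature_date: date
    firewall_enabled: bool
    patch_level: int


# Constructed baseline the device must meet; a real NAC pulls these from policy.
CURRENT_SIGNATURE_DATE = date(2024, 3, 1)
REQUIRED_PATCH_LEVEL = 7

# Constructed sample devices: one that fails every check, one that is compliant.
STALE_LAPTOP = DevicePosture("laptop-17", date(2024, 1, 15), False, 5)
CLEAN_DESKTOP = DevicePosture("desk-2", date(2024, 3, 1), True, 7)


def posture_failures(p: DevicePosture) -> list[str]:
    """Return the criteria the device fails (an empty list means compliant)."""
    failures = []
    if p.av_signature_date < CURRENT_SIGNATURE_DATE:
        failures.append("antivirus signatures out of date")
    if not p.firewall_enabled:
        failures.append("host firewall disabled")
    if p.patch_level < REQUIRED_PATCH_LEVEL:
        failures.append("operating system patches missing")
    return failures


def assign_network(p: DevicePosture) -> str:
    """Place a compliant device on the normal network, anything else in quarantine."""
    return "normal" if not posture_failures(p) else "quarantine"


def remediate(p: DevicePosture) -> DevicePosture:
    """Model the fixes applied on the quarantine network and return the new posture."""
    return replace(
        p,
        av_signature_date=max(p.av_signature_date, CURRENT_SIGNATURE_DATE),
        firewall_enabled=True,
        patch_level=max(p.patch_level, REQUIRED_PATCH_LEVEL),
    )


if __name__ == "__main__":
    for device in (STALE_LAPTOP, CLEAN_DESKTOP):
        print(device.hostname, "->", assign_network(device), posture_failures(device))
    fixed = remediate(STALE_LAPTOP)
    print(fixed.hostname, "after remediation ->", assign_network(fixed))
```

Keeping the check as a pure function of the reported posture means the same code runs at admission and again after remediation, which is exactly the "after the problems are solved" step on the slide.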

Network Access Control (NAC)


Network Security Devices - Firewall

A firewall works from a rule base, which establishes what action the
firewall should take when it receives a packet. The options are:

Stateless packet filtering looks at the incoming packet and permits or
denies it based strictly on the rule base.
Stateful packet filtering keeps a record of the state of a connection
between an internal computer and an external server and then makes
decisions based on the connection as well as the rule base.
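The difference between the two filtering modes is easiest to see on reply traffic. The following Python simulation is an added example, not from the slides or any firewall product; the rule base, the Packet fields and the three sample packets are constructed assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal view of a TCP/IP packet header (constructed for the example)."""
    src: str
    dst: str
    sport: int
    dport: int
    syn: bool
    ack: bool


# Constructed rule base, first match wins. Fields: source prefix, destination
# prefix, destination port (None = any), action. The single allow rule lets
# internal hosts (10.0.0.0/24) open HTTPS connections outward.
RULES = [
    ("10.0.0.", "any", 443, "allow"),
    ("any", "any", None, "deny"),
]


def _match(value: str, pattern: str) -> bool:
    return pattern == "any" or value.startswith(pattern)


def stateless_decision(pkt: Packet) -> str:
    """Stateless filtering: consult only the rule base for this one packet."""
    for src, dst, dport, action in RULES:
        if _match(pkt.src, src) and _match(pkt.dst, dst) and (dport is None or pkt.dport == dport):
            return action
    return "deny"


class StatefulFilter:
    """Stateful filtering: remember connections the rule base allowed and
    accept their reply traffic even though no rule names it explicitly."""

    def __init__(self) -> None:
        self.connections: set[tuple[str, int, str, int]] = set()

    def decide(self, pkt: Packet) -> str:
        # Is this packet the reply half of a connection we already admitted?
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.connections:
            return "allow"
        action = stateless_decision(pkt)
        # Record a new connection only when the rule base allowed its opening SYN.
        if action == "allow" and pkt.syn and not pkt.ack:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action


# Constructed traffic: an outbound HTTPS request, its reply, and a stray packet
# from the same server towards a host that never opened a connection.
OUTBOUND = Packet("10.0.0.5", "203.0.113.8", 50000, 443, syn=True, ack=False)
REPLY = Packet("203.0.113.8", "10.0.0.5", 443, 50000, syn=True, ack=True)
STRAY = Packet("203.0.113.8", "10.0.0.9", 443, 50000, syn=False, ack=True)


def run_demo() -> dict[str, tuple[str, str]]:
    """Return the (stateless, stateful) decision for each sample packet, in order."""
    sf = StatefulFilter()
    return {
        name: (stateless_decision(pkt), sf.decide(pkt))
        for name, pkt in (("outbound", OUTBOUND), ("reply", REPLY), ("stray", STRAY))
    }


if __name__ == "__main__":
    for name, (stateless, stateful) in run_demo().items():
        print(f"{name:9} stateless={stateless:5} stateful={stateful}")
```

The stateless filter drops the legitimate reply because nothing in the rule base permits it; to fix that it would need a second rule admitting inbound packets from port 443 to any high port, which would also admit the stray packet. The stateful filter allows the reply and still drops the stray packet, because only the recorded connection matches.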

Firewall - Rules

Network Security Devices - Proxy

A proxy is a computer system (or an application program) that
intercepts internal user requests and then processes the request on
behalf of the user.
A reverse proxy does not serve clients but instead routes incoming
requests to the correct server. Requests for services are sent to the
reverse proxy, which then forwards them to the server.
To the outside user the IP address of the reverse proxy is the final
IP address for requesting services, yet only the reverse proxy can
access the internal servers.

Proxy Server

Network Security Devices - Honeypot

A honeypot is a computer, typically located in a DMZ, that is loaded
with software and data files that appear to be authentic, yet are
actually imitations of real data files configured with security
vulnerabilities so that it is open to attacks.

Purposes of a honeypot:
- Deflect attention: a honeypot can direct an attacker's attention
  away from legitimate servers.
- Early warnings of new attacks
- Examine attacker techniques

Types of honeypots: production honeypots and research honeypots.

Network Intrusion Detection System


An intrusion detection system (IDS) attempts to identify inappropriate
activity by comparing new behavior against normal or acceptable
behavior and issuing an alert.
Example actions an IDS can take in response:
- Configure the firewall to filter out the IP address of the intruder.
- Launch a separate program to handle the event.
- Save the packets in an evidence file for further analysis.
- Send an e-mail, page, or cell phone message to the network
  administrator.
- Terminate the TCP session by forging a TCP FIN packet to force the
  connection to close.

Host and Network Intrusion Prevention Systems


A host intrusion prevention system (HIPS) is an IPS installed on each
system, such as a server or desktop, that needs to be protected.
Most HIPS monitor the following desktop functions:
- System calls
- File system access
- System Registry settings
- Host input/output

A HIPS is designed to integrate with the existing antivirus,
anti-spyware, and firewall software installed on the desktop computer.
Network intrusion prevention systems (NIPS) work to protect the entire
network and all devices that are connected to it.

Protocol Analyzers

An IDS or IPS can detect a potential intrusion by:
- detecting statistical anomalies;
- examining network traffic for well-known patterns of attack, much
  like antivirus scanning;
- using protocol analyzer technology.

Protocol analyzers can fully decode application-layer network
protocols, such as Hypertext Transfer Protocol (HTTP) or File Transfer
Protocol (FTP). Once these protocols are decoded, the different parts
of the protocol can be analyzed for any suspicious behavior.
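The three detection approaches just listed, together with two of the IDS responses named earlier (handing the intruder's address to the firewall and saving packets as evidence), fit in one small Python program: decode the HTTP request, match signatures against the decoded fields, and run a rate check across sources. This is an added example, not from the slides or any IDS product; the signatures, the rate threshold, the allowed-method list and the sample requests are constructed assumptions, and the "evidence file" is an in-memory list.

```python
import re
from collections import Counter

# Constructed detection content (illustrative only, not a real IDS ruleset).
ALLOWED_METHODS = {"GET", "POST", "HEAD"}
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")   # ".." as a path segment
RATE_THRESHOLD = 5                           # requests per source in the sample window


def decode_http(raw: bytes) -> dict:
    """Protocol analyzer step: decode an HTTP/1.x request into its parts."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "target": target, "version": version,
            "headers": headers, "body": body}


def signature_alerts(src: str, req: dict) -> list[tuple[str, str]]:
    """Signature matching over the decoded protocol fields."""
    alerts = []
    if TRAVERSAL.search(req["target"]):
        alerts.append((src, "directory traversal pattern in request target"))
    if req["method"] not in ALLOWED_METHODS:
        alerts.append((src, f"unexpected HTTP method {req['method']}"))
    return alerts


def anomaly_alerts(events, threshold: int) -> list[tuple[str, str]]:
    """Statistical check: a source sending far more requests than the threshold."""
    counts = Counter(src for src, _ in events)
    return [(src, f"{n} requests in window exceeds threshold {threshold}")
            for src, n in counts.items() if n > threshold]


class Ids:
    """Ties detection to two responses from the slide: a block list to hand
    to the firewall, and an evidence store (a list standing in for a file)."""

    def __init__(self) -> None:
        self.blocklist: set[str] = set()
        self.evidence: list[bytes] = []

    def run(self, events) -> list[tuple[str, str]]:
        alerts = []
        for src, raw in events:
            hits = signature_alerts(src, decode_http(raw))
            if hits:
                alerts.extend(hits)
                self.blocklist.add(src)     # address to filter at the firewall
                self.evidence.append(raw)   # keep the packet for later analysis
        alerts.extend(anomaly_alerts(events, RATE_THRESHOLD))
        return alerts


# Constructed sample traffic: (source address, raw request bytes).
EVENTS = [
    ("198.51.100.4", b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("198.51.100.7", b"GET /files/../../secret.cfg HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
    ("198.51.100.9", b"TRACE / HTTP/1.1\r\nHost: www.example.test\r\n\r\n"),
] + [("198.51.100.12", b"GET /login HTTP/1.1\r\nHost: www.example.test\r\n\r\n")] * 6


if __name__ == "__main__":
    ids = Ids()
    for src, reason in ids.run(EVENTS):
        print(f"ALERT {src}: {reason}")
    print("block list for firewall:", sorted(ids.blocklist))
    print("evidence packets saved:", len(ids.evidence))
```

Signature hits are decided per packet and trigger the firewall and evidence responses immediately; the rate anomaly can only be judged over the whole window, which is why it produces an alert but, in this sketch, no automatic block.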

Internet Content Filter

Integrated Network Security

Multipurpose security appliances provide multiple security functions,
such as:
- Antispam and antiphishing
- Antivirus and antispyware
- Bandwidth optimization
- Content filtering
- Intrusion protection system

Combining or integrating multipurpose security appliances with a
traditional network device such as a switch or router creates
integrated network security hardware.