Tải bản đầy đủ

Lecture Security+ Certification: Chapter 8 - Trung tâm Athena

Chapter 8
Network Security
Topologies


Objectives in this Chapter






ATHENA

Explain network perimeter’s importance to an
organization’s security policies
Identify place and role of the demilitarized zone in the
network
Explain how network address translation is used to help
secure networks
Spell out the role of tunneling in network security

Describe security features of virtual local area networks


Perimeter Security Topologies


The whole goal of connecting networks is so
that people can share information.



The goal of perimeter security is to selectively
admit or deny data flows based on:





ATHENA

Protocol
Source
Destination
Content


Perimeter Security Topologies


Put in place using firewalls and routers on network edge



Permit secure communications between the
organization and third parties
Key enablers for many mission-critical network services
Include demilitarized zones (DMZs) extranets, and
intranets





ATHENA

continued…


Perimeter Security Topologies

ATHENA



The data flows that are allowed to enter, and
those that aren’t, are defined in an
organization’s security policy.



The security policy describes what type of
activities are permitted and what types are not.


Security Policies and Firewalls

ATHENA



These security policies are enforced primarily
with firewalls deployed at key boundaries in
the network, including the network perimeter.



Every packet entering or leaving is forced to
pass through a firewall, which checks it for
compliance with its rule set, discarding those
that don’t comply.


Multiple Perimeters


A network may contain multiple perimeters,
with different security levels:
• Outermost perimeter
• Internal perimeters
• Innermost perimeter

ATHENA


ATHENA


Outermost Perimeter







ATHENA

A router is used to separate network from ISP’s
network
Identifies separation point between assets you control
and those you do not
Most insecure area of a network infrastructure
Normally reserved for routers, firewalls, public
Internet servers (HTTP, FTP, DNS) (usually on the
DMZ)
Not for sensitive company information that is for
internal use only


Internal Perimeters

ATHENA



Represent additional boundaries where other
security measures are in place



Usually separated by firewalls



Used to separate areas with different security
levels and needs


Network Classifications

ATHENA



Trusted



Semi-trusted



Untrusted


Trusted Networks

ATHENA



Inside network security perimeter



The networks you are trying to protect


Semi-Trusted Networks

ATHENA



Allow access to some database materials and
e-mail



May include DNS, proxy, and modem (RAS)
servers, also DNS, web, and ftp



Not for confidential or proprietary
information



Referred to as the demilitarized zone (DMZ)


Untrusted Networks

ATHENA



Outside your security perimeter



Outside your control



You may need to communicate with some of
these networks – you configure your router,
firewall, and VPN (in some cases) to do this as
securely as possible


ATHENA


Creating and Developing Your Security
Design

ATHENA



Know your enemy – read books, take
classes/workshops, visit hacker web sites



Count the cost – cost vs. the value of what you
are protecting



Identify assumptions – we all know what
happens when we assume


Creating and Developing Your
Security Design

ATHENA



Control secrets (passwords, encryption keys,
etc.)



Know your weaknesses



Limit the scope of access by creating barriers
at multiple places



Understand your environment – know how
the network usually works



Limit your trust


DMZ

ATHENA



Used by a company to host its own Internet
services without sacrificing unauthorized
access to its private network (while
minimizing access)



Sits between Internet and internal network’s
line of defense, usually some combination of
firewalls and bastion hosts



Traffic originating from it should be filtered

continued…


DMZ


Typically contains devices accessible to
Internet traffic
• Web (HTTP) servers
• FTP servers
• SMTP (e-mail) servers
• DNS servers



ATHENA

Optional, more secure approach to a simple
firewall; may include a proxy server


ATHENA


DMZ Design Goals

ATHENA



Isolate internal networks



Minimize scope of damage



Protect sensitive data on the servers



Detect the compromise as soon as possible



Minimize effect of the compromise on other
organizations


Filtering

ATHENA



You filter traffic (using routers and/or
firewalls) coming from the external network
to the DMZ, and from the DMZ to the internal
network



You also filter traffic from the internal
network to the DMZ, and from the DMZ to
the external (although not as strictly)


ATHENA


Intranet

ATHENA



Either a network topology or application
(usually a Web portal) used as a single point
of access to deliver services to employees



Typically a collection of all LANs inside the
firewall



Shares company information and computing
resources among employees

continued…


Intranet

ATHENA



Allows access to public Internet through
firewalls that screen communications in both
directions to maintain company security



Also called a campus network


Tài liệu bạn tìm kiếm đã sẵn sàng tải về

Tải bản đầy đủ ngay

×