Slides - Ch. 10

Post on 23-Jun-2015


1

INFO1200 – Hardening the Infrastructure

Perimeter Network Design

• Design Principles
• Designing an Internet Access Network
• Designing Internet Application Networks
• Designing VPN & Remote Access Termination Networks

2

Design Principles

• Overview
• Selecting & Deploying Firewalls
• Placing Firewalls for Maximum Effect
• Determining Right Type of Firewall for Perimeter Design
• Including IDSs & IPSs in Your Design
• Creating Network Segments
• Securing Perimeter Network with VLANs & Routers using ACLs
• Segmenting using DMZ Networks & Service Networks

3

Overview

- Network design is usually a top-down design that follows a three-step approach:

1. Collect information to determine the requirements for capacity, functionality, performance, availability, scalability, affordability, manageability & security
2. Create a logical network design that encompasses the needs of the application or users
3. Create a physical network design that includes the real network devices

- For perimeter networks, top-down design must put equal emphasis on designing for security & application requirements

4

Selecting & Deploying Firewalls

- Firewalls are meant to be points of control between two network security zones through which all network traffic must flow
- Two main functions:
  - enforcing security policies, i.e. deciding whether to allow network connections
  - logging, to determine traffic patterns & for forensic analysis
- Firewalls alone do not provide complete network protection; they must be implemented in conjunction with IDSs & IPSs

5

Placing Firewalls for Maximum Effect

- A good implementation is designed to keep out all network traffic that is not specifically allowed (default deny)
- Firewalls in the perimeter network are responsible for maintaining security policies at all points of access
- They should be placed at any access point to the perimeter network as well as between any network segments within the perimeter network
- Multiple firewalls or multiple-interface firewalls should be used to create different security zones for different types of traffic requiring different security policies, e.g. the public zone segmented from higher-security zones such as the management network

6


7

Determining Right Type of Firewall for Perimeter Network

- Firewalls are classified by:

1. The methods they use to enforce security; the choices are:
   - packet-filtering firewalls (including stateful firewalls)
   - proxy-based firewalls
   - circuit gateway firewalls
2. How they handle network traffic; the choices are:
   - routing firewalls
   - bridging-mode firewalls
3. The physical configuration of the device; the choices are:
   - server-based firewalls
   - firewall appliances

8

Including IDSs & IPSs in Your Design

- Two main systems for IDSs & IPSs to detect intrusions:
  - knowledge-based system: compares network traffic to known attack or intrusion signatures
  - behaviour-based system: examines traffic patterns and compares them with historical trends
- The optimal location for an IDS/IPS depends on its features & functions:
  - a passive IDS should be behind the perimeter firewall, closest to the data to be protected
  - an IPS capable of stopping DoS and DDoS attacks should be placed on the perimeter network between the perimeter router & the perimeter firewall
  - an IPS capable of quickly matching traffic patterns should be deployed inline to all network traffic right behind the perimeter firewalls
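The two detection models on this slide are easiest to compare side by side on the same traffic. The following Python is an added illustration, not code from the course or the textbook: the flow records, the signature pattern `TESTSIG-1` and the historical baseline counts are all constructed (addresses are from the RFC 5737 documentation ranges). The knowledge-based detector only fires on the flow carrying a known pattern, while the behaviour-based detector flags the source whose connection count is far outside the historical trend even though none of its flows match a signature.

```python
"""Knowledge-based vs behaviour-based intrusion detection over constructed flow records.

Added example; sample data, signature database and baseline are constructed placeholders.
"""
from collections import Counter
from dataclasses import dataclass
from statistics import mean, pstdev


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dst_port: int
    payload: bytes


# Constructed sample traffic: one normal client, one client carrying a known
# pattern, and one source opening 30 connections to 30 different ports.
SAMPLE_FLOWS = (
    [Flow("198.51.100.20", "192.0.2.10", 443, b"GET /index.html") for _ in range(5)]
    + [
        Flow("203.0.113.5", "192.0.2.10", 80, b"GET /login"),
        Flow("203.0.113.5", "192.0.2.10", 80, b"POST /login TESTSIG-1"),
        Flow("203.0.113.5", "192.0.2.10", 80, b"GET /logo.png"),
    ]
    + [Flow("203.0.113.9", "192.0.2.10", port, b"") for port in range(1, 31)]
)

# Constructed signature database (name -> byte pattern); a placeholder, not a real rule set.
SIGNATURES = {"test-signature-1": b"TESTSIG-1"}

# Constructed historical per-source connection counts used as the behavioural baseline.
BASELINE_COUNTS = [4, 5, 6, 5, 4, 6, 5, 5]


def knowledge_based(flows, signatures=SIGNATURES):
    """Return (source, signature name) for every flow whose payload matches a known pattern.

    Anything not in the signature database is invisible to this detector.
    """
    hits = []
    for flow in flows:
        for name, pattern in signatures.items():
            if pattern in flow.payload:
                hits.append((flow.src, name))
    return hits


def behaviour_based(flows, baseline=BASELINE_COUNTS, z_threshold=3.0):
    """Return sources whose connection count deviates from the historical trend.

    The deviation is measured as a z-score against the baseline's mean and
    population standard deviation; a zero-variance baseline is treated as a
    tiny variance so that any deviation is still reported.
    """
    mu, sigma = mean(baseline), pstdev(baseline) or 1e-9
    counts = Counter(flow.src for flow in flows)
    return sorted(src for src, n in counts.items() if (n - mu) / sigma > z_threshold)


if __name__ == "__main__":
    print("signature hits:", knowledge_based(SAMPLE_FLOWS))
    print("behavioural anomalies:", behaviour_based(SAMPLE_FLOWS))
```

The port-sweeping source is caught only by the behavioural check, and the signature hit is caught only by the knowledge-based check, which is why the slide presents the two as complementary rather than alternatives.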

9

Creating Network Segments

- Used to separate the perimeter network into separate networks based on content & use
- Enables network security devices to be implemented at the boundaries between network segments, allowing more control over network traffic
- Methods used to segment the perimeter network include VLANs & routers with access control lists
- Ways to separate the perimeter network architecture include:
  - segmenting the network based on the function and location of the resources within each segment, e.g. a DMZ with web and mail servers
  - segmenting the network based on the services the resources within each segment provide
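The firewall slides (control point between zones, default deny, logging, stateful inspection) and the segmentation slide above describe one policy model: traffic is classified into security zones and only explicitly permitted zone-to-zone flows pass. The following Python models that policy as a small zone-based packet filter. It is an added example, not course or vendor code; the zone names, RFC 5737 addresses, and the rule list are constructed, and it simulates the decision logic rather than configuring any real device.

```python
"""Zone-based, default-deny firewall policy with connection tracking and a decision log.

Added example; zones, addresses and rules are constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


# Constructed security zones. The most specific prefix wins, so "internet" is the catch-all.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),            # public web/mail servers
    "management": ipaddress.ip_network("198.51.100.0/24"),  # admin hosts
    "internet": ipaddress.ip_network("0.0.0.0/0"),
}

# Explicit permits only; anything not listed falls through to the default deny.
# Note there is no rule into "management" from the DMZ or the Internet.
POLICY = [
    Rule("internet", "dmz", "tcp", 80, "allow"),
    Rule("internet", "dmz", "tcp", 443, "allow"),
    Rule("internet", "dmz", "tcp", 25, "allow"),
    Rule("management", "dmz", "tcp", 22, "allow"),
]


class Firewall:
    def __init__(self, zones=ZONES, policy=POLICY):
        self.zones = zones
        self.policy = policy
        self.state = set()   # 5-tuples of permitted connections, used to pass return traffic
        self.log = []        # one line per decision, for traffic analysis and forensics

    def zone_of(self, ip: str) -> str:
        """Classify an address by longest matching zone prefix."""
        addr = ipaddress.ip_address(ip)
        matches = [(net.prefixlen, name) for name, net in self.zones.items() if addr in net]
        return max(matches)[1] if matches else "unknown"

    def evaluate(self, pkt: Packet) -> str:
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Stateful inspection: replies to an already-permitted connection need no rule.
        if reverse in self.state:
            return self._decide(pkt, "allow", "established")
        src_zone, dst_zone = self.zone_of(pkt.src), self.zone_of(pkt.dst)
        for rule in self.policy:
            if (rule.src_zone, rule.dst_zone, rule.proto) == (src_zone, dst_zone, pkt.proto) \
                    and rule.dport in (None, pkt.dport):
                if rule.action == "allow":
                    self.state.add(key)
                return self._decide(pkt, rule.action, f"rule {src_zone}->{dst_zone}:{rule.dport}")
        return self._decide(pkt, "deny", "default-deny")

    def _decide(self, pkt: Packet, action: str, reason: str) -> str:
        self.log.append(f"{action.upper()} {pkt.proto} {pkt.src}:{pkt.sport} -> "
                        f"{pkt.dst}:{pkt.dport} ({reason})")
        return action


if __name__ == "__main__":
    fw = Firewall()
    fw.evaluate(Packet("203.0.113.7", 51000, "192.0.2.10", 443))   # Internet -> DMZ web: allow
    fw.evaluate(Packet("192.0.2.10", 443, "203.0.113.7", 51000))   # reply: allow via state
    fw.evaluate(Packet("192.0.2.10", 40000, "198.51.100.5", 22))   # DMZ -> management: deny
    print("\n".join(fw.log))
```

The log shows why the slide pairs policy enforcement with logging: every default-deny entry is a record of traffic that no rule anticipated, which is exactly the material later traffic analysis and forensics work from. The absence of any rule into the management zone is the segmentation point from slide 9 expressed as policy: a compromised DMZ host gets the same default deny as an Internet host.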

10


Designing an Internet Access Network

• Considerations when Designing Internet Access Network

• Designing Logical & Physical Networks

11

Considerations when Designing Internet Access Network

- Based on top-down network design: first collect the requirements
- Requirements are generally broken down into two types, business & technical
- Results are displayed in Table 10.1 of the textbook

12


13


14


Logical & Physical Network Design for Internet Access Network

- Logical design is displayed in Figure 10.2 in textbook

- Physical design is displayed in Figure 10.3 in textbook

15


16


17


Designing Internet Application Networks

• Considerations when Designing Internet Application Networks

• Logical & Physical Network Design

18

Considerations when Designing Internet Application Networks

- A similar top-down network design approach is required as for the Internet Access Network
- Results are displayed in Table 10.2 of the textbook

19


20


Logical & Physical Network Design for Internet Application Network

- Logical design is displayed in Figure 10.4 in textbook

- Physical design is displayed in Figure 10.5 in textbook

21


22


23


Designing VPN & Remote Access Termination Networks

• Considerations when Designing VPN & Remote Access Termination Networks

• Logical & Physical Network Design

24

Considerations when Designing VPN & Remote Access Termination Networks

- A similar top-down network design approach is required as for the Internet Access Network & Internet Application Network
- Results are displayed in Table 10.3 of the textbook

25


26


Logical & Physical Network Design for VPN & Remote Access Termination Network

- Logical design is displayed in Figure 10.6 in textbook

- Physical design is displayed in Figure 10.7 in textbook

27


28


29
