Page 1

CPE5021 Advanced Network Security
---Network Security and Performance---
Lecture 9

Page 2

CPE5002 - Advanced Network Security

Outline

- Firewalls and Load Balancing
- VPN and Network Performance
- NAT and Load Balancing
- Network Security Architecture

Page 3

Firewalls and Load Balancing

Nowadays most networks have at least one or two firewalls (packet filtering and proxy firewalls).

Most networks provide mail and web services and have proxy firewalls that have to inspect several fields of every packet.

Current firewalls are designed to protect networks effectively against intrusions. However, they limit performance and scalability.

They are also often single points of failure and hence can reduce network availability.

Page 4

Why Firewalls Introduce Problems: Examples

Firewalls can be software-based products installed on a machine with two or three network interface cards (NICs).
- One NIC connects the enterprise network to the public network (NIC---Router---Internet).
- The second NIC is connected to the non-DMZ part of the corporate network.
- The third NIC, if there is one, is connected to the DMZ.

Because firewalls are deployed in the data path, through which all packets go, they can limit network performance and scalability.

Firewalls can slow communications by having to process every packet. E.g.: proxy firewalls.

Firewalls make upgrading other servers difficult. E.g.: firewalls with VPN; firewalls with routers.

Page 5

Firewalls with 3 NICs: Example

[Diagram: a firewall host with three NICs; one NIC to the Internet via a router, one NIC to the DMZ, one NIC to the non-DMZ network]

Page 6

Solutions

Some sophisticated application devices, such as specialised advanced switches (called Application Switches, e.g. Alteon AS, Alteon Web Switch), can reduce the problems caused by firewalls. Those switches are built with SSL features and act as load balancers.

Application switches support Layer 4 and higher-layer switching and processing functionality, and can maintain the state of individual TCP sessions.

Vendors are also looking, beyond SSL, to integrate security features such as DoS prevention, malicious URL blocking, and application-layer firewalling into their switches.

Page 7

Solutions (e.g.)

- Cisco provides the L4-L7 switch/load balancer without SSL.
- Nortel provides the L4-L7 switch/load balancer without SSL.
- F5 Networks provides SSL-enabled L4-L7 switches and load balancers.
- Cisco Catalysts with SSL service modules.
- Cisco firewall/VPN/load balancer series.

Page 8

Firewalls and Net Device for Load Balancing (e.g.)

[Diagram: Internet at the top, a row of load balancers (four shown) in the middle, Private Network at the bottom]

Page 9

Firewalls and Load Balancers

Most load balancers can provide both packet filtering and packet inspection.

Load balancers can be set up so that only desired TCP/UDP ports are load-balanced. E.g.: we can set up TCP port 80 for Web traffic, which provides the packet filtering functionality.

Load balancers do most of their work at the network level; therefore they can keep TCP state information and make decisions based on state.
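The port-restricted, state-tracking behaviour this slide describes, as an added example that is not from the lecture: a small Python model of an L4 load balancer that forwards only configured TCP ports, refuses segments with no known flow, and pins each flow to one backend. The backend names, client addresses and traffic are constructed.

```python
from dataclasses import dataclass
from itertools import cycle

FIN, SYN, RST, ACK = 0x01, 0x02, 0x04, 0x10  # TCP header flag bits


@dataclass(frozen=True)
class Packet:
    """Constructed stand-in for the header fields an L4 device inspects."""
    src: str    # client IP
    sport: int  # client source port
    dport: int  # destination port on the virtual server
    flags: int  # TCP flags


class L4Balancer:
    """Balances only the configured TCP ports and keeps per-flow TCP state."""

    def __init__(self, backends, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self._next = cycle(list(backends))  # round-robin backend selection
        self.flows = {}  # (src, sport, dport) -> [backend, state]

    def handle(self, pkt):
        """Return the backend the packet is forwarded to, or 'DROP'."""
        # Packet filtering: ports that are not load-balanced are never forwarded.
        if pkt.dport not in self.allowed_ports:
            return "DROP"
        key = (pkt.src, pkt.sport, pkt.dport)
        flow = self.flows.get(key)
        if flow is None:
            # Only a bare SYN may open a flow; a segment with no known flow
            # (e.g. a stray ACK) is dropped. This is the state-based decision.
            if pkt.flags & SYN and not pkt.flags & ACK:
                backend = next(self._next)
                self.flows[key] = [backend, "SYN_SEEN"]
                return backend
            return "DROP"
        backend, state = flow
        if pkt.flags & RST:
            del self.flows[key]  # peer aborted: forget the flow
            return backend
        if state == "SYN_SEEN" and pkt.flags & ACK:
            flow[1] = "ESTABLISHED"
        if pkt.flags & FIN:
            flow[1] = "CLOSING"  # entry would expire once the close completes
        return backend  # stickiness: the whole flow goes to one backend


def run_demo():
    """Constructed traffic: two HTTP clients, a stray ACK and a telnet attempt."""
    lb = L4Balancer(["web1", "web2"], {80})
    traffic = [
        Packet("10.0.0.5", 40000, 80, SYN),        # new flow -> web1
        Packet("10.0.0.6", 40001, 80, SYN),        # new flow -> web2
        Packet("10.0.0.5", 40000, 80, ACK),        # same flow stays on web1
        Packet("10.0.0.7", 40002, 80, ACK),        # no SYN seen -> DROP
        Packet("10.0.0.5", 40000, 23, SYN),        # port 23 not balanced -> DROP
        Packet("10.0.0.6", 40001, 80, FIN | ACK),  # close on web2
    ]
    return [lb.handle(p) for p in traffic]
```

A real device would also age out idle and closing flows and check sequence numbers; the model keeps only the two decisions the slide names, port filtering and state-based forwarding.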

Page 10

VPN and Load Balancing

How do you improve the performance of your network if it provides VPN service?
- A VPN server separated from firewalls.
- A VPN server integrated with a firewall.

Page 11

VPN, Firewall and Load Balancer (e.g.)

Symantec Firewall/VPN 200 Appliance
Features:
- 8 x 10/100 Mbps LAN
- 2 x 10 Mbps WAN
- High availability
- Load balancing on 2 WAN ports

The Symantec Firewall/VPN Appliance is both a firewall and a VPN solution for efficient and secure Internet connectivity for small businesses.

A small business computer system can use gateway-to-gateway IPSec to connect to other networks, and remote users can access their company's network via client-to-gateway IPSec VPN.

Page 12

VPN, Firewall and Load Balancer (e.g.)

HotBrick Load Balancer LB-2 (2 x WAN, 4 x LAN)
- Its 2 x 10/100 Mbps WAN ports allow high-speed access with NAPT support.
- It enables port mapping of a pool of public IP addresses.
- Provides a dynamic DNS feature for mapping dynamic addresses to virtual servers within the LAN.
- Also provides the option to double network speed with a failover feature, along with firewall features such as URL and ICMP filtering, DoS attack prevention, stateful packet inspection and group access control.

Page 13

VPN, Firewall and Load Balancer (e.g.)

HotBrick Firewall VPN 1200/2 (2 x WAN, 12 x LAN)
- a firewall,
- a VPN server,
- a router,
- a load balancer,
- can support up to 88 Mbps of throughput and 5000 concurrent IP sessions.
- The VPN server allows 20 VPN end-points plus compatibility with RADIUS.

Page 14

NAT and Load Balancing

How do we improve network performance using load balancing associated with:
- A NAT box behind a firewall.
- A NAT box behind a VPN server.
- A NAT box in parallel with a VPN server.

Page 15

NAT and VPN and Load Balancing

[Diagram: borrowed from Cisco]

Page 16

Network Security Architectures

Network Security Architecture (NSA) is very important for any medium and large network. A good architecture will not only save a company money but also provide an adequate level of security and survive attacks. A guideline for a good NSA should at least include:

1. Dynamic cryptosystems.
2. Structures for adapting to new protocols.
3. Structures for full authentication of all network elements, including devices, software, protocols, users, servers, subnets, etc.
4. Structures for trusted computing systems.
5. Structures to support load balancing, availability and scalability.

Page 17

NSA: Dynamic Cryptosystems

- A secure network needs to support many different cryptosystems.
- Cryptography is evolving quickly with quantum computing and ECC theory. How will your NSA live with such evolution if your system has many traditional crypto algorithms?
- Future networks will be wireless communications that require different technologies, and hence future networks have to be able to support many different cryptosystems. If your NSA will support more wireless, then what should it look like when you create it now?
- More powerful computers and network devices will be produced in the near future, and this will put a strong demand on strong authentication and cryptosystems. What if your corporation does not have a very powerful computer but the others do?

Page 18

NSA: Adaptation of New Protocols

Many new voice, video, and other newly formed applications will be integrated into networks, especially the Internet; hence current crypto and authentication systems will need to be upgraded.

How can your NSA adapt to a new protocol that may pose a threat to your organisation?
- ICR
- H323 (http://www.protocols.com/pbook/h323.htm)
- VoIP
- Etc.

Page 19

NSA: A Structure for Trusted Computing Systems

Trusted computing systems exist in most large networks; how do we structure such networks with high security?
- Use digital signatures for verifying software packages, programs, functions.
- Use network auditors to audit and monitor the whole network.
- How do we get all this done automatically?

Page 20

NSA: Load Balancing, Availability and Scalability

When should we think of load balancing, availability and scalability? Before or after we have designed and implemented firewalls, VPNs, NAT boxes, and other network security components?

How will Intelligent Application Network Components fit into the NSA? When and how should the following be done?
- Ensure continuous application availability with Layer 4 to Layer 7 load balancing?
- Tune application infrastructure with Layer 7 content switching?
- Optimise multi-site load distribution using current Global Server Load Balancing?
- Enhance application performance for Web and non-Web applications?
- Deliver increased application performance while reducing server workload?
- Accelerate secure application delivery with SSL/IPSec?