Network Perimeter Security
Presentation Transcript

  1. Network Perimeter Security Yu Wang

  2. Main Topics
  • Border Router
  • Firewall
  • IPS/IDS
  • VLAN
  • SPAM
  • AAA
  • Q/A

  3. Border Router
  • Gate to the Internet
  • First and last line of defense
  • Role of a router
    • Designed to route packets
    • Operates primarily on layer 3
    • Able to filter packets using an Access Control List
    • Limited as a network security control

  4. Router ACL
  • Standard ACL (layer 3)
    • access-list 1 permit 168.223.0.0 0.0.255.255
    • access-list 2 deny 192.168.0.0 0.0.0.255
  • Extended ACL (layer 3, 4)
    • access-list 101 permit tcp 168.223.0.0 0.0.255.255 host 128.186.6.14 eq www
    • access-list 101 deny tcp 192.168.0.0 0.0.0.255 any log
    • access-list 101 deny ip any any
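The extended ACL on this slide is evaluated top-down: the first matching entry wins, wildcard masks treat 1 bits as "don't care", and a packet that matches nothing is dropped by the implicit deny at the end of every Cisco ACL. The following evaluator is an added example (not from the slides or from Cisco) that parses the three entries of access-list 101 as constructed sample input and shows which entry a given packet hits; the PORT_NAMES table and the packet tuples are assumptions made for the demo.

```python
import ipaddress

# Constructed sample input: the three entries of access-list 101 from the slide.
ACL_101 = [
    "access-list 101 permit tcp 168.223.0.0 0.0.255.255 host 128.186.6.14 eq www",
    "access-list 101 deny tcp 192.168.0.0 0.0.0.255 any log",
    "access-list 101 deny ip any any",
]
PORT_NAMES = {"www": 80, "ssh": 22, "smtp": 25, "domain": 53}  # assumed subset of Cisco names

def wildcard_match(addr, network, wildcard):
    """Cisco wildcard mask: a 1 bit means 'don't care', a 0 bit must match exactly."""
    a, n, w = (int(ipaddress.IPv4Address(x)) for x in (addr, network, wildcard))
    return (a & ~w) == (n & ~w)

def parse_addr(t, i):
    """Consume one address spec ('any', 'host X' or 'X wildcard'); return ((net, wc), next i)."""
    if t[i] == "any":
        return ("0.0.0.0", "255.255.255.255"), i + 1
    if t[i] == "host":
        return (t[i + 1], "0.0.0.0"), i + 2
    return (t[i], t[i + 1]), i + 2

def parse_port(t, i):
    """Consume an optional 'eq <port>' qualifier; None means any port."""
    if i < len(t) and t[i] == "eq":
        p = t[i + 1]
        return (int(p) if p.isdigit() else PORT_NAMES[p]), i + 2
    return None, i

def parse_rule(line):
    # access-list <n> <permit|deny> <proto> <src> [eq p] <dst> [eq p] [log]
    t = line.split()
    src, i = parse_addr(t, 4)
    sport, i = parse_port(t, i)
    dst, i = parse_addr(t, i)
    dport, i = parse_port(t, i)
    return {"action": t[2], "proto": t[3], "src": src, "sport": sport,
            "dst": dst, "dport": dport, "log": "log" in t[i:]}

def evaluate(acl_lines, proto, src, sport, dst, dport):
    """Return (action, matching entry number, log flag). Entries are tested in order and
    the first match wins; no match falls through to the implicit 'deny ip any any'."""
    for n, r in enumerate(map(parse_rule, acl_lines), 1):
        if r["proto"] not in ("ip", proto):
            continue
        if not (wildcard_match(src, *r["src"]) and wildcard_match(dst, *r["dst"])):
            continue
        if r["sport"] not in (None, sport) or r["dport"] not in (None, dport):
            continue
        return r["action"], n, r["log"]
    return "deny", None, False
```

Note that HTTPS to the same host (port 443) is dropped by entry 3, not entry 1: "eq www" matches port 80 only, so every service you intend to expose needs its own permit line.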

  5. Firewall
  • What is a firewall
    • A network device designed to filter packets
    • A software application developed to do the same function
  • A firewall operates on layers 3 – 7
  • A firewall is stateful
    • If a packet is allowed to pass, an entry is added to the state table

  6. TCP States

  7. TCP States

  8. Firewall Stateful Operations
  • State Table
    • TCP out 67.76.135.17:26944 in 128.186.120.4:993 idle 23:27:42 bytes 333091 flags UfFIOB
    • TCP out 71.229.26.75:60849 in 128.186.120.56:22 idle 2:26:47 bytes 2074496 flags UIOB
    • ICMP out 192.168.25.15:512 in 128.186.120.179:0 idle 0:00:00 bytes 2048
    • UDP out 64.70.24.76:53 in 128.186.120.179:1110 idle 0:00:00 flags –
  • Stateful filtering – layer 4 and lower
  • Stateful inspection – all layers

  9. Firewall Product Examples
  • Hardware firewall
    • CISCO PIX firewall
    • Home router firewall
  • Software firewall
    • Iptables – Linux
    • Ipfilter – Solaris
    • Windows XP

  10. IPS/IDS
  • Intrusion Prevention/Detection System
  • A firewall is good at packet filtering but weak at layer 7 inspection
  • IPS/IDS operates on layers 2-7
  • IPS can do application protection, performance protection, and infrastructure protection
  • It uses specially designed network devices and a database of known attack signatures

  11. IPS/IDS
  • IPS examples
    • TippingPoint UnityOne IPS
      • Uses “Digital Vaccine” to effectively block viruses/worms, spyware, phishing, P2P, DDoS
      • Does not replace the firewall

  12. IPS/IDS
  • IPS examples
    • Packeteer Traffic Shaper
      • Guarantees bandwidth availability for legitimate network traffic
      • Controls malicious network traffic
      • Better use of existing bandwidth

  13. IPS/IDS
  • IPS examples
    • CISCO ASA
      • Uses a modular approach
      • Simplifies configuration and management

  14. IPS/IDS
  • IDS examples
    • Snort
      • An open source solution
      • Low-budget system suitable for the organizational unit level
      • Runs on UNIX, Linux, Windows
      • Slower compared to ASA, TippingPoint
      • More flexible compared to ASA, TippingPoint

  15. VLAN
  • A Virtual LAN is used for resource separation
  • Divides a physical network into multiple virtual networks
  • Network traffic in one VLAN won’t reach another VLAN by default
  • Inter-VLAN traffic must go through a router, where an ACL can be used to filter unwanted flows

  16. SPAM Solution
  • SPAM and Email virus
    • Email is one of the most important network services. SPAM has become a big issue for many organizations
    • Many commercial SPAM filtering software packages are available
    • We use GFI mailessential and GFI mailsecurity
      • RBL checking, Header checking, Message body checking
      • Virus checking, Phishing checking
    • Also use Spamassassin, procmail, clamav
    • Tumbleweed Mail Email Firewall (MMS)
      • Automatic quarantine and user release/deletion function

  17. AAA
  • Authentication
    • Use strong authentication methods
    • Kerberos, SSH, PKI
  • Authorization
    • Define access control
    • Harden network resources (servers)
    • Separate vulnerable servers from the rest of the network (DMZ)
  • Auditing
    • Central log server
    • Log analyzer/watcher

  18. Questions