
Network Topology


jara


Presentation Transcript


  1. Network Topology
  How topology decisions affect speed/availability/security/cost/etc.

  2. Metrics for judging network design
  • Cost
    • $$$
    • Bandwidth
    • Maintenance hours
    • Clock cycles
    • Electricity
    • Space
    • Cooling requirements
    • Others ...
  • Security
    • Confidentiality
    • Integrity
    • Availability
    • Authenticity
    • Non-repudiation
  Biggest design trade-off: Availability vs. Confidentiality

  3. Dynamic vs. static addressing
  * Recommended settings: All workstations dynamic, all servers static.
  • Dynamic addresses:
    • Allow machines to be easily added and removed
    • Simplifies management, reduces errors
  • Static addresses:
    • Must/should be used for some servers
    • Reduces traffic for other servers (e.g. arp queries, DNS lookups)
    • Can be set in /etc/network/interfaces file
  [Diagram: recommended addressing per device]
    Workstation      Dynamic
    Gateway Router   Static
    DHCP server      Static
    DNS server       Static
    Fileserver       Either (Static recommended. Dynamic possible with discovery/DNS.)
    Webserver        Either (Static recommended. Dynamic possible with DNS.)
    Mailserver       Either (Static recommended. Dynamic possible with DNS.)

  4. Network “Attack Surface”
  * Each available port is theoretically open to attack
  [Diagram: Router w/o NAT; ISP/Internet, router IP 5.5.5.5, Switch]
    Webserver    IP: 5.5.5.100  Ports: 1-65535
    DNS server   IP: 5.5.5.101  Ports: 1-65535
    Workstation  IP: 5.5.5.102  Ports: 1-65535
  [Diagram: Router w/ NAT; ISP/Internet, router IP 5.5.5.5, Switch]
    Webserver    IP: 5.5.5.100  Ports: 80, 443
    DNS server   IP: 5.5.5.101  Port: 53
    Workstation  IP: 5.5.5.102  Ports: None

  5. Basic Network Attacks: “Front door” vs. “Back door”
  • “Front door” attack originates from outside the network. Assume that the only open port on the router is 80, which goes to webserver
    • Attacker finds an exploitable bug in the webserver.
    • Attacker sends a packet that contains code that creates a shell between attacker and webserver
    • Attacker uses the shell to “pivot”* to the workstation and fileserver
  [Diagram: ISP/Internet, Router w/ NAT, Switch, Webserver, Fileserver, Workstation]
  * “Pivot” – to attack a device and gain a foothold (e.g. a shell) then use that foothold to attack other visible devices (ssh/telnet/metasploit/etc.).

  6. Basic Network Attacks: “Front door” vs. “Back door”
  • “Back door” attack originates from inside the network.
    • Attacker sends an email with a malicious attachment
    • A workstation user clicks the attachment and runs the code
    • The code opens a connection to the hacker
    • The hacker now has a shell on the workstation and can install more software or pivot to other machines
  [Diagram: ISP/Internet, Router w/ NAT, Switch, Webserver, Fileserver, Workstation]

  7. Most basic topology
  * All servers & workstations in the ISP’s subnet
  * All IPs are visible to Internet
  • PRO:
    • All IPs are easily accessible from anywhere in the world (Maximum Availability)
    • Low hardware costs
  • CON:
    • All IPs are easily accessible from anywhere in the world (Minimum Confidentiality)
    • Can access every port on every IP remotely
    • Very large attack surface
    • Cost of buying one IP address for each device
  [Diagram: ISP/Internet, Router w/o NAT, Switch, Webserver, Fileserver, WAP*, three Workstations]
  * (WAP) Wireless Access Point

  8. Adding NAT
  * All servers & workstations in a single private subnet
  * Subnet IPs are hidden from Internet
  * The subnet appears as a single IP address for the router
  • PRO:
    • Much smaller attack surface than previous slide
    • Only a few IP/port pairs are accessible through router
  • CON:
    • All IPs are in the same subnet. An attacker who pwns one box can pivot to the others.
  [Diagram: ISP/Internet, Router w/ NAT, Switch, Webserver, Fileserver, WAP, three Workstations]

  9. Multiple isolated networks
  * Public servers are in blue subnet
  * Private servers & workstations are in green subnet
  • PRO:
    • An attack against one network will not grant access to the other
  • CON:
    • Extra Internet IP address is required
    • Extra routers, switches, licenses, etc. are required
    • Maintenance-intensive
    • Difficult to give special privileges on bluenet from greennet machines
  [Diagram: ISP/Internet; blue subnet: Router w/ NAT, Switch, Webserver; green subnet: Router w/ NAT, Switch, WAP, Fileserver, three Workstations]

  10. One network with a DMZ
  * Public servers are in blue subnet
  * Private servers & workstations are in green subnet
  • PRO:
    • An attack against the public webserver will not grant access to workstations or the private fileserver
  • CON:
    • An extra router is required
    • “Double-NATing” of green subnet
    • Complexity increases chance of misconfigurations
    • Fileserver no longer available from outside LAN
    • WAP is a big target for attacks – will allow attacker to pivot to fileserver or workstations
  [Diagram: ISP/Internet, Router w/ NAT, Switch, Webserver (blue); second Router w/ NAT, Switch, WAP, Fileserver, three Workstations (green)]

  11. Moving WAP to DMZ
  * Wireless devices can now only connect to the public (blue) subnet
  • PRO:
    • An attacker can no longer access the private fileserver after attacking the WAP (Confidentiality UP)
  • CON:
    • Mobile users no longer have access to the private fileserver (Availability DOWN)
    • Attacker can still pivot from WAP to webserver
  [Diagram: ISP/Internet, Router w/ NAT, Switch, Webserver, WAP (blue); second Router w/ NAT, Switch, Fileserver, three Workstations (green)]

  12. Single router with multiple subnets
  * WAP is moved to its own (purple) subnet
  • PRO:
    • Increased separation of devices makes it difficult for attacker to pivot
    • Fewer routers
  • CON:
    • More complex & expensive router required
    • Router rules are more complex, easier to misconfigure
  [Diagram: ISP/Internet, one Router w/ NAT serving Webserver (blue), WAP (purple), and Switch, Fileserver, three Workstations (green)]
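The attack-surface count from slide 4 and the pivot reach of the single-subnet, DMZ and three-subnet designs (slides 8, 11 and 12) can be checked with a small model. This is an added example, not part of the slides; the IPs and ports are the constructed values from slide 4 and the route rule (green may initiate to blue, nothing initiates into green, purple is isolated) is an assumption made for the illustration.

```python
# Added example, not from the slides: a model of the topologies on slides 4 and 8-12
# that counts the (host, port) pairs exposed to the Internet and the hosts an
# attacker can pivot to after gaining a shell. IPs/ports are the constructed
# values from slide 4; subnet names (green/blue/purple) follow the slides.

SLIDE4_HOSTS = {"Webserver": "5.5.5.100", "DNS server": "5.5.5.101", "Workstation": "5.5.5.102"}

# Router w/ NAT: public port -> (internal host, internal port). Nothing else is forwarded.
NAT_FORWARDS = {80: ("Webserver", 80), 443: ("Webserver", 443), 53: ("DNS server", 53)}

# Subnet of each host for the single-subnet (slide 8), WAP-in-DMZ (slide 11)
# and three-subnet single-router (slide 12) designs.
FLAT = {h: "green" for h in ("Webserver", "DNS server", "Fileserver", "Workstation", "WAP")}
DMZ = {"Webserver": "blue", "DNS server": "blue", "WAP": "blue",
       "Fileserver": "green", "Workstation": "green"}
THREE_SUBNETS = {**DMZ, "WAP": "purple"}

# Assumed router rules: green hosts may open connections to blue services;
# nothing may initiate into green, and purple is isolated from everything.
ROUTES = {"green": {"blue"}}


def exposed_pairs(hosts, nat_forwards=None):
    """(host, port) pairs reachable from the Internet. None models the router
    w/o NAT: every host with all 65535 ports. With NAT, only forwarded pairs."""
    if nat_forwards is None:
        return {(h, p) for h in hosts for p in range(1, 65536)}
    return set(nat_forwards.values())


def pivot_targets(subnet_of, compromised, routes):
    """Hosts reachable from a shell on `compromised`: everything in its own
    subnet plus every subnet the router routes to from there."""
    src = subnet_of[compromised]
    reachable = {src} | routes.get(src, set())
    return {h for h, s in subnet_of.items() if h != compromised and s in reachable}


def compare():
    """Attack-surface and pivot numbers side by side for the three designs."""
    out = {"exposed_without_nat": len(exposed_pairs(SLIDE4_HOSTS)),
           "exposed_with_nat": len(exposed_pairs(SLIDE4_HOSTS, NAT_FORWARDS))}
    for name, topo in (("flat", FLAT), ("dmz", DMZ), ("three_subnets", THREE_SUBNETS)):
        for foothold in ("Webserver", "WAP", "Workstation"):  # front door, WAP, back door
            out[f"{name}:{foothold}"] = len(pivot_targets(topo, foothold, ROUTES))
    return out


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:28} {v}")
```

Note that the back-door foothold (Workstation) still reaches the blue servers in every design, because the workstations must be allowed to use them; segmentation limits the front-door and WAP pivots, not the inside-out one.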

  13. How many server applications per physical server?
  [Diagram: five separate boxes (Webserver, Fileserver, DNS, DHCP, FTP) vs. one box running Webserver, Fileserver, DNS, DHCP, FTP]
  One application per physical server
  • PRO:
    • Can buy smaller servers for each task
    • Can put servers in different subnets
    • Security:
      • Only 2-3 ports open per machine
      • Much easier to find attacks in logfiles & create firewall rules
      • A successful attack against one service does not grant control over all services
  All applications on one physical server
  • PRO:
    • Fewer physical servers to buy & maintain
    • Reduced cost, space, electrical req.
    • Security:
      • Only one box to patch
      • Fewer passwords to forget

  14. Initial plan for class networks
  * Each group of 4 will build the following:
  • Bluenet:
    • Public – services available to other groups
  • Greennet:
    • Private – services available only to user workstations
  [Diagram: SI455 internet, Router w/ NAT, Switch, Webserver, Email server, DNS, FTP (bluenet); Router w/ NAT, Switch, Authentication Server, DHCP, Fileserver, four Workstations (greennet)]
