
Securing an Extranet


Presentation Transcript


  1. Securing an Extranet
  • Identifying Common Firewall Strategies
  • Securing Internet-Accessible Resources in a Demilitarized Zone (DMZ)
  • Securing Data Flow Through a DMZ

  2. Identifying Common Firewall Strategies
  • Identifying firewall features to protect the extranet
  • Comparing DMZ configurations

  3. Firewall Overview

  4. Firewall Services
  • Network Address Translation (NAT)
  • Packet filtering
  • Static address mapping
  • Stateful inspection of network traffic
  • Advanced features

  5. Protecting Private Network Addressing with NAT

  6. Private Network Addressing
  • RFC 1918 reserves three ranges of IP addresses for private network addressing:
    • 10.0.0.0 – 10.255.255.255 (10.0.0.0/8)
    • 172.16.0.0 – 172.31.255.255 (172.16.0.0/12)
    • 192.168.0.0 – 192.168.255.255 (192.168.0.0/16)
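The following is an added example, not code from the presentation: it classifies addresses against the three RFC 1918 ranges of slide 6 and keeps the kind of translation table a NAT firewall uses to hide those addresses behind one public address (slide 5). The public address 131.107.88.2 is the NAT common address the deck assigns to Market Florist in slide 16; the private hosts, remote hosts and port numbers are constructed sample values, and the port-allocation scheme is an assumption about how such a table is kept, not a description of any particular product.

```python
# Added example (not from the presentation): RFC 1918 classification plus a
# minimal port-address-translation table for outbound sessions.
# 131.107.88.2 is the NAT common address from slide 16; every other address
# and port in this file is a constructed sample value.
import ipaddress
from dataclasses import dataclass

# The three private ranges reserved by RFC 1918 (slide 6).
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

NAT_PUBLIC_ADDRESS = "131.107.88.2"  # NAT common address named in slide 16


def is_private(addr: str) -> bool:
    """True if addr lies in one of the RFC 1918 private ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class Nat:
    """Rewrites outbound private sources to NAT_PUBLIC_ADDRESS and maps replies back.

    Only packets that answer an existing outbound session are translated back in;
    anything else addressed to the public address is dropped (returns None).
    """

    def __init__(self, public_ip: str = NAT_PUBLIC_ADDRESS, first_port: int = 40000):
        self.public_ip = public_ip
        self.next_port = first_port  # assumed: public ports handed out sequentially
        # (proto, private_ip, private_port, dst_ip, dst_port) -> public_port
        self.outbound = {}
        # (proto, public_port, remote_ip, remote_port) -> (private_ip, private_port)
        self.inbound = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Replace a private source with the public address and a per-session port."""
        if not is_private(pkt.src_ip):
            raise ValueError(f"{pkt.src_ip} is not an RFC 1918 address; NAT not applied")
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key not in self.outbound:
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[key] = pub_port
            self.inbound[(pkt.proto, pub_port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
        return Packet(self.public_ip, self.outbound[key], pkt.dst_ip, pkt.dst_port, pkt.proto)

    def translate_inbound(self, pkt: Packet):
        """Return the packet re-addressed to the private host, or None if unsolicited."""
        key = (pkt.proto, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if pkt.dst_ip != self.public_ip or key not in self.inbound:
            return None  # no session opened this port: drop
        priv_ip, priv_port = self.inbound[key]
        return Packet(pkt.src_ip, pkt.src_port, priv_ip, priv_port, pkt.proto)


if __name__ == "__main__":
    nat = Nat()
    out = nat.translate_outbound(Packet("192.168.1.10", 51000, "198.51.100.7", 80))
    print("outbound as seen on the Internet:", out)
    print("reply mapped back:", nat.translate_inbound(Packet("198.51.100.7", 80, out.src_ip, out.src_port)))
    print("unsolicited packet:", nat.translate_inbound(Packet("198.51.100.7", 80, out.src_ip, 40001)))
```

The point the table makes is that the private address never leaves the network, and that an inbound packet is only forwarded when it matches a mapping created by an earlier outbound packet; an address outside RFC 1918 space is refused translation rather than silently passed.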

  7. Packet Filters

  8. Typical Packet Filter Fields
  • Source address
  • Source port
  • Destination address
  • Destination port
  • Protocol
  • Action

  9. Port Numbers
  • To determine what ports are used by specific services and applications, view the Services text file in the systemroot\system32\drivers\etc folder.
  • To view a listing of well-known port numbers, go to www.isi.edu/in-notes/iana/assignments/port-numbers.

  10. Mirroring Packet Filters

  11. Firewall Strategies
  • Choose one of the following typical firewall strategies, based on the organization's risk level:
    • Specify allowed protocols and prohibit everything else.
    • Specify prohibited protocols and allow everything else.
  • Higher security networks specify the allowed protocols and prohibit everything else.

  12. Static Address Mapping

  13. Stateful Inspection
  • Simple packet filters might not provide enough security.
  • Packet filters define which ports are left open at the firewall to redirect network traffic to Internet-accessible resources.
  • Many protocols use random ports above port 1024 at the client computer side.
  • Stateful inspection allows the firewall to inspect and open the ports used for an initial connection and then close them when the connection is terminated.
  • If any suspect ports are requested, the firewall can recognize the attack and drop the connection.
  • Stateful inspection allows firewall rules to be established so that User Datagram Protocol (UDP)-based protocols (such as SNMP) can pass through successfully.

  14. Advanced Techniques
  • Configuring time-out tolerance
    • Allows the firewall to disconnect sessions before the synchronize (SYN) queue overflows
    • Impedes SYN flood attacks, which attempt to lock up the firewall and prevent further connections by flooding it with incomplete Transmission Control Protocol (TCP) sessions
  • Content scanning
    • Allows the firewall to inspect the commands transmitted within a session
    • Can also scan all incoming content for known virus signatures

  15. Making the Decision: Designing Firewall Features
  • NAT
  • Packet filters
  • Static address mapping
  • Stateful inspection
  • Time-out tolerances
  • Content scanning

  16. Applying the Decision: Designing the Market Florists Firewall
  • NAT
    • The private network client computers require access to the Internet.
    • All outgoing IP addresses will be replaced with the NAT common address (client.marketflorist.tld IP address: 131.107.88.2).
  • Packet filters
    • Packet filtering must be defined to allow only the authorized protocols to connect to each network resource.
    • Several protocols are allowed to enter the extranet for each Market Florist server.

  17. Applying the Decision: Designing the Market Florists Firewall (Cont.)
  • Static address mapping
    • www.marketflorist.tld
    • ftp.marketflorist.tld
    • mail.marketflorist.tld
    • vpn.marketflorist.tld
  • Stateful inspection
    • Flower Power uses UDP as its transport protocol.
    • UDP-based applications do not establish sessions.
    • Stateful inspection ensures that the Flower Power connections are not hijacked.
    • Stateful inspection ensures that all response packets use the same IP addresses and UDP ports that were used by the initial request packets.
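The following is an added example, not code from the presentation: it shows the stateful treatment of a sessionless UDP application described in slides 13 and 17, where the firewall records the 4-tuple of each outbound request and admits an inbound datagram only when it is the matching reply, then forgets the pseudo-session after an idle period. The application port 5000, the internal and remote addresses, and the 30-second idle time-out are constructed assumptions; the deck names no port or time-out for Flower Power.

```python
# Added example (not from the presentation): a stateful filter for a sessionless
# UDP application, in the spirit of slides 13 and 17. Port 5000, the addresses
# and the idle time-out are constructed assumptions.
from dataclasses import dataclass


@dataclass(frozen=True)
class UdpPacket:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StatefulUdpFilter:
    """Admits inbound UDP only as the reply to a request the firewall already saw.

    A pseudo-session is keyed by the full 4-tuple of the outbound request. A reply
    must come from the same remote address and port, to the same internal address
    and port, before the entry expires; anything else is dropped, which is what
    stops a third party from injecting datagrams into the exchange (slide 17).
    """

    def __init__(self, allowed_dst_ports, idle_timeout: float = 30.0):
        self.allowed_dst_ports = set(allowed_dst_ports)  # packet-filter part: which services may be reached
        self.idle_timeout = idle_timeout                  # assumed idle period after which the entry is closed
        self.sessions = {}  # (int_ip, int_port, ext_ip, ext_port) -> time last seen

    def outbound(self, pkt: UdpPacket, now: float) -> str:
        """Request leaving the protected side: open a pseudo-session if the port is allowed."""
        if pkt.dst_port not in self.allowed_dst_ports:
            return "drop"
        self.sessions[(pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)] = now
        return "accept"

    def inbound(self, pkt: UdpPacket, now: float) -> str:
        """Datagram arriving from outside: accept only if it mirrors a live request."""
        self.expire(now)
        key = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if key not in self.sessions:
            return "drop"  # unsolicited, wrong port, or spoofed source: no matching request
        self.sessions[key] = now  # keep the session alive while replies flow
        return "accept"

    def expire(self, now: float) -> int:
        """Close pseudo-sessions idle for longer than the time-out; returns how many were closed."""
        stale = [k for k, t in self.sessions.items() if now - t > self.idle_timeout]
        for k in stale:
            del self.sessions[k]
        return len(stale)


if __name__ == "__main__":
    fw = StatefulUdpFilter(allowed_dst_ports={5000})
    print(fw.outbound(UdpPacket("10.0.0.5", 49152, "198.51.100.20", 5000), now=0.0))   # accept
    print(fw.inbound(UdpPacket("198.51.100.20", 5000, "10.0.0.5", 49152), now=1.0))    # accept
    print(fw.inbound(UdpPacket("198.51.100.20", 5001, "10.0.0.5", 49152), now=2.0))    # drop
    print(fw.inbound(UdpPacket("203.0.113.9", 5000, "10.0.0.5", 49152), now=2.0))      # drop
    print(fw.inbound(UdpPacket("198.51.100.20", 5000, "10.0.0.5", 49152), now=40.0))   # drop (expired)
```

Because UDP carries no handshake, the only state the firewall can build is the request it observed; the reply check above is exactly the "same IP addresses and UDP ports" condition in slide 17, and the expiry is what closes the port again once the exchange is over (slide 13).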

  18. Applying the Decision: Designing the Market Florists Firewall (Cont.)
  • Time-out tolerance
    • Time-outs disconnect sessions to protect the Web site and other extranet resources from a denial of service attack.
    • Time-out tolerance prevents SYN flooding attacks against the network.
  • Content scanning
    • To prevent uploads of data to the MFFTP server, the firewall should deploy content scanning and prevent all attempts to use the FTP PUT command.
    • This provides greater protection by scanning the File Transfer Protocol (FTP) transmissions for disallowed commands.

  19. Comparing DMZ Configurations
  • It is inadvisable to host Internet-accessible resources within the private network.
  • Place all Internet-accessible resources in a network segment (called a DMZ) between the private network and the public network.
  • Other terms for DMZ are screened subnet and perimeter network.
  • There are three types of DMZ designs: three-pronged firewall, mid-ground, and hybrid (or multizone).
  • A DMZ is part of both the public network and the private network.

  20. A Three-Pronged Firewall DMZ

  21. A Mid-Ground DMZ

  22. A Hybrid DMZ with a Single Firewall

  23. A Hybrid DMZ with Multiple Firewalls

  24. Making the Decision: Choosing Among DMZ Strategies
  • Three-pronged firewall DMZ
  • Mid-ground DMZ
  • Hybrid DMZ

  25. Applying the Decision: Developing a DMZ Strategy for Market Florist

  26. Securing Internet-Accessible Resources in a DMZ
  • Securing Internet Information Server (IIS)
  • Securing other services within the DMZ

  27. Securing Internet Information Server (IIS)
  • The content on a Web server is the most common network resource exposed to the Internet.
  • IIS 5.0, included with Microsoft Windows 2000 Server, allows an organization to host Web sites.
  • Additional configuration is required to fully secure an IIS server when it is exposed to the Internet.

  28. Preventing Attacks Against the Web Servers
  • Change all default account names.
  • Ensure that the Web server is not a member of the same forest as the private network.

  29. Preventing Attacks Against the Web Servers (Cont.)
  • Separate content into different folders by type.

  30. Preventing Attacks Against the Web Servers (Cont.)
  • Secure available content by type.

  31. Preventing Attacks Against the Web Servers (Cont.)
  • Remove all sample applications from the Web server.

  32. Preventing Attacks Against the Web Servers (Cont.)
  • Disable unnecessary services.
  • Block commonly attacked ports with Internet Protocol Security (IPSec).
  • Enable IIS logging.
  • Implement Secure Sockets Layer (SSL) to protect secure areas of the Web server.
  • Deploy an intrusion detection system.
  • Disable the use of parent paths.
  • Apply the IIS 5.0 security checklist.
  • Mitigate against successful attacks.
  • Maintain the latest service packs and hot fixes for the Web server.

  33. Making the Decision: Securing a Web Server
  • Track all access to the Web server.
  • Provide the strongest security to Web-accessible data.
  • Prevent an attacker from accessing unauthorized areas of the disk subsystem.
  • Prevent port scans against commonly attacked ports.
  • Detect hacking attempts.
  • Prevent a successful attack against the Web server from compromising other data stored on the network.
  • Ensure that the latest security fixes are applied to the Web server.
  • Limit the effect of a successful hacking attempt.
  • Apply the recommended security configuration for the Web server.

  34. Applying the Decision: Configuring the Web Server for Market Florist
  • Configure the Web server as a Network Load Balancing Service (NLBS) cluster.
  • Configure the NLBS cluster to load balance equally among the four nodes.
  • Apply any additional security configurations uniformly against all four servers.

  35. Applying the Decision: Configuring the Web Server for Market Florist (Cont.)
  • Configuration for the four Web servers
    • Enable auditing on each Web server.
    • Separate the content from the rest of the Web site.
    • Implement SSL on the Web server.
    • Apply Internet Protocol Security (IPSec) to restrict public network access to the Web server.
    • Apply the IIS 5.0 security checklist recommendations to the IIS servers.

  36. Applying the Decision: Configuring the Web Server for Market Florist (Cont.)
  • Recommended IPSec filters

  37. Securing Other Services Within the DMZ
  • FTP services
  • Telnet services
  • Domain Name System (DNS) services
  • Terminal Services
  • All services

  38. Protect Transmitted Data Between Computers in the DMZ

  39. Making the Decision: Protecting Internet-Accessible Resources
  • Protect the following resources:
    • FTP services
    • Telnet services
    • DNS services
    • All services
    • Interaction between servers

  40. Applying the Decision: Protecting Internet-Accessible Resources at Market Florist
  • Implement the following resources:
    • FTP service
    • DNS service
    • Telnet services
    • Terminal Services
    • Interaction between servers

  41. Securing Data Flow Through a DMZ
  • Determining a firewall strategy
  • Securing DNS resolution traffic
  • Securing Web traffic
  • Securing FTP traffic
  • Securing mail traffic
  • Securing application traffic
  • Securing Terminal server traffic
  • Securing VPN traffic

  42. Specify Allowed Protocols and Prohibit Everything Else
  • The packet filters identify all protocols that can pass through the firewall.
  • If the packet filter does not identify a packet, the packet is assumed to be disallowed and is dropped.
  • This strategy is typically used at external firewalls to define which protocols are allowed to enter the DMZ and the private network.
  • This strategy is also used in high-security networks where only authorized protocols are allowed to enter the DMZ and the private network.

  43. Specify Prohibited Protocols and Allow Everything Else
  • The packet filters identify all protocols that must be dropped at the firewall.
  • If the packet filter does not identify a packet, the packet is allowed to pass through the firewall.
  • This strategy is typically used at internal firewalls to block private network users from specific protocols.
  • This strategy is also used in lower security networks where only unauthorized protocols are blocked at the firewall.

  44. Order of the Packet Filters
  • The order of processing depends on the specific firewall product.
  • Two common methods for processing packet filters:
    • Process the packet filters in the order in which they are entered.
    • Process the most specific packet filters before the more general packet filters.
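The following is an added example, not code from the presentation: a packet filter whose rules carry the six fields of slide 8 and which can be run under either default policy (slide 42, allow-list with default deny; slide 43, deny-list with default allow) and either rule-ordering method of slide 44 (first match in entry order, or most specific rule first). The DMZ web and DNS server addresses, the blocked source network, and the sample rule set are constructed assumptions; the specificity score used for most-specific-first ordering is one reasonable scheme, not the rule any particular firewall product applies.

```python
# Added example (not from the presentation): evaluating packet-filter rules
# under both default policies (slides 42-43) and both orderings (slide 44).
# All addresses and the rule set are constructed sample values.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


def _in(net: str, ip: str) -> bool:
    """True if ip falls inside net; "any" matches every address."""
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


@dataclass(frozen=True)
class Rule:
    # The six packet-filter fields of slide 8.
    src: str          # CIDR or "any"
    src_port: object  # int or "any"
    dst: str          # CIDR or "any"
    dst_port: object  # int or "any"
    proto: str        # "tcp", "udp" or "any"
    action: str       # "allow" or "deny"

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and _in(self.src, p.src_ip) and _in(self.dst, p.dst_ip)
                and self.src_port in ("any", p.src_port)
                and self.dst_port in ("any", p.dst_port))

    def specificity(self) -> int:
        """Assumed scoring: longer prefixes and fixed ports/protocol count as more specific."""
        score = 0
        for net in (self.src, self.dst):
            score += 0 if net == "any" else ipaddress.ip_network(net).prefixlen
        score += 16 if self.src_port != "any" else 0
        score += 16 if self.dst_port != "any" else 0
        score += 8 if self.proto != "any" else 0
        return score


def evaluate(rules, pkt: Packet, default: str = "deny", order: str = "entry") -> str:
    """Return "allow" or "deny" for pkt.

    default="deny":  specify allowed protocols, prohibit everything else (slide 42).
    default="allow": specify prohibited protocols, allow everything else (slide 43).
    order="entry":    first matching rule in the order entered (slide 44, first method).
    order="specific": most specific matching rule wins (slide 44, second method);
                      sorted() is stable, so equally specific rules keep entry order.
    """
    if order == "specific":
        ordered = sorted(rules, key=Rule.specificity, reverse=True)
    else:
        ordered = list(rules)
    for rule in ordered:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed external-firewall rule set for a DMZ with one web and one DNS server.
WEB = "192.0.2.10/32"   # constructed DMZ web server address
DNS = "192.0.2.53/32"   # constructed DMZ DNS server address
EXTERNAL_RULES = [
    Rule("any", "any", WEB, 80, "tcp", "allow"),
    Rule("any", "any", WEB, 443, "tcp", "allow"),
    Rule("any", "any", DNS, 53, "udp", "allow"),
    # A deny filter for one source network, entered after the broad allow rules
    # (the "allow-list plus specific denies" approach listed in slide 45).
    Rule("203.0.113.0/24", "any", WEB, 80, "tcp", "deny"),
]


if __name__ == "__main__":
    blocked_src = Packet("tcp", "203.0.113.5", 40002, "192.0.2.10", 80)
    print("entry order:   ", evaluate(EXTERNAL_RULES, blocked_src, order="entry"))     # allow
    print("specific first:", evaluate(EXTERNAL_RULES, blocked_src, order="specific"))  # deny
    smtp = Packet("tcp", "198.51.100.4", 40001, "192.0.2.10", 25)
    print("smtp, default deny: ", evaluate(EXTERNAL_RULES, smtp))                   # deny
    print("smtp, default allow:", evaluate(EXTERNAL_RULES, smtp, default="allow"))  # allow
```

The last rule is the instructive one: under entry-order processing the earlier "any to web:80" rule matches first and the deny filter never fires, while under most-specific-first processing the deny filter wins. That is why slide 44 says the result depends on the product, and why a deny filter added to an allow-list should be checked against the firewall's actual processing order rather than assumed to take effect.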

  45. Making the Decision: Choosing Firewall Strategies
  • The "Specify allowed protocols and prohibit everything else" strategy
  • The "Specify prohibited protocols and allow everything else" strategy
  • The "Specify allowed protocols and prohibit everything else" strategy, and then create packet filters that deny specific protocols

  46. Applying the Decision: Choosing a Firewall Strategy for Market Florist
  • The "Specify allowed protocols and prohibit everything else" strategy best meets the security needs of the Market Florist network.
  • It allows Market Florist to define only authorized protocols that can enter the DMZ and the private network.
  • If a protocol is not included in the packet filter list, the protocol is assumed to be denied access to the DMZ or private network.

  47. Securing DNS Resolution Traffic
  • The DNS service is used as a locator service in a Microsoft Windows 2000 network.
  • DNS is also used as the locator service for the Internet.
  • When designing security for the DNS service, define how DNS traffic moves through the private network and the DMZ to the Internet.
  • Separate the internal DNS service from the external DNS service.

  48. DNS Traffic Flow in a DMZ

  49. Internal Firewall Rules to Restrict DNS Usage

  50. External Firewall Rules to Restrict DNS Usage
