
Chapter 26: Network Security



  1. Chapter 26: Network Security Dr. Wayne Summers Department of Computer Science Columbus State University Summers_wayne@colstate.edu http://csc.colstate.edu/summers

  2. Policy Development
     • Data Classes
       • Public data
       • Development data for existing products
       • Development data for future products
       • Corporate data
       • Customer data
     • User Classes
       • Outsiders (public)
       • Developers
       • Corporation executives
       • Employees
     • Availability
     • Consistency check

  3. Network Organization
     • DeMilitarized Zone (DMZ): the portion of the network that separates the internal network from the external network
     • Firewall: "Internetwork gateway that restricts data communication traffic to and from one of the connected networks (the one said to be 'inside' the firewall) and thus protects that network's system resources against threats from the other network (the one that is said to be 'outside' the firewall)." [RFC 2828]
     • Filtering firewall: performs access control on the basis of the attributes of the packet header (source and destination addresses, protocol, ports)
     • Proxy: an intermediate agent or server that acts on behalf of endpoints without allowing a direct connection between the two endpoints
     • Proxy (application-level) firewall: uses proxies to perform access control; its decisions can be based on content as well as on header information

  4. Network Organization
     • Analysis of the network infrastructure
       • DMZ servers are typically not allowed to make connections to the intranet.
       • Internet systems are not allowed to contact any system in the intranet directly.
       • Intranet systems are not allowed to contact any system in the Internet directly (least privilege principle).
       • Systems in the DMZ serve as mediators (go-betweens); a password, certificate or other credential is presented before a mediating service is granted.
       • No DMZ server has a second interface leading directly into the intranet; the only path inward is through the inner firewall.
       • Intranet systems typically use private (RFC 1918) addresses: 10.x.y.z; 172.a.x.y with 16 <= a <= 31; 192.168.x.y.
       • Complete mediation principle: the inner firewall mediates every access between the DMZ and the intranet.
       • Separation of privilege: different DMZ servers run different network functions, and the firewall machines are separate entities from the DMZ servers.
       • The outer firewall allows only HTTP/HTTPS and SMTP access to the DMZ servers; malware arriving inside that permitted traffic still has to be detected (for example by scanning inbound mail and web content in the DMZ).
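As an added example (not part of the slides), the following Python model applies the rules of slides 3 and 4 as a stateless filtering firewall: each firewall decides on header attributes only (source zone, destination zone, protocol, destination port), the first matching rule wins, and anything unmatched is dropped. The zone addressing, the DMZ's documentation-range prefix, the firewall names and the specific ports each firewall admits beyond HTTP/HTTPS/SMTP are assumptions chosen for the example; the RFC 1918 intranet ranges are the real ones.

```python
import ipaddress
from dataclasses import dataclass

# Constructed zone addressing (not from the slides). The intranet is the three
# RFC 1918 private blocks; note that 172.16.0.0/12 spans 172.16.x.x through
# 172.31.x.x only. The DMZ sits in an RFC 5737 documentation range that stands
# in for a public prefix. Anything not listed is treated as "internet".
ZONES = {
    "intranet": [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")],
    "dmz": [ipaddress.ip_network("203.0.113.0/24")],
}


def zone_of(addr):
    """Classify an address as 'intranet', 'dmz' or 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"


@dataclass(frozen=True)
class Packet:
    """Only the header attributes a filtering firewall looks at."""
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int   # destination port of the connection-opening packet


# Rule: (source zone, destination zone, protocol, allowed ports or None for any, action).
# First match wins; a packet matching no rule gets DEFAULT_ACTION.
DEFAULT_ACTION = "drop"

OUTER_RULES = [
    ("internet", "dmz", "tcp", {80, 443, 25}, "accept"),  # slide 4: HTTP/HTTPS/SMTP to the DMZ only
    ("dmz", "internet", "tcp", {25}, "accept"),           # assumed: DMZ mail relay delivers outbound mail
    ("dmz", "internet", "udp", {53}, "accept"),           # assumed: DMZ resolver queries the Internet
    # No rule mentions the intranet: Internet <-> intranet traffic never crosses this firewall.
]

INNER_RULES = [
    ("intranet", "dmz", "tcp", {3128, 25}, "accept"),     # assumed: web proxy and mail submission in the DMZ
    # No DMZ -> intranet rule: DMZ servers cannot initiate connections inward.
]


def evaluate(rules, pkt):
    """Apply one firewall's rule list to a packet with first-match semantics."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for rule_src, rule_dst, proto, ports, action in rules:
        if (rule_src, rule_dst, proto) == (src_zone, dst_zone, pkt.proto) and (ports is None or pkt.dport in ports):
            return action
    return DEFAULT_ACTION


# Which firewalls sit between two zones (complete mediation: every cross-zone path
# goes through at least one of them, and Internet <-> intranet goes through both).
FIREWALLS_BETWEEN = {
    frozenset({"internet", "dmz"}): [("outer", OUTER_RULES)],
    frozenset({"dmz", "intranet"}): [("inner", INNER_RULES)],
    frozenset({"internet", "intranet"}): [("outer", OUTER_RULES), ("inner", INNER_RULES)],
}


def decide(pkt):
    """'accept' only if every firewall on the packet's path accepts it."""
    ends = frozenset({zone_of(pkt.src), zone_of(pkt.dst)})
    if len(ends) == 1:
        return "accept"   # same zone: no firewall in between
    for _name, rules in FIREWALLS_BETWEEN[ends]:
        if evaluate(rules, pkt) != "accept":
            return "drop"
    return "accept"


if __name__ == "__main__":
    # Constructed sample packets, one per policy statement on slide 4.
    samples = [
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443),  # Internet -> DMZ web server
        Packet("198.51.100.7", "203.0.113.10", "tcp", 22),   # Internet -> DMZ ssh: not admitted
        Packet("198.51.100.7", "10.1.2.3", "tcp", 80),       # Internet -> intranet directly
        Packet("10.1.2.3", "198.51.100.7", "tcp", 443),      # intranet -> Internet directly
        Packet("10.1.2.3", "203.0.113.10", "tcp", 3128),     # intranet -> DMZ proxy
        Packet("203.0.113.10", "10.1.2.3", "tcp", 445),      # DMZ -> intranet
    ]
    for p in samples:
        print(f"{zone_of(p.src):8} -> {zone_of(p.dst):8} {p.proto}/{p.dport:<5} {decide(p)}")
```

The model judges only connection-opening packets; a real deployment also needs state (or explicit rules) for the return traffic of accepted connections. The point it makes visible is that the intranet appears in no outer-firewall rule at all, so an Internet host cannot reach it even if the inner firewall were misconfigured, and that a DMZ host that is compromised still has no rule letting it open connections inward.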

  5. Firewall Network Configuration

  6. Availability and Network Flooding
     • DoS: denial of service attack
       • Example: SYN flood (the attacker sends many SYNs, usually with spoofed sources, and never completes the handshake, so the server's table of half-open connections fills up)
     • DDoS: distributed DoS (the flood comes from many hosts at once)
     • Intermediate hosts: use upstream routers to divert or eliminate illegitimate traffic before it reaches the firewall
     • TCP state and memory allocation
       • SYN cookie: push the tracking of the half-open state to the client (the server encodes what it needs in the initial sequence number of the SYN-ACK and reconstructs it from the returning ACK instead of storing it)
       • Time out pending connections so that abandoned half-open entries are reclaimed
     • Anticipating attacks
       • IDSs (intrusion detection systems)
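The SYN cookie bullet above compresses the idea considerably, so the added example below (constructed for this page, not from the slides or from any real TCP stack) shows the mechanism end to end in Python: the server encodes a time counter, an MSS index and a keyed MAC of the connection's addresses and ports into the 32-bit initial sequence number, keeps no per-SYN state, and on the returning ACK recomputes the MAC to decide whether the handshake is genuine. The toy `Listener` class also illustrates the other two bullets in that group: a bounded backlog of half-open connections that a flood fills, and the timeout that reclaims stale entries. The cookie layout (5-bit time counter, 3-bit MSS index, 24-bit MAC), the MSS table, the 64-second window and the class and function names are assumptions modelled loosely on the Linux scheme, not a specification.

```python
import hashlib
import hmac
import os

SECRET = os.urandom(16)               # server-side key; real stacks rotate it periodically
MSS_TABLE = [536, 1300, 1440, 1460]   # assumed 3-bit MSS encoding (values chosen for the example)
MASK32 = 0xFFFFFFFF


def _counter(now):
    """5-bit time counter that advances every 64 seconds (assumed window size)."""
    return int(now // 64) & 0x1F


def _mac(src, dst, sport, dport, t):
    """24-bit keyed MAC over the 4-tuple and the time counter."""
    msg = f"{src}|{dst}|{sport}|{dport}|{t}".encode()
    return hmac.new(SECRET, msg, hashlib.sha256).digest()[:3]


def make_cookie(src, dst, sport, dport, mss, now):
    """Initial sequence number for the SYN-ACK: [5-bit t][3-bit MSS idx][24-bit MAC]."""
    idx = max((i for i, m in enumerate(MSS_TABLE) if m <= mss), default=0)
    t = _counter(now)
    return ((t << 27) | (idx << 24) | int.from_bytes(_mac(src, dst, sport, dport, t), "big")) & MASK32


def check_cookie(src, dst, sport, dport, ack, now):
    """Validate the client's ACK; return the encoded MSS if genuine, else None."""
    cookie = (ack - 1) & MASK32
    t, idx = cookie >> 27, (cookie >> 24) & 0x7
    if (_counter(now) - t) & 0x1F > 1:          # only the current and previous window are valid
        return None
    if not hmac.compare_digest((cookie & 0xFFFFFF).to_bytes(3, "big"), _mac(src, dst, sport, dport, t)):
        return None
    return MSS_TABLE[idx]


class Listener:
    """Toy TCP listener: a bounded half-open table, optionally falling back to SYN cookies."""

    def __init__(self, addr, port, backlog=4, syn_timeout=30.0, cookies=False):
        self.addr, self.port = addr, port
        self.backlog, self.syn_timeout, self.cookies = backlog, syn_timeout, cookies
        self.half_open = {}        # (src, sport) -> (isn, mss, time the SYN arrived)
        self.established = set()

    def expire(self, now):
        """Time out pending connections: reclaim half-open entries older than syn_timeout."""
        for key in [k for k, (_, _, t0) in self.half_open.items() if now - t0 > self.syn_timeout]:
            del self.half_open[key]

    def on_syn(self, src, sport, mss, now):
        """Return the ISN to send in the SYN-ACK, or None if the SYN is dropped."""
        self.expire(now)
        if len(self.half_open) < self.backlog:
            isn = int.from_bytes(os.urandom(4), "big")
            self.half_open[(src, sport)] = (isn, mss, now)
            return isn
        if self.cookies:           # table full: answer statelessly instead of dropping
            return make_cookie(src, self.addr, sport, self.port, mss, now)
        return None

    def on_ack(self, src, sport, ack, now):
        """Complete the handshake from stored state or from a valid cookie."""
        entry = self.half_open.get((src, sport))
        if entry is not None and ack == (entry[0] + 1) & MASK32:
            del self.half_open[(src, sport)]
            self.established.add((src, sport))
            return True
        if entry is None and self.cookies and check_cookie(src, self.addr, sport, self.port, ack, now) is not None:
            self.established.add((src, sport))
            return True
        return False


def flood_then_connect(cookies, now=1000.0):
    """Spoofed SYNs that never complete, then one honest client: does it get through?"""
    srv = Listener("203.0.113.10", 80, backlog=4, cookies=cookies)
    for i in range(10):            # constructed attack traffic: no ACK ever follows
        srv.on_syn(f"198.51.100.{i}", 40000 + i, 1460, now)
    isn = srv.on_syn("192.0.2.5", 51000, 1460, now + 1)
    if isn is None:
        return False
    return srv.on_ack("192.0.2.5", 51000, (isn + 1) & MASK32, now + 1.1)


if __name__ == "__main__":
    print("without SYN cookies:", flood_then_connect(False))   # honest client is refused
    print("with SYN cookies:   ", flood_then_connect(True))    # honest client connects
```

Two design points are worth noticing. The MAC is what makes the scheme safe: an attacker who never sees the SYN-ACK (because the source was spoofed) cannot produce a valid ACK, so the flood costs the server one HMAC per packet and no memory. The cost of the trick is also visible: only a few bits of the original SYN survive (here the MSS index and a coarse timestamp), which is why real stacks enable cookies only once the backlog is full rather than all the time.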
