Internet Architecture Course Network Security BCS 6 th / MCS 4 th Term Salam Ullah Khan

Network security chapter 6 and 7 internet architecture


Page 1: Network security chapter  6 and 7 internet   architecture

Internet Architecture

Course: Network Security, BCS 6th / MCS 4th Term

Salam Ullah Khan

Page 2: Network security chapter  6 and 7 internet   architecture

Services to Offer

• The first question that must be answered with regard to Internet architecture is:

• What services will the organization provide via the Internet?

• The services that will be offered and who will be accessing them will greatly impact the overall architecture

Page 3: Network security chapter  6 and 7 internet   architecture

Mail

• Mail is generally offered to internal employees so that they can send and receive messages.

• This service requires that at least one server be established to receive inbound mail.

• If higher availability is required, at least two mail servers are required.

Page 4: Network security chapter  6 and 7 internet   architecture

Mail

• An organization may also choose to establish public mail relays for such things as e-mail discussion groups. Such systems are normally referred to as list servers.

• These systems will allow external people to send mail to the system and the system resends that message to the subscribers of the list.

Page 5: Network security chapter  6 and 7 internet   architecture

Web

• To publish information to customers or partners via the World Wide Web, an organization needs to establish a Web server.

• The Web server may be hosted at another location or it may be hosted internally.

• Web servers can provide simple, static content or dynamic content.

• Access to the Web site can be public, or it can be restricted (for example through a login system over HTTPS on port 443).

Page 6: Network security chapter  6 and 7 internet   architecture

Web

• An FTP server allows external individuals to get or send files using a Web browser or FTP client software.

• It can be anonymous or it can require a login ID and password.

Page 7: Network security chapter  6 and 7 internet   architecture

Internal Access to the Internet

• How employees access the Internet should be governed by organization policy

• Organizations may allow any service they choose, including instant messaging, chat, and streaming video or audio, or they may restrict access to only certain Web sites.

Page 8: Network security chapter  6 and 7 internet   architecture

Internal Access to Internet

Page 9: Network security chapter  6 and 7 internet   architecture

External Access to Internal Systems

• A touchy subject for security and network staff.

• External access can take two forms: employee access (usually from remote locations as part of their job) or non-employee access.

• Employee access to internal systems from remote locations is usually accomplished through the use of a virtual private network (VPN) over the Internet.

Page 10: Network security chapter  6 and 7 internet   architecture

External Access to Internal Systems

• External organizations require access to internal systems.

• Even access by trusted business partners must be mediated to manage risk.

• External access may be accomplished through the use of VPNs, dial-up lines, or leased lines

Page 11: Network security chapter  6 and 7 internet   architecture

FIREWALLS

• A firewall is a network access control device that is designed to deny all traffic except that which is explicitly allowed.

• A firewall is different from a router.

• A firewall is a security device that can allow appropriate traffic to flow, while a router is a network device.

Page 12: Network security chapter  6 and 7 internet   architecture

Firewalls

• Firewalls can be configured to allow traffic based on the service, the IP address of the source or destination, or the ID of the user requesting service.

• Firewalls can also be configured to log all traffic.

• Firewall rules do all the work.

Page 13: Network security chapter  6 and 7 internet   architecture

Types of Firewalls

• There are two general types of firewalls:

• Application layer firewalls

• Packet filtering firewalls

Page 14: Network security chapter  6 and 7 internet   architecture

Application Layer Firewalls

• Application layer firewalls (also called proxy firewalls) are software packages that sit on top of general-purpose operating systems or on firewall appliances.

• The firewall will have multiple interfaces, one for each network to which it is connected.

• A set of policy rules defines how traffic from one network is transported to any other.

• All connections terminate on the firewall

Page 15: Network security chapter  6 and 7 internet   architecture

Policy rules are enforced through the use of proxies. On an application layer firewall, each protocol to be allowed must have its own proxy.

Page 16: Network security chapter  6 and 7 internet   architecture

Application Layer Firewalls

• Application layer firewalls will have proxies for the most commonly used protocols such as HTTP, SMTP, FTP, and telnet. Other proxies may not be available. If a proxy is not available, the protocol cannot be used across the firewall.

• The firewall also hides the addresses of systems behind the application layer firewall.
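As an added illustration of the three application layer firewall slides (not code from the course), the Python model below shows what "connections terminate on the firewall" and "each protocol needs its own proxy" mean in practice: proxies exist for ports 80 and 25 only, each proxy checks its own protocol before relaying, a port with no proxy is refused, and every relayed connection leaves from the firewall's own address, so the internal client address is never exposed. The firewall address, client addresses and the protocol checks are constructed examples.

```python
"""Toy model of an application layer (proxy) firewall.

Added illustration, not code from the course slides. Each proxy understands
just enough of its protocol to accept or reject a session; a real proxy
implements the whole protocol. Addresses are constructed examples.
"""
from dataclasses import dataclass
from typing import Dict, List

FIREWALL_EXTERNAL_ADDR = "203.0.113.10"   # constructed: the only address the outside sees


@dataclass(frozen=True)
class OutboundConnection:
    src: str        # address the destination sees as the connection source
    dst: str
    port: int
    payload: bytes


class HttpProxy:
    """Proxy for TCP port 80: checks the request line before relaying."""
    allowed_methods = {"GET", "HEAD", "POST"}

    def relay(self, payload: bytes) -> bytes:
        request_line = payload.split(b"\r\n", 1)[0].decode("ascii", "replace")
        parts = request_line.split(" ")
        if len(parts) != 3 or not parts[2].startswith("HTTP/"):
            raise ValueError("not an HTTP request line")
        if parts[0] not in self.allowed_methods:
            raise ValueError("method %s not allowed by policy" % parts[0])
        return payload


class SmtpProxy:
    """Proxy for TCP port 25: an SMTP client must open with HELO or EHLO."""

    def relay(self, payload: bytes) -> bytes:
        first_line = payload.split(b"\r\n", 1)[0].upper()
        if not first_line.startswith((b"HELO ", b"EHLO ")):
            raise ValueError("SMTP session must open with HELO/EHLO")
        return payload


class ProxyFirewall:
    """Client connections end here; only protocols with a proxy can cross."""

    def __init__(self) -> None:
        self.proxies: Dict[int, object] = {}
        self.outbound: List[OutboundConnection] = []   # connections opened on clients' behalf

    def register(self, port: int, proxy) -> None:
        self.proxies[port] = proxy

    def connect(self, internal_src: str, dst: str, port: int, payload: bytes) -> str:
        """Decide on a client connection that terminated on the firewall."""
        proxy = self.proxies.get(port)
        if proxy is None:
            # No proxy for this protocol, so it cannot be used across the firewall.
            return "deny: no proxy for port %d" % port
        try:
            relayed = proxy.relay(payload)
        except ValueError as err:
            return "deny: %s" % err
        # A fresh connection leaves from the firewall's own address, hiding internal_src.
        self.outbound.append(OutboundConnection(FIREWALL_EXTERNAL_ADDR, dst, port, relayed))
        return "allow"


def build_firewall() -> ProxyFirewall:
    fw = ProxyFirewall()
    fw.register(80, HttpProxy())
    fw.register(25, SmtpProxy())
    return fw


if __name__ == "__main__":
    fw = build_firewall()
    print(fw.connect("192.168.10.20", "198.51.100.5", 80, b"GET / HTTP/1.1\r\nHost: x\r\n\r\n"))
    print(fw.connect("192.168.10.20", "198.51.100.5", 23, b"login: "))
    print("outside sees source", fw.outbound[0].src)
```

Because the proxy parses the protocol, it can also reject traffic that merely uses an allowed port (binary data sent to port 80, or HTTP sent to port 25), which a header-only packet filter would let through.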

Page 17: Network security chapter  6 and 7 internet   architecture

Packet Filtering Firewalls

• Packet filtering firewalls are also software packages.

• The firewall will have multiple interfaces, one for each network to which it is connected.

• Like the application layer firewall, a set of policy rules defines how traffic from one network is transported to any other.

• If a rule does not specifically allow the traffic to flow, the firewall will deny or drop the packets.

Page 18: Network security chapter  6 and 7 internet   architecture

Packet Filtering Firewalls

• Policy rules are enforced through the use of packet inspection filters.

• The filters examine the packets and determine whether the traffic is allowed based on the policy rules and the state of the protocol.

• If the protocol is running over TCP, state determination is relatively easy as TCP itself maintains state.

• What if the protocol runs over UDP?

Page 19: Network security chapter  6 and 7 internet   architecture

Packet Filtering Firewalls

• With a packet filtering firewall, connections do not terminate on the firewall but instead travel directly to the destination system.

• As the packets arrive at the firewall, the firewall will determine if the packet and connection state are allowed by the policy rules.

• Allow or Drop?

Page 20: Network security chapter  6 and 7 internet   architecture

Hybrid Firewalls are also available now

Page 21: Network security chapter  6 and 7 internet   architecture

Firewall Configuration

• Web server offering service on port 80 only.

• Mail server offering service on port 25 only.

• The Internet policy for the organization allows internal users to use the following services:

• HTTP

• HTTPS

• FTP

• Telnet

• SSH

Page 22: Network security chapter  6 and 7 internet   architecture

Firewall Configuration

• Single Firewall

• Dual Firewalls

Page 23: Network security chapter  6 and 7 internet   architecture

Firewall Rule set Design

• Good rule set design can be as important to a firewall as good hardware.

• Firewalls work on a “first match” basis when deciding whether to accept or reject a packet, i.e. the most specific rules should be placed at the top of the rule set, followed by the more general ones.

• The more rules that must be examined for each packet, the more processing the firewall must do, so keep the rule set short and efficient.

Page 24: Network security chapter  6 and 7 internet   architecture
Page 25: Network security chapter  6 and 7 internet   architecture

Firewall Rule set Design

• First, look at the expected traffic load of the firewall and rank the traffic types in order.

• HTTP traffic will be the largest, so keep it at the top of the list.
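As an added example (not from the slides), the Python below is a small first-match evaluator that implements the policy from the Firewall Configuration slide: a Web server on port 80 only, a mail server on port 25 only, and internal users allowed HTTP, HTTPS, FTP, Telnet and SSH. It reports how many rules each packet had to pass through, which is the processing cost the rule set design slides talk about, and shows how a broad deny placed above the specific allows shadows them. Network addresses are constructed documentation ranges.

```python
"""First-match packet filter rule set (added example, not code from the slides).

The policy is the one on the Firewall Configuration slide; the addresses are
constructed documentation ranges.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple

ANY = ip_network("0.0.0.0/0")
INTERNAL = ip_network("192.168.10.0/24")          # constructed internal LAN
DMZ = ip_network("203.0.113.0/28")                # constructed ISP block (16 addresses)
WEB_SERVER = ip_network("203.0.113.5/32")         # constructed
MAIL_SERVER = ip_network("203.0.113.6/32")        # constructed


@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    dport: int


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                 # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]        # None matches any port

    def matches(self, pkt: Packet) -> bool:
        return (pkt.src in self.src and pkt.dst in self.dst
                and (self.dport is None or pkt.dport == self.dport))


def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str, int]:
    """First match wins. Returns (action, rule name, number of rules examined)."""
    for index, rule in enumerate(rules, start=1):
        if rule.matches(pkt):
            return rule.action, rule.name, index
    # Nothing matched: the firewall denies everything not explicitly allowed.
    return "deny", "default deny", len(rules)


# Ordered by expected load (HTTP first) with specific rules above broad ones.
RULES = [
    Rule("internal users -> HTTP", "allow", INTERNAL, ANY, 80),
    Rule("internal users -> HTTPS", "allow", INTERNAL, ANY, 443),
    Rule("Internet -> Web server", "allow", ANY, WEB_SERVER, 80),
    Rule("Internet -> mail server", "allow", ANY, MAIL_SERVER, 25),
    Rule("internal users -> FTP", "allow", INTERNAL, ANY, 21),
    Rule("internal users -> SSH", "allow", INTERNAL, ANY, 22),
    Rule("internal users -> Telnet", "allow", INTERNAL, ANY, 23),
]

# Misordering example: a broad deny above the specific allows shadows them.
MISORDERED = [Rule("block all inbound to DMZ", "deny", ANY, DMZ, None)] + RULES


def pkt(src: str, dst: str, dport: int) -> Packet:
    return Packet(ip_address(src), ip_address(dst), dport)


if __name__ == "__main__":
    for p in (pkt("192.168.10.20", "198.51.100.5", 80),
              pkt("198.51.100.7", "203.0.113.5", 80),
              pkt("198.51.100.7", "203.0.113.6", 80),
              pkt("198.51.100.7", "203.0.113.5", 22)):
        print(p.src, "->", p.dst, p.dport, evaluate(RULES, p))
    print("misordered:", evaluate(MISORDERED, pkt("198.51.100.7", "203.0.113.5", 80)))
```

The most common packet (internal user to HTTP) matches on the first rule, while a packet that nothing allows must be compared against every rule before the implicit deny, which is why the slides say to rank rules by expected traffic and keep the set short.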

Page 26: Network security chapter  6 and 7 internet   architecture

Network Address Translation (NAT)

• Any organization that plans to install a firewall will have to deal with addressing issues.

• At the root of the problem is the shortage of IP address space.

• For example, most ISPs will provide blocks of 16 or 32 addresses (which actually become 14 or 30 usable addresses when the broadcast addresses are taken into account). The solution is NAT.

Page 27: Network security chapter  6 and 7 internet   architecture

NAT

• NAT translates one or more addresses into other addresses. How does this help? When we build our networks, we use the 30 or so addresses provided by the ISP for systems that must be visible to the Internet.

• On the inside of the network, we use addresses that are not visible but are translated

Page 28: Network security chapter  6 and 7 internet   architecture

NAT

• The firewall usually performs the NAT function. Routers can also be used for this function if necessary.

• Application layer firewalls perform NAT as part of their design.

• Since all connections terminate on the firewall, only the firewall’s address is visible to the outside.

• Packet filtering firewalls also have this capability but it must be configured during firewall setup.

Page 29: Network security chapter  6 and 7 internet   architecture

NAT

• NAT can also provide a security function as the hidden addresses of the internal systems are not visible to the Internet.

Page 30: Network security chapter  6 and 7 internet   architecture

Private Class Addresses

• Despite NAT we still need addresses for the internal network. The choice of internal addresses can cause all types of routing problems if it is not done properly.

• RFC 1918 (an RFC, or Request for Comments, is how Internet standards are published) specifies what are called private class addresses.

Page 31: Network security chapter  6 and 7 internet   architecture

Private Class Addresses

• These addresses are intended for use on internal networks behind a firewall that performs NAT.

• Subnet Mask?

Page 32: Network security chapter  6 and 7 internet   architecture

Private Class Addresses

• None of these addresses are routable on the Internet. If you attempt to ping a private class address from the Internet, the packets will be returned with a “network unreachable” message.
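The address arithmetic behind the NAT and Private Class Addresses slides, as an added Python example (not code from the course): it shows why an ISP block of 16 or 32 addresses leaves 14 or 30 usable hosts, answers the "Subnet Mask?" question for each RFC 1918 block, and models the edge check that a packet bound for a private address is not forwarded onto the Internet. The RFC 1918 ranges are the real ones; the sample blocks are constructed documentation ranges.

```python
"""Address block arithmetic and RFC 1918 checks (added example, not course code)."""
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Dict, List

# The three RFC 1918 private address blocks.
RFC1918: List[IPv4Network] = [
    ip_network("10.0.0.0/8"),
    ip_network("172.16.0.0/12"),
    ip_network("192.168.0.0/16"),
]


def usable_hosts(block: str) -> int:
    """Hosts that can be assigned: the block minus its network and broadcast addresses."""
    net = ip_network(block)
    return net.num_addresses - 2 if net.num_addresses > 2 else 0


def describe(block: str) -> Dict[str, object]:
    """Prefix length, dotted subnet mask and address counts for a block."""
    net = ip_network(block)
    return {
        "prefix": net.prefixlen,
        "netmask": str(net.netmask),
        "addresses": net.num_addresses,
        "usable": usable_hosts(block),
    }


def is_private(addr: str) -> bool:
    """True when addr lies in one of the RFC 1918 blocks."""
    a = ip_address(addr)
    return any(a in net for net in RFC1918)


def egress_decision(dst: str) -> str:
    """Edge-router view: private destinations are not routable on the Internet."""
    if is_private(dst):
        return "drop: %s is a private class address (network unreachable)" % dst
    return "forward"


if __name__ == "__main__":
    for block in ("203.0.113.0/28", "203.0.113.0/27"):   # constructed 16- and 32-address blocks
        print(block, describe(block))
    for net in RFC1918:
        print(net, "mask", net.netmask, "usable hosts", usable_hosts(str(net)))
    print(egress_decision("192.168.1.10"), "|", egress_decision("198.51.100.7"))
```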

Page 33: Network security chapter  6 and 7 internet   architecture

Static NAT

• We architect a network to use private class addresses and we want to use NAT to allow systems to be accessible from the Internet. For this situation, we use what is called static NAT.

• Static NAT maps a single real address from the organization’s external network to a system.

• Static NAT is a one-to-one configuration. For each system that must be accessible from the Internet, one real address is used.

Page 34: Network security chapter  6 and 7 internet   architecture

Dynamic NAT

• Dynamic NAT differs from static NAT in that many internal addresses are mapped to a single real address.

• The real address that is used is the external address of the firewall.

• The firewall then tracks the connections and uses one port for each connection.

• Dynamic NAT is especially useful for desktop clients who use Dynamic Host Configuration Protocol (DHCP).

Page 35: Network security chapter  6 and 7 internet   architecture

Dynamic NAT

• Systems that use dynamic NAT are not addressable from the outside since only the firewall maintains the mappings of ports to systems and the mappings will change regularly.
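Both NAT modes from the last three slides in one added Python model (not code from the course): a static, one-to-one entry lets the Internet open connections to an internal Web server through its real address, while dynamic NAT rewrites every desktop client to the firewall's external address and tracks each connection by an allocated port. An inbound packet that matches no entry is dropped, which is why dynamic-NAT clients are not addressable from outside. Addresses and port numbers are constructed examples, and a real NAT would also check the remote endpoint of each tracked connection.

```python
"""Static and dynamic NAT tables on a firewall (added example, not course code)."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

FIREWALL_EXTERNAL = "203.0.113.1"   # constructed external address of the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatFirewall:
    def __init__(self, external_addr: str, first_port: int = 40000) -> None:
        self.external_addr = external_addr
        self.static: Dict[str, str] = {}                 # internal -> real address
        self.static_rev: Dict[str, str] = {}             # real address -> internal
        self.dynamic: Dict[Tuple[str, int], int] = {}    # (internal, sport) -> external port
        self.dynamic_rev: Dict[int, Tuple[str, int]] = {}
        self.next_port = first_port

    def add_static(self, internal: str, real: str) -> None:
        """One-to-one: each Internet-visible system consumes one real address."""
        if real in self.static_rev:
            raise ValueError("real address %s already assigned" % real)
        self.static[internal] = real
        self.static_rev[real] = internal

    def outbound(self, pkt: Packet) -> Packet:
        """Translate a packet leaving the internal network."""
        if pkt.src in self.static:
            return Packet(self.static[pkt.src], pkt.sport, pkt.dst, pkt.dport)
        key = (pkt.src, pkt.sport)
        if key not in self.dynamic:
            # New connection: allocate one external port for it and remember it.
            port = self.next_port
            self.next_port += 1
            self.dynamic[key] = port
            self.dynamic_rev[port] = key
        return Packet(self.external_addr, self.dynamic[key], pkt.dst, pkt.dport)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Translate a packet arriving from the Internet; None means drop."""
        if pkt.dst in self.static_rev:
            return Packet(pkt.src, pkt.sport, self.static_rev[pkt.dst], pkt.dport)
        if pkt.dst == self.external_addr and pkt.dport in self.dynamic_rev:
            # Simplified: a real NAT also checks that pkt.src matches the tracked remote end.
            internal, sport = self.dynamic_rev[pkt.dport]
            return Packet(pkt.src, pkt.sport, internal, sport)
        return None   # no mapping: unsolicited traffic to a dynamic client is dropped


def build_firewall() -> NatFirewall:
    fw = NatFirewall(FIREWALL_EXTERNAL)
    fw.add_static("192.168.10.5", "203.0.113.5")   # constructed internal Web server, static NAT
    return fw


if __name__ == "__main__":
    fw = build_firewall()
    print("static inbound:", fw.inbound(Packet("198.51.100.7", 51000, "203.0.113.5", 80)))
    out = fw.outbound(Packet("192.168.10.77", 52000, "198.51.100.9", 80))
    print("dynamic outbound:", out)
    print("reply:", fw.inbound(Packet("198.51.100.9", 80, FIREWALL_EXTERNAL, out.sport)))
    print("unsolicited:", fw.inbound(Packet("198.51.100.9", 80, FIREWALL_EXTERNAL, 40999)))
```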

Page 36: Network security chapter  6 and 7 internet   architecture

Chapter 7

Virtual Private Networks (VPN)

Page 37: Network security chapter  6 and 7 internet   architecture

VPNs

• Private networks have been used by organizations to communicate with remote sites and with other organizations.

• They are made up of lines leased from the various phone companies and ISPs.

• Leased lines create a real circuit between the two sites.

• Private networks have many advantages; their disadvantage is cost.

• Solution: Virtual Private Networks.

Page 38: Network security chapter  6 and 7 internet   architecture

Defining VPNs

• With the increasing use of the Internet, many organizations have moved to Virtual Private Networks (VPN).

• VPNs offer organizations many of the advantages of private networks with a lower cost.

• However, VPNs introduce a whole new set of issues and risks for an organization.

Page 39: Network security chapter  6 and 7 internet   architecture

VPNs

• Use a public network like the Internet to send data securely.

• We separate our traffic from everyone else’s.

• Encryption: much of the traffic on the Internet is sent in the clear, so anyone watching the traffic can see exactly what is going by.

• This is true for most mail and Web traffic as well as telnet and FTP sessions. Secure Shell (SSH) and HyperText Transfer Protocol Secure (HTTPS) traffic is encrypted.

Page 40: Network security chapter  6 and 7 internet   architecture

VPNs

• VPNs have several characteristics:

• Traffic is encrypted so as to prevent eavesdropping.

• The remote site is authenticated.

• Multiple protocols are supported over the VPN.

• The connection is point to point.

Page 41: Network security chapter  6 and 7 internet   architecture

VPNs

• VPN packets are mixed in with the regular traffic flow on the Internet and segregated because only the end points of the connection can read the traffic.
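The four VPN characteristics and the "only the end points can read the traffic" point, as an added Python model of a site-to-site tunnel between two gateways (not code from the course or from any real VPN product). The cipher is a deliberately simple construction from the standard library (an HMAC-SHA256 keystream with a per-packet nonce, and an HMAC tag over nonce and ciphertext, i.e. encrypt-then-MAC) so the example runs anywhere; real VPNs use IPsec or TLS-based protocols. Gateway addresses and the shared secret are constructed.

```python
"""Model of a site-to-site VPN tunnel between two gateways (added example,
not code from the course or any real VPN product).

The cipher is a toy: a keystream from HMAC-SHA256 over a per-packet nonce
and counter, plus an HMAC tag over nonce and ciphertext (encrypt-then-MAC).
The point is what the slide's four characteristics look like in code and
what an observer on the Internet path can and cannot see.
"""
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional

NONCE_LEN = 16
TAG_LEN = 32


def derive_keys(shared_secret: bytes):
    """Separate keys for confidentiality and for authenticating the peer."""
    enc = hmac.new(shared_secret, b"enc", hashlib.sha256).digest()
    mac = hmac.new(shared_secret, b"mac", hashlib.sha256).digest()
    return enc, mac


def keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class VpnGateway:
    """One end of a point-to-point tunnel; only the configured peer is trusted."""

    def __init__(self, public_addr: str, peer_addr: str, shared_secret: bytes) -> None:
        self.public_addr = public_addr
        self.peer_addr = peer_addr
        self.enc_key, self.mac_key = derive_keys(shared_secret)

    def encapsulate(self, inner_packet: bytes) -> Dict[str, object]:
        """Wrap an inner packet of any protocol in an outer packet to the peer."""
        nonce = os.urandom(NONCE_LEN)
        ciphertext = xor_bytes(inner_packet, keystream(self.enc_key, nonce, len(inner_packet)))
        tag = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        return {"src": self.public_addr, "dst": self.peer_addr,
                "payload": nonce + ciphertext + tag}

    def decapsulate(self, outer: Dict[str, object]) -> Optional[bytes]:
        """Return the inner packet, or None if it did not come from the peer intact."""
        if outer["src"] != self.peer_addr:
            return None                       # point to point: one peer only
        body = outer["payload"]
        if len(body) < NONCE_LEN + TAG_LEN:
            return None
        nonce, ciphertext, tag = body[:NONCE_LEN], body[NONCE_LEN:-TAG_LEN], body[-TAG_LEN:]
        expected = hmac.new(self.mac_key, nonce + ciphertext, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return None                       # wrong key or modified in transit
        return xor_bytes(ciphertext, keystream(self.enc_key, nonce, len(ciphertext)))


def observer_view(outer: Dict[str, object], inner_packet: bytes) -> Dict[str, object]:
    """What someone watching the Internet path learns from one tunnel packet."""
    return {"src": outer["src"], "dst": outer["dst"], "length": len(outer["payload"]),
            "inner_visible": inner_packet in outer["payload"]}


if __name__ == "__main__":
    secret = b"constructed-shared-secret"
    site_a = VpnGateway("203.0.113.1", "198.51.100.1", secret)   # constructed gateways
    site_b = VpnGateway("198.51.100.1", "203.0.113.1", secret)
    inner = b"GET /intranet/payroll HTTP/1.1\r\nHost: hr.internal\r\n\r\n"
    outer = site_a.encapsulate(inner)
    print("observer sees:", observer_view(outer, inner))
    print("peer recovers:", site_b.decapsulate(outer) == inner)
```

The observer on the path sees only the two gateway addresses and an opaque payload (the inner protocol is whatever the sites exchange), the receiving gateway accepts packets only from its configured peer and only if the tag verifies, and a packet altered in transit or built with a different secret is rejected rather than decrypted.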

Page 42: Network security chapter  6 and 7 internet   architecture
Page 43: Network security chapter  6 and 7 internet   architecture

VPN Types

• VPNs are generally separated into two types: user VPNs and site VPNs.

Page 44: Network security chapter  6 and 7 internet   architecture

User VPNs

• User VPNs are virtual private networks between an individual user machine and an organization site or network.

• Often user VPNs are used for employees who travel or work from home.

• The organization’s site requests the user to authenticate and, if successful, allows the user access to the organization’s internal network as if the user were within the site and physically on the network. Speed is slower because of the user’s own connection.

Page 45: Network security chapter  6 and 7 internet   architecture

User VPNs

• While the user has a VPN back to the organization’s internal network, he or she also has a connection to the Internet and can surf the Web or perform other activities like a normal Internet user.

Page 46: Network security chapter  6 and 7 internet   architecture

Benefits of User VPNs

• Employees who travel can have access to e-mail, files, and internal systems wherever they are without the need for expensive long distance calls to dial-in servers.

• Employees who work from home can have the same access to network services as employees who work from the organization facilities without the requirement for expensive leased lines.

• COST saving + Speed

Page 47: Network security chapter  6 and 7 internet   architecture

Issues with user VPNs

• User VPNs bring significant security risks and implementation issues.

• The biggest single security issue with the use of a VPN by an employee is the simultaneous connection to other Internet sites.

• If the user’s computer has been compromised with a Trojan Horse program, it may be possible for some external, unauthorized user to use the employee’s computer to connect to the organization’s internal network.

Page 48: Network security chapter  6 and 7 internet   architecture

Issues with User VPNs

• User VPNs require the same attention to user-management issues as internal systems.

• Decide which users require remote VPN access and which do not.

• Also consider what happens when an employee leaves the job.

• Users must authenticate themselves before using the VPN.

• Organizations must also be concerned with the traffic load created by many VPN connections.

Page 49: Network security chapter  6 and 7 internet   architecture

Managing User VPNs

• Managing user VPNs is primarily an issue of managing the users and user computer systems.

• Procedures must be in place and followed through to employee separation.

• Proper VPN software versions and configurations must be maintained.

• If the computers are owned by the organization, this becomes part of the standard software load for the computer.

• If the organization allows employees to use the VPN from their home computers, the organization will need to increase overall support to these users and configurations.

Page 50: Network security chapter  6 and 7 internet   architecture

Managing User VPNs

• One key aspect of the user VPN that should not be forgotten is the use of a good anti-virus software package on the user’s computer.