Chapter 8
Network Security
Topologies
Objectives in this Chapter
ATHENA
Explain network perimeter’s importance to an
organization’s security policies
Identify place and role of the demilitarized zone in the
network
Explain how network address translation is used to help
secure networks
Spell out the role of tunneling in network security
Describe security features of virtual local area networks
Perimeter Security Topologies
The whole goal of connecting networks is so
that people can share information.
The goal of perimeter security is to selectively
admit or deny data flows based on:
• Protocol
• Source
• Destination
• Content
Perimeter Security Topologies
Put in place using firewalls and routers on network edge
Permit secure communications between the
organization and third parties
Key enablers for many mission-critical network services
Include demilitarized zones (DMZs), extranets, and
intranets
continued…
Perimeter Security Topologies
The data flows that are allowed to enter, and
those that aren’t, are defined in an
organization’s security policy.
The security policy describes what type of
activities are permitted and what types are not.
Security Policies and Firewalls
These security policies are enforced primarily
with firewalls deployed at key boundaries in
the network, including the network perimeter.
Every packet entering or leaving is forced to
pass through a firewall, which checks it for
compliance with its rule set, discarding those
that don’t comply.
Multiple Perimeters
A network may contain multiple perimeters,
with different security levels:
• Outermost perimeter
• Internal perimeters
• Innermost perimeter
Outermost Perimeter
A router is used to separate the network from the ISP’s
network
Identifies separation point between assets you control
and those you do not
Most insecure area of a network infrastructure
Normally reserved for routers, firewalls, public
Internet servers (HTTP, FTP, DNS) (usually on the
DMZ)
Not for sensitive company information that is for
internal use only
Internal Perimeters
Represent additional boundaries where other
security measures are in place
Usually separated by firewalls
Used to separate areas with different security
levels and needs
Network Classifications
Trusted
Semi-trusted
Untrusted
Trusted Networks
Inside network security perimeter
The networks you are trying to protect
Semi-Trusted Networks
Allow access to some database materials and
e-mail
May include DNS, proxy, and modem (RAS)
servers, as well as web and FTP servers
Not for confidential or proprietary
information
Referred to as the demilitarized zone (DMZ)
Untrusted Networks
Outside your security perimeter
Outside your control
You may need to communicate with some of
these networks – you configure your router,
firewall, and VPN (in some cases) to do this as
securely as possible
Creating and Developing Your Security Design
Know your enemy – read books, take
classes/workshops, visit hacker web sites
Count the cost – cost vs. the value of what you
are protecting
Identify assumptions – we all know what
happens when we assume
Creating and Developing Your Security Design
Control secrets (passwords, encryption keys,
etc.)
Know your weaknesses
Limit the scope of access by creating barriers
at multiple places
Understand your environment – know how
the network usually works
Limit your trust
DMZ
Used by a company to host its own Internet
services without exposing its private network
to unauthorized access (while keeping access
to a minimum)
Sits between Internet and internal network’s
line of defense, usually some combination of
firewalls and bastion hosts
Traffic originating from it should be filtered
continued…
DMZ
Typically contains devices accessible to
Internet traffic
• Web (HTTP) servers
• FTP servers
• SMTP (e-mail) servers
• DNS servers
An optional, more secure alternative to a simple
firewall; may include a proxy server
DMZ Design Goals
Isolate internal networks
Minimize scope of damage
Protect sensitive data on the servers
Detect the compromise as soon as possible
Minimize effect of the compromise on other
organizations
Filtering
You filter traffic (using routers and/or
firewalls) coming from the external network
to the DMZ, and from the DMZ to the internal
network
You also filter traffic from the internal
network to the DMZ, and from the DMZ to
the external (although not as strictly)
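As an added example (not part of the slides), the filtering policy above written as a small default-deny rule set between the three network classifications, evaluated in Python over a few constructed flows; the address ranges, ports and server roles are assumptions chosen for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan for the three classifications; 192.0.2.0/24 and
# 203.0.113.0/24 are documentation ranges, so the example cannot hit a real network.
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "trusted": ipaddress.ip_network("10.0.0.0/8"),
}

def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside our prefixes is untrusted."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "untrusted"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]  # None matches any destination port

# Allow-list between zones; any flow not listed is discarded (default deny).
# There is deliberately no untrusted -> trusted rule at all.
RULES = [
    Rule("untrusted", "dmz", "tcp", 80),    # public web server in the DMZ
    Rule("untrusted", "dmz", "tcp", 25),    # inbound mail to the DMZ relay
    Rule("untrusted", "dmz", "udp", 53),    # public DNS in the DMZ
    Rule("dmz", "trusted", "tcp", 5432),    # web tier may reach only the internal DB port
    Rule("trusted", "dmz", "tcp", None),    # inside hosts may manage DMZ servers
    Rule("dmz", "untrusted", "tcp", 25),    # relay may send mail out; nothing else leaves the DMZ
]

def decide(src: str, dst: str, proto: str, dport: int) -> str:
    """Return ACCEPT or DROP for a flow, matching on source, destination and protocol."""
    sz, dz = zone_of(src), zone_of(dst)
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.proto) == (sz, dz, proto) and r.dport in (None, dport):
            return "ACCEPT"
    return "DROP"

if __name__ == "__main__":
    # Constructed flows: a public client, a DMZ web server and an internal DB host.
    for flow in [("203.0.113.7", "192.0.2.10", "tcp", 80), ("203.0.113.7", "10.1.1.5", "tcp", 80),
                 ("192.0.2.10", "10.1.1.5", "tcp", 5432), ("192.0.2.10", "10.1.1.5", "tcp", 22)]:
        print(flow, "->", decide(*flow))
```

A compromised DMZ host is limited to the single database port and outbound mail, which is the "minimize scope of damage" goal from the DMZ design slide.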
Intranet
Either a network topology or application
(usually a Web portal) used as a single point
of access to deliver services to employees
Typically a collection of all LANs inside the
firewall
Shares company information and computing
resources among employees
continued…
Intranet
Allows access to public Internet through
firewalls that screen communications in both
directions to maintain company security
Also called a campus network