Exploring Secure Topologies Module 11 

Module 11
Exploring Secure Topologies
Modified by: Ahmad Al Ghoul
Philadelphia University
Faculty Of Administrative & Financial Sciences
Business Networking & System Management Department
Room Number 32406
E-mail Address: ahmad4_2_69@hotmail.com
Network Security
Philadelphia University
Ahmad Al-Ghoul 2010-2011
Module Objectives
- List different types of security zones
- Explain the Intranet and its security issues
- Explain the Extranet and its security issues
- Identify uses for virtual private networks (VPNs)
Security Zones
Organizations often create security zones by placing firewalls between internal and external networks. Multiple firewalls are often used to create multiple layers of protection between the internal and external networks, as previously discussed. Some network designs place a network segment between two firewalls. This network segment between the firewalls is called a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet). Creating a perimeter network divides the network infrastructure into three separate subordinate network structures called security zones. Security zones help organizations classify, prioritize, and focus on security issues based on the services that are required in each zone. These security zones are as follows:
Security Zones
- Intranet. The organization's private network; it is used by employees and others internal to the organization (such as contractors and on-site partners).
- Perimeter network. Used to provide services to users on the Internet and sometimes to those inside the organization.
- External network. Depending on the security devices used and the network layout, the external network might be called a wide area network (WAN), the Internet, the public network, or the untrusted network. For example, some three-pronged firewalls label the external network connection as a WAN, and others as the Internet. This zone is distinct from the extranet discussed later in this module, which is an optional partner-access zone rather than the untrusted outside world.
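The three-zone design above, as an added example that is not from the slides: a small Python model of the combined policy of the outer firewall (external to perimeter) and the inner firewall (perimeter to intranet) in a screened-subnet layout. The address ranges, port numbers, and rule set are hypothetical. It demonstrates the property the topology exists for: the Internet can reach only the published perimeter services, and a perimeter host that is compromised still cannot open connections into the intranet beyond the single database port the application needs. Unmatched traffic is denied, which is the posture both firewalls should have.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Hypothetical address plan, constructed for this example (the slides give no addresses).
ZONES = {
    "intranet": ipaddress.ip_network("10.10.0.0/16"),
    "perimeter": ipaddress.ip_network("192.168.100.0/24"),
}


def zone_of(ip: str) -> str:
    """Map an address to its security zone; anything outside the known ranges is the untrusted external network."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any destination port
    action: str              # "allow" or "deny"
    note: str = ""


# Ordered, first-match rule set: the outer firewall's rules (external <-> perimeter)
# and the inner firewall's rules (perimeter <-> intranet) written as one policy.
POLICY = [
    Rule("external", "perimeter", 443, "allow", "public HTTPS on the perimeter web server"),
    Rule("external", "perimeter", 80, "allow", "public HTTP on the perimeter web server"),
    Rule("external", "intranet", None, "deny", "outer firewall: no direct path from the Internet to the intranet"),
    Rule("perimeter", "intranet", 5432, "allow", "inner firewall: web tier may reach the database, nothing else"),
    Rule("perimeter", "intranet", None, "deny", "a compromised perimeter host cannot roam the intranet"),
    Rule("intranet", "perimeter", None, "allow", "internal users and admins reach perimeter services"),
    Rule("intranet", "external", None, "allow", "outbound Internet access for internal users"),
    # perimeter -> external is intentionally absent: DMZ hosts should not initiate
    # outbound connections unless a specific need (patching, DNS) is added explicitly.
]


def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> Tuple[str, str]:
    """Decide whether a NEW connection crossing a firewall is permitted.

    Traffic that matches no rule is denied (default deny). Flows inside one zone never
    cross a firewall in this model and are not what the policy is for."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if rule.src_zone == src and rule.dst_zone == dst and rule.dst_port in (None, dst_port):
            return rule.action, f"{src}->{dst}:{dst_port} ({rule.note})"
    return "deny", f"{src}->{dst}:{dst_port} (no matching rule, default deny)"


if __name__ == "__main__":
    # Constructed sample flows; 203.0.113.0/24 is a documentation range standing in for the Internet.
    for flow in [
        ("203.0.113.5", "192.168.100.10", 443),   # Internet -> DMZ web server: allowed
        ("203.0.113.5", "10.10.1.20", 443),       # Internet -> intranet host: blocked
        ("192.168.100.10", "10.10.1.20", 5432),   # DMZ web -> intranet database: allowed
        ("192.168.100.10", "10.10.1.20", 22),     # DMZ web -> intranet SSH: blocked
        ("192.168.100.10", "203.0.113.5", 443),   # DMZ -> Internet: default deny
    ]:
        print(flow, *evaluate(*flow))
```

The two `deny` rules for the perimeter-to-intranet direction are the whole point of the inner firewall: if the web server in the DMZ is taken over, the attacker gets exactly one onward path (the database port) instead of the whole intranet, and that one path is the one worth logging and rate-limiting.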
Intranet
The security zone closest to the organization is called the intranet. It is also known as the internal network, private network, local area network (LAN), trusted network, protected network, or company or organizational network. The intranet is typically the network (or networks) that contains most of the organization's private resources: computers, users, data, printers, and other network infrastructure equipment.
Organizations typically do not expect malicious attacks from their own intranets, which is why this zone is often considered the trusted network. That trust is not always justified. Former and current employees and contractors might attack resources on the intranet. Intranet users can wittingly or unwittingly install viruses, and they can try to access or spy on confidential resources. Internal users also usually have physical access to some or all of the network, and physical access lets a user unplug equipment, destroy equipment, or attach unauthorized devices to the network.
Security for the intranet security zone typically includes the following measures:
Intranet
- Firewall protection from the external network and the perimeter network
- Installing and updating virus-scanning software
- Observing and auditing confidential resources
- Using host-based firewalls on computers that hold confidential data
- Documenting and auditing the physical infrastructure and the configurations of critical systems to ensure there are no unauthorized devices or connections
- Restricting and monitoring access to critical systems, services, and confidential information
- Removing unnecessary services from mission-critical servers
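The "no unauthorized devices or connections" audit in the list above, as an added example that is not part of the slides: Python that compares an ARP table (a constructed sample in `arp -an` output format) against an asset inventory (hypothetical MAC addresses, hostnames and subnets) and flags three conditions: a MAC address nobody has registered, a registered device seen on a segment it does not belong on, and one IP address claimed by two MACs, which is what ARP spoofing on the intranet looks like from the switch's management host.

```python
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed asset inventory (hypothetical): MAC -> (hostname, subnet the device is authorized on).
INVENTORY: Dict[str, Tuple[str, str]] = {
    "00:11:22:33:44:01": ("fileserver-1", "10.10.1.0/24"),
    "00:11:22:33:44:02": ("printer-2f", "10.10.2.0/24"),
    "00:11:22:33:44:03": ("ws-accounts-7", "10.10.2.0/24"),
}

# Constructed `arp -an` style output (hypothetical capture from a host on the intranet).
ARP_SAMPLE = """\
? (10.10.1.10) at 00:11:22:33:44:01 [ether] on eth0
? (10.10.2.15) at 00:11:22:33:44:02 [ether] on eth0
? (10.10.1.77) at 00:11:22:33:44:03 [ether] on eth0
? (10.10.2.40) at de:ad:be:ef:00:01 [ether] on eth0
? (10.10.1.10) at de:ad:be:ef:00:02 [ether] on eth0
"""

ARP_LINE = re.compile(r"\((?P<ip>[\d.]+)\) at (?P<mac>[0-9a-f:]{17})", re.IGNORECASE)


def parse_arp(text: str) -> List[Tuple[str, str]]:
    """Extract (ip, mac) pairs; lines that do not carry a resolved MAC are skipped."""
    entries = []
    for line in text.splitlines():
        m = ARP_LINE.search(line)
        if m:
            entries.append((m.group("ip"), m.group("mac").lower()))
    return entries


def audit(entries: List[Tuple[str, str]], inventory=INVENTORY) -> List[Tuple[str, str, str, str]]:
    """Return findings as (kind, ip, mac_or_macs, detail)."""
    findings = []
    macs_per_ip = defaultdict(set)
    for ip, mac in entries:
        macs_per_ip[ip].add(mac)
        known = inventory.get(mac)
        if known is None:
            # Nobody registered this hardware: rogue laptop, access point, or spoofed MAC.
            findings.append(("unknown-device", ip, mac, "MAC not in inventory"))
            continue
        host, subnet = known
        if ipaddress.ip_address(ip) not in ipaddress.ip_network(subnet):
            # A known device answering from the wrong segment: moved port, rogue cabling, or cloned MAC.
            findings.append(("wrong-segment", ip, mac, f"{host} is expected on {subnet}"))
    for ip, macs in macs_per_ip.items():
        if len(macs) > 1:
            # Two MACs for one IP is the classic ARP-spoofing signature (or a plain address conflict).
            findings.append(("duplicate-ip", ip, ",".join(sorted(macs)), "possible ARP spoofing or misconfiguration"))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_arp(ARP_SAMPLE)):
        print(*finding)
```

On the constructed sample this reports four findings: `ws-accounts-7` appearing on the server subnet, two unregistered MACs, and `10.10.1.10` answered by both the file server and an unknown device. Run against a real intranet it is only as good as the inventory it is fed, which is why the slide lists documenting the infrastructure before auditing it.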
Extranet
Another security zone that is optionally created by an organization is
known as an extranet. The extranet is typically used for partner
access to resources. For example, the United Nations has an extranet
that provides secure access to shared resources for the various
member nations.
Extranets are similar to perimeter networks in that they are semisecure
zones. The purpose of an extranet is to share information and
technology between members of multiple organizations. Extranets
are typically created using VPN connections, which are encrypted
connections that can be used on a private or public network. Two
VPN servers or a VPN client and a VPN server can create a VPN
connection. The two devices utilize an agreed-on encryption method
to implement a secure encrypted connection with one another. If two
servers implement the VPN, they can encrypt communication
between two points. The next Figure shows an example of two
partner networks connected by two VPN servers.
Extranet
Two intranets, two perimeter networks, or one of each can be used to create the extranet. The idea is that the two connected networks are used to share resources between the partner organizations. Some organizations implement multiple perimeter networks to handle such configurations: the first perimeter network provides services to Internet users and the second provides extranet services to partner organizations, as shown in the next Figure.
Security for the extranet security zone typically includes the following components:
- Firewall protection from the external network
- Limiting the services provided and removing all unnecessary services
- Auditing of all services
- Use of VPN connections
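The "agreed-on encryption method" and "use of VPN connections" points above, as an added example that is not from the slides and is not any real VPN protocol: a simplified Python model of how two extranet gateways negotiate a cipher suite and why the negotiation itself has to be authenticated. The suite names, the pre-shared key, and the gateway names are hypothetical. Real protocols such as IKEv2 and TLS protect the handshake with a MAC or signature over the whole transcript; the model shows what that defends against, namely a man-in-the-middle between the two partners who deletes the strongest suite from the offer to force a weaker one.

```python
import hashlib
import hmac
import json
import os
from typing import Callable, Dict, List, Optional

# Pre-shared key for the two gateways, constructed for this example (hypothetical value;
# a real deployment would use certificates or a key from a proper key-management process).
PSK = hashlib.sha256(b"example extranet psk - not a real secret").digest()

# Cipher suites each gateway accepts, strongest first (hypothetical suite names).
HQ_GATEWAY = ["AES-256-GCM", "AES-128-GCM", "3DES-CBC"]
PARTNER_GATEWAY = ["AES-256-GCM", "AES-128-GCM"]


def choose_suite(offered: List[str], supported: List[str]) -> Optional[str]:
    """Responder picks the first suite in the initiator's preference order that it also supports."""
    for suite in offered:
        if suite in supported:
            return suite
    return None


def transcript_mac(psk: bytes, offer: List[str], choice: str, nonce_i: bytes, nonce_r: bytes) -> bytes:
    """HMAC over the whole negotiation transcript: the offer, the choice and both nonces.

    Keyed with the PSK, so an attacker without the key cannot rewrite the offer and still
    produce a matching tag; the fresh nonces stop an old tag from being replayed."""
    transcript = json.dumps(
        {"offer": offer, "choice": choice, "ni": nonce_i.hex(), "nr": nonce_r.hex()},
        sort_keys=True,
    ).encode()
    return hmac.new(psk, transcript, hashlib.sha256).digest()


def negotiate(
    psk: bytes,
    initiator_offer: List[str],
    responder_supported: List[str],
    tamper: Optional[Callable[[List[str]], List[str]]] = None,
) -> Dict[str, object]:
    """Simulate one negotiation between two gateways.

    `tamper`, if given, rewrites the offer while it is in transit, standing in for a
    man-in-the-middle trying to force a weaker suite."""
    # Initiator -> responder: offer + nonce (an attacker on the path may alter the offer).
    nonce_i = os.urandom(16)
    offer_on_wire = tamper(list(initiator_offer)) if tamper else list(initiator_offer)

    # Responder: choose a suite, then authenticate the transcript exactly as it saw it.
    nonce_r = os.urandom(16)
    choice = choose_suite(offer_on_wire, responder_supported)
    if choice is None:
        return {"ok": False, "reason": "no common cipher suite"}
    tag_r = transcript_mac(psk, offer_on_wire, choice, nonce_i, nonce_r)

    # Initiator: recompute the tag over the offer it actually sent; compare in constant time.
    expected = transcript_mac(psk, initiator_offer, choice, nonce_i, nonce_r)
    if not hmac.compare_digest(tag_r, expected):
        return {"ok": False, "reason": "transcript mismatch: offer was altered in transit", "choice": choice}
    return {"ok": True, "choice": choice}


def strip_strongest(offer: List[str]) -> List[str]:
    """A downgrade attack: remove the strongest suite so the responder settles for a weaker one."""
    return [s for s in offer if s != "AES-256-GCM"]


if __name__ == "__main__":
    print("honest:  ", negotiate(PSK, HQ_GATEWAY, PARTNER_GATEWAY))
    print("attacked:", negotiate(PSK, HQ_GATEWAY, PARTNER_GATEWAY, tamper=strip_strongest))
```

Without the transcript check the attacked run would quietly complete on AES-128-GCM (or on 3DES-CBC if the attacker strips both GCM suites) and neither partner would notice. The practical lessons for an extranet gateway are the same as for the model: keep the list of enabled suites short and strong, since a suite that is never offered cannot be negotiated down to, and make sure the VPN software you deploy authenticates the handshake rather than just the payload.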