Module 11: Exploring Secure Topologies
Modified by: Ahmad Al Ghoul
Philadelphia University, Faculty of Administrative & Financial Sciences, Business Networking & System Management Department
Room Number: 32406
E-mail Address: ahmad4_2_69@hotmail.com
Network Security, Philadelphia University, Ahmad Al-Ghoul, 2010-2011

Module Objectives
- List different types of security zones
- Explain the intranet and its security issues
- Explain the extranet and its security issues
- Identify uses for virtual private networks (VPNs)

Security Zones
Organizations often create security zones by placing firewalls between internal and external networks. Multiple firewalls are often used to create multiple layers of protection between the internal and external networks, as previously discussed. Some network designs place a network segment between two firewalls. This network segment between the firewalls is called a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet). Creating a perimeter network divides the network infrastructure into three separate subordinate network structures called security zones. Security zones help organizations classify, prioritize, and focus on security issues based on the services that are required in each zone. These security zones are as follows:

Intranet & Extranet
- Intranet. The organization's private network; this is used by employees and those internal to the organization (such as contractors and on-site partners).
- Perimeter network. Used to provide services to users on the Internet and sometimes to those inside the organization.
- Extranet. Depending on the security devices used and the network layout, the external network might be called a wide area network (WAN), Internet, public network, or untrusted network.
For example, some three-pronged firewalls label the external network connection as a WAN, and others as the Internet.

Intranet
The security zone closest to the company is called the intranet. It is also known as the internal network, private network, local area network (LAN), trusted network, protected network, and company or organizational network. The intranet is typically the network (or networks) that contains most of the organization's private resources, including computers, users, data, printers, and other network infrastructure equipment. Organizations typically don't expect malicious attacks from their own intranets, which is why this security zone is often considered the trusted network. However, former and current employees and contractors might attack resources on the intranet. Intranet users could wittingly or unwittingly install viruses, and they could also try to access or spy on confidential resources. Additionally, internal users probably have access to some part of, or possibly the entire, physical network. Physical access could enable users to unplug equipment, destroy equipment, or attach unauthorized devices to the network.
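The module lists documenting and auditing the physical infrastructure, so that no unauthorized devices or connections are present, as one of the intranet measures. The following Python script is an added example (not part of the lecture slides) of what that audit looks like when automated: a documented inventory of authorized devices is compared against an observed snapshot of the network, and any device that is not in the inventory, that is attached to a different switch port or VLAN than documented, or that is documented but no longer seen is reported. Every MAC address, hostname, switch port and VLAN below is constructed, and the "<mac> <switch:port> <vlan>" snapshot format is an assumption rather than any vendor's real output.

```python
"""Compare observed network devices against the documented, authorized inventory."""
from __future__ import annotations

from dataclasses import dataclass


@dataclass(frozen=True)
class Device:
    mac: str          # normalized lower-case, colon-separated
    hostname: str
    switch_port: str  # "switch:port", e.g. "sw1:Gi0/3" (constructed naming)
    vlan: int


def normalize_mac(mac: str) -> str:
    """Accept 'aa:bb:cc:dd:ee:ff', 'AA-BB-CC-DD-EE-FF' or 'aabb.ccdd.eeff' forms."""
    hexdigits = "".join(ch for ch in mac.lower() if ch in "0123456789abcdef")
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


# Authorized inventory: what the infrastructure documentation says is attached (constructed).
AUTHORIZED_INVENTORY = [
    Device(normalize_mac("00:11:22:33:44:01"), "fileserver01", "sw1:Gi0/1", 10),
    Device(normalize_mac("00:11:22:33:44:02"), "printer-2f", "sw1:Gi0/2", 20),
    Device(normalize_mac("00-11-22-33-44-03"), "hr-workstation", "sw1:Gi0/3", 30),
    Device(normalize_mac("0011.2233.4404"), "badge-reader", "sw2:Gi0/1", 40),
]

# Observed snapshot in the shape of a switch MAC-address-table dump (constructed):
# one entry per line, "<mac> <switch:port> <vlan>".
OBSERVED_MAC_TABLE = """\
# mac               port       vlan
00:11:22:33:44:01   sw1:Gi0/1  10
00:11:22:33:44:02   sw1:Gi0/2  20
00:11:22:33:44:03   sw2:Gi0/5  30
de:ad:be:ef:00:01   sw1:Gi0/7  10
"""


def parse_mac_table(text: str) -> list[tuple[str, str, int]]:
    """Parse the dump into (mac, switch_port, vlan) tuples, skipping blanks and '#' comments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        mac, port, vlan = line.split()
        entries.append((normalize_mac(mac), port, int(vlan)))
    return entries


def audit(inventory: list[Device], observed: list[tuple[str, str, int]]) -> dict[str, list]:
    """Return devices that are unauthorized, attached somewhere other than documented, or missing."""
    by_mac = {d.mac: d for d in inventory}
    seen = set()
    findings: dict[str, list] = {"unauthorized": [], "moved": [], "missing": []}
    for mac, port, vlan in observed:
        expected = by_mac.get(mac)
        if expected is None:
            findings["unauthorized"].append((mac, port, vlan))
            continue
        seen.add(mac)
        if (port, vlan) != (expected.switch_port, expected.vlan):
            findings["moved"].append(
                (expected.hostname, (expected.switch_port, expected.vlan), (port, vlan))
            )
    # A documented device that is no longer seen may have been unplugged or destroyed.
    findings["missing"] = [d.hostname for d in inventory if d.mac not in seen]
    return findings


if __name__ == "__main__":
    for category, items in audit(AUTHORIZED_INVENTORY, parse_mac_table(OBSERVED_MAC_TABLE)).items():
        print(f"{category}:")
        for item in items:
            print("   ", item)
```

On the constructed data the script reports one unauthorized device on sw1:Gi0/7, the HR workstation moved to a different switch, and the badge reader missing. Because a MAC address is set by the device itself, this check catches deviations from the documentation rather than deliberate impersonation, so it complements rather than replaces port-level access controls.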
Security for the intranet security zone typically includes the following measures:
- Firewall protection from the external network and the perimeter network
- Installing and updating virus-scanning software
- Observing and auditing confidential resources
- Using host-based firewalls for computers that maintain confidential data
- Documenting and auditing the physical infrastructure and critical system configurations to ensure there are no unauthorized devices or connections
- Restricting and monitoring access to critical systems, services, and confidential information
- Removing unnecessary services from mission-critical servers

Extranet
Another security zone that is optionally created by an organization is known as an extranet. The extranet is typically used for partner access to resources. For example, the United Nations has an extranet that provides secure access to shared resources for the various member nations. Extranets are similar to perimeter networks in that they are semi-secure zones. The purpose of an extranet is to share information and technology between members of multiple organizations. Extranets are typically created using VPN connections, which are encrypted connections that can be used on a private or public network. Two VPN servers, or a VPN client and a VPN server, can create a VPN connection. The two devices use an agreed-on encryption method to implement a secure, encrypted connection with one another. If two servers implement the VPN, they can encrypt communication between two points. The next figure shows an example of two partner networks connected by two VPN servers.

[Figure: two partner networks connected by two VPN servers]

Two intranets, two perimeter networks, or one of each can be used to create the extranet.
The idea is that the two connected networks are used to share resources between the partner organizations. Some organizations implement multiple perimeter networks to handle such configurations. The first perimeter network is used to provide services to Internet users and the second is used to provide extranet services to partner organizations, as shown in the next figure. Security for the extranet security zone typically includes the following components:
- Firewall protection from the external network
- Limiting the services provided and removing all unnecessary services
- Auditing of all services
- Use of VPN connections

[Figure: a first perimeter network providing services to Internet users and a second perimeter network providing extranet services to partner organizations]
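The zones described in this module (intranet, a perimeter network for Internet users, a second perimeter network for extranet partners, and the external network) translate into a firewall policy: the intranet is shielded from both the external and the perimeter network, each perimeter publishes only the services it is meant to provide, and partners reach the extranet only through the VPN. The Python model below is an added example, not code from the slides, that classifies the endpoints of a flow into those zones, applies an ordered rule list with a default deny, and returns the decision with its reason. The address ranges (RFC 5737 documentation prefixes), the partner's VPN server address, and the use of udp/1194 as the VPN listener are all constructed assumptions standing in for a real address plan.

```python
"""Zone-based packet-filter policy for the security zones described in the module."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Constructed address plan using documentation ranges (RFC 5737); replace with your own.
ZONES = {
    "intranet": [ipaddress.ip_network("10.0.0.0/8")],
    "perimeter": [ipaddress.ip_network("192.0.2.0/24")],    # first perimeter: services for Internet users
    "extranet": [ipaddress.ip_network("198.51.100.0/24")],  # second perimeter: extranet services for partners
}
PARTNER_VPN_SERVER = ipaddress.ip_address("203.0.113.10")  # partner organization's VPN server (assumed)

# Service sets as (protocol, port). The VPN port is an assumption about the deployment.
WEB = frozenset({("tcp", 80), ("tcp", 443)})
VPN = frozenset({("udp", 1194)})


def zone_of(ip: str) -> str:
    """Classify an address into a security zone; anything unlisted is the external network."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "external"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str                       # zone name or "any"
    dst_zone: str
    services: frozenset | None          # matching (proto, port) pairs; None means any service
    action: str                         # "allow" or "deny"
    src_hosts: frozenset = frozenset()  # if non-empty, only these source addresses match
    note: str = ""


# Ordered rule list: the first matching rule decides, and anything unmatched is denied.
POLICY = [
    Rule("external", "intranet", None, "deny", note="intranet is shielded from the external network"),
    Rule("perimeter", "intranet", None, "deny", note="intranet is shielded from the perimeter network"),
    Rule("external", "perimeter", WEB, "allow", note="perimeter publishes only its intended services"),
    Rule("intranet", "perimeter", WEB, "allow", note="perimeter services are also used internally"),
    Rule("external", "extranet", VPN, "allow", src_hosts=frozenset({PARTNER_VPN_SERVER}),
         note="partners reach the extranet only through the VPN, from their known VPN server"),
    Rule("intranet", "external", None, "allow", note="outbound access for internal users"),
]


def evaluate(flow: Flow, policy: list[Rule] = POLICY) -> tuple[str, str]:
    """Return (action, reason) for a flow; unmatched flows fall through to the default deny."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    service = (flow.proto.lower(), flow.dport)
    src_addr = ipaddress.ip_address(flow.src)
    for rule in policy:
        if rule.src_zone not in ("any", src_zone):
            continue
        if rule.dst_zone not in ("any", dst_zone):
            continue
        if rule.services is not None and service not in rule.services:
            continue
        if rule.src_hosts and src_addr not in rule.src_hosts:
            continue
        return rule.action, rule.note
    return "deny", f"default deny: no rule for {src_zone} -> {dst_zone} {service[0]}/{service[1]}"


if __name__ == "__main__":
    samples = [
        Flow("203.0.113.5", "192.0.2.10", "tcp", 443),      # Internet user to the published web service
        Flow("203.0.113.5", "192.0.2.10", "tcp", 22),       # Internet user to an unpublished service
        Flow("203.0.113.5", "10.1.2.3", "tcp", 443),        # Internet user straight into the intranet
        Flow("192.0.2.10", "10.1.2.3", "tcp", 445),         # perimeter host toward the intranet
        Flow("203.0.113.10", "198.51.100.5", "udp", 1194),  # partner VPN server to the extranet VPN endpoint
        Flow("203.0.113.99", "198.51.100.5", "udp", 1194),  # unknown host on the same VPN port
    ]
    for f in samples:
        action, why = evaluate(f)
        print(f"{f.src:>14} -> {f.dst:<14} {f.proto}/{f.dport:<5} {action:5}  {why}")
```

The order of the rules matters: the two deny rules for the intranet come first so that no later allow can be widened by mistake into reaching it, and the extranet rule restricts both the service and the source address, which is how "limiting the services provided" and "use of VPN connections" combine at the firewall.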