Security fundamentals
Topic 10: Securing the network perimeter

Agenda
• Secure network topologies and security zones
• Network perimeter security and models
• Implementing firewalls

Secure topologies
• Goal is to separate network traffic so that no network segment carries traffic not required on that segment
• Performance will also be more efficient
• Security zones:
  – Areas of the network that contain resources with similar security requirements
  – Group computers and devices according to security needs
  – Reduce the attack surface of your resources
  – Build a network security framework
• What are the threats?
• What can be used to protect?

Security zones
• VLANs
  – Create security zones with VLANs: subnets created by switches and joined by routers
• 802.1Q tagging
• Servers can sit on many VLANs
• Limits broadcast domains
• Flexible for adding, moving and changing port VLANs
• Hides the physical configuration
• Fast isolation of devices that are the source of threats
• Vulnerable to Layer 2 attacks

Security zones
• Create security zones by placing firewalls between internal and external networks
• Perimeter network, screened subnet, DMZ: a separate security zone for Internet-facing resources
• Intranet (trusted)
• Extranet (partners)
• Perimeter network (access from the Internet)
• Internet (untrusted)

Intranets
• Internal network, private network, LAN
• Typically trusted, but not safe from disgruntled employees and contractors
• Protection:
  – Firewall protection from the Internet and the DMZ
  – Antivirus on all network hosts
  – Audit critical resources and confidential data
  – Use firewalls on hosts with confidential data
  – Document and audit physical infrastructure and critical systems for unauthorised devices and connections
  – Restrict and monitor access to critical systems
  – Remove unnecessary services from mission-critical servers

Perimeter networks
• Deploy public resources such as DNS, mail and web servers
• Also use for untrusted networks (e.g. wireless)
• Protection:
  – Firewall from the external network
  – Limit services and remove unnecessary services
  – Audit all services
  – Name resolution is separated from the internal network
  – Remove or restrict remote management services
  – Document and audit all physical and logical configurations
  – Perform frequent data and configuration backups

Extranets
• Partner access to resources
• Partners must authenticate and then get access to non-public resources
• Access can be provided by a VPN
• Protection:
  – Firewall from the external network
  – Authenticate all access
  – Limit services and remove unnecessary services
  – Audit all network and service access

Perimeter network types
• Three-pronged firewall
  – Single firewall with three interfaces: Internet, internal network and DMZ
  – Small organisations and branch offices
  – Weakness: if the firewall fails, all networks are vulnerable
• Back-to-back firewalls
  – Two firewalls, with the DMZ behind the first firewall and the internal network behind both the first and the second firewall
  – Defence in depth strategy: two firewalls to break through to reach the internal network
  – More restrictive rules on the second firewall
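As an added example (not part of the lecture material), a zone policy for a three-pronged firewall in Python: addresses are mapped to the Internet, DMZ and internal zones, rules are checked in order with a default deny, and blocked traffic is logged so its source can be reviewed. The subnets, ports and addresses are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed zone layout for a three-pronged firewall: one interface per zone.
# All subnets here are hypothetical sample values, not a real deployment.
ZONES = {
    "internal": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}

def zone_of(ip: str) -> str:
    """Any address outside the known internal/DMZ subnets is the untrusted Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dst_port: Optional[int]   # None matches any destination port
    action: str               # "permit" or "deny"

# Specific rules first; traffic that matches nothing falls through to the default deny.
RULES = [
    Rule("internet", "dmz", "tcp", 443, "permit"),       # public web server in the DMZ
    Rule("internet", "dmz", "tcp", 25, "permit"),        # inbound mail relay in the DMZ
    Rule("internet", "dmz", "udp", 53, "permit"),        # external DNS, kept apart from internal names
    Rule("dmz", "internal", "tcp", 1433, "permit"),      # web tier may reach the data tier only
    Rule("internal", "internet", "tcp", 443, "permit"),  # outbound browsing; outbound is not trusted blindly
]

def decide(src_ip: str, dst_ip: str, proto: str, dst_port: int, log: List[str]) -> str:
    """First matching rule wins; with no match the packet is denied and recorded for review."""
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.proto) == (sz, dz, proto) and r.dst_port in (None, dst_port):
            return r.action
    log.append(f"DENY {sz}->{dz} {proto}/{dst_port} from {src_ip} to {dst_ip}")
    return "deny"
```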
  – Security by diversity: use different brands of firewalls

N-tier architecture and bastion hosts
• For e-business operations
• Business function servers each have separate tiers: web tier, middle tier, data tier
• Each tier is protected by a firewall and traffic between tiers is controlled, thereby reducing the attack surface
• Bastion hosts:
  – A single host provides external services
  – A single firewall protects the internal network and only allows traffic to the bastion host
  – If the bastion is compromised, the attacker is on the internal network
  – Least secure design

Perimeter security and traffic
• By default block network traffic and then make exceptions for required network traffic
• Allow only required traffic: block by protocol, port and destination
• Don't automatically trust outgoing traffic (confidential data may be on the way out)
• Review network traffic that was blocked and investigate the source of this traffic

Firewalls
• Packet filtering
• Application filtering
• Circuit-level inspection
• Stateful inspection
• Content inspection
• Proxy

Packet filtering
• Inspects the IP header of each packet
• Applies rules, permit or deny, inbound or outbound, based on:
  – Source IP
  – Destination IP
  – Layer 4 protocol (TCP/UDP)
  – Source port number
  – Destination port number
  – ICMP message type (e.g. echo request)
  – Fragmentation flags
  – IP options (mostly used for diagnostics)
  – Packet size
• No inspection of the payload

Circuit-level inspection
• Monitors for hosts establishing connections
• If the connection is allowed, then all following traffic is allowed without further inspection
• Does not inspect the payload
• More efficient than packet filtering

Stateful inspection
• Monitors for hosts establishing connections
• If the connection is allowed, then all following traffic is allowed
• Continues to monitor the packets within the connection and checks that the packets are valid: sequence numbers are checked
• Each connection is tracked using a state table
• Does not inspect the payload
• Initially a feature of Check Point firewalls

Application layer filtering/gateway
• Examines the payload of network packets
• Inspection depends on the application layer protocol
  – Will inspect HTTP, SMTP, FTP and other protocol commands
  – Will inspect Microsoft® ActiveX, Java® etc.
  – Used to check email for viruses
  – Used to inspect web requests for signs of attack
  – ISA Server
  – Can be slow, as it is deep packet inspection and multiple packets in a sequence can be examined in context

Tunnelling
• Used to bypass firewall inspection by encapsulating traffic with a header that will pass inspection
• Also used to bypass firewall inspection by encapsulating encrypted traffic that can't be inspected
• To protect from tunnelled traffic:
  – Perform application layer filtering
  – Block encrypted traffic
  – Implement intrusion detection

Proxy servers
• Accepts a connection from a client and then creates a separate connection to the server/destination
• No direct connection between client and server
• An application layer proxy will also filter content and cache web content
• May require the clients to be configured to use the proxy

NAT
• RFC 3022
• Changes IP addresses and port numbers
• Allows a network to use a single external IP
• Private addresses are not routable on the Internet
• Hides internal addresses
• No payload inspection
• Static NAT: one-to-one IPs
• Dynamic NAT: many-to-many IPs
• PAT: using up to 64,000 port numbers per IP

Protecting firewalls
• Rules:
  – Start with a default deny any
  – Put specific rules first
  – Permit only required ports, protocols and applications
• Keep the firewall updated: watch security announcements
• Update virus definition files routinely
• Physically protect the firewall
• Document the firewall configuration and review it
• Limit and authenticate remote management
• Use complex passwords
• Know and test the rules
• Ensure no connections circumvent the firewall

Lesson summary
• Learned about the concept of secure network topologies, segmented logically into security zones with different trust levels
• How to use models and zones to secure the network perimeter
• How to go about implementing and using firewalls for network security, and the different types
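As an added example (not from the slides or any firewall vendor), a simplified stateful inspection engine in Python that combines the state table and sequence-number checks described above with the default-deny rule check for new connections. The TCP model is reduced to flags and sequence numbers, and the addresses and the `allow_open` rule passed in are constructed assumptions.

```python
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet

@dataclass
class Packet:
    src: str               # "ip:port" of the sender (constructed sample values in use)
    dst: str               # "ip:port" of the receiver
    flags: FrozenSet[str]  # e.g. {"SYN"}, {"SYN","ACK"}, {"ACK"}, {"FIN","ACK"}, {"RST"}
    seq: int               # TCP sequence number

class StatefulFilter:
    """A connection enters the state table only when its opening SYN passes the rule
    check; later packets are permitted only if an entry exists and their sequence
    number lies in the window expected for that direction. Simplified model, not a product."""
    WINDOW = 65535

    def __init__(self, allow_open: Callable[[str, str], bool]):
        self.allow_open = allow_open   # rule check for new connections: (initiator, responder) -> bool
        self.table: Dict[frozenset, dict] = {}

    def check(self, p: Packet) -> str:
        key = frozenset({p.src, p.dst})
        entry = self.table.get(key)
        if entry is None:
            # No state yet: only an allowed initiator's SYN creates an entry. A stray ACK,
            # or a SYN from a side the rules do not permit to open, has no connection.
            if p.flags == {"SYN"} and self.allow_open(p.src, p.dst):
                self.table[key] = {"state": "SYN_SENT", "fins": set(), p.src: p.seq + 1, p.dst: None}
                return "permit"
            return "deny"
        expected = entry[p.src]
        if expected is not None and not (expected <= p.seq < expected + self.WINDOW):
            return "deny"              # sequence number outside the tracked window: not valid here
        if "RST" in p.flags:
            del self.table[key]        # connection torn down, state removed
            return "permit"
        if entry["state"] == "SYN_SENT" and p.flags == {"SYN", "ACK"}:
            entry["state"] = "ESTABLISHED"
        entry[p.src] = p.seq + 1       # advance the expected sequence for this direction
        if "FIN" in p.flags:
            entry["fins"].add(p.src)
            if len(entry["fins"]) == 2:
                del self.table[key]    # both sides closed: free the state table slot
        return "permit"

    def tracked(self) -> int:
        return len(self.table)
```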