SlideShare a Scribd company logo

Ch18 Internet Security

P
phanleson

This document discusses internet architecture and security best practices. It covers topics like internet services to offer and not offer, developing communications architectures using single or multiple lines, designing demilitarized zones and appropriate architectures, understanding network address translation, and designing partner networks.

Technology
1 of 33
Downloaded 25 times
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
Lesson 18-Internet Architecture
Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address translation. Design partner networks.
Internet Services Services to offer. Services not to offer. Mail. NetBIOS, Unix RPC, NFS, Encrypted e-mail. Web. “r” services, TFTP, Internal access to Remote Control Internet. Protocols, and SNMP. External access to internal systems. Control services.
Mail Mail service is generally offered to internal employees to send and receive messages. It requires that at least one server be established to receive inbound mail. Outbound mail can move through the same server or directly through desktop systems. Organization may choose to establish relays for public mail to be sent to discussion groups.
Encrypted E-mail It is better to encrypt the contents of the e-mail to protect any sensitive information. Systems like desktop software and network appliances placed in mail stream provide encrypted e-mail.
Web To publish information via Web, the organization needs to establish a Web server. Web servers can provide static content or dynamic content. HTTPS is used for Web pages that contain sensitive information or require authentication. File Transfer Protocol (FTP) server allows external individuals to get or send files.
Internal Access to Internet Most common services that employees are allowed to access are: HTTP (port 80) and HTTPS (port 443) FTP (ports 21 and 20) Telnet (port 23) and SSH (port 22) POP-3 (port 110) and IMAP (port 143) NNTP (port 119)
External Access to Internal Systems External access to sensitive internal systems is a delicate matter. The two forms of external access are employee access or non-employee access. External access may be accomplished through VPNs, dial- up lines, leased lines, or unencrypted access over the Internet.
Control Services These services are required for smooth function of network and Internet connection. DNS - Domain Name Service is used to resolve system names into IP addresses. ICMP - Internet Control Message Protocol provides services such as ping and messages that help the network function efficiently. NTP - Network Time Protocol is used to synchronize time between various systems.
Develop a Communications Architecture Primary issues for establishing an organization’s Internet connection are throughput requirements and availability. Availability requirements of the connection should be set by the organization.
Develop a Communications Architecture Single-line access Multiple-line access to a single ISP Multiple-line access to multiple ISPs
Single-Line Access Standard single-line access architecture
Single-Line Access The following potential failures make single-line access suitable for non-business-critical Internet connections: Router failure. CSU failure. Cut local loop. Damage to the telephone company’s CO (central office). POP failure at the ISP.
Multiple-Line Access to a Single ISP They are used to overcome the single point of failure issues with the single ISP architecture. Shadow link or redundant circuit services offered by different ISPs provide a second communication link in case of failure. Multiple-line access to a single ISP has Single-POP access or Multiple-POP access.
Multiple-Line Access to a Single ISP Single-POP access: An ISP can provide fail-over access by setting up a redundant circuit to the same POP. It addresses failures in router, CSU, phone company circuit to CO, and ISP equipment. Benefit to this architecture is the low cost of the redundant circuit.
Multiple-Line Access to a Single ISP Multiple-POP access: Running second connection to a second POP additional availability and reliability can be obtained. Border Gateway Protocol (BGP) protocol, run by ISP, specifies routes between entities with such dual connections. Single point failures of local loop and CO can be overcome if the organization’s facility has two local loop connections.
Multiple-line Access to Multiple ISPs If architected correctly, use of multiple ISPs can reduce the risk of loss of service dramatically. Issues that occur in choosing ISPs are complexity of using different ISPs, thorough knowledge in ISPs, and physical routing of connections. Working with multiple ISPs also involve routing and IP address space issues that must be resolved.
Design a Demilitarized Zone Defining the DMZ. Systems to place in DMZ. Appropriate DMZ architectures.
Defining the DMZ A DMZ is created by providing a semi-protected network zone. The DMZ is delineated with network access controls, such as firewalls or heavily filtered routers. Any system that can be directly contacted by an external user should be placed in a DMZ since they can be attacked. External system’s access to sensitive systems must be avoided.
Systems to Place in DMZ Layout of systems between the DMZ and the internal network
Systems to Place in DMZ DMZ can have either both internal and external mail servers or a single firewall mail server. Using Web server for receiving user’s input and application server for processing it provides protection to the database server. All externally accessible systems should be placed in the DMZ. The organization’s ISP can provide alternate DNS services.
Appropriate DMZ Architectures The three common architectures are router and firewall, single firewall, and dual firewall. These architectures have their own advantages and disadvantages; hence organizations must choose the appropriate one.
Appropriate DMZ Architectures Router and firewall architecture: Router and firewall architecture involves risk to systems on the Internet. The risk can be reduced using filters on the router. Risk to systems can also be reduced by locking them so that only services offered by DMZ run on them.
Appropriate DMZ Architectures Single firewall architecture: A single firewall can be used to create a DMZ using a third interface. The single firewall becomes a single point of failure and a potential bottleneck for traffic, unless in fail-over configuration. Single firewall architecture is simple compared to the router and firewall architecture.
Appropriate DMZ Architectures Dual firewall architecture: Dual firewall architecture uses two firewalls to separate DMZ from external and internal networks. Dual firewalls increase cost of architecture and require additional management and configuration.
Understand Network Address Translation Any organization that plans to install a firewall will have to deal with addressing issues. In most networks, the firewall performs the NAT function of translating one or more addresses into other addresses. NAT can also provide a security function as hidden addresses of internal systems are not visible to the Internet.
Understand Network Address Translation Private class addresses are used on internal networks behind a firewall that performs NAT. These addresses provide an organization with flexibility in designing its internal addressing scheme. Static NAT is a one- to-one configuration that allows accessing internal network addresses from the Internet. Static NAT maps a single real address from the organization’s external network to a system on the DMZ.
Ch18 Internet Security
Understand Network Address Translation Dynamic NAT maps many internal addresses to a single real address. Dynamic NAT creates a practical limit of about 64,000 simultaneous connections. Dynamic NAT is useful for desktop clients who use the Dynamic Host Configuration Protocol (DHCP).
Design Partner Networks Partner networks are generally established to exchange certain files or pieces of data between organizations. Architectures and methodologies of Internet connection can be used for partner networks as their requirements do not differ much. Rules must be added to firewall to allow systems at the partner organization and internal systems to access partner DMZ systems. NAT should be used when connecting to partner networks.
Ch18 Internet Security
Summary Organizations can offer services like mail, encrypted e-mail, Web, internal access to Internet, external access to internal systems, and control services. Control services include DNS, ICMP, and NTP. To reduce security risks, services that are not required should not be offered. Types of Internet architectures are single-line access, multiple-line access to a single ISP, and multiple-line access to multiple ISPs.
Summary Establishing a not truly trusted, semi-secure zone outside of the trusted network creates a DMZ. Router and firewall, single firewall, and dual firewall are the three DMZ architectures. Firewall performs the NAT function of translating one or more addresses into other addresses. Partner networks are generally established to exchange data between organizations.

More Related Content

PPT
Lecture 6
Education
 
PPTX
Firewall DMZ Zone
NetProtocol Xpert
 
PPTX
network security, group policy and firewalls
Sapna Kumari
 
PDF
Firewall architectures
Arun Mahajan
 
PPT
Dmz
أحلام انصارى
 
PPT
Network Security
phanleson
 
PPT
Firewall presentation m. emin özgünsür
emin_oz
 
PPT
Presentation, Firewalls
kkkseld
 
Lecture 6
Education
 
Firewall DMZ Zone
NetProtocol Xpert
 
network security, group policy and firewalls
Sapna Kumari
 
Firewall architectures
Arun Mahajan
 
Dmz
أحلام انصارى
 
Network Security
phanleson
 
Firewall presentation m. emin özgünsür
emin_oz
 
Presentation, Firewalls
kkkseld
 

What's hot (20)

PDF
Firewall fundamentals
Thang Man
 
PPT
Data Security in Local Area Network Using Distributed Firewall
Manish Kumar
 
PPT
Lecture 4 firewalls
rajakhurram
 
PPT
Data security in local network using distributed firewall ppt
Sabreen Irfana
 
PDF
session7 Firewalls and VPN
Mustafa Jarrar
 
PPTX
Firewall management introduction
Raghava Sharma
 
PPT
Firewall Security Definition
Patten John
 
DOCX
Firewalls
Sonali Parab
 
PPTX
Firewall Basing
Pina Parmar
 
PPT
Windows 7 firewall & its configuration
Soban Ahmad
 
PPT
Firewalls
junaid15bsse
 
PPT
Firewall
lmbriscoe
 
DOC
Firewall
Apo
 
PDF
Network firewall function & benefits
Anthony Daniel
 
PPTX
Firewall and its configuration
Muhammad Baqar Kazmi
 
PPT
Firewall
nayakslideshare
 
PPT
Firewall & its configurations
Student
 
PDF
Approach of Data Security in Local Network Using Distributed Firewalls
International Journal of Science and Research (IJSR)
 
PPT
Firewall protection
VC Infotech
 
PPT
Firewall Architecture
Yovan Chandel
 
Firewall fundamentals
Thang Man
 
Data Security in Local Area Network Using Distributed Firewall
Manish Kumar
 
Lecture 4 firewalls
rajakhurram
 
Data security in local network using distributed firewall ppt
Sabreen Irfana
 
session7 Firewalls and VPN
Mustafa Jarrar
 
Firewall management introduction
Raghava Sharma
 
Firewall Security Definition
Patten John
 
Firewalls
Sonali Parab
 
Firewall Basing
Pina Parmar
 
Windows 7 firewall & its configuration
Soban Ahmad
 
Firewalls
junaid15bsse
 
Firewall
lmbriscoe
 
Firewall
Apo
 
Network firewall function & benefits
Anthony Daniel
 
Firewall and its configuration
Muhammad Baqar Kazmi
 
Firewall
nayakslideshare
 
Firewall & its configurations
Student
 
Approach of Data Security in Local Network Using Distributed Firewalls
International Journal of Science and Research (IJSR)
 
Firewall protection
VC Infotech
 
Firewall Architecture
Yovan Chandel
 
Ad

Similar to Ch18 Internet Security (20)

PPT
Network security chapter 6 and 7 internet architecture
Muhammad ismail Shah
 
PDF
IBM zEnterprise System - Network Security
IBM India Smarter Computing
 
PDF
IBM zEnterprise System - Network Security
IBM India Smarter Computing
 
PPT
Network security
Presentaionslive.blogspot.com
 
PDF
Coolie @ call
ICFAI Business School
 
PDF
Tivoli firewall magic redp0227
Banking at Ho Chi Minh city
 
PDF
Microsoft Word Project, Firewalls
kkkseld
 
DOCX
Running head NETWORK INFRASTRUCTURE AND SECURITY 1NETWOR.docx
todd581
 
DOCX
Running head NETWORK INFRASTRUCTURE AND SECURITY 1NETWOR.docx
glendar3
 
PPTX
MVA slides lesson 8
Fabio Almeida- Oficina Eletrônica
 
PPTX
98 366 mva slides lesson 8
suddenven
 
PPT
Ch05 Network Defenses
Information Technology
 
DOCX
Network management
Nitesh Saitwal
 
PPTX
Module 7 Firewalls Part - 2 Presentation
9921103075
 
PPSX
Firewall & its Services
Navdeep Dhingra
 
PDF
Recomended ip telephony architecture
Feras Ajjawi
 
PDF
Architecting Secure Web Systems
InnoTech
 
PDF
Zdalna komunikacja sieciowa - zagadnienia sieciowe
Agnieszka Kuba
 
PPT
Firewall
Manikyala Rao
 
PDF
Creating a DMZ - pfSense Hangout January 2016
Netgate
 
Network security chapter 6 and 7 internet architecture
Muhammad ismail Shah
 
IBM zEnterprise System - Network Security
IBM India Smarter Computing
 
IBM zEnterprise System - Network Security
IBM India Smarter Computing
 
Network security
Presentaionslive.blogspot.com
 
Coolie @ call
ICFAI Business School
 
Tivoli firewall magic redp0227
Banking at Ho Chi Minh city
 
Microsoft Word Project, Firewalls
kkkseld
 
Running head NETWORK INFRASTRUCTURE AND SECURITY 1NETWOR.docx
todd581
 
Running head NETWORK INFRASTRUCTURE AND SECURITY 1NETWOR.docx
glendar3
 
MVA slides lesson 8
Fabio Almeida- Oficina Eletrônica
 
98 366 mva slides lesson 8
suddenven
 
Ch05 Network Defenses
Information Technology
 
Network management
Nitesh Saitwal
 
Module 7 Firewalls Part - 2 Presentation
9921103075
 
Firewall & its Services
Navdeep Dhingra
 
Recomended ip telephony architecture
Feras Ajjawi
 
Architecting Secure Web Systems
InnoTech
 
Zdalna komunikacja sieciowa - zagadnienia sieciowe
Agnieszka Kuba
 
Firewall
Manikyala Rao
 
Creating a DMZ - pfSense Hangout January 2016
Netgate
 
Ad

More from phanleson (20)

PDF
Learning spark ch01 - Introduction to Data Analysis with Spark
phanleson
 
PPT
Firewall - Network Defense in Depth Firewalls
phanleson
 
PPT
Mobile Security - Wireless hacking
phanleson
 
PPT
Authentication in wireless - Security in Wireless Protocols
phanleson
 
PPT
E-Commerce Security - Application attacks - Server Attacks
phanleson
 
PPT
Hacking web applications
phanleson
 
PPTX
HBase In Action - Chapter 04: HBase table design
phanleson
 
PPT
HBase In Action - Chapter 10 - Operations
phanleson
 
PPT
Hbase in action - Chapter 09: Deploying HBase
phanleson
 
PPTX
Learning spark ch11 - Machine Learning with MLlib
phanleson
 
PPTX
Learning spark ch10 - Spark Streaming
phanleson
 
PPTX
Learning spark ch09 - Spark SQL
phanleson
 
PPT
Learning spark ch07 - Running on a Cluster
phanleson
 
PPTX
Learning spark ch06 - Advanced Spark Programming
phanleson
 
PPTX
Learning spark ch05 - Loading and Saving Your Data
phanleson
 
PPTX
Learning spark ch04 - Working with Key/Value Pairs
phanleson
 
PPTX
Learning spark ch01 - Introduction to Data Analysis with Spark
phanleson
 
PPT
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
phanleson
 
PPT
Lecture 1 - Getting to know XML
phanleson
 
PPTX
Lecture 4 - Adding XTHML for the Web
phanleson
 
Learning spark ch01 - Introduction to Data Analysis with Spark
phanleson
 
Firewall - Network Defense in Depth Firewalls
phanleson
 
Mobile Security - Wireless hacking
phanleson
 
Authentication in wireless - Security in Wireless Protocols
phanleson
 
E-Commerce Security - Application attacks - Server Attacks
phanleson
 
Hacking web applications
phanleson
 
HBase In Action - Chapter 04: HBase table design
phanleson
 
HBase In Action - Chapter 10 - Operations
phanleson
 
Hbase in action - Chapter 09: Deploying HBase
phanleson
 
Learning spark ch11 - Machine Learning with MLlib
phanleson
 
Learning spark ch10 - Spark Streaming
phanleson
 
Learning spark ch09 - Spark SQL
phanleson
 
Learning spark ch07 - Running on a Cluster
phanleson
 
Learning spark ch06 - Advanced Spark Programming
phanleson
 
Learning spark ch05 - Loading and Saving Your Data
phanleson
 
Learning spark ch04 - Working with Key/Value Pairs
phanleson
 
Learning spark ch01 - Introduction to Data Analysis with Spark
phanleson
 
Hướng Dẫn Đăng Ký LibertaGia - A guide and introduciton about Libertagia
phanleson
 
Lecture 1 - Getting to know XML
phanleson
 
Lecture 4 - Adding XTHML for the Web
phanleson
 

Recently uploaded (20)

PDF
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
PDF
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
PDF
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
PPTX
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
PDF
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
PPTX
A Presentation on Artificial Intelligence
memembruh336
 
DOCX
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
PDF
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
PDF
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
PDF
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
PDF
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
PDF
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
PPTX
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
PDF
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
PDF
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
PDF
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
PPTX
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
PDF
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
PDF
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
PPTX
MYSQL Presentation for SQL database connectivity
Swati270511
 
Spectral efficient network and resource selection model in 5G networks
IAESIJAI
 
A comparative analysis of optical character recognition models for extracting...
IAESIJAI
 
Build a system with the filesystem maintained by OSTree @ COSCUP 2025
Jian-Hong Pan
 
Programs and apps: productivity, graphics, security and other tools
4mqw9zch22
 
Agricultural_Statistics_at_a_Glance_2022_0.pdf
SandeepSingh286037
 
A Presentation on Artificial Intelligence
memembruh336
 
The AUB Centre for AI in Media Proposal.docx
GAONE9
 
Empathic Computing: Creating Shared Understanding
Mark Billinghurst
 
Optimiser vos workloads AI/ML sur Amazon EC2 et AWS Graviton
Julien SIMON
 
Advanced methodologies resolving dimensionality complications for autism neur...
IAESIJAI
 
Architecting across the Boundaries of two Complex Domains - Healthcare & Tech...
Peter Tan
 
Review of recent advances in non-invasive hemoglobin estimation
IAESIJAI
 
Big Data Technologies - Introduction.pptx
kuthubussaman1
 
Peak of Data & AI Encore- AI for Metadata and Smarter Workflows
Safe Software
 
Reach Out and Touch Someone: Haptics and Empathic Computing
Mark Billinghurst
 
Mobile App Security Testing_ A Comprehensive Guide.pdf
flufftailshop
 
KOM of Painting work and Equipment Insulation REV00 update 25-dec.pptx
muhammadmuneebnaeem7
 
Dropbox Q2 2025 Financial Results & Investor Presentation
Dropbox
 
Encapsulation_ Review paper, used for researhc scholars
gurumoop
 
MYSQL Presentation for SQL database connectivity
Swati270511
 

Ch18 Internet Security

  • 2. Overview Internet services. Develop a communications architecture. Design a demilitarized zone. Understand network address translation. Design partner networks.
  • 3. Internet Services Services to offer. Services not to offer. Mail. NetBIOS, Unix RPC, NFS, Encrypted e-mail. Web. “r” services, TFTP, Internal access to Remote Control Internet. Protocols, and SNMP. External access to internal systems. Control services.
  • 4. Mail Mail service is generally offered to internal employees to send and receive messages. It requires that at least one server be established to receive inbound mail. Outbound mail can move through the same server or directly through desktop systems. Organization may choose to establish relays for public mail to be sent to discussion groups.
  • 5. Encrypted E-mail It is better to encrypt the contents of the e-mail to protect any sensitive information. Systems like desktop software and network appliances placed in mail stream provide encrypted e-mail.
  • 6. Web To publish information via Web, the organization needs to establish a Web server. Web servers can provide static content or dynamic content. HTTPS is used for Web pages that contain sensitive information or require authentication. File Transfer Protocol (FTP) server allows external individuals to get or send files.
  • 7. Internal Access to Internet Most common services that employees are allowed to access are: HTTP (port 80) and HTTPS (port 443) FTP (ports 21 and 20) Telnet (port 23) and SSH (port 22) POP-3 (port 110) and IMAP (port 143) NNTP (port 119)
  • 8. External Access to Internal Systems External access to sensitive internal systems is a delicate matter. The two forms of external access are employee access or non-employee access. External access may be accomplished through VPNs, dial- up lines, leased lines, or unencrypted access over the Internet.
  • 9. Control Services These services are required for smooth function of network and Internet connection. DNS - Domain Name Service is used to resolve system names into IP addresses. ICMP - Internet Control Message Protocol provides services such as ping and messages that help the network function efficiently. NTP - Network Time Protocol is used to synchronize time between various systems.
  • 10. Develop a Communications Architecture Primary issues for establishing an organization’s Internet connection are throughput requirements and availability. Availability requirements of the connection should be set by the organization.
  • 11. Develop a Communications Architecture Single-line access Multiple-line access to a single ISP Multiple-line access to multiple ISPs
  • 13. Single-Line Access The following potential failures make single-line access suitable for non-business-critical Internet connections: Router failure. CSU failure. Cut local loop. Damage to the telephone company’s CO (central office). POP failure at the ISP.
  • 14. Multiple-Line Access to a Single ISP They are used to overcome the single point of failure issues with the single ISP architecture. Shadow link or redundant circuit services offered by different ISPs provide a second communication link in case of failure. Multiple-line access to a single ISP has Single-POP access or Multiple-POP access.
  • 15. Multiple-Line Access to a Single ISP Single-POP access: An ISP can provide fail-over access by setting up a redundant circuit to the same POP. It addresses failures in router, CSU, phone company circuit to CO, and ISP equipment. Benefit to this architecture is the low cost of the redundant circuit.
  • 16. Multiple-Line Access to a Single ISP Multiple-POP access: Running second connection to a second POP additional availability and reliability can be obtained. Border Gateway Protocol (BGP) protocol, run by ISP, specifies routes between entities with such dual connections. Single point failures of local loop and CO can be overcome if the organization’s facility has two local loop connections.
  • 17. Multiple-line Access to Multiple ISPs If architected correctly, use of multiple ISPs can reduce the risk of loss of service dramatically. Issues that occur in choosing ISPs are complexity of using different ISPs, thorough knowledge in ISPs, and physical routing of connections. Working with multiple ISPs also involve routing and IP address space issues that must be resolved.
  • 18. Design a Demilitarized Zone Defining the DMZ. Systems to place in DMZ. Appropriate DMZ architectures.
  • 19. Defining the DMZ A DMZ is created by providing a semi-protected network zone. The DMZ is delineated with network access controls, such as firewalls or heavily filtered routers. Any system that can be directly contacted by an external user should be placed in a DMZ since they can be attacked. External system’s access to sensitive systems must be avoided.
  • 20. Systems to Place in DMZ Layout of systems between the DMZ and the internal network
  • 21. Systems to Place in DMZ DMZ can have either both internal and external mail servers or a single firewall mail server. Using Web server for receiving user’s input and application server for processing it provides protection to the database server. All externally accessible systems should be placed in the DMZ. The organization’s ISP can provide alternate DNS services.
  • 22. Appropriate DMZ Architectures The three common architectures are router and firewall, single firewall, and dual firewall. These architectures have their own advantages and disadvantages; hence organizations must choose the appropriate one.
  • 23. Appropriate DMZ Architectures Router and firewall architecture: Router and firewall architecture involves risk to systems on the Internet. The risk can be reduced using filters on the router. Risk to systems can also be reduced by locking them so that only services offered by DMZ run on them.
  • 24. Appropriate DMZ Architectures Single firewall architecture: A single firewall can be used to create a DMZ using a third interface. The single firewall becomes a single point of failure and a potential bottleneck for traffic, unless in fail-over configuration. Single firewall architecture is simple compared to the router and firewall architecture.
  • 25. Appropriate DMZ Architectures Dual firewall architecture: Dual firewall architecture uses two firewalls to separate DMZ from external and internal networks. Dual firewalls increase cost of architecture and require additional management and configuration.
  • 26. Understand Network Address Translation Any organization that plans to install a firewall will have to deal with addressing issues. In most networks, the firewall performs the NAT function of translating one or more addresses into other addresses. NAT can also provide a security function as hidden addresses of internal systems are not visible to the Internet.
  • 27. Understand Network Address Translation Private class addresses are used on internal networks behind a firewall that performs NAT. These addresses provide an organization with flexibility in designing its internal addressing scheme. Static NAT is a one- to-one configuration that allows accessing internal network addresses from the Internet. Static NAT maps a single real address from the organization’s external network to a system on the DMZ.
  • 29. Understand Network Address Translation Dynamic NAT maps many internal addresses to a single real address. Dynamic NAT creates a practical limit of about 64,000 simultaneous connections. Dynamic NAT is useful for desktop clients who use the Dynamic Host Configuration Protocol (DHCP).
  • 30. Design Partner Networks Partner networks are generally established to exchange certain files or pieces of data between organizations. Architectures and methodologies of Internet connection can be used for partner networks as their requirements do not differ much. Rules must be added to firewall to allow systems at the partner organization and internal systems to access partner DMZ systems. NAT should be used when connecting to partner networks.
  • 32. Summary Organizations can offer services like mail, encrypted e-mail, Web, internal access to Internet, external access to internal systems, and control services. Control services include DNS, ICMP, and NTP. To reduce security risks, services that are not required should not be offered. Types of Internet architectures are single-line access, multiple-line access to a single ISP, and multiple-line access to multiple ISPs.
  • 33. Summary Establishing a not truly trusted, semi-secure zone outside of the trusted network creates a DMZ. Router and firewall, single firewall, and dual firewall are the three DMZ architectures. Firewall performs the NAT function of translating one or more addresses into other addresses. Partner networks are generally established to exchange data between organizations.