Internet Architecture
Course: Network Security, BCS 6th / MCS 4th Term
Salam Ullah Khan
Services to Offer
• The first question that must be answered with
regard to Internet architecture is:
• What services will the organization provide via
the Internet?
• The services that will be offered and who will
be accessing them will greatly impact the
overall architecture
Mail
• Mail is generally offered to internal employees to
send and receive messages.
• This service requires that at least one server
be established to receive inbound mail.
• If higher availability is required, at least two
mail servers are required.
Mail
• An organization may also choose to establish
public mail relays for such things as e-mail
discussion groups. Such systems are normally
referred to as list servers.
• These systems will allow external people to
send mail to the system and the system
resends that message to the subscribers of the
list.
Web
• To publish information to customers or partners
via the World Wide Web, the organization needs to
establish a Web server.
• The Web server may be hosted at another location or
it may be hosted internally.
• Web servers can provide simple, static content or
dynamic content.
• Access to the Web site can be public, or it can be
restricted, e.g. through a login system over HTTPS
(port 443).
Web
• An FTP server allows external individuals to
get or send files using a Web browser or FTP
client software.
• It can be anonymous or it can require a login
ID and password.
Internal Access to the Internet
• How employees access the Internet should be
governed by organization policy.
• Organizations may allow any service they
choose, including instant messaging, chat, and
streaming video or audio, or they may allow access
only to certain Web sites.
External Access to Internal Systems
• External access is a touchy subject for security and
network staff.
• External access can take two forms: employee
access (usually from remote locations as part
of their job) or non-employee access.
• Employee access to internal systems from
remote locations is usually accomplished
through the use of a virtual private network
(VPN) over the Internet.
External Access to Internal Systems
• External organizations may also require access to
internal systems.
• Even access by trusted business partners must
be mediated to manage risk.
• External access may be accomplished through
the use of VPNs, dial-up lines, or leased lines.
FIREWALLS
• A firewall is a network access control device
that is designed to deny all traffic except that
which is explicitly allowed.
• A firewall is different from a router: a firewall
is a security device that allows only appropriate
traffic to flow, while a router is a network device.
Firewalls
• Firewalls can be configured to allow traffic
based on the service, the IP address of the
source or destination, or the ID of the user
requesting the service.
• Firewalls can also be configured to log all
traffic.
• The firewall rules do all the work.
Types of Firewalls
• There are two general types of firewalls:
• Application layer firewalls
• Packet filtering firewalls.
Application Layer Firewalls
• Application layer firewalls (also called proxy
firewalls) are software packages that sit on
top of general-purpose operating systems or
on firewall appliances.
• The firewall will have multiple interfaces, one
for each network to which it is connected.
• A set of policy rules defines how traffic from
one network is transported to any other.
• All connections terminate on the firewall.
• Policy rules are enforced through the use of proxies. On an
application layer firewall, each protocol to be allowed
must have its own proxy.
Application Layer Firewalls
• Application layer firewalls will have proxies for
the most commonly used protocols such as
HTTP, SMTP, FTP, and telnet. Other proxies
may not be available. If a proxy is not
available, the protocol cannot be used across
the firewall.
• The firewall also hides the addresses of
systems behind the application layer firewall.
Packet Filtering Firewalls
• Packet filtering firewalls are also software packages.
• The firewall will have multiple interfaces, one
for each network to which it is connected.
• Like the application layer firewall, a set of
policy rules defines how traffic from one
network is transported to any other.
• If a rule does not specifically allow the traffic
to flow, the firewall will deny or drop the
packets.
Packet Filtering Firewalls
• Policy rules are enforced through the use of
packet inspection filters.
• The filters examine the packets and determine
whether the traffic is allowed based on the
policy rules and the state of the protocol.
• If the protocol is running over TCP, state
determination is relatively easy as TCP itself
maintains state.
• What if the protocol runs over UDP, which maintains no state?
Packet Filtering Firewalls
• With a packet filtering firewall, connections
do not terminate on the firewall but instead
travel directly to the destination system.
• As the packets arrive at the firewall, the
firewall will determine if the packet and
connection state are allowed by the policy
rules.
• The packet is then allowed or dropped accordingly.
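The slides note that state is easy for TCP, which carries its own handshake, and leave UDP as a question. The following is an added example (not from the slides or the course) of how a packet filter answers that question: a TCP entry is created only by a bare SYN from the inside and torn down by FIN or RST, while a UDP entry is a pseudo-connection that the firewall invents and expires after an idle timeout. The inside prefix, the addresses, the timeout value and the packets themselves are all constructed for the example.

```python
from dataclasses import dataclass

# Constructed packet model: the 5-tuple, the TCP flags present, and an
# arrival time from a constructed clock (seconds).
@dataclass(frozen=True)
class Packet:
    proto: str                      # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: frozenset = frozenset()  # e.g. frozenset({"SYN"}) for a TCP open
    ts: float = 0.0

# Assumed idle timeout for a UDP pseudo-connection; real firewalls make this tunable.
UDP_TIMEOUT = 30.0


class StatefulFilter:
    """Allow conversations started from the inside; allow inbound packets only
    when they belong to a conversation already in the state table."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix   # e.g. "10.1.1." (constructed)
        self.table = {}                      # connection key -> last-seen time

    def _is_inside(self, ip):
        return ip.startswith(self.inside_prefix)

    @staticmethod
    def _key(p):
        # Both directions of one conversation map to the same table entry.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def check(self, p):
        key = self._key(p)
        if p.proto == "tcp":
            # A bare SYN opens a connection; TCP's own handshake supplies the state.
            if "SYN" in p.flags and "ACK" not in p.flags:
                if self._is_inside(p.src):
                    self.table[key] = p.ts
                    return "ALLOW"
                return "DROP"
            if key in self.table:
                if "FIN" in p.flags or "RST" in p.flags:
                    del self.table[key]      # simplified teardown on either side's FIN/RST
                else:
                    self.table[key] = p.ts
                return "ALLOW"
            return "DROP"
        if p.proto == "udp":
            # UDP carries no state, so the filter invents one: an entry that
            # lives for UDP_TIMEOUT seconds after the last packet seen.
            last = self.table.get(key)
            if last is not None:
                if p.ts - last <= UDP_TIMEOUT:
                    self.table[key] = p.ts
                    return "ALLOW"
                del self.table[key]          # expired pseudo-connection
            if self._is_inside(p.src):
                self.table[key] = p.ts
                return "ALLOW"
            return "DROP"
        return "DROP"                        # default deny for anything else


def run_scenario():
    """Constructed traffic: 10.1.1.0/24 is inside, 203.0.113.0/24 is the Internet."""
    fw = StatefulFilter("10.1.1.")
    inside, outside = "10.1.1.25", "203.0.113.10"
    return [
        # 1. Outsider tries to open SSH to an inside host: no state, dropped.
        fw.check(Packet("tcp", outside, 40000, inside, 22, frozenset({"SYN"}), 0.0)),
        # 2. Inside host opens HTTP; 3. the SYN/ACK reply matches the entry.
        fw.check(Packet("tcp", inside, 51000, outside, 80, frozenset({"SYN"}), 1.0)),
        fw.check(Packet("tcp", outside, 80, inside, 51000, frozenset({"SYN", "ACK"}), 1.1)),
        # 4. Inside DNS query; 5. reply inside the timeout; 6. a "reply" long after it.
        fw.check(Packet("udp", inside, 5353, outside, 53, ts=2.0)),
        fw.check(Packet("udp", outside, 53, inside, 5353, ts=2.5)),
        fw.check(Packet("udp", outside, 53, inside, 5353, ts=100.0)),
    ]


if __name__ == "__main__":
    print(run_scenario())
```

The sixth packet is the UDP failure mode the timeout exists for: without expiry, one outbound query would leave the inside port reachable from that outside host indefinitely.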
Hybrid firewalls, combining both approaches, are also available now.
Firewall Configuration
• Web server offering service on port 80 only.
• Mail server offering service on port 25 only.
• The Internet policy for the organization allows
internal users to use the following services:
• HTTP
• HTTPS
• FTP
• Telnet
• SSH
Firewall Configuration
• Single Firewall
• Dual Firewalls
Firewall Rule set Design
• Good rule set design can be as important to a
firewall as good hardware.
• Firewalls work on a “first match” basis when deciding
whether to accept or reject a packet, i.e. the most
specific rules should be placed at the top of the rule
set, and so on.
• The more rules that must be examined for each
packet, the more processing the firewall must do,
so keep the rule set efficient and short.
Firewall Rule set Design
• First, look at the expected traffic load of the
firewall and rank the traffic types in order.
• HTTP traffic will be the largest, so keep it at the
top of the list.
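The policy from the Firewall Configuration slide (Web server on port 80, mail server on port 25, internal users allowed HTTP, HTTPS, FTP, Telnet and SSH, everything else denied) written as a first-match rule set, as an added example that is not from the slides or the course. It counts how many rules each packet walks through, so the ordering advice above can be measured: the same rules with the busy outbound rules pushed to the bottom cost several times more work per packet. The networks, server addresses and traffic mix are constructed, and FTP's separate data connection is not modelled.

```python
from dataclasses import dataclass
from typing import Optional
import ipaddress


@dataclass
class Rule:
    name: str
    action: str                       # "accept" or "drop"
    proto: str                        # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]              # None matches any destination port

    def matches(self, proto, src, dst, dport):
        return (self.proto in (proto, "any")
                and ipaddress.ip_address(src) in self.src
                and ipaddress.ip_address(dst) in self.dst
                and (self.dport is None or self.dport == dport))


ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE = ipaddress.ip_network("10.1.0.0/16")        # constructed internal network
WEB = ipaddress.ip_network("198.51.100.10/32")      # constructed public Web server
MAIL = ipaddress.ip_network("198.51.100.25/32")     # constructed public mail server

# Ordered for first match: the heaviest traffic (outbound HTTP) first, then the
# other permitted services, the two inbound exposures, and a final catch-all drop.
RULESET = [
    Rule("out-http",     "accept", "tcp", INSIDE, ANY, 80),
    Rule("out-https",    "accept", "tcp", INSIDE, ANY, 443),
    Rule("out-ssh",      "accept", "tcp", INSIDE, ANY, 22),
    Rule("out-ftp",      "accept", "tcp", INSIDE, ANY, 21),
    Rule("out-telnet",   "accept", "tcp", INSIDE, ANY, 23),
    Rule("in-web",       "accept", "tcp", ANY, WEB, 80),
    Rule("in-mail",      "accept", "tcp", ANY, MAIL, 25),
    Rule("default-drop", "drop",   "any", ANY, ANY, None),
]


def evaluate(ruleset, proto, src, dst, dport):
    """First-match semantics: return (action, rule name, rules examined)."""
    for position, rule in enumerate(ruleset, start=1):
        if rule.matches(proto, src, dst, dport):
            return rule.action, rule.name, position
    return "drop", "implicit-deny", len(ruleset)   # deny unless explicitly allowed


# Constructed load profile (proto, src, dst, dport, share of packets): HTTP dominates.
TRAFFIC_MIX = [
    ("tcp", "10.1.5.5",     "203.0.113.7",   80,  70),
    ("tcp", "10.1.5.5",     "203.0.113.7",   443, 20),
    ("tcp", "203.0.113.9",  "198.51.100.25", 25,  5),
    ("tcp", "10.1.5.5",     "203.0.113.7",   22,  5),
]


def average_rules_examined(ruleset, traffic):
    """Weighted average number of rules the firewall walks per packet."""
    total = sum(weight for *_, weight in traffic)
    examined = sum(evaluate(ruleset, proto, src, dst, dport)[2] * weight
                   for proto, src, dst, dport, weight in traffic)
    return examined / total


def worst_ordering(ruleset):
    """The same rules with the busy outbound rules at the bottom (drop stays last)."""
    return list(reversed(ruleset[:-1])) + [ruleset[-1]]


if __name__ == "__main__":
    print(evaluate(RULESET, "tcp", "10.1.5.5", "203.0.113.7", 80))
    print(average_rules_examined(RULESET, TRAFFIC_MIX),
          average_rules_examined(worst_ordering(RULESET), TRAFFIC_MIX))
```

Note that the catch-all drop is kept last in both orderings; moving it would silently deny the services the policy permits.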
Network Address Translation NAT
• Any organization that plans to install a firewall
will have to deal with addressing issues.
• At the root of the problem is the shortage of
IP address space.
• For example, most ISPs will provide blocks of
16 or 32 addresses (which actually become 14
or 30 addresses when the broadcast
addresses are taken into account). The solution
is NAT.
NAT
• NAT translates one or more addresses into other
addresses. So how does this help? When we
build our networks, we use the 30 or so
addresses provided by the ISP for systems that
must be visible to the Internet.
• On the inside of the network, we use
addresses that are not visible but are
translated.
NAT
• Usually the firewall performs the NAT function.
Routers can also be used for this function if
necessary.
• Application layer firewalls perform NAT as part of
their design.
• Since all connections terminate on the firewall,
only the firewall’s address is visible to the
outside.
• Packet filtering firewalls also have this capability
but it must be configured during firewall setup.
NAT
• NAT can also provide a security function as
the hidden addresses of the internal systems
are not visible to the Internet.
Private Class Addresses
• Despite NAT we still need addresses for the
internal network. The choice of internal
addresses can cause all types of routing
problems if it is not done properly.
• RFC 1918 (an RFC, or Request for Comments, is
how Internet standards are published) specifies
what are called private class addresses.
Private Class Addresses
• These addresses are intended for use on
internal networks behind a firewall that
performs NAT.
• What is the subnet mask of each private block?
Private Class Addresses
• None of these addresses are routable on the
Internet. If you attempt to ping to a private
class address, the packets will be returned
with a “network unreachable” message.
Static NAT
• We architect a network to use private class
addresses and we want to use NAT to allow
systems to be accessible from the Internet. For
this situation, we use what is called static NAT.
• Static NAT maps a single real address from the
organization’s external network to a system.
• Static NAT is a one-to-one configuration. For each
system that must be accessible from the Internet,
one real address is used.
Dynamic NAT
• Dynamic NAT differs from static NAT in that
many internal addresses are mapped to a single
real address.
• The real address that is used is the external address
of the firewall.
• The firewall then tracks the connections and uses
one port for each connection.
• Dynamic NAT is especially useful for desktop
clients that use the Dynamic Host Configuration
Protocol (DHCP).
Dynamic NAT
• Systems that use dynamic NAT are not
addressable from the outside since only the
firewall maintains the mappings of ports to
systems and the mappings will change
regularly.
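The three Private Class Addresses slides and the two NAT slides above, as one added example that is not from the slides or the course. It answers the subnet-mask question for the RFC 1918 blocks, then models a firewall that does static NAT (one real address per inside system, so it is reachable from the Internet) and dynamic NAT (many inside systems behind the firewall's own external address, one port per connection). The inbound lookup shows why dynamically translated hosts are not addressable from outside: a packet to a port with no mapping goes nowhere. The external address, the servers and the port pool are constructed.

```python
import ipaddress

# The three RFC 1918 private blocks; netmask gives the subnet mask of each.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def subnet_masks():
    """Block -> dotted subnet mask, e.g. 172.16.0.0/12 -> 255.240.0.0."""
    return {str(net): str(net.netmask) for net in RFC1918}


class NatFirewall:
    """Static (one-to-one) and dynamic (many-to-one, port-tracked) translation."""

    def __init__(self, external_ip, port_range=(1024, 65535)):
        self.external_ip = external_ip   # the firewall's own real address (constructed)
        self.static = {}                 # private ip  -> public ip
        self.static_rev = {}             # public ip   -> private ip
        self.dynamic = {}                # (private ip, port) -> public port
        self.dynamic_rev = {}            # public port -> (private ip, port)
        self._next_port, self._last_port = port_range

    def add_static(self, private_ip, public_ip):
        """Static NAT: one real address per system that must be reachable."""
        if not is_rfc1918(private_ip):
            raise ValueError("inside address %s is not a private class address" % private_ip)
        if public_ip in self.static_rev:
            raise ValueError("real address %s is already mapped to a system" % public_ip)
        self.static[private_ip] = public_ip
        self.static_rev[public_ip] = private_ip

    def outbound(self, src_ip, src_port):
        """Translate an inside (ip, port) into what the Internet sees."""
        if src_ip in self.static:
            return self.static[src_ip], src_port        # address changes, port kept
        key = (src_ip, src_port)
        if key not in self.dynamic:
            # Dynamic NAT: everyone shares external_ip; the firewall tracks the
            # connection by handing out one external port per connection.
            if self._next_port > self._last_port:
                raise RuntimeError("dynamic NAT port pool exhausted")
            self.dynamic[key] = self._next_port
            self.dynamic_rev[self._next_port] = key
            self._next_port += 1
        return self.external_ip, self.dynamic[key]

    def inbound(self, dst_ip, dst_port):
        """Map a packet arriving from the Internet back to an inside system, or None."""
        if dst_ip in self.static_rev:
            return self.static_rev[dst_ip], dst_port
        if dst_ip == self.external_ip and dst_port in self.dynamic_rev:
            return self.dynamic_rev[dst_port]
        return None   # unsolicited: no mapping exists, so no inside host is reachable


if __name__ == "__main__":
    nat = NatFirewall("198.51.100.1")             # constructed external address
    nat.add_static("10.1.1.80", "198.51.100.10")  # constructed public Web server
    print(subnet_masks())
    print(nat.outbound("10.1.2.50", 51000), nat.inbound("198.51.100.1", 1024))
```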
Chapter 7
Virtual Private Networks (VPN)
VPNs
• Private networks have been used by
organizations to communicate with remote sites
and with other organizations.
• They are made up of lines leased from the various
phone companies and ISPs.
• Leased lines create a real circuit between the two
sites.
• Private networks have many advantages.
• Their disadvantage is COST.
• Solution: Virtual Private Networks
Defining VPNs
• With the increasing use of the Internet, many
organizations have moved to Virtual Private
Networks (VPN).
• VPNs offer organizations many of the
advantages of private networks with a lower
cost.
• However, VPNs introduce a whole new set of
issues and risks for an organization.
VPNs
• VPNs use a public network like the Internet to send
data securely.
• We separate our traffic from everyone else’s.
• Encryption
• Much of the Internet's traffic is sent in the clear, so that
anyone watching the traffic can see exactly what is
going by.
• This is true for most mail and Web traffic as well as
telnet and FTP sessions. Secure Shell (SSH) and
HyperText Transfer Protocol Secure (HTTPS)
traffic is encrypted.
VPNs
• VPNs have several characteristics:
• Traffic is encrypted so as to prevent
eavesdropping.
• The remote site is authenticated.
• Multiple protocols are supported over the
VPN.
• The connection is point to point.
VPNs
• VPN packets are mixed in with the regular
traffic flow on the Internet and segregated
because only the end points of the connection
can read the traffic.
VPN Types
• VPNs are generally separated into two types:
user VPNs and site VPNs.
User VPNs
• User VPNs are virtual private networks between
an individual user machine and an organization
site or network.
• Often user VPNs are used for employees who
travel or work from home.
• The organization’s site requests the user to
authenticate and, if successful, allows the user
access to the organization’s internal network as if
the user were within the site and physically on
the network. Speed is slower due to the user's
connection.
User VPNs
• While the user has a VPN back to the
organization’s internal network, he or she also
has a connection to the Internet and can surf
the Web or perform other activities like a
normal Internet user.
Benefits of User VPNs
• Employees who travel can have access to e-mail,
files, and internal systems wherever they are
without the need for expensive long distance
calls to dial-in servers.
• Employees who work from home can have the
same access to network services as employees
who work from the organization facilities without
the requirement for expensive leased lines.
• COST saving + Speed
Issues with user VPNs
• User VPNs bring significant security risks and
implementation issues.
• The biggest single security issue with the use of a VPN
by an employee is the simultaneous connection
to other Internet sites.
• If the user’s computer has been compromised
with a Trojan Horse program, it may be possible
for some external, unauthorized user to use the
employee’s computer to connect to the
organization’s internal network.
Issues with User VPNs
• User VPNs require the same attention to user-
management issues as internal systems.
• Determine which users require remote VPN access and
which do not.
• Also consider what happens when an employee leaves the job.
• Users must authenticate themselves before
using the VPN.
• Organizations must also be concerned with
traffic loads due to the many VPN connections.
Managing User VPNs
• Managing user VPNs is primarily an issue of managing
the users and user computer systems.
• Procedures must be in place through to employee separation.
• Proper VPN software versions and configurations must be maintained.
• If the computers are owned by the organization, this
becomes part of the standard software load for the
computer.
• If the organization allows employees to use the VPN
from their home computers, the organization will need
to increase overall support to these users and
configurations.
Managing User VPNs
• One key aspect of the user VPN that should
not be forgotten is the use of a good anti-virus
software package on the user’s computer.
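The Issues with User VPNs and Managing User VPNs slides list what must be checked before a remote user is let onto the internal network: the user still works here and is approved for remote access, the VPN client is at the proper version, anti-virus is running, and the simultaneous connection to other Internet sites (a split tunnel) is not in place. The following is an added example (not from the slides or the course) of those checks as an admission function run by the VPN gateway over what the client reports; the user directory, gateway address, minimum version and route tables are constructed, and the split-tunnel test is a longest-prefix-match walk over the client's route table.

```python
from dataclasses import dataclass
import ipaddress

VPN_TUNNEL = "vpn-tunnel"
VPN_GATEWAY = "198.51.100.5"          # constructed address of the VPN gateway
MIN_CLIENT_VERSION = (3, 0)           # assumed approved VPN client version

# Constructed user directory; in practice this comes from the identity system.
VPN_USERS = {
    "asha":  {"active": True,  "vpn_allowed": True},
    "bilal": {"active": False, "vpn_allowed": True},   # employee who has left
    "chen":  {"active": True,  "vpn_allowed": False},  # no remote-access need
}


@dataclass
class Posture:
    """What the VPN client reports about itself before the tunnel is admitted."""
    username: str
    client_version: tuple
    antivirus_running: bool
    routes: list            # (network, next_hop) pairs from the client's route table


def longest_prefix_match(routes, dst):
    """Next hop a destination would take: the most specific matching route wins."""
    ip = ipaddress.ip_address(dst)
    best = None
    for net, hop in routes:
        net = ipaddress.ip_network(net)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, hop)
    return best[1] if best else None


def is_split_tunnel(routes, gateway_ip):
    """True when any destination other than the VPN gateway itself bypasses the tunnel."""
    gw = ipaddress.ip_address(gateway_ip)
    for net, hop in routes:
        net = ipaddress.ip_network(net)
        if hop != VPN_TUNNEL and not (net.prefixlen == 32 and gw in net):
            return True
    return False


def admission_findings(posture):
    """Reasons to refuse this VPN connection; an empty list means admit."""
    findings = []
    user = VPN_USERS.get(posture.username)
    if user is None or not user["active"]:
        findings.append("inactive-user")      # access must be revoked at separation
    elif not user["vpn_allowed"]:
        findings.append("not-approved")       # not on the list of remote VPN users
    if posture.client_version < MIN_CLIENT_VERSION:
        findings.append("old-client")
    if not posture.antivirus_running:
        findings.append("no-antivirus")
    if is_split_tunnel(posture.routes, VPN_GATEWAY):
        findings.append("split-tunnel")       # simultaneous connection to other Internet sites
    return findings


# Constructed client route tables; the corporate network is 10.0.0.0/8 behind the tunnel.
SPLIT_TUNNEL = [("0.0.0.0/0", "isp-gateway"), ("10.0.0.0/8", VPN_TUNNEL)]
FULL_TUNNEL = [("0.0.0.0/0", VPN_TUNNEL), ("198.51.100.5/32", "isp-gateway")]

if __name__ == "__main__":
    print(admission_findings(Posture("asha", (3, 2), True, FULL_TUNNEL)))
    print(admission_findings(Posture("chen", (2, 9), False, SPLIT_TUNNEL)))
```

In the full-tunnel table the only route that leaves the tunnel is the /32 for the gateway itself, which the tunnel packets must use; anything broader than that is the split tunnel the slides warn about.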
