CPE5021 Advanced Network Security
---Network Security and Performance---
Lecture 9
CPE5002 - Advanced Network Security 2
Outline
Firewalls and Load Balancing
VPN and Network Performance
NAT and Load Balancing
Network Security Architecture
Firewalls and Load Balancing
Nowadays most networks have at least one or two firewalls (packet filtering and proxy firewalls).
Most networks provide mail and web services and have proxy firewalls that have to inspect several fields of every packet.
Current firewalls are designed to effectively protect networks against intrusions. However, they limit performance and scalability.
They are also often single points of failure and hence can reduce network availability.
Why Firewalls Introduce Problems: e.g.
Firewalls can be software-based products installed on a machine with two or three network interface cards (NICs). One NIC connects the enterprise network to the public network (NIC---Router---Internet). The second NIC is connected to the non-DMZ part of the corporate network. The third NIC, if present, is connected to the DMZ.
Because firewalls are deployed in the data path, through which all packets go, they can limit network performance and scalability.
Firewalls can slow communications by having to process every packet. E.g.: proxy firewalls.
Firewalls make it difficult to upgrade other servers. E.g.: firewalls with VPN; firewalls with routers.
Firewalls with 3 NICs: Example
[Diagram: a firewall host with three NICs: one NIC to the Internet via a router, one NIC to the DMZ, and one NIC to the non-DMZ network.]
Solutions
Some sophisticated application devices such as specialised advanced switches (called Application Switches, e.g. Alteon AS, Alteon Web Switch) can reduce the problems caused by firewalls. Those switches are built with SSL features and act as load balancers.
Application switches support Network Layer 4 and higher-layer switching and processing functionality, and can maintain the state of individual TCP sessions.
Vendors are also looking, beyond SSL, to integrate security features such as DoS protection, malicious URL blocking, and application-layer firewalling into their switches.
Solutions (e.g.)
Cisco provides the L4-L7 switch/load balancer without SSL.
Nortel provides the L4-L7 switch/load balancer without SSL.
F5 Networks provides the SSL-enabled L4-L7 switches and load balancers.
Cisco Catalysts with SSL service modules.
Cisco firewall/VPN/load balancer series.
Firewalls and Net Device for Load Balancing: (e.g.)
[Diagram: the Internet connected through several load balancers to the private network.]
Firewalls and Load Balancers
Most load balancers can provide both packet filtering and packet inspection.
Load balancers can be set up so that only desired TCP/UDP ports are load-balanced. E.g.: we can set up TCP port 80 for Web traffic, which provides the packet filtering functionality.
Load balancers do most of their work at the network level; therefore they can keep TCP state information and make decisions based on that state.
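A small model of the behaviour this slide describes, added here as an example and not part of the original lecture: a Layer 4 load balancer that forwards only the configured TCP ports (so everything else is filtered out) and keeps per-connection state, so that packets are forwarded or dropped on the basis of that state. The backend names, client addresses and the packet trace are constructed.

```python
from collections import namedtuple
from itertools import cycle

# Constructed model of the Layer 4 load balancer the slide describes: only the
# configured TCP ports are load-balanced (anything else is dropped, which is
# the packet-filtering function) and per-connection state is kept, so forwarding
# decisions are made on connection state rather than on isolated packets.
Packet = namedtuple("Packet", "src_ip src_port dst_port flags")


class L4LoadBalancer:
    def __init__(self, backends, allowed_ports):
        self.allowed_ports = set(allowed_ports)
        self._rr = cycle(backends)   # round-robin choice of backend for new flows
        self.sessions = {}           # (src_ip, src_port, dst_port) -> backend

    def handle(self, pkt):
        """Return the backend the packet is forwarded to, or None if it is dropped."""
        if pkt.dst_port not in self.allowed_ports:
            return None              # port is not load-balanced: filtered out
        key = (pkt.src_ip, pkt.src_port, pkt.dst_port)
        if "SYN" in pkt.flags and "ACK" not in pkt.flags:
            backend = next(self._rr)  # new connection: pick a backend and record it
            self.sessions[key] = backend
            return backend
        backend = self.sessions.get(key)
        if backend is None:
            return None              # mid-stream packet with no recorded state: dropped
        if pkt.flags & {"FIN", "RST"}:
            del self.sessions[key]   # simplified teardown: first FIN/RST releases state
        return backend


def run_trace():
    """Constructed packet trace (not captured traffic); returns decisions and open sessions."""
    lb = L4LoadBalancer(["web1", "web2"], allowed_ports=[80])
    trace = [
        Packet("203.0.113.5", 40001, 80, {"SYN"}),         # new web connection
        Packet("203.0.113.5", 40001, 80, {"ACK"}),         # same flow stays on its backend
        Packet("203.0.113.9", 40002, 80, {"SYN"}),         # second client goes to the other backend
        Packet("203.0.113.5", 40003, 80, {"ACK"}),         # no SYN was seen: stateless ACK dropped
        Packet("203.0.113.5", 40004, 23, {"SYN"}),         # telnet is not load-balanced: filtered
        Packet("203.0.113.5", 40001, 80, {"FIN", "ACK"}),  # teardown frees the first session
    ]
    return [lb.handle(p) for p in trace], len(lb.sessions)


if __name__ == "__main__":
    print(run_trace())
```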
VPN and Load Balancing
How do you improve the performance of your network if it provides VPN service?
A VPN server separated from firewalls.
A VPN server integrated with a firewall.
VPN, Firewall and Load Balancer (e.g.)
Symantec Firewall/VPN 200 Appliance
Features: 8 x 10/100 Mbps LAN, 2 x 10 Mbps WAN, high availability, load balancing on 2 WAN ports.
The Symantec Firewall/VPN Appliance is both a firewall and a VPN solution for efficient and secure Internet connectivity for small businesses.
A small business computer system can use IPSec gateway-to-gateway to connect to other networks, and remote users can access their company's network via client-to-gateway IPSec VPN.
VPN, Firewall and Load Balancer (e.g.)
HotBrick Load Balancer LB-2 (2 x WAN, 4 x LAN)
Its 2 x 10/100 Mbps WAN ports allow high-speed access with NAPT support.
It enables port mapping of a pool of public IP addresses.
Provides a dynamic DNS feature for mapping of dynamic addresses to virtual servers within the LAN.
Also it provides the option to double network speed with a failover feature, along with firewall features like URL & ICMP filter, DoS attack prevention, stateful packet inspection and group access control.
VPN, Firewall and Load Balancer (e.g.)
HotBrick Firewall VPN 1200/2 (2 x WAN, 12 x LAN)
A firewall, a VPN server, a router and a load balancer; can support up to 88 Mbps of throughput and 5000 concurrent IP sessions.
The VPN server allows 20 VPN end-points plus compatibility with RADIUS.
NAT and Load Balancing
How do we improve network performance using load balancing associated with:
A NAT box behind a firewall.
A NAT box behind a VPN server.
A NAT box in parallel with a VPN server.
NAT and VPN and Load Balancing
[Diagram borrowed from Cisco: NAT and VPN with load balancing; the figure is not reproduced in this transcript.]
Network Security Architectures
Network Security Architecture (NSA) is very important for any medium and large network. A good architecture will not only save a company money but also provide an adequate level of security and survive attacks. A guideline for a good NSA should at least include:
1. Dynamic cryptosystems.
2. Structures for adapting to new protocols.
3. Structures for full authentication of all network elements including devices, software, protocols, users, servers, subnets, etc.
4. Structures for trusted computing systems.
5. Structures to support load balancing, availability and scalability.
NSA: Dynamic Cryptosystems
A secure network needs to support many different cryptosystems.
Cryptography is evolving quickly with quantum computing and ECC theory. How will your NSA live with such evolution if your system has many traditional crypto algorithms?
Future networks will be wireless communications that require different technologies, and hence future networks have to be able to support many different cryptosystems. If your NSA will support more wireless, then what should it look like when you create it now?
More powerful computers and network devices will be produced in the near future, and this will put a strong demand on strong authentication and cryptosystems. What if your corporation does not have a very powerful computer but the others do?
NSA: Adaptation of New Protocols
Many new voice, video, and other newly-formed applications will be integrated into networks, especially the Internet; hence current crypto and authentication systems will need to be upgraded.
How can your NSA adapt a new protocol that may pose a threat to your organisation?
ICR
H323 (http://www.protocols.com/pbook/h323.htm)
VoIP
Etc.
NSA: A Structure for Trusted Computing Systems
Trusted computing systems exist in most large networks; how do we structure such networks with high security?
Use digital signatures for verifying software packages, programs and functions.
Use network auditors to audit and monitor the whole network.
How do we get all of this done automatically?
NSA: Load Balancing, Availability and Scalability
When should we think of load balancing, availability and scalability? Before or after we have designed and implemented firewalls, VPNs, NAT boxes, and other network security components?
How will Intelligent Application Network Components fit in NSA? When and how should the following be done?
Ensure continuous application availability with Layer 4 to Layer 7 load balancing?
Tune application infrastructure with Layer 7 content switching?
Optimise multi-site load distribution using current Global Server Load Balancing?
Enhance application performance for Web and non-Web applications?
Deliver increased application performance while reducing server workload?
Accelerate secure application delivery with SSL/IPSec?