Advanced Security and Mobile Networks


Transcription:

Advanced Security and Mobile Networks. Unit 1: Network Security. WJ Buchanan. ASMN (1)

OSI and Internet models (WJ Buchanan. ASMN (2))
OSI model layers: Application, Presentation, Session, Transport, Network, Data Link, Physical.
Internet model layers: Application, Transport, Internet.

Firewalls (WJ Buchanan. ASMN (3))
Screening firewalls and proxies, placed against the Internet model:
- Application layer: Proxy - isolates the local network from untrusted networks (AKA application gateway).
- Transport layer: Screening firewall - filters on source and destination TCP ports.
- Internet layer: Screening firewall - filters on source and destination IP addresses.

Firewalls and Proxies (WJ Buchanan. ASMN (4))
Proxy - isolates the local network from untrusted networks (AKA application gateway).
Screening firewall:
Advantages: - Simple. - Low costs.
Disadvantages: - Complexity of rules. - Cost of managing the firewall. - Lack of user-authentication.

Router Screening Firewall (WJ Buchanan. ASMN (5))
For example, the firewall may block FTP traffic going out of the network. A port on a router can be set up with ACLs to filter traffic based on the network address or on the source or destination port number.

ACLs (WJ Buchanan. ASMN (6))
- Source IP address. The address that the data packet was sent from.
- Destination IP address. The address that the data packet is destined for.
- Source TCP port. The port that the data segment originated from. Typical ports which could be blocked are FTP (port 21), TELNET (port 23), and WWW (port 80).
- Destination TCP port. The port that the data segment is destined for.
- Protocol type. This filters for UDP or TCP traffic.

Standard ACLs (WJ Buchanan. ASMN (7))
Standard ACLs filter on the source IP address.
Syntax:
Router(config)# access-list access-list-value {permit|deny} source source-mask
Examples:
Router(config)# access-list 1 deny 156.1.1.10 0.0.0.0
Router(config)# access-list 1 deny 156.1.1.0 0.0.0.255
Router(config)# access-list 1 permit any
Applying the list inbound on an interface:
Router(config)# interface Ethernet0
Router(config-if)# ip address 156.1.1.130 255.255.255.0
Router(config-if)# ip access-group 1 in

Standard ACLs (WJ Buchanan. ASMN (8))
Traffic from any address other than the 156.1.1.0 network can pass:
Router(config)# access-list 1 deny 156.1.1.0 0.0.0.255
Router(config)# access-list 1 permit any
Router(config)# interface Ethernet0
Router(config-if)# ip address 156.1.1.130 255.255.255.0
Router(config-if)# ip access-group 1 in
Wildcard mask 0.0.0.255: the first three octets of 156.1.1.0 are compared ("Match this part") and the last octet is ignored ("Ignore this part").
Diagram labels: E0 156.1.1.130, E1, hosts 156.1.1.2, 161.10.11.12, 161.10.11.13.

Standard ACLs (WJ Buchanan. ASMN (9))
Standard ACLs are applied as near to the destination as possible, so that they do not affect any other traffic.
!
interface Ethernet0
 ip address 120.11.12.13 255.255.255.0
 ip access-group 1 in
!
access-list 1 deny 156.1.1.0 0.0.0.255
access-list 1 permit any
Diagram labels: E0 156.1.1.130, hosts 156.1.1.2, 161.10.11.12, 161.10.11.13.

Extended ACLs (WJ Buchanan. ASMN (10))
Syntax:
Router(config)# access-list access-list-value {permit|deny} {test-conditions}
Example 1 (deny one host to one host):
Router(config)# access-list 100 deny ip host 156.1.1.134 156.70.1.1 0.0.0.0
Router(config)# access-list 100 permit ip any any
Example 2 (deny network to network):
Router(config)# access-list 100 deny ip 156.1.1.0 0.0.0.255 156.70.1.0 0.0.0.255
Router(config)# access-list 100 permit ip any any
Example 3 (wildcard 0.0.0.254 matches the even addresses of 156.1.1.0):
Router(config)# access-list 100 deny ip 156.1.1.0 0.0.0.254 host 156.70.1.1
Router(config)# access-list 100 permit ip any any
Applying the list:
Router(config)# interface Ethernet0
Router(config-if)# ip address 156.1.1.130 255.255.255.192
Router(config-if)# ip access-group 100 in

Extended ACLs (WJ Buchanan. ASMN (11))
Denies traffic from host 156.1.1.2 to the 70.1.2.0 network:
Router(config)# access-list 100 deny ip host 156.1.1.2 70.1.2.0 0.0.0.255
Router(config)# access-list 100 permit ip any any
Denies traffic from any host on 156.1.1.0 to the 70.1.2.0 network:
Router(config)# access-list 100 deny ip 156.1.1.0 0.0.0.255 70.1.2.0 0.0.0.255
Router(config)# access-list 100 permit ip any any
Diagram labels: E0 156.1.1.130, E1, hosts 156.1.1.2, 161.10.11.12, 161.10.11.13.

Example of an Extended ACL (WJ Buchanan. ASMN (12))
Extended ACLs are applied as near to the source as possible, as they are more targeted. Traffic from 156.1.1.0 is blocked to the barred site 140.5.6.7; all other traffic can flow.
!
interface Ethernet0
 ip address 156.1.1.130 255.255.255.0
 ip access-group 100 in
!
access-list 100 deny ip 156.1.1.0 0.0.0.255 host 140.5.6.7
access-list 100 permit ip any any
Diagram labels: E0 156.1.1.130, hosts 156.1.1.2, 161.10.11.12, 161.10.11.13, barred site 140.5.6.7.

Extended ACLs filtering TCP traffic (WJ Buchanan. ASMN (13))
An extended ACL can also filter for TCP/UDP traffic, such as:
Router(config)# access-list access-list-value {permit|deny} {tcp|udp|igrp} source source-mask destination destination-mask [{eq|neq|lt|gt} port]
The port-operator field in brackets is optional.
No Telnet access from the 156.1.1.0 network to 156.70.1.1 (on E1):
access-list 101 deny tcp 156.1.1.0 0.0.0.255 host 156.70.1.1 eq telnet
access-list 101 permit ip any any
Diagram labels: E0 156.1.1.130, E1 156.70.1.1, hosts 156.1.1.2, 161.10.11.12, 161.10.11.13.

Open and closed firewalls (WJ Buchanan. ASMN (14))
A closed firewall permits some things and denies everything else:
access-list 101 permit ...
access-list 101 deny ip any any
An open firewall denies some things and permits everything else:
access-list 101 deny ...
access-list 101 permit ip any any
Diagram labels: E0 156.1.1.130, E1, hosts 156.1.1.2, 161.10.11.12, 161.10.11.13.

For example, blocking Kazaa, Gnutella, Napster and ICQ (WJ Buchanan. ASMN (15))
To block Napster traffic destined for port 8888 (the final permit keeps all other traffic flowing, since every ACL ends with an implicit deny):
(config)# access-list 100 deny tcp 192.5.5.0 0.0.0.255 any eq 8888 log
(config)# access-list 100 deny udp 192.5.5.0 0.0.0.255 any eq 8888 log
(config)# access-list 100 permit ip any any
(config)# interface e0
(config-if)# ip access-group 100 in
or Kazaa (on port 1214):
(config)# access-list 101 deny tcp 192.5.5.0 0.0.0.255 any eq 1214 log
(config)# access-list 101 deny udp 192.5.5.0 0.0.0.255 any eq 1214 log
(config)# access-list 101 permit ip any any
(config)# interface e0
(config-if)# ip access-group 101 in
Gnutella can be blocked with ports 6346 and 6347, while ICQ is blocked with 5190.
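The following Python model is an added worked example, not code from the slides or from Cisco IOS. It evaluates packets against standard and extended access lists the way the ACL slides above describe: a wildcard mask whose 0 bits must match and whose 1 bits are ignored, standard lists that test only the source address, extended lists that also test protocol, destination and an optional destination-port operator, first-match semantics, and the implicit deny at the end of every list. It goes one step beyond the slides by also modelling the IOS established keyword (match only TCP segments that are not a bare SYN), which is how a "closed" list on an outside interface can drop unsolicited incoming connections. All packets and lists are constructed sample data; the class and function names are this example's own.

```python
"""Cisco-style access-list evaluation (added example, constructed sample data)."""
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional


def wildcard_match(addr: str, base: str, wildcard: str) -> bool:
    """True if addr equals base in every bit position where the wildcard bit is 0."""
    a, b, w = (int(IPv4Address(x)) for x in (addr, base, wildcard))
    care = ~w & 0xFFFFFFFF          # the "Match this part" bits
    return (a & care) == (b & care)


@dataclass
class Packet:
    src: str
    dst: str
    proto: str = "ip"               # "ip", "tcp" or "udp"
    sport: int = 0
    dport: int = 0
    syn_only: bool = False          # first segment of a TCP connection (SYN, no ACK)


@dataclass
class Rule:
    action: str                     # "permit" or "deny"
    src: str
    src_wc: str
    proto: str = "ip"               # "ip" matches every protocol
    dst: str = "0.0.0.0"
    dst_wc: str = "255.255.255.255" # default: any destination (standard ACL)
    op: Optional[str] = None        # "eq", "neq", "lt", "gt" on the destination port
    port: int = 0
    established: bool = False       # IOS 'established': reply traffic only

    def matches(self, pkt: Packet) -> bool:
        if self.proto != "ip" and self.proto != pkt.proto:
            return False
        if not wildcard_match(pkt.src, self.src, self.src_wc):
            return False
        if not wildcard_match(pkt.dst, self.dst, self.dst_wc):
            return False
        if self.op is not None:
            ops = {"eq": pkt.dport == self.port, "neq": pkt.dport != self.port,
                   "lt": pkt.dport < self.port, "gt": pkt.dport > self.port}
            if not ops[self.op]:
                return False
        if self.established and (pkt.proto != "tcp" or pkt.syn_only):
            return False
        return True


def evaluate(acl: List[Rule], pkt: Packet) -> str:
    """First matching entry decides; no match falls through to the implicit deny."""
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return "deny"


ANY = Rule("permit", "0.0.0.0", "255.255.255.255")   # 'permit any' / 'permit ip any any'

# Standard ACL 1 as on the slides: deny the 156.1.1.0/24 source network, permit the rest.
ACL_1 = [Rule("deny", "156.1.1.0", "0.0.0.255"), ANY]

# Extended ACL 101 as on the slides: no Telnet from 156.1.1.0/24 to host 156.70.1.1.
ACL_101 = [
    Rule("deny", "156.1.1.0", "0.0.0.255", proto="tcp",
         dst="156.70.1.1", dst_wc="0.0.0.0", op="eq", port=23),
    ANY,
]

# A "closed" list for an outside interface: only replies to connections opened
# from inside (TCP segments that are not a bare SYN) are permitted; the implicit
# deny drops every unsolicited incoming SYN.
ACL_CLOSED = [Rule("permit", "0.0.0.0", "255.255.255.255", proto="tcp", established=True)]


if __name__ == "__main__":
    for name, acl, pkt in [
        ("ACL 1, from 156.1.1.2", ACL_1, Packet("156.1.1.2", "161.10.11.12")),
        ("ACL 1, from 10.0.0.5", ACL_1, Packet("10.0.0.5", "161.10.11.12")),
        ("ACL 101, telnet", ACL_101, Packet("156.1.1.2", "156.70.1.1", "tcp", 40000, 23)),
        ("ACL 101, http", ACL_101, Packet("156.1.1.2", "156.70.1.1", "tcp", 40000, 80)),
        ("closed, inbound SYN", ACL_CLOSED, Packet("8.8.8.8", "156.1.1.2", "tcp", 80, 40000, True)),
        ("closed, reply", ACL_CLOSED, Packet("8.8.8.8", "156.1.1.2", "tcp", 80, 40000)),
    ]:
        print(f"{name}: {evaluate(acl, pkt)}")
```

The wildcard_match helper is the part worth checking by hand: 0.0.0.254 matches 156.1.1.2 but not 156.1.1.3, because only the lowest bit of the last octet is compared, which is what the "even addresses" entry on the Extended ACLs slide relies on.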

Firewalls (WJ Buchanan. ASMN (16))
Proxy - isolates the local network from untrusted networks (AKA application gateway).
Proxy:
Advantages: - User-oriented authentication. - User-oriented logging. - User-oriented accounting.
Disadvantages: - Built specifically for each application (although the SOCKS protocol has been designed, which is an all-in-one proxy).

Our First Security Model (WJ Buchanan. ASMN (17))
Accesses are made through the proxy. The screening firewall filters packets based on source/destination IP addresses and TCP ports.

Blocking the Incoming Traffic to Hosts (WJ Buchanan. ASMN (18))
Access to the proxy (192.168.10.65) is allowed; everything else is barred. Data can be sent to the proxy, while the hosts 192.168.10.2, 192.168.10.3 and 192.168.10.4 are barred.
hostname myrouter
!
interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
!
interface Ethernet1
 ip address 169.10.11.1 255.255.0.0
 ip access-group 101 in
!
access-list 100 permit ip host 192.168.10.65 any
access-list 100 deny ip any any
!
access-list 101 permit ip any host 192.168.10.65
access-list 101 deny ip any any
end
Diagram labels: E0 192.168.10.1 (inside), E1 169.10.11.1 (outside).

Blocking Outgoing Traffic from Hosts (WJ Buchanan. ASMN (19))
Data can be sent from the proxy (192.168.10.65), while the hosts 192.168.10.2, 192.168.10.3 and 192.168.10.4 are barred.
hostname myrouter
!
interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
!
interface Ethernet1
 ip address 169.10.11.1 255.255.0.0
 ip access-group 101 in
!
access-list 100 permit ip host 192.168.10.65 any
access-list 100 deny ip any any
!
access-list 101 permit ip any host 192.168.10.65
access-list 101 deny ip any any
end
Diagram labels: E0 192.168.10.1 (inside), E1 169.10.11.1 (outside).

An Improvement - Application Level Firewall (WJ Buchanan. ASMN (20))
The outer screening firewall only allows traffic to flow to and from the proxy.
The inner screening firewall only allows traffic between the hosts and the proxy.

Proxy setup (WJ Buchanan. ASMN (21))
Access is made to the WWW site on port 80 by the proxy (192.168.10.65); HTTP from the browsers goes out on TCP port 6588, to the proxy.

Proxy setup (WJ Buchanan. ASMN (22))
Services on the proxy (192.168.10.65), which makes the access to the WWW site on port 80:
- HTTP (web browsers) (port 6588)
- HTTPS (secure web browsers) (port 6588)
- SOCKS4 (TCP proxying) (port 1080)
- SOCKS4a (TCP proxying w/ DNS lookups) (port 1080)
- SOCKS5 (only partial support, no UDP) (port 1080)
- NNTP (usenet newsgroups) (port 119)
- POP3 (receiving email) (port 110)
- SMTP (sending email) (port 25)
- FTP (file transfers) (port 21)

Filtering incoming ports (WJ Buchanan. ASMN (23))
Only telnet, ftp, http and pop3 are allowed in, and only to the proxy (192.168.10.65):
hostname myrouter
!
interface Ethernet1
 ip address 169.10.11.1 255.255.0.0
 ip access-group 101 in
!
access-list 101 permit tcp any host 192.168.10.65 eq telnet
access-list 101 permit tcp any host 192.168.10.65 eq ftp
access-list 101 permit tcp any host 192.168.10.65 eq http
access-list 101 permit tcp any host 192.168.10.65 eq pop3
access-list 101 deny ip any any
!
end

Filtering outgoing ports (WJ Buchanan. ASMN (24))
Only telnet, ftp, http and pop3 are allowed out, and only from the proxy (192.168.10.65):
hostname myrouter
!
interface Ethernet0
 ip address 192.168.10.1 255.255.255.0
 ip access-group 100 in
!
access-list 100 permit tcp host 192.168.10.65 any eq telnet
access-list 100 permit tcp host 192.168.10.65 any eq ftp
access-list 100 permit tcp host 192.168.10.65 any eq http
access-list 100 permit tcp host 192.168.10.65 any eq pop3
access-list 100 deny ip any any
!
end

Proxy logging (WJ Buchanan. ASMN (25))
Access is made by the proxy (192.168.10.65) to the WWW site on port 80. The proxy log shows:
03/06/2003 21:26:19.957: 3750332 - HTTP Client connection accepted from 192.168.0.20
03/06/2003 21:26:21.620: 3773004 - HTTP Client connection accepted from 192.168.0.20
03/06/2003 21:26:23.232: 3773004 - HTTP Closing socket (2)
03/06/2003 21:26:23.863: 3773004 - HTTP Client connection accepted from 192.168.0.20
03/06/2003 21:26:26.527: 3773004 - HTTP Closing socket (2)
03/06/2003 21:26:26.737: 3773004 - HTTP Client connection accepted from 192.168.0.20
03/06/2003 21:26:29.091: 3773004 - HTTP Closing socket (2)
03/06/2003 21:26:29.371: 3773004 - HTTP Client connection accepted from 192.168.0.20
03/06/2003 21:26:29.431: 3750332 - HTTP Closing socket (2)
03/06/2003 21:26:30.453: 3773004 - HTTP Closing socket (1)
03/06/2003 21:26:31.644: 3750332 - HTTP Client connection accepted from 192.168.0.20
03/06/2003 21:26:32.786: 3750332 - HTTP Closing socket (1)
03/06/2003 21:26:33.126: 3750332 - HTTP Client connection accepted from 192.168.0.20

Proxy logging (WJ Buchanan. ASMN (26))
The log will always show the address of the proxy. The proxy allows:
- The hosts to be hidden from the outside.
- Private addresses to be used for the internal network.
- Logging of data packets.
- User-level authentication, where users may require a username and a password.
- Isolation of nodes inside the network, as they cannot be directly contacted.
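As an added example of making use of the proxy log shown on the slides (this is not code from the slides or from any proxy product), the parser below turns the log lines into events, pairs each "Client connection accepted" with the next "Closing socket" for the same socket id, and reports session durations, connections per client, and sockets that were accepted but never closed. The LOG text is the slide's own log; the timestamp format string and the event field names are this example's assumptions about that log.

```python
"""Parse and pair proxy connection-log entries (added example)."""
import re
from collections import defaultdict
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Log lines as shown on the Proxy logging slide.
LOG = """\
03/06/2003 21:26:19.957: 3750332 - HTTP Client connection accepted from 192.168.0.20
03/06/2003 21:26:21.620: 3773004 - HTTP Client connection accepted from 192.168.0.20
03/06/2003 21:26:23.232: 3773004 - HTTP Closing socket (2)
03/06/2003 21:26:23.863: 3773004 - HTTP Client connection accepted from 192.168.0.20
03/06/2003 21:26:26.527: 3773004 - HTTP Closing socket (2)
03/06/2003 21:26:26.737: 3773004 - HTTP Client connection accepted from 192.168.0.20
03/06/2003 21:26:29.091: 3773004 - HTTP Closing socket (2)
03/06/2003 21:26:29.371: 3773004 - HTTP Client connection accepted from 192.168.0.20
03/06/2003 21:26:29.431: 3750332 - HTTP Closing socket (2)
03/06/2003 21:26:30.453: 3773004 - HTTP Closing socket (1)
03/06/2003 21:26:31.644: 3750332 - HTTP Client connection accepted from 192.168.0.20
03/06/2003 21:26:32.786: 3750332 - HTTP Closing socket (1)
03/06/2003 21:26:33.126: 3750332 - HTTP Client connection accepted from 192.168.0.20
"""

# Assumed line layout: "<timestamp>: <socket id> - <service> <accept|close message>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{2}/\d{2}/\d{4} \d{2}:\d{2}:\d{2}\.\d{3}): (?P<sock>\d+) - (?P<svc>\S+) "
    r"(?:Client connection accepted from (?P<client>\S+)|Closing socket \((?P<code>\d+)\))$"
)


def parse_line(line: str) -> Optional[dict]:
    """Return an event dict for a recognised line, or None for anything else."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%m/%d/%Y %H:%M:%S.%f")
    if m["client"]:
        return {"ts": ts, "sock": m["sock"], "svc": m["svc"], "event": "accept", "client": m["client"]}
    return {"ts": ts, "sock": m["sock"], "svc": m["svc"], "event": "close", "code": int(m["code"])}


def sessions(log_text: str) -> Tuple[List[dict], Dict[str, dict]]:
    """Pair accept/close events per socket id.

    Returns (completed sessions in close order, accepts still open by socket id).
    Socket ids are reused once closed, so each close is matched to the most
    recent open accept on that id.
    """
    open_by_sock: Dict[str, dict] = {}
    done: List[dict] = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev["event"] == "accept":
            open_by_sock[ev["sock"]] = ev
            continue
        start = open_by_sock.pop(ev["sock"], None)
        if start is None:
            continue                      # close without a matching accept: ignore
        done.append({"client": start["client"], "sock": ev["sock"], "svc": ev["svc"],
                     "duration": (ev["ts"] - start["ts"]).total_seconds(),
                     "code": ev["code"]})
    return done, open_by_sock


def connections_per_client(done: List[dict], still_open: Dict[str, dict]) -> Dict[str, int]:
    """Count accepted connections per client address, open or closed."""
    counts: Dict[str, int] = defaultdict(int)
    for s in done:
        counts[s["client"]] += 1
    for ev in still_open.values():
        counts[ev["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    done, still_open = sessions(LOG)
    for s in done:
        print(f"{s['client']} socket {s['sock']}: {s['duration']:.3f}s (close code {s['code']})")
    print("still open:", list(still_open))
    print("per client:", connections_per_client(done, still_open))
```

Run against the slide's thirteen lines this yields six completed sessions, one socket (3750332) still open at the end of the log, and seven connections from 192.168.0.20; the log indeed shows only the client addresses behind the proxy, never the destination site, which is the point the slide makes.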

Network address translation (WJ Buchanan. ASMN (27))
PAT (Port address translation) maps many addresses to one global address.
Diagram: inside host 192.168.10.12:4444 sends outgoing data to the NAT device, which forwards it from 168.10.34.21:5555; incoming data to 168.10.34.21:5555 is mapped back to 192.168.10.12:4444.

Network address translation (WJ Buchanan. ASMN (28))
The NAT router remembers the source and destination IP addresses and ports:
IP:port (inside)    | IP:port (outside)  | IPdest:port
192.168.10.12:4444  | 168.10.34.21:5555  | 11.122.33.44:80

Network address translation (WJ Buchanan. ASMN (29))
New connections are added to the table:
IP:port (inside)    | IP:port (outside)  | IPdest:port
192.168.10.12:4444  | 168.10.34.21:5555  | 11.122.33.44:80
192.168.10.12:4445  | 168.10.34.21:5556  | 11.122.33.44:80
192.168.10.12:4446  | 168.10.34.21:5557  | 11.122.33.44:80
192.168.10.20:1234  | 168.10.34.21:5558  | 11.122.33.44:80

Network address translation (WJ Buchanan. ASMN (30))
NAT:
- Hides the network addresses of the network.
- Bars direct contact with a host.
- Increased range of addresses.
- Allows easy creation of subnetworks.

NAT (WJ Buchanan. ASMN (31))
- Static translation. Each public IP address translates to a private one through a static table. Good for security/logging/traceability. Bad, as it does not hide the internal network. (Diagram: private addresses a1.b1.c1.d1 and a2.b2.c2.d2 map one-to-one to public addresses w1.x1.y1.z1 and w2.x2.y2.z2.)
- IP Masquerading (Dynamic Translation). A single public IP address is used for the whole network. The table is thus dynamic. (Diagram: private addresses a1.b1.c1.d1 and a2.b2.c2.d2 share the single public address w.x.y.z.)
- Load Balancing Translation. With this, a request is made to a resource, such as a WWW server; the NAT device then looks at the current loading of the systems and forwards the request to the one which is most lightly used.

NAT - Load balancing (WJ Buchanan. ASMN (32))
A request to the public address w.x.y.z is forwarded by the NAT device to one server in the pool (private addresses a1.b1.c1.d1 ... an.bn.cn.dn); the NAT device selects the least used resource.
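The model below is an added worked example (not the slides' own code, and not any vendor's NAT implementation) of the translation table the NAT slides describe. A NatDevice with one public address rewrites the source of outgoing packets to that address plus a freshly allocated outside port (PAT / IP masquerading), keeps the inside endpoint, outside endpoint and destination as a table row so replies can be mapped back, and drops incoming packets that match no row, which is the "bars direct contact with a host" property of the previous slides. Static one-to-one translation and the least-used selection of load-balancing translation are included alongside. The addresses are taken from or modelled on the slides; the class and method names are this example's own.

```python
"""NAT/PAT translation table with static and load-balancing variants (added example)."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]          # (IP address, port)


@dataclass
class Packet:
    src: Endpoint
    dst: Endpoint
    payload: str = ""


class NatDevice:
    def __init__(self, public_ip: str, first_port: int = 5555):
        self.public_ip = public_ip
        self.next_port = first_port
        # dynamic rows: (inside, destination) -> outside, plus the reverse index
        self.table: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}
        self.reverse: Dict[Tuple[Endpoint, Endpoint], Endpoint] = {}   # (outside, destination) -> inside
        self.static: Dict[str, str] = {}                               # inside IP -> public IP

    def add_static(self, inside_ip: str, public_ip: str) -> None:
        """Static translation: a fixed one-to-one mapping with no dynamic state."""
        self.static[inside_ip] = public_ip

    def outbound(self, pkt: Packet) -> Packet:
        """Rewrite the source of a packet leaving the private network."""
        inside_ip, inside_port = pkt.src
        if inside_ip in self.static:
            return Packet((self.static[inside_ip], inside_port), pkt.dst, pkt.payload)
        key = (pkt.src, pkt.dst)
        if key not in self.table:                       # new connection: add a row
            outside = (self.public_ip, self.next_port)
            self.next_port += 1
            self.table[key] = outside
            self.reverse[(outside, pkt.dst)] = pkt.src
        return Packet(self.table[key], pkt.dst, pkt.payload)

    def inbound(self, pkt: Packet) -> Optional[Packet]:
        """Map a packet from the public side back to an inside host, or drop it."""
        for inside_ip, public_ip in self.static.items():
            if pkt.dst[0] == public_ip:                 # statically mapped hosts are always reachable
                return Packet(pkt.src, (inside_ip, pkt.dst[1]), pkt.payload)
        inside = self.reverse.get((pkt.dst, pkt.src))
        if inside is None:
            return None                                 # no row: unsolicited packet is dropped
        return Packet(pkt.src, inside, pkt.payload)

    def rows(self) -> List[Tuple[Endpoint, Endpoint, Endpoint]]:
        """The table as the slides draw it: inside, outside, destination."""
        return [(inside, outside, dest) for (inside, dest), outside in self.table.items()]


def least_loaded(pool: Dict[str, int]) -> str:
    """Load-balancing translation: forward to the server with the fewest active connections."""
    return min(pool, key=pool.__getitem__)


if __name__ == "__main__":
    nat = NatDevice("168.10.34.21")
    web = ("11.122.33.44", 80)
    for inside in [("192.168.10.12", 4444), ("192.168.10.12", 4445),
                   ("192.168.10.12", 4446), ("192.168.10.20", 1234)]:
        nat.outbound(Packet(inside, web, "GET /"))
    for row in nat.rows():
        print(row)
    print(nat.inbound(Packet(web, ("168.10.34.21", 5555), "200 OK")))     # back to 192.168.10.12:4444
    print(nat.inbound(Packet(("1.2.3.4", 9999), ("168.10.34.21", 6000))))  # None: dropped
    print(least_loaded({"a1.b1.c1.d1": 3, "a2.b2.c2.d2": 1, "a3.b3.c3.d3": 2}))
```

Note the asymmetry that the slides' static-versus-dynamic comparison turns on: a reply reaches 192.168.10.12:4444 only if it comes from the recorded destination to the recorded outside port, whereas anything sent to the public address of a statically mapped host is delivered.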

NAT - Backtrack connections (WJ Buchanan. ASMN (33))
NAT is good as we are isolated from the external public network, where our hosts initiate the connections... but what happens if we use applications which create connections in the reverse direction, such as with FTP and IRC? We thus need some form of backtracking of connections in the NAT device.
(Diagram: private addresses a1.b1.c1.d1 and a2.b2.c2.d2 behind the NAT device; public addresses w1.x1.y1.z1, w2.x2.y2.z2 and w.x.y.z.)

NAT - Weaknesses (WJ Buchanan. ASMN (34))
Static NAT is poor for security, as it does not hide the network. This is because there is a one-to-one mapping (e.g. the corporate WWW site a1.b1.c1.d1 mapped to w1.x1.y1.z1).
Dynamic NAT is good for security, as it hides the network. Unfortunately it has two major weaknesses:
- Backtracking allows external parties to trace back a connection.
- If the NAT device becomes compromised, the external party can redirect traffic: a compromised NAT table causes the connection to point to the external intruder's WWW site.

De-Militarized Zone (DMZ) (WJ Buchanan. ASMN (35), (36))
DMZ - an area where military actions are prohibited. It sits between our side (trusted) and their side (untrusted).

De-Militarized Zone (DMZ) - Double Legged Firewall (WJ Buchanan. ASMN (37))
Traffic is allowed to flow from the corporate intranet to the untrusted network (typically, the Internet). The DMZ allows untrusted traffic to flow to the corporate servers (the WWW server and the public FTP server, behind a NAT device). This is a weak approach, as the firewall in the DMZ could be attacked, which might compromise the corporate intranet. An improved method is...

De-Militarized Zone (DMZ) - Improved Method (WJ Buchanan. ASMN (38))
The DMZ allows untrusted traffic to flow to the corporate servers (WWW server, public FTP server). Another bastion is inserted to isolate the corporate intranet from untrusted networks, and a NAT device hides the corporate network from the outside.

Defence-in-depth (WJ Buchanan. ASMN (39))
The enemy takes some time to penetrate each level of defence: first-line defence, second-line defence, third-line defence, fourth-line defence.

Defence-in-depth (WJ Buchanan. ASMN (40))
Defence-in-depth puts as many obstacles as possible in the way of an intruder, so that it becomes harder to penetrate the network, and it is easier to detect the intrusion.
Diagram: untrusted network; DMZ with WWW server and public FTP server; NAT device; Intrusion Detection System; audit/logging.

Defence-in-depth (WJ Buchanan. ASMN (41))
In secure networks, firewalls should ban incoming TCP SYN packets, as these identify an incoming connection.
Diagram: untrusted network; DMZ with WWW server and public FTP server; NAT device; Intrusion Detection System; audit/logging.

VPNs - Virtual Private Networks (WJ Buchanan. ASMN (42))
Corporate Intranet 1 (private addresses 192.168.0.0) and Corporate Intranet 2 (192.168.1.0) are each connected through a VPN router across the untrusted network (Internet).

VPNs - Virtual Private Networks (WJ Buchanan. ASMN (43))
For a connection between 192.168.0.10 (Corporate Intranet 1) and 192.168.1.20 (Corporate Intranet 2), the VPN router negotiates the connection and generates encryption keys. This creates a tunnel over the untrusted network.

VPNs - Virtual Private Networks (WJ Buchanan. ASMN (44))
They then encrypt all the data packets for the connection. The encryption process will be discussed in Unit 3. The biggest problem with VPNs is latency.

VPNs - Mesh Architecture (WJ Buchanan. ASMN (45))
A mesh architecture has a connection between each pair of VPN routers: Corporate Intranet 1 (192.168.0.0), Corporate Intranet 2 (192.168.1.0) and Corporate Intranet 3 (192.168.2.0) are each linked to the others across the untrusted network (Internet).

VPNs - Spoke Architecture (WJ Buchanan. ASMN (46))
In a spoke architecture a hub switches between VPNs: the VPN routers of Corporate Intranet 1 (192.168.0.0), Corporate Intranet 2 (192.168.1.0) and Corporate Intranet 3 (192.168.2.0) each connect across the untrusted network (Internet) to the hub.

Internet Layer Security (WJ Buchanan. ASMN (47))
Internet layer security: IPSEC. Uses cryptographic methods:
- Authentication Header (AH). The AH provides AUTHENTICATION.
- Encapsulated Security Payload (ESP). The ESP provides CONFIDENTIALITY.
IPSEC will be covered in Unit 3.

Transport Layer Security (WJ Buchanan. ASMN (48))
Transport layer protection includes:
- SSL (Secure Socket Layer). MD5/SHA for authentication and RC4/DES for encryption.
- PCT (Private Communication Technology).
Secure sockets include:
- Port 443: https (HTTP + SSL).
- Port 465: ssmtp (SMTP + SSL).
- Port 563: snntp (NNTP + SSL).
These will be covered in Unit 3.

Application Layer Security (WJ Buchanan. ASMN (49))
Application layer protection includes:
- Email: PGP.
- Application layer protocols: https (HTTP + SSL), ssmtp (SMTP + SSL), snntp (NNTP + SSL).
- Typical encryption schemes: DES, Triple-DES.
- Typical authentication schemes: MD5.
- Email encryption: PGP.
These will be covered in Unit 3.