Chapter 5 - Network Defenses

Upload: arif-cupu

Post on 24-Feb-2018


TRANSCRIPT

7/25/2019 Chapter 5 - Network Defenses

Slide 1/27 - Network Defenses

Niken D Cahyani, Gandeva Bayu Satrya

Telkom Institute of Technology

Slide 2/27 - Learning Objectives

After completing this chapter you should be able to do the following:

- Explain how to enhance security through network design
- Define network address translation and network access control
- List the different types of network security devices and explain how they can be used

Slide 3/27 - Network Design - Subnetting

Subnetting identifies a network device (called a host) by its unique Internet Protocol (IP) address, which is a 32-bit (4-byte) address such as 192.146.118.20, grouped into classes (Class A, B, C, and the special Classes D and E). IP addresses are actually two addresses: one part is a network address (such as 192.146.118) and one part is a host address (such as 20).

Improved addressing techniques in 1985 allowed an IP address to be split anywhere within its 32 bits, known as subnetting.

Slide 4/27 - Security - Subnetting

Subnetting a single network into multiple smaller subnets in order to isolate groups of hosts.

Utilize network security tools to make it easier to regulate who has access in and out of a particular subnetwork.

Addresses are instantly recognizable so that the source of potential security issues can be quickly addressed. For example, any IP address beginning with 192.168.50 can indicate mobile users, 192.168.125 may designate executive users, and 192.168.200 can indicate wireless network users.

Allows network administrators to hide the internal network layout to make it difficult for attackers.
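The network/host split and the role-per-subnet scheme from the two slides above, as an added example (not from the original slides). It assumes the example role subnets are /24 networks, which the slides do not state, and uses a constructed alert-line format.

```python
import ipaddress

# Role-to-subnet map from the slide's example. The slide gives only the leading
# three octets, so the /24 prefix length is an assumption.
ROLE_SUBNETS = {
    "mobile":    ipaddress.ip_network("192.168.50.0/24"),
    "executive": ipaddress.ip_network("192.168.125.0/24"),
    "wireless":  ipaddress.ip_network("192.168.200.0/24"),
}

def address_class(ip):
    """Classful category (A-E) of an IPv4 address, decided by its first octet."""
    first = int(ipaddress.IPv4Address(ip)) >> 24
    if first < 128:
        return "A"
    if first < 192:
        return "B"
    if first < 224:
        return "C"
    if first < 240:
        return "D"
    return "E"

def split_address(ip, prefixlen):
    """Split an address into network part and host number at the given prefix length."""
    addr = ipaddress.IPv4Address(ip)
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    return str(net.network_address), int(addr) - int(net.network_address)

def classify(ip):
    """Map a source address to the user group its subnet was assigned to."""
    addr = ipaddress.IPv4Address(ip)
    for role, subnet in ROLE_SUBNETS.items():
        if addr in subnet:
            return role
    return "unassigned"   # in no known subnet: worth a second look

def triage(alert_lines):
    """Tag each constructed 'ALERT <src-ip> <text>' line with its user group."""
    return [(line.split()[1], classify(line.split()[1])) for line in alert_lines]
```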

Slide 5/27 - Subnetting Example

Slide 6/27 - Advantages of Subnetting

Slide 7/27 - Network Design - VLAN

A VLAN allows scattered users to be logically grouped together even though they may be attached to different switches.

A degree of security similar to subnetting: isolation, so that sensitive data is transmitted only to members of the VLAN.

Attacks on the switch that attempt to exploit vulnerabilities such as weak passwords or default accounts are common.

Slide 8/27 - Network Design - Convergence

Convergence of voice and data traffic over a single IP network.

Two important convergence technologies:
- Voice over IP (VoIP)
- IP telephony

Benefits:
- Cost savings
- Management
- Application development
- Infrastructure requirements
- Increased user productivity
- Increased security: manage only one network

Slide 9/27 - Convergence - Vulnerability

Slide 10/27 - Network Design - Demilitarized Zone (DMZ)

A separate network that sits outside the secure network perimeter.

Slide 11/27 - Objectives

After completing this chapter you should be able to do the following:

- Define network address translation and network access control
- List the different types of network security devices and explain how they can be used

Slide 12/27 - Network Technologies - Network Address Translation (NAT)

NAT hides the IP addresses of network devices from attackers.

Slide 13/27 - Network Technologies - Network Access Control (NAC)

NAC examines the current state of a system or network device before it is allowed to connect to the network.

The device must meet a specified set of criteria, such as having the most current antivirus signature; if it does not, it is only allowed to connect to a quarantine network where the security deficiencies are corrected.

After the problems are solved, the device is connected to the normal network. The goal is to prevent computers with suboptimal security from potentially infecting other computers through the network.
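The check-quarantine-remediate-reconnect flow of the NAC slide, as an added example that is not part of the original slides. The antivirus-signature criterion is the slide's; the host-firewall criterion, the three-day signature age limit and the sample devices are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class DevicePosture:
    """Health facts collected from a device that asks to join the network."""
    host: str
    av_signature_date: date
    host_firewall_on: bool    # second criterion, an assumption beyond the slide

# Constructed sample data: the current signature release and two laptops
CURRENT_SIGNATURE = date(2019, 7, 25)
STALE_LAPTOP = DevicePosture("laptop-17", date(2019, 7, 10), host_firewall_on=False)
HEALTHY_LAPTOP = DevicePosture("laptop-02", date(2019, 7, 24), host_firewall_on=True)

def posture_failures(p, current_signature, max_age_days=3):
    """Check the criteria; returns the list of deficiencies (empty means healthy)."""
    failures = []
    if (current_signature - p.av_signature_date).days > max_age_days:
        failures.append("antivirus signatures out of date")
    if not p.host_firewall_on:
        failures.append("host firewall disabled")
    return failures

def admit(p, current_signature):
    """Place the device: ('production', []) or ('quarantine', [deficiencies])."""
    failures = posture_failures(p, current_signature)
    return ("quarantine", failures) if failures else ("production", [])

def remediate(p, current_signature):
    """What the quarantine network does: fix the deficiencies, report the new posture."""
    return DevicePosture(p.host, current_signature, host_firewall_on=True)

def nac_session(p, current_signature):
    """Whole flow from the slide: check, quarantine and fix if needed, then reconnect."""
    network, failures = admit(p, current_signature)
    trail = [(network, failures)]
    if network == "quarantine":
        network, failures = admit(remediate(p, current_signature), current_signature)
        trail.append((network, failures))
    return trail
```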

Slide 14/27 - Network Access Control (NAC)

Slide 15/27 - Network Access Control (NAC)

Slide 16/27 - Objectives

After completing this chapter you should be able to do the following:

- List the different types of network security devices and explain how they can be used

Slide 17/27 - Network Security Devices - Firewall

Rule base which establishes what action the firewall should take when it receives a packet. The options are:
- Allow
- Block
- Prompt

Stateless packet filtering looks at the incoming packet and permits or denies it based strictly on the rule base.

Stateful packet filtering keeps a record of the state of a connection between an internal computer and an external server and then makes decisions based on the connection as well as the rule base.
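The stateless-versus-stateful distinction on this slide, as an added example that is not from the original slides: the same two-rule rule base is applied by a filter that judges each packet alone and by one that records connections opened from the inside. The packet fields, the rule-base notation and the sample exchange are constructed for the example.

```python
from collections import namedtuple

# A packet as the filter sees it (constructed fields; "in" = arriving from outside)
Packet = namedtuple("Packet", "direction src sport dst dport flags")

# Rule base, first match wins. Actions from the slide: allow / block ("prompt" is
# left out because an unattended filter cannot ask a user).
RULE_BASE = [
    ("out", 443, "allow"),    # internal hosts may open HTTPS to the outside
    ("in", None, "block"),    # nothing unsolicited from the outside
]

def stateless_filter(pkt, rules=RULE_BASE):
    """Decide on this packet alone, strictly from the rule base."""
    for direction, dport, action in rules:
        if direction == pkt.direction and dport in (None, pkt.dport):
            return action
    return "block"            # default deny when no rule matches

class StatefulFilter:
    """Remembers connections the inside opened and lets their replies back in."""

    def __init__(self, rules=RULE_BASE):
        self.rules = rules
        self.connections = set()   # (inside ip, inside port, outside ip, outside port)

    def check(self, pkt):
        if pkt.direction == "in":
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
            if key in self.connections:
                return "allow"     # reply to a connection in the state table
        action = stateless_filter(pkt, self.rules)
        if action == "allow" and pkt.direction == "out" and "SYN" in pkt.flags:
            self.connections.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return action

def compare(packets):
    """Run the same packets through both filters: [(stateless, stateful), ...]."""
    stateful = StatefulFilter()
    return [(stateless_filter(p), stateful.check(p)) for p in packets]

# Constructed exchange: inside host opens HTTPS, the server replies, then an
# outsider tries to reach the same inside port unsolicited.
SAMPLE = [
    Packet("out", "192.168.125.7", 51000, "203.0.113.10", 443, "SYN"),
    Packet("in", "203.0.113.10", 443, "192.168.125.7", 51000, "SYN-ACK"),
    Packet("in", "198.51.100.5", 40000, "192.168.125.7", 51000, "SYN"),
]
```

The stateless filter drops the legitimate reply (second packet) because its rule base alone cannot tell it from the unsolicited third packet; the stateful filter admits the reply and still blocks the stranger.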

Slide 18/27 - Firewall - Rules

Slide 19/27 - Firewall - Rules

Slide 20/27 - Network Security Devices - Proxy Server

A computer system (or an application program) that intercepts internal user requests and then processes that request on behalf of the user.

A reverse proxy does not serve clients but instead routes incoming requests to the correct server. Requests for services are sent to the reverse proxy, which then forwards them to the server.

To the outside user the IP address of the reverse proxy is the final IP address for requesting services, yet only the reverse proxy can access the internal servers.

Slide 21/27 - Proxy Server

Slide 22/27 - Network Security Devices - Honeypots

... attention away from legitimate servers.

Early warnings of new attacks.

Examine attacker techniques.

Types of honeypots: Production Honeypots and Research Honeypots.

Slide 23/27 - Network Intrusion Detection System (IDS)

An intrusion detection system (IDS) attempts to identify inappropriate activity by comparing new behavior against normal or acceptable behavior and issuing an alert. Example functions of an IDS:

- Configure the firewall to filter out the IP address of the intruder.
- Launch a separate program to handle the event.
- Save the packets in an evidence file for further analysis.
- Send email, page, or a cell phone message to the network administrator.
- Terminate the TCP session by forging a TCP FIN packet to force a connection to terminate.
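The "compare new behavior against normal" idea and two of the responses listed on this slide (alert the administrator, have the firewall filter the intruder's address), as an added example not taken from the original slides. The log format, the baseline and the firewall rule notation are all constructed for the example.

```python
from collections import defaultdict

# Constructed firewall log: "<time> <action> <src-ip> -> <dst-ip>:<port>"
LOG = """\
08:00:01 ALLOW 192.168.50.12 -> 10.0.0.5:443
08:00:02 ALLOW 192.168.125.7 -> 10.0.0.5:443
08:00:03 DENY 198.51.100.5 -> 10.0.0.5:22
08:00:03 DENY 198.51.100.5 -> 10.0.0.5:23
08:00:03 DENY 198.51.100.5 -> 10.0.0.5:25
08:00:04 DENY 198.51.100.5 -> 10.0.0.5:80
08:00:04 DENY 198.51.100.5 -> 10.0.0.5:110
08:00:05 ALLOW 192.168.200.9 -> 10.0.0.5:443
08:00:06 DENY 192.168.50.12 -> 10.0.0.5:3389
"""

# "Normal" behaviour (constructed baseline): a single source is not denied on
# more than this many distinct ports within the window.
BASELINE_MAX_PORTS = 2

def parse(log_text):
    """Turn log lines into (time, action, src, dst_ip, dst_port) tuples."""
    events = []
    for line in log_text.splitlines():
        time, action, src, _, dst = line.split()
        dst_ip, port = dst.rsplit(":", 1)
        events.append((time, action, src, dst_ip, int(port)))
    return events

def detect(log_text, baseline=BASELINE_MAX_PORTS):
    """Flag sources whose denied-port count exceeds the baseline (anomaly-style IDS)."""
    ports = defaultdict(set)
    for _, action, src, _, port in parse(log_text):
        if action == "DENY":
            ports[src].add(port)
    return {src: sorted(p) for src, p in ports.items() if len(p) > baseline}

def respond(alerts):
    """Responses named on the slide: an alert to the administrator plus a firewall
    filter rule per intruder. The rule syntax is a constructed notation."""
    actions = []
    for src, ports in alerts.items():
        actions.append(f"ALERT {src} probed {len(ports)} ports {ports}")
        actions.append(f"block in from {src}")
    return actions
```

The single denied RDP attempt from 192.168.50.12 stays under the baseline and is not escalated, so the detector does not block an internal host over one stray connection.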


Slide 25/27 - Protocol Analyzers

Detect a potential intrusion by:
- detecting statistical anomalies,
- examining network traffic and looking for well-known patterns of attack, much like antivirus scanning,
- protocol analyzer technology.

Protocol analyzers can fully decode application-layer network protocols, such as

Slide 26/27 - Internet Content Filter

Slide 27/27 - Integrated Network Security Hardware

Multipurpose security appliances that provide multiple security functions, such as:
- Antispam and antiphishing
- Antivirus and antispyware
- Bandwidth optimization
- Content filtering
- Encryption
- Firewall
- Intrusion protection system

Combine or integrate multipurpose security appliances with a traditional network device such as a switch or router to create integrated network security hardware.