This document discusses internet architecture and network security. It covers various services an organization may offer like mail, web, and FTP servers. It also discusses internal and external access to systems, including through virtual private networks (VPNs). The document outlines firewall configuration and types, including packet filtering and application layer firewalls. It describes network address translation (NAT) and private IP addresses. Finally, it discusses user VPNs and site VPNs, benefits and issues with user VPNs, and managing user VPN access.
2. Services to Offer
• The first question that must be answered with
regard to Internet architecture is:
• What services will the organization provide via
the Internet?
• The services that will be offered and who will
be accessing them will greatly impact the
overall architecture
3. Mail
• Mail is generally offered to internal employees to
send and receive messages.
• This service requires that at least one server
be established to receive inbound mail.
• If higher availability is required, at least two
mail servers are required.
4. Mail
• An organization may also choose to establish
public mail relays for such things as e-mail
discussion groups. Such systems are normally
referred to as list servers.
• These systems will allow external people to
send mail to the system and the system
resends that message to the subscribers of the
list.
5. Web
• To publish information to customers or partners
via the World Wide Web, an organization needs to
establish a Web server.
• The Web server may be hosted at another location or
it may be hosted internally.
• Web servers can provide simple, static content or
dynamic content.
• Access to the Web site can be public, or it can be
restricted, e.g. through a login system over HTTPS
(port 443).
6. FTP
• An FTP server allows external individuals to
get or send files using a Web browser or FTP
client software.
• It can be anonymous or it can require a login
ID and password.
7. Internal Access to the Internet
• How employees access the Internet should be
governed by organization policy.
• Organizations may allow any service they
choose including instant messaging, chat, and
streaming video or audio or to access only
certain Web sites.
9. External Access to Internal Systems
• A touchy subject for security and network
staff.
• External access can take two forms: employee
access (usually from remote locations as part
of their job) or non-employee access.
• Employee access to internal systems from
remote locations is usually accomplished
through the use of a virtual private network
(VPN) over the Internet.
10. External Access to Internal Systems
• External organizations require access to
internal systems.
• Even access by trusted business partners must
be mediated to manage risk.
• External access may be accomplished through
the use of VPNs, dial-up lines, or leased lines.
11. FIREWALLS
• A firewall is a network access control device
that is designed to deny all traffic except that
which is explicitly allowed.
• A firewall is different from a router.
• A firewall is a security device that allows only
appropriate traffic to flow, while a router is a
network device.
12. Firewalls
• Firewalls can be configured to allow traffic
based on the service, the IP address of the
source or destination, or the ID of the user
requesting service.
• Firewalls can also be configured to log all
traffic.
• The firewall's rules do all the work.
13. Types of Firewalls
• There are two general types of firewalls:
• Application layer firewalls
• Packet filtering firewalls.
14. Application Layer Firewalls
• Application layer firewalls (also called proxy
firewalls) are software packages that sit on
top of general-purpose operating systems or
on firewall appliances.
• The firewall will have multiple interfaces, one
for each network to which it is connected.
• A set of policy rules defines how traffic from
one network is transported to any other.
• All connections terminate on the firewall.
15. Policy rules are enforced through the use of proxies. On an
application layer firewall, each protocol to be allowed
must have its own proxy.
16. Application Layer Firewalls
• Application layer firewalls will have proxies for
the most commonly used protocols such as
HTTP, SMTP, FTP, and telnet. Other proxies
may not be available. If a proxy is not
available, the protocol cannot be used across
the firewall.
• The firewall also hides the addresses of
systems behind the application layer firewall.
17. Packet Filtering Firewalls
• Packet filtering firewalls are also software
packages.
• The firewall will have multiple interfaces, one
for each network to which it is connected.
• Like the application layer firewall, a set of
policy rules defines how traffic from one
network is transported to any other.
• If a rule does not specifically allow the traffic
to flow, the firewall will deny or drop the
packets.
18. Packet Filtering Firewalls
• Policy rules are enforced through the use of
packet inspection filters.
• The filters examine the packets and determine
whether the traffic is allowed based on the
policy rules and the state of the protocol.
• If the protocol is running over TCP, state
determination is relatively easy as TCP itself
maintains state.
• What if the protocol runs over UDP, which
maintains no state of its own?
19. Packet Filtering Firewalls
• With a packet filtering firewall, connections
do not terminate on the firewall but instead
travel directly to the destination system.
• As the packets arrive at the firewall, the
firewall will determine if the packet and
connection state are allowed by the policy
rules.
• Allow or Drop?
21. Firewall Configuration
• Web server offering service on port 80 only.
• Mail server offering service on port 25 only.
• The Internet policy for the organization allows
internal users to use the following services:
• HTTP
• HTTPS
• FTP
• Telnet
• SSH
23. Firewall Rule set Design
• Good rule set design can be as important to a
firewall as good hardware.
• Firewalls work on "first match" when deciding
whether to accept or reject a packet, i.e. the
most specific rules should be placed at the top
of the rule set, and so on.
• The more rules that must be examined for each
packet, the more processing the firewall must
do. So keep the rule set efficient and short.
25. Firewall Rule set Design
• First, look at the expected traffic load of the
firewall and rank the traffic types in order.
• HTTP traffic will be the largest, so keep it at
the top of the list.
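The packet filter described on the previous slides (first match, default deny, TCP state tracking) applied to the slide 21 scenario, written here as an added example rather than code from the lecture. The rule set, the 10.0.0.0/8 internal network and the 203.0.113.x server addresses are constructed; the documentation ranges stand in for real hosts.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed scenario from the slides: a web server on port 80, a mail server
# on port 25, and internal users allowed HTTP, HTTPS, FTP, Telnet and SSH out.
# Addresses come from documentation ranges and are not real hosts.
INTERNAL, ANY = ip_network("10.0.0.0/8"), ip_network("0.0.0.0/0")
WEB, MAIL = ip_network("203.0.113.10/32"), ip_network("203.0.113.25/32")

@dataclass
class Rule:
    action: str              # "allow" or "drop"
    proto: str               # "tcp" or "udp"
    src: object              # ip_network the source must fall in
    dst: object              # ip_network the destination must fall in
    dport: Optional[int]     # None matches any destination port

# Ordered rule set: the heaviest expected traffic (HTTP) sits on top so most
# packets match after one comparison; anything not matched is dropped.
RULES = [Rule("allow", "tcp", ANY, WEB, 80), Rule("allow", "tcp", ANY, MAIL, 25)]
RULES += [Rule("allow", "tcp", INTERNAL, ANY, p) for p in (80, 443, 21, 23, 22)]

class StatefulFilter:
    def __init__(self, rules):
        self.rules = rules
        self.state = set()   # allowed TCP connections as (src, sport, dst, dport)

    def decide(self, proto, src, sport, dst, dport, syn=True):
        """Return 'allow' or 'drop' for one packet; syn marks a TCP connection's
        first packet. Connections do not terminate here: the filter only decides
        whether to forward."""
        key, reply = (src, sport, dst, dport), (dst, dport, src, sport)
        # Packets of a connection already allowed pass on state alone; this is
        # the "state of the protocol" check, easy for TCP because TCP keeps state.
        if key in self.state or reply in self.state:
            return "allow"
        if proto == "tcp" and not syn:
            return "drop"    # non-SYN packet that belongs to no known connection
        for rule in self.rules:          # first match wins, so order matters
            if (rule.proto == proto and ip_address(src) in rule.src
                    and ip_address(dst) in rule.dst and rule.dport in (None, dport)):
                if rule.action == "allow":
                    self.state.add(key)
                return rule.action
        return "drop"                    # no rule matched: default deny
```

Appending a drop rule for one specific host below the broad web rule never fires, because the broad rule matches first; the specific rule must sit above it.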
26. Network Address Translation NAT
• Any organization that plans to install a firewall
will have to deal with addressing issues.
• At the root of the problem is the shortage of
IP address space.
• For example, most ISPs provide blocks of
16 or 32 addresses (which actually become 14
or 30 addresses when the broadcast addresses
are taken into account). The solution is NAT.
27. NAT
• NAT translates one or more addresses into other
addresses. So how does this help? When we
build our networks we use the 30 or so
addresses provided by the ISP for systems that
must be visible to the Internet.
• On the inside of the network, we use
addresses that are not visible from the Internet
but are translated by the NAT device.
28. NAT
• Mostly the firewall performs the NAT function.
Routers can also be used for this function if
necessary.
• Application layer firewalls perform NAT as part of
their design.
• Since all connections terminate on the firewall,
only the firewall’s address is visible to the
outside.
• Packet filtering firewalls also have this capability
but it must be configured during firewall setup.
29. NAT
• NAT can also provide a security function as
the hidden addresses of the internal systems
are not visible to the Internet.
30. Private Class Addresses
• Despite NAT we still need addresses for the
internal network. The choice of internal
addresses can cause all types of routing
problems if it is not done properly.
• RFC 1918 (an RFC, or Request for Comments, is
how Internet standards are published) specifies
what are called private class addresses.
31. Private Class Addresses
• These addresses are intended for use on
internal networks behind a firewall that
performs NAT.
• Subnet Mask?
32. Private Class Addresses
• None of these addresses are routable on the
Internet. If you attempt to ping a private
class address, the packets will be returned
with a "network unreachable" message.
33. Static NAT
• We architect a network to use private class
addresses and we want to use NAT to allow
systems to be accessible from the Internet. For
this situation, we use what is called static
NAT.
• Static NAT maps a single real address from the
organization’s external network to a system.
• Static NAT is a one-to-one configuration. For each
system that must be accessible from the Internet,
one real address is used.
34. Dynamic NAT
• Dynamic NAT differs from static NAT in that
many internal addresses are mapped to a single
real address.
• The real address that is used is the external
address of the firewall.
• The firewall then tracks the connections and uses
one port for each connection.
• Dynamic NAT is especially useful for desktop
clients who use Dynamic Host Configuration
Protocol (DHCP).
35. Dynamic NAT
• Systems that use dynamic NAT are not
addressable from the outside since only the
firewall maintains the mappings of ports to
systems and the mappings will change
regularly.
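The RFC 1918 check, static (one-to-one) NAT and dynamic (many-to-one, port-tracked) NAT from slides 30 to 35, as an added example that is not part of the lecture material. The firewall outside address 203.0.113.1 used in the usage below and the inside hosts are constructed documentation-range values; the port allocator is a simple counter standing in for whatever a real firewall does.

```python
from ipaddress import ip_address, ip_network
from itertools import count

# RFC 1918 private ranges with their subnet masks (the answer to "Subnet Mask?"):
RFC1918 = [ip_network("10.0.0.0/8"),       # 255.0.0.0
           ip_network("172.16.0.0/12"),    # 255.240.0.0
           ip_network("192.168.0.0/16")]   # 255.255.0.0

def is_rfc1918(addr):
    return any(ip_address(addr) in net for net in RFC1918)

class NatTable:
    """Static (one-to-one) and dynamic (many-to-one, port-tracked) NAT. The
    outside address is the firewall's own external address."""
    def __init__(self, outside_ip, first_port=40000):
        self.outside_ip = outside_ip
        self.static = {}      # inside ip -> dedicated real ip
        self.dynamic = {}     # (inside ip, inside port) -> outside port
        self.reverse = {}     # outside port -> (inside ip, inside port)
        self.ports = count(first_port)   # constructed port allocator

    def add_static(self, inside_ip, real_ip):
        if not is_rfc1918(inside_ip):
            raise ValueError(f"{inside_ip} is not an RFC 1918 address")
        if is_rfc1918(real_ip):
            raise ValueError(f"{real_ip} is private and not routable on the Internet")
        if real_ip in self.static.values():
            raise ValueError("static NAT is one-to-one; real address already used")
        self.static[inside_ip] = real_ip

    def outbound(self, inside_ip, inside_port):
        """Rewrite the source of a packet leaving the network."""
        if inside_ip in self.static:
            return self.static[inside_ip], inside_port
        key = (inside_ip, inside_port)
        if key not in self.dynamic:       # new connection: allocate one port
            port = next(self.ports)
            self.dynamic[key] = port
            self.reverse[port] = key
        return self.outside_ip, self.dynamic[key]

    def inbound(self, real_ip, port):
        """Rewrite the destination of an arriving packet, or None if unreachable."""
        for inside_ip, mapped in self.static.items():
            if mapped == real_ip:
                return inside_ip, port      # static hosts reachable on any port
        if real_ip == self.outside_ip and port in self.reverse:
            return self.reverse[port]       # only a mapping an inside host opened
        return None                         # dynamic NAT hosts cannot be reached unsolicited
```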
37. VPNs
• Private networks have been used by
organizations to communicate with remote sites
and with other organizations.
• They are made up of lines leased from the various
phone companies and ISPs.
• Leased lines create a real circuit between the two
sites.
• Private networks have many advantages.
• Their disadvantage is cost.
• Solution: Virtual Private Networks.
38. Defining VPNs
• With the increasing use of the Internet, many
organizations have moved to Virtual Private
Networks (VPN).
• VPNs offer organizations many of the
advantages of private networks with a lower
cost.
• However, VPNs introduce a whole new set of
issues and risks for an organization.
39. VPNs
• VPNs use a public network like the Internet to
send data securely.
• We separate our traffic from everyone else's
through encryption.
• Much of the traffic on the Internet is sent in the
clear, so that anyone watching the traffic can see
exactly what is going by.
• This is true for most mail and Web traffic as well as
telnet and FTP sessions. Secure Shell (SSH) and
HyperText Transfer Protocol Secure (HTTPS) traffic
is encrypted.
40. VPNs
• VPNs have several characteristics:
• Traffic is encrypted so as to prevent
eavesdropping.
• The remote site is authenticated.
• Multiple protocols are supported over the
VPN.
• The connection is point to point.
41. VPNs
• VPN packets are mixed in with the regular
traffic flow on the Internet and segregated
because only the end points of the connection
can read the traffic.
43. VPN Types
• VPNs are generally separated into two types:
user VPNs and site VPNs.
44. User VPNs
• User VPNs are virtual private networks between
an individual user machine and an organization
site or network.
• Often user VPNs are used for employees who
travel or work from home.
• The organization's site requires the user to
authenticate and, if successful, allows the user
access to the organization's internal network as if
the user were within the site and physically on
the network. Speed is lower, limited by the user's
connection.
45. User VPNs
• While the user has a VPN back to the
organization's internal network, he or she also
has a connection to the Internet and can surf
the Web or perform other activities like a
normal Internet user.
46. Benefits of User VPNs
• Employees who travel can have access to e-mail,
files, and internal systems wherever they are
without the need for expensive long distance
calls to dial-in servers.
• Employees who work from home can have the
same access to network services as employees
who work from the organization facilities without
the requirement for expensive leased lines.
• Cost savings and speed.
47. Issues with user VPNs
• User VPNs bring significant security risks and
implementation issues.
• The biggest single security issue with the use of a
VPN by an employee is the simultaneous connection
to other Internet sites.
• If the user's computer has been compromised
with a Trojan Horse program, it may be possible
for some external, unauthorized user to use the
employee's computer to connect to the
organization's internal network.
48. Issues with User VPNs
• User VPNs require the same attention to user-
management issues as internal systems.
• Decide which users require remote VPN access and
which do not.
• Also consider what happens when an employee
leaves the job.
• Users must authenticate themselves before
using the VPN.
• Organizations must also be concerned with
traffic loads from many simultaneous VPN
connections.
49. Managing User VPNs
• Managing user VPNs is primarily an issue of managing
the users and user computer systems.
• User-management procedures must remain in force
through employee separation.
• User systems must run proper VPN software versions
and configurations.
• If the computers are owned by the organization, this
becomes part of the standard software load for the
computer.
• If the organization allows employees to use the VPN
from their home computers, the organization will need
to increase overall support to these users and
configurations.
50. Managing User VPNs
• One key aspect of the user VPN that should
not be forgotten is the use of a good anti-virus
software package on the user’s computer.