Network security chapter 6 and 7 internet architecture
Internet Architecture
Course: Network Security
BCS 6th / MCS 4th Term
Salam Ullah Khan
Services to Offer
• The first question that must be answered with regard to Internet architecture is: what services will the organization provide via the Internet?
• The services that will be offered, and who will be accessing them, will greatly impact the overall architecture.
Mail
• Mail is generally offered to internal employees to send and receive messages.
• This service requires that at least one server be established to receive inbound mail.
• If higher availability is required, at least two mail servers are required.
Mail
• An organization may also choose to establish public mail relays for such things as e-mail discussion groups. Such systems are normally referred to as list servers.
• These systems allow external people to send mail to the system, and the system resends that message to the subscribers of the list.
Web
• To publish information to customers or partners via the World Wide Web, the organization needs to establish a Web server.
• The Web server may be hosted at another location or it may be hosted internally.
• Web servers can provide simple, static content or dynamic content.
• Access to the Web site can be public, or it can be restricted, e.g. over HTTPS (port 443) behind a login system.
Web
• An FTP server allows external individuals to get or send files using a Web browser or FTP client software.
• It can be anonymous, or it can require a login ID and password.
Internal Access to the Internet
• How employees access the Internet should be governed by organization policy.
• Organizations may allow any service they choose, including instant messaging, chat, and streaming video or audio, or they may allow access only to certain Web sites.
Internal Access to Internet
External Access to Internal Systems
• A touchy subject for security and network staff.
• External access can take two forms: employee access (usually from remote locations as part of their job) or non-employee access.
• Employee access to internal systems from remote locations is usually accomplished through the use of a virtual private network (VPN) over the Internet.
External Access to Internal Systems
• External organizations may require access to internal systems.
• Even access by trusted business partners must be mediated to manage risk.
• External access may be accomplished through the use of VPNs, dial-up lines, or leased lines.
FIREWALLS
• A firewall is a network access control device that is designed to deny all traffic except that which is explicitly allowed.
• It is different from a router: a firewall is a security device that allows only appropriate traffic to flow, while a router is a network device.
Firewalls
• Firewalls can be configured to allow traffic based on the service, the IP address of the source or destination, or the ID of the user requesting the service.
• Firewalls can also be configured to log all traffic.
• The firewall rules do all the work.
Types of Firewalls
• There are two general types of firewalls:
• Application layer firewalls
• Packet filtering firewalls.
Application Layer Firewalls
• Application layer firewalls (also called proxy firewalls) are software packages that sit on top of general-purpose operating systems or on firewall appliances.
• The firewall will have multiple interfaces, one for each network to which it is connected.
• A set of policy rules defines how traffic from one network is transported to any other.
• All connections terminate on the firewall.
• Policy rules are enforced through the use of proxies. On an application layer firewall, each protocol to be allowed must have its own proxy.
Application Layer Firewalls
• Application layer firewalls will have proxies for the most commonly used protocols, such as HTTP, SMTP, FTP, and telnet. Other proxies may not be available, and if a proxy is not available, the protocol cannot be used across the firewall.
• The firewall also hides the addresses of the systems behind it.
Packet Filtering Firewalls
• Packet filtering firewalls are also software packages.
• The firewall will have multiple interfaces, one for each network to which it is connected.
• Like the application layer firewall, a set of policy rules defines how traffic from one network is transported to any other.
• If a rule does not specifically allow the traffic to flow, the firewall will deny or drop the packets.
Packet Filtering Firewalls
• Policy rules are enforced through the use of packet inspection filters.
• The filters examine the packets and determine whether the traffic is allowed based on the policy rules and the state of the protocol.
• If the protocol is running over TCP, state determination is relatively easy, as TCP itself maintains state.
• And if the protocol runs over UDP?
Packet Filtering Firewalls
• With a packet filtering firewall, connections do not terminate on the firewall but instead travel directly to the destination system.
• As the packets arrive at the firewall, the firewall determines whether the packet and the connection state are allowed by the policy rules.
• Allow or drop?
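The three packet filtering slides above describe a filter that decides on "the policy rules and the state of the protocol" and ask what happens for UDP. The following is an added example, not code from the slides or from any firewall product: a toy stateful filter in Python that learns TCP state from the handshake flags it sees and, for UDP, which has no handshake, invents a pseudo-state that is forgotten after a timeout. The Packet class, the `10.0.0.` string test for "inside", and all addresses and timestamps are constructed for the demonstration.

```python
# Added example (not from the slides): a toy stateful packet filter that
# derives TCP state from the handshake flags and gives UDP, which has no
# handshake, a timeout-based pseudo-state. Addresses and times are constructed.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:          # hypothetical packet summary used by this example
    proto: str         # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    flags: str = ""    # TCP flags: "S" (SYN), "SA" (SYN/ACK), "A", "F", "R"
    ts: float = 0.0    # arrival time in seconds on a constructed clock

UDP_TIMEOUT = 30.0     # seconds of silence after which a UDP flow is forgotten

class StatefulFilter:
    """Inside hosts may open flows; outside hosts may only answer flows
    already present in the state table. Everything else is dropped."""

    def __init__(self, inside_prefix):
        self.inside_prefix = inside_prefix   # toy "inside" test: string prefix
        self.table = {}                      # flow key -> (state, last_seen)

    def _key(self, p):
        # Direction-independent key so a reply finds the entry its request created.
        ends = sorted([(p.src, p.sport), (p.dst, p.dport)])
        return (p.proto, ends[0], ends[1])

    def _from_inside(self, p):
        return p.src.startswith(self.inside_prefix)

    def _expire_udp(self, now):
        stale = [k for k, (state, seen) in self.table.items()
                 if state == "UDP" and now - seen > UDP_TIMEOUT]
        for k in stale:
            del self.table[k]

    def inspect(self, p):
        self._expire_udp(p.ts)
        key = self._key(p)
        if p.proto == "tcp":
            return self._tcp(p, key)
        if p.proto == "udp":
            return self._udp(p, key)
        return "DROP"

    def _tcp(self, p, key):
        state = self.table.get(key, (None, 0.0))[0]
        if state is None:
            # Only an inside-originated SYN may create a new flow.
            if p.flags == "S" and self._from_inside(p):
                self.table[key] = ("SYN_SENT", p.ts)
                return "ALLOW"
            return "DROP"
        if state == "SYN_SENT" and p.flags == "SA" and not self._from_inside(p):
            self.table[key] = ("ESTABLISHED", p.ts)
            return "ALLOW"
        if state == "ESTABLISHED":
            if "F" in p.flags or "R" in p.flags:
                del self.table[key]          # connection closing: forget it
            else:
                self.table[key] = (state, p.ts)
            return "ALLOW"
        return "DROP"

    def _udp(self, p, key):
        # No handshake to observe: remember the request and accept answers
        # to it for UDP_TIMEOUT seconds, then forget the flow.
        if key in self.table or self._from_inside(p):
            self.table[key] = ("UDP", p.ts)
            return "ALLOW"
        return "DROP"

def demo():
    """Constructed traffic: an inside web client, an unsolicited outside SYN,
    and a DNS query whose reply arrives once in time and once too late."""
    fw = StatefulFilter("10.0.0.")
    traffic = [
        Packet("tcp", "10.0.0.5", 40000, "203.0.113.10", 80, "S", 1.0),
        Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, "SA", 1.1),
        Packet("tcp", "203.0.113.10", 80, "10.0.0.5", 40000, "A", 1.2),
        Packet("tcp", "198.51.100.7", 5555, "10.0.0.5", 22, "S", 2.0),
        Packet("udp", "10.0.0.5", 53000, "203.0.113.53", 53, "", 3.0),
        Packet("udp", "203.0.113.53", 53, "10.0.0.5", 53000, "", 3.5),
        Packet("udp", "203.0.113.53", 53, "10.0.0.5", 53000, "", 60.0),
    ]
    return [fw.inspect(p) for p in traffic]

if __name__ == "__main__":
    print(demo())
```

The outside SYN to port 22 is dropped because no inside host created that flow, and the late DNS reply is dropped because the UDP pseudo-state expired; a real filter would also age out TCP entries and validate sequence numbers, which this toy omits.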
Hybrid firewalls are also available now.
Firewall Configuration
• Web server offering service on port 80 only.
• Mail server offering service on port 25 only.
• The Internet policy for the organization allows internal users to use the following services:
• HTTP
• HTTPS
• FTP
• Telnet
• SSH
Firewall Configuration
• Single Firewall
• Dual Firewalls
Firewall Rule set Design
• Good rule set design can be as important to a firewall as good hardware.
• Firewalls work on "first match" when deciding whether to accept or reject a packet, i.e. the most specific rules should be placed at the top of the rule set, and so on.
• The more rules that must be examined for each packet, the more processing the firewall must do. So keep the rule set efficient and short.
Firewall Rule set Design
• First, look at the expected traffic load of the firewall and rank the traffic types in order.
• HTTP traffic will be the largest, so keep it at the top of the list.
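To make the "first match" and ordering points concrete, here is an added example (not code from the slides, and not the syntax of any real firewall product) that encodes the Firewall Configuration policy above as an ordered rule list: Web server on port 80 only, mail server on port 25 only, and internal users allowed HTTP, HTTPS, FTP, Telnet and SSH. It counts how many rules each packet traverses, which is the processing cost the slide says to minimise, and shows what first-match ordering does when the catch-all deny is placed first. The internal network, server addresses and sample packets are constructed (RFC 5737 documentation ranges).

```python
# Added example (not from the slides): a first-match rule set for the
# slides' stated policy, with traversal-cost counting. Addresses constructed.
import ipaddress
from collections import Counter

INTERNAL = ipaddress.ip_network("192.168.10.0/24")      # constructed
WEB_SERVER = ipaddress.ip_address("203.0.113.10")       # constructed
MAIL_SERVER = ipaddress.ip_address("203.0.113.25")      # constructed
ANY = ipaddress.ip_network("0.0.0.0/0")

def host(ip):
    return ipaddress.ip_network(f"{ip}/32")

def rule(name, action, src, dst, dport=None, log=False):
    """A rule matches on source network, destination network and (optionally)
    destination port; dport=None matches every port."""
    return {"name": name, "action": action, "src": src, "dst": dst,
            "dport": dport, "log": log}

# Ordered as the slide advises: the heaviest expected traffic (HTTP) first,
# the specific server rules next, and the catch-all deny last.
RULESET = [
    rule("out-http",   "allow", INTERNAL, ANY, 80),
    rule("out-https",  "allow", INTERNAL, ANY, 443),
    rule("in-web",     "allow", ANY, host(WEB_SERVER), 80),
    rule("in-mail",    "allow", ANY, host(MAIL_SERVER), 25),
    rule("out-ssh",    "allow", INTERNAL, ANY, 22),
    rule("out-ftp",    "allow", INTERNAL, ANY, 21),
    rule("out-telnet", "allow", INTERNAL, ANY, 23, log=True),  # cleartext: log it
    rule("deny-all",   "deny",  ANY, ANY, None, log=True),
]
IMPLICIT_DENY = rule("implicit-deny", "deny", ANY, ANY, None, log=True)

def first_match(ruleset, src, dst, dport):
    """Walk the rules in order; the first one that matches decides.
    Returns (rule, number_of_rules_examined)."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for examined, r in enumerate(ruleset, 1):
        if s in r["src"] and d in r["dst"] and r["dport"] in (None, dport):
            return r, examined
    return IMPLICIT_DENY, len(ruleset)   # default-deny even without a final rule

def evaluate(ruleset, packets):
    """Returns the (action, rule name) per packet, the rules examined per
    rule name, and the log lines the logging rules produced."""
    decisions, cost, log = [], Counter(), []
    for src, dst, dport in packets:
        r, examined = first_match(ruleset, src, dst, dport)
        decisions.append((r["action"], r["name"]))
        cost[r["name"]] += examined
        if r["log"]:
            log.append(f"{r['name']}: {src} -> {dst}:{dport} {r['action']}")
    return decisions, cost, log

SAMPLE_PACKETS = [  # (src, dst, dport), constructed
    ("192.168.10.7", "198.51.100.80", 80),   # browsing: heaviest, hits rule 1
    ("198.51.100.9", "203.0.113.10", 80),    # customer to the web server
    ("198.51.100.9", "203.0.113.25", 25),    # inbound mail
    ("198.51.100.9", "203.0.113.10", 22),    # ssh to the web server: denied
    ("192.168.10.7", "198.51.100.80", 23),   # internal telnet: allowed, logged
    ("198.51.100.9", "192.168.10.7", 80),    # outside straight to inside: denied
]

def misordered_demo():
    """Catch-all first: with first-match semantics no later rule is reached."""
    bad = [RULESET[-1]] + RULESET[:-1]
    decisions, _, _ = evaluate(bad, SAMPLE_PACKETS)
    return {name for _, name in decisions}

if __name__ == "__main__":
    for line in evaluate(RULESET, SAMPLE_PACKETS)[2]:
        print(line)
```

The browsing packet is decided after examining a single rule, while denied packets walk all eight; moving the HTTP rule down the list would make the most frequent traffic the most expensive to classify.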
Network Address Translation (NAT)
• Any organization that plans to install a firewall will have to deal with addressing issues.
• At the root of the problem is the shortage of IP address space.
• For example, most ISPs will provide blocks of 16 or 32 addresses (which actually become 14 or 30 usable addresses when the network and broadcast addresses are taken into account). The solution is NAT.
NAT
• NAT translates one or more addresses into other addresses. So how does this help? When we build our networks, we use the 30 or so addresses provided by the ISP for systems that must be visible to the Internet.
• On the inside of the network, we use addresses that are not visible but are translated.
NAT
• Mostly the firewall performs the NAT function. Routers can also be used for this function if necessary.
• Application layer firewalls perform NAT as part of their design: since all connections terminate on the firewall, only the firewall's address is visible to the outside.
• Packet filtering firewalls also have this capability, but it must be configured during firewall setup.
NAT
• NAT can also provide a security function, as the hidden addresses of the internal systems are not visible to the Internet.
Private Class Addresses
• Despite NAT, we still need addresses for the internal network. The choice of internal addresses can cause all types of routing problems if it is not done properly.
• RFC 1918 (an RFC, or Request for Comments, is how Internet standards are published) specifies what are called private class addresses.
Private Class Addresses
• These addresses are intended for use on internal networks behind a firewall that performs NAT.
• Subnet mask?
Private Class Addresses
• None of these addresses are routable on the Internet. If you attempt to ping a private class address, the packets will be returned with a "network unreachable" message.
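The slides ask "Subnet mask?" for the RFC 1918 ranges and, earlier under NAT, state that an ISP block of 16 or 32 addresses leaves 14 or 30 usable ones. The following added example (not from the slides) uses Python's standard `ipaddress` module to list the three RFC 1918 blocks with their masks, do the usable-host arithmetic, and check a proposed address plan so that private addresses end up inside and only public ones are used for Internet-visible systems. The sample plan and the public blocks are constructed (RFC 5737 documentation ranges).

```python
# Added example (not from the slides): RFC 1918 ranges, their subnet masks,
# usable-host arithmetic, and an address-plan check. Sample data constructed.
import ipaddress

# The three private blocks defined by RFC 1918.
RFC1918 = [ipaddress.ip_network(n)
           for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def private_block_table():
    """(block, dotted subnet mask, number of addresses) for each RFC 1918 range."""
    return [(str(n), str(n.netmask), n.num_addresses) for n in RFC1918]

def is_rfc1918(addr):
    """True only for the three RFC 1918 blocks. (ipaddress.is_private is wider:
    it also covers loopback, link-local and other reserved ranges.)"""
    a = ipaddress.ip_address(addr)
    return any(a in n for n in RFC1918)

def usable_hosts(network):
    """Host addresses an ISP block actually leaves: total minus the network
    and broadcast addresses (prefixes of /31 and /32 have no such overhead)."""
    n = ipaddress.ip_network(network, strict=False)
    return n.num_addresses - 2 if n.prefixlen < 31 else n.num_addresses

def check_plan(plan):
    """plan: {hostname: (address, internet_visible)}, constructed input.
    Returns the hosts whose address type contradicts their role: a private
    address on an Internet-visible system needs a NAT mapping, and a public
    address burned on an inside-only system wastes the ISP block."""
    problems = []
    for name, (addr, visible) in plan.items():
        private = is_rfc1918(addr)
        if visible and private:
            problems.append((name, "visible system on private address: needs static NAT"))
        if not visible and not private:
            problems.append((name, "inside-only system using a public address"))
    return problems

SAMPLE_PLAN = {                                # constructed
    "web":     ("203.0.113.10", True),
    "mail":    ("203.0.113.25", True),
    "intranet": ("172.16.4.20", True),         # visible but private
    "desktop": ("10.20.30.40", False),
    "printer": ("203.0.113.30", False),        # inside-only but public
}

if __name__ == "__main__":
    for row in private_block_table():
        print(row)
    print(usable_hosts("203.0.113.0/28"), usable_hosts("203.0.113.32/27"))
    print(check_plan(SAMPLE_PLAN))
```

The masks come straight out of the prefix lengths (/8, /12, /16); the /12 block is the one people most often get wrong, since 172.16.0.0 to 172.31.255.255 is private but 172.32.0.0 is not.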
Static NAT
• We architect a network to use private class addresses, and we want to use NAT to allow some systems to be accessible from the Internet. For this situation, we use what is called static NAT.
• Static NAT maps a single real address from the organization's external network to a system.
• Static NAT is a one-to-one configuration. For each system that must be accessible from the Internet, one real address is used.
Dynamic NAT
• Dynamic NAT differs from static NAT in that many internal addresses are mapped to a single real address.
• The real address that is used is the external address of the firewall.
• The firewall then tracks the connections and uses one port for each connection.
• Dynamic NAT is especially useful for desktop clients that use Dynamic Host Configuration Protocol (DHCP).
Dynamic NAT
• Systems that use dynamic NAT are not addressable from the outside, since only the firewall maintains the mappings of ports to systems, and the mappings change regularly.
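The static and dynamic NAT slides describe two translation tables: a fixed one-to-one map for Internet-visible systems, and a per-connection port map behind the firewall's single external address. This added example (not from the slides or from any firewall's implementation) models both in Python so the difference in reachability can be exercised: a statically mapped server accepts new inbound connections, a dynamically translated desktop is reachable only through a port the firewall allocated for its own outbound connection, and that port stops working once the mapping expires. Addresses are constructed; a real NAT keys dynamic entries on the remote endpoint too, which this toy omits.

```python
# Added example (not from the slides): static one-to-one NAT beside dynamic
# many-to-one NAT with per-connection port allocation. Addresses constructed.
import itertools

class Nat:
    def __init__(self, external_ip, static_map=None, first_port=1024):
        self.external_ip = external_ip
        # Static NAT: inside address <-> dedicated public address, both directions.
        self.static_in2out = dict(static_map or {})
        self.static_out2in = {pub: inside for inside, pub in self.static_in2out.items()}
        # Dynamic NAT: (inside ip, inside port) <-> public port on external_ip.
        self.dyn_in2out = {}
        self.dyn_out2in = {}
        self._ports = itertools.count(first_port)   # next free public port

    def outbound(self, src_ip, src_port):
        """Translate an inside source. Returns the (ip, port) the Internet sees."""
        if src_ip in self.static_in2out:
            return self.static_in2out[src_ip], src_port   # one-to-one: port kept
        key = (src_ip, src_port)
        if key not in self.dyn_in2out:                    # first packet of a flow
            pub_port = next(self._ports)
            self.dyn_in2out[key] = pub_port
            self.dyn_out2in[pub_port] = key
        return self.external_ip, self.dyn_in2out[key]

    def inbound(self, dst_ip, dst_port):
        """Translate a packet arriving from the Internet.
        Returns the inside (ip, port), or None when no mapping exists (drop)."""
        if dst_ip in self.static_out2in:
            return self.static_out2in[dst_ip], dst_port
        if dst_ip == self.external_ip and dst_port in self.dyn_out2in:
            return self.dyn_out2in[dst_port]
        return None

    def expire(self, src_ip, src_port):
        """Drop a dynamic mapping when its connection ends: this is why the
        slide says dynamic mappings change regularly."""
        pub_port = self.dyn_in2out.pop((src_ip, src_port), None)
        if pub_port is not None:
            del self.dyn_out2in[pub_port]

def demo():
    """Constructed scenario: one statically mapped web server, two desktops
    sharing the firewall's external address."""
    nat = Nat("203.0.113.1", static_map={"192.168.1.10": "203.0.113.10"})
    out = {}
    out["web_server_out"] = nat.outbound("192.168.1.10", 80)     # static: port unchanged
    out["client_a"] = nat.outbound("192.168.1.50", 40000)        # dynamic: first public port
    out["client_b"] = nat.outbound("192.168.1.51", 40000)        # same inside port, new public port
    out["reply_to_a"] = nat.inbound("203.0.113.1", 1024)         # answer finds client A
    out["new_to_web"] = nat.inbound("203.0.113.10", 80)          # unsolicited, but static: reachable
    out["new_to_client"] = nat.inbound("203.0.113.1", 2222)      # unsolicited to a desktop: dropped
    nat.expire("192.168.1.50", 40000)
    out["after_expire"] = nat.inbound("203.0.113.1", 1024)       # old port no longer maps
    return out

if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k:15} {v}")
```

The two desktops both used inside port 40000, which is exactly why the firewall has to allocate distinct public ports and keep the table: the external address alone does not identify the inside system.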
Chapter 7
Virtual Private Networks (VPN)
VPNs
• Private networks have been used by organizations to communicate with remote sites and with other organizations.
• They are made up of lines leased from the various phone companies and ISPs.
• Leased lines create a real circuit between the two sites.
• Private networks have many advantages.
• Their disadvantage: cost.
• Solution: Virtual Private Networks.
Defining VPNs
• With the increasing use of the Internet, many organizations have moved to Virtual Private Networks (VPNs).
• VPNs offer organizations many of the advantages of private networks at a lower cost.
• However, VPNs introduce a whole new set of issues and risks for an organization.
VPNs
• VPNs use a public network like the Internet to send data securely.
• We separate our traffic from everyone else's.
• Encryption
• Much of the traffic on the Internet is sent in the clear, so that anyone watching the traffic can see exactly what is going by.
• This is true for most mail and Web traffic as well as telnet and FTP sessions. Secure Shell (SSH) and HyperText Transfer Protocol Secure (HTTPS) traffic is encrypted.
VPNs
• VPNs have several characteristics:
• Traffic is encrypted so as to prevent eavesdropping.
• The remote site is authenticated.
• Multiple protocols are supported over the VPN.
• The connection is point to point.
VPNs
• VPN packets are mixed in with the regular traffic flow on the Internet and segregated because only the end points of the connection can read the traffic.
VPN Types
• VPNs are generally separated into two types: user VPNs and site VPNs.
User VPNs
• User VPNs are virtual private networks between an individual user machine and an organization site or network.
• Often user VPNs are used for employees who travel or work from home.
• The organization's site requests the user to authenticate and, if successful, allows the user access to the organization's internal network as if the user were within the site and physically on the network. Speed is lower because of the user's connection.
User VPNs
• While the user has a VPN back to the organization's internal network, he or she also has a connection to the Internet and can surf the Web or perform other activities like a normal Internet user.
Benefits of User VPNs
• Employees who travel can have access to e-mail, files, and internal systems wherever they are, without the need for expensive long distance calls to dial-in servers.
• Employees who work from home can have the same access to network services as employees who work from the organization's facilities, without the requirement for expensive leased lines.
• Cost saving + speed
Issues with User VPNs
• User VPNs bring significant security risks and implementation issues.
• The biggest single security issue with the use of a VPN by an employee is the simultaneous connection to other Internet sites.
• If the user's computer has been compromised with a Trojan Horse program, it may be possible for some external, unauthorized user to use the employee's computer to connect to the organization's internal network.
Issues with User VPNs
• User VPNs require the same attention to user-management issues as internal systems.
• Decide which users require remote VPN access and which do not.
• Also consider what happens when an employee leaves the job.
• Users must authenticate themselves before using the VPN.
• Organizations must also be concerned with traffic loads due to the many VPN connections.
Managing User VPNs
• Managing user VPNs is primarily an issue of managing the users and the user computer systems.
• Procedures must be in place for the whole of a user's tenure, up to and including employee separation.
• Proper VPN software versions and configurations must be maintained.
• If the computers are owned by the organization, this becomes part of the standard software load for the computer.
• If the organization allows employees to use the VPN from their home computers, the organization will need to increase overall support to these users and configurations.
Managing User VPNs
• One key aspect of the user VPN that should not be forgotten is the use of a good anti-virus software package on the user's computer.

More Related Content

What's hot

1 introduction-to-computer-networking
1 introduction-to-computer-networking1 introduction-to-computer-networking
1 introduction-to-computer-networkingPriya Manik
 
Telecommunications and Network Security Presentation
Telecommunications and Network Security PresentationTelecommunications and Network Security Presentation
Telecommunications and Network Security PresentationWajahat Rajab
 
Basic networking
Basic networkingBasic networking
Basic networkingworr1244
 
Computer networks basic network_hardware_1
Computer networks basic network_hardware_1Computer networks basic network_hardware_1
Computer networks basic network_hardware_1Aneesh Nelavelly
 
Internet architecture protocol
Internet architecture protocolInternet architecture protocol
Internet architecture protocolGLIM Digital
 
A Course Outline About Computer Networks
A Course Outline About Computer NetworksA Course Outline About Computer Networks
A Course Outline About Computer Networksadil raja
 
Computer networks--osi model
Computer networks--osi modelComputer networks--osi model
Computer networks--osi modelAditya Mehta
 
Presentation On Computer Network
Presentation On Computer NetworkPresentation On Computer Network
Presentation On Computer NetworkAvinash Ranjan
 
Basic Concepts of Networking
Basic Concepts of NetworkingBasic Concepts of Networking
Basic Concepts of NetworkingVivin NL
 
Computer Network, Internet, Computer Security and Cyber Ethics
Computer Network, Internet, Computer Security and Cyber EthicsComputer Network, Internet, Computer Security and Cyber Ethics
Computer Network, Internet, Computer Security and Cyber EthicsSubas Paudel
 
Advanced computer network
Advanced computer networkAdvanced computer network
Advanced computer networkTrinity Dwarka
 
Basics Of Comuter Networking
Basics Of Comuter NetworkingBasics Of Comuter Networking
Basics Of Comuter Networkinganishgoel
 
Computer Networking 101
Computer Networking 101Computer Networking 101
Computer Networking 101Sameer Mahajan
 
Data communication MIS
Data communication MISData communication MIS
Data communication MISJerome Aljibe
 

What's hot (20)

1 introduction-to-computer-networking
1 introduction-to-computer-networking1 introduction-to-computer-networking
1 introduction-to-computer-networking
 
Data communication lecture 02
Data communication lecture 02Data communication lecture 02
Data communication lecture 02
 
Telecommunications and Network Security Presentation
Telecommunications and Network Security PresentationTelecommunications and Network Security Presentation
Telecommunications and Network Security Presentation
 
Basic networking
Basic networkingBasic networking
Basic networking
 
Computer networks basic network_hardware_1
Computer networks basic network_hardware_1Computer networks basic network_hardware_1
Computer networks basic network_hardware_1
 
Internet architecture protocol
Internet architecture protocolInternet architecture protocol
Internet architecture protocol
 
A Course Outline About Computer Networks
A Course Outline About Computer NetworksA Course Outline About Computer Networks
A Course Outline About Computer Networks
 
NETWORK COMPONENTS
NETWORK COMPONENTSNETWORK COMPONENTS
NETWORK COMPONENTS
 
Computer networks--osi model
Computer networks--osi modelComputer networks--osi model
Computer networks--osi model
 
Presentation On Computer Network
Presentation On Computer NetworkPresentation On Computer Network
Presentation On Computer Network
 
Networking (2)
Networking (2)Networking (2)
Networking (2)
 
Wireless communications
Wireless communicationsWireless communications
Wireless communications
 
Basic Concepts of Networking
Basic Concepts of NetworkingBasic Concepts of Networking
Basic Concepts of Networking
 
Networking basics
Networking basicsNetworking basics
Networking basics
 
Computer Network, Internet, Computer Security and Cyber Ethics
Computer Network, Internet, Computer Security and Cyber EthicsComputer Network, Internet, Computer Security and Cyber Ethics
Computer Network, Internet, Computer Security and Cyber Ethics
 
Advanced computer network
Advanced computer networkAdvanced computer network
Advanced computer network
 
Basics Of Comuter Networking
Basics Of Comuter NetworkingBasics Of Comuter Networking
Basics Of Comuter Networking
 
Networking concepts
Networking conceptsNetworking concepts
Networking concepts
 
Computer Networking 101
Computer Networking 101Computer Networking 101
Computer Networking 101
 
Data communication MIS
Data communication MISData communication MIS
Data communication MIS
 

Viewers also liked

Python + STIX = Awesome
Python + STIX = AwesomePython + STIX = Awesome
Python + STIX = Awesomestixproject
 
Everything about TAXII
Everything about TAXIIEverything about TAXII
Everything about TAXIIstixproject
 
SANS_Minneapolis_2015_ThreatIntelligence_NeighborhoodWatchForYourNetworks
SANS_Minneapolis_2015_ThreatIntelligence_NeighborhoodWatchForYourNetworksSANS_Minneapolis_2015_ThreatIntelligence_NeighborhoodWatchForYourNetworks
SANS_Minneapolis_2015_ThreatIntelligence_NeighborhoodWatchForYourNetworksMatthew J. Harmon
 
Mobile Security Basics
Mobile Security BasicsMobile Security Basics
Mobile Security Basicsanandraje
 
Computer security basics
Computer security  basicsComputer security  basics
Computer security basicsSrinu Potnuru
 
Plmce mysql-101-security-basics
Plmce mysql-101-security-basicsPlmce mysql-101-security-basics
Plmce mysql-101-security-basicsDavid Busby, CISSP
 
Introduction to STIX 101
Introduction to STIX 101Introduction to STIX 101
Introduction to STIX 101stixproject
 
Network basics
Network basicsNetwork basics
Network basicsJunaid AJ
 
Network security & cryptography
Network security & cryptographyNetwork security & cryptography
Network security & cryptographyRahulprasad Yadav
 
Network Basics & Internet
Network Basics & InternetNetwork Basics & Internet
Network Basics & InternetVNSGU
 
What exactly is the "Internet of Things"?
What exactly is the "Internet of Things"?What exactly is the "Internet of Things"?
What exactly is the "Internet of Things"?Dr. Mazlan Abbas
 
Basic concepts of computer Networking
Basic concepts of computer NetworkingBasic concepts of computer Networking
Basic concepts of computer NetworkingHj Habib
 
BASIC CONCEPTS OF COMPUTER NETWORKS
BASIC CONCEPTS OF COMPUTER NETWORKS BASIC CONCEPTS OF COMPUTER NETWORKS
BASIC CONCEPTS OF COMPUTER NETWORKS Kak Yong
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network securitypatisa
 
Introduction to computer network
Introduction to computer networkIntroduction to computer network
Introduction to computer networkAshita Agrawal
 

Viewers also liked (20)

Python + STIX = Awesome
Python + STIX = AwesomePython + STIX = Awesome
Python + STIX = Awesome
 
Everything about TAXII
Everything about TAXIIEverything about TAXII
Everything about TAXII
 
SANS_Minneapolis_2015_ThreatIntelligence_NeighborhoodWatchForYourNetworks
SANS_Minneapolis_2015_ThreatIntelligence_NeighborhoodWatchForYourNetworksSANS_Minneapolis_2015_ThreatIntelligence_NeighborhoodWatchForYourNetworks
SANS_Minneapolis_2015_ThreatIntelligence_NeighborhoodWatchForYourNetworks
 
Mobile Security Basics
Mobile Security BasicsMobile Security Basics
Mobile Security Basics
 
Security Basics
Security BasicsSecurity Basics
Security Basics
 
Computer security basics
Computer security  basicsComputer security  basics
Computer security basics
 
Plmce mysql-101-security-basics
Plmce mysql-101-security-basicsPlmce mysql-101-security-basics
Plmce mysql-101-security-basics
 
Introduction to STIX 101
Introduction to STIX 101Introduction to STIX 101
Introduction to STIX 101
 
Security Basics - Internet Safety
Security Basics - Internet SafetySecurity Basics - Internet Safety
Security Basics - Internet Safety
 
Network basics
Network basicsNetwork basics
Network basics
 
Network security & cryptography
Network security & cryptographyNetwork security & cryptography
Network security & cryptography
 
Network Basics & Internet
Network Basics & InternetNetwork Basics & Internet
Network Basics & Internet
 
Cryptography
CryptographyCryptography
Cryptography
 
Cryptography
CryptographyCryptography
Cryptography
 
What exactly is the "Internet of Things"?
What exactly is the "Internet of Things"?What exactly is the "Internet of Things"?
What exactly is the "Internet of Things"?
 
Basic concepts of computer Networking
Basic concepts of computer NetworkingBasic concepts of computer Networking
Basic concepts of computer Networking
 
BASIC CONCEPTS OF COMPUTER NETWORKS
BASIC CONCEPTS OF COMPUTER NETWORKS BASIC CONCEPTS OF COMPUTER NETWORKS
BASIC CONCEPTS OF COMPUTER NETWORKS
 
IoT architecture
IoT architectureIoT architecture
IoT architecture
 
Cryptography and network security
Cryptography and network securityCryptography and network security
Cryptography and network security
 
Introduction to computer network
Introduction to computer networkIntroduction to computer network
Introduction to computer network
 

Similar to Network security chapter 6 and 7 internet architecture

98 366 mva slides lesson 8
98 366 mva slides lesson 898 366 mva slides lesson 8
98 366 mva slides lesson 8suddenven
 
Firewalls (1).ppt
Firewalls (1).pptFirewalls (1).ppt
Firewalls (1).pptadnanetnzr
 
Firewalls presentation powerpoint powepoint
Firewalls presentation powerpoint powepointFirewalls presentation powerpoint powepoint
Firewalls presentation powerpoint powepointanxiousanoja
 
Firewall Design and Implementation
Firewall Design and ImplementationFirewall Design and Implementation
Firewall Design and Implementationajeet singh
 
Firewall Design and Implementation
Firewall Design and ImplementationFirewall Design and Implementation
Firewall Design and Implementationajeet singh
 
Module 7 Firewalls Part - 2 Presentation
Module 7 Firewalls Part - 2 PresentationModule 7 Firewalls Part - 2 Presentation
Module 7 Firewalls Part - 2 Presentation9921103075
 
Unit 5.3_Firewalls (1).ppt
Unit 5.3_Firewalls (1).pptUnit 5.3_Firewalls (1).ppt
Unit 5.3_Firewalls (1).pptAnuReddy68
 
Firewalls.ppt
Firewalls.pptFirewalls.ppt
Firewalls.pptKaushal72
 
BAIT1103 Chapter 8
BAIT1103 Chapter 8BAIT1103 Chapter 8
BAIT1103 Chapter 8limsh
 
Network defenses
Network defensesNetwork defenses
Network defensesG Prachi
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)Jainam Shah
 
windows server installation procedure or
windows server installation procedure orwindows server installation procedure or
windows server installation procedure orYogeshKumar187055
 

Similar to Network security chapter 6 and 7 internet architecture (20)

MVA slides lesson 8
MVA slides lesson 8MVA slides lesson 8
MVA slides lesson 8
 
98 366 mva slides lesson 8
98 366 mva slides lesson 898 366 mva slides lesson 8
98 366 mva slides lesson 8
 
Advance firewalls
Advance firewallsAdvance firewalls
Advance firewalls
 
Firewalls.ppt
Firewalls.pptFirewalls.ppt
Firewalls.ppt
 
Firewalls.ppt
Firewalls.pptFirewalls.ppt
Firewalls.ppt
 
Firewalls (1).ppt
Firewalls (1).pptFirewalls (1).ppt
Firewalls (1).ppt
 
Fw.ppt
Fw.pptFw.ppt
Fw.ppt
 
Firewalls.ppt
Firewalls.pptFirewalls.ppt
Firewalls.ppt
 
Firewalls presentation powerpoint powepoint
Firewalls presentation powerpoint powepointFirewalls presentation powerpoint powepoint
Firewalls presentation powerpoint powepoint
 
Firewall Design and Implementation
Firewall Design and ImplementationFirewall Design and Implementation
Firewall Design and Implementation
 
Firewall Design and Implementation
Firewall Design and ImplementationFirewall Design and Implementation
Firewall Design and Implementation
 
Module 7 Firewalls Part - 2 Presentation
Module 7 Firewalls Part - 2 PresentationModule 7 Firewalls Part - 2 Presentation
Module 7 Firewalls Part - 2 Presentation
 
firewall.ppt
firewall.pptfirewall.ppt
firewall.ppt
 
Firewalls.ppt
Firewalls.pptFirewalls.ppt
Firewalls.ppt
 
Unit 5.3_Firewalls (1).ppt
Unit 5.3_Firewalls (1).pptUnit 5.3_Firewalls (1).ppt
Unit 5.3_Firewalls (1).ppt
 
Firewalls.ppt
Firewalls.pptFirewalls.ppt
Firewalls.ppt
 
BAIT1103 Chapter 8
BAIT1103 Chapter 8BAIT1103 Chapter 8
BAIT1103 Chapter 8
 
Network defenses
Network defensesNetwork defenses
Network defenses
 
Firewall ( Cyber Security)
Firewall ( Cyber Security)Firewall ( Cyber Security)
Firewall ( Cyber Security)
 
windows server installation procedure or
windows server installation procedure orwindows server installation procedure or
windows server installation procedure or
 

Recently uploaded

Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxnegromaestrong
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...EduSkills OECD
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactBeyond the EU: DORA and NIS 2 Directive's Global Impact
Beyond the EU: DORA and NIS 2 Directive's Global ImpactPECB
 
How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17How to Give a Domain for a Field in Odoo 17
How to Give a Domain for a Field in Odoo 17Celine George
 
Introduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsIntroduction to Nonprofit Accounting: The Basics
Introduction to Nonprofit Accounting: The BasicsTechSoup
 
Web & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfWeb & Social Media Analytics Previous Year Question Paper.pdf
Web & Social Media Analytics Previous Year Question Paper.pdfJayanti Pande
 
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...
SECOND SEMESTER TOPIC COVERAGE SY 2023-2024 Trends, Networks, and Critical Th...KokoStevan
 
Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.Gardella_Mateo_IntellectualProperty.pdf.
Gardella_Mateo_IntellectualProperty.pdf.MateoGardella
 
1029 - Danh muc Sach Giao Khoa 10 . pdf
1029 -  Danh muc Sach Giao Khoa 10 . pdf1029 -  Danh muc Sach Giao Khoa 10 . pdf
1029 - Danh muc Sach Giao Khoa 10 . pdfQucHHunhnh
 
Accessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactAccessible design: Minimum effort, maximum impact
Accessible design: Minimum effort, maximum impactdawncurless
 
Unit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxUnit-IV- Pharma. Marketing Channels.pptx
Unit-IV- Pharma. Marketing Channels.pptxVishalSingh1417
 
The basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxThe basics of sentences session 2pptx copy.pptx
The basics of sentences session 2pptx copy.pptxheathfieldcps1
 
microwave assisted reaction. General introduction
microwave assisted reaction. General introductionmicrowave assisted reaction. General introduction
microwave assisted reaction. General introductionMaksud Ahmed
 
Making and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfMaking and Justifying Mathematical Decisions.pdf
Making and Justifying Mathematical Decisions.pdfChris Hunter
 
Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Sports & Fitness Value Added Course FY..
Sports & Fitness Value Added Course FY..Disha Kariya
 
Measures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDMeasures of Dispersion and Variability: Range, QD, AD and SD
Measures of Dispersion and Variability: Range, QD, AD and SDThiyagu K
 
APM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAPM Welcome, APM North West Network Conference, Synergies Across Sectors
APM Welcome, APM North West Network Conference, Synergies Across SectorsAssociation for Project Management
 

Recently uploaded (20)

Seal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptxSeal of Good Local Governance (SGLG) 2024Final.pptx
Seal of Good Local Governance (SGLG) 2024Final.pptx
 
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
Presentation by Andreas Schleicher Tackling the School Absenteeism Crisis 30 ...
 
Beyond the EU: DORA and NIS 2 Directive's Global Impact
Network security chapter 6 and 7 internet architecture

External Access to Internal Systems
• A touchy subject for security and network staff.
• External access can take two forms: employee access (usually from remote locations as part of their job) or non-employee access.
• Employee access to internal systems from remote locations is usually accomplished through the use of a virtual private network (VPN) over the Internet.

External Access to Internal Systems
• External organizations may require access to internal systems.
• Even access by trusted business partners must be mediated to manage risk.
• External access may be accomplished through the use of VPNs, dial-up lines, or leased lines.

Firewalls
• A firewall is a network access control device that is designed to deny all traffic except that which is explicitly allowed.
• It is different from a router: a firewall is a security device that allows only appropriate traffic to flow, while a router is a network device.

Firewalls
• Firewalls can be configured to allow traffic based on the service, the IP address of the source or destination, or the ID of the user requesting the service.
• Firewalls can also be configured to log all traffic.
• The firewall's rules do all the work.

Types of Firewalls
• There are two general types of firewalls:
• Application layer firewalls
• Packet filtering firewalls

Application Layer Firewalls
• Application layer firewalls (also called proxy firewalls) are software packages that sit on top of general-purpose operating systems or on firewall appliances.
• The firewall will have multiple interfaces, one for each network to which it is connected.
• A set of policy rules defines how traffic from one network is transported to any other.
• All connections terminate on the firewall.
• Policy rules are enforced through the use of proxies. On an application layer firewall, each protocol to be allowed must have its own proxy.

Application Layer Firewalls
• Application layer firewalls will have proxies for the most commonly used protocols such as HTTP, SMTP, FTP, and telnet. Other proxies may not be available. If a proxy is not available, the protocol cannot be used across the firewall.
• The firewall also hides the addresses of the systems behind it.

Packet Filtering Firewalls
• Packet filtering firewalls are also software packages.
• The firewall will have multiple interfaces, one for each network to which it is connected.
• Like the application layer firewall, a set of policy rules defines how traffic from one network is transported to any other.
• If a rule does not specifically allow the traffic to flow, the firewall will deny or drop the packets.

Packet Filtering Firewalls
• Policy rules are enforced through the use of packet inspection filters.
• The filters examine the packets and determine whether the traffic is allowed based on the policy rules and the state of the protocol.
• If the protocol is running over TCP, state determination is relatively easy, as TCP itself maintains state.
• What if the protocol runs over UDP?

Packet Filtering Firewalls
• With a packet filtering firewall, connections do not terminate on the firewall but instead travel directly to the destination system.
• As the packets arrive at the firewall, the firewall determines whether the packet and connection state are allowed by the policy rules.
• Allow or drop?

Hybrid Firewalls
• Hybrid firewalls are also available now.

Firewall Configuration
• A Web server offering service on port 80 only.
• A mail server offering service on port 25 only.
• The Internet policy for the organization allows internal users to use the following services:
• HTTP
• HTTPS
• FTP
• Telnet
• SSH

Firewall Configuration
• Single firewall
• Dual firewalls

Firewall Rule Set Design
• Good rule set design can be as important to a firewall as good hardware.
• Firewalls work on "first match" when deciding whether to accept or reject a packet, i.e. the most specific rules should be placed at the top of the rule set, and so on.
• The more rules that must be examined for each packet, the more processing must be done by the firewall. So keep the rule set efficient and short.

Firewall Rule Set Design
• First look at the expected traffic load of the firewall and rank the traffic types in order.
• HTTP traffic will be the largest, so keep it at the top of the list.
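Putting the packet filtering and rule set design slides together, here is an added example (not from the slides or any firewall product): a small Python model of a stateful, first-match packet filter loaded with the policy of the Firewall Configuration slide. It shows why rule order matters twice over: a specific deny placed below a broad allow is never reached, and putting the dominant HTTP rule at the top cuts the number of rules examined per packet. It also shows how state is handled: a TCP packet that belongs to no tracked connection and carries no SYN is dropped, while UDP, which has no handshake, gets a pseudo-connection that expires after an assumed 30 seconds. The addresses (203.0.113.0/24 standing for the organization's public block, 10.0.0.0/8 for the internal network, 198.51.100.0/24 for Internet hosts), the quarantined-host rule and the DNS rule are assumptions of the example.

```python
"""Model of a first-match, stateful packet filter (constructed example)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # True for the TCP packet that opens a connection


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "allow" or "deny"
    proto: Optional[str] = None  # None = any protocol
    src: Optional[str] = None    # CIDR, None = any source
    dst: Optional[str] = None    # CIDR, None = any destination
    dport: Optional[int] = None  # None = any destination port

    def matches(self, p: Packet) -> bool:
        if self.proto and self.proto != p.proto:
            return False
        if self.dport is not None and self.dport != p.dport:
            return False
        if self.src and ipaddress.ip_address(p.src) not in ipaddress.ip_network(self.src):
            return False
        if self.dst and ipaddress.ip_address(p.dst) not in ipaddress.ip_network(self.dst):
            return False
        return True


class PacketFilter:
    """Rules are walked top-down and the first match decides (default: deny).
    Allowed flows enter a state table so their reply packets pass without another
    rule walk; TCP flows live long, UDP pseudo-flows expire quickly (assumed timeouts)."""

    def __init__(self, rules: List[Rule], tcp_timeout=3600.0, udp_timeout=30.0):
        self.rules = rules
        self.state: Dict[Tuple, float] = {}   # flow 5-tuple -> last time seen
        self.timeouts = {"tcp": tcp_timeout, "udp": udp_timeout}
        self.rules_examined = 0               # total work done by rule walks

    def decide(self, p: Packet, now: float) -> Tuple[str, str]:
        fwd = (p.proto, p.src, p.sport, p.dst, p.dport)
        rev = (p.proto, p.dst, p.dport, p.src, p.sport)
        for key in (fwd, rev):
            seen = self.state.get(key)
            if seen is None:
                continue
            if now - seen <= self.timeouts[p.proto]:
                self.state[key] = now          # established traffic: refresh and pass
                return "allow", "state"
            del self.state[key]                # stale entry: the flow must be re-evaluated
        if p.proto == "tcp" and not p.syn:
            return "deny", "no-state"          # mid-connection TCP packet with no tracked flow
        for rule in self.rules:
            self.rules_examined += 1
            if rule.matches(p):
                if rule.action == "allow":
                    self.state[fwd] = now
                return rule.action, rule.name
        return "deny", "default"


WEB, MAIL, INSIDE = "203.0.113.10/32", "203.0.113.25/32", "10.0.0.0/8"
ALL_RULES = {r.name: r for r in [
    Rule("web-in", "allow", "tcp", None, WEB, 80),       # Web server: port 80 only
    Rule("mail-in", "allow", "tcp", None, MAIL, 25),     # mail server: port 25 only
    Rule("out-http", "allow", "tcp", INSIDE, None, 80),  # services internal users may use
    Rule("out-https", "allow", "tcp", INSIDE, None, 443),
    Rule("out-ftp", "allow", "tcp", INSIDE, None, 21),
    Rule("out-telnet", "allow", "tcp", INSIDE, None, 23),
    Rule("out-ssh", "allow", "tcp", INSIDE, None, 22),
    Rule("block-host", "deny", None, "10.1.1.99/32"),    # assumed: one quarantined internal host
]}
ORDER_HTTP_FIRST = ["out-http", "web-in", "mail-in", "out-https", "out-ftp", "out-telnet", "out-ssh"]
ORDER_HTTP_LAST = ORDER_HTTP_FIRST[1:] + ORDER_HTTP_FIRST[:1]

# Constructed traffic sample: outbound HTTP dominates, as the slides expect.
SAMPLE = ([Packet("tcp", "10.1.1.5", 40000 + i, "198.51.100.7", 80, syn=True) for i in range(8)]
          + [Packet("tcp", "198.51.100.9", 5555, "203.0.113.10", 80, syn=True),   # web-in
             Packet("tcp", "198.51.100.9", 5556, "203.0.113.25", 25, syn=True),   # mail-in
             Packet("tcp", "198.51.100.9", 5557, "203.0.113.10", 22, syn=True),   # no rule: default deny
             Packet("tcp", "198.51.100.7", 80, "10.1.1.5", 40000),                # reply: passes by state
             Packet("tcp", "198.51.100.9", 5558, "10.1.1.5", 40001)])             # non-SYN, untracked: denied


def run(order: List[str], packets=SAMPLE):
    """Returns (list of (action, reason) per packet, number of rules examined)."""
    fw = PacketFilter([ALL_RULES[n] for n in order])
    decisions = [fw.decide(p, now=float(i)) for i, p in enumerate(packets)]
    return decisions, fw.rules_examined


def shadowing(block_position: int) -> str:
    """A specific deny placed below the broad allow is never reached."""
    order = list(ORDER_HTTP_FIRST)
    order.insert(block_position, "block-host")
    fw = PacketFilter([ALL_RULES[n] for n in order])
    return fw.decide(Packet("tcp", "10.1.1.99", 4444, "198.51.100.7", 80, syn=True), 0.0)[0]


def udp_pseudo_state(gap: float) -> str:
    """UDP has no handshake, so the reply is allowed only while the pseudo-flow is fresh."""
    fw = PacketFilter([Rule("dns-out", "allow", "udp", INSIDE, None, 53)])   # assumed extra rule
    fw.decide(Packet("udp", "10.1.1.5", 50000, "198.51.100.53", 53), 0.0)
    return fw.decide(Packet("udp", "198.51.100.53", 53, "10.1.1.5", 50000), gap)[0]


if __name__ == "__main__":
    for name, order in (("HTTP first", ORDER_HTTP_FIRST), ("HTTP last", ORDER_HTTP_LAST)):
        print(name, "rules examined:", run(order)[1])
    print("deny above allow:", shadowing(0), "| deny below allow:", shadowing(1))
    print("UDP reply at 5s:", udp_pseudo_state(5.0), "| at 60s:", udp_pseudo_state(60.0))
```

With the constructed sample the two orderings reach identical decisions, but the HTTP-first rule set examines 20 rules in total against 66 for the HTTP-last one; the decisions themselves only change when a specific rule is shadowed by a broader one above it.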
Network Address Translation (NAT)
• Any organization that plans to install a firewall will have to deal with addressing issues.
• At the root of the problem is the shortage of IP address space.
• For example, most ISPs will provide blocks of 16 or 32 addresses (which actually become 14 or 30 usable addresses once the network and broadcast addresses are taken into account).
• Solution: NAT.

NAT
• NAT translates one or more addresses into other addresses. So how does this help? When we build our networks, we use the 30 or so addresses provided by the ISP for systems that must be visible to the Internet.
• On the inside of the network, we use addresses that are not visible but are translated.

NAT
• Mostly the firewall performs the NAT function. Routers can also be used for this function if necessary.
• Application layer firewalls perform NAT as part of their design: since all connections terminate on the firewall, only the firewall's address is visible to the outside.
• Packet filtering firewalls also have this capability, but it must be configured during firewall setup.

NAT
• NAT can also provide a security function, as the hidden addresses of the internal systems are not visible to the Internet.

Private Class Addresses
• Despite NAT, we still need addresses for the internal network. The choice of internal addresses can cause all types of routing problems if it is not done properly.
• RFC 1918 (an RFC, Request for Comments, is how Internet standards are published) specifies what are called private class addresses.

Private Class Addresses
• These addresses are intended for use on internal networks behind a firewall that performs NAT.
• Subnet mask?

Private Class Addresses
• None of these addresses are routable on the Internet. If you attempt to ping a private class address across the Internet, the packets will be returned with a "network unreachable" message.

Static NAT
• We architect a network to use private class addresses, and we want to use NAT to allow some systems to be accessible from the Internet. For this situation, we use what is called static NAT.
• Static NAT maps a single real address from the organization's external network to a system.
• Static NAT is a one-to-one configuration: for each system that must be accessible from the Internet, one real address is used.

Dynamic NAT
• Dynamic NAT differs from static NAT in that many internal addresses are mapped to a single real address.
• The real address that is used is the external address of the firewall.
• The firewall then tracks the connections and uses one port for each connection.
• Dynamic NAT is especially useful for desktop clients that use Dynamic Host Configuration Protocol (DHCP).

Dynamic NAT
• Systems that use dynamic NAT are not addressable from the outside, since only the firewall maintains the mappings of ports to systems, and the mappings change regularly.
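The NAT and private address slides above, as one added example that is not from the slides or any product: a Python model of a firewall performing static (one-to-one) and dynamic (many-to-one, one port per connection) NAT over an assumed 32-address ISP block, with a check that inside addresses really are RFC 1918 space. The ISP block 203.0.113.0/27, the firewall's external address 203.0.113.1, the inside network 192.168.0.0/16, the Internet hosts in 198.51.100.0/24 and the starting translation port are all assumptions of the example. It also shows a caveat worth knowing: the standard library's `is_private` flag is wider than RFC 1918, so a dedicated check is used instead.

```python
"""Static and dynamic NAT on a firewall, modelled in Python (constructed example)."""
import ipaddress
from typing import Dict, Optional, Tuple

# The three blocks RFC 1918 reserves for private internets.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

Flow = Tuple[str, str, int, str, int]   # proto, src, sport, dst, dport


def is_rfc1918(addr: str) -> bool:
    """True only for RFC 1918 space."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RFC1918)


def stdlib_says_private(addr: str) -> bool:
    """ipaddress.is_private is broader: loopback, link-local and the documentation
    ranges (e.g. 203.0.113.0/24) also count, so it is the wrong test for 'RFC 1918'."""
    return ipaddress.ip_address(addr).is_private


class NatFirewall:
    def __init__(self, isp_block: str, external_ip: str):
        block = ipaddress.ip_network(isp_block)
        # Network and broadcast addresses cannot be assigned: 32 addresses become 30.
        self.usable = {str(h) for h in block.hosts()}
        self.external_ip = external_ip
        self.static: Dict[str, str] = {}                 # public -> private, one-to-one
        self.dynamic: Dict[Tuple[str, int], Flow] = {}   # (proto, firewall port) -> original flow
        self.ports: Dict[Flow, int] = {}                 # original flow -> firewall port
        self.next_port = 20000                           # assumed start of the translation port pool

    def add_static(self, public: str, private: str) -> None:
        if public not in self.usable or public == self.external_ip:
            raise ValueError(f"{public} is not a free address from the ISP block")
        if public in self.static:
            raise ValueError(f"{public} already mapped (static NAT is one-to-one)")
        if not is_rfc1918(private):
            raise ValueError(f"{private} is not a private class address")
        self.static[public] = private

    def outbound(self, proto, src, sport, dst, dport) -> Flow:
        """Inside -> Internet. A statically mapped host keeps its own public address;
        everyone else shares the firewall's address, one port per connection."""
        for public, private in self.static.items():
            if private == src:
                return (proto, public, sport, dst, dport)
        flow: Flow = (proto, src, sport, dst, dport)
        if flow not in self.ports:
            self.ports[flow] = self.next_port
            self.dynamic[(proto, self.next_port)] = flow
            self.next_port += 1
        return (proto, self.external_ip, self.ports[flow], dst, dport)

    def inbound(self, proto, src, sport, dst, dport) -> Optional[Flow]:
        """Internet -> inside. Returns the translated flow, or None if the packet is dropped."""
        if dst in self.static:                       # static mapping: always reachable
            return (proto, src, sport, self.static[dst], dport)
        if dst == self.external_ip:                  # dynamic: only replies to a tracked connection
            orig = self.dynamic.get((proto, dport))
            if orig is not None and orig[3] == src and orig[4] == sport:
                return (proto, src, sport, orig[1], orig[2])
        return None                                  # unsolicited: internal host is not addressable


def demo() -> dict:
    fw = NatFirewall("203.0.113.0/27", "203.0.113.1")
    fw.add_static("203.0.113.10", "192.168.10.10")           # the public Web server
    results = {"usable": len(fw.usable)}
    # Two DHCP desktops open connections to the same Internet site.
    results["desk1"] = fw.outbound("tcp", "192.168.20.5", 40000, "198.51.100.7", 80)
    results["desk2"] = fw.outbound("tcp", "192.168.20.6", 40000, "198.51.100.7", 80)
    results["web_in"] = fw.inbound("tcp", "198.51.100.9", 5000, "203.0.113.10", 80)
    results["reply2"] = fw.inbound("tcp", "198.51.100.7", 80, "203.0.113.1", 20001)
    results["unsolicited"] = fw.inbound("tcp", "198.51.100.9", 5000, "203.0.113.1", 20001)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:12} {value}")
```

The two desktops leave the firewall as 203.0.113.1 on ports 20000 and 20001; the site's reply to port 20001 is translated back to 192.168.20.6, while a packet from a different host to that same port is dropped, which is the "not addressable from the outside" property of dynamic NAT.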
Chapter 7: Virtual Private Networks (VPN)

VPNs
• Private networks have been used by organizations to communicate with remote sites and with other organizations.
• They are made up of lines leased from the various phone companies and ISPs.
• Leased lines create a real circuit between the two sites.
• Private networks have many advantages.
• Disadvantage: cost.
• Solution: Virtual Private Networks.

Defining VPNs
• With the increasing use of the Internet, many organizations have moved to Virtual Private Networks (VPN).
• VPNs offer organizations many of the advantages of private networks at a lower cost.
• However, VPNs introduce a whole new set of issues and risks for an organization.

VPNs
• A VPN uses a public network like the Internet to send data securely.
• We separate our traffic from everyone else's.
• Encryption: much Internet traffic is sent in the clear, so that anyone watching the traffic can see exactly what is going by.
• This is true for most mail and Web traffic as well as telnet and FTP sessions. Secure Shell (SSH) and HyperText Transfer Protocol Secure (HTTPS) traffic is encrypted.

VPNs
• VPNs have several characteristics:
• Traffic is encrypted so as to prevent eavesdropping.
• The remote site is authenticated.
• Multiple protocols are supported over the VPN.
• The connection is point to point.

VPNs
• VPN packets are mixed in with the regular traffic flow on the Internet and are segregated because only the end points of the connection can read the traffic.

VPN Types
• VPNs are generally separated into two types: user VPNs and site VPNs.

User VPNs
• User VPNs are virtual private networks between an individual user machine and an organization site or network.
• Often user VPNs are used for employees who travel or work from home.
• The organization's site requests the user to authenticate and, if successful, allows the user access to the organization's internal network as if the user were within the site and physically on the network.
• Speed is lower, limited by the user's own connection.

User VPNs
• While the user has a VPN back to the organization's internal network, he or she also has a connection to the Internet and can surf the Web or perform other activities like a normal Internet user.

Benefits of User VPNs
• Employees who travel can have access to e-mail, files, and internal systems wherever they are without the need for expensive long distance calls to dial-in servers.
• Employees who work from home can have the same access to network services as employees who work from the organization's facilities without the requirement for expensive leased lines.
• Cost saving + speed.

Issues with User VPNs
• User VPNs bring significant security risks and implementation issues.
• The biggest single security issue with the use of a VPN by an employee is the simultaneous connection to other Internet sites.
• If the user's computer has been compromised with a Trojan Horse program, it may be possible for some external, unauthorized user to use the employee's computer to connect to the organization's internal network.

Issues with User VPNs
• User VPNs require the same attention to user-management issues as internal systems.
• Decide which users require remote VPN access and which do not.
• Also consider what happens when an employee leaves the job.
• Users must authenticate themselves before using the VPN.
• Organizations must also be concerned with traffic loads due to the many VPN connections.

Managing User VPNs
• Managing user VPNs is primarily an issue of managing the users and the user computer systems.
• Procedures must be in place for the whole user lifecycle, through to employee separation.
• Proper VPN software versions and configurations must be used.
• If the computers are owned by the organization, this becomes part of the standard software load for the computer.
• If the organization allows employees to use the VPN from their home computers, the organization will need to increase overall support to these users and configurations.

Managing User VPNs
• One key aspect of the user VPN that should not be forgotten is the use of a good anti-virus software package on the user's computer.
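The user VPN issues and management slides above, as one added example that is not from the slides or any VPN product: a Python review that walks a VPN account list against an HR roster and endpoint posture data and reports the gaps those slides name, namely accounts left enabled after separation, access granted to users whose role does not need it, out-of-date client software, no anti-virus, personal computers, and a simultaneous open Internet path (split tunnel) while the tunnel is up. All records, the required client version and the 90-day inactivity threshold are constructed assumptions.

```python
"""User VPN management review over constructed account, HR and posture records."""
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional


@dataclass
class VpnAccount:
    user: str
    enabled: bool
    last_login: Optional[date]


@dataclass
class Employee:
    user: str
    separated_on: Optional[date]    # None while still employed
    needs_remote_access: bool       # decided by role, as the slides require


@dataclass
class ClientPosture:
    user: str
    org_owned: bool                 # organization-owned vs. home computer
    client_version: str
    antivirus_running: bool
    split_tunnel: bool              # Internet traffic bypasses the tunnel while connected


REQUIRED_VERSION = (4, 2, 0)        # assumed minimum approved client version
INACTIVE_DAYS = 90                  # assumed inactivity threshold


def parse_version(v: str):
    return tuple(int(x) for x in v.split("."))


def review(accounts: List[VpnAccount], employees: List[Employee],
           postures: List[ClientPosture], today: date) -> List[str]:
    """Returns one finding per control gap; an empty list means the account set is clean."""
    emp: Dict[str, Employee] = {e.user: e for e in employees}
    pos: Dict[str, ClientPosture] = {p.user: p for p in postures}
    findings: List[str] = []
    for a in accounts:
        if not a.enabled:
            continue                                   # disabled accounts carry no access
        e = emp.get(a.user)
        if e is None:
            findings.append(f"{a.user}: VPN account with no matching employee record")
            continue
        if e.separated_on is not None and e.separated_on <= today:
            findings.append(f"{a.user}: account still enabled after separation on {e.separated_on}")
            continue
        if not e.needs_remote_access:
            findings.append(f"{a.user}: remote access not required by role")
        if a.last_login is None or (today - a.last_login).days > INACTIVE_DAYS:
            findings.append(f"{a.user}: no VPN login in the last {INACTIVE_DAYS} days; consider disabling")
        p = pos.get(a.user)
        if p is None:
            findings.append(f"{a.user}: no endpoint posture data")
            continue
        if parse_version(p.client_version) < REQUIRED_VERSION:
            required = ".".join(map(str, REQUIRED_VERSION))
            findings.append(f"{a.user}: VPN client {p.client_version} below required {required}")
        if not p.antivirus_running:
            findings.append(f"{a.user}: anti-virus not running on endpoint")
        if p.split_tunnel:
            findings.append(f"{a.user}: split tunnel enabled; endpoint is on the Internet while on the VPN")
        if not p.org_owned:
            findings.append(f"{a.user}: personal computer; extra support and configuration required")
    return findings


def run_review() -> List[str]:
    """Constructed sample data: six accounts with a mix of clean and problem cases."""
    today = date(2024, 6, 1)
    accounts = [
        VpnAccount("alice", True, date(2024, 5, 30)),
        VpnAccount("bob", True, date(2024, 3, 1)),
        VpnAccount("carol", True, date(2024, 5, 28)),
        VpnAccount("dave", True, None),
        VpnAccount("erin", False, date(2023, 1, 1)),
        VpnAccount("frank", True, date(2024, 5, 1)),
    ]
    employees = [
        Employee("alice", None, True),
        Employee("bob", date(2024, 4, 15), True),      # left, account never disabled
        Employee("carol", None, True),
        Employee("dave", None, False),                  # role does not need remote access
        Employee("erin", None, True),
    ]
    postures = [
        ClientPosture("alice", True, "4.2.1", True, False),
        ClientPosture("carol", False, "4.1.9", False, True),
    ]
    return review(accounts, employees, postures, today)


if __name__ == "__main__":
    for line in run_review():
        print(line)
```

On the constructed data alice produces no finding, bob is flagged once for the post-separation account, carol four times for the home computer's posture, dave three times, and frank once for having no employee record.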