4.1 Firewall 4.2 Virtual Private Network (VPN) Kerberos Security Topology and DMZ
Dheeraj S. Sadawarte
Contents
Firewalls
• Need for firewall, characteristics, limitations
• Types of firewalls: hardware, software; packet filter, proxy server, hybrid; application gateway, circuit level gateway
• Implementing a firewall
August 26, 2015 Dheeraj S. Sadawarte 2
dheerajsadawarte.blogspot.in
Firewall
• A dedicated appliance (H/W) or S/W.
• Stands between trusted & untrusted N/W, inspecting all traffic passing between them.
• A choke point of control and monitoring
• Imposes restrictions on network services: only authorized traffic is allowed
• Provides NAT & usage monitoring
• Implements VPNs using IPSec
Fig. Firewall placed between trusted and untrusted networks (such as between a corporate network and the Internet); labels: Corporate Site
Packet Filtering Firewall
Advantages
• Simplicity
• Transparency to the users
• High speed
Disadvantages
• Lack of authentication
• Difficulty of setting up packet filtering rules.
Proxy Server
• Important part of web architecture
• Reduces load on servers
• Acts as a gateway to and from the Internet.
• An intermediary program that acts as both a server and a client for the purpose of making requests on behalf of other clients.
• Two forms of proxy servers: nontransparent and transparent
• A nontransparent proxy is visible to a user – the user configures a browser to contact the proxy instead of the original server.
Proxy Server
• A transparent proxy needs no change to the client configuration
• Examines all TCP connections that pass through it
• Requests are serviced internally or by passing them, with possible translation, on to other servers.
• A proxy must interpret and, if necessary, rewrite a request message before forwarding it.
• Proxies are often used as client-side portals through network firewalls.
• Clients connect to the proxy server when they make a request for resources located on the Internet
• Also known as application gateway
Proxy Server
• The server gets the resource and returns it to the client.
• Since you are only presenting one IP address to the Internet, the proxy server effectively hides your internal network.
• The proxy server is the only computer in the network attached to both internal and external networks.
Fig. Client – Proxy – Web Servers (MSBTE, YouTube, FB); addresses shown in the figure: 111.222.3.4 and 222.111.123.234
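The slides say a proxy must interpret and, if necessary, rewrite a request before forwarding it. The following is an added example (not code from the slides) of that step for a nontransparent HTTP proxy: a browser configured to use a proxy sends the full URL in the request line, and the proxy has to pick the upstream server from it, turn the request into the form an origin server expects, and drop headers that only concern the client-to-proxy hop. The hostnames, ports and header values are constructed; `proxy.example.local` is an assumed name for the proxy itself.

```python
from urllib.parse import urlsplit

# Headers that belong only to the client<->proxy hop (RFC 7230 section 6.1);
# a proxy strips them instead of passing them to the origin server.
HOP_BY_HOP = {"proxy-connection", "connection", "keep-alive", "proxy-authorization",
              "te", "trailer", "transfer-encoding", "upgrade"}


def parse_request(raw: bytes):
    """Split a raw HTTP/1.1 request into (method, target, version, headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = []
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers.append((name.strip(), value.strip()))
    return method, target, version, headers, body


def rewrite_for_origin(raw: bytes, proxy_name: str = "proxy.example.local"):
    """Turn a proxy-form request (absolute URL) into an origin-form request.

    Returns (upstream_host, upstream_port, rewritten_request_bytes).
    """
    method, target, version, headers, body = parse_request(raw)
    url = urlsplit(target)
    if url.scheme != "http" or not url.hostname:
        # Only absolute http:// targets are handled here; anything else is refused
        # rather than guessed at, so a malformed request cannot be misrouted.
        raise ValueError(f"cannot proxy request target {target!r}")
    port = url.port or 80
    path = url.path or "/"
    if url.query:
        path += "?" + url.query

    kept = [(n, v) for n, v in headers
            if n.lower() not in HOP_BY_HOP and n.lower() != "host"]
    # The origin server must see the host it is being asked for; the Via header
    # records that the request passed through this proxy.
    kept.insert(0, ("Host", url.netloc))
    kept.append(("Via", f"1.1 {proxy_name}"))
    kept.append(("Connection", "close"))

    out = [f"{method} {path} {version}"] + [f"{n}: {v}" for n, v in kept]
    return url.hostname, port, ("\r\n".join(out) + "\r\n\r\n").encode("iso-8859-1") + body


if __name__ == "__main__":
    # Constructed request, as a proxy-configured browser would send it.
    sample = (b"GET http://www.example.com:8080/docs/index.html?lang=en HTTP/1.1\r\n"
              b"Host: www.example.com:8080\r\n"
              b"Proxy-Connection: keep-alive\r\n"
              b"User-Agent: demo-browser\r\n\r\n")
    host, port, forwarded = rewrite_for_origin(sample)
    print(host, port)
    print(forwarded.decode("iso-8859-1"))
```

The proxy opens its own TCP connection to `host:port` and sends the rewritten bytes; the origin server never sees the client's address, which is the "hides your internal network" point made on the next slide.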
Application Level Gateway
• Also known as proxy server.
• It acts like a proxy & decides about the flow of application level traffic.
• The user contacts the application level gateway using a TCP/IP application, such as FTP or HTTP.
• The application level gateway asks the user about the remote host with which the user wants to set up a connection for communication.
Fig. Application level gateway at the Corporate Site
Firewall Deployment
• Corporate Network Gateway
• Internal Segment Gateway
  – Protect sensitive segments (Finance, HR, Product Development)
  – Provide second layer of defense
  – Ensure protection against internal attacks and misuse
Fig. Internet – Corporate Network Gateway – Demilitarized Zone (publicly-accessible servers) and Corporate Site; Internal Segment Gateway in front of the Human Resources Network
Firewall Deployment
• Corporate Network Gateway
• Internal Segment Gateway
• Server-Based Firewall
  – Protect individual application servers
  – Protects files
Fig. Internet – Corporate Network Gateway – DMZ (Public Servers) and Corporate Site; Internal Segment Gateway in front of the Human Resources Network; Server-Based Firewall in front of the SAP Server
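To make the packet filtering slide and the two deployment figures concrete, here is an added example (not code from the slides) of a first-match packet filter evaluated against a zoned layout like the one drawn: an Internet-facing gateway in front of a DMZ and the corporate network, and an internal segment gateway in front of the HR network. The address ranges, ports and rule set are constructed for the demonstration. It also shows the point behind "lack of authentication": the only thing the filter can go on is the addresses in the packet.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Zone assignment by address (constructed ranges). The filter knows nothing
# about who is behind an address, only where in the topology it sits.
ZONES = {
    "HR":        ipaddress.ip_network("10.1.0.0/24"),     # inside CORPORATE, so checked first
    "DMZ":       ipaddress.ip_network("203.0.113.0/24"),
    "CORPORATE": ipaddress.ip_network("10.0.0.0/8"),
}

def zone_of(ip: str) -> str:
    """Most specific zone first; anything unlisted is treated as the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "INTERNET"

@dataclass(frozen=True)
class Rule:
    src_zone: str             # "*" matches any zone
    dst_zone: str
    proto: str                # "tcp", "udp", "icmp" or "*"
    dst_port: Optional[int]   # None matches any port
    action: str               # "allow" or "deny"
    note: str                 # why the rule exists; useful in the firewall log

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dst_port: Optional[int] = None

# First match wins. The last rule is the default deny every rule set must end
# with, so that traffic nobody anticipated is blocked rather than let through.
RULES = [
    Rule("INTERNET",  "DMZ",       "tcp", 443,  "allow", "public web servers"),
    Rule("INTERNET",  "DMZ",       "tcp", 25,   "allow", "inbound mail relay"),
    Rule("DMZ",       "CORPORATE", "*",   None, "deny",  "a compromised DMZ host must not reach inside"),
    Rule("CORPORATE", "INTERNET",  "tcp", 443,  "allow", "outbound HTTPS"),
    Rule("CORPORATE", "INTERNET",  "tcp", 80,   "allow", "outbound HTTP"),
    Rule("HR",        "CORPORATE", "*",   None, "allow", "HR may use general corporate services"),
    Rule("CORPORATE", "HR",        "*",   None, "deny",  "internal segment gateway: second layer of defense"),
    Rule("*",         "*",         "*",   None, "deny",  "default deny"),
]

def rule_matches(rule: Rule, pkt: Packet, src_zone: str, dst_zone: str) -> bool:
    return (rule.src_zone in ("*", src_zone)
            and rule.dst_zone in ("*", dst_zone)
            and rule.proto in ("*", pkt.proto)
            and (rule.dst_port is None or rule.dst_port == pkt.dst_port))

def filter_packet(pkt: Packet, rules=RULES):
    """Return (action, note) of the first rule that matches the packet."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    for rule in rules:
        if rule_matches(rule, pkt, src_zone, dst_zone):
            return rule.action, rule.note
    raise RuntimeError("rule set has no default rule")   # unreachable with RULES above

if __name__ == "__main__":
    samples = [                                               # constructed traffic
        Packet("198.51.100.7", "203.0.113.10", "tcp", 443),   # Internet -> DMZ web server
        Packet("198.51.100.7", "10.0.5.20", "tcp", 445),      # Internet -> internal file share
        Packet("203.0.113.10", "10.0.5.20", "tcp", 3306),     # DMZ host -> internal database
        Packet("10.0.5.20", "198.51.100.7", "tcp", 443),      # inside -> Internet HTTPS
        Packet("10.0.5.20", "10.1.0.15", "tcp", 445),         # corporate -> HR file share
        Packet("10.1.0.15", "10.0.5.20", "tcp", 80),          # HR -> corporate intranet
    ]
    for p in samples:
        action, note = filter_packet(p)
        print(f"{zone_of(p.src):9} -> {zone_of(p.dst):9} {p.proto}/{p.dst_port}: {action} ({note})")
```

Because `zone_of` is evaluated from the source address alone, a host that forges an internal source address looks internal to this filter; that is the authentication gap the slide lists, and the reason the deployment figures put a second gateway in front of sensitive segments rather than trusting the perimeter alone.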
Summary
• Firewall
• Limitation
• Firewall Types: Packet Filtering Firewall, Application Level Gateway, Circuit Level Gateway
• Firewall Configuration
VPN
Fig. VPN tunnel across the Internet: Network 1 – Firewall 1 – Internet – Firewall 2 – Network 2
PPTP Operation
• User dials into local PPTP access concentrator host
• User sends the access concentrator a PPP frame within an IP packet
Fig. Access Concentrator – RAS
PPTP Operation
• Access concentrator places incoming IP packet within another IP packet
• Sends packet to the distant RAS
Fig. Access Concentrator – Encapsulated Packet – RAS
PPTP
PPTP Operation
• Distant RAS removes the original packet
• Treats the packet as if it came in over a local telephone line
• Deals with the PPP frame within the packet
Fig. RAS – Original IP Packet
PPTP
PPTP Encapsulation
• Access concentrator receives the original IP packet, which has the destination IP address of the access concentrator
• Adds a new IP header with the IP address of the RAS
• Adds an enhanced general routing encapsulation (GRE) header for security
Fig. Encapsulated packet: New IP Header | Enhanced GRE Header | Original IP Packet, carried through the tunnel from Access Concentrator to RAS
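The encapsulation in the figure, worked on actual bytes as an added example (not code from the slides): the access concentrator takes the original IP packet, prepends an enhanced GRE header and a new outer IP header addressed to the RAS, and the RAS reverses the process to recover the original packet. Field layouts follow RFC 791 (IPv4) and RFC 2637 (PPTP's enhanced GRE); the addresses, the PPP payload and the call ID are constructed, and the IP protocol number on the original packet is an arbitrary placeholder for whatever carried the PPP frame.

```python
import struct
import ipaddress

IPPROTO_GRE = 47
GRE_PROTO_PPP = 0x880B      # protocol type in an enhanced GRE header carrying PPP

def ipv4_checksum(header: bytes) -> int:
    """RFC 791 one's-complement checksum; returns 0 for a header whose checksum is correct."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack(f"!{len(header) // 2}H", header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def ipv4_packet(src: str, dst: str, proto: int, payload: bytes, ident: int = 0) -> bytes:
    """Build a minimal IPv4 packet (20-byte header, no options) around payload."""
    header = struct.pack("!BBHHHBBH4s4s",
                         0x45, 0, 20 + len(payload), ident, 0, 64, proto, 0,
                         ipaddress.IPv4Address(src).packed,
                         ipaddress.IPv4Address(dst).packed)
    csum = ipv4_checksum(header)
    return header[:10] + struct.pack("!H", csum) + header[12:] + payload

def enhanced_gre_header(payload_len: int, call_id: int, seq: int) -> bytes:
    """Enhanced GRE (RFC 2637): K and S bits set, version 1; the key field
    carries the payload length and the PPTP call ID."""
    flags_version = 0x3001                  # K=1, S=1, version=1
    return struct.pack("!HHHHI", flags_version, GRE_PROTO_PPP, payload_len, call_id, seq)

def encapsulate(original: bytes, concentrator_ip: str, ras_ip: str, call_id: int, seq: int) -> bytes:
    """Access concentrator side: new IP header (to the RAS) + GRE header + original packet."""
    gre = enhanced_gre_header(len(original), call_id, seq)
    return ipv4_packet(concentrator_ip, ras_ip, IPPROTO_GRE, gre + original, ident=seq)

def decapsulate(tunnel_packet: bytes):
    """RAS side: strip the outer IP and GRE headers; returns (original, call_id, seq).
    Rejects packets whose outer header does not verify or that are not GRE/PPP."""
    ihl = (tunnel_packet[0] & 0x0F) * 4
    outer = tunnel_packet[:ihl]
    if ipv4_checksum(outer) != 0:
        raise ValueError("outer IP header checksum failed")
    if outer[9] != IPPROTO_GRE:
        raise ValueError("not a GRE packet")
    flags_version, proto, plen, call_id, seq = struct.unpack("!HHHHI", tunnel_packet[ihl:ihl + 12])
    if proto != GRE_PROTO_PPP or (flags_version & 0x0007) != 1:
        raise ValueError("not enhanced GRE carrying PPP")
    original = tunnel_packet[ihl + 12:ihl + 12 + plen]
    if len(original) != plen:
        raise ValueError("truncated payload")
    return original, call_id, seq

if __name__ == "__main__":
    # Constructed: a PPP frame inside an IP packet addressed to the concentrator.
    ppp_frame = b"\xff\x03\x00\x21" + b"hello over PPP"
    original = ipv4_packet("192.0.2.10", "192.0.2.1", 61, ppp_frame)   # proto 61 is a placeholder
    tunneled = encapsulate(original, "192.0.2.1", "198.51.100.50", call_id=7, seq=1)
    recovered, call_id, seq = decapsulate(tunneled)
    print(len(original), "->", len(tunneled), "bytes; call", call_id, "seq", seq,
          "recovered intact:", recovered == original)
```

The decapsulation checks are the defensive part: the RAS verifies the outer header and the GRE protocol/version fields before it trusts the payload length, so a damaged or mislabelled packet is dropped instead of being handed to the PPP layer as if it had come in over a local telephone line.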
VPN Protocols
L2TP (Layer 2 Tunneling Protocol)
• Developed by IETF
• Improvement over PPTP.
• L2TP is considered a secure open standard for VPN.
• It works for both combinations: user-to-LAN & LAN-to-LAN.
Fig. Kerberos exchange: User Workstation – Authentication Server (AS) (steps 1, 2); Workstation – Ticket Granting Server (TGS) (steps 3, 4); Workstation – Server (steps 5, 6; once per service session)
1. Workstation sends a message to the authentication server requesting a ticket granting ticket (TGT).
2. The AS verifies the user's access rights and creates a TGT and session key. The AS encrypts the result using a key derived from the user's password and sends the encrypted result to the user workstation.
   – User decrypts using password.
3. Workstation sends a request to the TG Server containing the client name, realm name (domain), and a timestamp.
   • User proves his identity by sending an authenticator encrypted with the session key.
4. TGS decrypts the ticket and authenticator, verifies the request, and creates a ticket for the requested server.
   • The ticket contains client name, and optionally IP addr, realm name and ticket timestamp.
   • The TGS returns the ticket to the workstation.
5. Client application sends a service request to the server containing the ticket.
   • The service authenticates the request by decrypting the session key. The server verifies that ticket and authenticator match and then grants access to the service.
6. If mutual authentication is required, then the server will reply with a server authentication message.
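The six steps above, run end to end as an added example (not code from the slides) between a client workstation, a KDC playing both AS and TGS, and a service. The cipher is a stand-in, not a Kerberos encryption type: an HMAC-SHA256 keystream with an HMAC tag, chosen so that the standard library suffices and so that a wrong key fails the integrity check the way a real Kerberos decryption does. The realm name, principals, passwords and the 300-second skew limit are constructed.

```python
import hashlib
import hmac
import json
import os
import time

REALM = "EXAMPLE.LOCAL"   # constructed realm (domain) name
MAX_SKEW = 300            # seconds an authenticator timestamp may differ from local time

# Stand-in cipher: HMAC-SHA256 keystream XOR plus HMAC tag (encrypt-then-MAC).
def _keystream(key, nonce, n):
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt a JSON message: nonce || ciphertext || tag."""
    plain = json.dumps(obj).encode()
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> dict:
    """Verify the tag first; a wrong key fails here, as a real etype's integrity check would."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("integrity check failed (wrong key or tampered message)")
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))

def password_key(password: str) -> bytes:
    """Key derived from the user's password; used by the AS and the workstation in step 2."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), REALM.encode(), 20_000)

def check_authenticator(ticket: dict, auth: dict) -> None:
    """Ticket and authenticator must name the same client and realm and be fresh."""
    if auth["client"] != ticket["client"] or auth["realm"] != ticket["realm"]:
        raise PermissionError("authenticator does not match ticket")
    if abs(time.time() - auth["ts"]) > MAX_SKEW:
        raise PermissionError("authenticator timestamp outside allowed skew")

class KDC:
    """Authentication Server (AS) and Ticket Granting Server (TGS) in one place."""
    def __init__(self, users: dict, services: dict):
        self.user_keys = {u: password_key(p) for u, p in users.items()}
        self.service_keys = services        # service name -> long-term key
        self.tgs_key = os.urandom(32)       # only the TGS can read TGTs

    def as_exchange(self, client: str) -> bytes:
        """Steps 1-2: TGT (sealed for the TGS) and session key, sealed under the user's key."""
        session_key = os.urandom(32)
        tgt = seal(self.tgs_key, {"client": client, "realm": REALM,
                                  "key": session_key.hex(), "ts": time.time()})
        return seal(self.user_keys[client], {"key": session_key.hex(), "tgt": tgt.hex()})

    def tgs_exchange(self, tgt: bytes, authenticator: bytes, service: str) -> bytes:
        """Steps 3-4: open TGT and authenticator, verify, issue a ticket for the service."""
        t = unseal(self.tgs_key, tgt)
        session_key = bytes.fromhex(t["key"])
        check_authenticator(t, unseal(session_key, authenticator))
        service_key = os.urandom(32)
        ticket = seal(self.service_keys[service], {"client": t["client"], "realm": REALM,
                                                   "key": service_key.hex(), "ts": time.time()})
        return seal(session_key, {"key": service_key.hex(), "ticket": ticket.hex()})

class Service:
    def __init__(self, long_term_key: bytes):
        self.key = long_term_key

    def accept(self, ticket: bytes, authenticator: bytes) -> bytes:
        """Steps 5-6: verify ticket and authenticator match, then answer for mutual auth."""
        t = unseal(self.key, ticket)
        service_key = bytes.fromhex(t["key"])
        a = unseal(service_key, authenticator)
        check_authenticator(t, a)
        # Echoing the client's timestamp under the shared key proves this is the intended service.
        return seal(service_key, {"ts": a["ts"]})

def client_session(kdc: KDC, service: Service, client: str, password: str, service_name: str) -> bool:
    """Workstation side of all six steps; True when the mutual-auth reply verifies."""
    as_reply = unseal(password_key(password), kdc.as_exchange(client))          # step 2
    session_key, tgt = bytes.fromhex(as_reply["key"]), bytes.fromhex(as_reply["tgt"])
    ts = time.time()
    auth = seal(session_key, {"client": client, "realm": REALM, "ts": ts})      # step 3
    tgs_reply = unseal(session_key, kdc.tgs_exchange(tgt, auth, service_name))  # step 4
    service_key, ticket = bytes.fromhex(tgs_reply["key"]), bytes.fromhex(tgs_reply["ticket"])
    auth2 = seal(service_key, {"client": client, "realm": REALM, "ts": ts})     # step 5
    reply = unseal(service_key, service.accept(ticket, auth2))                   # step 6
    return reply["ts"] == ts

if __name__ == "__main__":
    svc_key = os.urandom(32)
    kdc = KDC(users={"alice": "correct horse"}, services={"fileserver": svc_key})
    print(client_session(kdc, Service(svc_key), "alice", "correct horse", "fileserver"))
```

Two properties of the protocol fall out of the code: the user's password never leaves the workstation (step 2 only needs the derived key to open the AS reply), and a ticket is useless to any service other than the one whose long-term key sealed it, because `unseal` fails before the service ever looks at the contents.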
Security Topologies
Security Topology
• Is a logical map that depicts interconnectivity between security devices, networks that are protected by security devices, and security domains that host these networks.
• Security topologies serve as a foundation to create IPsec VPNs on the network and to configure firewall policies on security devices.
Security Zones
• A way to classify websites into different security categories.
• Internet Explorer includes five predefined zones: Internet, Local Intranet, Trusted Sites, Restricted Sites & My Computer.
• Trusted Sites: This zone is for sites that you trust.
• Unclassified sites: This zone is for sites that you haven't classified or are not sure of.
• Restricted Sites: This zone is for sites that you don't trust and want to restrict.
Key Aspects of Creating & Designing Security Zones
• Internet Zone: Contains websites that are not on your computer or on the local intranet. The default security level is medium.
Fig. VLAN: Switch/Bridge with VLAN 3 and VLAN 4
Advantages of VLAN
1. Performance
   • In a network a high percentage of traffic is broadcast and multicast
   • VLANs reduce the need to send traffic to unnecessary destinations
2. Formation of virtual workgroups
3. Simplified administration
4. Security
Types of VLAN
• Layer 1 VLAN: Membership by port
  Membership in a VLAN can be based on the ports that belong to the VLAN.
  Disadvantage: it does not allow user mobility.
  Port  1  2  3  4  5  6  7  8
  VLAN  1  1  3  3  2  2  4  4
Types of VLAN
• Layer 2 VLAN: Membership by MAC addresses
  Membership is based on the MAC address of the workstation.
  The switch tracks which MAC addresses belong to which VLAN.
  If a workstation is moved or its port is changed, there is no need to reconfigure the VLAN.
  Disadvantage: membership must be assigned initially; in a network with thousands of users this is not an easy task.
VLAN Types
• Layer 2 VLAN: Membership by protocol
  This method is based on the protocol field.
  Protocols are assigned to different ports.
  Ex. IP protocol traffic is assigned to port 1 and other traffic to some other port.
  IP Address        Subnet
  192.168.1.100     255.255.255.128
  192.168.1.100     255.255.255.128
  117.240.248.129   255.255.255.240
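The three membership methods above, plus the address/subnet table, as an added example (not code from the slides) of how a switch decides which VLAN an incoming frame belongs to. The port table is the one from the Layer 1 slide and the address/mask rows are the ones in the table; the MAC addresses, the frames and the VLAN ids attached to the subnets are constructed. It also computes the network address each address/mask row of the table denotes.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Layer 1: port-based membership (the Port/VLAN table from the slide).
PORT_VLAN = {1: 1, 2: 1, 3: 3, 4: 3, 5: 2, 6: 2, 7: 4, 8: 4}

# Layer 2: MAC-based membership (constructed locally administered addresses).
MAC_VLAN = {"02:00:00:00:00:0a": 10, "02:00:00:00:00:0b": 20}

# Protocol-based membership keyed on the frame's EtherType field.
ETHERTYPE_IPV4, ETHERTYPE_ARP, ETHERTYPE_IPX = 0x0800, 0x0806, 0x8137
PROTOCOL_VLAN = {ETHERTYPE_IPV4: 1, ETHERTYPE_ARP: 1, ETHERTYPE_IPX: 5}

# Subnet-based membership: the address/mask rows from the table; VLAN ids constructed.
SUBNET_VLAN = [
    (ipaddress.ip_network("192.168.1.100/255.255.255.128", strict=False), 30),
    (ipaddress.ip_network("117.240.248.129/255.255.255.240", strict=False), 40),
]

@dataclass(frozen=True)
class Frame:
    ingress_port: int
    src_mac: str
    ethertype: int
    src_ip: Optional[str] = None      # only meaningful when ethertype is IPv4

def vlan_by_port(f: Frame) -> Optional[int]:
    """Layer 1: the port decides; moving the host to another port changes its VLAN."""
    return PORT_VLAN.get(f.ingress_port)

def vlan_by_mac(f: Frame) -> Optional[int]:
    """Layer 2: the station's MAC decides; an unknown MAC gets no VLAN at all."""
    return MAC_VLAN.get(f.src_mac.lower())

def vlan_by_protocol(f: Frame) -> Optional[int]:
    return PROTOCOL_VLAN.get(f.ethertype)

def vlan_by_subnet(f: Frame) -> Optional[int]:
    if f.ethertype != ETHERTYPE_IPV4 or f.src_ip is None:
        return None
    addr = ipaddress.ip_address(f.src_ip)
    for net, vlan in SUBNET_VLAN:
        if addr in net:
            return vlan
    return None

def classify(f: Frame, method: str) -> Optional[int]:
    """Dispatch to the membership method the switch is configured for."""
    return {"port": vlan_by_port, "mac": vlan_by_mac,
            "protocol": vlan_by_protocol, "subnet": vlan_by_subnet}[method](f)

def subnet_of(ip: str, mask: str) -> str:
    """Network address in prefix notation for one IP/mask row of the table."""
    return str(ipaddress.ip_network(f"{ip}/{mask}", strict=False))

if __name__ == "__main__":
    f = Frame(ingress_port=3, src_mac="02:00:00:00:00:0a",
              ethertype=ETHERTYPE_IPV4, src_ip="192.168.1.100")
    for m in ("port", "mac", "protocol", "subnet"):
        print(f"{m:9} -> VLAN {classify(f, m)}")
    # Same host plugged into port 7: port-based moves it to VLAN 4, MAC-based keeps VLAN 10.
    moved = Frame(7, f.src_mac, f.ethertype, f.src_ip)
    print("moved host: by port", classify(moved, "port"), "/ by MAC", classify(moved, "mac"))
    for ip, mask in [("192.168.1.100", "255.255.255.128"), ("117.240.248.129", "255.255.255.240")]:
        print(ip, mask, "->", subnet_of(ip, mask))
```

The `moved` frame is the user-mobility point from the slides: under port-based membership the relocated workstation silently lands in whatever VLAN the new port carries, while MAC-based membership follows the station; the price is the initial MAC-to-VLAN table, which here is two entries but in a network of thousands of users is the administrative burden the slide mentions. MAC- and subnet-based membership also trust fields the sending host controls, which is why they segment traffic but do not by themselves authenticate it.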