
Securing the Borderless Network

By Hitesh Arora
D1801A21
10800783
Introduction

The Internet has fundamentally changed the way networks are designed and secured.
Old Model

How things used to be . . .

• single host environment
• mainframe security systems
• hierarchical controls
• well-defined access paths
• dumb terminals
• centralized storage/processing of data

[Diagram: Mainframe connected to a Controller, which serves two groups of Dumb Terminals]
Design and Build

How do you Build a Secure Internet Application Environment?

• Incorporate security reviews early in the design process
• Design with future strong authentication methods in mind
• Design for explosive growth
• Encrypt the entire path from client to backup tapes for critical data
• Establish security baselines and perform security hardening before going live on the Internet
Infrastructure

Key Components of the Secure Network

• Border routers
• DMZ
• Firewalls
• Encrypted data paths
• Intrusion Detection System (IDS)
• Content Security (CVP)
Firewall Comparison

Choosing the Right Firewall Solution

Packet Filters
PROS:
• Application independent
• High performance
• Scalable
CONS:
• Low security
• No protection above the network layer

Application-Proxy Gateways
PROS:
• Good security
• Fully aware of the application layer
CONS:
• Poor performance
• Limited application support
• Poor scalability

Stateful Inspection
PROS:
• Good security
• High performance
• Scalable
• Fully aware of the application layer
• Extensible
CONS:
• More expensive
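The comparison above says packet filters are "low security" while stateful inspection is "good security". The following added example (not part of the original slides) makes that concrete: the same constructed packets are run through a stateless filter that, like an ACL "established" rule, treats any inbound packet with the ACK bit set as a reply, and through a stateful filter that only accepts replies to connections it saw opened from inside. All addresses are documentation-range values chosen for the example.

```python
from dataclasses import dataclass

DMZ_WEB = "192.0.2.10"   # constructed: the public web server in the DMZ

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    flags: str      # TCP flag letters, e.g. "S", "SA", "A"
    inbound: bool   # True = arriving from the Internet side

def stateless_filter(pkt: Packet) -> bool:
    """Packet filter: decides on header fields of this packet alone."""
    if not pkt.inbound:
        return True                          # permit all outbound traffic
    if pkt.dst == DMZ_WEB and pkt.dport == 80:
        return True                          # public web server
    return "A" in pkt.flags                  # 'established' heuristic: ACK set => reply

class StatefulFilter:
    """Stateful inspection: tracks connections opened from the inside."""
    def __init__(self):
        self.table = set()                   # (inside_ip, inside_port, outside_ip, outside_port)

    def check(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if pkt.flags == "S":             # new outbound connection attempt
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if pkt.dst == DMZ_WEB and pkt.dport == 80:
            return True
        # inbound traffic must match the reverse of a tracked connection
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table

# Constructed sample traffic, in arrival order
PACKETS = [
    Packet("10.1.1.5", 40000, "198.51.100.7", 443, "S", inbound=False),  # internal host opens HTTPS
    Packet("198.51.100.7", 443, "10.1.1.5", 40000, "SA", inbound=True),  # legitimate reply
    Packet("203.0.113.9", 12345, "10.1.1.5", 445, "A", inbound=True),    # unsolicited, ACK bit set
    Packet("203.0.113.9", 12345, DMZ_WEB, 80, "S", inbound=True),        # visitor to public web server
]

def compare():
    """Return each filter's verdict (True = permitted) for every sample packet."""
    stateful = StatefulFilter()
    return {"stateless": [stateless_filter(p) for p in PACKETS],
            "stateful": [stateful.check(p) for p in PACKETS]}
```

The third packet is the difference: the stateless filter passes it because the ACK bit alone looks like an established connection, whereas the stateful filter rejects it because no inside host ever opened that connection.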
IDS

Is Intrusion Detection Necessary?

• Definition – the ability to detect and defend against defined attack patterns
• Host based & network based
• Network IDS can be integrated with firewalls to automatically respond to attacks
• Host based IDS can detect changes to operating system programs and configurations
Design Case Study

[Diagram 1: Internet – External Router – DMZ – Internal Router – Internal Network. Outside the internal router: Internet Web Server. In the DMZ: Application/Database Server, Backup Server, Intrusion Detection System (IDS). Inside: Intranet Web Server.]

Design Case Study

[Diagram 2: Internet – External Router – DMZ (Web Server, App Server, IDS, DMZ Backup Server, NAT, CVP Server) – Internal Router – Internal Network (IDS, IDS Console, NAT).]
Maintenance

How do you Maintain a Secure Internet Application Environment?

• Keeping ahead of security exploits is a full time job
• Actually review and report on firewall, IDS and system logs
• Develop incident response (IR) procedures and an IR team
• Periodically review and audit system and network security configurations
Future Developments

What is coming in Network Security?

• Better, cheaper authentication mechanisms
• Open network security models
• System, application level “firewalls”
• Windows 2000
Future Developments

Windows 2000 Security

• Kerberos Authentication Infrastructure
• Certificate Authority (CA)
• Security Configuration Editor
• IPSec Support
• Encrypting File System (EFS)
Future Developments

Kerberos Authentication

Windows 2000 supports several authentication models: Kerberos for internal authentication and X.509 certificates for external authentication. Kerberos can be configured to use private or public key authentication. Keys are managed by the Domain Controller (DC) in the Key Distribution Center (KDC). A user is granted a ticket or certificate which permits a session between the user and the server. Important security considerations:

• The KDC MUST be physically secured
• Susceptible to password dictionary attacks
• Administrators still have complete access
Future Developments

Encrypting File System (EFS)

Allows users to encrypt files and directories that only they (and administrators) can decrypt. EFS creates a separate 56-bit encryption key based on the Data Encryption Standard (DES) algorithm. The administrator’s key can unlock any encrypted file in the domain. This service is very fast and encryption/decryption occurs without the user noticing.
Summary

Summary of Best Practices

• If possible, create a separate trusted network (DMZ)
• Choosing the right firewall solution is key
• Application security is only as strong as system and network security
• Design the infrastructure to facilitate monitoring and data backups
• Intrusion Detection Systems – you can’t defend what you don’t detect
ANY QUERIES ???

Thank You
