Isec311 LCN 08
Network Topology:
• Private networks
• Peripheral networks: often exposed to an untrusted outside network. Also known as DMZ (Demilitarized Zone)
Network Architecture
(Figure: Internet - packet filtering router - internal network with Server 1 and Server 2)
A Single-Homed Bastion Host and a Router
(Figure: Internet - packet filtering router - bastion host (proxy) - internal network with Server 1 and Server 2)
Dual-Homed Bastion Host
(Figure: Internet - dual-homed bastion host acting as router + server (proxy) - internal network with Server 1 and Server 2)
• A dual-homed host is a system with at least two interfaces, inserted between a trusted network (LAN) and an untrusted network (Internet).
• It could act as a router.
• Systems inside the firewalled network can communicate with the dual-homed host, and systems outside the firewall (on the Internet) can communicate with the dual-homed host, but these systems can't communicate directly with each other.
A Dual-Homed Bastion Host and a Screening Router
(Figure: Internet - packet filtering router - bastion host (proxy) - private network; a DMZ holding a server)
• In this architecture, the primary security is provided by packet filtering.
• The bastion host sits on the internal network.
• The packet filtering by the router ensures that the bastion host is the only system on the internal network that hosts on the Internet can open connections to.
• Any external system can only access internal systems or services via the bastion host.
• Packet filtering also permits the bastion host to open allowable connections with the outside.
An Inside and an Outside Router
(Figure: Internet - outside router - inside router - private network)
An Inside and an Outside Router and a Single-Homed Bastion Host: Screened-Subnet Firewall System
(Figure: Internet - outside router (packet filtering) - DMZ (screened subnet) containing the bastion host (proxy) and the web server - inside router - private (internal) network)
Features:
• Two packet-filtering routers are used
• Creation of an isolated sub-network
• Advantages:
– Three levels of defense towards intruders
– Very secure configuration
– The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet)
– The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)
– If the bastion (proxy) is compromised, it is significantly more difficult to attack the internal network
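As an added example (not part of the lecture slides), the following Python simulation models the two packet-filtering routers of the screened-subnet firewall above, and also the single screening router described earlier for the dual-homed bastion host, as ordered first-match rule lists with an implicit final deny. It shows why the bastion is the only system the Internet can open connections to and the only exit for the internal network. The zones, the addresses (RFC 1918 space inside, the RFC 5737 documentation prefix 203.0.113.0/24 standing in for the DMZ), the bastion's service port 443 and the rule sets are all constructed assumptions for illustration:

```python
"""Added example (not from the lecture slides): a small simulation of the two
packet-filtering routers of a screened-subnet firewall, showing how the
filters make the bastion host the only system the outside can open
connections to and the only way out for the internal network.
Zones, addresses and rules are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan: RFC 1918 space for the private network, the
# RFC 5737 documentation prefix standing in for the DMZ's public addresses.
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("203.0.113.0/24")
BASTION = ipaddress.ip_address("203.0.113.10")   # bastion host (proxy)
WEB = ipaddress.ip_address("203.0.113.20")       # web server in the DMZ
ANY = ipaddress.ip_network("0.0.0.0/0")
PROXY_PORT = 443   # assumed service port of the proxy


def zone(ip) -> str:
    """Classify an address into the three zones of the screened subnet."""
    addr = ipaddress.ip_address(ip)
    if addr in INTERNAL:
        return "internal"
    if addr in DMZ:
        return "dmz"
    return "internet"


@dataclass
class Rule:
    src: object              # an ip_network, or a single ip_address for one host
    dst: object
    dport: Optional[int]     # None matches any destination port
    action: str              # "allow" or "deny"

    def matches(self, src_ip, dst_ip, dport) -> bool:
        def hit(selector, addr):
            if isinstance(selector, ipaddress.IPv4Address):
                return addr == selector
            return addr in selector
        return (hit(self.src, src_ip) and hit(self.dst, dst_ip)
                and (self.dport is None or self.dport == dport))


class PacketFilter:
    """Ordered first-match rule list with an implicit final deny."""

    def __init__(self, rules):
        self.rules = rules

    def decide(self, src_ip, dst_ip, dport) -> str:
        for rule in self.rules:
            if rule.matches(src_ip, dst_ip, dport):
                return rule.action
        return "deny"   # default-deny: anything not explicitly allowed is dropped


# Outside router: the Internet reaches only the DMZ services; the bastion may
# open its allowable outbound connections; the internal network is never a
# valid destination, so it stays invisible to the Internet.
OUTSIDE_ROUTER = PacketFilter([
    Rule(ANY, WEB, 443, "allow"),
    Rule(ANY, BASTION, PROXY_PORT, "allow"),
    Rule(BASTION, ANY, None, "allow"),
])

# Inside router: internal hosts talk only to the bastion and the bastion may
# talk back; there is no rule for a direct internal <-> Internet path.
INSIDE_ROUTER = PacketFilter([
    Rule(INTERNAL, BASTION, None, "allow"),
    Rule(BASTION, INTERNAL, None, "allow"),
])


def path_allowed(src: str, dst: str, dport: int) -> bool:
    """True if every router on the packet's path permits the new connection.
    Traffic involving the internal zone crosses the inside router; traffic
    involving the Internet crosses the outside router; internal <-> Internet
    traffic must pass both."""
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    zones = {zone(src_ip), zone(dst_ip)}
    routers = []
    if "internal" in zones:
        routers.append(INSIDE_ROUTER)
    if "internet" in zones:
        routers.append(OUTSIDE_ROUTER)
    return all(r.decide(src_ip, dst_ip, dport) == "allow" for r in routers)


if __name__ == "__main__":
    samples = [  # constructed connection attempts (RFC 5737 addresses on the Internet side)
        ("198.51.100.7", "203.0.113.20", 443),   # Internet -> DMZ web server
        ("198.51.100.7", "203.0.113.10", 443),   # Internet -> bastion (proxy)
        ("198.51.100.7", "10.1.2.3", 22),        # Internet -> internal host
        ("10.1.2.3", "198.51.100.7", 80),        # internal host -> Internet directly
        ("10.1.2.3", "203.0.113.10", 443),       # internal host -> bastion
        ("203.0.113.10", "198.51.100.7", 80),    # bastion -> Internet on behalf of a client
    ]
    for s, d, p in samples:
        verdict = "allowed" if path_allowed(s, d, p) else "denied"
        print(f"{s} -> {d}:{p}  {verdict}")
```

Running the block prints the decision for the constructed connections: the Internet host's attempt to reach an internal address and the internal host's attempt to reach the Internet directly are both refused, while each side can reach the bastion. The simulation only decides whether a new connection may be opened; a real rule set would also need entries (or stateful tracking) for the return traffic of permitted connections.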
Integrated Router and Bastion (Proxy) and Inside Router
(Figure: Internet - bastion (proxy) / outside router - DMZ with web server - inside router - private network)
Advantages:
• Less expensive than the architecture with two routers
• Fast filtering process
• Centralization of verification and identification
Drawbacks:
• The bastion can get very busy
• It can be compromised easily
• Double role: proxy (bastion) and router, therefore more vulnerable
Outside Router, Inside Integrated Router and Bastion (Proxy)
(Figure: Internet - outside router - DMZ with web server - bastion (proxy) / inside router - private network. This configuration is not recommended.)
• Not recommended:
– The bastion can get very busy
– If a hacker succeeds in attacking the bastion, the whole private network will be compromised
• Advantage:
– Not expensive
Several Inside Routers
(Figure: Internet - DMZ with web server - several inside routers - private network)
The possibility of conflicts among the inside routers is high.
Several Private Networks
(Figure: Internet - router - DMZ with web server - backbone - one router per private network (Private Network A, Private Network B))
One Inside Router and Several Outside Routers
(Figure: the Internet and a client or partner network each enter through their own outside router into the DMZ (web servers); a single inside router connects the DMZ to the private network)
Private IP Addresses and Network Address Translation (NAT) Architecture
IP Addresses for the Private Networks
Recommendation of IANA: RFC 1918 (non-routable IP addresses)
• Class A: 10.0.0.0
• Class B: 172.16.0.0 to 172.31.0.0
• The 256 networks of Class C: 192.168.0.0 to 192.168.255.0
(Figure: private network behind a router, hosts addressed 10.0.0.1/254 (non-routable IP addresses))
One-to-one NAT
Many-to-one NAT
(Figure: LAN - router acting as translator - Internet)
Many-to-one translation of the source socket (private @IP, port → public @IP, port):
@priv1, 1025 → @pubA, 3025
@priv2, 1067 → @pubA, 3026
@priv3, 1067 → @pubA, 3027
• Network Address Translation: the private source address is replaced by the public address @pubA
• Port Address Translation: the source port is replaced by a port that is unique on the router, so two private hosts using the same port (1067 above) stay distinguishable
The router keeps a translation table of (@IP, port number) pairs.
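The following Python block is an added example, not code from the lecture: it checks addresses against the three RFC 1918 blocks listed above and implements a toy many-to-one NAT table that reproduces the slide's translation table (three private source sockets, two of which share port 1067, mapped to one public address with distinct ports). The public address 203.0.113.1 (an RFC 5737 documentation address), the starting port 3025 and the private sockets are constructed for illustration:

```python
"""Added example (not from the lecture slides): an RFC 1918 private-address
check and a toy many-to-one NAT (port address translation) that reproduces
the slide's translation table. The public address, ports and packets are
constructed for illustration."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# The three RFC 1918 blocks from the slide, as CIDR prefixes.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),       # class A: 10.0.0.0
    ipaddress.ip_network("172.16.0.0/12"),    # class B: 172.16.0.0 to 172.31.0.0
    ipaddress.ip_network("192.168.0.0/16"),   # 256 class C networks: 192.168.0.0 to 192.168.255.0
]


def is_private(ip: str) -> bool:
    """True if ip falls in one of the non-routable RFC 1918 blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in RFC1918)


Socket = Tuple[str, int]   # (IP address, port number)


class Translator:
    """Router NAT table: many private (IP, port) sockets share one public
    address and are told apart by the translated source port (PAT)."""

    def __init__(self, public_ip: str, first_port: int = 3025):
        self.public_ip = public_ip
        self.next_port = first_port
        self.out: Dict[Socket, Socket] = {}   # private socket -> public socket
        self.back: Dict[int, Socket] = {}     # public port -> private socket

    def outbound(self, src_ip: str, src_port: int) -> Socket:
        """Translate the source socket of a packet leaving the LAN.
        Packets from already-routable sources are forwarded untouched."""
        if not is_private(src_ip):
            return (src_ip, src_port)
        key = (src_ip, src_port)
        if key not in self.out:               # new flow: allocate a fresh public port
            pub_port = self.next_port
            self.next_port += 1
            self.out[key] = (self.public_ip, pub_port)
            self.back[pub_port] = key
        return self.out[key]

    def inbound(self, dst_port: int) -> Optional[Socket]:
        """Map a reply arriving at the public address back to the private socket.
        None means no LAN host opened this flow, so the router drops the packet."""
        return self.back.get(dst_port)

    def table(self) -> List[Tuple[Socket, Socket]]:
        """The slide's table: translation (IP address, port number)."""
        return list(self.out.items())


if __name__ == "__main__":
    nat = Translator("203.0.113.1")   # constructed public address @pubA
    # Constructed private sockets @priv1..@priv3, as in the slide's table.
    for priv in [("10.0.0.1", 1025), ("172.16.0.2", 1067), ("192.168.1.3", 1067)]:
        print(priv, "->", nat.outbound(*priv))
    print("reply to port 3026 goes to", nat.inbound(3026))
    print("unsolicited packet to port 4000 goes to", nat.inbound(4000))
```

The inbound lookup shows the defensive side effect of the table: a packet arriving at the public address on a port that no LAN host opened has no mapping, so the router has nowhere to deliver it and drops it.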