
ISEC 311: Network Security

Secure Network Architecture


College of Information Technology (CIT)
United Arab Emirates University
Spring 2022
Network Architecture

A network connected to the Internet has many types of machines:
• PCs and laptops
• Internal servers: FTP, ...
• External servers (bastion hosts): Web, SMTP, ...

Network topology:
• Private networks
• Peripheral networks: often exposed to the untrusted outside network. Also known as the DMZ (De-Militarized Zone)
Network Architecture

The network architecture depends on:
• The organization's security policies
• The available budget
• The activities and services provided by the organization
Bastion Hosts

• Simple single-layer architecture
• Reside outside of the firewall or in the demilitarized zone (DMZ)
• Typically serve as the first point of connection from the Internet
• Can be a software or hardware solution
The Bastion Host

General requirements:
• High memory and processor speed
• Secure host software (installed OS, patches, etc.)
• Remove unnecessary services and accounts
• Reconfigure the host as needed to keep its configuration up to date
• Perform frequent security audits to ensure compliance with security policies
Different Firewall Architectures

Only One Packet-Filtering (Screening) Router

[Figure: the Internet connected through a single packet-filtering router to the internal network, which hosts Server 1 and Server 2]
A Single-Homed Bastion Host and a Router

[Figure: the Internet, a packet-filtering router, the bastion host (proxy), and the internal network hosting Server 1 and Server 2]

A bastion host is a highly secure single system.
A Single-Homed Bastion Host and a Router

Configuration for the packet-filtering router:
• Only packets from and to the bastion host are allowed to pass through the router
• The bastion host performs authentication and proxy functions
• Greater security than a single router (defense in depth) because:
  – This configuration implements both packet-level and application-level filtering (allowing for flexibility in defining the security policy)
  – An intruder must generally penetrate two separate systems
A Dual-Homed Bastion Host as a Screening Router

[Figure: the Internet connected to a dual-homed bastion host acting as router and proxy server, with the network hosting Server 1 and Server 2 behind it]

• A dual-homed host is a system with at least two interfaces inserted between a trusted network (LAN) and an untrusted network (Internet).
• It could act as a router.
• Systems inside the firewalled network can communicate with the dual-homed host, and systems outside the firewall (on the Internet) can communicate with the dual-homed host, but these systems can't communicate directly with each other.
A Dual-Homed Bastion Host and a Screening Router

[Figure: the Internet connected to a packet-filtering router; behind it, the bastion host (proxy) on the private network and a server in the DMZ]

• In this architecture, the primary security is provided by packet filtering
• The bastion host sits on the internal network
• The packet filtering by the router ensures that the bastion host is the only system on the internal network that hosts on the Internet can open connections to
• Any external system can only access internal systems or services via the bastion host
• Packet filtering also permits the bastion host to open allowable connections with the outside
A Dual-Homed Bastion Host and a Screening Router

Packet filtering can be configured on the router to:
• Allow internal hosts to connect directly with external ones (a security risk exists when allowing this)
• Prevent internal hosts from connecting directly with external hosts, forcing them to go through the bastion host
• A mix of the above two rules is possible

It is easier to protect the router than the bastion host against attacks.
This configuration provides better security and flexibility than a dual-homed host architecture.
What is a DMZ?

• A DMZ network is a network segment configured to protect and add an extra layer of security to an organization's LAN from untrusted traffic. One common DMZ is a network segment that resides between the Internet and a LAN, where the public servers of an organization are hosted.
• A DMZ is usually created between two firewalls, one connecting it to the Internet and another connecting it to the organization's LAN.
An Inside and an Outside Router

[Figure: the Internet connected to the outside packet-filtering router; the DMZ (peripheral network) hosting the Web server and the SMTP server; the inside router separating the DMZ from the private network, which hosts an internal Web server]
An Inside and an Outside Router and a Single-Homed Bastion Host: Screened-Subnet Firewall System

[Figure: the Internet connected to the outside packet-filtering router; the DMZ (screened subnet) hosting the bastion host (proxy) and the Web server; the inside router separating the DMZ from the private (internal) network]
An Inside and an Outside Router and a Single-Homed Bastion Host: Screened-Subnet Firewall System

Features:
• Two packet-filtering routers are used
• Creation of an isolated sub-network

Advantages:
– Three levels of defense against intruders
– Very secure configuration
– The outside router advertises only the existence of the screened subnet to the Internet (the internal network is invisible to the Internet)
An Inside and an Outside Router and a Single-Homed Bastion Host: Screened-Subnet Firewall System

Advantages (continued):
– The inside router advertises only the existence of the screened subnet to the internal network (the systems on the inside network cannot construct direct routes to the Internet)
– If the bastion (proxy) is compromised, it is significantly more difficult to attack the internal network
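The screened-subnet rules above, modelled as an added example (not lecture code): the outside router only passes Internet traffic to the published DMZ services and only lets the bastion reach outward, the inside router only passes traffic between the bastion and the internal LAN, and a packet crossing both routers must satisfy both. The addresses (DMZ 192.0.2.0/24, bastion 192.0.2.10, Web server 192.0.2.80, internal LAN 10.0.0.0/8) and the bastion accepting SMTP on port 25 are assumptions for the illustration.

```python
"""Screened-subnet packet-filter model (added example, not lecture code).
Assumed addressing: DMZ 192.0.2.0/24 with bastion 192.0.2.10 and Web
server 192.0.2.80, internal LAN 10.0.0.0/8, anything else is the Internet.
Only the connection-initiating packet is modelled; default policy is deny."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

DMZ = ip_network("192.0.2.0/24")
INTERNAL = ip_network("10.0.0.0/8")
BASTION = ip_address("192.0.2.10")
WEB = ip_address("192.0.2.80")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int


def zone(addr: str) -> str:
    a = ip_address(addr)
    return "internal" if a in INTERNAL else "dmz" if a in DMZ else "internet"


def outside_router(p: Packet) -> bool:
    """Internet <-> DMZ only: inbound limited to the published services,
    outbound from the DMZ limited to the bastion (proxy)."""
    s, d = ip_address(p.src), ip_address(p.dst)
    if zone(p.src) == "internet":
        return (d == WEB and p.dport == 80) or (d == BASTION and p.dport == 25)
    return s == BASTION


def inside_router(p: Packet) -> bool:
    """Internal <-> bastion only: internal hosts have no route past the
    bastion, and no other DMZ host may open connections inward."""
    s, d = ip_address(p.src), ip_address(p.dst)
    return (s == BASTION and d in INTERNAL) or (s in INTERNAL and d == BASTION)


def permitted(p: Packet) -> bool:
    """A packet passes only if every router on its path permits it; an
    Internet <-> internal packet would have to satisfy both."""
    zones = {zone(p.src), zone(p.dst)}
    checks = []
    if "internet" in zones:
        checks.append(outside_router)
    if "internal" in zones:
        checks.append(inside_router)
    return all(check(p) for check in checks)  # DMZ <-> DMZ: no router
```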
Integrated Router and Bastion (Proxy) and Inside Router

[Figure: the Internet connected to a combined bastion (proxy)/outside router; the DMZ hosting the Web server; the inside router in front of the private network]
Integrated Router and Bastion (Proxy) and Inside Router

Advantages:
• Less expensive than the architecture with two routers
• Fast filtering process
• Centralization of verification and identification

Drawbacks:
• The bastion can get very busy
• Can crack easily
• Double role: proxy (bastion) and router, therefore more vulnerable
Outside Router, Inside Integrated Router and Bastion (Proxy)

[Figure: the Internet connected to the outside router; the DMZ hosting the Web server; a combined bastion (proxy)/inside router in front of the private network. This configuration is not recommended.]
Outside Router, Inside Integrated Router and Bastion (Proxy)

Not recommended:
• The bastion can get very busy
• If a hacker succeeds in attacking the bastion, the whole private network will be compromised

Advantage:
• Not expensive
Several Inside Routers

[Figure: the Internet connected to the outside router; the DMZ hosting Web servers; two inside routers in parallel in front of the private network. This configuration is not recommended.]

The possibility of conflicts among the inside routers is high.
Several Private Networks

[Figure: the Internet connected to a router; the DMZ hosting Web servers; separate routers leading from the DMZ to Private Network A and Private Network B]
Dorsal (Backbone) with Several Private Networks

[Figure: the Internet connected to a router; the DMZ hosting the Web server; a router leading from the DMZ to the dorsal (backbone) network, from which separate routers lead to Private Network A and Private Network B]
One Inside Router and Several Outside Routers

[Figure: the Internet and a client or partner network each connected through its own outside router to the network hosting the Web servers; a single inside router in front of the private network]
Private IP Addresses and Network Address Translation (NAT) Architecture

IP Addresses for the Private Networks

Recommendation of IANA: RFC 1918 (non-routable IP addresses)
• Class A: 10.0.0.0
• Class B: 172.16.0.0 to 172.31.0.0
• The 256 networks of Class C: 192.168.0.0 to 192.168.255.0

• Isolation of your traffic from the Internet traffic

• The need for an address translator:
  – Network Address Translator (NAT)
  – NAT does not replace the firewall or the proxy server
IP Addresses for the Private Networks

[Figure: the Internet connected through a router to the peripheral network (DMZ) hosting the Web server and the SMTP server, addressed 193.95.37.0/255 (routable IP addresses); a second router leads to the private network with an internal Web server, addressed 10.0.0.1/254 (non-routable IP addresses)]
One-to-one NAT
Many-to-one NAT

[Figure: the LAN connected through a router/translator to the Internet]

Translation table (IP address, port number):

  Source socket    Translated socket
  @priv1, 1025     @pubA, 3025
  @priv2, 1067     @pubA, 3026
  @priv3, 1067     @pubA, 3027

• Network Address Translation
• Port Address Translation
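The RFC 1918 check and the many-to-one translation table above, as an added example (not lecture code): outbound packets from private addresses get their source socket rewritten to the translator's single public address and a fresh port, replies are mapped back through the same table, and an inbound packet with no table entry has nowhere to go. The public address 193.95.37.1, the starting port 3025 and the sample sockets are constructed for the illustration.

```python
"""Many-to-one NAT / PAT simulator (added example, not lecture code).
Assumed: private LAN in RFC 1918 space; the translator owns one public
address, 193.95.37.1 (constructed), and hands out ports from 3025."""
from ipaddress import ip_address, ip_network

RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr: str) -> bool:
    """True for the non-routable ranges that IANA reserved in RFC 1918."""
    return any(ip_address(addr) in net for net in RFC1918)


class Napt:
    """Keyed on (private IP, private port) only; a real NAPT keys on the
    full 5-tuple, but this is enough to reproduce the table on the slide."""

    def __init__(self, public_ip: str, first_port: int = 3025):
        self.public_ip = public_ip
        self.next_port = first_port
        self.table = {}    # (priv_ip, priv_port) -> public port
        self.reverse = {}  # public port -> (priv_ip, priv_port)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Rewrite the source socket of a LAN-originated packet and record
        the mapping; traffic not from RFC 1918 space is passed unchanged."""
        if not is_private(src_ip):
            return (src_ip, src_port, dst_ip, dst_port)
        key = (src_ip, src_port)
        if key not in self.table:
            self.table[key] = self.next_port
            self.reverse[self.next_port] = key
            self.next_port += 1
        return (self.public_ip, self.table[key], dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port):
        """Map a reply back to the private socket.  Without a table entry
        the packet has no inside destination and is dropped (None); that is
        a side effect of translation, not a substitute for a firewall."""
        if dst_ip != self.public_ip or dst_port not in self.reverse:
            return None
        priv_ip, priv_port = self.reverse[dst_port]
        return (src_ip, src_port, priv_ip, priv_port)
```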
