Saturday, November 16, 2019
The Perimeter Network Security System Computer Science Essay
The Perimeter Network Security System Computer Science Essay As like in the real life, securing the borders are the first level of defense to protect the internal network of an organisation. The purpose of this report is to design a perimeter network security system that will provide security enhancement on the existing network infrastructure of Napier University. Network perimeter is an important line of defence in an enterprise network and every organisation has this perimeter network. Perimeter network is where the internal network meets the border network. The main security architecture using this potential area of the network is firewalling. Here this report discusses the egress and ingress filtering of packets by the firewall in order to let the bad traffic out of the perimeter and allow only the good traffic to trusted internal network. One of the core ideas behind the securing the network from outside threat is to develop and implement multiple overlapping layers of security solutions with different security components like Firewalls, VPN, IDS/P and Proxying. Though there are no single security solutions to protect the university network, multiple layers of perimeter security solution will provide maximum available protection from both outside and internal threats. (Watkins, 2011) The design considers hardening of network devices by striping down unnecessary protocols and services and manages the security perimeter from a management network for proper monitoring and mitigation. The main challenges to design and implement a perimeter security is to determine the proper firewall design, as Perimeter firewall and border routers are key components that decide the security to internal network. Most modern day attacks are happening in the Application layer and filtering in this top layer is extremely important for a successful security design. An enhanced packet inspection with proper monitoring and reporting is required throughout the end points of the network to block the malicious traffic from in and out of the network. There are number of ways and techniques involved in designing a perimeter security and this design proposes the specific solutions to the security threats in a campus wide network than in a highly complex enterprise network. 1 CSN11111 Perimeter Network Security System 10800584 RESEARCH AND DESIGN (25/ 1000 words) Security is not a product but a process. Network security depends on multiple components, policy and procedure to enforce the best practices on systems, people and infrastructure (Michael E. Whitman, 2009). The basic idea of information security is to protect the three fundamental components of information security that are Confidentiality, Integrity and Availability. Perimeter security design follows this principle to protect these components by using various security components. The design of the perimeter security depends on what resources need to be protected and the business need. SECURITY ARCHITECTURE The main design of the security architecture consists of segregating different zones in a network. These zones have different levels of security trust levels that allow or deny traffic. This layered architecture will provide the University to keep out of attackers (the term attacker is used in this report and not hacker, as an attacker is a hacker with a malicious intent and not all hackers are malicious intent). In the enterprise network, the network is divided generally into three zones and these are Border Network, Perimeter network and internal network. The perimeter security consists of border network and perimeter network as shown in the picture. Each of these considered as single entity against potential threats. In a network perimeter has many points where an effective security policy should be established. The network perimeter is the most important points of security against 2 CSN11111 Perimeter Network Security System 10800584 external threats. Many types of security can be implemented like packet filtering, intrusion detection systems/prevention and anomaly detection etc. Border Network Border network is the Internet facing zone via a border router (Edge router) that provides an initial layer of protection against all the starting point of attacks. It is most likely an IDP (Intrusion Detection and Prevention) System to be placed to create an extra layer of security. The border router will allow the traffic as per the Ingress and Egress filtering rules set on the router. Apart from protecting the outside threats these edge router and IDP also help to reduce the network load on the perimeter firewall by filtering spoofed traffic out of reaching to the perimeter firewall. Egress filtering helps to prevent specific types of traffic going out of the University that may be some confidential information or can an attacker plant traffic from a payload. A common rules used in the border router is to filter out the ICMP traffic to avoid the probing of network infrastructure. (Dailey, 2009) Perimeter Network Perimeter network sits in between the Border network and the trusted internal network often referred as DMZ. A Perimeter Firewall is the main component to filter the traffic to DMZ and passes the traffic to internal network. This firewall allows traffic from outside the network to servers like Web server or Email Server and also allows a limited access from the internal users. 3 CSN11111 Perimeter Network Security System 10800584 Perimeter firewall allows the filtered traffic to internal firewall where traffic is further scrutinised by the set of rules according the security policies of the organisation. These firewalls are commonly uses the stateful inspection technology where the states of legitimate traffics are stored in the firewall cache. Only traffic matching the states of the connection is allowed and others are dropped. REQUIREMENT ANALYSIS When designing a secure network there are number of factors are taken into considerations. Security is not just a technical issue but a business issue. The goal is to make sure a balanced approach towards the requirements in general. The general security requiement is to provide the services according to the CIA triad of the information security. Apart from these there are also factors like budget, existing infrastructure and scalability. Other factors also constitute the decision making of a proper design are reduce cost, employee productivity, avoid business down time, comply with industry standards etc. SECURITY THREATS This section discusses the better known attacks and the reason behind using perimeter security as first line of defense. Attacks can be devided into external attacks- coming from the internet and internal attacks- coming from the internal network. Information Gathering is the first method an attacker try to get the maximum informaiton about the network architecture. 4 CSN11111 Perimeter Network Security System 10800584 The external attacks are from the simple probing of the network to DoS( Denial of Service Attacks). An insider attack considers one of the major threats to any perimeter security design. These attacks may come from a mischievous user to a disgruntled employee who wanted to grab confidential information or to steal company secrets like financial data, personal information etc. A well configured internal firewall along along with the perimeter firewall can be the good level of defense against these attacks Other types of attacks inlcude intrusion packet sniffing, IP spoofing and DoS attacks that poses a direct threat to the organisation. Application layer security is one of the important design area to be take care of. Well known attacks like SQL injection are of these types. These exploits the known or unknown vulnerability on a web server or database server in order to gain the unauthorised access to the internal network. DESIGN The design of each of the security zones for the Napier University may be different but as whole these components acts together to provide a common goals by protecting the perimeter. It is important to understand where the perimeter of the network exists and what technologies are used against the threats. Perimeter security is handled by several different technologies including border router, firewalls, intrusion detection sytems and prevention systems, VPNs. Border Router The border router sits in the border or the edge of network where there is a direct interface to Internet. It acts like a traffic policeman, directs the traffic in or out of the network and also block the traffic which are not allowed to. The border router will do a NATing to provide this feature. This will give the outside network to probe the internal network. Although these routers are do not act like a firewall, it helps to protect the very first line of defense. Firewall 5 CSN11111 Perimeter Network Security System 10800584 A firewall is an active device that job is to permit or deny the data packets as per the rules set or the states of the connection. Perimeter firewall is the center point of defense against all the threat that coming to internal network. Firewall can be software based or hardware based hardned for the filtering of packets. The proposed perimeter security can be stand alone or multiple layers that combined with other security devices like IDS, IDP and VPN. A static filter firewall is the common and simplest firewalls. These firewal allow or block traffic based on the packet header. A perfect example is blocking of Spoofed IP traffic. The main advantage of this type is that I has a very fast throughput but the down side is this firewall block already established connection which may be malicious intent. On the other hand the stateful inspection firewall is the best way of defending the maliciuos attacks. Stateful inspection firewall keeps a copy of the state of each connection so that the traffic will be allowed or denied according the states in the state cache maintained in the firewall. The disadvantage of using this firewall is slow traffic coming out of the firewall as invidiual packets need to be verified and checked with the cache table. Another firewall which is effective against the application layer attacks are the Proxy firewalls. Since the most modern day attacks are pointed against the application protocols the stateful or stateful firewalls will not block the malicious traffic coming to/out of the network. A proxy firewall acts in the middle of the internet and private hosts and the proxy by acting on behalf of the host. The filtering rules are applied in the application layer. The ruleset or signature can be created according to the latest threats. Because of the huge number of traffic these firewalls considered the lowest throughput than any other firewall but top end in droping unwanted malicous application layer traffic. A web application filter and a spam filter are the example of a proxy firewall. DMZ A DeMilitarized Zone or DMZ is the separate zone from the perimeter firewall between the external network and trusted internal network. The public internet facing servers like Web servers, email servers are placed in this area because the DMZ is considered the the most sensitive area with high security stance. The firewall restrict the traffic in this zones in order to avoid the potential threats that may come into the internal 6 CSN11111 Perimeter Network Security System 10800584 network. The network inside this zone cannot initiate a session to the outside world unlcess it is a reply to an incoming connection. Intrusion Detection Systems (IDS)/ Prevention systems (IPS) An intrusion detection system or prevention system works in sync with the firewalls by providing a coming security goal of blocking unwanted traffic and notify any event that pop up in the network or host. IDS anlayse the packets for any suspicious activity and alerts the administrator. An IPS will prevent these activity by droping apart from the detection the same way IDS does. IDS and IPS have extensive rules set or singnatures of malicious activity which matches the incoming or outdoing traffic when in operation. One disadvantages with the IPS or IDS is that it may alert an legitimate traffic which considered false positive. A proper configuration of these devices is required in order to kept the false positive minimum as some times this will be a menace to handle too many logs with many thousands of false positives. A host based IDS also provide the security administrator with alerts against he malicious activity destined against a particular server like in Database server. VPN Virtual Private Nework (VPN) establish a secure remote connection to the private network by creating a secure virtual tunnel through the public untrusted network. VPN provides perimeter security by ecrypting the data in the tunnel and establish a secure connection over the internet. VPN considered to be the potential threat when an attacker comprise the tunnel as the traffic cannot be verified by the IDS or IPS because of the encrypted pakcets it uses for communication. An SSL VPN with an end-to-end VPN can be the best possible way to stay the attacker out of the network. A perimeter security design is incomplete without a proper firewall policy and an organisation wide security practices. For example if an administrator keep a weak password for these devices or any hosts in the network can nullify the entire effort put on designing a perimeter security. These security policy should also be applied to 7 CSN11111 Perimeter Network Security System 10800584 systems, and users as there needs to be a minimum level of secure access policy with proper Authentication, Autherisation and Authentication(AAA) methods. http://www.cisco.com/en/US/products/sw/secursw/ps1018/products_tech_note09186a00808bc994.shtml Management Network Management and logging is the most important aspects of a perimeter security. This network has the high security stance as all the administrative access are controlled in the management network. An attacker can take direct access by accessing the management network. The traffic to management network to be encrypted to avoid any possible attack on the internal network. For example to access the IDS, ISP and or routers to be through a secure shell, or SSL, or a https access. Log monitoring is another important aspect of a perimeter security like keeping the IDS and IPS logs or firewall logs. Log files can help to identify the probable attack on the internal or malicious activity originating from the internal network. Another possible thing to do to harden all the security devices destined to do only services that (Convery, 2004). IMPLEMENTATION (20/ 800 words) Building a perimeter security system consists of bringing different security technologies explained in the previous topic; together for a common goal-to protect the internal network from external or internal threats. The router and firewall separate the public untrusted network from the internal network, the IDS/IPS monitors all traffic, and the VPN provides remote access. All of these components together form a defense in depth security in a perimeter. Figure xxx shows the outline prototype of the proposed design. 8 CSN11111 Perimeter Network Security System 10800584 authentication server-dmz One of the first best practices before the implementation is to develop a firewall policy. The policy mainly defines the security trust levels of each zone in the network and the flow of the data traffic. The flow of data traffic is one of core in implementing the organisation wide security technologies. Perimeter firewall is the centre point in this prototype. This firewall is a stateful inspection firewall and manages traffic from external and internal network. This firewall is a closed security stance by blocking all traffic except those required for the University network. 9 CSN11111 Perimeter Network Security System 10800584 The figure - above shows how the data flows through different layers of security first where the first line of defense is border router. This multiple layers of security filter the bad traffic in different layers in the network. The first level of defense is border router with a backup from the NIDS. This can be implemented by enabling basic packet filtering rules and Access Control Lists. Blocking the IP Spoofing and ICMP traffic are the examples. This outline NIDS will detect the any unknown behaviour in the traffic, which will be alerted to the administrator through management network. In some cases border router may not required as the perimeter firewall it self can handle the security threats but that depends on the business decision like cost and availability. Diagram for flow of trafficà ¢Ã¢â ¬Ã ¦ As shown in the figure the data flow in the perimeter firewall. Perimeter firewalls allows or deny traffic as per the ingress and egress filter rules. Almost all the traffic coming to the internal network will be blocked by firewall and only allow as per the egress rules. The exception for this rule is for VPN clients and the VPN uses the encrypted tunnel and the VPN server is inbuilt in the Firewall itself. The Perimeter firewall also allows ingress traffic to DMZ zone but drop traffic originates from the webserver other than the reply to the already established connection. DMZ is the least trust level and this is why DMZ is isolated from other network zones. The internal network is allowed to access the Internet and Intranet through a proxy server in the DMZ zone. A web filtering software in the Proxy server can be implemented to filter out the unintended malicious URLs and links. The DMZ also has an inline NIPS in order to defend attacks against the application level threats like DoS attacks. The in line IPS behind the Perimeter firewall act like a sub-cop to check the malicious activity originating both from external and 10 CSN11111 Perimeter Network Security System 10800584 internal network. Internal threat may come from a disgruntled employee or a malicious traffic from a Trojan program or a zombie for a possible DDoS (Distributed Denial of Service) attack by a hacker (black hat off course!) harvested by using techniques like social engineering. The table explains the detailed egress and ingress rules on the Perimeter firewall. TRAFFIC TYPES INGRESS EGRESS ALLOW HTTP/S Request, DMZ Allow ICMP DMZ Deny Email (SMTP) Request DMZ Allow Email (Exchange RPC) DMZ Allow All Other Traffic DMZ Deny HTTP Reply DMZ Allow SMTP Reply DMZ Allow Exchange RPC Reply DMZ Allow All Other Traffic DMZ Deny ICMP (depends on policy) Internal Network Deny Remote VPN Connection Internal Network Allow All Other (Including from DMZ) Internal Network Deny Proxy Server (Port 8080)- Internet Internal Network Allow Email Server Access (DMZ) Internal Network Allow ICMP Internal Network Deny All Other Traffic Internal Network Deny Management network in the proposed diagram is one of the top security trust level where the management of all the security devices can be done. Log analysis, Secure tunnel access to routers, firewalls, IDS/P are all done in this network. The trusted servers in the internal network are protected with an internal packet filter firewall with only few of the protocols and ports are allowed. This will give the server farms with highest level of security. The staff and student networks are segregated with VLAN, as staffs should have access to student network but not vice versa. VLAN separate the traffic like a router and this will be important when considered in a University network. 11 CSN11111 Perimeter Network Security System 10800584 Both staffs and Students can have access to trusted servers through the internal firewalls. The NIDS is also monitor any suspicious event and alerted. The other Host based IDS and personal firewall in each of the workstations provides an extra layer of security. So the proposed design with a defense-in-depth can be implemented to enhance the existing infrastructure of the Napier. TESTING AND EVALUATION (25/ 1000 words) 12 CSN11111 Perimeter Network Security System 10800584 CONCLUSION (15/ 600 words) Unifiied threat management Appliance emerging cobbà ¢Ã¢â ¬Ã ¦. One persons good enough is another persons never! Bandwidth for authentication is trivial in any case I can think of that doesnt include downloading extremely large biological mappings of the authentication target. As far as security measurements, I dont know what yard stick youre using, but strong on-host, per-host authentication works well when you have a trusted path, everything else is a usability or management compromise, I dont think Id tout them as security features. Placement of authentication server Placement of internal firewall. http://www.sans.org/reading_room/whitepapers/firewalls/achieving-defense-in-depth-internal-firewalls_797 he single, authenticated/anonymous, and individualized DMZ designs are all secure designs that provide the best protection for various network sizes. The single DMZ is respected for its simple design which separates itself from a private network. The authenticated/anonymous DMZ classifies servers and the data they protect in order to segregate servers that need strong access controls from the ones that do not. The 13 CSN11111 Perimeter Network Security System 10800584 individualized DMZ gives the greatest security for a mature network, but also has the highest setup and maintenance costs. All of these secure DMZ designs are susceptible to a poorly configured server which can allow a criminal access to a data store or worse, the entire private network. In a nutshell, theres no such thing as absolute security. How much you invest in firewalls should be a function of how much you have to lose if an attack is successful. (reword) You probably heard a number of so called security experts claim the perimeter is dead because it is not effective at blocking attacks. Nothing cluld be further from the trust. Its true that attacks have become far more complex. The concern is no longer simple port scans. What we need to do however is enhance our posture, not scrap useful technologies. To be fair however, its not just the perimeter that is having the problems with modern attacks vectors. Tools like metasploit have reduced the time of exploit development from days to minutes. Networks are being spear targested with Malware which goes undetected by their Antivirus software, in some cases for as long as two years. Attackers have figured out that they do need to completely defeat forensics, they just need to make it difficult enough that it is no longer cost effective in a CFOs eyes to fully analyse the comprosmised system. So the true problem is attack technology is advancing and we need to keep up. Sometimes this is finding new security technologies and sometimes its by retasking the ones we are already using. To draw a parallel, think of what has happened with the common automobile. 40+ years ago a tuner could tweak more power out of an engine with a simple toolkit from sears. Many of those old times tuners will tell you that engines are now too complex t work on. T o the modern tuner however who is willing to add things like OBD-II adapters and laptops to their toolki, the payoffs are huge. Power levels that used to equire huge V8 engines can be produced in tiny four cylinders with as much displacement as half gallono fmilk. 14 CSN11111 Perimeter Network Security System 10800584 https://ondemand.sans.org/b20080814/viewer.php?mode=2lo=7652moduleid=530 7pos=0hint=1#viewer Properly configured firewalls and border routers are the cornerstone for perimeter security The Internet and mobility increase security risks VPNs have exposed a destructive, pernicious entry point for viruses and worms in many organizations Traditional packet-filtering firewalls only block network ports and computer addresses Most modern attacks occur at the application layer 15 CSN11111 Perimeter Network Security System 10800584
Subscribe to:
Post Comments (Atom)
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.