PowerPoint PPT Presentation
Devices. Chapter 9. Learning Objectives: understand the purpose of a network firewall and the types of firewall technology available on the market; understand the role of routers, switches, and other networking hardware in security.

Presentation Transcript

Slide 1

Devices, Chapter 9

Slide 2

Learning Objectives
- Understand the purpose of a network firewall and the types of firewall technology available on the market
- Understand the role of routers, switches, and other networking hardware in security
- Determine when VPN or RAS technology works to provide a secure network connection

Slide 3

Firewalls
- Hardware or software device that provides a means of securing a computer or network from unwanted intrusion
- Dedicated physical device that protects a network from intrusion
- Software feature added to a router, switch, or other device that prevents traffic to or from part of a network

Slide 4

Management Cycle for Firewall Protection
- Draft a written security policy
- Design the firewall to implement the policy
- Implement the design by installing the selected hardware and software
- Test the firewall
- Review new threats, requirements for additional security, and updates to systems and software; repeat the process from the first step

Slide 5

Drafting a Security Policy
- What am I protecting?
- From whom?
- What services does my company need to access over the network?
- Who gets access to which resources?
- Who administers the network?

Slide 6

Available Targets and Who Is Aiming at Them
- Common areas of attack
  - Web servers
  - Mail servers
  - FTP servers
  - Databases
- Intruders
  - Sport hackers
  - Malicious hackers

Slide 8

Who Gets Access to Which Resources?
- List employees or groups of employees along with the files and file servers, and the databases and database servers, they need to access
- List which employees need remote access to the network

Slide 9

Who Administers the Network?
- Determine the individual(s) and the extent of each individual's administrative control

Slide 10

Designing the Firewall to Implement the Policy
- Select the appropriate technology to deploy the firewall

Slide 11

What Do Firewalls Protect Against?
- Denial of service (DoS)
  - Ping of death
  - Teardrop or Raindrop attacks
  - SYN flood
  - LAND attack
  - Brute force or smurf attacks
- IP spoofing

Slide 12

How Do Firewalls Work?
- Network address translation (NAT)
- Basic packet filtering
- Stateful packet inspection (SPI)
- Application gateways
- Access control lists (ACL)

Slide 13

Network Address Translation (NAT)
- Only technique used by basic firewalls
- Enables a LAN to use one set of IP addresses for internal traffic and a second set for external traffic
- Each active connection requires a unique external address for the duration of the communication
- Port address translation (PAT)
  - Derivative of NAT
  - Supports many simultaneous connections on a single public IP address
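
The difference between the two bullets above (one external address per active connection versus many connections on one address) is easiest to see in a translation table. The following is an added example written for this transcript, not code from the course or the slides; every address is a constructed documentation-range value, and the `NatPool` and `PatTable` classes are illustrative names, not a real product's API.

```python
# Added example: basic NAT (one public address per connection) beside PAT
# (one public address shared via unique ports). Addresses are constructed.
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class NatPool:
    """Basic NAT: each active connection consumes one whole public address."""

    def __init__(self, public_ips):
        self._free = list(public_ips)
        self._outbound: Dict[Tuple[str, int], str] = {}

    def translate_outbound(self, pkt: Packet) -> Optional[Packet]:
        key = (pkt.src_ip, pkt.src_port)
        public_ip = self._outbound.get(key)
        if public_ip is None:
            if not self._free:
                return None  # pool exhausted: no address left for a new connection
            public_ip = self._free.pop(0)
            self._outbound[key] = public_ip
        return Packet(public_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)


class PatTable:
    """PAT: one public address; connections are told apart by a unique public port."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._next_port = first_port
        self._outbound: Dict[Tuple[str, int], int] = {}   # (inside ip, port) -> public port
        self._inbound: Dict[int, Tuple[str, int]] = {}    # public port -> (inside ip, port)

    def translate_outbound(self, pkt: Packet) -> Packet:
        key = (pkt.src_ip, pkt.src_port)
        port = self._outbound.get(key)
        if port is None:
            port = self._next_port
            self._next_port += 1
            self._outbound[key] = port
            self._inbound[port] = key
        return Packet(self.public_ip, port, pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Reverse-translate a reply; inbound packets with no mapping are dropped."""
        if pkt.dst_ip != self.public_ip:
            return None
        inside = self._inbound.get(pkt.dst_port)
        if inside is None:
            return None  # unsolicited: nothing inside asked for this
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


def nat_demo():
    """Two internal hosts use the same source port toward the same server."""
    a = Packet("10.0.0.5", 1025, "198.51.100.7", 80)
    b = Packet("10.0.0.6", 1025, "198.51.100.7", 80)

    nat = NatPool(["203.0.113.10"])          # a pool holding a single address
    nat_a = nat.translate_outbound(a)
    nat_b = nat.translate_outbound(b)        # None: the second connection cannot be placed

    pat = PatTable("203.0.113.10")
    pat_a = pat.translate_outbound(a)
    pat_b = pat.translate_outbound(b)        # same public address, different port
    reply_to_a = pat.translate_inbound(Packet("198.51.100.7", 80, "203.0.113.10", pat_a.src_port))
    unsolicited = pat.translate_inbound(Packet("198.51.100.9", 4444, "203.0.113.10", 40999))
    return nat_a, nat_b, pat_a, pat_b, reply_to_a, unsolicited


if __name__ == "__main__":
    for item in nat_demo():
        print(item)
```

The inbound path is the security-relevant half: a packet from the Internet is only forwarded inward when it matches a mapping that an inside host created, which is why a PAT device behaves like a coarse stateful filter even before any rules are written.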

Slide 14

Basic Packet Filtering
- Firewall system examines each packet that enters it and allows through only those packets that match a predefined set of rules
- Can be configured to screen information based on many data fields:
  - Protocol type
  - IP address
  - TCP/UDP port
  - Source routing information

Slide 15

Stateful Packet Inspection (SPI)
- Controls access to the network by analyzing incoming/outgoing packets and letting them pass or not based on the IP addresses of source and destination
- Examines a packet based on the information in its header
- Enhances security by allowing the filter to distinguish on which side of the firewall a connection was initiated; critical to blocking IP spoofing attempts

Slide 16

Access Control Lists (ACL)
- Rules built from organizational policy that define who can access parts of the network
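
The three slides above (basic packet filtering, stateful inspection, and the ACL) describe one mechanism from three angles, and the later DMZ slide describes the policy such a filter usually enforces. The following added example, written for this transcript rather than taken from the course, puts them together: an ACL evaluated first-match-wins with an implicit deny, a connection table so that replies are admitted only for connections started from the permitted side, and the two header checks that stop a packet addressed to itself and a packet that claims an internal source while arriving from outside. The network ranges, rule set and packet scenarios are constructed.

```python
# Added example: ACL plus connection state table. Addresses and policy are constructed.
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")      # private LAN (constructed)
DMZ_NET = ipaddress.ip_network("192.0.2.0/24")       # public-facing servers (constructed)


@dataclass(frozen=True)
class Packet:
    iface: str          # interface the packet arrived on: "outside" or "inside"
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP flags; only SYN without ACK opens a connection
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "any"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src_ip) in self.src
                and ipaddress.ip_address(p.dst_ip) in self.dst
                and self.dport in (None, p.dst_port))


# The policy as an ACL: first match wins, anything unmatched is denied.
# Outsiders may reach only the web and mail hosts in the DMZ; the inside may go anywhere.
ACL = [
    Rule("permit", "tcp", ANY, ipaddress.ip_network("192.0.2.80/32"), 80),
    Rule("permit", "tcp", ANY, ipaddress.ip_network("192.0.2.25/32"), 25),
    Rule("permit", "any", INSIDE_NET, ANY),
]


class StatefulFilter:
    def __init__(self, acl):
        self.acl = acl
        self.connections: Set[Tuple] = set()   # 5-tuples of connections already permitted

    @staticmethod
    def _key(p):
        return (p.proto, p.src_ip, p.src_port, p.dst_ip, p.dst_port)

    @staticmethod
    def _reverse_key(p):
        return (p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port)

    def check(self, p: Packet) -> Tuple[str, str]:
        src = ipaddress.ip_address(p.src_ip)
        # Header checks: a packet addressed to itself, or an internal address
        # arriving on the outside interface, cannot be legitimate.
        if p.src_ip == p.dst_ip:
            return "deny", "source equals destination (LAND-style packet)"
        if p.iface == "outside" and (src in INSIDE_NET or src in DMZ_NET):
            return "deny", "internal address as source on outside interface (spoofed)"
        # State table: replies belong to a connection started from the permitted side.
        if self._key(p) in self.connections or self._reverse_key(p) in self.connections:
            return "permit", "established connection"
        # Any other TCP packet must be a real connection start, not a bare ACK.
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "deny", "no matching connection state"
        for rule in self.acl:
            if rule.matches(p):
                if rule.action == "permit":
                    self.connections.add(self._key(p))
                return rule.action, "acl rule"
        return "deny", "implicit deny"


def run_scenarios():
    """Feed a sequence of constructed packets through one filter instance."""
    fw = StatefulFilter(ACL)
    cases = {
        "inside_to_web": Packet("inside", "tcp", "10.0.0.5", 50000, "198.51.100.7", 443, syn=True),
        "reply_to_inside": Packet("outside", "tcp", "198.51.100.7", 443, "10.0.0.5", 50000, syn=True, ack=True),
        "outside_to_dmz_web": Packet("outside", "tcp", "198.51.100.9", 4444, "192.0.2.80", 80, syn=True),
        "outside_to_inside_ssh": Packet("outside", "tcp", "198.51.100.9", 4444, "10.0.0.5", 22, syn=True),
        "ack_only_no_state": Packet("outside", "tcp", "198.51.100.9", 4444, "10.0.0.5", 50000, ack=True),
        "spoofed_inside_source": Packet("outside", "tcp", "10.0.0.9", 4444, "192.0.2.80", 80, syn=True),
        "land_packet": Packet("outside", "tcp", "192.0.2.80", 80, "192.0.2.80", 80, syn=True),
    }
    return {name: fw.check(pkt) for name, pkt in cases.items()}
```

The `ack_only_no_state` case is the one that separates stateful inspection from a plain packet filter: a stateless ACL that admits "established" traffic by looking at the ACK bit would let that packet through, whereas the connection table knows no inside host ever opened that conversation.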

Slide 17

Routers
- Network management device that sits between network segments and routes traffic from one network to the next
- Allows networks to communicate with each other
- Allows the Internet to function
- Acts as a digital traffic cop (with the addition of packet filtering)

Slide 18

How a Router Moves Information
- Examines the electronic envelope surrounding a packet; compares the address to the list of addresses contained in the router's lookup tables
- Determines which router to send the packet to next, based on changing network conditions
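
The lookup the slide describes is a longest-prefix match: every table entry whose prefix contains the destination is a candidate, and the most specific one wins. The following added example (written for this transcript, not from the course) implements that and adds a link-state flag so the "next router" answer changes when an interface goes down; the prefixes and next hops are constructed.

```python
# Added example: longest-prefix-match forwarding with link state. Table is constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    prefix: ipaddress.IPv4Network
    next_hop: str
    iface: str
    up: bool = True   # link state of the outgoing interface


class RoutingTable:
    def __init__(self):
        self.routes: List[Route] = []

    def add(self, prefix: str, next_hop: str, iface: str) -> None:
        self.routes.append(Route(ipaddress.ip_network(prefix), next_hop, iface))

    def set_link(self, iface: str, up: bool) -> None:
        """Mark every route that leaves through `iface` usable or unusable."""
        for r in self.routes:
            if r.iface == iface:
                r.up = up

    def lookup(self, dst: str) -> Optional[Tuple[str, str]]:
        """Return (next hop, interface) for the most specific usable prefix."""
        addr = ipaddress.ip_address(dst)
        usable = [r for r in self.routes if r.up and addr in r.prefix]
        if not usable:
            return None
        best = max(usable, key=lambda r: r.prefix.prefixlen)
        return best.next_hop, best.iface


def build_table() -> RoutingTable:
    t = RoutingTable()
    t.add("0.0.0.0/0", "203.0.113.1", "wan0")       # default route toward the ISP
    t.add("10.0.0.0/8", "10.255.0.1", "core0")        # corporate backbone
    t.add("10.20.0.0/16", "10.20.0.1", "branch0")     # direct link to one branch office
    return t


def route_demo():
    t = build_table()
    before = t.lookup("10.20.5.9")       # the /16 is more specific than the /8
    t.set_link("branch0", False)         # branch link goes down
    after = t.lookup("10.20.5.9")        # now falls back to the /8 via the backbone
    internet = t.lookup("198.51.100.7")  # only the default route matches
    return before, after, internet
```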

Slide 19

How a Router Moves Information

Slide 20

Beyond the Firewall
- Demilitarized zone (DMZ)
- Bastion hosts (possibly)

Slide 21

Demilitarized Zone
- Area set aside for servers that are publicly accessible or have lower security requirements
- Sits between the Internet and the internal network's line of defense
- Stateful device fully protects the other internal systems
- Packet filter allows external traffic only to the services provided by DMZ servers
- Allows an organization to host its own Internet services without allowing unauthorized access to its private network

Slide 23

Bastion Hosts
- Computers that reside in a DMZ and host Web, mail, DNS, and/or FTP services
- Gateway between an inside network and an outside network
- Defends against attacks aimed at the inside network; used as a security measure
- Unnecessary programs, services, and protocols are removed; unnecessary network ports are disabled
- Do not share authentication services with trusted hosts inside the network

Slide 24

Application Gateways
- Also known as proxy servers
- Monitor specific applications (FTP, HTTP, Telnet)
- Allow packets accessing those services to go only to those computers that are permitted
- Good backup to packet filtering

Slide 25

Application Gateways
- Security advantages
  - Information hiding
  - Robust authentication and logging
  - Simpler filtering rules
- Disadvantage
  - Two steps are required to connect inbound or outbound traffic; can increase processor overhead
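
What "information hiding" and "robust authentication and logging" mean in practice is clearer with a gateway that actually reads the application request. The following added example (written for this transcript, not from the course) is a minimal HTTP application gateway: it parses the request, checks the user, the destination host and the method, and rebuilds the request so the server sees only the proxy's identity while the audit log keeps the real client. The allow lists, user names and requests are constructed; `ApplicationGateway` is an illustrative name, not a product API.

```python
# Added example: application-layer gateway for HTTP. Policy and requests are constructed.
from typing import Dict, List, Optional, Tuple

ALLOWED_HOSTS = {"www.example.com", "intranet.example.com"}   # constructed policy
ALLOWED_METHODS = {"GET", "HEAD"}
PROXY_ID = "proxy.example.com"   # the only identity the destination server ever sees


def parse_request(raw: bytes) -> Tuple[str, str, str, Dict[str, str], bytes]:
    """Parse a minimal HTTP/1.x request; raise ValueError on anything malformed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("ascii").split("\r\n")
    method, target, version = lines[0].split(" ")
    if not version.startswith("HTTP/1."):
        raise ValueError("unsupported version")
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError("bad header line")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


class ApplicationGateway:
    def __init__(self, authorized_users):
        self.authorized = set(authorized_users)
        self.log: List[str] = []   # audit trail keeps the real client identity

    def handle(self, client_ip: str, user: str, raw: bytes) -> Tuple[str, Optional[bytes]]:
        try:
            method, target, version, headers, body = parse_request(raw)
        except (ValueError, UnicodeDecodeError):
            return self._reject(client_ip, user, "malformed request")
        host = headers.get("host", "")
        if user not in self.authorized:
            return self._reject(client_ip, user, "user not authorized")
        if host not in ALLOWED_HOSTS:
            return self._reject(client_ip, user, f"host {host!r} not in allow list")
        if method not in ALLOWED_METHODS:
            return self._reject(client_ip, user, f"method {method} not allowed")
        if body or headers.get("content-length", "0") != "0":
            return self._reject(client_ip, user, "request body not allowed")
        # Rebuild the request from parsed fields: client-supplied headers are not
        # passed through, and the server sees the proxy rather than the client address.
        forwarded = (f"{method} {target} {version}\r\n"
                     f"Host: {host}\r\nVia: 1.1 {PROXY_ID}\r\n\r\n").encode("ascii")
        self.log.append(f"FORWARD client={client_ip} user={user} {method} {host}{target}")
        return "forward", forwarded

    def _reject(self, client_ip: str, user: str, reason: str) -> Tuple[str, None]:
        self.log.append(f"REJECT client={client_ip} user={user} reason={reason}")
        return "reject", None


def run_gateway_demo() -> Dict:
    """Constructed requests: a clean GET, a POST with a body, a foreign host, an unknown user."""
    gw = ApplicationGateway(authorized_users={"alice"})
    ok = b"GET /status HTTP/1.1\r\nHost: www.example.com\r\nX-Forwarded-For: 10.0.0.5\r\n\r\n"
    post = b"POST /upload HTTP/1.1\r\nHost: www.example.com\r\nContent-Length: 4\r\n\r\ndata"
    other = b"GET / HTTP/1.1\r\nHost: other.example.net\r\n\r\n"
    return {
        "clean_get": gw.handle("10.0.0.5", "alice", ok),
        "post_with_body": gw.handle("10.0.0.5", "alice", post),
        "foreign_host": gw.handle("10.0.0.5", "alice", other),
        "unknown_user": gw.handle("10.0.0.6", "mallory", ok),
        "log": gw.log,
    }
```

Note that the gateway's decisions depend on the method, the Host header and the body, which are application content; a packet-filtering router sees none of them, which is the limitation the OSI slides below spell out.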

Slide 26

OSI Reference Model
- Architecture that classifies most network functions
- Seven layers
  - Application
  - Presentation
  - Session
  - Transport
  - Network
  - Data-Link
  - Physical

Slide 28

The OSI Stack
- Layers 4 and 5: where the TCP and UDP ports that control communication sessions operate
- Layer 3: routes IP packets
- Layer 2: delivers data frames across LANs

Slide 29

Limitations of Packet-Filtering Routers
- ACL can become long, complicated, and hard to manage and comprehend
- Throughput decreases as the number of rules being processed increases
- Unable to determine the specific content or data of packets at layers 3 through 5

Slide 30

Switches
- Provide the same function as bridges (separate collision domains), but use application-specific integrated circuits (ASICs) that are optimized for the task
- Reduce the collision domain to two nodes (switch and host)
- Main advantage over hubs: separation of collision domains limits the possibility of sniffing

Slide 31


Slide 32

Switch Security
- ACLs
- Virtual Local Area Networks (VLANs)

Slide 33

Virtual Local Area Network
- Uses public wires to connect nodes
- Broadcast domain within a switched network
- Uses encryption and other security mechanisms to ensure that:
  - Only authorized users can access the network
  - Data cannot be intercepted
- Clusters users into smaller groups
- Increases security from hackers
- Reduces the likelihood of a broadcast storm

Slide 34

Security Problems with Switches
- Common methods of switch hijacking
  - Try default passwords that may not have been changed
  - Sniff the network to obtain the administrator password via SNMP or Telnet

Slide 35

Securing a Switch
- Isolate all management interfaces
- Manage the switch by physical connection to a serial port or through secure shell (SSH) or another encrypted method
- Use separate switches or hubs for DMZs to physically isolate them from the network and prevent VLAN hopping
(continued…)

Slide 36

Securing a Switch (continued)
- Put the switch behind a dedicated firewall device
- Maintain the switch; install the latest version of software and security patches
- Read the product documentation
- Set strong passwords
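
The weaknesses in the "Security Problems with Switches" slide (unchanged defaults, credentials readable via SNMP or Telnet) and the remedies in the two "Securing a Switch" slides (encrypted management, strong secrets) can be checked mechanically against a saved configuration. The following added example (written for this transcript, not from the course) audits a switch configuration for exactly those points. Both configurations are constructed in Cisco IOS style: the keywords (`enable secret`, `snmp-server community`, `line vty`, `transport input`, `ip ssh version 2`, `service password-encryption`) are real IOS syntax, while the host name and secret values are placeholders.

```python
# Added example: audit a switch configuration for weak management settings.
# Configurations are constructed; secrets are placeholders.
import re
from typing import List

WEAK_CONFIG = """\
hostname access-sw1
enable password cisco123
snmp-server community public RO
snmp-server community private RW
line vty 0 4
 transport input telnet
 password cisco
 login
"""

HARDENED_CONFIG = """\
hostname access-sw1
service password-encryption
enable secret REPLACE-WITH-STRONG-SECRET
ip ssh version 2
snmp-server community REPLACE-WITH-RANDOM-STRING RO
line vty 0 4
 transport input ssh
 login local
"""

DEFAULT_COMMUNITIES = {"public", "private"}   # vendor defaults that must be changed


def audit_switch_config(config: str) -> List[str]:
    """Return one finding per weakness; an empty list means every check passed."""
    findings: List[str] = []
    lines = [line.strip() for line in config.splitlines()]
    ssh_transport = False
    for line in lines:
        snmp = re.match(r"snmp-server community (\S+)(?: (RO|RW))?$", line)
        if snmp:
            name, access = snmp.group(1), snmp.group(2)
            if name.lower() in DEFAULT_COMMUNITIES:
                findings.append(f"default SNMP community string {name!r} still in use")
            if access == "RW":
                findings.append(f"SNMP write access granted to community {name!r}")
        if line.startswith("enable password"):
            findings.append("'enable password' used instead of 'enable secret'")
        if re.match(r"transport input .*\b(telnet|all)\b", line):
            findings.append("cleartext Telnet accepted on vty lines")
        if re.match(r"transport input .*\bssh\b", line):
            ssh_transport = True
    # Checks on what is absent from the configuration.
    if not ssh_transport:
        findings.append("no SSH transport configured on vty lines")
    if "ip ssh version 2" not in lines:
        findings.append("SSH version 2 not enforced")
    if "service password-encryption" not in lines:
        findings.append("line passwords stored in cleartext in the configuration")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(name, audit_switch_config(cfg) or "no findings")
```

Running the audit against exported configurations on a schedule is the practical form of the "maintain the switch" bullet: drift back to a default community string or a re-enabled Telnet transport shows up as a finding instead of waiting to be discovered on the wire.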

Slide 37

Example of a Compromised VLAN

Slide 38

Wireless
- Almost anyone can eavesdrop on a network communication
- Encryption is the only secure method of communicating with wireless technology

Slide 39


Slide 40

DSL versus Cable Modem Security
- DSL: direct connection between the computer/network and the Internet
- Cable modem: connected to a shared segment; a party line
  - Most have basic firewall capabilities to prevent files from being viewed or downloaded
  - Most implement the Data Over Cable Service Interface Specification (DOCSIS) for authentication and packet filtering

Slide 41

Dynamic versus Static IP Addressing
- Static IP addresses: provide a fixed target for potential hackers
- Dynamic IP addresses: provide enhanced security
  - By changing the IP addresses of client machines, the DHCP server makes them moving targets for potential hackers
  - Assigned by the Dynamic Host Configuration Protocol (DHCP)

Slide 42

Remote Access Service (RAS)
- Provides a mechanism for one computer to securely dial into another computer
- Treats the modem as an extension of the network
- Includes encryption and logging
- Accepts incoming calls
- Should be placed in the DMZ

Slide 43

Security Problems with RAS
- Behind the physical firewall; potential for the network to be compromised
- Most RAS systems offer encryption and callback as features to enhance security

Slide 44

Telecom/Private Branch Exchange (PBX)
- PBX: private telephone system that offers features such as voice mail, call forwarding, and conference calling
- Failure to secure a PBX can result in toll fraud, theft of information, denial of service, and increased vulnerability to legal liability

Slide 45

IP-Based PBX

Slide 46

PBX Security Concerns
- Remote PBX administration
- Hoteling or job sharing
- Many transfer codes are standardized and posted on the Internet

Slide 47

Virtual Private Networks
- Provide a secure communication pathway or tunnel through public networks (e.g., the Internet)
- Lowest levels of TCP/IP are implemented using an existing TCP/IP connection
- Encrypts either the underlying data in a packet or the entire packet itself before wrapping it in another IP packet for delivery
- Further enhances security by implementing Internet Protocol Security (IPSec)

Slide 49

Internet Protocol Security (IPSec)
- Allows encryption of either just the data in a packet (transport mode) or the packet as a whole (tunnel mode)
- Enables a VPN to eliminate packet sniffing and identity
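
The VPN slide says the packet is either encrypted in place or encrypted whole and wrapped in a new IP packet, and the IPSec slide names those transport mode and tunnel mode. The following added example (written for this transcript, not from the course, and not an implementation of the IPSec protocol) models both modes on a toy packet so the practical difference is visible: what a sniffer on the public network can still read from the cleartext header, and what the receiving side recovers. The cipher is a placeholder keystream built from HMAC-SHA256 in counter mode, standing in for the AES-based transforms real ESP uses; it is for illustration only. Addresses, keys and the sample payload are constructed.

```python
# Added example: transport mode vs tunnel mode encapsulation with a toy cipher.
# Not an IPsec implementation; the keystream is a stand-in for AES. Data is constructed.
import hashlib
import hmac
import os
import struct
from typing import Dict, Optional, Tuple

Keys = Tuple[bytes, bytes]   # (encryption key, authentication key)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256 in counter mode. Illustration only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + struct.pack(">I", counter), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def esp_protect(keys: Keys, plaintext: bytes) -> bytes:
    """Encrypt, then authenticate: returns nonce || ciphertext || tag."""
    enc_key, auth_key = keys
    nonce = os.urandom(8)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(auth_key, nonce + ct, hashlib.sha256).digest()[:16]
    return nonce + ct + tag


def esp_unprotect(keys: Keys, blob: bytes) -> Optional[bytes]:
    """Verify the tag before decrypting; a modified packet yields None."""
    enc_key, auth_key = keys
    nonce, ct, tag = blob[:8], blob[8:-16], blob[-16:]
    expected = hmac.new(auth_key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def serialize(pkt: Dict) -> bytes:
    """Toy wire format: 'src>dst|' header followed by the payload."""
    return f"{pkt['src']}>{pkt['dst']}|".encode() + pkt["payload"]


def deserialize(raw: bytes) -> Dict:
    header, _, payload = raw.partition(b"|")
    src, dst = header.decode().split(">")
    return {"src": src, "dst": dst, "payload": payload}


def transport_mode(pkt: Dict, keys: Keys) -> Dict:
    """Transport mode: original header stays in clear, only the data is protected."""
    return {"src": pkt["src"], "dst": pkt["dst"], "payload": esp_protect(keys, pkt["payload"])}


def tunnel_mode(pkt: Dict, keys: Keys, gw_src: str, gw_dst: str) -> Dict:
    """Tunnel mode: the whole packet is protected and wrapped in a gateway-to-gateway header."""
    return {"src": gw_src, "dst": gw_dst, "payload": esp_protect(keys, serialize(pkt))}


def observer_view(pkt: Dict) -> Tuple[str, str]:
    """What a sniffer on the public network reads from the cleartext header."""
    return pkt["src"], pkt["dst"]


def receive_transport(pkt: Dict, keys: Keys) -> Optional[Dict]:
    data = esp_unprotect(keys, pkt["payload"])
    return None if data is None else {"src": pkt["src"], "dst": pkt["dst"], "payload": data}


def receive_tunnel(pkt: Dict, keys: Keys) -> Optional[Dict]:
    inner = esp_unprotect(keys, pkt["payload"])
    return None if inner is None else deserialize(inner)


def ipsec_demo() -> Dict:
    keys = (os.urandom(32), os.urandom(32))
    original = {"src": "10.0.0.5", "dst": "10.1.0.7", "payload": b"GET /payroll HTTP/1.1"}
    t = transport_mode(original, keys)
    u = tunnel_mode(original, keys, "203.0.113.10", "198.51.100.20")
    tampered = bytearray(u["payload"])
    tampered[9] ^= 0x01                      # one ciphertext bit flipped in transit
    return {
        "original": original,
        "transport_seen": observer_view(t),
        "tunnel_seen": observer_view(u),
        "transport_wire": t["payload"],
        "tunnel_wire": u["payload"],
        "transport_received": receive_transport(t, keys),
        "tunnel_received": receive_tunnel(u, keys),
        "tampered_received": receive_tunnel({**u, "payload": bytes(tampered)}, keys),
    }
```

In transport mode the sniffer still learns which two hosts are talking; in tunnel mode it sees only the two gateways, and the inner addresses travel inside the protected part. The integrity tag is checked before anything is decrypted, so a packet altered on the public network is discarded rather than delivered.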