Understanding Enterprise Network Security and Firewalls


Exploring key aspects of enterprise network security, this presentation delves into topics such as perimeter control, host-based security, intrusion detection, and various types of firewalls. It highlights filtering rulesets, requirements for outbound traffic, and the importance of dynamic packet filtering in enhancing security measures.


Uploaded on Sep 17, 2024 | 0 Views



Presentation Transcript


  1. CIS 6930 Report Presentation Schedule
     Nov 7: Michael Goltz
     Nov 7: Song Fang
     Nov 9: Song Yang
     Nov 9: Dakun Shen
     Nov 14: Shamaria Engram
     Nov 14: Joseph Fields
     Nov 28: Exam 1

  2. Enterprise Network Security
     - Perimeter control: firewalls
     - Securing hosts: host-based vulnerability scanner
     - Intrusion detection: network-based and host-based

  3. Firewalls
     Types of firewalls (where they run):
       - Host-based firewall
       - Network-based firewall
     Types of firewalls (how they filter):
       - Packet filters
       - Gateways

  4. Example
     [Diagram: example network. The firewall's filtering interfaces face the Internet, a DMZ (portal, dnsServer) and the CORP zone (workStation, fileServer).]

  5. Typical format of a filter rule
     <protocol, srcIP, srcPort, dstIP, dstPort, action>
     e.g.
       <ip, blackListIP, -, *, -, drop>
       <udp, dnsServerIP, *, *, 53, allow>
       <tcp, *, *, portalIP, 80, allow>
       <tcp, *, *, portalIP, 443, allow>
       <nfs, portalIP, -, fileServerIP, -, allow>

  6. Filtering Rulesets
     - Order matters: the first match determines the fate of the packet
     - Default action: either drop or allow, applied when no rule matches
     - Ingress and egress filtering: different rulesets for packets coming into the interface and for packets going out of the interface

  7. Requirement 1
     Outbound HTTP traffic from the CORP zone should be allowed:
       <tcp, CORPIP, *, *, 80, allow>
       <tcp, CORPIP, *, *, 443, allow>
     [Diagram: the example network, with the firewall's three filtering interfaces numbered 1-3]

  8. Requirement 2
     Outbound SMTP traffic from portal should be allowed:
       <tcp, portalIP, *, *, 25, allow>
     [Diagram: the example network, with the firewall's three filtering interfaces numbered 1-3]

  9. Dynamic Packet Filtering
     A typical problem with packet filtering: how do we let in the return packets?
     Solution: dynamic packet filtering, or stateful inspection
       Option 1: dynamically insert a new filtering rule to let in the return traffic
       Option 2: the firewall acts as a transparent proxy between the communicating parties
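The following is an added worked example, not code from the lecture. It implements the slide-5 rule tuple, the slide-6 semantics (first match wins, a default action, separate ingress and egress rulesets) and Option 1 from slide 9: when a packet is allowed, a reverse rule for that exact 5-tuple is inserted in front of the static rules so the reply gets back in without a permanent hole for the client's ephemeral port. The addresses standing in for CORPIP, portalIP, dnsServerIP and blackListIP are constructed; the `Firewall`, `Rule` and `Packet` names are this example's own.

```python
"""First-match packet filter in the slide-5 rule notation with ingress/egress
rulesets, a default action and Option-1 dynamic return rules (added example)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

ANY, NA = "*", "-"   # wildcard / not-applicable field, as written in the slides


@dataclass(frozen=True)
class Packet:
    proto: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


@dataclass
class Rule:
    """<protocol, srcIP, srcPort, dstIP, dstPort, action>. IP fields take a host
    or a CIDR block, port fields an int, '*' or '-'; proto 'ip' covers any transport."""
    proto: str
    src_ip: str
    src_port: object
    dst_ip: str
    dst_port: object
    action: str

    def matches(self, p):
        def ip_ok(pat, a): return pat == ANY or ip_address(a) in ip_network(pat, strict=False)
        def port_ok(pat, n): return pat in (ANY, NA) or pat == n
        return (self.proto in ("ip", p.proto) and ip_ok(self.src_ip, p.src_ip)
                and port_ok(self.src_port, p.src_port) and ip_ok(self.dst_ip, p.dst_ip)
                and port_ok(self.dst_port, p.dst_port))


class Firewall:
    def __init__(self, ingress, egress, default="drop"):
        self.rulesets = {"in": list(ingress), "out": list(egress)}
        self.default = default   # slide 6: used when no rule matches
        self.dynamic = []        # reverse rules inserted for expected replies

    @staticmethod
    def first_match(rules, p):
        for r in rules:          # slide 6: order matters, the first match wins
            if r.matches(p):
                return r.action
        return None

    def filter(self, direction, p):
        verdict = self.first_match(self.dynamic, p)
        if verdict is None:
            verdict = self.first_match(self.rulesets[direction], p)
        if verdict is None:
            verdict = self.default
        if verdict == "allow" and p.proto in ("tcp", "udp"):
            # Option 1 (slide 9): admit the reply to this exact 5-tuple instead of
            # opening a permanent static rule for the client's ephemeral port
            rev = Rule(p.proto, p.dst_ip, p.dst_port, p.src_ip, p.src_port, "allow")
            if rev not in self.dynamic:
                self.dynamic.insert(0, rev)
        return verdict


# Constructed addresses standing in for CORPIP, portalIP, dnsServerIP, blackListIP
CORP, PORTAL, DNS_SERVER, BLACKLIST = "10.1.0.0/16", "192.0.2.10", "192.0.2.53", "198.51.100.0/24"


def build_demo_firewall():
    ingress = [                                          # arriving from the Internet
        Rule("ip", BLACKLIST, NA, ANY, NA, "drop"),      # listed first on purpose
        Rule("tcp", ANY, ANY, PORTAL, 80, "allow"),
        Rule("tcp", ANY, ANY, PORTAL, 443, "allow"),
        Rule("udp", ANY, ANY, PORTAL, 53, "allow"),
    ]
    egress = [                                           # leaving towards the Internet
        Rule("tcp", CORP, ANY, ANY, 80, "allow"),        # Requirement 1
        Rule("tcp", CORP, ANY, ANY, 443, "allow"),
        Rule("tcp", PORTAL, ANY, ANY, 25, "allow"),      # Requirement 2
        Rule("udp", DNS_SERVER, ANY, ANY, 53, "allow"),
    ]
    return Firewall(ingress, egress, default="drop")


def run_demo():
    fw, web = build_demo_firewall(), "203.0.113.80"
    return {  # entries are evaluated in order, so the dynamic rule exists for the reply
        "corp_http_out": fw.filter("out", Packet("tcp", "10.1.0.7", 51000, web, 80)),
        "http_reply_in": fw.filter("in", Packet("tcp", web, 80, "10.1.0.7", 51000)),
        "unsolicited_in": fw.filter("in", Packet("tcp", "203.0.113.81", 80, "10.1.0.7", 51000)),
        "blacklisted_web": fw.filter("in", Packet("tcp", "198.51.100.9", 40000, PORTAL, 80)),
        "corp_telnet_out": fw.filter("out", Packet("tcp", "10.1.0.7", 51001, web, 23)),
    }


def order_matters():
    """Slide 6: swap the blacklist and web-allow rules and the verdict flips."""
    pkt = Packet("tcp", "198.51.100.9", 40000, PORTAL, 80)
    block = Rule("ip", BLACKLIST, NA, ANY, NA, "drop")
    web_ok = Rule("tcp", ANY, ANY, PORTAL, 80, "allow")
    return (Firewall([block, web_ok], []).filter("in", pkt),
            Firewall([web_ok, block], []).filter("in", pkt))
```

`run_demo()` shows the reply to the workstation's outbound HTTP request being admitted by the dynamic rule while an unsolicited packet to the same port from another host falls through to the default drop, and `order_matters()` returns `("drop", "allow")` for the same blacklisted packet depending only on rule order. Dynamic rules here never expire; a real stateful firewall ages them out with the connection.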

  10. Option 2
     [Diagram: the firewall as a transparent proxy between hosts 1.2.3.4 and 5.6.7.8; the same address pair appears on both sides of the firewall]

  11. Asymmetric Route
     [Diagram: hosts H1 and H2 with two firewalls F1 and F2 on different paths, one direction marked X. When the outbound and return paths traverse different firewalls, the firewall on the return path holds no state for the connection.]

  12. Network Address Translation (NAT)
     [Diagram: internal host 10.11.12.13 talking to 5.6.7.8 appears on the Internet side of the firewall as 1.2.3.4; the firewall rewrites the address in each direction]

  13. Requirement 3
     Outbound FTP traffic from the CORP zone should be allowed; inbound FTP traffic to portal should be allowed:
       <tcp, CORPIP, *, *, 21, allow>
       <tcp, *, *, portalIP, 21, allow>
     [Diagram: the example network, with the firewall's three filtering interfaces numbered 1-3]

  14. The FTP Problem
     - Two channels: a control channel and a data channel
     - Port 21 is for the control channel; there are two modes for establishing a data channel:
       Active mode: the client issues a PORT command to tell the server which port number to connect back to
       Passive mode: the client issues a PASV command and the server responds with a port number for the client to connect to
     - Dynamic filtering has to be used to allow the data channel traffic
     - Potential security problems
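An added example, not from the lecture, of what the "dynamic filtering" in slide 14 has to do for FTP: the firewall reads the control channel, decodes the `PORT` command (active mode) or the `227` reply to `PASV` (passive mode) in the RFC 959 `h1,h2,h3,h4,p1,p2` encoding, and derives the slide-5 rule it must insert for the coming data connection. It also shows the check a careful helper applies against the security problems the slide alludes to: an announced address that is not the control-channel peer is refused rather than turned into a pinhole towards a third party. The session lines, the addresses and the refusal of privileged ports in passive mode are this example's own constructed choices; the server-side data port 20 is the RFC 959 default.

```python
"""FTP helper logic for a stateful firewall: derive the data-channel pinhole
from the control channel and refuse announcements that do not name the peer
(added teaching example with constructed addresses)."""
import re

ANY = "*"
PORT_RE = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")
PASV_RE = re.compile(r"^227 .*\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")


def decode_hostport(groups):
    """RFC 959 h1,h2,h3,h4,p1,p2 encoding -> ('h1.h2.h3.h4', p1*256+p2)."""
    h1, h2, h3, h4, p1, p2 = (int(g) for g in groups)
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("byte out of range in host-port string")
    return f"{h1}.{h2}.{h3}.{h4}", p1 * 256 + p2


def pinhole_for(line, client_ip, server_ip):
    """Return the <proto, srcIP, srcPort, dstIP, dstPort, action> rule to insert
    for this control-channel line, None if the line announces no data channel,
    or raise ValueError if the announcement must be refused."""
    m = PORT_RE.match(line)
    if m:   # active mode: the server will connect back to the client's port
        ip, port = decode_hostport(m.groups())
        if ip != client_ip:
            raise ValueError(f"PORT names {ip}, not the client {client_ip}")
        return ("tcp", server_ip, 20, client_ip, port, "allow")   # 20: RFC 959 default
    m = PASV_RE.match(line)
    if m:   # passive mode: the client will connect to the server's offered port
        ip, port = decode_hostport(m.groups())
        if ip != server_ip:
            raise ValueError(f"227 names {ip}, not the server {server_ip}")
        if port < 1024:   # this example's sanity check: never pinhole a privileged port
            raise ValueError(f"227 offers privileged port {port}")
        return ("tcp", client_ip, ANY, server_ip, port, "allow")
    return None


def derive_pinholes(session, client_ip, server_ip):
    """Walk control-channel lines; return (rules to insert, refused lines)."""
    rules, refused = [], []
    for line in session:
        try:
            rule = pinhole_for(line, client_ip, server_ip)
        except ValueError as err:
            refused.append((line, str(err)))
            continue
        if rule is not None:
            rules.append(rule)
    return rules, refused


# Constructed control-channel excerpt: client 10.1.0.7 in CORP, server
# 203.0.113.21 on the Internet. 195*256+80 = 50000 and 39*256+16 = 10000.
CLIENT, SERVER = "10.1.0.7", "203.0.113.21"
SESSION = [
    "USER anonymous",
    "PORT 10,1,0,7,195,80",                            # active: client listens on 50000
    "227 Entering Passive Mode (203,0,113,21,39,16)",  # passive: server offers 10000
    "PORT 203,0,113,99,0,80",                          # not the control-channel peer: refused
    "227 Entering Passive Mode (203,0,113,21,0,22)",   # privileged port 22: refused
]

if __name__ == "__main__":
    rules, refused = derive_pinholes(SESSION, CLIENT, SERVER)
    for r in rules:
        print("insert", r)
    for line, why in refused:
        print("refuse", line, "->", why)
```

The two rules derived from the sample session are `<tcp, 203.0.113.21, 20, 10.1.0.7, 50000, allow>` and `<tcp, 10.1.0.7, *, 203.0.113.21, 10000, allow>`; neither could be written statically, because the port is only known once the control channel announces it. A real helper also removes the pinhole once the data connection closes.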

  15. Use an Application Proxy
     [Diagram: an application proxy on the firewall between internal host 10.11.12.13, seen externally as 1.2.3.4, and 5.6.7.8]

  16. Requirement 4
     NFS traffic from portal to fileServer should be allowed:
       <nfs, portalIP, -, fileServerIP, -, allow>
     [Diagram: the example network, with the firewall's three filtering interfaces numbered 1-3]

  17. Requirement 5
     Inbound DNS queries to portal should be allowed; outbound DNS queries from dnsServer should be allowed; DNS queries from the CORP zone to dnsServer should be allowed:
       <udp, *, *, portalIP, 53, allow>
       <udp, nameServerIP, *, *, 53, allow>
       <udp, CORPIP, *, nameServerIP, 53, allow>

  18. Other requirements
     - Inbound HTTP requests to portal should be allowed
     - Inbound SSH requests to portal should be allowed
     - Outbound IMAP traffic from the CORP zone should be allowed
     It is non-trivial to get the firewall rule-set right.

  19. Summary
     - Current enterprise network defense tools only provide point solutions
     - Defenders need automated correlation across a number of monitoring/control devices to make the right decisions quickly
