Training Course on Network Administration

Save this PDF as:
 WORD  PNG  TXT  JPG

Size: px
Start display at page:

Download "Training Course on Network Administration"

Transcription

1 Training Course on Network Administration 03-07, March 2014 National Centre for Physics 1

2 Network Security and Monitoring 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 2

3 Crafting a Secure Network 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 3

4 Network Security Network security is an integral part of computer networking Imporant on any size network. 4

5 Network Security Network security is an integral part of computer networking Imporant on any size network. 5

6 External Threats The most common external threats to networks include: Viruses, worms, and Trojan horses - malicious software and arbitrary code running on a user device Spyware and adware - software installed on a user device that secretly collects information about the user Zero-day attacks, also called zero-hour attacks - an attack that occurs on the first day that a vulnerability becomes known Hacker attacks - an attack by a knowledgeable person to user devices or network resources Denial of service attacks - attacks designed to slow or crash applications and processes on a network device Data interception and theft - an attack to capture private information from an organization s network Identity theft - an attack to steal the login credentials of a user in order to access private data. 6

7 Internal Threats The most common data breaches happen because of internal users of the network. Due to: lost or stolen devices accidental misuse by employees malicious employees With the evolving BYOD strategies, corporate data is much more vulnerable. Therefore, when developing a security policy, it is important to address both external and internal security threats.. 7

8 Security Solutions Network security components for a home or small office network should include: Antivirus and antispyware - to protect user devices from malicious software Firewall filtering - to block unauthorized access to the network. In addition to the above, larger networks and corporate networks often have other security requirements: Dedicated firewall systems - to provide more advanced firewall capability that can filter large amounts of traffic with more granularity Access control lists (ACL) - to further filter access and traffic forwarding Intrusion prevention systems (IPS) - to identify fast-spreading threats, such as zero-day or zero-hour attacks Virtual private networks (VPN) - to provide secure access to remote workers. Policies, procedures, standards guidelines 8

9 Security through Network Design Subnetting IP addresses are actually two addresses: one part is a network address and one part is a host address Subnetting or subnet addressing Splits a large block of IP addresses into smaller groups 9

10 Image from Cisco CCNA Class 1 10

11 Subnetting at CCSF Whole College: / through Eng Dept: / through CNIT Dept: / through Image from Cisco CCNA class 1, modified 11

12 Advantages of Subnetting 12

13 Subnets Improve Security Each subnet can be isolated from the rest of the network Traffic between subnets can be monitored and restricted at the routers Subnets also allow network administrators to hide the internal network layout Outsiders only see your public servers, not your private subnets 13

14 Virtual Local Area Network (VLAN) VLANs segment a network with switches, not routers A VLAN allows scattered users to be logically grouped together even though they may be attached to different switches Can reduce network traffic and provide a degree of security similar to subnetting: VLANs can be isolated so that sensitive data is transmitted only to members of the VLAN 14

15 VLAN Security VLAN communication can take place in two ways All devices are connected to the same switch Traffic is handled by the switch itself Devices are connected to different switches A special tagging protocol must be used, such as the IEEE 802.1Q-2005 A VLAN is heavily dependent upon the switch for correctly directing packets Attackers could take control of the switch itself, if it has a default or weak password Specially crafted traffic can also "hop" from one VLAN to another 15

16 Demilitarized Zone (DMZ) A separate network that sits outside the secure network perimeter Outside users can access the DMZ but cannot enter the secure network 16

17 DMZ with Firewall 17

18 Network Address Translation (NAT) Hides the IP addresses of network devices from attackers Private addresses IP addresses not assigned to any specific user or organization Function as regular IP addresses on an internal network Non-routable addresses--traffic addressed to private addresses is discarded by Internet routers 18

19 Network Address Translation (NAT) NAT removes the private IP address from the sender s packet And replaces it with an alias IP address When a packet is returned to NAT, the process is reversed An attacker who captures the packet on the Internet cannot determine the actual IP address of the sender 19

20 Introducing NAT and PAT 20

21 NAT Example Inside local address The IP address assigned to a host on the inside network. This address is likely to be an RFC 1918 private address. Inside global address A legitimate (Internet routable or public) IP address assigned the service provider that represents one or more inside local IP addresses to the outside world. Outside local address The IP address of an outside host as it is known to the hosts on the inside network. 21

22 NAT Example 1 DA DA SA IP Header Data 2 SA Data IP Header The translation from Private source IP address to Public source IP address. 22

23 NAT Example 1 2 Inside local address The IP address assigned to a host on the inside network. Inside global address A legitimate (Internet routable or public) IP address assigned the service provider. Outside global address The IP address assigned to a host on the outside network. The owner of the host assigns this address. 23

24 NAT Example 4 3 DA SA IP Header DA... Data SA Data IP Header Translation back, from Public destination IP address to Private destination IP address. 24

25 NAT Example NAT allows you to have more than your allocated number of IP addresses by using RFC 1918 address space with smaller mask. However, because you have to use your Public IP addresses for the Internet, NAT still limits the number of hosts you can have access the Internet at any one time (depending upon the number of hosts in your public network mask.) 25

26 PAT Port Address Translation PAT (Port Address Translation) allows you to use a single Public IP address and assign it up to 65,536 inside hosts (4,000 is more realistic). PAT modifies the TCP/UDP source port to track inside Host addresses. Tracks and translates SA, DA and SP (which uniquely identifies each connection) for each stream of traffic. 26

27 PAT Example NAT/PAT table maintains translation of: DA, SA, SP DA DA SA IP Header SA IP Header DP 80 SP 1331 DA Data TCP/UDP Header DP TCP/UDP Header SP DA Data SA IP Header SA IP Header DP 80 SP 3333 Data TCP/UDP Header DP 80 SP 2222 Data TCP/UDP Header 27

28 PAT Example NAT/PAT table maintains translation of: SA (DA), DA (SA), DP (SP) DA SA IP Header DA SA IP Header DP SP DA Data TCP/UDP Header DP TCP/UDP Header SP DA Data SA IP Header SA IP Header DP 3333 SP 80 Data TCP/UDP Header DP 2222 SP 80 Data TCP/UDP Header 28

29 PAT Port Address Translation With PAT a multiple private IP addresses can be translated by a single public address (many-to-one translation). This solves the limitation of NAT which is one-to-one translation. 29

30 PAT Port Address Translation DA DA SA IP Header SA IP Header DP 80 SP 1331 DA Data TCP/UDP Header DP TCP/UDP Header SP DA Data SA IP Header SA IP Header DP 80 SP 3333 Data TCP/UDP Header DP 80 SP 2222 Data TCP/UDP Header 30

31 Configuring Static NAT 31

32 Configuring Dynamic NAT The network address space you have received from ARIN or your ISP is /24. In ISP s routing table: /24 via ISP Translate to these outside addresses Start here Source IP address must match here 32

33 is the address your ISP has assigned you. Instead of a host, you put a router there, running PAT so you can have multiple hosts share that same address. Configure PAT Overload In this example a single Public IP addresses is used, using PAT, source ports, to differentiate between connection streams. 33

34 Configure PAT Overload This is a different example, using the IP address of the outside interface instead specifying an IP address 34

35 NAT/PAT Clear Commands 35

36 Verifying NAT/PAT 36

37 Troubleshooting NAT/PAT 37

38 Issues with NAT/PAT NAT also forces some applications that use IP addressing to stop functioning because it hides end-to-end IP addresses. Applications that use physical addresses instead of a qualified domain name will not reach destinations that are translated across the NAT router. Sometimes, this problem can be avoided by implementing static NAT mappings. 38

39 NAT with PAT Web browser: Port Port 1102 Web browser: Port Address Translation Port > Port Port > Port Port > Port

40 Network Access Control (NAC) Examines a computer before it is allowed to connect to the network Each computer must meet security policy first, such as Windows patches up to date Antivirus software Antispyware software Etc. Any device that does not meet the policy is only allowed to connect to a quarantine network where the security deficiencies are corrected 40

41 41

42 Firewall Typically used to filter packets Sometimes called a packet filter Designed to prevent malicious packets from entering the network A firewall can be software-based or hardware-based Hardware firewalls usually are located outside the network security perimeter As the first line of defense 42

43 Firewall (continued) 43

44 Firewall (continued) The basis of a firewall is a rule base Establishes what action the firewall should take when it receives a packet (allow, block, and prompt) Stateless packet filtering Looks at the incoming packet and permits or denies it based strictly on the rule base Stateful packet filtering Keeps a record of the state of a connection between an internal computer and an external server Then makes decisions based on the connection as well as the rule base 44

45 Stateless Firewall Rules 45

46 Stateful Firewall Rules State = Established Note error in textbook in left column, 3rd row 46

47 Inbound and Outbound Traffic Filtering Most personal software firewalls today also filter outbound traffic as well as inbound traffic Filtering outbound traffic protects users by preventing malware from connecting to other computers and spreading But it annoys them with these alerts 47

48 Proxy Server I want to see yahoo.com I will get yahoo.com and save a copy Internet Here is my copy of yahoo.com 48

49 Proxy Server Clients never directly connect to the Internet This saves bandwidth, because one copy of a popular Web page can be used many times Allows a company to block forbidden Web sites It also prevents many attacks the same way NAT does Reverse proxy Does not serve clients but instead routes incoming requests to the correct server 49

50 Reverse Proxy Connect to Web server 1 50

51 Network Intrusion Detection Systems (NIDS) Network intrusion detection system (NIDS) Watches for attempts to penetrate a network NIDS work on the principle of comparing new behavior against normal or acceptable behavior A NIDS looks for suspicious patterns Passive intrusion detection just logs the traffic and sends alerts 51

52 Host Intrusion Prevention Systems (HIPS) Installed on each system that needs to be protected Rely on agents installed directly on the system being protected Work closely with the operating system, monitoring and intercepting requests in order to prevent attacks 52

53 Host Intrusion Prevention Systems (HIPS) Most HIPS monitor the following desktop functions: System calls File system access System Registry settings Host input/output HIPS are designed to integrate with existing antivirus, anti-spyware, and firewalls HIPS provide an additional level of security that is proactive instead of reactive 53

54 Network Intrusion Prevention Systems (NIPS) Work to protect the entire network and all devices that are connected to it By monitoring network traffic NIPS can immediately react to block a malicious attack NIPS are special-purpose hardware platforms that analyze, detect, and react to security-related events Can drop malicious traffic based on their configuration or security policy 54

55 Protocol Analyzers Three ways for detecting a potential intrusion Detecting statistical anomalies (unusual traffic) Examine network traffic and look for well-known patterns of attack Use protocol analyzer technology Protocol analyzers Can fully decode application-layer network protocols Parts of the protocol can be analyzed for any suspicious behavior Such as an overly long User-Agent field in an HTTP GET request 55

56 Internet Content Filters Internet content filters Monitor Internet traffic and block access to preselected Web sites and files A requested Web page is only displayed if it complies with the specified filters Unapproved Web sites can be restricted based on the Uniform Resource Locator (URL) or by matching keywords 56

57 Internet Content Filters (continued) 57

58 Monitoring 2008 Cisco Systems, Inc. All rights reserved. Cisco Confidential 58

59 SNMP is an application layer protocol that provides a message format for communication between what are termed managers and agents Components include SNMP manager SNMP agent Management Information Base 59

60 Get Set Trap - unreliable Trap (SNMPv3 uses ACK) - reliable 60

61 61

62 62

63 63

64 The Management Information Base (MIB) MIB defines each variable as an object ID (OID) Organizes the into a hierarchy of OIDs, usually MIB for any device includes some branches of shown as a tree the tree with variables common to many networking devices and branches with variables specific to that device. Networking equipment vendors like Cisco can define their own private branches of the tree 64

65 MIB tree 65

66 Obtaining MIB value with snmpget -v2c The version on SNMP in use -c community The SNMP password, called a community string The IP address of the monitored device The numeric object identifier (OID) of the MIB variable 66

67 There are two types of community strings in SNMP Version 2c: Read-only (RO): Provides access to the MIB variables, but does not allow these variables to changed, only read. Because security is so weak in Version 2c, many organizations only use SNMP in this read-only mode. Read-write (RW): Provides read and write access to all objects in the MIB. 67

68 R1(config)# ip access-list standard ACL_PROTECTSNMP R1(config-std-nacl)# permit host R1(config-std-nacl)# exit R1(config)# snmp-server community RO ACL_PROTECTSNMP R1(config)# snmp-server location Tampa R1(config)# snmp-server contact Anthony Sequeira R1(config)# end R1# 68

69 R2(config)# ip access-list standard ACL_PROTECTSNMP R2(config-std-nacl)# permit host R2(config-std-nacl)# exit R2(config)# snmp-server community RW ACL_PROTECTSNMP R2(config)# snmp-server location New York R2(config)# snmp-server contact John Sequeira R2(config)# end R2# 69

70 Message integrity: This helps ensure that a packet has not been tampered with in transit Authentication: This helps ensure that the packet came from a known and trusted source Encryption: This helps to ensure that information cannot be read if the data is captured in transit 70

71 71

72 Syslog permits various Cisco devices (and some other non-cisco devices) to send their system messages across the network to syslog servers There are many different Syslog server software packages for Windows and UNIX 72

73 The logging buffer (RAM inside the router or switch) The console line The terminal lines A syslog server 73

74 74

75 A timestamp: *Dec 18 17:10: The facility on the router that generated the message: %LINEPROTO The severity level: 5 A mnemonic for the message: UPDOWN The description of the message: Line protocol on Interface FastEthernet0/0, changed state to down 75

76 76

77 77

78 Verifying R1(config)#logging By default, Cisco routers and switches send log messages for all severity levels to the console. On some IOS versions, the device also buffers those log messages by default R1(config)# logging console R1(config)# logging buffered R1# show logging 78

79 Thank you! 79

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security Security+ Guide to Network Security Fundamentals, Fourth Edition Chapter 6 Network Security Objectives List the different types of network security devices and explain how they can be used Define network

More information

Chapter 9 Firewalls and Intrusion Prevention Systems

Chapter 9 Firewalls and Intrusion Prevention Systems Chapter 9 Firewalls and Intrusion Prevention Systems connectivity is essential However it creates a threat Effective means of protecting LANs Inserted between the premises network and the to establish

More information

INTRODUCTION TO FIREWALL SECURITY

INTRODUCTION TO FIREWALL SECURITY INTRODUCTION TO FIREWALL SECURITY SESSION 1 Agenda Introduction to Firewalls Types of Firewalls Modes and Deployments Key Features in a Firewall Emerging Trends 2 Printed in USA. What Is a Firewall DMZ

More information

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection.

A host-based firewall can be used in addition to a network-based firewall to provide multiple layers of protection. A firewall is a software- or hardware-based network security system that allows or denies network traffic according to a set of rules. Firewalls can be categorized by their location on the network: A network-based

More information

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design Learning Objectives Identify common misconceptions about firewalls Explain why a firewall

More information

Proxy Server, Network Address Translator, Firewall. Proxy Server

Proxy Server, Network Address Translator, Firewall. Proxy Server Proxy Server, Network Address Translator, Firewall 1 Proxy Server 2 1 Introduction What is a proxy server? Acts on behalf of other clients, and presents requests from other clients to a server. Acts as

More information

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion

Network Security. Tampere Seminar 23rd October 2008. Overview Switch Security Firewalls Conclusion Network Security Tampere Seminar 23rd October 2008 1 Copyright 2008 Hirschmann 2008 Hirschmann Automation and and Control GmbH. Contents Overview Switch Security Firewalls Conclusion 2 Copyright 2008 Hirschmann

More information

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall

We will give some overview of firewalls. Figure 1 explains the position of a firewall. Figure 1: A Firewall Chapter 10 Firewall Firewalls are devices used to protect a local network from network based security threats while at the same time affording access to the wide area network and the internet. Basically,

More information

INTRUSION DETECTION SYSTEMS and Network Security

INTRUSION DETECTION SYSTEMS and Network Security INTRUSION DETECTION SYSTEMS and Network Security Intrusion Detection System IDS A layered network security approach starts with : A well secured system which starts with: Up-to-date application and OS

More information

Security and Access Control Lists (ACLs)

Security and Access Control Lists (ACLs) Security and Access Control Lists (ACLs) Malin Bornhager Halmstad University Session Number 2002, Svenska-CNAP Halmstad University 1 Objectives Security Threats Access Control List Fundamentals Access

More information

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA Firewalls Securing Networks Chapter 3 Part 1 of 4 CA M S Mehta, FCA 1 Firewalls Learning Objectives Task Statements 1.3 Recognise function of Telecommunications and Network security including firewalls,..

More information

Configuring PA Firewalls for a Layer 3 Deployment

Configuring PA Firewalls for a Layer 3 Deployment Configuring PA Firewalls for a Layer 3 Deployment Configuring PAN Firewalls for a Layer 3 Deployment Configuration Guide January 2009 Introduction The following document provides detailed step-by-step

More information

Security Awareness. Wireless Network Security

Security Awareness. Wireless Network Security Security Awareness Wireless Network Security Attacks on Wireless Networks Three-step process Discovering the wireless network Connecting to the network Launching assaults Security Awareness, 3 rd Edition

More information

Network Security Topologies. Chapter 11

Network Security Topologies. Chapter 11 Network Security Topologies Chapter 11 Learning Objectives Explain network perimeter s importance to an organization s security policies Identify place and role of the demilitarized zone in the network

More information

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013 CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention Spring 2013 Review Chapter 1: Basic Concepts and Terminology Chapter 2: Basic Cryptographic Tools Chapter 3 User Authentication Chapter 4 Access

More information

Firewalls. Chapter 3

Firewalls. Chapter 3 Firewalls Chapter 3 1 Border Firewall Passed Packet (Ingress) Passed Packet (Egress) Attack Packet Hardened Client PC Internet (Not Trusted) Hardened Server Dropped Packet (Ingress) Log File Internet Border

More information

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 1. Obtain previous workpapers/audit reports. FIREWALL CHECKLIST Pre Audit Checklist 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review. 3. Obtain current network diagrams

More information

CMPT 471 Networking II

CMPT 471 Networking II CMPT 471 Networking II Firewalls Janice Regan, 2006-2013 1 Security When is a computer secure When the data and software on the computer are available on demand only to those people who should have access

More information

ΕΠΛ 674: Εργαστήριο 5 Firewalls

ΕΠΛ 674: Εργαστήριο 5 Firewalls ΕΠΛ 674: Εργαστήριο 5 Firewalls Παύλος Αντωνίου Εαρινό Εξάμηνο 2011 Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized

More information

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015)

Firewalls. Test your Firewall knowledge. Test your Firewall knowledge (cont) (March 4, 2015) s (March 4, 2015) Abdou Illia Spring 2015 Test your knowledge Which of the following is true about firewalls? a) A firewall is a hardware device b) A firewall is a software program c) s could be hardware

More information

Architecture Overview

Architecture Overview Architecture Overview Design Fundamentals The networks discussed in this paper have some common design fundamentals, including segmentation into modules, which enables network traffic to be isolated and

More information

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES

PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES PROTECTING INFORMATION SYSTEMS WITH FIREWALLS: REVISED GUIDELINES ON FIREWALL TECHNOLOGIES AND POLICIES Shirley Radack, Editor Computer Security Division Information Technology Laboratory National Institute

More information

Security Technology: Firewalls and VPNs

Security Technology: Firewalls and VPNs Security Technology: Firewalls and VPNs 1 Learning Objectives Understand firewall technology and the various approaches to firewall implementation Identify the various approaches to remote and dial-up

More information

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA

JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA JK0-022 CompTIA Academic/E2C Security+ Certification Exam CompTIA To purchase Full version of Practice exam click below; http://www.certshome.com/jk0-022-practice-test.html FOR CompTIA JK0-022 Exam Candidates

More information

CISCO IOS NETWORK SECURITY (IINS)

CISCO IOS NETWORK SECURITY (IINS) CISCO IOS NETWORK SECURITY (IINS) SEVENMENTOR TRAINING PVT.LTD [Type text] Exam Description The 640-553 Implementing Cisco IOS Network Security (IINS) exam is associated with the CCNA Security certification.

More information

Firewalls, IDS and IPS

Firewalls, IDS and IPS Session 9 Firewalls, IDS and IPS Prepared By: Dr. Mohamed Abd-Eldayem Ref.: Corporate Computer and Network Security By: Raymond Panko Basic Firewall Operation 2. Internet Border Firewall 1. Internet (Not

More information

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements

How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements How NETGEAR ProSecure UTM Helps Small Businesses Meet PCI Requirements I n t r o d u c t i o n The Payment Card Industry Data Security Standard (PCI DSS) was developed in 2004 by the PCI Security Standards

More information

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science

ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας. University of Cyprus Department of Computer Science ΕΠΛ 475: Εργαστήριο 9 Firewalls Τοίχοι πυρασφάλειας Department of Computer Science Firewalls A firewall is hardware, software, or a combination of both that is used to prevent unauthorized Internet users

More information

FIREWALLS & CBAC. philip.heimer@hh.se

FIREWALLS & CBAC. philip.heimer@hh.se FIREWALLS & CBAC philip.heimer@hh.se Implementing a Firewall Personal software firewall a software that is installed on a single PC to protect only that PC All-in-one firewall can be a single device that

More information

Objectives. Security+ Guide to Network Security Fundamentals, Third Edition. Network Vulnerabilities. Media-Based Vulnerabilities

Objectives. Security+ Guide to Network Security Fundamentals, Third Edition. Network Vulnerabilities. Media-Based Vulnerabilities Objectives Security+ Guide to Network Security Fundamentals, Third Edition Explain the types of network vulnerabilities List categories of network attacks Define different methods of network attacks Chapter

More information

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall

Firewall Introduction Several Types of Firewall. Cisco PIX Firewall Firewall Introduction Several Types of Firewall. Cisco PIX Firewall What is a Firewall? Non-computer industries: a wall that controls the spreading of a fire. Networks: a designed device that controls

More information

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall?

What is a Firewall? Computer Security. Firewalls. What is a Firewall? What is a Firewall? What is a Firewall? Computer Security Firewalls fire wall 1 : a wall constructed to prevent the spread of fire 2 usually firewall : a computer or computer software that prevents unauthorized access to

More information

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series

The Cisco IOS Firewall feature set is supported on the following platforms: Cisco 2600 series Cisco 3600 series Cisco IOS Firewall Feature Set Feature Summary The Cisco IOS Firewall feature set is available in Cisco IOS Release 12.0. This document includes information that is new in Cisco IOS Release 12.0(1)T, including

More information

http://www.it-exams.com

http://www.it-exams.com -The fastest and guaranteed way to certy now! http://www.it-exams.com Exam Number : SY0-301 Exam Name : Security+ Certification Exam 2011 version Version : Demo QUESTION NO: 1 Actively monitoring data

More information

2. From a control perspective, the PRIMARY objective of classifying information assets is to:

2. From a control perspective, the PRIMARY objective of classifying information assets is to: MIS5206 Week 13 Your Name Date 1. When conducting a penetration test of an organization's internal network, which of the following approaches would BEST enable the conductor of the test to remain undetected

More information

642 523 Securing Networks with PIX and ASA

642 523 Securing Networks with PIX and ASA 642 523 Securing Networks with PIX and ASA Course Number: 642 523 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional and the Cisco Firewall

More information

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall

Chapter 5. Figure 5-1: Border Firewall. Firewalls. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall. Figure 5-1: Border Firewall Figure 5-1: Border s Chapter 5 Revised March 2004 Panko, Corporate Computer and Network Security Copyright 2004 Prentice-Hall Border 1. (Not Trusted) Attacker 1 1. Corporate Network (Trusted) 2 Figure

More information

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam

JK0 015 CompTIA E2C Security+ (2008 Edition) Exam JK0 015 CompTIA E2C Security+ (2008 Edition) Exam Version 4.1 QUESTION NO: 1 Which of the following devices would be used to gain access to a secure network without affecting network connectivity? A. Router

More information

Lab 8.4.2 Configuring Access Policies and DMZ Settings

Lab 8.4.2 Configuring Access Policies and DMZ Settings Lab 8.4.2 Configuring Access Policies and DMZ Settings Objectives Log in to a multi-function device and view security settings. Set up Internet access policies based on IP address and application. Set

More information

Guideline on Auditing and Log Management

Guideline on Auditing and Log Management CMSGu2012-05 Mauritian Computer Emergency Response Team CERT-MU SECURITY GUIDELINE 2011-02 Enhancing Cyber Security in Mauritius Guideline on Auditing and Log Management National Computer Board Mauritius

More information

Configuring Network Address Translation (NAT)

Configuring Network Address Translation (NAT) 8 Configuring Network Address Translation (NAT) Contents Overview...................................................... 8-3 Translating Between an Inside and an Outside Network........... 8-3 Local and

More information

Chapter 11 Cloud Application Development

Chapter 11 Cloud Application Development Chapter 11 Cloud Application Development Contents Motivation. Connecting clients to instances through firewalls. Chapter 10 2 Motivation Some of the questions of interest to application developers: How

More information

SonicWALL PCI 1.1 Implementation Guide

SonicWALL PCI 1.1 Implementation Guide Compliance SonicWALL PCI 1.1 Implementation Guide A PCI Implementation Guide for SonicWALL SonicOS Standard In conjunction with ControlCase, LLC (PCI Council Approved Auditor) SonicWall SonicOS Standard

More information

Ch.9 Firewalls and Intrusion Prevention Systems. Firewall Design Goals

Ch.9 Firewalls and Intrusion Prevention Systems. Firewall Design Goals Ch.9 Firewalls and Intrusion Prevention Systems Firewalls: effective means of protecting LANs Internet connectivity is essential for every organization and individuals introduces threats from the Internet

More information

8. Firewall Design & Implementation

8. Firewall Design & Implementation DMZ Networks The most common firewall environment implementation is known as a DMZ, or DeMilitarized Zone network. A DMZ network is created out of a network connecting two firewalls; i.e., when two or

More information

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1

Computer Security CS 426 Lecture 36. CS426 Fall 2010/Lecture 36 1 Computer Security CS 426 Lecture 36 Perimeter Defense and Firewalls CS426 Fall 2010/Lecture 36 1 Announcements There will be a quiz on Wed There will be a guest lecture on Friday, by Prof. Chris Clifton

More information

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0

ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0 ACADEMIA LOCAL CISCO UCV-MARACAY CONTENIDO DE CURSO CURRICULUM CCNA. SEGURIDAD SEGURIDAD EN REDES. NIVEL I. VERSION 2.0 Module 1: Vulnerabilities, Threats, and Attacks 1.1 Introduction to Network Security

More information

642 552 Securing Cisco Network Devices (SND)

642 552 Securing Cisco Network Devices (SND) 642 552 Securing Cisco Network Devices (SND) Course Number: 642 552 Length: 1 Day(s) Course Overview This course is part of the training for the Cisco Certified Security Professional, Cisco Firewall Specialist,

More information

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Firewalls and VPNs. Principles of Information Security, 5th Edition 1 Firewalls and VPNs Principles of Information Security, 5th Edition 1 Learning Objectives Upon completion of this material, you should be able to: Understand firewall technology and the various approaches

More information

Overview. Firewall Security. Perimeter Security Devices. Routers

Overview. Firewall Security. Perimeter Security Devices. Routers Overview Firewall Security Chapter 8 Perimeter Security Devices H/W vs. S/W Packet Filtering vs. Stateful Inspection Firewall Topologies Firewall Rulebases Lecturer: Pei-yih Ting 1 2 Perimeter Security

More information

Proxy Server, Network Address Translator, Firewall

Proxy Server, Network Address Translator, Firewall For Summer Training on Computer Networking visit Proxy Server, Network Address Translator, Firewall Prepared by : Swapan Purkait Director Nettech Private Limited swapan@nettech.in + 91 93315 90003 Proxy

More information

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 http://technet.microsoft.com/en-us/library/cc757501(ws.10).aspx Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003 Updated: October 7, 2005 Applies To: Windows Server 2003 with

More information

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA

Configuring Personal Firewalls and Understanding IDS. Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA Configuring Personal Firewalls and Understanding IDS Securing Networks Chapter 3 Part 2 of 4 CA M S Mehta, FCA 1 Configuring Personal Firewalls and IDS Learning Objectives Task Statements 1.4 Analyze baseline

More information

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security

CTS2134 Introduction to Networking. Module 8.4 8.7 Network Security CTS2134 Introduction to Networking Module 8.4 8.7 Network Security Switch Security: VLANs A virtual LAN (VLAN) is a logical grouping of computers based on a switch port. VLAN membership is configured by

More information

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy

G/On. Basic Best Practice Reference Guide Version 6. For Public Use. Make Connectivity Easy For Public Use G/On Basic Best Practice Reference Guide Version 6 Make Connectivity Easy 2006 Giritech A/S. 1 G/On Basic Best Practices Reference Guide v.6 Table of Contents Scope...3 G/On Server Platform

More information

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations

PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations PT Activity: Configure Cisco Routers for Syslog, NTP, and SSH Operations Instructor Version Topology Diagram Addressing Table Device Interface IP Address Subnet Mask Default Gateway Switch Port R1 FA0/1

More information

Internet Security Firewalls

Internet Security Firewalls Internet Security Firewalls Ozalp Babaoglu ALMA MATER STUDIORUM UNIVERSITA DI BOLOGNA Overview Exo-structures Firewalls Virtual Private Networks Cryptography-based technologies IPSec Secure Socket Layer

More information

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles

Firewalls. Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49. Firewall Design Principles Firewalls Ola Flygt Växjö University, Sweden http://w3.msi.vxu.se/users/ofl/ Ola.Flygt@vxu.se +46 470 70 86 49 1 Firewall Design Principles Firewall Characteristics Types of Firewalls Firewall Configurations

More information

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs

Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Overview of Network Security The need for network security Desirable security properties Common vulnerabilities Security policy designs Why Network Security? Keep the bad guys out. (1) Closed networks

More information

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall.

Firewalls. Firewalls. Idea: separate local network from the Internet 2/24/15. Intranet DMZ. Trusted hosts and networks. Firewall. Firewalls 1 Firewalls Idea: separate local network from the Internet Trusted hosts and networks Firewall Intranet Router DMZ Demilitarized Zone: publicly accessible servers and networks 2 1 Castle and

More information

How are we keeping Hackers away from our UCD networks and computer systems?

How are we keeping Hackers away from our UCD networks and computer systems? How are we keeping Hackers away from our UCD networks and computer systems? Cybercrime Sony's Hacking Scandal Could Cost The Company $100 Million - http://www.businessinsider.com/sonys-hacking-scandal-could-cost-the-company-100-million-2014-12

More information

Firewalls, Tunnels, and Network Intrusion Detection

Firewalls, Tunnels, and Network Intrusion Detection Firewalls, Tunnels, and Network Intrusion Detection 1 Part 1: Firewall as a Technique to create a virtual security wall separating your organization from the wild west of the public internet 2 1 Firewalls

More information

Tutorial 3. June 8, 2015

Tutorial 3. June 8, 2015 Tutorial 3 June 8, 2015 I. Basic Notions 1. Multiple-choice (Review Questions Chapter 6, 8 and 11) 2. Answers by a small paragraph (Chapter 2: viruses: MBR, rootkits, ) Multiple choice X. Which is the

More information

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004

SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004 SFWR ENG 4C03 Class Project Firewall Design Principals Arash Kamyab 9940313 March 04, 2004 Introduction: A computer firewall protects computer networks from unwanted intrusions which could compromise confidentiality

More information

Firewall Security. Presented by: Daminda Perera

Firewall Security. Presented by: Daminda Perera Firewall Security Presented by: Daminda Perera 1 Firewalls Improve network security Cannot completely eliminate threats and a=acks Responsible for screening traffic entering and/or leaving a computer network

More information

Network Defense Tools

Network Defense Tools Network Defense Tools Prepared by Vanjara Ravikant Thakkarbhai Engineering College, Godhra-Tuwa +91-94291-77234 www.cebirds.in, www.facebook.com/cebirds ravikantvanjara@gmail.com What is Firewall? A firewall

More information

Network Virtualization Network Admission Control Deployment Guide

Network Virtualization Network Admission Control Deployment Guide Network Virtualization Network Admission Control Deployment Guide This document provides guidance for enterprises that want to deploy the Cisco Network Admission Control (NAC) Appliance for their campus

More information

Chapter 9 Monitoring System Performance

Chapter 9 Monitoring System Performance Chapter 9 Monitoring System Performance This chapter describes the full set of system monitoring features of your ProSafe Dual WAN Gigabit Firewall with SSL & IPsec VPN. You can be alerted to important

More information

Internet Security Firewalls

Internet Security Firewalls Overview Internet Security Firewalls Ozalp Babaoglu! Exo-structures " Firewalls " Virtual Private Networks! Cryptography-based technologies " IPSec " Secure Socket Layer ALMA MATER STUDIORUM UNIVERSITA

More information

A Model Design of Network Security for Private and Public Data Transmission

A Model Design of Network Security for Private and Public Data Transmission 2011, TextRoad Publication ISSN 2090-424X Journal of Basic and Applied Scientific Research www.textroad.com A Model Design of Network Security for Private and Public Data Transmission Farhan Pervez, Ali

More information

F-SECURE MESSAGING SECURITY GATEWAY

F-SECURE MESSAGING SECURITY GATEWAY F-SECURE MESSAGING SECURITY GATEWAY DEFAULT SETUP GUIDE This guide describes how to set up and configure the F-Secure Messaging Security Gateway appliance in a basic e-mail server environment. AN EXAMPLE

More information

Chapter 15. Firewalls, IDS and IPS

Chapter 15. Firewalls, IDS and IPS Chapter 15 Firewalls, IDS and IPS Basic Firewall Operation The firewall is a border firewall. It sits at the boundary between the corporate site and the external Internet. A firewall examines each packet

More information

- Introduction to Firewalls -

- Introduction to Firewalls - 1 Firewall Basics - Introduction to Firewalls - Traditionally, a firewall is defined as any device (or software) used to filter or control the flow of traffic. Firewalls are typically implemented on the

More information

Firewalls. Ahmad Almulhem March 10, 2012

Firewalls. Ahmad Almulhem March 10, 2012 Firewalls Ahmad Almulhem March 10, 2012 1 Outline Firewalls The Need for Firewalls Firewall Characteristics Types of Firewalls Firewall Basing Firewall Configurations Firewall Policies and Anomalies 2

More information

74% 96 Action Items. Compliance

74% 96 Action Items. Compliance Compliance Report PCI DSS 2.0 Generated by Check Point Compliance Blade, on July 02, 2013 11:12 AM 1 74% Compliance 96 Action Items Upcoming 0 items About PCI DSS 2.0 PCI-DSS is a legal obligation mandated

More information

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006

Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 Enterprise Cybersecurity Best Practices Part Number MAN-00363 Revision 006 April 2013 Hologic and the Hologic Logo are trademarks or registered trademarks of Hologic, Inc. Microsoft, Active Directory,

More information

Computer Security: Principles and Practice

Computer Security: Principles and Practice Computer Security: Principles and Practice Chapter 9 Firewalls and Intrusion Prevention Systems First Edition by William Stallings and Lawrie Brown Lecture slides by Lawrie Brown Firewalls and Intrusion

More information

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) :

Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh. Name (in block letters) : Högskolan i Halmstad Sektionen för Informationsvetenskap, Data- Och Elektroteknik (IDÉ) Ola Lundh Written Exam in Network Security ANSWERS May 28, 2009. Allowed aid: Writing material. Name (in block letters)

More information

GFI White Paper PCI-DSS compliance and GFI Software products

GFI White Paper PCI-DSS compliance and GFI Software products White Paper PCI-DSS compliance and Software products The Payment Card Industry Data Standard () compliance is a set of specific security standards developed by the payment brands* to help promote the adoption

More information

Implementing Network Address Translation and Port Redirection in epipe

Implementing Network Address Translation and Port Redirection in epipe Implementing Network Address Translation and Port Redirection in epipe Contents 1 Introduction... 2 2 Network Address Translation... 2 2.1 What is NAT?... 2 2.2 NAT Redirection... 3 2.3 Bimap... 4 2.4

More information

Using a Firewall General Configuration Guide

Using a Firewall General Configuration Guide Using a Firewall General Configuration Guide Page 1 1 Contents There are no satellite-specific configuration issues that need to be addressed when installing a firewall and so this document looks instead

More information

Cornerstones of Security

Cornerstones of Security Internet Security Cornerstones of Security Authenticity the sender (either client or server) of a message is who he, she or it claims to be Privacy the contents of a message are secret and only known to

More information

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping

Larry Wilson Version 1.0 November, 2013. University Cyber-security Program Critical Asset Mapping Larry Wilson Version 1.0 November, 2013 University Cyber-security Program Critical Asset Mapping Part 3 - Cyber-Security Controls Mapping Cyber-security Controls mapped to Critical Asset Groups CSC Control

More information

Using Ranch Networks for Internal LAN Security

Using Ranch Networks for Internal LAN Security Using Ranch Networks for Internal LAN Security The Need for Internal LAN Security Many companies have secured the perimeter of their network with Firewall and VPN devices. However many studies have shown

More information

Configuring DHCP Snooping

Configuring DHCP Snooping CHAPTER 19 This chapter describes how to configure Dynamic Host Configuration Protocol (DHCP) snooping on Catalyst 4500 series switches. It provides guidelines, procedures, and configuration examples.

More information

ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS. Version 2.0

ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS. Version 2.0 ENTERPRISE IT SECURITY ARCHITECTURE SECURITY ZONES: NETWORK SECURITY ZONE STANDARDS Version 2.0 July 20, 2012 Table of Contents 1 Foreword... 1 2 Introduction... 1 2.1 Classification... 1 3 Scope... 1

More information

UNDERSTANDING FIREWALLS TECHNICAL NOTE 10/04

UNDERSTANDING FIREWALLS TECHNICAL NOTE 10/04 UNDERSTANDING FIREWALLS TECHNICAL NOTE 10/04 REVISED 23 FEBRUARY 2005 This paper was previously published by the National Infrastructure Security Co-ordination Centre (NISCC) a predecessor organisation

More information

E-commerce Production Firewalls

E-commerce Production Firewalls E-commerce Production Firewalls A Proper Security Design 2006 Philip J. Balsley. This document and all information contained herein is the sole and exclusive property of Philip J. Balsley. All rights reserved.

More information

Firewall Server 7.2. Release Notes. What's New in Firewall Server 7.2

Firewall Server 7.2. Release Notes. What's New in Firewall Server 7.2 Firewall Server 7.2 Release Notes BorderWare Technologies is pleased to announce the release of version 7.2 of the Firewall Server. This release includes the following new features and improvements. What's

More information

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/

Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Computer Security DD2395 http://www.csc.kth.se/utbildning/kth/kurser/dd2395/dasakh10/ Fall 2010 Sonja Buchegger buc@kth.se Lecture 6, Nov. 10, 2010 Firewalls, Intrusion Prevention, Intrusion Detection

More information

Cisco Certified Security Professional (CCSP)

Cisco Certified Security Professional (CCSP) 529 Hahn Ave. Suite 101 Glendale CA 91203-1052 Tel 818.550.0770 Fax 818.550.8293 www.brandcollege.edu Cisco Certified Security Professional (CCSP) Program Summary This instructor- led program with a combination

More information

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT

Firewalls. Ingress Filtering. Ingress Filtering. Network Security. Firewalls. Access lists Ingress filtering. Egress filtering NAT Network Security s Access lists Ingress filtering s Egress filtering NAT 2 Drivers of Performance RequirementsTraffic Volume and Complexity of Static IP Packet Filter Corporate Network The Complexity of

More information

Common Remote Service Platform (crsp) Security Concept

Common Remote Service Platform (crsp) Security Concept Siemens Remote Support Services Common Remote Service Platform (crsp) Security Concept White Paper April 2013 1 Contents Siemens AG, Sector Industry, Industry Automation, Automation Systems This entry

More information

BUILDING AN UNIVERSAL NETWORK SECURITY MODEL

BUILDING AN UNIVERSAL NETWORK SECURITY MODEL BUILDING AN UNIVERSAL NETWORK SECURITY MODEL Zahari Todorov Slavov, Valentin Panchev Hristov Department of Computer Systems and Technology, South-West University Neofit Rilski, Blagoevgrad, Bulgaria, e-mail:

More information

Deploying Firewalls Throughout Your Organization

Deploying Firewalls Throughout Your Organization Deploying Firewalls Throughout Your Organization Avoiding break-ins requires firewall filtering at multiple external and internal network perimeters. Firewalls have long provided the first line of defense

More information

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials.

Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials. Note: This case study utilizes Packet Tracer. Please see the Chapter 5 Packet Tracer file located in Supplemental Materials. CHAPTER 5 OBJECTIVES Configure a router with an initial configuration. Use the

More information

ICANWK406A Install, configure and test network security

ICANWK406A Install, configure and test network security ICANWK406A Install, configure and test network security Release: 1 ICANWK406A Install, configure and test network security Modification History Release Release 1 Comments This Unit first released with

More information

Automate PCI Compliance Monitoring, Investigation & Reporting

Automate PCI Compliance Monitoring, Investigation & Reporting Automate PCI Compliance Monitoring, Investigation & Reporting Reducing Business Risk Standards and compliance are all about implementing procedures and technologies that reduce business risk and efficiently

More information

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering

Internet Firewall CSIS 3230. Internet Firewall. Spring 2012 CSIS 4222. net13 1. Firewalls. Stateless Packet Filtering Internet Firewall CSIS 3230 A combination of hardware and software that isolates an organization s internal network from the Internet at large Ch 8.8: Packet filtering, firewalls, intrusion detection Ch

More information

Barracuda Networks Web Application Firewall

Barracuda Networks Web Application Firewall McAfee Enterprise Security Manager Data Source Configuration Guide Data Source: Barracuda Networks Web Application Firewall January 30, 2015 Barracuda Networks Web Application Firewall Page 1 of 10 Important

More information