Security Design. thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/



Similar documents
Industrial Network Security for SCADA, Automation, Process Control and PLC Systems. Contents. 1 An Introduction to Industrial Network Security 1

JOB READY ASSESSMENT BLUEPRINT COMPUTER NETWORKING FUNDAMENTALS - PILOT. Test Code: 4514 Version: 01

Security+ Guide to Network Security Fundamentals, Fourth Edition. Chapter 6 Network Security

Network System Design Lesson Objectives

NETE-4635 Computer Network Analysis and Design. Designing a Network Topology. NETE Computer Network Analysis and Design Slide 1

Networking Devices. Lesson 6

Top-Down Network Design

Firewalls and VPNs. Principles of Information Security, 5th Edition 1

Securing Modern Substations With an Open Standard Network Security Solution. Kevin Leech Schweitzer Engineering Laboratories, Inc.

Chapter 5. Data Communication And Internet Technology

PowerLink Bandwidth Aggregation Redundant WAN Link and VPN Fail-Over Solutions

Security in Wireless Local Area Network

SSVP SIP School VoIP Professional Certification

Networking Technology Online Course Outline

Recommended IP Telephony Architecture

CUSTOMIZED ASSESSMENT BLUEPRINT COMPUTER SYSTEMS NETWORKING PA. Test Code: 8148 Version: 01

Developing Network Security Strategies

Local Area Networks (LANs) Blueprint (May 2012 Release)

Network Security Administrator

Security Technology: Firewalls and VPNs

CHAPTER 6 DESIGNING A NETWORK TOPOLOGY

Chapter 12. Security Policy Life Cycle. Network Security 8/19/2010. Network Security

Chapter 9 Firewalls and Intrusion Prevention Systems

Unified Services Routers

ICANWK406A Install, configure and test network security

Level: 3 Credit value: 9 GLH: 80. QCF unit reference R/507/8351. This unit has 6 learning outcomes.

Information Security Assessment and Testing Services RFQ # Questions and Answers September 8, 2014

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

VPN. Date: 4/15/2004 By: Heena Patel

How To - Configure Virtual Host using FQDN How To Configure Virtual Host using FQDN

SSVVP SIP School VVoIP Professional Certification

Deploying secure wireless network services The Avaya Identity Engines portfolio offers flexible, auditable management for secure wireless networks.

WAN Failover Scenarios Using Digi Wireless WAN Routers

Architecture. The DMZ is a portion of a network that separates a purely internal network from an external network.

Firewalls. Securing Networks. Chapter 3 Part 1 of 4 CA M S Mehta, FCA

How To Protect Your Network From Attack

Unified Services Routers

Steelcape Product Overview and Functional Description

Firewall Environments. Name

Unified Services Routers

INTRODUCTION TO FIREWALL SECURITY

Elfiq Link Load Balancer Frequently Asked Questions (FAQ)

Appendix A: Configuring Firewalls for a VPN Server Running Windows Server 2003

CMPT 471 Networking II

5.0 Network Architecture. 5.1 Internet vs. Intranet 5.2 NAT 5.3 Mobile Network

Planeamento e Gestão de Redes. Análise de Requisitos

1 Which network type is a specifically designed configuration of computers and other devices located within a confined area? A Peer-to-peer network

Networking 4 Voice and Video over IP (VVoIP)

Computer Networking Networks

Network Technology CMP-354-TE. TECEP Test Description

WAN Traffic Management with PowerLink Pro100

VLAN 802.1Q. 1. VLAN Overview. 1. VLAN Overview. 2. VLAN Trunk. 3. Why use VLANs? 4. LAN to LAN communication. 5. Management port

CompTIA Convergence Examination Objectives

Lucent VPN Firewall Security in x Wireless Networks

Tutorial 3. June 8, 2015

Wholesale IP Bitstream on a Cable HFC infrastructure

ENHWI-N n Wireless Router

Remote Connectivity for mysap.com Solutions over the Internet Technical Specification

Implementing and Administering Security in a Microsoft Windows Server 2003 Network

FIREWALLS & NETWORK SECURITY with Intrusion Detection and VPNs, 2 nd ed. Chapter 5 Firewall Planning and Design

Ranch Networks for Hosted Data Centers

ICTTEN6172A Design and configure an IP- MPLS network with virtual private network tunnelling

VRGIII N Series Triple Play Gateway

Please purchase PDF Split-Merge on to remove this watermark.

1.264 Lecture 37. Telecom: Enterprise networks, VPN

Cornerstones of Security

Cisco Discovery 3: Introducing Routing and Switching in the Enterprise hours teaching time

MOC 6435A Designing a Windows Server 2008 Network Infrastructure

Technical papers Virtual private networks

A Network Design Primer

RuggedCom Solutions for

Security perimeter. Internet. - Access control, monitoring and management. Differentiate between insiders and outsiders - Different types of outsiders

UIP1868P User Interface Guide

Computer Networks. Secure Systems

Networking Topology For Your System

Objectives. Remote Connection Options. Teleworking. Connecting Teleworkers to the Corporate WAN. Providing Teleworker Services

LAN TCP/IP and DHCP Setup

How To Protect Your Firewall From Attack From A Malicious Computer Or Network Device

Medical Networks and Operating Systems

CS 356 Lecture 19 and 20 Firewalls and Intrusion Prevention. Spring 2013

Clustering. Configuration Guide IPSO 6.2

Data Sheet. V-Net Link 700 C Series Link Load Balancer. V-NetLink:Link Load Balancing Solution from VIAEDGE

Lesson Plans Managing a Windows 2003 Network Infrastructure

Network Access Security. Lesson 10

Release: 1. ICANWK607A Design and implement wireless network security

Network audit Campina UK Horsham November 10th, 2004

CompTIA Cloud+ 9318; 5 Days, Instructor-led

Service Definition. Internet Service. Introduction. Product Overview. Service Specification

Lecture 02b Cloud Computing II

CompTIA Cloud+ Course Content. Length: 5 Days. Who Should Attend:

NEWT Managed PBX A Secure VoIP Architecture Providing Carrier Grade Service

Implementing, Managing and Maintaining a Microsoft Windows Server 2003 Network Infrastructure: Network Services Course No.

Symantec Enterprise Firewalls. From the Internet Thomas Jerry Scott

Advanced Higher Computing. Computer Networks. Homework Sheets

Transcription:

Security Design thm@informatik.uni-rostock.de http://wwwiuk.informatik.uni-rostock.de/

Content Security Design Analysing Design Requirements Resource Separation a Security Zones VLANs Tuning Load Balancing

Analysing Design Requirements Answering the following questions What resources need to be protected? Who are potential attackers? What are the business needs? What are the policy constraints?

Gathering requirements What resources need to be protected? Servers Workstations Network equipment / VPN / dial-up

Gathering requirements Who are potential attackers? Outsider Insider Unsophisticated attacker Malicious software agents

Gathering requirements What are the business needs? Costs Cost-risk-mitigation Performance Delays (e.g. through encryption, logging) Bandwidth (e.g. VPN) Business-related services (e.g. web server) Fault tolerance Intra-system redundancy Intra-side redundancy Geographic redundancy

Gathering requirements What are the policy constraints? Analyzing documents describing policies Need to update policies?

Design elements Firewalls Perimeter Inline Routers Cabling VPN gateways Access control Group policies Policies External devices (ISP routers, external VPN)

Resource Separation Security Zones VLANs Security zones Remember what happens when VPN users are connected with internet as well Logical grouping of resources according to their security classification What are meaningful groups? To answer this question, two other questions have to be answered Who needs to access services? How much risk is involved in using certain services? Zones can spread across a single subnet or multiple subnets Zones within a server (e.g. chroot)

Resource Separation Security Zones VLANs DMZ Separating all accessible services into a zone Trust between DMZ and internal network is limited but higher than within external and internal network Firewalls and other appliances guard DMZ from external network and internal network from DMZ Attacker has to break both barriers Examples Web servers Mail relays Split DNS

Resource Separation Security Zones VLANs Wireless networks WLANs are easily accessible from off a company s premises Unsecured WEP Useful protection WPA VPN Wireless subnet is a good candidate for a separated network

Resource Separation Security Zones VLANs VLANs reduce costs when subnets spread across several locations Ethernet frames are tagged with a VLAN ID (see IEEE 8021Q) 802.1Q) Protection of VLAN tags against manipulation is hard to accomplish Frames might be send into private subnets (VLANs)

Tuning - Load balancing Performance and security are sometimes competing design goals. Security process are time consuming, remember Encryption / decryption Signing / signature checking Firewalling / proxying Security processes consume bandwidth Packet size when authentication of packets is used (signatures) Tunneling

Tuning - Load balancing Performance factors (What are users complaining i about?) Bandwidth Frequency Medium (copper vs. fiber cabling) Latency Propagation Gateway processing Response time Throughput Availability Parallel users MTBF

Tuning - Load balancing Network architecture Broadcast domains vs. gateway processing Security aspects of separation WAN links (decentralized / centralized) Routing principles Distance vector vs. link state Physical location

Tuning - Load balancing Load balancing Load that exceeds the capabilities of any single device is being distributed to a group of equal devices Round robin DNS Load balancing appliances (Layer 4 and layer 7 dispatchers) Problems Stateful protocols Sessions (e.g. hybrid encryption)

Summary Security design is a process of gathering the requirements, analyzing possibilities, and implementing security features. Security and performance are competing. Security has to deal with performance limitations imposed by itself.

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information