- Slides: 27
Penetration testing Security Analysis and Advanced Tools: Designing a DMZ
Introduction to Designing a DMZ
• DMZ (demilitarized zone)
  – Computer host or small network inserted as a “neutral zone” between a company’s private network and the outside public network
  – Network construct that provides secure segregation of networks that host services for users, visitors, or partners
• DMZ use has become a necessary method of providing a multilayered, defense-in-depth approach to security
Introduction to Designing a DMZ (cont’d.)
Firewalls are essential for the secure segregation of networks.
DMZ Concepts
• DMZ has proven to be more secure and to offer multiple layers of protection for the security of the protected networks and machines
• Bastion host
  – Device in a DMZ that is built to withstand attacks
• Multitiered Firewall with a DMZ Flow
  – DMZ is established, separated, and protected from both the internal and external networks
DMZ Concepts (cont’d.)
A multitiered firewall is useful for protection from both internal and external networks.
DMZ Design Fundamentals
• DMZ designs generally consist of
  – Firewalls and segments that are protected from each other by firewall rules and routing, as well as the use of RFC 1918 addressing on the internal network
• Design of the DMZ is critically important to the overall protection of the internal network
• Access control lists (ACLs)
  – Determine who is allowed access to an item in a network and how that item can be used
• DMZ Protocols
  – See next slide
DMZ Design Fundamentals (cont’d.)
Certain protocols are vulnerable to attack and should be used with caution.
Advanced Design Concepts
• Internal Network Access
  – Consider the methods that might be used to provide VPN services
  – Limit or restrict outbound traffic from the internal network to inappropriate services
  – Provide for out-of-band management capabilities
• Remote Administration
  – Extremely tempting to use the built-in capabilities of the various operating systems and the management software provided for many hardware devices
  – It is very important to thoroughly review alternatives
Advanced Design Concepts (cont’d.)
• Authentication
  – Generally inappropriate to locate a RADIUS or TACACS+ server in a DMZ segment
  – It might be necessary to implement a plan to accommodate the authentication of users entering the DMZ from a public network
  – DMZ design should include a separate authentication DMZ segment
    • Equipment in that segment should be hardened
DMZ Architecture
• Inside-Versus-Outside Architecture
  – Packet-filtering routers act as the initial line of defense
• Three-Homed Firewall Architecture
  – DMZ handles the traffic between the internal network and firewall, as well as the traffic between the firewall and DMZ
• Weak-Screened Subnet Architecture
  – Used when routers have better high-bandwidth datastream handling capacity
• Strong-Screened Subnet Architecture
  – Both the DMZ and the internal networks are protected by a well-functioning firewall
Designing a DMZ Using iptables
The inside and outside firewalls in a DMZ serve multiple functions.
Designing a Wireless DMZ
• Categories of attacks on wireless networks:
  – Passive attacks
  – Active attacks
  – Man-in-the-middle attacks
  – Jamming attacks
• Placement of Wireless Equipment
  – Depends on the needed accessibility area for the WLAN
• Access to DMZ and Authentication Considerations
  – Access to DMZ Services
  – Authentication Considerations
Designing a Wireless DMZ (cont’d.)
• Wireless DMZ Components
  – Access Points
  – Network Adapters
  – Authentication Servers
  – Enterprise Wireless Gateways and Wireless Gateways
  – Firewalls and Screening Routers
• Wireless DMZ Using RADIUS to Authenticate Users
  – See Figure 5-12
• WLAN DMZ security best practices include
  – Perform a risk analysis of the network
  – Develop relevant and comprehensive security policies
Designing a Wireless DMZ (cont’d.)
A RADIUS server can be used to provide authentication at an access point.
Specific Operating System Design
• Designing a Windows-Based DMZ
  – Select all the needed networking hardware
  – Scale up the number of connections to the Internet
  – Add more bandwidth and site-to-site VPN services
  – Set up a load-balanced solution
  – Make sure that users can obtain the information they need
  – Segment Internet-based resources via the DMZ for an added level of safety
  – Finalize the network layout
Specific Operating System Design (cont’d.)
• Precautions for DMZ Setup
  – The designer should consider other possible access to and from the DMZ
• Security Analysis for the DMZ
  – After the DMZ network segment design is finalized and the systems are placed where they need to be, the security of those systems should be taken into account
• ISA Server Support for DMZ Configuration
  – An ISA firewall network needs to be created for the wireless DMZ segment
  – ISA firewall networks are defined on a per-network-interface basis
Specific Operating System Design (cont’d.)
• Designing a Sun Solaris DMZ
  – Features include zones, ZFS, and the Reduced Networking Software Group
  – Placement of Servers
    • Depends on network requirements
    • Smaller networks generally place the DMZ server directly behind the router
  – Advanced Implementation of a Solaris DMZ Server
    • See Figure 5-17
  – Solaris DMZ Servers in a Conceptual Highly Available Configuration
    • See Figure 5-18
Specific Operating System Design (cont’d.)
… places a switch between the router and the DMZ server.
Specific Operating System Design (cont’d.)
In this conceptual Solaris configuration, three DMZs are connected to the external network switch.
Specific Operating System Design (cont’d.)
• Designing a Sun Solaris DMZ (cont’d.)
  – Private and Public Network Firewall Rule Set
    • Private Network Rules
    • Public Network Rules
  – DMZ Server Firewall Rule Set
    • Generally, the best policy is to deny all traffic to the host from all systems
  – Solaris DMZ System Design (phases)
    • Planning
    • Implementation
    • Maintenance
Specific Operating System Design (cont’d.)
• Designing a Sun Solaris DMZ (cont’d.)
  – Hardening Checklists for DMZ Servers and Solaris
    • Has a model or diagram of the host been made?
    • Is the host physically secured?
• Designing a Linux DMZ
  – Ethernet Interface Requirements and Configuration
  – Traffic Routing Between Public and DMZ Servers
  – Protecting Internet Servers (Using DMZ Networks)
    • Disable all unnecessary services
    • Run services “chrooted” whenever possible
    • Use Firewall Security Policy and Anti-IP-Spoofing Features
Specific Operating System Design (cont’d.)
A common Linux DMZ configuration uses a Linux firewall and three Ethernet cards.
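The three-homed Linux firewall above, together with the deny-all host policy and anti-IP-spoofing features from the Solaris and Linux slides, can be expressed as an iptables rule set. This is an added example, not from the slides, and it assumes eth0 faces the Internet, eth1 the DMZ and eth2 the internal network, with constructed addresses; by default it only prints the rules.

```shell
#!/bin/sh
# Added example (not from the slides): iptables policy for a three-homed Linux
# DMZ firewall. Assumed layout: eth0 = Internet, eth1 = DMZ, eth2 = internal.
# Addresses below are constructed; the internal and DMZ nets use RFC 1918 space.
IPT="${IPT:-echo iptables}"   # default only prints; run with IPT=iptables as root to apply
EXT_IF=eth0; DMZ_IF=eth1; INT_IF=eth2
DMZ_NET=192.168.100.0/24; INT_NET=10.0.0.0/8; WEB=192.168.100.10

dmz_rules() {
    # Deny-all baseline: every permitted flow below is an explicit exception.
    $IPT -P INPUT DROP
    $IPT -P FORWARD DROP
    $IPT -P OUTPUT ACCEPT
    $IPT -F
    # Anti-spoofing: RFC 1918 sources must never arrive on the Internet side.
    for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16; do
        $IPT -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
    done
    # Replies to already-accepted sessions pass in either direction.
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Public rules: the Internet may open only HTTP/HTTPS to the DMZ web host.
    $IPT -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$WEB" -p tcp \
        -m multiport --dports 80,443 -m conntrack --ctstate NEW -j ACCEPT
    # Private rules: internal hosts may initiate to the DMZ and to the Internet.
    $IPT -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -s "$INT_NET" -d "$DMZ_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    $IPT -A FORWARD -i "$INT_IF" -o "$EXT_IF" -s "$INT_NET" \
        -m conntrack --ctstate NEW -j ACCEPT
    # The DMZ never initiates into the internal network: log, then drop, so a
    # compromised bastion host shows up in the firewall log instead of pivoting.
    $IPT -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j LOG --log-prefix "DMZ->INT blocked: "
    $IPT -A FORWARD -i "$DMZ_IF" -o "$INT_IF" -j DROP
    # Host rule set for the firewall itself (the slides' deny-all policy for DMZ
    # hosts): only loopback, replies, and SSH management from the internal segment.
    $IPT -A INPUT -i lo -j ACCEPT
    $IPT -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    $IPT -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport 22 \
        -m conntrack --ctstate NEW -j ACCEPT
}

dmz_rules
```

Running it prints the rules in order, which is a convenient way to review the policy before applying it; the rule order matters, since the anti-spoofing drops sit ahead of the ESTABLISHED accept.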
DMZ Router Security Best Practices
• Checklist for ensuring router security:
  – Authenticate routing updates on dynamic routing protocols
  – Use ACLs to protect network resources and prevent address spoofing
  – Secure the management interfaces
  – Lock down the router services
  – Disable interface-related services
  – Disable unneeded services
  – Keep up to date on IOS bug fixes and vulnerabilities
DMZ Switch Security Best Practices
• Checklist to follow to ensure switch security:
  – Secure the management interfaces
  – Lock down the switch services
  – Disable unneeded services
  – Use VLANs to logically segment a switch and PVLANs to isolate hosts on a VLAN
  – Use port security to secure the input to an interface by limiting and identifying the MAC addresses of hosts that are allowed to access the port
  – Do not use VTP on DMZ switches
  – Keep up to date on IOS bug fixes and vulnerabilities, and upgrade if necessary
Six Ways to Stop Data Leaks
• Consider:
  – Get a handle on the data
  – Monitor content in motion
  – Keep an eye on databases
  – Limit user privileges
  – Cover those endpoints
  – Centralize intellectual property data
• Tool: Reconnex
  – Enables an organization to protect all information assets on its network without requiring up-front knowledge of what needs to be protected
Summary
• A DMZ functions as a “neutral zone” between an internal and external network
• Multitiered firewalls are often used when there is a need to provide more than one type of service to the public
• DMZ designers should be aware of protocol vulnerabilities
• It is generally inappropriate to locate a RADIUS or TACACS+ server in a DMZ segment
• DMZs for wireless networks must be set up with certain conditions in mind
Summary (cont’d.)
• A three-homed firewall DMZ handles the traffic between the internal network and firewall, as well as the traffic between the firewall and DMZ
• A site survey can be conducted to determine the proper number of access points needed based on the expected number of users and the specific environment for a WLAN
• Authentication may not be desired if a network is publicly accessible
• An access point is a layer-2 device that serves as an interface between the wireless network and the wired network