Penetration testing Security Analysis and Advanced Tools: Designing a DMZ

Introduction to Designing a DMZ
• DMZ (demilitarized zone)
  – Computer host or small network inserted as a “neutral zone” between a company’s private network and the outside public network
  – Network construct that provides secure segregation of networks that host services for users, visitors, or partners
• DMZ use has become a necessary method of providing a multilayered, defense-in-depth approach to security

Introduction to Designing a DMZ (cont’d.)
Firewalls are essential for the secure segregation of networks.

DMZ Concepts
• DMZ has proven to be more secure and to offer multiple layers of protection for the security of the protected networks and machines
• Bastion host
  – Device in a DMZ that is built to withstand attacks
• Multitiered Firewall with a DMZ Flow
  – DMZ is established, separated, and protected from both the internal and external networks

DMZ Concepts (cont’d.)
A multitiered firewall is useful for protection from both internal and external networks.

DMZ Design Fundamentals
• DMZ designs generally consist of
  – Firewalls and segments that are protected from each other by firewall rules and routing, as well as the use of RFC 1918 addressing on the internal network
• Design of the DMZ is critically important to the overall protection of the internal network
• Access control lists (ACLs)
  – Determine who is allowed access to an item in a network and how that item can be used
• DMZ Protocols
  – See next slide

DMZ Design Fundamentals (cont’d.)
Certain protocols are vulnerable to attack and should be used with caution.

Advanced Design Concepts
• Internal Network Access
  – Consider the methods that might be used to provide VPN services
  – Limit or restrict outbound traffic from the internal network to inappropriate services
  – Provide for out-of-band management capabilities
• Remote Administration
  – Extremely tempting to use the built-in capabilities of the various operating systems and the management software provided for many hardware devices
  – It is very important to thoroughly review alternatives

Advanced Design Concepts (cont’d.)
• Authentication
  – Generally inappropriate to locate a RADIUS or TACACS+ server in a DMZ segment
  – It might be necessary to implement a plan to accommodate the authentication of users entering the DMZ from a public network
  – DMZ design should include a separate authentication DMZ segment
    • Equipment in that segment should be hardened

DMZ Architecture
• Inside-Versus-Outside Architecture
  – Packet-filtering routers act as initial line of defense
• Three-Homed Firewall Architecture
  – DMZ handles the traffic between the internal network and firewall, as well as the traffic between the firewall and DMZ
• Weak-Screened Subnet Architecture
  – Used when routers have better high-bandwidth datastream handling capacity
• Strong-Screened Subnet Architecture
  – Both the DMZ and the internal networks are protected by a well-functioning firewall

Designing a DMZ Using IPtables
The inside and outside firewalls in a DMZ serve multiple functions.

Designing a Wireless DMZ
• Categories of attacks on wireless networks:
  – Passive attacks
  – Active attacks
  – Man-in-the-middle attacks
  – Jamming attacks
• Placement of Wireless Equipment
  – Depends on needed accessibility area for the WLAN
• Access to DMZ and Authentication Considerations
  – Access to DMZ Services
  – Authentication Considerations

Designing a Wireless DMZ (cont’d.)
• Wireless DMZ Components
  – Access Points
  – Network Adapters
  – Authentication Servers
  – Enterprise Wireless Gateways and Wireless Gateways
  – Firewalls and Screening Routers
• Wireless DMZ Using RADIUS to Authenticate Users
  – See Figure 5-12
• WLAN DMZ security best practices include
  – Perform a risk analysis of the network
  – Develop relevant and comprehensive security policies

Designing a Wireless DMZ (cont’d.)
A RADIUS server can be used to provide authentication at an access point.

Specific Operating System Design
• Designing a Windows-Based DMZ
  – Select all the needed networking hardware
  – Scale up the number of connections to the Internet
  – Add more bandwidth and site-to-site VPN services
  – Set up a load-balanced solution
  – Make sure that users can obtain the information they need
  – Segment Internet-based resources via the DMZ for an added level of safety
  – Finalize the network layout

Specific Operating System Design (cont’d.)
• Precautions for DMZ Setup
  – Designer should consider other possible access to and from the DMZ
• Security Analysis for the DMZ
  – After the DMZ network segment design is finalized and the systems are placed where they need to be, the security of those systems should be taken into account
• ISA Server Support to DMZ Configuration
  – An ISA firewall network needs to be created for the wireless DMZ segment
  – ISA firewall networks are defined per network interface

Specific Operating System Design (cont’d.)
• Designing a Sun Solaris DMZ
  – Features include zones, ZFS, and Reduced Networking Software Group
  – Placement of Servers
    • Depends on network requirements
    • Smaller networks generally place the DMZ server directly behind the router
  – Advanced Implementation of a Solaris DMZ Server
    • See Figure 5-17
  – Solaris DMZ Servers in a Conceptual Highly Available Configuration
    • See Figure 5-18

Specific Operating System Design (cont’d.)
places a switch between the router and the DMZ server.

Specific Operating System Design (cont’d.)
In this conceptual Solaris configuration, three DMZs are connected to the external network switch.

Specific Operating System Design (cont’d.)
• Designing a Sun Solaris DMZ (cont’d.)
  – Private and Public Network Firewall Rule Set
    • Private Network Rules
    • Public Network Rules
  – DMZ Server Firewall Rule Set
    • Generally, the best policy is to deny all traffic to the host from all systems
  – Solaris DMZ System Design (phases)
    • Planning
    • Implementation
    • Maintenance

Specific Operating System Design (cont’d.)
• Designing a Sun Solaris DMZ (cont’d.)
  – Hardening Checklists for DMZ Servers and Solaris
    • Has a model or diagram of the host been made?
    • Is the host physically secured?
• Designing a Linux DMZ
  – Ethernet Interface Requirements and Configuration
  – Traffic Routing Between Public and DMZ Servers
  – Protecting Internet Servers (Using DMZ Networks)
    • Disable all unnecessary services
    • Run services “chrooted” whenever possible
    • Use Firewall Security Policy and Anti-IP-Spoofing Features

Specific Operating System Design (cont’d.)
A common Linux DMZ configuration uses a Linux firewall and three Ethernet cards.
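As an added example (not part of the slide deck), the three-Ethernet-card Linux firewall above expressed as an iptables ruleset: default deny on both the host and forwarded traffic, the anti-IP-spoofing rules the Linux DMZ slide calls for (including the RFC 1918 ranges named earlier), and a published web service as the only path from the Internet into the DMZ. The interface names, subnets and web server address are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example (not from the slides): a three-homed Linux DMZ firewall with iptables.
# Assumed layout: eth0 = Internet, eth1 = DMZ (192.0.2.0/24, web server 192.0.2.10),
# eth2 = internal network using RFC 1918 space (10.0.0.0/8). Adjust to your own.
EXT_IF=eth0
DMZ_IF=eth1; DMZ_NET=192.0.2.0/24; WEB=192.0.2.10
INT_IF=eth2; INT_NET=10.0.0.0/8

# $1 is the command used to emit rules: "iptables" applies them (needs root),
# "echo" prints them for review without touching the live ruleset.
apply_dmz_rules() {
  ipt="${1:-iptables}"
  # Deny by default on the firewall host itself and for forwarded traffic.
  $ipt -P INPUT DROP
  $ipt -P FORWARD DROP
  $ipt -P OUTPUT ACCEPT
  $ipt -A INPUT -i lo -j ACCEPT
  $ipt -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Manage the firewall only from the internal segment, never from the DMZ or Internet.
  $ipt -A INPUT -i "$INT_IF" -s "$INT_NET" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
  # Anti-spoofing: RFC 1918 and DMZ source addresses never legitimately arrive from the Internet.
  for net in 10.0.0.0/8 172.16.0.0/12 192.168.0.0/16 "$DMZ_NET"; do
    $ipt -A FORWARD -i "$EXT_IF" -s "$net" -j DROP
  done
  # Each inside interface may only source its own prefix.
  $ipt -A FORWARD -i "$DMZ_IF" ! -s "$DMZ_NET" -j DROP
  $ipt -A FORWARD -i "$INT_IF" ! -s "$INT_NET" -j DROP
  # Replies belonging to already-permitted sessions.
  $ipt -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
  # Internet -> DMZ: only the published web service on the bastion host.
  $ipt -A FORWARD -i "$EXT_IF" -o "$DMZ_IF" -d "$WEB" -p tcp -m multiport --dports 80,443 \
       -m conntrack --ctstate NEW -j ACCEPT
  # Internal -> DMZ and Internal -> Internet may open new sessions.
  $ipt -A FORWARD -i "$INT_IF" -o "$DMZ_IF" -m conntrack --ctstate NEW -j ACCEPT
  $ipt -A FORWARD -i "$INT_IF" -o "$EXT_IF" -m conntrack --ctstate NEW -j ACCEPT
  # Deliberately absent: DMZ -> internal. A compromised bastion host gets no path inward.
  # DMZ -> Internet is also closed; add explicit rules for DNS or update servers if needed.
  $ipt -A FORWARD -m limit --limit 5/min -j LOG --log-prefix "DMZ-FW-DROP: "
}

case "${1:-}" in
  apply)   apply_dmz_rules iptables ;;
  dry-run) apply_dmz_rules echo ;;
esac
```

Run with `dry-run` to review the generated rules before `apply`; anything not matched by an ACCEPT rule falls through to the rate-limited LOG rule and then the DROP policy.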

DMZ Router Security Best Practices
• Checklist for ensuring router security:
  – Authenticate routing updates on dynamic routing protocols
  – Use ACLs to protect network resources and prevent address spoofing
  – Secure the management interfaces
  – Lock down the router services
  – Disable interface-related services
  – Disable unneeded services
  – Keep up to date on IOS bug fixes and vulnerabilities

DMZ Switch Security Best Practices
• Checklist to follow to ensure switch security:
  – Secure the management interfaces
  – Lock down the switch services
  – Disable unneeded services
  – Use VLANs to logically segment a switch and PVLANs to isolate hosts on a VLAN
  – Use port security to secure the input to an interface by limiting and identifying the MAC addresses of hosts that are allowed to access the port
  – Do not use VTP on DMZ switches
  – Keep up to date on IOS bug fixes and vulnerabilities, and upgrade if necessary

Six Ways to Stop Data Leaks
• Consider:
  – Get a handle on the data
  – Monitor content in motion
  – Keep an eye on databases
  – Limit user privileges
  – Cover those endpoints
  – Centralize intellectual property data
• Tool: Reconnex
  – Enables an organization to protect all information assets on its network without requiring up-front knowledge of what needs to be protected

Summary
• A DMZ functions as a “neutral zone” between an internal and external network
• Multitiered firewalls are often used when there is a need to provide more than one type of service to the public
• DMZ designers should be aware of protocol vulnerabilities
• It is generally inappropriate to locate a RADIUS or TACACS+ server in a DMZ segment
• DMZs for wireless networks must be set up with certain conditions in mind

Summary (cont’d.)
• A three-homed firewall DMZ handles the traffic between the internal network and firewall, as well as the traffic between the firewall and DMZ
• A site survey can be conducted to determine the proper number of access points needed based on the expected number of users and the specific environment for a WLAN
• Authentication may not be desired if a network is publicly accessible
• An access point is a layer-2 device that serves as an interface between the wireless network and the wired network