firewall design & mgmt
disadvantage of proxy server that can include firewall functions
single point of failure - if that one product fails or is compromised, nothing else protects the network; try to use several software and hardware products to protect your network
original goal of proxy server
speed up network communication - the response is served from the proxy cache instead of being fetched from the internet again (as long as the cached copy is still current)
disabling user accounts
default accounts are created during OS installation - some of these accounts have blank passwords, so disable the ones the firewall host does not need
freeware proxy servers
usually described as content filters - most lack features needed for business applications; ex) Squid for Linux
screening router
determines whether to allow or deny a packet based on its source and destination IP addresses, or on other header information such as protocol and port numbers
security workstation
the computer where the security policy is developed and from which it is deployed to the firewall(s)
main office has a centralized firewall
directs traffic for the branch offices and their firewalls
disabling user accounts (2)
disable all user accounts on the bastion host - ordinary users should not be able to log on to it
dual homed hosts provides
limited security because the firewall depends on the same computer that is used for day-to-day communication
what allows many internal clients to use same single public NAT interface simultaneously?
many to one NAT
reverse firewall
monitors outgoing connections instead of trying to block what's coming in
protecting DMZ with multiple firewalls
must be configured identically and run the same software, so that either one can take over for the other
commercial proxy servers
offer web page caching, source and destination IP address translation, content filtering, and NAT; ex) Microsoft Forefront Threat Management Gateway
primary address translation types
one-to-one NAT and many-to-one NAT
how proxy servers work
opens the packet and examines the data, decides which application it should be forwarded to, then rebuilds the packet with a new header (replacing the original) and forwards it
NAT
originally designed to help conserve public IP addresses - the NAT device receives requests from internal hosts, sends them out with its own public IP address as the source, and forwards the replies to the correct internal IP address
Port Address Translation (PAT) is for ____ traffic
outbound
reverse firewalls help monitor
outgoing connection attempts that originate from internal users (and filter out unauthorized attempts)
proxy server goal
prevent a direct connection between an external computer and internal computer
second firewall controls traffic between
the protected (internal) network and the DMZ - it can also act as a failover firewall
goals of modern proxy servers
provide security at the application layer; hide the internal network's IP addresses; control which web sites users are allowed to access; filter content
NAT device is assigned to a
public IP address
disabling user accounts (3)
rename the admin account - use long, complex passwords
firewalls can be deployed in several ways
screening router, dual-homed host, screened host, screened subnet DMZ, multiple DMZs, multiple firewalls, reverse firewall
proxy server
server application that acts as an intermediary between a client requesting a resource and the server providing that resource
copy log files to other computers in your network
the copies should pass through the firewall so they can be screened for viruses and other threats
screened hosts
similar to a dual-homed host, except a router is added between the host and the internet to carry out IP packet filtering
in dual-homed hosts, the host serves as a ______
single point of entry to the org - attackers only have to break through 1 layer of protection
proxy server receives _____ before it goes to internet
traffic
many to one NAT
uses TCP and UDP port addresses to distinguish between internal clients
why choose screened subnet DMZ?
when you need to provide services to public
forward proxy
the client is connected to the internet via the proxy server, which makes requests on the client's behalf
essential steps in hardening a computer
backups, detailed record keeping, auditing
dual-homed hosts
bastion host has 2 network interface cards - only the firewall software can forward packets from 1 interface to the other
disadvantages of many to one NAT
- you can hide only so many clients behind a single IP address (performance degrades)
- doesn't work with some types of VPNs
- uses only a single public IP address (cannot provide other services, such as a web server)
steps in one to one NAT
1. internal client sends the packet to its default gateway, the NAT device
2. NAT device repackages the packet so its public interface appears to be the source and sends it to the external host
3. external host responds to the NAT device
4. NAT device repackages the response and sends it to the internal host
many of same commands used to configure Cisco routers and switches are also applicable on
Cisco firewalls
one firewall controls traffic btwn
the DMZ and the internet
types of proxy servers
HTTP proxy, HTTPS proxy, SOCKS proxy, forward proxy, reverse proxy
load balancing software
Prioritizes and schedules requests and distributes them to servers
screened subnet DMZ : DMZ
subnet of publicly accessible servers placed outside the internal LAN - common solution is to put the servers on their own subnet hanging off a firewall interface
one to one NAT
The process of mapping one internal IP address to one external IP address
Screening router _______ stop many attacks
does not - especially those that use spoofed or manipulated IP address information
multiple firewalls can implement
a single security policy
screened host can function as
an application gateway or proxy server
proxy servers work at the ______ layer
application
NAT allows admin to
assign private IP address ranges in the internal network
advantage of multiple firewall
can control where traffic goes in the 3 networks you are dealing with (internet, DMZ, internal)
filtering content proxy servers
can open packets and examine data
reverse firewalls—companies concerned with employees:
companies concerned with how employees use the web and other internet services can use a reverse firewall to log connections and block sites
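The screening router, the "does not stop spoofed packets" point, and the reverse firewall above all come down to the same mechanism: a stateless, first-match rule list applied to packet headers. The following is an added example, not code from the original page; it simulates that filter in Python on constructed packets. The 10.0.0.0/8 internal range, the interface names and the rule sets are assumptions. The first rule set checks which interface a packet arrived on, so a spoofed internal source coming from the internet is denied, and its egress rules log and block unauthorized outgoing attempts the way a reverse firewall does. The second rule set filters on addresses only, which is why a screening router on its own lets the spoofed packet through.

```python
import ipaddress
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    iface: str    # interface the packet arrived on: "outside" (internet) or "inside" (LAN)
    src: str
    dst: str
    proto: str    # "tcp" or "udp"
    dport: int

# rule = (arriving iface or "any", src network or "any", dst network or "any",
#         proto or "any", destination port or 0 for any, action); first match wins
RULES = [
    ("outside", "10.0.0.0/8", "any", "any", 0, "deny"),      # anti-spoofing: our own range never arrives from outside
    ("outside", "any", "10.0.1.5/32", "tcp", 80, "allow"),   # public web server (assumed address)
    ("inside", "10.0.0.0/8", "any", "tcp", 80, "allow"),     # egress: web only
    ("inside", "10.0.0.0/8", "any", "tcp", 443, "allow"),
    ("inside", "any", "any", "any", 0, "deny"),              # reverse-firewall default: block other outgoing attempts
    ("outside", "any", "any", "any", 0, "deny"),
]

# address-only filter of the kind the page warns about: no interface check, so it trusts 10/8 wherever it comes from
NAIVE_RULES = [
    ("any", "10.0.0.0/8", "any", "any", 0, "allow"),
    ("any", "any", "10.0.1.5/32", "tcp", 80, "allow"),
    ("any", "any", "any", "any", 0, "deny"),
]

PACKETS = [  # constructed sample traffic
    Packet("outside", "203.0.113.9", "10.0.1.5", "tcp", 80),    # visitor to the web server
    Packet("outside", "10.0.2.7", "10.0.1.20", "tcp", 445),     # spoofed: internal source address arriving from the internet
    Packet("inside", "10.0.2.7", "198.51.100.4", "tcp", 443),   # employee browsing
    Packet("inside", "10.0.2.7", "198.51.100.4", "tcp", 6667),  # employee IRC: unauthorized outgoing attempt
]

def matches(rule, pkt):
    iface, src_net, dst_net, proto, dport, _action = rule
    if iface != "any" and iface != pkt.iface:
        return False
    if src_net != "any" and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(src_net):
        return False
    if dst_net != "any" and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(dst_net):
        return False
    if proto != "any" and proto != pkt.proto:
        return False
    return dport == 0 or dport == pkt.dport

def decide(pkt, rules):
    """Stateless first-match filter. Returns (action, index of the matching rule); -1 is the implicit deny."""
    for i, rule in enumerate(rules):
        if matches(rule, pkt):
            return rule[5], i
    return "deny", -1

def run(packets, rules):
    """One log line per packet, the way a reverse firewall records outgoing attempts."""
    log = []
    for p in packets:
        action, idx = decide(p, rules)
        log.append(f"{action.upper():5} rule={idx:2} {p.iface:7} {p.src} -> {p.dst} {p.proto}/{p.dport}")
    return log

if __name__ == "__main__":
    print("\n".join(run(PACKETS, RULES)))
    print("naive filter on the spoofed packet:", decide(PACKETS[1], NAIVE_RULES))
```

Run it and compare the two decisions for the spoofed packet: the interface-aware rule set denies it at rule 0, the address-only set allows it at rule 0. That difference is the whole reason the page says a screening router should be combined with a firewall or proxy.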
client programs
configured to connect to the proxy server instead of the internet ex) web browser and email application
screened host combines
dual-homed host and screening router - for perimeter security on a corporate network
audit all:
failed and successful attempts to log on to the bastion host, and any attempts to access or change files
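What "audit all logon attempts" looks like once the records exist: the script below is an added example, not part of the original page. It runs over a few constructed lines in OpenSSH's syslog format, tallies failed and successful logons to the bastion host per source address, and raises an alert when a source crosses a failure threshold or when a successful logon comes from outside the management subnet (the page says no ordinary user should be able to connect). The 10.0.1.0/24 management network and the threshold of 3 are assumptions; file-access auditing would need a separate parser and is not shown.

```python
import ipaddress
import re
from collections import Counter

# constructed sample lines in OpenSSH's syslog format
LOG_LINES = """\
Mar  3 08:01:12 bastion sshd[2211]: Failed password for invalid user oracle from 203.0.113.9 port 51320 ssh2
Mar  3 08:01:15 bastion sshd[2211]: Failed password for invalid user oracle from 203.0.113.9 port 51320 ssh2
Mar  3 08:01:19 bastion sshd[2213]: Failed password for root from 203.0.113.9 port 51344 ssh2
Mar  3 08:02:40 bastion sshd[2220]: Accepted publickey for fwadmin from 10.0.1.50 port 40122 ssh2: ED25519 SHA256:q3Vv
Mar  3 08:03:02 bastion sshd[2225]: Failed password for fwadmin from 10.0.1.50 port 40130 ssh2
Mar  3 08:07:51 bastion sshd[2231]: Accepted password for backup from 203.0.113.40 port 50012 ssh2
""".splitlines()

LOGON = re.compile(r"sshd\[\d+\]: (Accepted|Failed) (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+")
MGMT_NET = ipaddress.ip_network("10.0.1.0/24")   # assumed: only the security workstation's subnet may reach the bastion
FAIL_THRESHOLD = 3                               # assumed alerting threshold

def audit(lines):
    """Summarise successful and failed logons and flag the patterns an auditor would want to see."""
    failed = Counter()
    successes = []
    alerts = []
    for line in lines:
        m = LOGON.search(line)
        if not m:
            continue   # not a logon event
        outcome, method, user, src = m.groups()
        if outcome == "Accepted":
            successes.append((user, src, method))
            if ipaddress.ip_address(src) not in MGMT_NET:
                alerts.append(f"accepted {method} logon for {user} from {src} outside the management network")
        else:
            failed[src] += 1
    for src, n in failed.items():
        if n >= FAIL_THRESHOLD:
            alerts.append(f"{n} failed logons from {src}")
    return {"successes": successes, "failed_by_source": dict(failed), "alerts": alerts}

if __name__ == "__main__":
    report = audit(LOG_LINES)
    print("successful logons:", report["successes"])
    print("failures by source:", report["failed_by_source"])
    for a in report["alerts"]:
        print("ALERT:", a)
```

The single failure from 10.0.1.50 is recorded but not alerted on; the password logon from 203.0.113.40 is alerted on even though it succeeded, which is the case a pure "failed logins" report would miss.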
proxy servers can
filter out content that would otherwise appear in a user's web browser - block websites with content users shouldn't be viewing - drop executable programs
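The proxy entries above (how proxy servers work, the caching goal, hiding internal addresses, blocking sites, dropping executables) describe one request path. The following is an added example, not code from the original page: a small forward proxy in Python that parses the client's raw HTTP request, applies a site blocklist, answers repeat GETs from its cache, rebuilds the request so the origin server sees only the proxy, and refuses responses whose Content-Type marks them as executables. The blocked host names, the executable content types, the proxy name and the FakeOrigin class standing in for the internet are all constructed for the example.

```python
from dataclasses import dataclass

BLOCKED_HOSTS = {"gambling.example"}                                       # assumed site policy
BLOCKED_TYPES = {"application/x-msdownload", "application/octet-stream"}  # treated as executables
PROXY_NAME = "proxy.internal.example"                                     # hypothetical proxy host name

@dataclass
class Response:
    status: int
    headers: dict
    body: bytes

def parse_request(raw):
    """Split a raw HTTP/1.1 request into (method, target, headers)."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = [l for l in head.decode("latin-1").split("\r\n") if l]
    method, target, _version = lines[0].split()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(": ")
        headers[name] = value
    return method, target, headers

class FakeOrigin:
    """Stand-in for the internet: records exactly what it receives and serves canned content."""
    def __init__(self):
        self.seen = []
        self.content = {  # constructed
            ("www.example", "/"): Response(200, {"Content-Type": "text/html"}, b"<html>hello</html>"),
            ("downloads.example", "/tool.exe"): Response(200, {"Content-Type": "application/x-msdownload"}, b"MZ\x90\x00"),
        }
    def __call__(self, raw):
        self.seen.append(raw)
        _method, target, headers = parse_request(raw)
        return self.content.get((headers.get("Host"), target),
                                Response(404, {"Content-Type": "text/plain"}, b"not found"))

class FilteringProxy:
    def __init__(self, origin):
        self.origin = origin   # callable that plays the internet side
        self.cache = {}
        self.log = []

    def handle(self, client_ip, raw):
        method, target, headers = parse_request(raw)      # open the packet and look at the application data
        host = headers.get("Host", "")
        if host in BLOCKED_HOSTS:                           # policy: site users shouldn't be visiting
            self.log.append(f"{client_ip} BLOCKED-SITE {host}")
            return Response(403, {"Content-Type": "text/plain"}, b"blocked by policy")
        key = (host, target)
        if method == "GET" and key in self.cache:           # served from cache, no trip to the internet
            self.log.append(f"{client_ip} CACHE-HIT {host}{target}")
            return self.cache[key]
        # rebuild the request from scratch: only Host is carried over, so client-identifying headers
        # (X-Forwarded-For, cookies, user agent) and the internal address never leave the network
        forwarded = (f"{method} {target} HTTP/1.1\r\nHost: {host}\r\n"
                     f"Via: 1.1 {PROXY_NAME}\r\nConnection: close\r\n\r\n").encode()
        resp = self.origin(forwarded)
        if resp.headers.get("Content-Type") in BLOCKED_TYPES:   # drop executables before they reach the browser
            self.log.append(f"{client_ip} DROPPED-EXECUTABLE {host}{target}")
            return Response(403, {"Content-Type": "text/plain"}, b"executable content dropped")
        if method == "GET" and resp.status == 200:
            self.cache[key] = resp
        self.log.append(f"{client_ip} FORWARDED {host}{target} -> {resp.status}")
        return resp

if __name__ == "__main__":
    origin = FakeOrigin()
    proxy = FilteringProxy(origin)
    req = b"GET / HTTP/1.1\r\nHost: www.example\r\nX-Forwarded-For: 10.0.2.7\r\n\r\n"
    proxy.handle("10.0.2.7", req)
    proxy.handle("10.0.2.7", req)
    proxy.handle("10.0.2.8", b"GET /tool.exe HTTP/1.1\r\nHost: downloads.example\r\n\r\n")
    print("\n".join(proxy.log))
    print("origin saw:", origin.seen[0])
```

The cache is keyed on host and path only and never revalidates, which is enough to show the mechanism; a production proxy honours the origin's cache-control headers and conditional requests before serving a stored copy.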
in dual-homed hosts, ____ is placed between the network and the internet.
the firewall - it also provides NAT
screening router should be combined with
firewall or proxy server for additional protection
each branch office has its own
firewall, security policy from main office is copied to every firewall
server farm
group of servers connected in their own subnet that work together to receive requests, with the help of load balancing software
proxy servers that can include firewall functions
having an all in one program simplifies installation, product updating, and mgmt
port forwarding is for ___ traffic
inbound
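The NAT entries above describe four behaviours: the one-to-one steps, many-to-one NAT telling clients apart by port number, PAT for outbound traffic, and port forwarding for inbound traffic. The following is an added example, not code from the original page, that puts them in one simulated NAT device in Python. All addresses, the static mapping, the published service and the deliberately tiny port pool are assumptions; the small pool exists to show the "only so many clients behind one address" limit from the many-to-one disadvantages.

```python
from dataclasses import dataclass, replace

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"

class NatDevice:
    """Simulated NAT box: one public address for PAT, plus optional one-to-one mappings and port forwards."""

    def __init__(self, public_ip, static_map=None, port_forwards=None, port_range=(40000, 40009)):
        self.public_ip = public_ip
        self.static_map = dict(static_map or {})          # one-to-one: internal IP -> dedicated public IP
        self.port_forwards = dict(port_forwards or {})    # inbound: (proto, public port) -> (internal IP, port)
        self.pat_out = {}   # (proto, internal IP, internal port) -> public port
        self.pat_in = {}    # (proto, public port) -> (internal IP, internal port)
        self.free_ports = list(range(port_range[0], port_range[1] + 1))  # tiny on purpose, see exhaustion below

    def outbound(self, pkt):
        """Internal client -> internet. Rewrites the source so the NAT device appears to be the sender."""
        if pkt.src in self.static_map:                       # one-to-one NAT: address swapped, port untouched
            return replace(pkt, src=self.static_map[pkt.src])
        key = (pkt.proto, pkt.src, pkt.sport)
        if key not in self.pat_out:                          # many-to-one NAT / PAT: allocate a public port
            if not self.free_ports:
                raise RuntimeError("PAT port pool exhausted: too many clients behind one address")
            pub_port = self.free_ports.pop(0)
            self.pat_out[key] = pub_port
            self.pat_in[(pkt.proto, pub_port)] = (pkt.src, pkt.sport)
        return replace(pkt, src=self.public_ip, sport=self.pat_out[key])

    def inbound(self, pkt):
        """Internet -> NAT device. Returns the packet rewritten for the internal host, or None to drop it."""
        for internal_ip, public_ip in self.static_map.items():
            if pkt.dst == public_ip:                         # reverse of the one-to-one mapping
                return replace(pkt, dst=internal_ip)
        if pkt.dst != self.public_ip:
            return None
        key = (pkt.proto, pkt.dport)
        if key in self.pat_in:                               # reply to an outbound PAT session
            ip, port = self.pat_in[key]
            return replace(pkt, dst=ip, dport=port)
        if key in self.port_forwards:                        # inbound service published via port forwarding
            ip, port = self.port_forwards[key]
            return replace(pkt, dst=ip, dport=port)
        return None                                          # unsolicited and unmapped: dropped

def demo():
    nat = NatDevice("198.51.100.1",
                    static_map={"10.0.1.5": "198.51.100.5"},                 # assumed one-to-one mapping
                    port_forwards={("tcp", 443): ("10.0.1.8", 8443)})        # assumed published web service
    out_a = nat.outbound(Packet("10.0.2.7", 51000, "93.184.216.34", 80))
    out_b = nat.outbound(Packet("10.0.2.8", 51000, "93.184.216.34", 80))     # same internal port, different client
    reply_b = nat.inbound(Packet("93.184.216.34", 80, "198.51.100.1", out_b.sport))
    published = nat.inbound(Packet("203.0.113.9", 4444, "198.51.100.1", 443))
    unsolicited = nat.inbound(Packet("203.0.113.9", 4444, "198.51.100.1", 22))
    static_out = nat.outbound(Packet("10.0.1.5", 123, "192.0.2.10", 123, "udp"))
    static_in = nat.inbound(Packet("192.0.2.10", 123, "198.51.100.5", 123, "udp"))
    return {"out_a": out_a, "out_b": out_b, "reply_b": reply_b, "published": published,
            "unsolicited": unsolicited, "static_out": static_out, "static_in": static_in}

if __name__ == "__main__":
    for name, pkt in demo().items():
        print(f"{name:11} {pkt}")
```

Two clients that both chose source port 51000 get distinct public ports 40000 and 40001, which is the only thing that lets the reply to the second one find its way back to 10.0.2.8; a packet to port 22 with no session and no forward is dropped, while port 443 reaches the internal server because a forward was configured.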
security software doesn't operate on its own
installed on a computer that needs to be as secure as possible
clusters of servers in DMZs help protect
internal network from becoming overloaded - each server farm/DMZ can be protected with its own firewall or packet filter
firewall that protects the DMZ
is connected to both the internet and the internal network - called a three-homed firewall
network address translation
static NAT, dynamic NAT (DNAT, also called IP masquerading), PAT, port forwarding