IS 6973 - PowerPoint PPT Presentation

1 / 14
About This Presentation
Title:

IS 6973

Description:

... DNS information (such as Name Servers, host names, Time To Live (TTL) records, ... Best to separate functions. Web server displays content to the user ... – PowerPoint PPT presentation

Number of Views:88
Avg rating:3.0/5.0
Slides: 15
Provided by: Jan32
Category:

less

Transcript and Presenter's Notes

Title: IS 6973


1
IS 6973
  • Secure Network Design
  • Chapter Eight
  • Common Application Design Considerations

2
Chapter Focus
  • Best Practices for deployment of
  • Email
  • DNS
  • HTTP/HTTPS
  • FTP

3
E-Mail
  • Focus on separating internal and external mail
    and providing for network virus scanning via
    server-based email filtering
  • Basic Two-Tier E-mail Design (Fig. 8-1) Used on
    small and mid-size networks - uses both internal
    and external mail server. Internal mail server
    allows internal communication and forwards mail
    intended for outside to external mail server
  • Distributed Two-Tier E-mail Design - (Fig. 8-2)
    for larger networks multiple servers for POP3
    and SNMP dedicated server(s) for email antivirus
    processing

4
Mail Application Design Recommendations
  • Allow external servers to relay outbound mail
    only when sent from internal servers. Prevents
    others from using your external servers as blind
    relays, allowing forged email, such as spam
  • Lock down the SMTP relay application

5
DNS
  • Dont put all DNS servers in one place makes
    them vulnerable to DoS
  • Have more than one authoritative DNS server
    could still be hit with DoS against authoritative
    server
  • Make external DNS servers non-recursive
    responders only DNS server responds with best
    known answer and will not make further queries
  • Protect internal recursive DNS servers
  • Limit zone transfers to authorized servers
  • An answer to a DNS query to list all DNS
    information (such as Name Servers, host names,
    Time To Live (TTL) records, etc) for a Domain
  • Attacker can use this info for spoofing can also
    compromise DNS data integrity

6
HTTP/HTTPS
  • Dependent upon application security, web
    security, and concerned about limiting exposure
    and gaining visibility of potential attacks

7
Simple Web Design
  • If content is static, design is straightforward
  • Firewall can be configured to allow only TCP 80
    traffic into the web server

8
Two-Tier Web Design (Fig. 8-7)
  • If have web applications and a database server,
    content is dynamic, and will probably need to
    process input from user
  • Best to separate functions
  • Web server displays content to the user
  • Application/database server processes user input
    and generates the content
  • Web server is only device that can communicate
    with application/database server

9
Three-Tier Web Design
  • All of the above plus accommodates the security
    requirements entrusted customer data
  • Separates application and database servers (Fig.
    8-8 (3 firewalls) and Fig. 8-9 (2 firewalls).

10
FTP
  • Active Mode Default FTP mode server opens a
    connection to the client in addition to client
    having a connection with the server
  • Passive Mode more secure option all
    communications are initiated by the client

11
Application Evaluation
  • Is the application worth evaluating? If
    likelihood of attack and potential impact are
    both low, spend your time and money elsewhere
  • Obtain documentation from vendor
  • Use a sniffer to capture packets off the wire.
    Are the payload and/or authentication information
    secure? If not, reassess
  • Sniff to determine how the protocol works. Does
    it use well-known or random ports? Does it
    change ports based on imbedded information?
  • Review the source code, if possible

12
Potential Results of the Evaluation
  • Application highly insecure and not salvageable.
    Quarantine until you can replace
  • Application risk can be mitigated. May need to
    add controls such as cryptology and secure
    tunneling
  • Application is fine as it is

13
For Case
  • Refer to DNS filtering case studies pp.
    308-310.
  • Do you need a web interface? Why? What type of
    web design is best for your company?

14
Chapter Eight Review Questions
  • Discuss the best practices for the deployment of
  • Email
  • DNS
  • HTTP/HTTPS
  • FTP
  • Discuss potential steps for evaluating an
    application.
Write a Comment
User Comments (0)
About PowerShow.com