Network Security Principles - PowerPoint PPT Presentation

About This Presentation
Title:

Network Security Principles

Description:

Title: William Stallings, Cryptography and Network Security 3/e Subject: Lecture Overheads - Ch 1 Author: Dr Lawrie Brown Last modified by: SCE Created Date – PowerPoint PPT presentation

Slides: 8
Provided by: DrLaw172
Transcript and Presenter's Notes

Title: Network Security Principles


1
Network Security Principles and Practices
  • By Saadat Malik
  • Cisco Press
  • 2003

2
Chapter 2 Defining Security Zones
  • What are security zones?
  • DMZ
  • Cisco PIX firewalls

3
Network Architecture
  • The topological design of a network is one of the
    best defenses against network attacks.
  • Using zones to segregate various areas of the
    network from each other.
  • Different zones of the same network have
    different security needs.
  • Better scalability

4
Zoning strategies
  • Greater security needs, more secure zones
  • Controlled access to zones
  • Publicly accessed servers are placed in separate
    zones from private servers.
  • To achieve highest security, each server is
    placed in a separate zone. Why?
  • The defense-in-depth principle
    - Firewalls are used to separate the zones.

5
DMZ
  • Different ways of creating demilitarized zones
  • Using a 3-legged firewall
  • Placing the DMZ outside the firewall
  • Bastion hosts are placed in the DMZ.
  • In the path between a firewall and the Internet
  • Dirty DMZ
  • Rationale?
  • Placing the DMZ between stacked firewalls

6
Cisco PIX Firewall
  • Multiple interfaces, each with its own security
    level (0 = lowest, 100 = highest)
  • May support multiple security zones, thus
    allowing multiple DMZs to be set up
  • In general, a computer/device in a lower security
    zone cannot access a computer/device in a higher
    security zone unless a hole is created.
  • Each security zone should have a unique number.

7
Cisco PIX Firewall
  • Example configuration
  • nameif ethernet0 outside security0
  • nameif ethernet1 inside security100
  • nameif ethernet2 dmz security50
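
The security-level rule from slides 6 and 7, as an added example that is not part of the original presentation: it parses the three nameif lines above, checks that every zone has a unique level, and works out which zone-to-zone connections pass by default. The function names, the `holes` set and the outside-to-dmz hole are assumptions made for illustration, and the model assumes that higher-to-lower traffic is permitted by default.

```python
import re
from itertools import permutations

# The three nameif lines from the slide's example configuration.
PAGE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
"""

NAMEIF = re.compile(r"^nameif\s+\S+\s+(\S+)\s+security(\d+)$")


def parse_nameif(config):
    """Return {zone_name: security_level} from PIX-style nameif lines."""
    zones = {}
    for line in config.splitlines():
        m = NAMEIF.match(line.strip())
        if not m:
            continue  # ignore anything that is not a nameif line
        name, level = m.group(1), int(m.group(2))
        if not 0 <= level <= 100:
            raise ValueError(f"{name}: level {level} outside 0..100")
        zones[name] = level
    return zones


def duplicate_levels(zones):
    """Levels shared by more than one zone (the slides ask for unique ones)."""
    by_level = {}
    for name, level in zones.items():
        by_level.setdefault(level, []).append(name)
    return {lvl: sorted(n) for lvl, n in by_level.items() if len(n) > 1}


def allowed(zones, src, dst, holes=frozenset()):
    """Higher-to-lower passes by default; lower-to-higher needs a hole."""
    return zones[src] > zones[dst] or (src, dst) in holes


def flow_matrix(zones, holes=frozenset()):
    """Every ordered zone pair mapped to True (permit) or False (deny)."""
    return {(s, d): allowed(zones, s, d, holes) for s, d in permutations(zones, 2)}


if __name__ == "__main__":
    zones = parse_nameif(PAGE_CONFIG)
    holes = {("outside", "dmz")}  # constructed hole, not from the slides
    for (s, d), ok in sorted(flow_matrix(zones, holes).items()):
        print(f"{s:>8} -> {d:<8} {'permit' if ok else 'deny'}")
```

Comparing the matrix with and without a given hole shows exactly which extra path that hole opens.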