
When installing SmoothWall, the green interface is commonly used to protect the iptables firewalls.


Network Security, Firewalls, and VPNs


Lesson 6


Firewall Implementation Options


© 2015 Jones and Bartlett Learning, LLC, an Ascend Learning Company


www.jblearning.com


All rights reserved.




Ethernet Color Standards


URL of above graphics: https://www.joncamfield.com/oss/schooltools/Reference/EthernetCabling.htm


T-568A Standard


T-568B Standard


Crossover Cable


Diagram of Wiring




Network Topologies


Network topology is the name given to the way in which the devices (called nodes) are physically connected in a network.


The network topology chosen typically dictates:


the type of cabling used in the network


The scalability of the network




Bus Topology


Nodes are connected to a main (bus) cable. If data is being sent between two nodes, the other nodes cannot transmit. If too many nodes are connected, the transfer of data slows dramatically because the nodes have to wait longer for the bus to be clear.




Bus Topology (cont)


Advantages:


The simplest and cheapest to install and extend.


Well suited for temporary networks with not many nodes.


Very flexible as nodes can be attached or detached without disturbing the rest of the network.


Failure of one node does not affect the rest of the bus network.


Simpler than a ring topology to troubleshoot if there is a cable failure because sections can be isolated and tested independently.


Disadvantages:


If the bus cable fails then the whole network will fail.


Performance of the network slows down rapidly with more nodes or heavy network traffic.


The bus cable has a limited length and must be terminated properly at both ends to prevent reflected signals.


Slower than a ring network as data cannot be transmitted while the bus is in use by other nodes.




Ring Topology


In a ring topology, the nodes are connected in a ring and data travels in one direction using a control signal called a 'token'.




Ring Topology (cont)


Advantages:


Not greatly affected by adding further nodes or heavy network traffic as only the node with the 'token' can transmit data so there are no data collisions.


Relatively cheap to install and expand.


Disadvantages:


Slower than a star topology under normal load.


If the cable fails anywhere in the ring then the whole network will fail.


If any node fails then the token cannot be passed around the ring any longer, so the whole network fails.


The hardest topology to troubleshoot because it can be hard to track down where in the ring the failure has occurred.


Harder to modify or expand because to add or remove a node you must shut down the network temporarily.


In order for the nodes to communicate with each other they must all be switched on.




Star Topology


In this type of network, a central computer (server) usually forms the main node and the subsidiary nodes are connected to it and to each other through a switch or hub.




Star Topology (cont)


Advantages:


The most reliable because the failure of a node or a node cable does not affect other nodes.


Simple to troubleshoot because only one node is affected by a cable break between the switch and the node.


Adding further nodes does not greatly affect performance because the data does not pass through unnecessary nodes.


Easily upgraded from a hub to a switch for higher performance. Easy to install and to expand with extra nodes.


Disadvantages:


Uses the most cable which makes it more expensive to install than the other two topologies.


The extra hardware required such as hubs or switches further increases the cost.


As the central computer controls the whole system, the whole system will be affected if it breaks down or if the cable link between it and the switch fails.


If the switch, the link to the server or the server itself fails then the whole network fails.




Network Topologies Summary




IEEE


IEEE stands for the "Institute of Electrical and Electronics Engineers".


Its membership is composed of computer scientists, software developers, information technology professionals, physicists, and medical doctors, in addition to IEEE's electrical and electronics engineering core.


For this reason the organization no longer goes by the full name, except on legal business documents, and is referred to simply as IEEE.


The IEEE is dedicated to advancing technological innovation and excellence. It has about 425,000 members in about 160 countries.


The IEEE is one of the leading bodies to produce standards relating to networking.




IEEE 802 Standards


IEEE 802 refers to a family of standards dealing with local area networks (LAN), wide-area networks (WAN) and metropolitan area networks (MAN).


The 802 number is the name of the IEEE committee that deals with networking standards.


Various subcommittees have been created to deal with specific standards. They are denoted by 802.x where x is the number of the subcommittee.


For instance, 802.11 deals with WiFi.


802 typically deals with OSI layers 2 and 1.




802.1


802.1 Bridging and Network Management


802.1q Virtual Local Area Networks (VLAN)


In computer networking, a single layer-2 network may be partitioned to create multiple distinct broadcast domains, which are mutually isolated so that packets can only pass between them via one or more routers.


Traffic is marked (or tagged) to be a part of a specific VLAN.


Traffic stays within its own VLAN and must be routed to other VLANs.
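The tagging described above is visible in the frame layout itself: a 4-byte 802.1Q tag (TPID 0x8100 followed by the Tag Control Information field) sits between the source MAC and the EtherType. The following is an added example written for this page, not code from the slides or from any vendor, that builds and parses tagged Ethernet frames; the MAC addresses and payloads are constructed sample values, and treating untagged frames as native VLAN 1 is an assumption.

```python
import struct
from typing import Optional

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows

# Constructed sample addresses (locally administered, not real hosts).
SAMPLE_DST = bytes.fromhex("ffffffffffff")
SAMPLE_SRC = bytes.fromhex("020000000001")


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan: Optional[int] = None, pcp: int = 0) -> bytes:
    """Assemble an Ethernet frame, inserting an 802.1Q tag when a VLAN id is given."""
    header = dst + src
    if vlan is not None:
        if not 1 <= vlan <= 4094:
            raise ValueError("VLAN id must be 1..4094 (0 and 4095 are reserved)")
        # TCI layout: priority code point (3 bits), drop eligible (1 bit), VLAN id (12 bits)
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
        header += struct.pack("!HH", TPID_8021Q, tci)
    return header + struct.pack("!H", ethertype) + payload


def parse_frame(frame: bytes) -> dict:
    """Decode the Ethernet header and, if present, the 802.1Q tag that marks the VLAN."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": None, "pcp": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13
        info["vlan"] = tci & 0x0FFF
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def same_broadcast_domain(frame_a: bytes, frame_b: bytes, native_vlan: int = 1) -> bool:
    """Two frames share a broadcast domain only when they carry the same VLAN id.

    Untagged frames are assigned the port's native VLAN (assumed to be 1 here);
    anything else must cross a router to reach the other VLAN.
    """
    a = parse_frame(frame_a)["vlan"] or native_vlan
    b = parse_frame(frame_b)["vlan"] or native_vlan
    return a == b
```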






802.1x


802.1x Port Based Security


It provides an authentication mechanism to devices wishing to attach to a LAN or WLAN.


It defines the encapsulation of the Extensible Authentication Protocol (EAP) over IEEE 802.


802.1X authentication involves three parties: a supplicant, an authenticator, and an authentication server.


The supplicant is a client device (such as a laptop) that wishes to attach to the LAN.


The authenticator acts like a security guard to a protected network. The supplicant (i.e., client device) is not allowed access through the authenticator to the protected side of the network until the supplicant’s identity has been validated and authorized.


The authentication server determines whether the supplicant's credentials, as provided to the authenticator, are valid. If they are valid, the supplicant (client device) is allowed to access resources located on the protected side of the network.




802.1x (cont)




802.1x Process


On detection of a new supplicant, the port on the switch (authenticator) is enabled and set to the "unauthorized" state. In this state, only 802.1X traffic is allowed; other traffic, such as the Internet Protocol (and with that TCP and UDP), is dropped.


To initiate authentication the authenticator will periodically transmit EAP-Request Identity frames to a special Layer 2 address on the local network segment. The supplicant listens on this address, and on receipt of the EAP-Request Identity frame it responds with an EAP-Response Identity frame containing an identifier for the supplicant such as a User ID. The authenticator then encapsulates this Identity response in a RADIUS Access-Request packet and forwards it on to the authentication server. The supplicant may also initiate or restart authentication by sending an EAPOL-Start frame to the authenticator, which will then reply with an EAP-Request Identity frame.


The authentication server sends a reply (encapsulated in a RADIUS Access-Challenge packet) to the authenticator, containing an EAP Request specifying the EAP Method (the type of EAP-based authentication it wishes the supplicant to perform). The authenticator encapsulates the EAP Request in an EAPOL frame and transmits it to the supplicant. At this point the supplicant can start using the requested EAP Method, or send a NAK ("Negative Acknowledgement") and respond with the EAP Methods it is willing to perform.


If the authentication server and supplicant agree on an EAP Method, EAP Requests and Responses are sent between the supplicant and the authentication server (translated by the authenticator) until the authentication server responds with either an EAP-Success message (encapsulated in a RADIUS Access-Accept packet) or an EAP-Failure message (encapsulated in a RADIUS Access-Reject packet). If authentication is successful, the authenticator sets the port to the "authorized" state and normal traffic is allowed; if it is unsuccessful, the port remains in the "unauthorized" state. When the supplicant logs off, it sends an EAPOL-Logoff message to the authenticator, which then sets the port back to the "unauthorized" state, once again blocking all non-EAP traffic.
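The three-party exchange in the steps above, as an added simulation written for this page (not code from the slides or from any 802.1X implementation): a supplicant, an authenticator that gates its port and re-encapsulates EAP between EAPOL and RADIUS, and an authentication server that negotiates the method (including the NAK fallback) and returns Access-Accept or Access-Reject. The user database and the EAP method names are constructed sample data, and a keyed challenge/response stands in for the inner exchange of a real EAP method.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

UNAUTHORIZED, AUTHORIZED = "unauthorized", "authorized"


@dataclass
class Message:
    kind: str                        # e.g. "EAP-Request/Identity", "RADIUS Access-Accept"
    body: dict = field(default_factory=dict)


class AuthenticationServer:
    """RADIUS role: picks the EAP method and judges the supplicant's credentials."""

    def __init__(self, users, methods):
        self.users = users       # identity -> password (constructed sample data)
        self.methods = methods   # EAP methods the server offers, most preferred first
        self.session = {}

    def handle(self, radius: Message) -> Message:
        eap = radius.body["eap"]
        if eap.kind == "EAP-Response/Identity":
            self.session = {"identity": eap.body["identity"]}
            return self._offer(self.methods[0])
        if eap.kind == "EAP-Response/NAK":
            # Supplicant declined the method: fall back to one it is willing to run.
            common = [m for m in self.methods if m in eap.body["methods"]]
            return self._offer(common[0]) if common else self._finish(False)
        if eap.kind == "EAP-Response" and "challenge" in self.session:
            password = self.users.get(self.session["identity"], "")
            expected = hmac.new(password.encode(), self.session["challenge"], hashlib.sha256).digest()
            return self._finish(hmac.compare_digest(expected, eap.body["proof"]))
        return self._finish(False)

    def _offer(self, method: str) -> Message:
        # A keyed challenge/response stands in for the chosen EAP method's inner exchange.
        self.session.update(method=method, challenge=os.urandom(16))
        request = Message("EAP-Request", {"method": method, "challenge": self.session["challenge"]})
        return Message("RADIUS Access-Challenge", {"eap": request})

    @staticmethod
    def _finish(ok: bool) -> Message:
        if ok:
            return Message("RADIUS Access-Accept", {"eap": Message("EAP-Success")})
        return Message("RADIUS Access-Reject", {"eap": Message("EAP-Failure")})


class Authenticator:
    """The switch port: relays EAP between supplicant and server and gates the port."""

    def __init__(self, server: AuthenticationServer):
        self.server = server
        self.port_state = UNAUTHORIZED

    def forwards(self, frame_type: str) -> bool:
        # An unauthorized port passes only 802.1X (EAPOL) frames; IP traffic is dropped.
        return self.port_state == AUTHORIZED or frame_type == "EAPOL"

    def on_new_supplicant(self) -> Message:
        self.port_state = UNAUTHORIZED
        return Message("EAP-Request/Identity")

    def relay(self, eapol: Message) -> Message:
        # Wrap the EAP payload in a RADIUS Access-Request; unwrap the server's EAP reply into EAPOL.
        reply = self.server.handle(Message("RADIUS Access-Request", {"eap": eapol}))
        if reply.kind == "RADIUS Access-Accept":
            self.port_state = AUTHORIZED
        elif reply.kind == "RADIUS Access-Reject":
            self.port_state = UNAUTHORIZED
        return reply.body["eap"]

    def on_logoff(self) -> None:
        self.port_state = UNAUTHORIZED   # EAPOL-Logoff: block non-EAP traffic again


class Supplicant:
    def __init__(self, identity: str, password: str, methods: list):
        self.identity, self.password, self.methods = identity, password, methods

    def respond(self, eap: Message) -> Message:
        if eap.kind == "EAP-Request/Identity":
            return Message("EAP-Response/Identity", {"identity": self.identity})
        if eap.body["method"] not in self.methods:
            return Message("EAP-Response/NAK", {"methods": self.methods})
        proof = hmac.new(self.password.encode(), eap.body["challenge"], hashlib.sha256).digest()
        return Message("EAP-Response", {"method": eap.body["method"], "proof": proof})


def run_authentication(supplicant: Supplicant, authenticator: Authenticator):
    """Drive one 802.1X exchange; returns (final port state, EAP message kinds in order)."""
    transcript = []
    eap = authenticator.on_new_supplicant()
    while eap.kind not in ("EAP-Success", "EAP-Failure"):
        transcript.append(eap.kind)
        response = supplicant.respond(eap)
        transcript.append(response.kind)
        eap = authenticator.relay(response)
    transcript.append(eap.kind)
    return authenticator.port_state, transcript
```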




802.2 Logical Link Control


Defines Logical Link Control (LLC), which is the upper portion of the data link layer of the OSI Model.


The LLC sublayer presents a uniform interface to the user of the data link service, usually the network layer.


Beneath the LLC sublayer is the Media Access Control (MAC) sublayer, which is dependent on the particular medium being used (Ethernet, token ring, FDDI, 802.11, etc.).




802.3 Ethernet


A group of standards that define the physical network media and bandwidth of the network.


Bandwidth: The amount of data that can be transmitted over a given period of time. Examples: 100Mbps or 1Gbps


Type of cable supported: Twisted Pair Cabling (Cat5,6), Fiber optic cable (multimode and single mode) and coax.


Cat 6: 1Gbps at 100M, 10Gbps at 33M


Implements Carrier Sense Multiple Access with Collision Detection (CSMA/CD)




802.4 Token Bus


Network implementing the token ring protocol over a "virtual ring" on a coaxial cable.


Disbanded and standard withdrawn




802.5 Token Ring


Defines the MAC layer for token ring networks.


Initially token ring was a proprietary technology of IBM


Maximum bandwidth 15Mbps.


No current research being conducted.




802.6 MAN


A Metropolitan Area Network (MAN) is a computer network larger than a local area network, covering an area of a few city blocks to the area of an entire city.


MAN links between local area networks have been built with wireless links using either microwave, radio, or infra-red laser transmission.


Most companies rent or lease circuits from common carriers because laying long stretches of cable is expensive.


Some wired technologies used in MANs include


Fiber Distributed Data Interface (FDDI): provides a 100 Mbit/s optical standard for data transmission in local area networks that can extend in range up to 200 kilometers (120 mi). Although the FDDI logical topology is a ring-based token network, it did not use the IEEE 802.5 token ring protocol as its basis; instead, its protocol was derived from the IEEE 802.4 token bus timed token protocol.


Asynchronous Transfer Mode (ATM): developed to meet the needs of the Broadband Integrated Services Digital Network, as defined in the late 1980s, and designed to unify telecommunication and computer networks.




802.11 WiFi


Standards relating to communication via radio frequency.


Standard    Bandwidth    Frequency    Distance
802.11a     54Mbps       5GHz         30M
802.11b     10Mbps       2.4GHz       100M
802.11g     54Mbps       2.4GHz       100M
802.11n     600Mbps      2.4/5GHz     250M
802.11ac    6.77Gbps     2.4/5GHz     250M




802.11 Privacy


Wired Equivalent Privacy (WEP)


Designed to approximate wired hub-based Ethernet environment.


Key entered into both the access point and the clients, so all participants in the WiFi LAN share the same key.


Uses a stream cipher to protect data


Key length is the initialization vector (IV) plus the WEP key


128-bit WEP = 104-bit key + 24-bit IV


64-bit WEP = 40-bit key + 24-bit IV


Because RC4 is a stream cipher, the same traffic key must never be used twice. The purpose of an IV, which is transmitted as plain text, is to prevent any repetition, but a 24-bit IV is not long enough to ensure this on a busy network. The way the IV was used also opened WEP to a related key attack. For a 24-bit IV, there is a 50% probability the same IV will repeat after 5000 packets.


Depending on the amount of network traffic, and thus the number of packets available for inspection, a successful key recovery could take as little as one minute.
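The 50% figure quoted above follows from the birthday bound on a 24-bit IV space. The block below is an added worked computation written for this page (not from the slides): it reproduces that threshold, checks the closed-form approximation against the exact product, and adds a defender-side check that flags the first reused IV in a captured IV sequence (the sequence is constructed sample data). The functions take the IV width as a parameter, so the same arithmetic can be applied to longer IVs.

```python
import math
from typing import Iterable, Optional


def iv_collision_probability(n_packets: int, iv_bits: int = 24) -> float:
    """Birthday-bound approximation: P(at least one IV repeats among n random IVs)."""
    space = 2 ** iv_bits
    return 1.0 - math.exp(-n_packets * (n_packets - 1) / (2.0 * space))


def iv_collision_probability_exact(n_packets: int, iv_bits: int = 24) -> float:
    """Exact product form, 1 - prod(1 - i/space); affordable for the small n a 24-bit IV allows."""
    space = 2 ** iv_bits
    if n_packets > space:
        return 1.0          # pigeonhole: more packets than IV values guarantees a repeat
    log_no_repeat = sum(math.log1p(-i / space) for i in range(n_packets))
    return 1.0 - math.exp(log_no_repeat)


def packets_until_collision(probability: float, iv_bits: int = 24) -> int:
    """Smallest n at which the approximation gives at least the requested repeat probability.

    Solves n(n-1) = 2 * space * ln(1 / (1 - p)) for n and rounds up.
    """
    space = 2 ** iv_bits
    target = 2.0 * space * math.log(1.0 / (1.0 - probability))
    return math.ceil((1.0 + math.sqrt(1.0 + 4.0 * target)) / 2.0)


def first_iv_reuse(ivs: Iterable[int]) -> Optional[int]:
    """Monitoring check over the IVs of captured frames: index of the first reused IV, or None.

    A repeat means the same RC4 keystream was used twice under the same WEP key.
    """
    seen = set()
    for index, iv in enumerate(ivs):
        if iv in seen:
            return index
        seen.add(iv)
    return None


# Constructed sample: IVs as a monitoring tool might log them from successive frames.
SAMPLE_IVS = [0x1A2B3C, 0x000001, 0x7F7F7F, 0x1A2B3C, 0x000002]
```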




802.11 Privacy (Cont)


WiFi Protected Access (WPA) replaced WEP.


Firmware upgrade


Improved implementation of RC4


Improved implementation of IVs (TKIP)


TKIP employs a per-packet key, meaning that it dynamically generates a new 128-bit key for each packet and thus prevents the types of attacks that compromised WEP.


WPA2 replaced WPA


Uses AES encryption instead of RC4


WPA2 is mandatory for a device to bear the WiFi trademark.




802.15 Bluetooth


Bluetooth


Low power, short distances


Operates in the ISM (Industrial, Scientific, and Medical) band at 2.45GHz


10 meter range


721Kbps bandwidth




Wireless Radio Technologies


Direct Sequence Spread Spectrum (DSSS): Spreads transmissions over a larger frequency band.


The signal is less susceptible to interference at any specific frequency


A pseudo-random noise code is modulated with the signal during transmission.


The resulting signal resembles white noise.


The receiver filters out the noise.


Uses


802.11b


US GPS


Bluetooth




Wireless Radio Technologies


Frequency Hopping Spread Spectrum (FHSS): a method of transmitting radio signals by rapidly switching a carrier among many frequency channels, using a pseudorandom sequence known to both transmitter and receiver.


Uses


Military communication


Federal Aviation Administration (FAA)




Wireless Radio Technologies


Orthogonal Frequency Division Multiplexing (OFDM): a signal that is subdivided into frequency sub bands.


Each of these sub bands can be broadcast together without interference.


The basic idea of OFDM is to split a high bandwidth transmission into several lower bandwidth transmissions.


Uses


Digital TV broadcasts


802.11a, 802.11g, 802.11n, 802.11ac


ADSL


LTE, LTE Advanced




Wireless Radio Technologies


Frequency Division Multiple Access: Subdivides a frequency band and assigns an analog conversation to each sub-band.


Only used in analog cellular




Wireless Radio Technologies


Code Division Multiple Access (CDMA)


Similar to DSSS


It spreads each call over a wide spectrum, and each call is tagged with a pseudo-random noise code to differentiate the calls.


CDMA2000 is a family of 3G standards that uses CDMA channel access (deployed typically in the Far East).




Wireless Radio Technologies


Universal Mobile Telecommunications System Time-Division Duplexing (UMTS TDD): a third generation mobile cellular system


data transfer rates of 2 Mbps at 5MHz


data transfer rates of 42 Mbps for HSPA+




Data Center


A data center is a facility used to house computer systems and associated components, such as telecommunications and storage systems.


Hot Sites: A "proactive" hot site allows you to keep servers and a live backup site up and running in the event of a disaster.


Warm Sites: A “preventative” warm site allows you to pre-install your hardware and pre-configure your bandwidth needs. Then, if disaster strikes, all you have to do is load your software and data to restore your business systems.


Cold Sites: A “recovery” cold site is essentially just data center space, power, and network connectivity that’s ready and waiting for whenever you might need it.




Different Types of Networks


Local Area Networks (LAN) = room/building


Campus Area Network (CAN) = a complex of adjacent buildings


Metropolitan Area Networks (MAN) = a city


Wide Area Networks (WAN) = a large geographic area (across metropolitan, regional, national or international boundaries)




Local Area Networks


Usually in one building and uses twisted pair cable.


Usually use some form of a star topology. Sometimes a tree topology if the building is large.


Tree topology: Linking together 2 or more star networks via fiber.




Campus Area Network


LANs within each facility


Connect LANs together with fiber optic cable in a tree topology


The backbone fiber optic cable is run in either a ring or a star.


One or more buildings will house the data center(s).




Wide Area Networks


Typically uses some form of leased connection


Dedicated Links: Establishes a constant network between endpoints.


Hardware: Channel Service Unit Data Service Unit (CSU/DSU)


The endpoints have exclusive use of the circuit and bandwidth


Integrated Services Digital Network (ISDN): Two varieties


Basic Rate Interface (BRI): The 144 kbit/s payload rate is broken down into two 64 kbit/s bearer channels ('B' channels) and one 16 kbit/s signaling channel ('D' channel or data channel). This is sometimes referred to as 2B+D.


Primary Rate Interface (PRI): A PRI has 23 'B' channels and 1 'D' channel for signaling.


T-Carriers


T1: 24x64Kbps = 1.54Mbps


T3: 672x64kbps = 44.7Mbps




Wide Area Networks


Optical Carrier (OC) Connections


OC1: 51.84Mbps


OC3: 155.52Mbps


OC12: 622.08Mbps


OC48: 2.488Gbps


OC96: 4.977Gbps


OC192: 9.953Gbps


OC3072: 160Gbps




Wide Area Networks


Metropolitan Ethernet Circuit (Metro E): Provides a cheap Ethernet (802.3) handoff to the customer.


Speeds up to 10Gbps


Very simple to implement


The current industry standard for dedicated circuits.




Wide Area Network Packet Switched Networks


Packet Switching: Devices transport packets via a shared single point-to-point or point-to-multipoint link across a carrier internetwork.


X.25: One of the first WAN protocols


Basis for many WAN protocols that followed


Based on rigorous error correction.


Not really used today.


Frame relay is a standardized wide area network technology that specifies the physical and logical link layers of digital telecommunications channels using a packet switching methodology. Originally designed for transport across Integrated Services Digital Network (ISDN) infrastructure, it may be used today in the context of many other network interfaces.


Began as a stripped-down version of the X.25 protocol, releasing itself from the error-correcting burden most commonly associated with X.25. When frame relay detects an error, it simply drops the offending packet.




Commercial vs. Open Source Firewalls




3/22/18




Commercial


Available for purchase


Open Source


Free


Installs onto your own hardware or operating system


Provides network-level security services


Source code available for review


Not always reliable or trustworthy


Appliance/Hardware Firewalls


Dedicated hardware device specifically built and hardened to support firewall software


Does not require additional hardware or software for deployment


Needs network connections and a power connection


Has dedicated hardware resources not shared with other services


Can protect a single system or an entire network




Appliance/Hardware Firewall Examples


Barracuda


Cisco


D-Link


Fortinet


Juniper Networks


Linksys (owned by Cisco)


NetGear


SonicWALL


WatchGuard


ZyXEL




Virtual Firewalls


Includes:


Virtualized software firewalls provide filtering services for a standard physical network


Firewalls running between virtualized client and server operating systems


Benefits: Rapid development, quick prototyping, isolation, traffic management, quick recoveries, testing




Firewall Design and Implementation Guidelines


Suitability: Can the firewall implement the policy?


Flexibility: Is it easily reconfigurable?


Training: Is training required? What is the cost?


Need: Make a list of traffic you want to allow, filter, or block (see organization’s security policy).


Risk: Make a separate list of all the risks in the network based on the traffic allowed.


Cost: How much will everything cost?




These are examples only. Every organization’s needs differ.




Firewall Topology: Simple Solution




Firewall Topology: DMZ




Firewall Topology: Multi-homed Firewall for Perimeter




Personal/SOHO Firewall Options


Native firewall built in to operating system


Third-party software firewall


Commercial or open source


Router/wireless access point firewall settings


Hardware/appliance firewall


Virtual firewall




Selecting a Firewall: Desirable Characteristics




Security Assurance


Privilege Control


Authentication


Auditing


Flexibility


Performance


Scalability


SmoothWall Features


Open source, Linux-based


Highly compatible (hardware and systems)


Remote access, POP3 e-mail antivirus proxy, Web proxy, Snort IDS


Inline proxy support for instant messaging and VoIP with logging capabilities


Bandwidth management


Outbound traffic blocking with time-based controls




Additional Features of SmoothWall


Port forwarding


External service access


DMZ pinhole


PPP settings


IP block




Port forwarding—Forward ports from firewall to a machine inside the green or orange zones. Hides Web servers behind a single IP address.


External service access—Access any services running on the SmoothWall machine by opening the ports you need.


DMZ pinholes—Opens a pinhole from the DMZ to the green zone. Useful if external servers need to communicate with servers inside the green zone.


PPP settings—Allows you to set up profiles, configure modems, use dial on demand.


IP block—Bans specific IP addresses or ranges.




Installing SmoothWall: Network Zones


Color     Zone                        Description
Green     Trusted                     Client local network
Orange    Filtered/Special Purpose    DMZ, other
Purple    Wireless                    Wireless client
Red       Internet                    External
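To show how the features in the notes above (port forwarding, external service access, DMZ pinholes, IP block) combine with the four zones in the table, here is an added policy model written for this page. It is not SmoothWall's own code or its iptables rule set; the addresses are constructed, and the default trust order green > purple > orange > red, plus unrestricted access from green to the firewall box itself, are assumptions of the model.

```python
import ipaddress
from dataclasses import dataclass
from typing import Tuple

# Zone names as the slides use them; FIREWALL marks traffic addressed to the SmoothWall box itself.
GREEN, ORANGE, PURPLE, RED, FIREWALL = "green", "orange", "purple", "red", "firewall"

# Assumed default trust order: a more trusted zone may open connections toward a less trusted one.
TRUST = {GREEN: 3, PURPLE: 2, ORANGE: 1, RED: 0}


@dataclass(frozen=True)
class Packet:
    src_zone: str
    src_ip: str
    dst_zone: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"


class ZonePolicy:
    """Model of zone rules plus port forwards, DMZ pinholes, external service access and IP block."""

    def __init__(self):
        self.ip_blocks = []             # IP block: banned source addresses or ranges
        self.port_forwards = {}         # (port, proto) arriving on red -> (zone, ip, port) inside
        self.pinholes = set()           # (orange ip, green ip, port, proto) allowed DMZ -> green
        self.external_services = set()  # (port, proto) on the firewall reachable from red

    def add_ip_block(self, cidr: str) -> None:
        self.ip_blocks.append(ipaddress.ip_network(cidr, strict=False))

    def add_port_forward(self, ext_port: int, proto: str, zone: str, ip: str, port: int) -> None:
        if zone not in (GREEN, ORANGE):
            raise ValueError("port forwards target a machine in the green or orange zone")
        self.port_forwards[(ext_port, proto)] = (zone, ip, port)

    def add_pinhole(self, orange_ip: str, green_ip: str, port: int, proto: str = "tcp") -> None:
        self.pinholes.add((orange_ip, green_ip, port, proto))

    def add_external_service(self, port: int, proto: str = "tcp") -> None:
        self.external_services.add((port, proto))

    def decide(self, pkt: Packet) -> Tuple[str, str]:
        """Return (verdict, reason) for one new connection attempt through the firewall."""
        src = ipaddress.ip_address(pkt.src_ip)
        if any(src in net for net in self.ip_blocks):
            return "DROP", "IP block"                      # bans apply before any other rule
        key = (pkt.dst_port, pkt.proto)
        if pkt.dst_zone == FIREWALL:
            if pkt.src_zone == RED and key in self.port_forwards:
                zone, ip, port = self.port_forwards[key]  # web server hidden behind the red IP
                return "ACCEPT", f"port forward to {zone} {ip}:{port}"
            if pkt.src_zone == GREEN or key in self.external_services:
                return "ACCEPT", "service on the firewall"
            return "DROP", "no external service opened on that port"
        if pkt.src_zone == ORANGE and pkt.dst_zone == GREEN:
            if (pkt.src_ip, pkt.dst_ip, pkt.dst_port, pkt.proto) in self.pinholes:
                return "ACCEPT", "DMZ pinhole"
            return "DROP", "DMZ may not reach green without a pinhole"
        if TRUST[pkt.src_zone] > TRUST[pkt.dst_zone]:
            return "ACCEPT", f"{pkt.src_zone} may initiate toward {pkt.dst_zone}"
        return "DROP", f"no rule from {pkt.src_zone} to {pkt.dst_zone}"
```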



Hardware Requirements for SmoothWall


Processor running 166 MHz or greater


512 MB PC133 synchronous dynamic random access memory (SDRAM)


20 GB hard drive


Two NICs




SmoothWall Topology


A typical SmoothWall network interface setup.




SmoothWall Topology


A typical SmoothWall setup with a switch.




Managing the Firewall on an ISP Connection Device


Enter IP address of device into a Web browser


If wireless router, change the Service Set Identifier (SSID)


Limit the number of connections


Block unnecessary ports


Test configuration at http://www.grc.com


Free ShieldsUP! port scanning tool


201 bus timetable aberdeen - Ocr internal moderation form - Building Credibility - Workplace Memo - strictly plagiarism check - attach plagiarism report - 50 states that rhyme song lyrics - Cima code of ethics 5 principles - Which of the following devices imparts ownership in a corporation - Insight plumstead manor school - Article Review And Answer The Question(Mini Paper) - Discussion - Topic 5 DQ 1 - Neway air suspension parts - Financial entertainment bite club - Incident investigation procedure flowchart - Personal Anecdote - Funny Incident - Meaningful use regulations for recovery audit contractors - Ir led eye safety calculator - As opposed to other types of monopoly, a natural monopoly typically owes its monopoly position to - "A" WORK POWERPOINT IN 18 HOURS or LESS - Sd card breakout board - The nook kennels cobham - Bsbldr502 lead and manage effective workplace relationships pdf - Swinton and pendlebury local history society - The primary objective of financial accounting is to: - Capacity cushion formula operations management - Literacy - Frimley a&e waiting time - Poplars farm primary school - Cat sat on the mat - Fair Trial - The comparative balance sheet of yellow dog enterprises inc - Passing lamp trim rings - Southern princess tanning lotion - Ul listed pressure gauge - Interpersonal communication in movies essay - Does sugar dissolve in methylated spirits - A disk with an initial angular velocity - Patricia benner novice to expert powerpoint - A bar of steel has the minimum properties - Legal protections that exists for Bitcoin users in the US and other countries - Mech Design - Go-live announcement for key stakeholders - Prob - Acq 203 test answers - Toms shoes a dedication to social responsibility case study - Quantum ahima org 8080 topaz main - Discussion 7 - Water billing system introduction - Root canal anatomy blogspot - The new trophy wife by deborah siegel summary - Global operational data link document - Analysis of argument letter from 
birmingham jail answers - At&t global network client ibm - Limitations of efficient market hypothesis theory - 7 1 final project part one submission critical analysis portfolio - Discussion question - How to use gibbs reflective cycle in an essay - Difference between primacy effect and recency effect - St michael's college henley beach - Implicaciones etico legales - Nist cybersecurity framework mapping to iso 27001 - Which of the following is not a fact finding technique - 6 week hypertrophy program pdf - Environmental ethics joseph desjardins pdf - Chapter 13 financial statement analysis - Preparer of application ds 160 - Internet Research - Wk 11 - The histogram displays the sugar content - Supporting Document 1: Memorandum to the CEO Overview - Ninewells neurology phone number - Excel project - How to handle conflict in nursing - All quiet on the western front characters - Newly revised strong interest inventory - Harley davidson vision statement - Dhs ambulatory care network harbor ucla - Replacing wired thermostat with hive - How to properly apply proactive - Racq phone number roadside assist - Las vacaciones de ____ buenas año - Virus explorer hhmi answer key - Access grader project - COMS 301 - EC - What are the reactants of the calvin cycle - Should everyone go to college rhetorical analysis - Pizza hut social media presence - Bluish black element crossword - Blockchain and cryptocurrency - Journal Entries - Case 17 uber driving global disruption - Locate coventry ac uk - Derive an expression for coefficient of thermal conductivity - When were the georgia guidestones built - Interpretation project 2 bibl 110 - How to calculate real income from nominal income - 6 ferndale road glen iris rmh - Thinking skills assessment oxford - Volkswagen of america managing it priorities case analysis - Discussion: The Role of the RN/APRN in Policy Evaluation, NURS 6050 Policy and Advocacy for Improving Population Health - Osha safety pays estimator