
NetScreen Security Concepts

Slide 2: Objectives
Identify requirements that must be met by network security devices
Name and describe the function of components of the NetScreen security architecture, including:
  Virtual Systems (VSYS)
  Zones
  Policies
  Virtual Routers
  Interfaces
Describe the packet processing sequence in a NetScreen device
Select correct deployment scenarios for NetScreen appliances and systems
Slide 3: Security Device Requirements
Frame/Packet Forwarding
  Bridging (Layer 2)
  Routing (Layer 3)
Firewall
  Filter based on the contents of the IP, TCP/UDP, and application headers
Network/Port Address Translation
  Private to public address translation
Virtual Private Networks
  Encapsulation, authentication, and encryption
  Primarily implemented using IPsec
Slide 4: Layer 2 Frame Forwarding (Bridging/Switching)
Transparent Bridge Functions
  Learning (based on source MAC address)
  Forward/Flood/Filter (based on destination MAC address)
  Loop prevention (Spanning Tree Protocol)
MAC Address Table
(Figure: host 00c0.01cd.5120 attached to port E1, host 00e0.01ab.cd10 attached to port E8)
  Destination Address   Port
  00c0.01cd.5120        E1
  00e0.01ab.cd10        E8
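As an added illustration (not part of the course slides), the following Python models the three transparent-bridge functions listed above: learning on the source MAC, and forward/flood/filter on the destination MAC. The MAC addresses and port names are those of the slide's table; the class and method names are my own, and Spanning Tree is left out.

```python
# Added example, not NetScreen code: a minimal transparent bridge.
# Learning fills the MAC table from source addresses; the destination
# address decides whether a frame is forwarded, flooded or filtered.

BROADCAST = "ffff.ffff.ffff"


class TransparentBridge:
    def __init__(self, ports):
        self.ports = list(ports)      # e.g. ["E1", "E2", "E8"]
        self.mac_table = {}           # destination MAC -> port it was learned on

    def learn(self, src_mac, in_port):
        """Learning: remember the port on which this source MAC was seen."""
        self.mac_table[src_mac] = in_port

    def handle_frame(self, src_mac, dst_mac, in_port):
        """Return (decision, egress ports) for one frame arriving on in_port."""
        self.learn(src_mac, in_port)
        others = [p for p in self.ports if p != in_port]
        if dst_mac == BROADCAST:
            return "flood", others          # broadcast: every port but the ingress one
        out_port = self.mac_table.get(dst_mac)
        if out_port is None:
            return "flood", others          # unknown unicast: flood until learned
        if out_port == in_port:
            return "filter", []             # destination is on the ingress segment
        return "forward", [out_port]        # known destination on another port


if __name__ == "__main__":
    bridge = TransparentBridge(["E1", "E2", "E8"])
    # First frame: destination not yet learned, so it is flooded
    print(bridge.handle_frame("00c0.01cd.5120", "00e0.01ab.cd10", "E1"))
    # Reply: both hosts are now in the table, so it is forwarded to E1 only
    print(bridge.handle_frame("00e0.01ab.cd10", "00c0.01cd.5120", "E8"))
    print(bridge.mac_table)
```

After the two frames the table holds exactly the two entries of the slide; a third frame between two hosts on the same port is filtered rather than forwarded.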
Slide 5: Layer 3 Packet Forwarding (Routing)
Forward IP packets based on destination address
Maintain Route Table entries
  Static routes
  Dynamic routes (RIP, OSPF, BGP)
  Default routes
(Figure: a 208 device with interface E1 at 10.1.1.1/24 and interface E8 at 10.2.2.1/24; a neighbouring router with addresses 10.2.2.2/24 and 10.3.3.1/24; further labels 10.1.1.1 and 10.3.3.10)
Route Table
  Network       Int.  Gateway
  10.1.1.0/24   E1    0.0.0.0
  10.2.2.0/24   E8    0.0.0.0
  10.3.3.0/24   E8    10.2.2.2
Slide 6: Firewall
Packet filter based on packet header
  IP (SA, DA, Protocol)
  TCP/UDP (Port #)
Used to implement security policies
(Figure: example packet header)
  SRC-IP 10.1.10.5   DST-IP 1.1.70.250   SRC-Port 36033   DST-Port 80   Protocol 6
Slide 7: Network/Port Address Translation
Convert private address space to public address space
NAT/PAT
(Figure: host 10.1.1.5 in the Trust zone behind the device's Trust interface 10.1.1.1; the device's Untrust interface is 201.1.8.1)
  Packet on the Trust side:    SRC-IP 10.1.1.5    DST-IP 221.1.8.5   SRC-Port 36033   DST-Port 80   Protocol 6
  Packet on the Untrust side:  SRC-IP 201.1.8.1   DST-IP 221.1.8.5   SRC-Port 1025    DST-Port 80   Protocol 6
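The translation shown on the slide, as an added Python example that is not NetScreen code: the Trust host 10.1.1.5 sends to 221.1.8.5:80, the device rewrites the source to its Untrust address 201.1.8.1 and a translated port, and the reply is mapped back through the same binding. The addresses and ports are the slide's; the port pool starting at 1025, the class and the method names are assumptions of mine.

```python
# Added example, not NetScreen code: source NAT with port translation (PAT).
# A binding table maps (private IP, private port, protocol) to one public
# port; the reverse table restores the private address on replies.

from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int          # 6 = TCP, 17 = UDP


class SourcePAT:
    def __init__(self, public_ip, first_port=1025):   # pool start is an assumption
        self.public_ip = public_ip
        self.next_port = first_port
        self.bindings = {}    # (priv_ip, priv_port, proto) -> public port
        self.reverse = {}     # (public_port, proto) -> (priv_ip, priv_port)

    def outbound(self, pkt):
        """Trust -> Untrust: rewrite source address and port, creating a binding on first use."""
        key = (pkt.src_ip, pkt.src_port, pkt.protocol)
        if key not in self.bindings:
            port = self.next_port
            self.next_port += 1
            self.bindings[key] = port
            self.reverse[(port, pkt.protocol)] = (pkt.src_ip, pkt.src_port)
        return replace(pkt, src_ip=self.public_ip, src_port=self.bindings[key])

    def inbound(self, pkt):
        """Untrust -> Trust: restore the private destination; no binding means drop (None)."""
        if pkt.dst_ip != self.public_ip:
            return None
        original = self.reverse.get((pkt.dst_port, pkt.protocol))
        if original is None:
            return None       # unsolicited packet: nothing to translate to
        return replace(pkt, dst_ip=original[0], dst_port=original[1])


if __name__ == "__main__":
    nat = SourcePAT("201.1.8.1")
    out = nat.outbound(Packet("10.1.1.5", "221.1.8.5", 36033, 80, 6))
    print(out)                                   # source becomes 201.1.8.1:1025
    print(nat.inbound(Packet("221.1.8.5", "201.1.8.1", 80, 1025, 6)))
```

Because an inbound packet only passes when a binding exists, the same table that makes translation work also gives the device its default behaviour of discarding unsolicited traffic from the Untrust side.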
Slide 8: Virtual Private Networks
Provide secure tunnels across the Internet
  Encapsulation
  Encryption
  Authentication
(Figure: two sites joined by a tunnel. Left site: Trust interface 10.0.0.254, hosts 10.1.20.3 and 10.1.20.4, Untrust interface 1.1.1.1. Right site: Untrust interface 2.2.2.1, Trust interface 20.1.20.1. The traffic is labelled "IP Packet" inside each site and "Encrypted Packet" between the two Untrust interfaces. Further labels: 10.0.0.5, 10.0.0.6)
Slide 9: Traditional Firewall Requirements
Untrust Network
  Internet or another public network
  No control
Trust Network
  Our private network
  We have control
(Figure: Untrust Zone on one side of the firewall, Trust Zone on the other; labels 10.0.0.5 and 10.0.0.6)
Slide 10: Emergence of the DMZ
Additional requirements for public access
Emergence of the DMZ
Access to services such as Web, Mail, and FTP
(Figure: Untrust Zone, Trust Zone (labels 10.0.0.5 and 10.0.0.6), and a DMZ Zone holding the Web Server, FTP Server and Mail Server)
Slide 11: Next Step: No Trusted Networks
Security required within our private network
Introduces new requirements
  Flexible architecture
  Scalability
(Figure: Untrust Zone; DMZ Zone with the Web, FTP and Mail servers; the private network split into Administration, Marketing and Engineering Zones)
Slide 12: NetScreen Security Architecture
NetScreen solution to the new security requirements
Provides a flexible, scalable software architecture
Components:
  Interfaces
  Zones
  Virtual Routers
  Policy
  Virtual Systems
Slide 13: Security Architecture Components
(Figure: a NetScreen device containing a Virtual System (VSYS); inside it Virtual Router 1 and Virtual Router 2, each with its own route table (R.T.) and a Forwarding Table; Zones A, B, C and D; Interfaces E1 through E8 bound to the zones; a Flow is checked against the Session table, and a Policy Check is made for the zone pair A -> C)
  Flow:     SRC-IP 1.2.3.4   DST-IP 5.6.7.8   SRC-Port 1234   DST-Port 80     Protocol 6
  Session:  SRC-IP 5.6.7.8   DST-IP 1.2.3.4   SRC-Port 80     DST-Port 1234   Protocol 6
Slide 14: NetScreen Decision Process/Packet Flow
(Flow chart, rendered as text from its labels)
Inbound packet
  Existing session?
    Yes -> FORWARD PACKET
    No  -> Destination lookup
  Destination reachable?
    No  -> DROP PACKET
    Yes -> Crossing zones / intra-zone block?
  Crossing zones / intra-zone block?
    No  -> FORWARD PACKET
    Yes -> Policy lookup
  OK per policy?
    No  -> DROP PACKET
    Yes -> Add to session table -> FORWARD PACKET
Slide 15: Packet Flow Example
(Figure: network diagram for the example. Zones: External, Private, Public. Networks and hosts shown: 1.1.70.0/24 with host 1.1.70.250; 10.1.10.0/24 with host 10.1.10.5; 10.1.20.0/24 with host 10.1.20.5; 10.1.1.0/24, 10.1.2.0/24, 1.1.7.0/24 and 1.1.8.0/24 with interface address labels .1 and .254; routers A, B, C and D; Internet host 200.5.5.5)
Slide 16: Packet Flow Example
Packet:  SRC-IP 10.1.20.5   DST-IP 200.5.5.5   SRC-Port 1042   DST-Port 80   Protocol 6
1. Existing Session? No
   Session Table
     Address Pair   Protocol   Port Pair
     (no match)
2. Destination Reachable? Yes
   Routing Table
     Net            Int   NHR
     10.1.1.0/24    E1    (connected)
     10.1.2.0/24    E2    (connected)
     10.1.10.0/24   E1    10.1.1.5
     10.1.20.0/24   E2    10.1.2.5
     0.0.0.0/0      E8    1.1.8.254
3. Inter-Zone Traffic? Yes
   Zone Table
     Int   Zone
     E1    Inside-Private
     E2    Inside-Private
     E7    Inside-Public
     E8    Outside
Slide 17: Packet Flow Example (cont.)
4. Permitted by Policy? Yes
   Policy: From Private to External
     SA            DA    Service   Action
     10.1.0.0/16   any   FTP       permit
     10.1.0.0/16   any   HTTP      permit
     10.1.0.0/16   any   ping      permit
     any           any   any       deny
Action: Forward Packet
   SRC-IP 10.1.20.5   DST-IP 200.5.5.5   SRC-Port 1042   DST-Port 80   Protocol 6
Action: Add to Session Table
   Session Table
     Address Pair          Protocol   Port Pair
     10.1.20.5 200.5.5.5   6          1042 80
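The following Python is an added worked example, not ScreenOS code. It runs the decision sequence of the slide 14 chart over the tables of this packet flow example: the routing table (with the longest-prefix lookup that slide 5's route table also relies on), the zone table and the policy list, and it records the resulting session entry. Zone names follow the policy slide (Private, External, Public) rather than the Inside-/Outside labels of the zone table; the service-to-port mapping, the helper names and the intra-zone block option are assumptions of mine.

```python
# Added example, not ScreenOS code: session -> route -> zone -> policy -> session table.
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    protocol: int          # 6 = TCP, 17 = UDP, 1 = ICMP


# Routing table from the example: (network, interface, next hop); None = connected
ROUTES = [
    ("10.1.1.0/24", "E1", None),
    ("10.1.2.0/24", "E2", None),
    ("10.1.10.0/24", "E1", "10.1.1.5"),
    ("10.1.20.0/24", "E2", "10.1.2.5"),
    ("0.0.0.0/0", "E8", "1.1.8.254"),
]
# Zone table: interface -> zone (names as used on the policy slide)
ZONES = {"E1": "Private", "E2": "Private", "E7": "Public", "E8": "External"}
# Service definitions are an assumption: (protocol, destination port or None)
SERVICES = {"FTP": (6, 21), "HTTP": (6, 80), "ping": (1, None)}
# Policies per (from-zone, to-zone), evaluated top down, first match wins
POLICIES = {
    ("Private", "External"): [
        ("10.1.0.0/16", "any", "FTP", "permit"),
        ("10.1.0.0/16", "any", "HTTP", "permit"),
        ("10.1.0.0/16", "any", "ping", "permit"),
        ("any", "any", "any", "deny"),
    ],
}


def route_lookup(dst_ip, routes=ROUTES):
    """Destination lookup: longest-prefix match; returns (interface, next hop) or None."""
    addr = ipaddress.ip_address(dst_ip)
    best = None
    for net, iface, nhr in routes:
        network = ipaddress.ip_network(net)
        if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
            best = (network, iface, nhr)
    return None if best is None else (best[1], best[2])


def _addr_match(spec, ip):
    return spec == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(spec)


def _service_match(spec, pkt):
    if spec == "any":
        return True
    proto, port = SERVICES[spec]
    return pkt.protocol == proto and (port is None or pkt.dst_port == port)


def policy_lookup(from_zone, to_zone, pkt, policies=POLICIES):
    """Policy lookup for the zone pair; no policy list at all means deny."""
    for sa, da, svc, action in policies.get((from_zone, to_zone), []):
        if _addr_match(sa, pkt.src_ip) and _addr_match(da, pkt.dst_ip) and _service_match(svc, pkt):
            return action
    return "deny"


class Firewall:
    def __init__(self, routes=ROUTES, zones=ZONES, policies=POLICIES, block_intra_zone=False):
        self.routes, self.zones, self.policies = routes, zones, policies
        self.block_intra_zone = block_intra_zone
        self.sessions = set()   # 5-tuples, stored for both directions of a permitted flow

    def process(self, pkt, in_iface):
        """Walk the decision chart for one packet; returns (action, reason)."""
        key = (pkt.src_ip, pkt.dst_ip, pkt.protocol, pkt.src_port, pkt.dst_port)
        if key in self.sessions:                                 # 1. existing session?
            return "forward", "existing session"
        route = route_lookup(pkt.dst_ip, self.routes)            # 2. destination lookup
        if route is None:
            return "drop", "destination unreachable"
        from_zone, to_zone = self.zones[in_iface], self.zones[route[0]]
        if from_zone == to_zone and not self.block_intra_zone:   # 3. crossing zones?
            return "forward", "intra-zone, no block"
        if policy_lookup(from_zone, to_zone, pkt, self.policies) != "permit":   # 4. policy
            return "drop", "denied by policy"
        self.sessions.add(key)                                   # 5. add both directions
        self.sessions.add((pkt.dst_ip, pkt.src_ip, pkt.protocol, pkt.dst_port, pkt.src_port))
        return "forward", "permitted by policy, session added"


if __name__ == "__main__":
    fw = Firewall()
    print(fw.process(Packet("10.1.20.5", "200.5.5.5", 1042, 80, 6), "E2"))
    print(sorted(fw.sessions))
```

The first call reproduces steps 1 to 4 of the slides and leaves the 10.1.20.5/200.5.5.5 entry in the session table; the reply from 200.5.5.5 then matches the stored reverse tuple at step 1 and never reaches the policy lookup, which is the point of the session table. A packet to a service with no permit rule falls through to the explicit deny, and a packet whose destination has no route is dropped before any policy is consulted.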
Slide 18: Deploying NetScreen Devices
Purpose-Built Security Gateways
  Appliances
    Support one (root) VSYS
    Application: small office/home office, small enterprise
  Systems
    Support multiple VSYS
    Application: large enterprise, service provider
NetScreen Remote Client
  NetScreen VPN & Firewall Client Software
  VPN Client provides standards-compliant IPsec and L2TP functionality from a desktop or laptop computer across a public or private TCP/IP network.
  Security Client provides personal firewall functionality
  Available in 10, 100 and 1000 user licenses
  Runs on Microsoft Windows OS
Slide 19: Juniper Networks Firewall/VPN Products
(Figure: product positioning across the market segments Carrier/Service Provider, Large Enterprise, Medium Enterprise and Small Enterprise, plus NS-Remote. Products shown: NS-5400, NS-5200, NS-500, NS 5GT/HSC, ISG-1000/2000, SSG-20, SSG 520, SSG 550, SSG 5, Wireless, SSG 140)
Slide 20: Summary
In this module we covered:
  Functions that must be performed by a NetScreen Security Gateway
  Components and operation of the NetScreen Security Architecture
  IP packet processing sequence in a NetScreen device
  NetScreen product set and guidelines for deployment
Slide 21: Review Questions
1. Name four functions that a security gateway must perform.
2. Describe the components that make up the NetScreen security architecture.
3. Describe the IP packet processing sequence in a NetScreen security gateway.
4. How is a NetScreen appliance different from a system?