8/12/2019 01-SecurityArchOverview.ppt
http://slidepdf.com/reader/full/01-securityarchoverviewppt 1/21
NetScreen Security Concepts
Objectives
• Identify requirements that must be met by network security devices
• Name and describe the function of components of the NetScreen security architecture, including
  – Virtual Systems (VSYS)
  – Zones
  – Policies
  – Virtual Routers
  – Interfaces
• Describe the packet processing sequence in a NetScreen device
• Select correct deployment scenarios for NetScreen appliances and systems
Security Device Requirements
• Frame/Packet Forwarding
  – Bridging (Layer 2)
  – Routing (Layer 3)
• Firewall
  – Filter based on contents of IP, TCP/UDP, and application headers
• Network/Port Address Translation
  – Private to public address translation
• Virtual Private Networks
  – Encapsulation, authentication, and encryption
  – Primarily implemented using IPsec
Layer 2 Frame Forwarding (Bridging/Switching)
• Transparent Bridge Functions
  – Learning (based on source MAC address)
  – Forward/Flood/Filter (based on destination MAC address)
  – Loop prevention (Spanning Tree Protocol)
Figure: two stations attached to the bridge, 00c0.01cd.5120 on port E1 and 00e0.01ab.cd10 on port E8.
MAC Address Table
Destination Address   Port
00c0.01cd.5120        E1
00e0.01ab.cd10        E8
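The learn/forward/flood/filter behaviour described above, as an added example in Python (not code from the slides): a minimal transparent learning bridge. Port names and MAC addresses are the constructed values from the figure; spanning tree is not modelled.

```python
"""Added example: a transparent learning bridge (learn on source MAC,
forward/flood/filter on destination MAC). Port names and MAC addresses
are the constructed values from the slide's figure."""
from typing import Dict, List, Tuple

BROADCAST = "ffff.ffff.ffff"


class LearningBridge:
    def __init__(self, ports: List[str]):
        self.ports = list(ports)
        self.mac_table: Dict[str, str] = {}  # destination address -> port

    def receive(self, in_port: str, src_mac: str, dst_mac: str) -> Tuple[str, List[str]]:
        """Process one frame; returns (decision, list of egress ports)."""
        # Learning: the source MAC is now reachable through the ingress port.
        # Any station can claim any source address, so a spoofed frame
        # overwrites a legitimate entry; the bridge has no way to verify it.
        self.mac_table[src_mac] = in_port
        out_port = self.mac_table.get(dst_mac)
        if dst_mac == BROADCAST or out_port is None:
            # Broadcast or unknown unicast: flood every port except ingress.
            return "flood", [p for p in self.ports if p != in_port]
        if out_port == in_port:
            # Destination lives on the ingress segment: filter (do not forward).
            return "filter", []
        return "forward", [out_port]


if __name__ == "__main__":
    bridge = LearningBridge(["E1", "E2", "E8"])
    # First frame: destination unknown, so it is flooded and the source is learned.
    print(bridge.receive("E1", "00c0.01cd.5120", "00e0.01ab.cd10"))
    # Reply: both addresses are now known, so it is forwarded to E1 only.
    print(bridge.receive("E8", "00e0.01ab.cd10", "00c0.01cd.5120"))
    print(bridge.mac_table)
```

Two practitioner notes follow from the code. Unknown-unicast flooding is the reason a bridge in learning mode leaks traffic to every port until the table is populated, and because the table is keyed on the unverified source address, filling it with bogus entries or overwriting a real one changes where frames go; an inline security device doing Layer 2 forwarding should therefore not be relied on for isolation by itself.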
Layer 3 Packet Forwarding (Routing)
• Forward IP packets based on destination address
• Maintain Route Table entries
  – Static routes
  – Dynamic routes (RIP, OSPF, BGP)
  – Default routes
Figure: the router's interface E1 is 10.1.1.1/24 and interface E8 is 10.2.2.1/24; a neighbouring router (10.2.2.2/24 and 10.3.3.1/24) gives reachability to 10.3.3.0/24, with one host on 10.1.1.0/24 and one on 10.3.3.0/24.
Route Table
Network        Int.   Gateway
10.1.1.0/24    E1     0.0.0.0
10.2.2.0/24    E8     0.0.0.0
10.3.3.0/24    E8     10.2.2.2
Firewall
• Packet filter based on packet header
  – IP (SA, DA, Protocol)
  – TCP/UDP (Port #)
• Used to implement security policies
Example header fields: SRC-IP 10.1.10.5, DST-IP 1.1.70.250, SRC-Port 36033, DST-Port 80, Protocol 6 (TCP)
Virtual Private Networks
• Provide secure tunnels across the Internet
  – Encapsulation
  – Encryption
  – Authentication
Figure: site-to-site VPN. Left gateway: Trust 10.0.0.254, Untrust 1.1.1.1, with hosts 10.0.0.5 and 10.0.0.6. Right gateway: Untrust 2.2.2.1, Trust 20.1.20.1, with hosts 10.1.20.3 and 10.1.20.4. The IP packet travels as an encrypted packet between the two Untrust interfaces and as a plain IP packet on each Trust side.
Traditional Firewall Requirements
• Untrust Network
  – Internet or another public network
  – No control
• Trust Network
  – Our private network
  – We have control
Figure: a firewall between the Untrust Zone and the Trust Zone (hosts 10.0.0.5 and 10.0.0.6).
Emergence of the DMZ
• Additional requirements for public access
• Emergence of the "DMZ"
  – Access to services such as Web, Mail, and FTP
Figure: firewall with three zones: Untrust Zone, Trust Zone (hosts 10.0.0.5 and 10.0.0.6), and DMZ Zone holding the Web server, the FTP server and a further server.
Next Step: No Trusted Networks
• Security required within our private network
• Introduces new requirements
  – Flexible architecture
  – Scalability
Figure: firewall segmenting the Untrust Zone, DMZ Zone (Web server, FTP server, server), Administration Zone, Marketing Zone, and Engineering Zone.
NetScreen Security Architecture
• NetScreen solution to the new security requirements
• Provides a flexible, scalable software architecture
• Components:
  – Interfaces
  – Zones
  – Virtual Routers
  – Policy
  – Virtual Systems
Security Architecture Components
Figure: inside the NetScreen device, a Virtual System (VSYS) contains Virtual Router 1 and Virtual Router 2, each with its own route table (forwarding table). Zones A, B, C and D are bound to the virtual routers, and interfaces E1 through E8 are bound to the zones. A flow entering Zone A (SRC-IP 1.2.3.4, DST-IP 5.6.7.8, SRC-Port 1234, DST-Port 80, Protocol 6) is subjected to the policy check A -> C; the resulting session is shown with the reverse tuple (SRC-IP 5.6.7.8, DST-IP 1.2.3.4, SRC-Port 80, DST-Port 1234, Protocol 6), which is what the return traffic matches.
NetScreen Decision Process/Packet Flow
Inbound packet:
1. Existing session? Yes: FORWARD PACKET. No: continue.
2. Destination lookup. Destination reachable? No: DROP PACKET. Yes: continue.
3. Crossing zones, or intra-zone block enabled? No: FORWARD PACKET. Yes: continue.
4. Policy lookup. OK per policy? No: DROP PACKET. Yes: add to session table, then FORWARD PACKET.
Two consequences of this ordering matter in practice: policy is consulted only for the first packet of a flow, because later packets (including the reply direction) match the session table at step 1; and traffic between interfaces in the same zone is forwarded at step 3 without any policy check unless intra-zone blocking is enabled for that zone.
Packet Flow Example
Figure: topology for the example. Zones: External Zone, Private Zone, Public Zone. Addresses shown: 1.1.70.250 on 1.1.70.0/24; 10.1.10.5 on 10.1.10.0/24; 10.1.20.5 on 10.1.20.0/24; 200.5.5.5; transit networks 10.1.1.0/24, 10.1.2.0/24, 1.1.7.0/24 and 1.1.8.0/24 using .1/.254 addressing; routers labelled A, B, C and D.
Packet Flow Example
Inbound packet: SRC-IP 10.1.20.5, DST-IP 200.5.5.5, SRC-Port 1042, DST-Port 80, Protocol 6 (TCP)
1. Existing Session? No
   Session Table
   Address Pair   Protocol   Port Pair
   (no match)
2. Destination Reachable? Yes (200.5.5.5 matches only the default route, so the egress interface is E8 with next hop 1.1.8.254)
   Routing Table
   Net            Int   NHR
   10.1.1.0/24    E1    (connected)
   10.1.2.0/24    E2    (connected)
   10.1.10.0/24   E1    10.1.1.5
   10.1.20.0/24   E2    10.1.2.5
   0.0.0.0/0      E8    1.1.8.254
3. Inter-Zone Traffic? Yes (the source network 10.1.20.0/24 is reached through E2, zone Inside-Private; the egress E8 is in zone Outside)
   Zone Table
   Int   Zone
   E1    Inside-Private
   E2    Inside-Private
   E7    Inside-Public
   E8    Outside
Packet Flow Example (cont.)
4. Permitted by Policy? Yes (the HTTP rule matches)
   From Private to External
   SA            DA    Service   Action
   10.1.0.0/16   any   FTP       permit
   10.1.0.0/16   any   HTTP      permit
   10.1.0.0/16   any   ping      permit
   any           any   any       deny
Action: Forward Packet (SRC-IP 10.1.20.5, DST-IP 200.5.5.5, SRC-Port 1042, DST-Port 80, Protocol 6)
Action: Add to Session Table
   Session Table
   Address Pair            Protocol   Port Pair
   10.1.20.5  200.5.5.5    6          1042  80
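The four steps of this example, and the decision flow from the "NetScreen Decision Process/Packet Flow" slide, as an added Python model (not code from the slides or from ScreenOS). It assumes the policy's "Private" and "External" zones are the Inside-Private and Outside zones of the zone table, assumes service definitions for HTTP, FTP and ping, and keeps the session table as a dictionary keyed on the 5-tuple; the route, zone and policy tables are the ones from the example.

```python
"""Added example: a model of the NetScreen packet-flow decision process,
run over the tables from the packet-flow example. Zone names for the
policy and the service definitions are assumptions, as noted inline."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    src_port: int
    dst_port: int
    proto: int      # IP protocol number: 6 = TCP, 17 = UDP, 1 = ICMP
    in_iface: str   # ingress interface, used to derive the source zone


# Tables as given on the slides (constructed for this example).
ROUTES = [  # (network, interface, next-hop router or None if connected)
    ("10.1.1.0/24", "E1", None),
    ("10.1.2.0/24", "E2", None),
    ("10.1.10.0/24", "E1", "10.1.1.5"),
    ("10.1.20.0/24", "E2", "10.1.2.5"),
    ("0.0.0.0/0", "E8", "1.1.8.254"),
]
ZONES = {"E1": "Inside-Private", "E2": "Inside-Private",
         "E7": "Inside-Public", "E8": "Outside"}
# Service -> (protocol, destination port). Assumed definitions for the
# service names used on the slide; "ping" matches any ICMP.
SERVICES = {"HTTP": (6, 80), "FTP": (6, 21), "ping": (1, None)}
# Evaluated top-down. The slide's "Private"/"External" are assumed to be
# the Inside-Private/Outside zones of the zone table.
POLICIES = [  # (from_zone, to_zone, source network, service, action)
    ("Inside-Private", "Outside", "10.1.0.0/16", "FTP", "permit"),
    ("Inside-Private", "Outside", "10.1.0.0/16", "HTTP", "permit"),
    ("Inside-Private", "Outside", "10.1.0.0/16", "ping", "permit"),
    ("any", "any", "0.0.0.0/0", "any", "deny"),
]

SessionKey = Tuple[str, str, int, int, int]  # (src, dst, proto, sport, dport)


def route_lookup(dst_ip: str) -> Optional[Tuple[str, Optional[str]]]:
    """Longest-prefix match; returns (egress interface, next hop) or None."""
    dst = ip_address(dst_ip)
    best = None
    for net, iface, nhr in ROUTES:
        n = ip_network(net)
        if dst in n and (best is None or n.prefixlen > best[0]):
            best = (n.prefixlen, iface, nhr)
    return None if best is None else (best[1], best[2])


def _service_matches(name: str, pkt: Packet) -> bool:
    if name == "any":
        return True
    proto, port = SERVICES[name]
    return pkt.proto == proto and (port is None or pkt.dst_port == port)


def policy_lookup(pkt: Packet, src_zone: str, dst_zone: str) -> Tuple[str, str]:
    """First matching policy wins; returns (action, matched service name)."""
    src = ip_address(pkt.src_ip)
    for frm, to, src_net, service, action in POLICIES:
        if frm not in ("any", src_zone) or to not in ("any", dst_zone):
            continue
        if src not in ip_network(src_net) or not _service_matches(service, pkt):
            continue
        return action, service
    return "deny", "no match"


def decide(pkt: Packet, sessions: Dict[SessionKey, str],
           intra_zone_block: bool = False) -> Tuple[str, str]:
    """Walk the decision flow; returns (forward|drop, reason). A permitted
    first packet installs its 5-tuple in `sessions`."""
    key: SessionKey = (pkt.src_ip, pkt.dst_ip, pkt.proto, pkt.src_port, pkt.dst_port)
    reverse: SessionKey = (pkt.dst_ip, pkt.src_ip, pkt.proto, pkt.dst_port, pkt.src_port)
    # 1. Existing session? Later packets of an allowed flow, including the
    #    reply direction, match here and never reach the policy check.
    if key in sessions or reverse in sessions:
        return "forward", "existing session"
    # 2. Destination lookup.
    route = route_lookup(pkt.dst_ip)
    if route is None:
        return "drop", "destination unreachable"
    src_zone, dst_zone = ZONES[pkt.in_iface], ZONES[route[0]]
    # 3. Crossing zones, or intra-zone blocking enabled? If neither, the
    #    flowchart forwards without consulting policy.
    if src_zone == dst_zone and not intra_zone_block:
        return "forward", "intra-zone, no block"
    # 4. Policy lookup.
    action, service = policy_lookup(pkt, src_zone, dst_zone)
    if action != "permit":
        return "drop", f"denied by policy: {service}"
    # 5. Add to session table, then forward.
    sessions[key] = f"{src_zone}->{dst_zone}"
    return "forward", f"permitted by policy: {service}"


if __name__ == "__main__":
    table: Dict[SessionKey, str] = {}
    first = Packet("10.1.20.5", "200.5.5.5", 1042, 80, 6, "E2")
    print(decide(first, table), table)
    reply = Packet("200.5.5.5", "10.1.20.5", 80, 1042, 6, "E8")
    print(decide(reply, table))
```

Running it reproduces the slide: the first HTTP packet is permitted by the second policy and creates the session, and the reply from 200.5.5.5 is forwarded on the session match alone. The model also shows the two edge cases worth checking on a real device: a Telnet attempt from the same host falls through to the final deny, and host-to-host traffic between the two Inside-Private interfaces is forwarded with no policy evaluated unless the zone has intra-zone blocking turned on.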
Deploying NetScreen Devices
• Purpose-Built Security Gateways
  – Appliances
    • Support one (root) VSYS
    • Application: small office/home office, small enterprise
  – Systems
    • Support for multiple VSYS
    • Application: large enterprise, service provider
• NetScreen Remote Client
  – NetScreen VPN & Firewall Client Software
    • VPN Client provides standards-compliant IPsec and L2TP functionality from a desktop or laptop computer across a public or private TCP/IP network
    • Security Client provides personal firewall functionality
    • Available in 10, 100 and 1000 user licenses
    • Runs on Microsoft Windows OS
Juniper Networks Firewall/VPN Products
Figure: product positioning chart across the market segments Small Enterprise, Medium Enterprise, Large Enterprise and Carrier/Service Provider. Products shown: NS-Remote, NS-5400, NS-5200, NS-500, NS 5GT/HSC, ISG-1000/2000, SSG-20, SSG 520, SSG 550, SSG 5, SSG 140 (Wireless).
Summary
• In this module we covered:
  – Functions that must be performed by a NetScreen Security Gateway
  – Components and operation of the NetScreen Security Architecture
  – IP packet processing sequence in a NetScreen device
  – NetScreen product set and guidelines for deployment
Review Questions
1. Name four functions that a security gateway must perform.
2. Describe the components that make up the NetScreen security architecture.
3. Describe the IP packet processing sequence in a NetScreen security gateway.
4. How is a NetScreen appliance different from a system?