Chapter 7 - 02 - Discuss Security Benefits of Network Segmentation - 05_ocred_fax_ocred.pdf

Full Transcript

Certified Cybersecurity Technician Network Security Controls - Technical Controls Exam 212-82 Network Segmentation Example: Demilitarized Zone (DM2Z) O 0 0O A computer subnetwork is placed between the organization’s private network such as a LAN, and an outside public network such as the Internet, and acts as an additional security layer Contains the servers that need to be accessed from an outside network * Web servers = Email servers = DNSservers Threelegged Internal Network Firewall DMZ configurations = Both internal and external networks can connect to the DMZ = Hosts in the DMZ can connect to external networks * But hosts in the DMZ can not connect to internal networks Copyright © by EC-Council Al Rights Reserved. Reproduction s Strictly Prohibited. Network Segmentation Example: Demilitarized Zone (DMZ) A Demilitarized Zone (DMZ) is a small network which is placed in between the organization's private network and an outside public network. It prevents an outsider from gaining direct access to the organization's server. For example, if an attacker uses a public network to access a DMZ host and penetrates it, then only the information on that host will be compromised. In this way, a DMZ acts as an additional security layer for networks and lowers the threat of intrusion in the internal network. A DMZ consists of the following types of servers, which need to be accessible from outside the network: = Web servers = Email servers *= Domain name system (DNS) servers DMZ configurations: = Both internal and external networks can connect to a DMZ ®= Hosts in the DMZ can connect to external networks = Hosts in the DMZ cannot connect to internal networks Module 07 Page 748 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Technical Controls Exam 212-82 RS RS R R R AR R R FRE R Internet tzzssssssssssssssssssEssE Internal Network Three-legged Firewall NN EEEEENENEEEESEEEEEREEEEE o NN " SRsRENERENNRERRNERRRRRRRRT RN QRN RRRN "... ". "..... DMZ Network. 566666 - Figure 7.37: Depiction of a DMZ Advantages of DMZ: = Separation of DMZ from LAN enables high-level protection of LAN. = |t provides an increased control of resources. = |t uses multiple software- and hardware-based products of different platforms in order to provide an additional layer of protection. = |t provides a high level of flexibility for internet-based applications such as email, web services, etc. Module 07 Page 749 Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Technical Controls Exam 212-82 Different Ways to Create a DMZ Single Firewall DMZ QO In this model, the network architecture containing the DMZ consists of three network interfaces O The first network interface connects the ISP to the firewall, forming network, whereas the second interface forms the internal network O The third interface forms the DM2 g the external...................................................... Firewall Interface 1 A Corporate Network Interface 2................................ BERIESES ot oA Incoming packets IRt e o cercrsasesssnneens H '.'fff.'!?.c.e..a.................. DMz : JRTTPPTPPN pereeneden, : Public web DNS server Extranet server Mail server $ seives Internal Network Copyright © by Different Ways to Create Dual Firewall DMZ L All Rights Reserved. Reproduction is Strictly Prohibited. (Cont’d) O This approach uses two firewalls to create a DMZ O The first firewall allows only sanitized traffic to enter the DMZ, whereas the second firewall conducts a double check on it O Itis the most secure approach in implementing Public Firewall Incoming a DMZ EC-{ a DMZ Internal Firewall Internet packets Public web server DNS server Extranet server Mail server Internal Network Copyright © by I L Al Rights Reserved. Reproduction is Strictly Prohibited. Different Ways to Create a DMZ Two basic methods for designing a network with a DMZ are using a single firewall (three-legged model) and using dual firewalls. It is also possible to extend these configurations according to the network requirements. = Single firewall DMZ: In this model, the network architecture containing the DMZ consists of three network interfaces. The first network interface connects the internet Module 07 Page 750 Certified Cybersecurity Technician Copyright © by EG-Gouncil All Rights Reserved. Reproduction is Strictly Prohibited. Certified Cybersecurity Technician Network Security Controls — Technical Controls Exam 212-82 service provider (ISP) to the firewall, forming the external network, whereas the second interface forms the internal network. The third interface forms the DMZ. The firewall acts as a single point of failure and should be able to manage all the traffic to the DMZ. Firewall ' Interface 1 Incoming packets Internet 7T T. Interface2 : eeieissssssseasessnaaes 5........................... --------------------------------------- Public web server DNS server Extranet server Mail server Internal Network Figure 7.38: Single firewall DMZ = Dual firewall DMZ: The dual firewall approach uses two firewalls to create a DMZ. The first firewall allows only sanitized traffic to enter the DMZ, whereas the second firewall conducts a double check on it. The dual firewall approach is the most secure approach in implementing a DMZ and it also adds the most complexity. Public Firewall Incoming packets Internet Internal Firewall g’ BREE Public web DNS server Extranet server Mail server Internal Network Figure 7.39: Dual firewall DMZ Any server that requires exposure to a public network can be placed in the DMZ. It is possible for security professionals to place servers such as web servers, DNS servers, e-mail servers, and file transfer protocol (FTP) servers in the DMZ clients. Module 07 Page 751 and enable access for internal and external Certified Cybersecurity Technician Copyright © by EG-Council All Rights Reserved. Reproduction is Strictly Prohibited.