Network Security Principles & Practices – Chapter 2 – Defining Security Zones

Network Architecture
Zoning strategies
DMZ
Cisco PIX Firewall

Network Security Principles & Practices
By Saadat Malik
Cisco Press
2003

Network Security 2

Chapter 2 – Defining Security Zones
• What are security zones?
• DMZ
• Cisco PIX firewalls

Network Architecture
• The topological design of a network is one of the best defenses against network attacks.
• Zones are used to segregate the various areas of the network from each other.
• Different zones of the same network have different security needs.
• Zoning also gives better scalability.

Zoning strategies
1. Greater security needs call for more secure zones.
2. Access to each zone is controlled.
3. Publicly accessed servers are placed in separate zones from private servers.
4. To achieve the highest security, each server is placed in a separate zone. Why?
5. The ‘defense in depth’ principle: firewalls are used to separate the zones.

DMZ
• Different ways of creating demilitarized zones:
1. Using a 3-legged firewall
2. Placing the DMZ outside the firewall
   ‘Bastion hosts’ are placed in the DMZ.
   a) In the path between a firewall and the Internet
   b) Dirty DMZ
   Rationale?
3. Placing the DMZ between stacked firewalls

Cisco PIX Firewall
• Multiple interfaces, each with its own security level (lowest 0 .. 100 highest)
• May support multiple security zones, thus allowing multiple DMZs to be set up
• In general, a computer/device in a lower security zone cannot access a computer/device in a higher security zone, unless a ‘hole’ is created.
• Each security zone should have a unique number.

Cisco PIX Firewall
• Example configuration:
– nameif ethernet0 outside security0
– nameif ethernet1 inside security100
– nameif ethernet2 dmz
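The PIX rules on the last two slides (each interface carries a security level 0..100, every zone needs a unique number, and traffic flows by default only from a higher level to a lower one unless a ‘hole’ is opened) can be checked mechanically. The following is an added example, not code from the slides or from Cisco: it parses `nameif` lines of the form shown on the slide, rejects duplicate or out-of-range levels, and answers whether a flow between two zones is permitted by the default direction rule. The sample config is constructed here; the `security50` value on the `dmz` line is an assumption, since the slide's third line is cut off, and the `holes` parameter is a hypothetical stand-in for whatever explicit permit (conduit, static, or access list) an administrator would configure.

```python
"""Toy checker for the PIX security-level model described on the slides."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample: the three nameif lines from the slide. The dmz level (50)
# is an assumed value; the slide's own line is truncated before it.
SAMPLE_CONFIG = """\
nameif ethernet0 outside security0
nameif ethernet1 inside security100
nameif ethernet2 dmz security50
"""

# nameif <hardware-if> <zone-name> security<0..100>
NAMEIF_RE = re.compile(r"^nameif\s+(\S+)\s+(\S+)\s+security(\d{1,3})\s*$")


@dataclass(frozen=True)
class Zone:
    hw_interface: str
    name: str
    level: int


def parse_nameif(config: str) -> dict[str, Zone]:
    """Parse PIX 'nameif' statements into a zone-name -> Zone map.

    Raises ValueError on a level outside 0..100 or when two zones share a
    level, enforcing the slide's rule that every zone has a unique number.
    """
    zones: dict[str, Zone] = {}
    level_owner: dict[int, str] = {}
    for lineno, raw in enumerate(config.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # blank line or PIX comment
        m = NAMEIF_RE.match(line)
        if not m:
            continue  # some other PIX command; not modelled here
        hw, name, level_s = m.groups()
        level = int(level_s)
        if not 0 <= level <= 100:
            raise ValueError(f"line {lineno}: security level {level} is outside 0..100")
        if level in level_owner:
            raise ValueError(
                f"line {lineno}: zone {name!r} reuses level {level}, "
                f"already assigned to {level_owner[level]!r}"
            )
        level_owner[level] = name
        zones[name] = Zone(hw, name, level)
    return zones


def is_allowed(zones: dict[str, Zone], src: str, dst: str,
               holes: frozenset[tuple[str, str]] = frozenset()) -> bool:
    """Default PIX direction rule.

    Traffic initiated in a higher-level zone may reach a lower-level zone;
    the reverse is blocked unless an explicit (src, dst) hole exists.
    Equal levels never occur here because parse_nameif() rejects them.
    """
    s, d = zones[src], zones[dst]
    if s.level > d.level:
        return True
    return (src, dst) in holes


def policy_matrix(zones: dict[str, Zone],
                  holes: frozenset[tuple[str, str]] = frozenset()) -> dict[tuple[str, str], bool]:
    """Every ordered (src, dst) pair and whether the flow is permitted."""
    names = sorted(zones, key=lambda n: -zones[n].level)
    return {(a, b): is_allowed(zones, a, b, holes) for a in names for b in names if a != b}


if __name__ == "__main__":
    z = parse_nameif(SAMPLE_CONFIG)
    # One hypothetical hole: let the outside world reach the DMZ.
    for (a, b), ok in policy_matrix(z, frozenset({("outside", "dmz")})).items():
        print(f"{a:>8} -> {b:<8} {'permit' if ok else 'deny'}")
```

Run as a script, the matrix shows the three-zone layout the slides describe: `inside` may reach both `dmz` and `outside`, `dmz` may reach `outside` but not `inside`, and `outside` reaches `dmz` only because of the explicit hole. A duplicated `securityN` value is reported at parse time, which is the practical check behind the slide's "unique number" bullet.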