Advanced Penetration Testing and Security Analysis

Module 7
Designing a DMZ

Copyright © by EC-Council
EC-Council All Rights Reserved. Reproduction is Strictly Prohibited
Module Objective

This module will familiarize you with:

• DMZ Concepts
• DMZ Design Fundamentals
• Security Analysis for the DMZ
• Designing Windows DMZ
• Designing Sun Solaris DMZ
• Designing WLAN DMZ

Introduction

A Demilitarized Zone (DMZ) is a computer host or small network inserted as a “neutral zone” between a company’s private network and the outside public network.

It prevents outside users from getting direct access to the company’s server/network.

DMZ Concepts

The DMZ concept was born out of the need for separation of networks.

Use of a DMZ and its overall design and implementation can be relatively simple or extremely complex, depending on the needs of the particular network system.

A DMZ has proven to be more secure and to offer multiple layers of protection for the security of the protected networks and machines.

Multitiered Firewall with a DMZ Flow

DMZ Design Fundamentals

DMZ design is always a work in progress.

DMZ design carries great flexibility and change potential to keep the protection levels in an effective state.

DMZ designs generally consist of firewalls and segments that are protected from each other by firewall rules and routing, as well as the use of RFC 1918 addressing on the internal network.

Planning the topology and figuring out in advance the traffic flows, logical addressing, and any other factors that would affect the system’s planned operation is necessary.

Advanced Design Strategies

Consider the methods that might be used to provide VPN services to special connections, such as Frame Relay and PVC circuits or Internet-based home users.

Limit or restrict outbound traffic from the internal network to inappropriate services, such as FTP or messaging services.

Provide for out-of-band management capabilities on all DMZ design segments, as well as intrusion detection services where they are appropriate.

Types of Firewall and DMZ Architectures

Firewall and DMZ architectures are differentiated according to the design.

Firewall and DMZ architecture types include:

• "Inside vs. Outside" Architecture.
• "Three-Homed Firewall" DMZ Architecture.
• Weak Screened-Subnet Architecture.
• Strong Screened-Subnet Architecture.

"Inside vs. Outside" Architecture

In this architecture, a packet-filtering router acts as the initial line of defense.

There is no direct connection from the Internet or the router to the internal network.

The drawback of this architecture is that SMTP, DNS, and HTTP must either pass through the firewall to internal servers or be hosted on the firewall itself.

This can result in compromising internal server security.

"Inside vs. Outside" Architecture (cont’d)

"Three-Homed Firewall" DMZ Architecture

A three-homed firewall DMZ network can be accessed by the public, but it is isolated from the internal network.

It uses the following rules while evaluating traffic:

• Internal Network to the DMZ
• DMZ to the Internal Network
• Internet to the DMZ
• DMZ to the Internet
• Internet to the Internal Network
• Internal Network to the Internet

"Three-Homed Firewall" DMZ Architecture (cont’d)

Weak Screened Subnet Architecture

Weak screened subnet architecture is used when the routers have the better capacity for handling high-bandwidth data streams.

Strong Screened Subnet Architecture

Strong screened subnet architecture is useful as it supports high-volume traffic.

It distributes the workload equally, so it does not impair the network's capacity.

It also adapts to mixed firewall environments.

Public web servers in the DMZ will be available to outsiders without affecting the internal network.

Private systems on the internal network will be effectively isolated.

Strong Screened Subnet Architecture (cont’d)

Designing DMZ Using IPtables

Designing a DMZ using IPtables

A system for public access can be designed using two firewall systems.

The outside firewall restricts outsiders from accessing the “isolation network”.

The inside firewall restricts insiders from accessing the isolation network.

The outside firewall is also where the rules that protect the publicly-available systems are set up.

It allows the use of one public IP address to provide access to several different Internet servers.

Designing a DMZ using IPtables (cont’d)

# FORWARD: Enable Forwarding and thus IPMASQ
# Allow all connections OUT and only existing/related IN
iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i $INTIF -o $EXTIF -j ACCEPT
# Allow forwarding of incoming Port 80 traffic to DMZ Web server
iptables -A FORWARD -i $EXTIF -o $INTIF -d 192.168.1.6 -p tcp --dport 80 -j ACCEPT
# Catch all rule, all other forwarding is denied and logged.
# (drop-and-log-it is a user-defined chain; it must be created with
#  "iptables -N drop-and-log-it" and filled in before these rules are loaded)
iptables -A FORWARD -j drop-and-log-it
# Enable SNAT (MASQUERADE) functionality on $EXTIF
iptables -t nat -A POSTROUTING -o $EXTIF -j SNAT --to $EXTIP
# Enable DNAT port translation to DMZ Web server
iptables -t nat -A PREROUTING -i $EXTIF -d $EXTIP -p tcp --dport 80 -j DNAT --to 192.168.1.6
echo -e " Firewall server rule loading complete\n\n"

Designing a DMZ using IPtables (cont’d)

Designing a DMZ using IPtables (cont’d)

The inside firewall is used for internal traffic restriction.

The inside firewall restricts outgoing traffic to only those services that are allowed access to the isolated network.

This is accomplished by the command:

iptables -A FORWARD -i $EXTIF -o $INTIF -m state --state ESTABLISHED,RELATED -j ACCEPT

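The outside firewall of the two-firewall design, written out as one loadable script. This is an added example, not the module's own rules: it keeps the module's DMZ web server at 192.168.1.6 but assumes the interface names eth0/eth1, the public address 203.0.113.10 (a documentation range), a second published mail server at 192.168.1.7, and a body for the drop-and-log-it chain, which the module's rules jump to but never define. The IPT variable defaults to echo, so the script prints the rules it would load; set IPT=iptables to apply them on the firewall host.

```sh
#!/bin/sh
# Outside firewall for the two-firewall DMZ design: one public IP ($EXTIP),
# publicly reachable servers on the isolation network behind $INTIF.
# Added example, not the module's script. Interface names, the public and
# mail-server addresses and the logging chain body are assumptions.
# Dry run by default: IPT=iptables ./outside-fw.sh applies the rules for real.

IPT="${IPT:-echo iptables}"          # dry run: print rules instead of loading them
EXTIF="${EXTIF:-eth0}"               # assumed public-facing interface
INTIF="${INTIF:-eth1}"               # assumed interface toward the isolation network
EXTIP="${EXTIP:-203.0.113.10}"       # assumed public address (TEST-NET-3 range)
WEB_DMZ="${WEB_DMZ:-192.168.1.6}"    # DMZ web server, as in the module's rules
MAIL_DMZ="${MAIL_DMZ:-192.168.1.7}"  # assumed second server behind the same public IP

# The user-defined chain the module's catch-all rule jumps to: rate-limited
# LOG, then DROP. Without it, "-j drop-and-log-it" fails to load.
define_drop_and_log() {
    $IPT -N drop-and-log-it
    $IPT -A drop-and-log-it -m limit --limit 5/min -j LOG --log-prefix "FW-DROP: "
    $IPT -A drop-and-log-it -j DROP
}

# One published service: DNAT on the public IP plus the matching FORWARD accept.
# Usage: publish <proto> <public port> <dmz address> <dmz port>
publish() {
    proto=$1 pubport=$2 dst=$3 dstport=$4
    $IPT -t nat -A PREROUTING -i "$EXTIF" -d "$EXTIP" -p "$proto" --dport "$pubport" \
        -j DNAT --to-destination "$dst:$dstport"
    $IPT -A FORWARD -i "$EXTIF" -o "$INTIF" -d "$dst" -p "$proto" --dport "$dstport" \
        -m state --state NEW -j ACCEPT
}

load_outside_firewall() {
    $IPT -P FORWARD DROP            # default deny: nothing forwards unless a rule allows it
    define_drop_and_log
    # Replies to connections the isolation network opened, and to published services
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Anti-spoofing: RFC 1918 sources must never arrive on the public interface
    $IPT -A FORWARD -i "$EXTIF" -s 10.0.0.0/8 -j drop-and-log-it
    $IPT -A FORWARD -i "$EXTIF" -s 172.16.0.0/12 -j drop-and-log-it
    $IPT -A FORWARD -i "$EXTIF" -s 192.168.0.0/16 -j drop-and-log-it
    # Several servers behind one public IP, distinguished by port (the module's point)
    publish tcp 80 "$WEB_DMZ" 80
    publish tcp 25 "$MAIL_DMZ" 25
    # Outbound from the isolation network, source-translated to the public IP
    $IPT -A FORWARD -i "$INTIF" -o "$EXTIF" -m state --state NEW -j ACCEPT
    $IPT -t nat -A POSTROUTING -o "$EXTIF" -j SNAT --to-source "$EXTIP"
    # Catch-all: everything else is denied and logged
    $IPT -A FORWARD -j drop-and-log-it
}

# Number of rules a dry run emits, for a quick sanity check of the ruleset.
count_rules() {
    load_outside_firewall | grep -c '^iptables '
}

load_outside_firewall
```

Ordering matters: the ESTABLISHED,RELATED rule comes first so replies are matched cheaply, the anti-spoofing drops precede every accept, and the catch-all stays last. Run the script in dry-run mode and compare the printed rules with the intended policy before loading it on the host.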
Designing Windows DMZ

Designing Windows DMZ

1. Select all the networking hardware you will need.

2. Scale up the number of connections to the Internet, since VPN services, external DNS, and other services will be added sooner rather than later.

3. Add more bandwidth and site-to-site VPN services off the external Internet routers, and make sure that the router has crypto cards (to use IPsec for VPNs) installed.

4. Set up a load-balanced solution with multiple IIS servers and a possible backend database cluster for scalability reasons.

5. Make sure that users can obtain the information they need about your company without accessing the internal network, accessing only the DMZ.

6. Segment Internet-based resources via the DMZ for an added level of safety.

7. Finalize your network layout.

Precautions for DMZ Setup

Secret, protected, confidential, and proprietary information should be stored behind your firewall and DMZ, on your internal network.

Servers on the DMZ shouldn’t contain sensitive trade secrets, source code, or proprietary information.

The following components may reside in the DMZ:

• A web server that holds public information.
• Electronic commerce-based solutions always wind up on the DMZ.
• A mail server that relays outside mail to the inbox.
• VPN solutions are prevalent in the DMZ.
• Security devices.

Security Analysis for the DMZ

Zone 1:
• Zone 1 is most vulnerable to exploitation.
• Zone 1 is where you need to consider your external router and switch security, as well as the outside port of your firewall.
• Zone 1 is where you would consider placing your network-based IDS.

Zone 2:
• It is the actual DMZ.
• The DMZ is where we have placed our Windows 2000 servers and the services they offer, such as external DNS and web services.

ISA Server Support to DMZ Configuration

The ISA firewall uses ISA firewall networks to determine connectivity of the networks.

The ISA firewall network is also used to determine the routing relationship between the source and the destination network.

An IP address can be used only once on an ISA firewall network.

All interfaces installed on the ISA firewall must be located on different network IDs.

ISA Server Support to DMZ Configuration (cont’d)

Perform the following steps to create the DMZ ISA firewall network:

• In the Microsoft Internet Security and Acceleration Server 2004 management console, expand the server name, and then expand the Configuration node. Click the Networks node.
• On the Networks node, click the Networks tab in the details pane of the ISA firewall console. In the Tasks tab in the Task Pane, click the Create a New Network link.
• On the Welcome to the New Network Wizard page, enter DMZ in the Network name text box. Click Next.
• On the Network Type page, select the Perimeter Network option and click Next.
• On the Network Addresses page, click the Add Adapter button.
• In the Select Network Adapters dialog box, put a checkmark in the DMZ interface’s checkbox. The network information pulled from the Windows routing table appears in the Network Interfaces Information box. Click OK.

ISA Server Support to DMZ Configuration (cont’d)

• Click Next on the Network Addresses page.
• Click Finish on the Completing the New Network Wizard page.
• The new ISA firewall Network appears in the list of Networks on the Networks tab.

Designing Sun Solaris DMZ

Placement of Servers

Placing the system on the DMZ depends on network requirements.

Smaller networks generally place the DMZ server directly behind the router.

Advanced Implementation of a Solaris DMZ Server

The basic configuration makes it difficult to monitor the network outside the DMZ server with the network IDS tool.

Placing a switch immediately behind the router gives us the ability to expand or contract the network as necessary.

The host is connected to the outside network to provide monitoring of attempted attacks.

Solaris DMZ Servers in a Conceptual Highly Available Configuration

All systems in the cluster maintain an active connection to other systems in the cluster via the switch.

The only system in the cluster that maintains active connections outside the failover information switch is the active DMZ system.

When the primary DMZ system fails, it deactivates via information over the failover communication network, and the next system in the cluster brings up its network interfaces to perform the job of the primary DMZ server.

Private and Public Network Firewall Ruleset

A firewall ruleset dictates the exact types of network activity permitted by the DMZ server.

Commonly used firewall rules include a stealth rule that prevents any direct connection to the firewall.

Rules Implemented on the Solaris DMZ Server for Private Network Traffic

Rules Implemented on the DMZ Server for the Public Network

DMZ Server Firewall Ruleset

The ideal implementation keeps the DMZ host unreachable from all systems except the system from which remote administration may be performed.

Example of Rules Implemented on the Solaris DMZ Server to Protect the DMZ Server

Solaris DMZ System Design

Hardware selection:
• Solaris is predominantly used on Sun or Sun-clone hardware
• Sufficient processing power and memory (RAM), interface cards
• Switches and routers with a Fast Ethernet interface

Software selection:
• Operating system (Solaris) that will run on the host
• Firewall software package:
  • Check Point FireWall-1
  • Check Point Cluster
• Any other third-party software packages that might be required, i.e. host security software

Hardening Checklists for DMZ Servers and Solaris

Has a model or diagram of the host been made?

Is the host physically secured?

Has the host been kept segregated from all networks?

Have all the recommended patches been applied?

Has increased logging of system activity been implemented?

Are data backups secure from physical access?

Are data backups secure from being overwritten?

Have all remote administration utilities been sufficiently secured?

Has all unnecessary software been removed?

Hardening Checklists for DMZ Servers and Solaris (cont’d)

Has the system been hardened manually or by using an automated tool?

Have all unnecessary services been disabled?

Have all unnecessary processes been disabled?

Has host security been layered using:
• Role-based access control?
• Granular file access control lists?
• Restrictive environments?

Have any additional security-enhancing system variables been set?

Has the firewall rule policy been implemented for the host?

Has the HIDS been installed?

Designing Wireless DMZ

Placement of Wireless Equipment

A wall can block the signal, or interference from other 2.4 GHz devices, such as cordless phones and microwaves, or other access points might cause too much noise and effectively cancel out your signal.

Conduct a site survey to determine the proper number of access points you need based on the expected number of users and your specific environment.

Access to DMZ and Authentication Considerations

You should have a firewall in place, or at least a router with access control lists (ACLs), to monitor and control connections in the DMZ.

Use network cards and access points supporting the new WPA2 standard.

Use encryption and authentication methods:

• WEP
• EAP and 802.1x

Wireless DMZ Components

Access points, network adapters, authentication servers (Remote Authentication Dial-in User Service (RADIUS) server), and wireless gateways

Firewalls and Screening Routers

Other Segmentation Devices

• SSH2 servers
• VPN servers
• Virtual LANs (VLANs)
• Layer 3 switches

Wireless DMZ using RADIUS to Authenticate Users

WLAN DMZ Security Best Practices

Perform a risk analysis and develop a comprehensive security policy.

Review available security features of wireless devices to see if they fulfill your security requirements.

The 802.11 and Wi-Fi standards specify only a subset of features that are available on a wide range of devices.

Check the wireless vendors’ websites frequently for firmware updates and apply them to all wireless devices.

Always use WPA or WPA2 encryption.

Always change the default administrative password and SSID used to manage the AP.

WLAN DMZ Security Best Practices (cont’d)

Do not put any kind of identifying information in the SSID, such as the company name, address, products, divisions, and so on.

If possible, disable SSID broadcasts.

Do not use shared-key authentication.

Try to place it in the center of the building so that interference will hamper the efforts of.

If possible, purchase an AP that allows you to reduce the size of the wireless zone (cell sizing) by changing the power output.

Educate yourself and users in the operation and security of wireless networks.

Designing Linux DMZ

Ethernet Interface Requirements and Configuration

A DMZ network can be designed with the use of a single Linux firewall with three Ethernet cards.

DMZ setup and forwarding public traffic to internal servers can be done as follows:

• Consider the following DMZ host with 3 NICs:
• eth0 with 192.168.1.1 private IP address - Internal LAN ~ Desktop systems
• eth1 with 202.54.1.1 public IP address - WAN connected to ISP router
• eth2 with 192.168.2.1 private IP address - DMZ connected to mail/web/DNS and other private servers

Ethernet Interface Requirements and Configuration (cont’d)

Ethernet Interface Requirements and Configuration (cont’d)

Routing traffic between a public and DMZ server:

• Rules are set to route all the incoming SMTP requests to the dedicated mail server.
• Network Address Translation (NAT) uses the PREROUTING chain of the nat table to forward the packets to the proper destination.
• Traffic routing between LAN to DMZ and public interface to DMZ can be done with appropriate IPtables rules, where:
• -i eth1 : WAN network interface
• -d 202.54.1.1 : WAN public IP address
• --dport 25 : SMTP traffic
• -j DNAT : the DNAT target sets the destination address of the packet to the one given with --to-destination
• --to-destination 192.168.2.2 : mail server IP address (private IP)

Ethernet Interface Requirements and Configuration (cont’d)

### end init firewall .. Start DMZ stuff ####
# forward traffic between DMZ and LAN
iptables -A FORWARD -i eth0 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth2 -o eth0 -m state --state ESTABLISHED,RELATED -j ACCEPT
# forward traffic between DMZ and WAN servers SMTP, Mail etc
iptables -A FORWARD -i eth2 -o eth1 -m state --state ESTABLISHED,RELATED -j ACCEPT
iptables -A FORWARD -i eth1 -o eth2 -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
# Route incoming SMTP (port 25) traffic to DMZ server 192.168.2.2
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 25 -j DNAT --to-destination 192.168.2.2
# Route incoming HTTP (port 80) traffic to DMZ server load balancer IP 192.168.2.3
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 80 -j DNAT --to-destination 192.168.2.3
# Route incoming HTTPS (port 443) traffic to DMZ server reverse load balancer IP 192.168.2.4
iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 --dport 443 -j DNAT --to-destination 192.168.2.4
### End DMZ .. Add other rules ###

Ethernet Interface Requirements and Configuration (cont’d)

Multiport redirection:

• The multiport IPtables match module can be used to match several source or destination ports in one rule.
• For example, to route incoming HTTP (port 80) and HTTPS (port 443) traffic to the WAN-facing server load balancer at IP 192.168.2.3:

iptables -t nat -A PREROUTING -p tcp -i eth1 -d 202.54.1.1 -m multiport --dport 80,443 -j DNAT --to-destination 192.168.2.3

Drawbacks:

• The firewall becomes a single point of failure for the network.
• The firewall host must be able to handle all of the traffic going to the DMZ as well as the internal network.

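The three-NIC design as a script, with a check for the failure mode that matters most in it: a FORWARD rule that lets a DMZ host open new connections into the LAN, which is exactly what the ESTABLISHED,RELATED-only rule for eth2 to eth0 exists to prevent. This is an added example, not the module's script. It uses the module's interfaces and addresses (and its multiport form for 80 and 443); the dry-run IPT variable, the good/bad rule variants and the audit_dmz_to_lan function are assumptions for illustration.

```sh
#!/bin/sh
# Three-NIC Linux DMZ firewall (eth0 LAN, eth1 WAN, eth2 DMZ) as in the module,
# plus a small audit of the generated ruleset for one specific misconfiguration:
# a rule that lets DMZ hosts initiate NEW connections into the LAN.
# Added example, not the module's own script. The IPT dry-run variable, the
# "bad" variant and the audit function are assumptions; addresses are the module's.

IPT="${IPT:-echo iptables}"   # dry run by default; IPT=iptables applies the rules
LAN=eth0 WAN=eth1 DMZ=eth2
WAN_IP=202.54.1.1
MAIL_DMZ=192.168.2.2 WEB_LB=192.168.2.3

# Emit the DMZ forwarding and NAT rules. $1 selects a variant:
#   good - DMZ may only answer the LAN (ESTABLISHED,RELATED), as in the module
#   bad  - a misconfiguration that also lets the DMZ initiate into the LAN
dmz_rules() {
    variant=${1:-good}
    $IPT -P FORWARD DROP
    # LAN -> DMZ may initiate; DMZ -> LAN only replies
    $IPT -A FORWARD -i $LAN -o $DMZ -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    if [ "$variant" = bad ]; then
        $IPT -A FORWARD -i $DMZ -o $LAN -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    else
        $IPT -A FORWARD -i $DMZ -o $LAN -m state --state ESTABLISHED,RELATED -j ACCEPT
    fi
    # WAN -> DMZ may initiate (published services); DMZ -> WAN only replies
    $IPT -A FORWARD -i $WAN -o $DMZ -m state --state NEW,ESTABLISHED,RELATED -j ACCEPT
    $IPT -A FORWARD -i $DMZ -o $WAN -m state --state ESTABLISHED,RELATED -j ACCEPT
    # Published services on the single public address
    $IPT -t nat -A PREROUTING -p tcp -i $WAN -d $WAN_IP --dport 25 -j DNAT --to-destination $MAIL_DMZ
    $IPT -t nat -A PREROUTING -p tcp -i $WAN -d $WAN_IP -m multiport --dports 80,443 -j DNAT --to-destination $WEB_LB
}

# Audit: does any FORWARD accept rule let $DMZ open NEW connections toward $LAN?
# Reads the dry-run rule text on stdin; prints offenders and returns 1 if any exist.
audit_dmz_to_lan() {
    offenders=$(grep -e '-A FORWARD' | grep -e "-i $DMZ -o $LAN" | grep -e '-j ACCEPT' \
                | grep -e '--state [A-Z,]*NEW' || true)
    if [ -n "$offenders" ]; then
        printf 'DMZ may initiate into LAN:\n%s\n' "$offenders"
        return 1
    fi
    return 0
}

# Convenience: 0 if the named variant passes the audit, 1 if it fails.
check_variant() {
    dmz_rules "$1" | audit_dmz_to_lan >/dev/null
}

dmz_rules good
if dmz_rules good | audit_dmz_to_lan >/dev/null; then
    echo "audit: DMZ hosts cannot initiate connections into the LAN"
fi
```

The audit is deliberately narrow: it reads the rules the script would load rather than the kernel's live tables, so it can run in a pipeline before anything is applied. The same pattern extends to the other invariant in this design, that the DMZ only answers the WAN and never opens connections outward, by swapping the interface pair.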
Protecting Internet Servers (Using DMZ Networks)

The following guidelines are useful in protecting Internet servers using DMZ networks:

• Disable all unnecessary services
• Run services “chrooted” whenever possible
• Run services with unprivileged UIDs and GIDs
• Delete or disable unnecessary user accounts
• Configure logging and check logs regularly
• Use firewall security policy and anti-IP-spoofing features

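A small audit for two items that recur in both the Solaris hardening checklist and the guidelines above: unnecessary listening services and unnecessary user accounts (accounts that still carry a login shell). This is an added example, not from the module. The three-column listener format, the two allowlists and both sample inputs are constructed for illustration; on a real host, feed it the host's own listener list in that form and its /etc/passwd.

```sh
#!/bin/sh
# Audit two hardening checklist items for a DMZ host:
#   1. listening ports that are not on the allowlist (unnecessary services)
#   2. accounts with a real login shell that are not on the allowlist
# Added example, not the module's. Allowlists, input format and sample data are constructed.

# Allowed listening TCP ports for a DMZ web/mail host (assumed policy)
ALLOWED_PORTS="22 25 80 443"
# Accounts that legitimately keep an interactive shell (assumed policy)
ALLOWED_SHELL_USERS="root admin"

# Constructed sample listener list, one per line: "proto local-address state"
SAMPLE_LISTENERS='tcp 0.0.0.0:22 LISTEN
tcp 0.0.0.0:80 LISTEN
tcp 0.0.0.0:443 LISTEN
tcp 0.0.0.0:111 LISTEN
tcp 127.0.0.1:25 LISTEN
tcp 0.0.0.0:23 LISTEN'

# Constructed sample /etc/passwd
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/sh
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
admin:x:1000:1000:admin:/home/admin:/bin/sh
oldvendor:x:1001:1001:vendor support:/home/oldvendor:/bin/bash
www:x:33:33:www:/var/www:/usr/sbin/nologin'

# Is $1 a member of the space-separated list $2?
in_list() {
    for item in $2; do [ "$item" = "$1" ] && return 0; done
    return 1
}

# Print listening ports not on the allowlist, one per line (listener list on stdin).
unexpected_listeners() {
    while read -r proto addr state; do
        [ "$state" = LISTEN ] || continue
        port=${addr##*:}                 # strip everything up to the last ':'
        in_list "$port" "$ALLOWED_PORTS" || echo "$port"
    done
}

# Print accounts with a usable login shell that are not on the allowlist (passwd on stdin).
unexpected_shell_accounts() {
    while IFS=: read -r user _ _ _ _ _ shell; do
        case "$shell" in
            */nologin|*/false) continue ;;   # locked accounts are fine
        esac
        in_list "$user" "$ALLOWED_SHELL_USERS" || echo "$user"
    done
}

# Run both checks over the samples; status 0 only when nothing unexpected is found.
audit_sample() {
    ports=$(printf '%s\n' "$SAMPLE_LISTENERS" | unexpected_listeners)
    users=$(printf '%s\n' "$SAMPLE_PASSWD" | unexpected_shell_accounts)
    [ -n "$ports" ] && echo "unexpected listening ports:" $ports
    [ -n "$users" ] && echo "accounts with a login shell:" $users
    [ -z "$ports" ] && [ -z "$users" ]
}

audit_sample || echo "audit: host does not meet the hardening policy"
```

On the sample data the audit reports ports 111 and 23 (portmapper and telnet, neither on the allowlist) and the oldvendor account, which still has /bin/bash; the checklist answer for that host is "no" on both the unnecessary-services and unnecessary-accounts questions until those are removed or disabled.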
DMZ Router Security Best Practice

Authenticate routing updates on dynamic routing protocols

Use ACLs to protect network resources and prevent address spoofing

Secure the management interfaces:
• Use SSH instead of Telnet and disable the HTTP server
• If possible, use AAA to authenticate, authorize, and log administrative access to the router using a TACACS+ or RADIUS server

Lock down the router services:
• If possible, use SNMP version 2. Use ACLs to restrict access to SNMP
• Use authentication and ACLs to secure NTP

Disable interface-related services:
• Disable redirects, disable ICMP unreachables, disable directed broadcast, disable proxy ARP

Disable unneeded services:
• Disable TCP and UDP small services, disable CDP, disable finger, disable password security, disable IP source route, disable the bootp server

Keep up to date on IOS bug fixes and vulnerabilities

DMZ Switch Security Best Practice

Secure the management interfaces:
• Use SSH instead of Telnet and disable the HTTP server
• If possible, use AAA to authenticate, authorize, and log administrative access to the switch using a TACACS+ or RADIUS server

Lock down the router services:
• If possible, use SNMP version , use ACLs to restrict access to SNMP
• Use authentication and ACLs to secure NTP

Disable unneeded services:
• Disable TCP and UDP small services, disable CDP, disable finger

Use VLANs to logically segment a switch and PVLANs to isolate hosts on a VLAN

Use port security to secure the input to an interface by limiting and identifying the MAC addresses of the hosts that are allowed to access the port

Do not use VTP on the DMZ switches; configure DMZ switches for transport mode

Keep up to date on IOS bug fixes and vulnerabilities and upgrade if necessary

Six Ways to Stop Data Leaks

1. Get a handle on the data
2. Monitor content in motion
3. Keep an eye on databases, which can contain a company’s informational crown jewels
4. Limit user privileges
5. Cover those endpoints (use of portable devices in company)
6. Centralize your intellectual property data

Reconnex

Reconnex has developed a high-performance, appliance-based information protection system that enables an organization to protect all information assets on its network.

The Reconnex system comprises two components:

• iGuard appliance: hardened, turnkey appliance solution for information monitoring and protection
• inSight console: centralized interface for managing security policies across multiple iGuard devices

Reconnex: Features

• Discover: detect sensitive content at rest and fingerprint this information so it can be protected in the future
• Monitor: classify and analyze all content in motion, across all ports and protocols, at gigabyte speeds
• Prevent: alerting, blocking and filtering to control what information is being sent or stored on the network at all times
• Control: leverage pre-built and custom policies, plus multi-system management and unified reporting for large-scale information protection
• Capture: gain historic perspective over content assets through classification, indexing, search and storage of all network events

Reconnex

Various Solutions: More Cost

Single Solution: Reconnex- iGuard

Reconnex (cont’d)

Summary

In this module, we discussed the techniques for designing DMZs.

We have reviewed DMZ concepts and the fundamentals of DMZ design.

We have discussed security analysis for the DMZ.

We have covered techniques for designing:

• A Windows DMZ.
• A Sun Solaris DMZ.
• A WLAN DMZ.
