Network Management – Lecture 5 – Part 1 – DMZ and VPN

When we talk about logical access control, we have to consider that there are only two types of service to be provided: public access services and private access services. Public access services are all the services that will be available to the public through the internet; they are the services that must be accessed by clients, by the curious, and they will also be accessed by attackers. So public services are the services accessed by everyone, available to everyone. Private services are the services that are only accessed internally, internal to the institution, to the company. There are situations in which some private service must be accessed by a remote user, that is, through the internet. So that I can provide remote access to a private service, I have to create a secure connection mechanism to that service. What I want to call attention to in this differentiation is that a private service that must be accessed remotely does not become a public service. A very simple example: there is a system inside the company, accessed through a terminal service, a virtual desktop or the like, and the people inside the company use it through that terminal service. If this system is for internal use by the company, that is, a service that must be accessed by company employees, it is not a public service; and if I have an employee who needs to access the system remotely, that does not make the system public. The system remains private, and I need to create a kind of connection that secures the access to this service; what is commonly used for that are virtual private networks, VPNs.

How do we create logical barriers to separate the security levels of the types of service? What is normally used is a firewall structure, and these firewalls will have rules that create these limits, these barriers. Considering the classes of service, public access and private (restricted) access, we end up with three levels. At the first level, separated from the internet by a set of filtering rules, there is a network that we call the demilitarized zone, the DMZ. The DMZ sits between an unsafe zone, the internet, and a safer zone, and its own security level is lower than that of the internal network. It is a subnet with its own isolated IP range, a separate network between the internet and the internal network, and on this network we put the servers that have public access: for example the web server that hosts the institution's page, the e-mail server that receives mail, the DNS server that answers public queries. All the publicly accessible services that must be reached by customers over the internet are placed on that network. Obviously the policy of filtering rules for accessing these servers will be permissive: I will allow clients to access these servers through the internet, and the same rules will allow even the attacker to access my services.

On a more restricted level, that is, on another, different security level, I will keep a second DMZ containing my restricted-access, private-access servers. Here we will have servers such as the database server, the servers hosting internal systems, the remote terminal server, the VPN server, the Active Directory server, the log server: all services that are only accessed internally, but which I want protected. I don't mix these servers with my internal network simply because of the possibility of an internal attack, that is, an internal computer infected with malicious software, or a malicious user, trying to carry out an intrusion. So note that I have filtering rules here too, to protect my internal servers, which sit on this subnet that is also isolated. The policy toward the internet, the rules for traffic coming from the internet, is restrictive: I don't want anyone to be able to reach these servers from the internet, so I'm going to have a lock so that no internet machine manages to access the internal servers. Internally, for these servers, I have permissive rules for the services they offer to my internal users, which does not mean that my internal users get permissive access to everything from the internal network. With that I have created layers of security: my highest security level is where the servers are, on this internal DMZ, while my public access servers stay on a DMZ segregated from them, and an external compromise does not mean that my internal services are compromised. For an attacker to get to the database, he will have to break into an external server, in the public DMZ, and from that server, if there is a rule allowing access from that public DMZ server to the internal DMZ, carry out the attack from there against the internal DMZ server. Imagine, for example, that I have the company's website here and a database of clients there: the attacker would have to break into the company's website and, from that server, carry out the attack against my database on the inside.

How are the internal networks treated? Ideally I create networks with their own security rules, with separate security levels, so usually what is done is to create an isolated network for each sector of the company: in an educational environment, for example, an isolated network for each computer lab, for each department; inside a company, a network for each sector, a network for the presidency, and so on. Each sector has its own network, and with that I can create isolation between these networks, that is, computers from one sector do not reach computers from another sector unless I allow it. What happens if a machine from sector 1 accesses a machine from sector 2? The traffic has to pass through this packet filtering equipment, and that access may not be allowed by the equipment, by the firewall, whose default is to block everything, so machines in one sector do not access machines in another sector. If the marketing sector wants to make a system available to all sectors, it puts that system where it belongs, inside the internal DMZ. So here I have access control: stations don't talk across sectors (within a sector, obviously, there is no restriction), but between sectors there is access control, and access from my internal stations to the services is controlled. If a machine in one sector is infected with a worm, for example, the worm will probably infect only the machines in that sector, unless I have permissive rules on the firewall that let this malicious software propagate across the network.

In the same way, if each sector has its own subnet, I gain the possibility of auditing: I have an address range for each sector, so each time a security incident happens and I have the record of the IP that originated the incident, or that was its target, I know which sector that address belongs to just by looking at it. So I have better segregation, better access control, better auditing, and I also make policy creation easier: if I have a requirement that, for example, the HR sector must be able to access Facebook, I can create a rule on my firewall saying that all machines from that subnet may reach that website. I can create rules by range of IP addresses, because each sector has its own range, and so I create a security policy per sector, generating the rules in my firewall structure using only those addresses.

So if my organizational structure is well organized, I end up creating a hierarchy of IP addresses that lets me create security rules and easy routing. Imagine a company XYZ; how do I organize it? The company will use the range 10.0.0.0/8. For the Rio Grande do Sul office I'm going to take 10.51.0.0/16, that is, all the equipment in Rio Grande do Sul has the prefix 10.51; in São Paulo it is 10.11, and in Rio de Janeiro 10.21. Just to justify the hierarchy (I don't have any machines yet), I'll say that the presidency, for instance, is 10.51.1.0/24; finance gets the prefix 10.51.2; HR is 10.51.3; IT is 10.51.4; marketing is 5, production is 6, and so on. In São Paulo the same structure applies: if I have finance in São Paulo, since my finance prefix is 2, it is 10.11.2; in Rio de Janeiro, if I had finance (which isn't the case), it would be 10.21.2. So I create a logical address distribution that lets me capture packets from the network and read them: 10.21.5.10 is the machine that produced the traffic; I know 10.21 is Rio de Janeiro, I know 5 is marketing, so I know it came from a machine on the marketing subnet in Rio de Janeiro. This makes things a lot easier. At the same time, I generate filtering rules that allow, as I said, HR to access Facebook: I say that packets whose origin is the HR /24 may reach that site, or that group of sites that is blocked for everyone else; however I organize the rules, I organize them according to that network. Likewise, if I have a rule saying that all machines from São Paulo may access a specific website or do something on the network, I apply a rule like: if it comes from 10.11.0.0/16 it is all the São Paulo equipment; if it comes from 10.21.0.0/16 it is all the equipment in Rio de Janeiro. So I use this hierarchy, this IP address structure, to facilitate routing and to facilitate the filtering rules, etc.
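As an added example (not code from the lecture), here is the three-level layout and the per-sector policy from the passages above written as a first-match rule table in Python, with the address hierarchy used both to write rules and to audit an address. The department numbers follow the lecture (1 presidency, 2 finance, 3 HR, 4 IT, 5 marketing, 6 production). Everything else is constructed for the example: the DMZ ranges 192.168.10.0/24 and 192.168.20.0/24, the server addresses and ports, 203.0.113.0/24 standing in for the social-network site that only HR may reach, and 198.51.100.5 for the site that only São Paulo may reach. The `attack_paths` search generalizes the lecture's two-hop scenario: it enumerates every chain of hosts an attacker would have to compromise in turn to open a connection to a target.

```python
import ipaddress
from collections import deque

def ip(a):
    return ipaddress.ip_address(str(a))

def net(n):
    return ipaddress.ip_network(n)

# The lecture's hierarchy: second octet = site, third octet = department.
SITES = {net("10.51.0.0/16"): "porto_alegre", net("10.11.0.0/16"): "sao_paulo",
         net("10.21.0.0/16"): "rio_de_janeiro"}
DEPARTMENTS = {1: "presidency", 2: "finance", 3: "hr", 4: "it", 5: "marketing", 6: "production"}

# Constructed for this example: the lecture gives no addresses for the DMZs or the servers.
INTERNAL, PUBLIC_DMZ, PRIVATE_DMZ = net("10.0.0.0/8"), net("192.168.10.0/24"), net("192.168.20.0/24")
WEB, MAIL, DNS = ip("192.168.10.10"), ip("192.168.10.20"), ip("192.168.10.30")
DB, AD = ip("192.168.20.10"), ip("192.168.20.20")
SERVICES = {WEB: {80, 443}, MAIL: {25}, DNS: {53}, DB: {5432}, AD: {389, 636}}
SOCIAL_SITE = net("203.0.113.0/24")      # stands in for the site only HR may reach
SP_ONLY_SITE = net("198.51.100.5/32")    # stands in for the site only São Paulo may reach
ANY = net("0.0.0.0/0")

def zone(a):
    a = ip(a)
    if a in PUBLIC_DMZ:
        return "public_dmz"
    if a in PRIVATE_DMZ:
        return "private_dmz"
    if a in INTERNAL:
        return "internal"
    return "internet"

def locate(a):
    """Audit helper: (site, department) read straight from the octets of an internal address."""
    a = ip(a)
    for prefix, site in SITES.items():
        if a in prefix:
            return site, DEPARTMENTS.get(a.packed[2], "unassigned")
    return None

def sector(a):
    """The /24 an internal address lives in: the unit of isolation between departments."""
    return ipaddress.ip_network(f"{ip(a)}/24", strict=False)

def department_nets(number):
    """The same department /24 at every site, e.g. 10.51.3.0/24, 10.11.3.0/24, 10.21.3.0/24."""
    return [net(f"{p.network_address + (number << 8)}/24") for p in SITES]

# Ordered rules (src, dst, dst ports or None for any, action): first match wins, default drop.
RULES = [
    (ANY, net(f"{WEB}/32"), {80, 443}, "accept"),        # public DMZ: permissive toward everyone,
    (ANY, net(f"{MAIL}/32"), {25}, "accept"),             # clients and attackers alike
    (ANY, net(f"{DNS}/32"), {53}, "accept"),
    (net(f"{WEB}/32"), net(f"{DB}/32"), {5432}, "accept"),   # the one hole from public to private DMZ
    (INTERNAL, net(f"{AD}/32"), {389, 636}, "accept"),    # internal stations get the offered services
    (INTERNAL, net(f"{DB}/32"), {5432}, "accept"),
    (ANY, PRIVATE_DMZ, None, "drop"),                     # the lock: nothing else reaches the private DMZ
    (INTERNAL, INTERNAL, None, "drop"),                   # departments do not talk to each other
    *[(n, SOCIAL_SITE, {443}, "accept") for n in department_nets(3)],   # every HR /24
    (INTERNAL, SOCIAL_SITE, None, "drop"),
    (net("10.11.0.0/16"), SP_ONLY_SITE, {443}, "accept"), # all of São Paulo is one /16
    (INTERNAL, SP_ONLY_SITE, None, "drop"),
    (INTERNAL, ANY, {80, 443}, "accept"),                 # ordinary browsing for the rest
]

def decide(src, dst, port):
    """Verdict for a new connection src -> dst:port crossing the packet filter."""
    s, d = ip(src), ip(dst)
    if zone(s) == zone(d) == "internal" and sector(s) == sector(d):
        return "accept"          # same department: the traffic never crosses the filter
    for src_net, dst_net, ports, action in RULES:
        if s in src_net and d in dst_net and (ports is None or port in ports):
            return action
    return "drop"

def attack_paths(attacker, target, max_hops=2):
    """Chains of hosts an attacker must compromise in turn to open a connection to target."""
    target, paths = ip(target), []
    queue = deque([(ip(attacker), [])])
    while queue:
        cur, hops = queue.popleft()
        for host, ports in SERVICES.items():
            if host == cur or host in hops:
                continue
            if not any(decide(cur, host, p) == "accept" for p in ports):
                continue
            if host == target:
                paths.append([str(h) for h in hops + [host]])
            elif len(hops) + 1 < max_hops:
                queue.append((host, hops + [host]))
    return paths
```

Run as `attack_paths("198.51.100.77", "192.168.20.10")` to see the lecture's point in one line: from the internet the only way to the database goes through the web server, while an internal station in any department reaches it directly, which is exactly why the private DMZ exists.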
With that, network administration becomes easier: I have a logical address distribution, which simplifies routing (I need to reach Rio de Janeiro? The route to 10.21.0.0/16 leaves through a particular router), I have simpler filtering rules, as I said, and I also have easier auditing, which is extremely important and which simplifies the application of the security policy. So the adoption of a hierarchical address structure is essential.

This firewall structure can be implemented using multiple pieces of equipment. The structure I'm talking about is this one: here we see three boxes, but I don't need three boxes and three pieces of equipment. I can build this structure with several devices, yes, but I can also use a single device with several network cards and several network ports. I can buy equipment that supports many network cards, or I can use equipment with only one or two network cards and adopt VLANs to create the networks, and so on. The hardware I use can be of any design; the number of devices will depend on the case, because logically I am creating this layered structure and I keep control over my rules, respecting the structuring of isolated networks with specific security criteria: a public DMZ, an internal DMZ, and so on. Of course I can also create as many isolated subnets as I want: if I want the hosting services on one network and the other services on other subnets, and the services that are only needed internally on yet another, I can do that too. So the distribution of servers and networks depends on the rules of the security policy that I define, and this policy has to be reflected in this structure and in these rules.

Now, regarding private remote access: I have a private service, a service that is only for internal use by the company, and I need to make this service available remotely, that is, through the internet. For that we use virtual private networks, VPNs, which are implemented by client-server applications: on one side I will have a VPN server and on the other a VPN client, and in this structure the VPN software performs the encapsulation, the compression and the encryption of the traffic. Compression is optional and not necessarily present; encapsulation and encryption of the traffic are. There are two types of encapsulation: I can encapsulate my traffic from the link level, layer 2, or from the network level, layer 3, so we say there are layer 2 VPNs and layer 3 VPNs. There are also types of VPN according to the kind of service we want to provide: there are VPNs that serve what we call the road warrior, which is the VPN of a client, be it a personal computer or an individual employee's machine, to the internal network; and there are site-to-site VPNs, for example branch to headquarters, that is, an entire network connecting to another network. Let's look at all these situations: layer 2 and layer 3, road warrior and site-to-site.

The first model of VPN we are going to see is the layer 3 one, which encapsulates from the network level and connects site to site. Imagine that in this place I have several machines, an entire network, and over here I have another network: for example, a network in Porto Alegre, 10.51, and a network in São Paulo, 10.11, and I want to connect Porto Alegre to São Paulo. In this design a station on the Porto Alegre network has a routing table: its network card is eth0 on 10.51.1.0/24 and its default gateway is 10.51.1.254, which is the eth0 card of the router. The router's eth1 card is 200.1.1.1, connected to the service provider's external router, 200.1.1.2, on a /30 network. The routing table of the Porto Alegre router says: 127.0.0.0/8 via lo; the internal network 10.51.1.0/24 via eth0; 200.1.1.0/30 via eth1; and the default route via 200.1.1.2, the provider's router. So these machines have a router, and the router has the provider's router as its default gateway. On the São Paulo side we also have internal machines, and the router there has a table with 127.0.0.0/8 via lo, 10.11.1.0/24 via eth0 (10.11.1.254, the internal card), 200.2.2.0/30 via eth1 (200.2.2.1), and 200.2.2.2 as the default router. So we have a normal situation: a network in Porto Alegre, a network in São Paulo, both connected to the internet, and for now the two networks do not talk to each other.

What we want is a connection between these two remote networks, and for that we need to install a client-server application that runs on these routing devices, on the routers. This is an alternative to the WAN links we also use a lot, Frame Relay, ATM and MPLS links: we are going to create a connection between two networks over the internet with this client-server application. We install the software on the routers: client software on one side and server software on the other. Let's imagine that on this side we have a VPN server listening on TCP port 5000 and on the other side a client using source port 1234, for example. The client connects to the server, establishing a TCP connection. When this software is installed on the routers, the first thing it does is create two virtual network cards, new network cards that appear on these two routers: on the Porto Alegre router it creates a card called tun0, for example, and in São Paulo it also creates a tun0. These virtual network cards are seen as normal network cards by the operating system, so they can be configured with an IP address: here we set 172.16.0.2/30 and there 172.16.0.1/30. So I simply have two network cards, each with an IP address; what exists between them is a TCP connection, and everything else stays the same. Besides adding these IPs, the software adds two routes to the routing table: a line saying that everything to 172.16.0.0/30 is on this tun0 card, and everything to São Paulo, 10.11.1.0/24, goes through the router 172.16.0.1, which is the other address. So it is as if these two cards were connected; in reality they are not, but it is as if they were. What the application does is say: look, there is a network 172.16.0.0/30 on this virtual card, and to get to the 10.11 network use this 172.16 network to reach São Paulo. The same happens on the other side: it puts the IP on that virtual card, says that 172.16.0.0/30 is on that card, and says that to reach the network 10.51.1.0/24 I use 172.16.0.2, the other card. So what the software did was create a connection between these two cards, and rules that make this router send to tun0 everything directed to São Paulo, and that router send to its tun0 everything directed to Porto Alegre.

So imagine that this machine, 10.51.1.1, sends a packet to São Paulo, to 10.11.1.11, from port 3000 to port 80. What happens to that packet? The sending machine sees that the destination, 10.11.1.11, is not on its own network, so it sends it to the router. The router receives it and looks it up in its table; it falls into the entry 10.11.1.0/24 via 172.16.0.1 dev tun0, this virtual network card that has the software behind it. What does the software do? It takes this packet and encrypts the whole packet; then it puts in front of the encrypted packet a new IP header and a new TCP header. This is what we call encapsulation: I take the old packet, encrypt it and treat it as data, as if my encrypted packet were my payload; then I add a new IP header and a new TCP header. The source IP of that new header is my external IP, 200.1.1.1; the destination IP is 200.2.2.1, the São Paulo router; the source port is 1234 and the destination port is 5000, that is, my VPN client application is sending to the VPN server application. Then the packet goes back to the router and is forwarded across the internet on this TCP connection; it arrives and is delivered to my VPN server software. When the server receives this packet, it removes the header that was added and decrypts the packet to recover the one that was encrypted; it then inserts it into the router as if the packet had arrived on tun0, as if it were entering through that virtual card. The router will see that the destination is 10.11.1.11, consult its table, see that it is on eth0, and deliver it. The return follows the same principle: that machine replies to 10.51.1.1, the route to 10.51.1.1 is via 172.16.0.2 on tun0, the packet is encrypted and sent through the TCP connection, decrypted, placed back into the router, and delivered to the internal network.

So simply by installing software and running this client-server application I can create this connection between the two routers, which causes all packets to be encrypted and transmitted over the internet on this TCP connection. An intruder on the internet who captures that traffic sees only a communication between a VPN client and a VPN server whose data is entirely encrypted, so he cannot know what is traveling there. Imagine that I have services in Porto Alegre and I want the São Paulo terminals to access an internal service: they will access it through Porto Alegre's internal IP, 10.51.something, and through this VPN route they will be able to reach that server as if they were inside the network, separated by a router but connected directly to Porto Alegre. From the user's point of view there is a link, a wire, a communication medium between the Porto Alegre router and the São Paulo router, and that link lets all the Porto Alegre stations reach the São Paulo stations. This is a VPN operating at layer 3, because it encapsulates from the IP header onward, and it is a VPN connecting two networks. Of course, if I want to apply a security policy to the access between Porto Alegre and São Paulo, it will have to be implemented in filtering equipment, which can be this router itself or some device placed somewhere along this connection: at some point in the connection I will have to place the equipment that applies the security rules for the access between Porto Alegre and São Paulo.

The second type of VPN is what we call the road warrior VPN. Here I have a computer, a person who may be at home, at a hotel, on the street, and who wants to access a service, an internal server, or the internal network. How do I create this link? Why not layer 3 here? Because if I create a layer 3 connection I will be creating an exclusive subnet for this equipment, as if this equipment were São Paulo and that one Porto Alegre, so I would have to burn an entire address range just for that one device, and that is not what I want. What I want is for this equipment to behave as if it were connected inside the company, to place it logically inside the company. To do this, to throw this equipment inside the company, I don't use layer 3, I don't encapsulate from IP; I have to encapsulate from layer 2, making this software become like a bridge, like a switch, a conduit between that equipment and my internal network. How does that work? What I have is a connection between a station and a network, and I want the VPN server to operate as if it were a two-port switch, as if it were a bridge. So again I have a client and a VPN server that can establish a TCP connection, for example: I have this server inside the company waiting for connections, and I have this equipment, the computer, with VPN client software running. What this software does is a bit more aggressive in terms of the changes it makes on the computer: it creates a tap0 network card, but this card sits on top of my real network card, so that all of the machine's network traffic is directed to tap0. My Ethernet or wireless card, whatever it is, is controlled by my software. Look at what happens: I have a VPN client program that knows my real routing table, the loopback, the home network 192.168.1.0/24, the default gateway; but what appears to my applications is a new network card that is zeroed, with no address, no route, nothing, as if the machine had lost its address. What happens then? The machine will generate a request, for example a DHCP request: it needs to get an IP address, so it generates a frame with its source MAC, the broadcast MAC as destination, no source IP and the broadcast address as destination, because it is doing DHCP discovery. That frame will be handed to my network card, that is, to the VPN software, which takes this DHCP request and encrypts it from layer 2 up, the whole frame, and adds a new IP header and a new TCP header. So this encrypted frame, with the header that was added, travels encapsulated and encrypted across the internet between the VPN client and the server. When it arrives at the server, the server removes the encapsulation header, decrypts the entire frame and throws the frame onto the network as if a station had generated that DHCP request. The DHCP server responds, the VPN server sends the response back over the TCP connection, and this machine then receives an internal IP address from the company. From that moment on it is as if the machine were inside: when the machine wants to browse, it will not browse through the internet on its local link; it will send, for example, an HTTP connection, this is encrypted by the virtual card, sent to the company, and it will reach the internet through the company's router. So if the company has a proxy with access control that does not allow the internal machines to reach Facebook, that terminal has no access to Facebook either from that moment on, because all the network traffic it generates is sent via the VPN to the internal network. The terminal behaves as if it were connected inside the company: it will be able to send documents to the internal printer, it will be able to access the same things it accesses when connected to the company's switch. So you have a lot of versatility, because there are employees, people outside the company, with equipment that can have internal access equivalent to that of an internal station through such a link.

And an attacker looking at the traffic will see just a TCP connection between the VPN client and the server. How does the attacker manage to perform any kind of attack on the network structure? He would have to get into the VPN, which means getting past the authentication mechanism. Note that VPNs support multiple authentication mechanisms: it can be a certificate signed by an internal certificate authority, it can be a USB token holding an access key, an access code, a username and password, or a mix of all of these, a username and password plus a token plus a certificate; ultimately the VPN software will implement the authentication mechanism most suitable for the institution where it is operating.

What is the user's view of this layer 2 structure? The user's notion is that he is connected directly to the internal network, as if he had left the network he is on today: a person who is at home, at the moment she establishes the VPN connection, leaves the home network, stops accessing the things on her home network and starts to access only the things on the institution's network. It is like taking the network cable or the wireless link and connecting it directly to a switch of the company.

In both cases, site-to-site and client-to-network, where do we put the VPN servers within this DMZ structure? What can be considered the most suitable solution, when I have a road warrior, a station connecting to an internal VPN server, is a DMZ with only the VPN server in it, because the traffic between the station and that server cannot be controlled by the firewall: it is encrypted. Imagine that this station tries to access this database. It needs to connect to the VPN server, and this connection is encrypted; when it tries to connect to the database, its traffic is encapsulated, transmitted to the VPN server, the VPN server decrypts the traffic and throws the plain traffic out again, and only then does the firewall allow or not that traffic to go to the database. So whatever that machine tries to do, all its communications will be encrypted, decrypted at the VPN server, and then controlled by the security policy implemented in this packet filter here. With that I get control over each client, each device, each computer that connects to that VPN: I can assign a specific IP to each one and I can have rules here saying employee 1 may access this server, employee 2 may access that one when remote. So when an employee connects remotely through the VPN he will be able to access such and such services, and employee 2 other services; I create specific rules for each employee who connects remotely, because remote access doesn't mean I release everything to him. I have a remote access policy of what each one may reach: internally the employee can access all systems, for example, but when connected remotely he will be able to access only some of them. With that I can create a policy of internal private access and another policy of remote private access.

When I want to connect two sites, I am connecting a router to another router, so I can create that connection and, since the traffic enters through tun0, I can filter what enters and what leaves through tun0 as if it were a regular network card; the same filtering rules apply. What kind of connection will I accept from head office to branch, and from branch to head office? I create these rules considering the tun0 card, so this administration is easier, done in the same place where I do the other rules, on the router itself, on the packet filtering equipment. So what is considered a suitable, robust solution is this: when I have site-to-site, I put my VPN software on the filtering equipment; when I have road warriors, I place a subnet just for the VPN server, for that control. Road warrior VPN servers in a DMZ allow remote station traffic to be controlled by the packet filter, simply because it appears in the clear after the VPN server decapsulates these packets, between the VPN server and the internal network. For site-to-site, the VPN can be placed on the firewall; it is the firewall itself that makes the existence of the VPN transparent and allows traffic control at both ends in the same place where I do traffic control between networks, between DMZs, between the internet and everything else: in the same equipment, in the same solution. Today I have control over what the internal network can access, what can go out, what can come in, and I also have control over what can happen to the traffic between headquarters and branch, between the two sites.
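As an added example (not code from the lecture), the packet walk for the layer 3 site-to-site VPN and the layer 2 road-warrior case above, in Python. The routing tables, the addresses (Porto Alegre 10.51.1.0/24 behind 200.1.1.1, São Paulo 10.11.1.0/24 behind 200.2.2.1, tunnel 172.16.0.0/30), the server port 5000, the client source port 1234 and the followed packet 10.51.1.1:3000 to 10.11.1.11:80 are the lecture's; the pre-shared key, the home machine's address 203.0.113.7 and the DHCP frame are constructed. The cipher is a toy built for the example (a SHA-256 keystream with an HMAC tag) so that the block runs with the standard library alone; a real VPN uses an authenticated cipher such as AES-GCM or ChaCha20-Poly1305. What the example shows is the part the lecture is about: the tunnel never looks inside what it wraps, so the same wrapper carries an IP packet (tun) or a whole Ethernet frame (tap), and a tampered outer packet is discarded at the server instead of being re-injected.

```python
import hashlib, hmac, ipaddress, os, struct

def ipv4_header(src, dst, proto, payload_len, ttl=64):
    """Minimal 20-byte IPv4 header (no options) with a correct header checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0, ttl, proto, 0,
                      ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    csum = sum(struct.unpack("!10H", hdr))
    while csum >> 16:
        csum = (csum & 0xFFFF) + (csum >> 16)
    return hdr[:10] + struct.pack("!H", ~csum & 0xFFFF) + hdr[12:]

def ipv4_addresses(pkt):
    """(src, dst) of a raw IPv4 packet as dotted strings."""
    return str(ipaddress.ip_address(pkt[12:16])), str(ipaddress.ip_address(pkt[16:20]))

def tcp_header(sport, dport, flags=0x18):
    """Minimal 20-byte TCP header; checksum left zero since nothing here reaches a wire."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 65535, 0, 0)

def tcp_ports(pkt):
    """(sport, dport) of the TCP segment that follows a 20-byte IPv4 header."""
    return struct.unpack("!HH", pkt[20:24])

class Router:
    """Routing table with longest-prefix match; entries are (network, next_hop, interface)."""
    def __init__(self, routes):
        self.routes = [(ipaddress.ip_network(n), via, dev) for n, via, dev in routes]

    def lookup(self, dst):
        addr = ipaddress.ip_address(dst)
        return max((r for r in self.routes if addr in r[0]), key=lambda r: r[0].prefixlen)

class Tunnel:
    """The VPN software behind tun0/tap0. TOY cipher (SHA-256 keystream + HMAC tag), constructed
    for this example; a real VPN uses an AEAD such as AES-GCM."""
    def __init__(self, key, local_pub, remote_pub, sport, dport):
        self.key, self.local_pub, self.remote_pub = key, local_pub, remote_pub
        self.sport, self.dport = sport, dport

    def _keystream(self, nonce, length):
        blocks = (hashlib.sha256(self.key + nonce + i.to_bytes(4, "big")).digest()
                  for i in range((length + 31) // 32))
        return b"".join(blocks)[:length]

    def encapsulate(self, inner):
        """Encrypt the whole inner packet (L3) or frame (L2) and prepend new IP + TCP headers."""
        nonce = os.urandom(12)
        ct = bytes(a ^ b for a, b in zip(inner, self._keystream(nonce, len(inner))))
        body = nonce + ct + hmac.new(self.key, nonce + ct, hashlib.sha256).digest()
        return (ipv4_header(self.local_pub, self.remote_pub, 6, 20 + len(body))
                + tcp_header(self.sport, self.dport) + body)

    def decapsulate(self, outer):
        """Strip the outer headers, verify the tag, decrypt; None if the tag does not match."""
        body = outer[40:]
        nonce, ct, tag = body[:12], body[12:-32], body[-32:]
        if not hmac.compare_digest(tag, hmac.new(self.key, nonce + ct, hashlib.sha256).digest()):
            return None
        return bytes(a ^ b for a, b in zip(ct, self._keystream(nonce, len(ct))))

# Routing tables from the lecture's diagram; the last two entries of each are the ones the VPN adds.
PORTO_ALEGRE = Router([("127.0.0.0/8", None, "lo"), ("10.51.1.0/24", None, "eth0"),
                       ("200.1.1.0/30", None, "eth1"), ("0.0.0.0/0", "200.1.1.2", "eth1"),
                       ("172.16.0.0/30", None, "tun0"), ("10.11.1.0/24", "172.16.0.1", "tun0")])
SAO_PAULO = Router([("127.0.0.0/8", None, "lo"), ("10.11.1.0/24", None, "eth0"),
                    ("200.2.2.0/30", None, "eth1"), ("0.0.0.0/0", "200.2.2.2", "eth1"),
                    ("172.16.0.0/30", None, "tun0"), ("10.51.1.0/24", "172.16.0.2", "tun0")])
KEY = b"pre-shared key, constructed for the example"
PA_VPN = Tunnel(KEY, "200.1.1.1", "200.2.2.1", 1234, 5000)   # client side, source port 1234
SP_VPN = Tunnel(KEY, "200.2.2.1", "200.1.1.1", 5000, 1234)   # server side, listening on TCP 5000

def sample_packet():
    """Constructed: 10.51.1.1:3000 -> 10.11.1.11:80, the packet the lecture follows."""
    segment = tcp_header(3000, 80, flags=0x02) + b"GET / HTTP/1.1\r\n"
    return ipv4_header("10.51.1.1", "10.11.1.11", 6, len(segment)) + segment

def site_to_site(packet):
    """Follow one packet from a Porto Alegre station to São Paulo; returns (trace, delivered)."""
    trace = []
    _, dst = ipv4_addresses(packet)
    net, via, dev = PORTO_ALEGRE.lookup(dst)
    trace.append(f"PA router: {dst} matches {net} via {via} dev {dev}")
    if dev != "tun0":
        return trace, packet
    outer = PA_VPN.encapsulate(packet)                  # the software behind tun0
    osrc, odst = ipv4_addresses(outer)
    net, via, dev = PORTO_ALEGRE.lookup(odst)
    trace.append(f"PA router: outer {osrc}->{odst} matches {net} via {via} dev {dev}")
    inner = SP_VPN.decapsulate(outer)                   # arrives on the server's TCP 5000
    if inner is None:
        trace.append("SP VPN server: tag mismatch, packet discarded")
        return trace, None
    _, dst = ipv4_addresses(inner)
    net, via, dev = SAO_PAULO.lookup(dst)
    trace.append(f"SP router: {dst} re-injected via tun0, matches {net} dev {dev}")
    return trace, inner

def dhcp_discover_frame(mac):
    """Constructed road-warrior frame: broadcast destination, no IP yet, as tap0 hands it over."""
    return b"\xff" * 6 + bytes.fromhex(mac.replace(":", "")) + b"\x08\x00" + b"<dhcp discover>"

def road_warrior(frame):
    """Layer 2: the client wraps the whole frame and the server bridges it out unchanged."""
    client = Tunnel(KEY, "203.0.113.7", "200.2.2.1", 40000, 5000)   # home machine, constructed
    return SP_VPN.decapsulate(client.encapsulate(frame))
```

Printing the trace from `site_to_site(sample_packet())` gives the three lookups the lecture narrates: the inner destination matches the route the VPN added and selects tun0, the outer 200.1.1.1 to 200.2.2.1 packet matches only the default route and leaves through eth1, and on the far side the recovered packet matches the directly connected 10.11.1.0/24 on eth0. The bytes the internet carries contain neither the inner addresses nor the HTTP request, which is all an eavesdropper gets to see.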
