
OSI, Network Protocols, Security and Infrastructures, Slide 5, Course: Network Security, by Setio Basuki


Academic year: 2018


OSI, Network Protocols, Security and Infrastructures

Slide 5, Course: Network Security

Course Objectives

• Internet, Extranet, Intranet Components.

– Firewall, and Others.

• Remote Access Security Management.

• Network and Protocols Security Mechanism.

– Secure Comm. Protocols, Dial-Up, Authentication, Centralized Authentication.

• Avoiding Single Point of Failure.

Internet/Intranet/Extranet Components

• The Internet is host to countless information services and numerous applications, including the Web, email, FTP, etc.

• Because of the success and global use of the Internet, many of its technologies were adapted into the private business network.

Intranet

• Intranets provide users with access to the Web, email, and other services on internal servers that are not accessible to anyone outside the private network.

• An extranet is a part of an organization’s network that has been sectioned off so that it acts as an intranet for the private network

Firewall

• Network device used to filter traffic and is typically deployed between a private network and a link to the Internet.

– But it can be deployed between departments within an organization.

• Most firewalls offer extensive logging, auditing, and monitoring capabilities as well as alarms and basic Intrusion

Firewall (Cont.)

• There are four basic types of firewalls:

– Static packet-filtering firewalls.

– Application-level gateway firewalls.

– Circuit-level gateway firewalls.

– Stateful inspection firewalls.

Static Packet Filtering Firewall

• Examining data from a message header, the rules are concerned with source, destination, and port addresses.

• Known as first-generation firewalls: they operate at layer 3 (the Network layer).

– Unable to provide user authentication or to tell whether a packet originated from inside or

Application Level Gateway Firewall

• Known as proxy firewall. A proxy is a mechanism that copies packets from one network into another;

– The copy process also changes the source and destination addresses to protect the identity of the internal or private network.

Application Level Gateway Firewall (Cont.)

• This type of firewall negatively affects network performance because each packet must be examined and processed as it passes through the firewall.

• Application-level gateways are known as second-generation firewalls, and they

Circuit-Level Gateway Firewall

• Communication sessions between trusted partners.

• They operate at the Session layer (layer 5) of the OSI model.

• SOCKS (from sockets, as in TCP/IP ports) is a common implementation of a circuit-level gateway firewall.

– Second-generation firewalls because they

Stateful Inspection Firewall

• Known as Dynamic Packet Filtering.

• Monitors the state of active connections and uses this information to determine which network packets to allow through the firewall.

– They are known as third-generation firewalls, and they operate at the Network and

Stateful Inspection Firewall (Cont.)

• Outgoing packets that request specific types of incoming packets are tracked and only those incoming packets constituting a proper response are allowed through the firewall.

• Ports are closed unless an incoming packet requests connection to a specific port and then only that port is opened.
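To make the contrast between the static packet-filtering slide and this stateful-inspection slide concrete, here is an added example in Python; it is not part of the original slides. Both filters are toy models built on a constructed packet type with constructed addresses (10.0.0.5, 203.0.113.10, 198.51.100.7) and one policy: internal clients may open web (port 80) sessions outward. The static filter can only say "allow inbound to ephemeral ports", so an unsolicited inbound packet that happens to match passes; the stateful filter records each outbound session and admits only inbound packets that answer a tracked session, which is exactly the "ports are closed unless requested" behaviour the slide describes.

```python
from collections import namedtuple

# Constructed packet model for the demo: direction is "out" (leaving the
# private network) or "in" (arriving from the Internet side).
Packet = namedtuple("Packet", "direction proto src_ip src_port dst_ip dst_port flags")

# --- Static (first-generation) packet filter: stateless header rules only ---
# Rules see nothing but header fields. To let replies to outbound web
# sessions come back, the filter has to leave the whole ephemeral
# destination-port range open inbound; it cannot tell a genuine reply from
# an unsolicited packet that merely matches the same rule.
STATIC_RULES = [
    # (direction, proto, destination port range, action)
    ("out", "tcp", (80, 80), "allow"),        # clients may reach web servers
    ("in",  "tcp", (1024, 65535), "allow"),   # "replies" to ephemeral ports
]

def static_filter(pkt):
    """First matching rule wins; anything unmatched is denied."""
    for direction, proto, (lo, hi), action in STATIC_RULES:
        if pkt.direction == direction and pkt.proto == proto and lo <= pkt.dst_port <= hi:
            return action
    return "deny"

# --- Stateful (third-generation) inspection: rules plus a connection table ---
class StatefulFirewall:
    def __init__(self):
        # tracked sessions, keyed as seen from the outbound direction
        self.table = set()

    @staticmethod
    def _key(pkt, reverse=False):
        if reverse:   # an inbound reply has src/dst swapped relative to the entry
            return (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)

    def check(self, pkt):
        if pkt.direction == "out":
            if pkt.proto == "tcp" and pkt.dst_port == 80:
                self.table.add(self._key(pkt))   # remember the outbound request
                return "allow"
            return "deny"
        # Inbound: only a packet answering a tracked outbound session passes;
        # every other port stays closed.
        return "allow" if self._key(pkt, reverse=True) in self.table else "deny"

def demo():
    """Run the same three constructed packets through both filters."""
    fw = StatefulFirewall()
    client_syn   = Packet("out", "tcp", "10.0.0.5", 40000, "203.0.113.10", 80, "SYN")
    server_reply = Packet("in",  "tcp", "203.0.113.10", 80, "10.0.0.5", 40000, "SYN-ACK")
    # Unsolicited inbound packet from a different host: source port 80 and an
    # ephemeral destination port, so it satisfies the static inbound rule.
    unsolicited  = Packet("in",  "tcp", "198.51.100.7", 80, "10.0.0.5", 40000, "SYN")
    packets = (client_syn, server_reply, unsolicited)
    return {
        "static":   [static_filter(p) for p in packets],
        "stateful": [fw.check(p) for p in packets],
    }

if __name__ == "__main__":
    print(demo())   # {'static': ['allow', 'allow', 'allow'], 'stateful': ['allow', 'allow', 'deny']}
```

The static filter admits all three packets; the stateful one admits the client's request and the server's reply but drops the unsolicited packet because no tracked session matches it. A production stateful firewall also ages entries out of the table and follows the TCP handshake and teardown, which this model omits.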

Multihomed Firewall

• Multihomed firewalls have at least two interfaces to filter traffic (they’re also known as dual-homed firewalls).

• A bastion host or a screened host is just a firewall system logically positioned between a private network and an untrusted network.

Firewall Deployment Architecture

• There are three commonly recognized firewall deployment architectures:

– Single tier,

– Two tier, and

Remote Access Security Management

• Telecommuting, or remote connectivity, has become a common feature of business computing.

• Remote access is the ability of a distant client to establish a communication session with a network.

– Using a modem to dial up directly to a remote access server.

– Connecting to a network over the Internet through a

Remote Access Security Management (Cont.) - 1

• When outlining your remote access security management strategy, be sure to address the following issues:

– Remote Connectivity Technology: This can include modems, DSL, ISDN, wireless networking, and cable modems.

Remote Access Security Management (Cont.) - 2

• When outlining your remote access security management strategy, be sure to address the following issues:

– Authentication Protection: Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Extensible Authentication Protocol (EAP), Remote Authentication Dial-In User Service (RADIUS), and Terminal Access Controller Access Control System (TACACS).

Network and Protocols Security Mechanism

• In the next sections, we’ll discuss some of the more common network and protocol security mechanisms:

– Secure Communication Protocols.

– Dial-Up Protocols.

– Authentication Protocols.

Secure Communication Protocols

• Protocols that provide security services for application-specific communication channels are called secure communication protocols:

– Simple Key Management for IP (SKIP).

– SoftWare IP Encryption (SWIPE).

– Secure Remote Procedure Call (S-RPC).

– Secure Sockets Layer (SSL).

Dial-Up Protocols

• Dial-up protocols such as those described in the following list provide this function, not only for true dial-up links, but also for some VPN links:

– Point-to-Point Protocol (PPP).

Authentication Protocols

• Control how the logon credentials are exchanged and whether those credentials are encrypted during transport:

– Challenge Handshake Authentication Protocol (CHAP).

– Password Authentication Protocol (PAP).
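As an added example that is not from the original slides, the following Python script simulates what PAP and CHAP each put on the link, since "whether those credentials are encrypted during transport" is the distinction the slide draws. The CHAP response value follows RFC 1994, MD5(Identifier || secret || Challenge); the shared secret, username and password are constructed demo values, and the function names (pap_credentials, chap_challenge, chap_response, chap_verify, run_chap) are chosen here, not a library API.

```python
import hashlib
import hmac
import os

# Constructed demo secret shared by peer and authenticator (provisioned out of band).
SHARED_SECRET = b"demo-shared-secret"

def pap_credentials(username, password):
    """PAP: the peer sends username and password as-is, so the password
    itself is what crosses the link."""
    return username.encode() + b":" + password.encode()

def chap_challenge(length=16):
    """The authenticator draws a fresh, unpredictable challenge per attempt."""
    return os.urandom(length)

def chap_response(identifier, secret, challenge):
    """RFC 1994 response value: MD5(Identifier || secret || Challenge).
    The secret never leaves the peer; only this 16-byte digest is sent."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()

def chap_verify(identifier, secret, challenge, response):
    """The authenticator recomputes the digest from its own copy of the secret."""
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)   # constant-time comparison

def run_chap(secret_on_peer, challenge=None, identifier=1):
    """One CHAP exchange. Returns the bytes an observer on the link would see
    and whether the authenticator accepted the peer."""
    challenge = chap_challenge() if challenge is None else challenge        # authenticator -> peer
    response = chap_response(identifier, secret_on_peer, challenge)         # peer -> authenticator
    accepted = chap_verify(identifier, SHARED_SECRET, challenge, response)
    return {"on_the_wire": challenge + response, "accepted": accepted}

def secret_visible_on_wire(wire_bytes, secret=SHARED_SECRET):
    """Did the secret itself appear in the transmitted bytes?"""
    return secret in wire_bytes

if __name__ == "__main__":
    print("PAP wire bytes :", pap_credentials("alice", "demo-password"))
    print("CHAP exchange  :", run_chap(SHARED_SECRET))
```

With PAP the password is readable in the captured bytes; with CHAP only a random challenge and a digest are transmitted, and because the challenge changes per attempt a recorded response is of no use for a later logon. Two caveats a practitioner should keep in mind: CHAP depends on MD5, as the RFC specifies, and the authenticator must keep the secret in recoverable form to recompute the digest.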

Centralized Remote Authentication Services

• These mechanisms provide a separation of the authentication and authorization processes for remote clients from that performed for LAN or local clients:

– Remote Authentication Dial-In User Service (RADIUS).

Avoiding Single Point of Failure

• A single point of failure is simply any element (such as a device, service, protocol, or communication link) that would cause total or significant downtime if compromised, violated, or destroyed.

– Affecting the ability of members of your organization to perform essential work tasks.

– The solutions: Redundant Server, Failover

Redundant Server

• Redundant servers can take numerous forms. Server mirroring is when you deploy a backup system along with the primary system.

• Periodically, the change document is sent to an offsite duplicate server where the changes are applied.

– This is also known as batch processing.

Redundant Server (Cont.)

• Another type of redundant server is a Cluster. Clustering means deploying two or more duplicate servers in such a way as to “share the workload” of a mission-critical application.

– A cluster controller manages traffic to and among the clustered systems to balance the workload across all clustered servers.

– As changes occur on one of the clustered

Redundant Server (Cont.)

Failover

• When backup systems exist, there needs to be a means by which you can switch over to the backup in the event the primary system is compromised or fails.

• Failover is redirecting workload or traffic to a backup system when the primary

Failover (Cont.)

• Manual rollover (cold rollover) requires an administrator to perform some change in software or hardware configuration to switch the traffic load over the down primary to a secondary server.

• Automatic rollover (hot rollover): the switch from primary to secondary system is

RAID

• Redundant Array of Independent Disks (RAID) is a storage device mechanism that uses multiple hard drives in unique combinations to produce a storage solution that provides better throughput as well as resistance to device failure.

• The two primary storage techniques employed by RAID are mirroring and

RAID (Cont.)

• Striping can be further enhanced by storing parity information.

• Parity information enables on-the-fly recovery or reconstruction of data lost due to the failure of one or more drives.

– Hardware-based RAID performs all the processing necessary for multidrive access on the drive controllers.
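Added example, not part of the original slides: a small Python model of striping with XOR parity, showing how the parity information mentioned on the slide lets the contents of one failed drive be rebuilt from the surviving drives. To keep the code short it uses a dedicated parity disk (the RAID 4 layout) rather than the rotated parity of RAID 5; the function names (xor_blocks, stripe, reconstruct, read_back, demo), the chunk size and the sample data are all constructed here.

```python
from functools import reduce
import operator

def xor_blocks(blocks):
    """Byte-wise XOR of equal-length blocks; this is the parity computation."""
    return bytes(reduce(operator.xor, column) for column in zip(*blocks))

def stripe(data, n_data_disks, chunk=4):
    """Split data into stripes of n_data_disks chunks and store one parity
    chunk per stripe on an extra disk. Returns (disks, original_length)."""
    stripe_bytes = n_data_disks * chunk
    length = len(data)
    data = data + bytes((-length) % stripe_bytes)    # zero-pad the last stripe
    disks = [[] for _ in range(n_data_disks + 1)]     # last disk holds parity
    for off in range(0, len(data), stripe_bytes):
        blocks = [data[off + i * chunk: off + (i + 1) * chunk] for i in range(n_data_disks)]
        for disk, block in zip(disks, blocks):
            disk.append(block)
        disks[-1].append(xor_blocks(blocks))
    return disks, length

def reconstruct(disks, failed):
    """Rebuild disk `failed` (data or parity) from the survivors. Because
    P = D0 ^ D1 ^ ... ^ Dn, any single missing block is the XOR of the rest.
    One parity block covers exactly one failed drive per stripe."""
    survivors = [d for i, d in enumerate(disks) if i != failed]
    return [xor_blocks(stripe_blocks) for stripe_blocks in zip(*survivors)]

def read_back(disks, n_data_disks, length):
    """Reassemble the data in stripe order, dropping the padding."""
    n_stripes = len(disks[-1])
    out = b"".join(disks[d][s] for s in range(n_stripes) for d in range(n_data_disks))
    return out[:length]

def demo(data=b"network security, slide 5", n_data_disks=3, failed=1):
    """Stripe the data, lose one disk, rebuild it on the fly and read back.
    Returns (rebuilt disk matches the lost one, recovered data)."""
    disks, length = stripe(data, n_data_disks)
    lost = disks[failed]
    disks[failed] = None                        # simulate the drive failure
    disks[failed] = reconstruct(disks, failed)  # rebuild from parity + survivors
    return disks[failed] == lost, read_back(disks, n_data_disks, length)

if __name__ == "__main__":
    print(demo())    # (True, b'network security, slide 5')
```

The same reconstruct call rebuilds a lost parity disk as well as a lost data disk, which is why a RAID set can resynchronise after any single drive is replaced. A RAID 0 set is this code without the parity disk: losing any drive loses the data, which is the "no fault tolerance" point on the next slide.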

RAID (Cont.)

• RAID 0 offers no fault tolerance, just performance improvements. RAID 1 and 5 are the most common implementations of RAID.

• There are three forms of RAID drive swapping: hot, cold, and warm.

– Hot-swappable RAID allows for failed drives to be removed and replaced while the host

RAID (Cont.)

• There are three forms of RAID drive swapping: hot, cold, and warm.

– Cold-swappable RAID systems require the host server to be fully powered down before failed drives can be removed and replaced.

– Warm-swappable RAID allows for failed drives to be removed and replaced by disabling the RAID configuration via software, then

End of Slides

• Available at
