OSI, Network Protocols,
Security and Infrastructures
Slide ke-5 Mata Kuliah: Keamanan Jaringan
Course Objectives
• Internet, Extranet, Intranet Components.
– Firewall, and Others
• Remote Access Security Management.
• Network and Protocols Security Mechanism.
– Secure Comm. Protocols, Dial-Up,
Authentication, Centralized Authentication.
• Avoiding single Point of Failure.
Internet/Intranet/Extranet
Components
• The Internet is host to countless
information services and numerous
applications, including the Web, email, FTP, etc.
• Because of the success and global use of the Internet, many of its technologies were adapted into the private business network.
Intranet
• Intranets provide users with access to the Web, email, and other services on internal servers that are not accessible to anyone outside the private network.
• An extranet is a part of an organization’s
network that has been sectioned off so that it acts as an intranet for the private network
Firewall
• Network device used to filter traffic and is typically deployed between a private
network and a link to the Internet.
– But it can be deployed between departments within an organization.
• Most firewall offer extensive logging,
auditing, and monitoring capabilities as well as alarms and basic Intrusion
Firewall (Cont.)
• There are four basic types of firewalls: – Static packet-filtering firewalls.
– Application-level gateway firewalls. – Circuit-level gateway firewalls.
Static Packet Filtering Firewall
• Examining data from a Message header, the rules are concerned with source,
destination, and port addresses.
• Known as first-generation firewalls: they operate at layer 3 (the Network layer).
– Unable to provide user authentication or to tell whether a packet originated from inside or
Application Level Gateway
Firewall
• Known as proxy firewall. A proxy is a mechanism that copies packets from one network into another;
– The copy process also changes the source and destination addresses to protect the
identity of the internal or private network.
Application Level Gateway
Firewall (Cont.)
• This type of firewall Negatively affects network performance because each
packet must be examined and processed as it passes through the firewall.
• Application-level gateways are known as second-generation firewalls, and they
Circuit-Level Gateway Firewall
• Communication sessions between trusted partners.
• They operate at the Session layer (layer 5) of the OSI model.
– SOCKS (from sockets ,as in TCP/IP ports) is a common implementation of a circuit-level gateway firewall.
– Second-generation firewalls because they
Statefull Inspection Firewall
• Known as Dynamic Packet Filtering. • Monitors the state of active connections
and uses this information to determine which network packets to allow through the firewall.
– They are known as third-generation firewalls, and they operate at the Network and
Statefull Inspection Firewall
(Cont.)
• Outgoing packets that request specific
types of incoming packets are tracked and only those incoming packets constituting a proper response are allowed through the firewall.
• Ports are closed unless an incoming packet requests connection to a specific port and then only that port is opened.
Multihomed Firewall
• Multihomed firewall have at least two
interfaces to filter traffic (they’re also known as dual-homed firewalls).
• A bastion host or a screened host is just a firewall system logically positioned between a private network and an untrusted network.
Firewall Deployment
Architecture
• There are three commonly recognized firewall deployment architectures:
– Single tier, – Two tier, and
Remote Access Security
Management
• Telecommuting, or remote connectivity, has become a common feature of business
computing.
• Remote access is the ability of a distant client to establish a communication session with a network.
– Using a modem to dial up directly to a remote access server.
– Connecting to a network over the Internet through a
Remote Access Security
Management (Cont.) - 1
• When outlining your remote access
security management strategy, be sure to address the following issues:
– Remote Connectivity Technology: This can include modems, DSL, ISDN, wireless
networking, and cable modems
Remote Access Security
Management (Cont.) - 2
• When outlining your remote access security management strategy, be sure to address the following issues:
– Authentication Protection: Password Authentication Protocol (PAP), Challenge Handshake Authentication Protocol (CHAP), Extensible Authentication Protocol (EAP), Remote Authentication Dial - In User Service (RADIUS), and Terminal Access Controller Access Control System (TACACS).
Network and Protocols Security
Mechanism
• In the next sections, we’ll discuss some of the more common network and protocol
security mechanisms :
– Secure Communication Protocols.
– Dial-Up Protocols.
– Authentication Protocols.
Secure Communication
Protocols
• Provide security services for application-specific communication channels are called secure communication protocols:
– Simple Key Management for IP (SKIP).
– SoftWare IP Encryption (SWIPE) .
– Secure Remote Procedure Call (S-RPC).
– Secure Sockets Layer (SSL).
Dial-Up Protocols
• Dial-up protocols such as those
described in the following list provide this function, not only for true dial-up links, but also for some VPN links:
– Point-to-Point Protocol (PPP).
Authentication Protocols
• Control how the logon credentials are
exchanged and whether those credentials are encrypted during transport:
– Challenge Handshake Authentication Protocol (CHAP).
– Password Authentication Protocol (PAP).
Centralized Remote
Authentication Services
• These mechanisms provide a separation of the authentication and authorization processes for remote clients from that
performed for LAN or local clients:
– Remote Authentication Dial - In User Service (RADIUS).
Avoiding Single Point of Failure
• A single point of failure is simply any element (such as: a device, service,
protocol, or communication link) that would cause total or significant downtime if
compromised, violated, or destroyed. – Affecting the ability of members of your
organization to perform essential work tasks. – The solutions: Redundant Server, Failover
Redundant Server
• Redundant servers can take numerous
forms. Server mirroring is when you deploy a backup system along with the primary
system.
– Periodically, the change document is sent to an offsite duplicate server where the changes are applied.
– This is also known as batch processing
Redundant Server (Cont.)
• Another type of redundant server is a Cluster. Clustering means deploying two or more
duplicate servers in such a way as to “share the workload“of a mission-critical application.
– A cluster controller manages traffic to and among the clustered systems to balance the workload across all clustered servers.
– As changes occur on one of the clustered
Redundant Server (Cont.)
Failover
• When backup systems exist, there needs to be a means by which you can switch over to the backup in the event the
primary system is compromised or fails. • Failover, is redirecting workload or traffic
to a backup system when the primary
Failover (Cont.)
• Manual rollover (cold rollover) requires an administrator to perform some change in
software or hardware configuration to switch the traffic load over the down primary to a secondary server.
• Automatic rollover (hot rollover) the switch from primary to secondary system is
RAID
• Redundant Array of Independent Disks (RAID) is a storage device mechanism that uses multiple hard drives in unique
combinations to produce a storage solution that provides better throughput as well as resistance to device failure.
• The two primary storage techniques employed by RAID are mirroring and
RAID (Cont.)
• Striping can be further enhanced by storing parity information.
• Parity information enables on-the-fly recovery or reconstruction of data lost due to the failure of one or more drives.
– Hardware-based RAID performs all the processing necessary for multidrive access on the drive
controllers.
RAID (Cont.)
• RAID 0 offers no fault tolerance, just
performance improvements. RAID 1 and 5
are the most common implementations of RAID.
• There are three forms of RAID drive swapping: hot, cold, and warm.
– Hot-swappable RAID allows for failed drives to be removed and replaced while the host
RAID (Cont.)
• There are three forms of RAID drive swapping: hot, cold, and warm.
– Cold-swappable RAID systems require the host server to be fully powered down before failed drives can be removed and replaced. – Warm-swappable RAID allows for failed
drives to be removed and replaced by disabling the RAID configuration via software, then
End of Slides
• Available at