Thursday, April 4, 2019
Functional Relationship Network Architecture
A computer network, often simply referred to as a network, is a collection of computers and devices interconnected by communication channels that enable communication among users and allow users to share resources. Networks may be classified according to a wide range of characteristics. A computer network allows sharing of resources and information among interconnected devices.

Fig1. Block diagram of computer network

Connection method
Computer networks can be classified according to the hardware and software technology that is used to interconnect the individual devices in the network, such as optical fiber, Ethernet or wireless LAN.

Functional relationship (network architecture)
Computer networks may be classified according to the functional relationships which exist among the elements of the network, e.g., active networking, client-server and peer-to-peer architecture.

Network topology
Computer networks may be classified according to the network topology upon which the network is based, such as bus network, star network, ring network or mesh network. Network topology is the arrangement by which devices in the network are organized in their logical relations to one another, independent of physical arrangement. Even if networked computers are physically placed in a linear arrangement and are connected to a hub, the network has a star topology, rather than a bus topology. In this regard the visual and operational aspects of a network are distinct. Networks may also be classified based on the method used to carry the data; these include digital and analog networks.

Fig2. Mesh topology
Fig3. Star topology
Fig4. Ring topology

What is a firewall?

Fig5. Firewall

A firewall is a part of a computer system or network that is designed to block unauthorized access while permitting authorized communications.
It is a device or set of devices that is configured to permit or deny network transmissions based upon a set of rules and other criteria. Firewalls can be implemented in either hardware or software, or a combination of both. Firewalls are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets. All messages entering or leaving the intranet pass through the firewall, which inspects each message and blocks those that do not meet the specified security criteria.

There are several types of firewall techniques:

Packet filter
Packet filtering inspects each packet passing through the network and accepts or rejects it based on user-defined criteria such as particular IP addresses. Although difficult to configure, it is fairly effective and mostly transparent to its users. It is susceptible to IP spoofing.

Fig6. Packet filters

This type of packet filtering pays no attention to whether a packet is part of an existing stream of traffic (i.e. it stores no information on connection state). Instead, it filters each packet based only on information contained in the packet itself. TCP and UDP protocols constitute most communication over the Internet, and because TCP and UDP traffic by convention uses well known ports for particular types of traffic, a stateless packet filter can distinguish between, and thus control, those types of traffic (such as web browsing, remote printing, email transmission, file transfer), unless the machines on each side of the packet filter are both using the same non-standard ports.

Packet filtering firewalls work mainly on the first three layers of the OSI reference model, which means most of the work is done between the network and physical layers, with a little bit of peeking into the transport layer to figure out source and destination port numbers.
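As an added illustration of the stateless packet filter just described (example code written for this page, not code from the post or from any firewall product; the rule set, addresses and packets are constructed), the following Python evaluates first-match rules against the header fields of a single packet. It also shows the limitation the text mentions: with no record of connection state, the filter cannot tell the reply to an allowed outbound request from an unsolicited inbound packet, so admitting replies means opening the whole high-port range inbound.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

ANY = "0.0.0.0/0"


@dataclass(frozen=True)
class Packet:
    """The only things a stateless filter can see: header fields of one packet."""
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                                # "accept" or "drop"
    src: str = ANY                             # CIDR the source address must fall in
    dst: str = ANY                             # CIDR the destination address must fall in
    proto: Optional[str] = None                # None means any protocol
    dports: Optional[Tuple[int, int]] = None   # inclusive destination port range, None = any

    def matches(self, p: Packet) -> bool:
        if ip_address(p.src) not in ip_network(self.src):
            return False
        if ip_address(p.dst) not in ip_network(self.dst):
            return False
        if self.proto is not None and self.proto != p.proto:
            return False
        if self.dports is not None and not (self.dports[0] <= p.dport <= self.dports[1]):
            return False
        return True


def filter_packet(rules: List[Rule], p: Packet, default: str = "drop") -> str:
    """First matching rule decides; nothing is remembered between packets."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return default


LAN = "192.168.1.0/24"            # constructed internal network
MAIL_SERVER = "192.168.1.25"      # constructed internal mail host

# Constructed policy: web browsing out of the LAN, mail in to one host, drop everything else.
RULES = [
    Rule("accept", src=LAN, proto="tcp", dports=(80, 80)),
    Rule("accept", src=LAN, proto="tcp", dports=(443, 443)),
    Rule("accept", dst=MAIL_SERVER, proto="tcp", dports=(25, 25)),
]

# The same policy plus the hole a stateless filter needs so that replies get back in.
RULES_WITH_REPLIES = RULES + [
    Rule("accept", dst=LAN, proto="tcp", dports=(1024, 65535)),
]

# Constructed packets.
OUTBOUND_HTTP = Packet("192.168.1.10", "203.0.113.5", "tcp", 51234, 80)
HTTP_REPLY = Packet("203.0.113.5", "192.168.1.10", "tcp", 80, 51234)
UNSOLICITED = Packet("198.51.100.7", "192.168.1.10", "tcp", 4444, 8080)
INBOUND_SMTP = Packet("198.51.100.7", "192.168.1.25", "tcp", 40000, 25)


def demo() -> dict:
    """Verdicts for each constructed packet under both rule sets."""
    return {
        "outbound_http": filter_packet(RULES, OUTBOUND_HTTP),
        "http_reply_strict": filter_packet(RULES, HTTP_REPLY),          # reply is dropped
        "http_reply_relaxed": filter_packet(RULES_WITH_REPLIES, HTTP_REPLY),
        "unsolicited_relaxed": filter_packet(RULES_WITH_REPLIES, UNSOLICITED),  # hole lets this in too
        "inbound_smtp": filter_packet(RULES, INBOUND_SMTP),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:22} {verdict}")
```

The strict rule set drops the HTTP reply because nothing in the packet ties it to the request that went out a moment earlier; the relaxed set lets the reply through, but the same rule admits any inbound TCP packet to a high port on a LAN host. Closing that gap is exactly what connection tracking in a stateful filter is for.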
When a packet originates from the sender and passes through a firewall, the device checks it against the packet filtering rules that are configured in the firewall and drops or rejects the packet accordingly. When the packet goes through the firewall, it is checked on a protocol/port number basis (GSS).

Application gateway
Applies security mechanisms to specific applications, such as FTP hosts. This is very effective, but can degrade performance.

Fig7. OSI reference model

The benefit of application layer filtering is that it can understand applications and protocols, and it can also detect if an unwanted protocol is sneaking through on a non-standard port or if a protocol is being used in any harmful way.

An application firewall is more secure and reliable compared to packet filter firewalls as it works on all seven layers of the OSI reference model, from the application layer down to the physical layer. This is similar to a packet filter firewall but here it also filters information on the basis of content.

In 2009/2010 the focus of the most comprehensive firewall security vendors turned to expanding the list of applications such firewalls are aware of, now covering hundreds and in some cases thousands of applications which can be identified automatically. Many of these applications can not only be blocked or allowed but manipulated by the more advanced firewall products to allow only certain functionality, enabling network security administrators to give users functionality without enabling unnecessary vulnerabilities. As a consequence these advanced versions of the second generation firewalls are being referred to as next generation and surpass the third generation firewall. It is expected that, due to malicious communications, this trend will have to continue to enable organizations to be truly secure.

Third generation stateful filters

Fig8.
Stateful filter

Third-generation firewalls, in addition to what first- and second-generation firewalls look for, regard the placement of each individual packet within the packet series. This technology is generally referred to as stateful packet inspection as it maintains records of all connections passing through the firewall and is able to determine whether a packet is the start of a new connection, a part of an existing connection, or is an invalid packet. Though there is still a set of static rules in such a firewall, the state of a connection can itself be one of the criteria which trigger specific rules.

This type of firewall can actually be exploited by certain denial-of-service attacks which can fill the connection tables with illegitimate connections.

Circuit-level gateway
Applies security mechanisms when a TCP or UDP connection is established. Once the connection has been made, packets can flow between the hosts without further checking.

Proxy servers
Intercepts all messages entering and leaving the network. The proxy server effectively hides the true network addresses.

Fig9. Proxy server

In computer networks, a proxy server is a server that acts as an intermediary for requests from clients seeking resources from other servers.
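Before the text continues with proxies, here is an added example of the stateful inspection described under third-generation firewalls above (it is example code written for this page, not code from the post or from any product; the addresses, ports and the per-source half-open limit are constructed assumptions). It keeps a connection table so that each packet can be classified as new, part of an existing connection, or invalid, and it caps half-open entries per source so that a burst of SYNs that are never completed cannot fill the table, which is the denial-of-service concern noted above.

```python
from dataclasses import dataclass
from typing import Dict, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str          # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False   # TCP SYN flag: first packet of a connection
    ack: bool = False   # TCP ACK flag


ConnKey = Tuple[str, str, int, str, int]


def conn_key(p: Packet) -> ConnKey:
    """Direction-independent key, so a reply matches the entry its request created."""
    a, b = sorted([(p.src, p.sport), (p.dst, p.dport)])
    return (p.proto, a[0], a[1], b[0], b[1])


@dataclass
class Entry:
    initiator: str
    state: str = "half-open"   # becomes "established" once the initiator ACKs


class StatefulFilter:
    def __init__(self, allowed_new: Set[Tuple[str, str, int]],
                 max_conns: int = 1000, max_half_open_per_src: int = 5):
        self.allowed_new = allowed_new          # (dst, proto, dport) that may open a connection
        self.max_conns = max_conns              # hard cap on the whole table
        self.max_half_open_per_src = max_half_open_per_src
        self.table: Dict[ConnKey, Entry] = {}

    def half_open_count(self, src: str) -> int:
        return sum(1 for e in self.table.values()
                   if e.initiator == src and e.state == "half-open")

    def classify(self, p: Packet) -> str:
        if conn_key(p) in self.table:
            return "ESTABLISHED"
        if p.proto == "tcp" and p.syn and not p.ack:
            return "NEW"
        return "INVALID"      # e.g. a stray ACK with no connection behind it

    def handle(self, p: Packet) -> str:
        state = self.classify(p)
        key = conn_key(p)
        if state == "INVALID":
            return "drop:invalid"
        if state == "ESTABLISHED":
            entry = self.table[key]
            if entry.state == "half-open" and p.src == entry.initiator and p.ack and not p.syn:
                entry.state = "established"   # three-way handshake completed
            return "accept:established"
        # NEW: apply the static rule first, then the limits that protect the table itself.
        if (p.dst, p.proto, p.dport) not in self.allowed_new:
            return "drop:policy"
        if len(self.table) >= self.max_conns:
            return "drop:table-full"
        if self.half_open_count(p.src) >= self.max_half_open_per_src:
            return "drop:half-open-limit"
        self.table[key] = Entry(initiator=p.src)
        return "accept:new"


WEB = "192.168.1.80"   # constructed internal web server


def demo() -> dict:
    fw = StatefulFilter(allowed_new={(WEB, "tcp", 80)}, max_half_open_per_src=3)
    results = {}
    # A normal handshake from a legitimate client (constructed packets).
    syn = Packet("198.51.100.7", WEB, "tcp", 40000, 80, syn=True)
    syn_ack = Packet(WEB, "198.51.100.7", "tcp", 80, 40000, syn=True, ack=True)
    ack = Packet("198.51.100.7", WEB, "tcp", 40000, 80, ack=True)
    results["syn"] = fw.handle(syn)
    results["syn_ack"] = fw.handle(syn_ack)
    results["ack"] = fw.handle(ack)
    results["state_after_handshake"] = fw.table[conn_key(syn)].state
    # A packet that belongs to no connection is rejected outright.
    results["stray_ack"] = fw.handle(Packet("203.0.113.9", WEB, "tcp", 5555, 80, ack=True))
    # Six SYNs from one source that never completes: the per-source cap stops the table filling.
    verdicts = [fw.handle(Packet("203.0.113.9", WEB, "tcp", 50000 + i, 80, syn=True))
                for i in range(6)]
    results["flood_accepted"] = verdicts.count("accept:new")
    results["flood_dropped"] = verdicts.count("drop:half-open-limit")
    # Another client can still connect while the flooding source is capped.
    results["other_client"] = fw.handle(Packet("192.0.2.44", WEB, "tcp", 41000, 80, syn=True))
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name:22} {value}")
```

Compared with the stateless filter, the reply (the SYN-ACK) is accepted because the table already holds the connection, and the stray ACK is dropped because it does not. Real implementations also age entries out of the table on a timer; that is omitted here.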
A client connects to the proxy server, requesting some service, such as a file, connection, web page, or other resource, available from a different server. The proxy server evaluates the request according to its filtering rules. For example, it may filter traffic by IP address. If the request is validated by the filter, the proxy provides the resource by connecting to the relevant server and requesting the service on behalf of the client. A proxy server may optionally alter the client's request or the server's response, and sometimes it may serve the request without contacting the specified server. In this case, it caches responses from the remote server, and returns subsequent requests for the same content directly.

Types of proxy

Forward proxies

Fig10. Forward proxies

A forward proxy taking requests from an internal network and forwarding them to the Internet.

Forward proxies are proxies where the client names the target server to connect to. Forward proxies are able to retrieve from a wide range of sources. The terms "forward proxy" and "forwarding proxy" are a general description of behavior (forwarding traffic) and thus ambiguous. Except for reverse proxy, the types of proxies described in this article are more specialized sub-types of the general forward proxy concept.

Open proxies

Fig11. Open proxies

An open proxy forwarding requests from and to anywhere on the Internet.

An open proxy is a forward proxy server that is accessible by any Internet user. Gordon Lyon estimates there are hundreds of thousands of open proxies on the Internet. An anonymous open proxy allows users to conceal their IP address while browsing the Web or using other Internet services.

Reverse proxies

Fig12. Reverse proxies

A reverse proxy taking requests from the Internet and forwarding them to servers in an internal network. Those making requests connect to the proxy and may not be aware of the internal network.

A reverse proxy is a proxy server that appears to clients to be an ordinary server.
Requests are forwarded to one or more origin servers which handle the request. The response is returned as if it came directly from the proxy server.

Reverse proxies are installed in the neighborhood of one or more web servers. All traffic coming from the Internet and with a destination of one of the web servers goes through the proxy server. The use of "reverse" originates in its counterpart "forward proxy", since the reverse proxy sits closer to the web server and serves only a restricted set of websites.

There are several reasons for installing reverse proxy servers:

- Encryption / SSL acceleration: when secure web sites are created, the SSL encryption is often not done by the web server itself, but by a reverse proxy that is equipped with SSL acceleration hardware. See Secure Sockets Layer. Furthermore, a host can provide a single "SSL proxy" to provide SSL encryption for an arbitrary number of hosts, removing the need for a separate SSL server certificate for each host, with the downside that all hosts behind the SSL proxy have to share a common DNS name or IP address for SSL connections. This problem can partly be overcome by using the SubjectAltName feature of X.509 certificates.
- Load balancing: the reverse proxy can distribute the load to several web servers, each web server serving its own application area. In such a case, the reverse proxy may need to rewrite the URLs in each web page (translation from externally known URLs to the internal locations).
- Serve/cache static content: a reverse proxy can offload the web servers by caching static content like pictures and other static graphical content.
- Compression: the proxy server can optimize and compress the content to speed up the load time.
- Spoon feeding: reduces resource usage caused by slow clients on the web servers by caching the content the web server sent and slowly "spoon feeding" it to the client.
  This especially benefits dynamically generated pages.
- Security: the proxy server is an additional layer of defense and can protect against some OS and web server specific attacks. However, it does not provide any protection from attacks against the web application or service itself, which is generally considered the larger threat.
- Extranet publishing: a reverse proxy server facing the Internet can be used to communicate to a firewalled server internal to an organization, providing extranet access to some functions while keeping the servers behind the firewalls. If used in this way, security measures should be considered to protect the rest of your infrastructure in case this server is compromised, as its web application is exposed to attack from the Internet.

VPN

A virtual private network (VPN) is a computer network that uses a public telecommunication infrastructure such as the Internet to provide remote offices or individual users with secure access to their organization's network. It aims to avoid an expensive system of owned or leased lines that can be used by only one organization.

It encapsulates data transfers between two or more networked devices which are not on the same private network so as to keep the transferred data private from other devices on one or more intervening local or wide area networks. There are many different classifications, implementations, and uses for VPNs.

Fig13. VPN

Vulnerabilities-

Unauthorized access
This simply means that people who shouldn't use your computer services are able to connect and use them. For example, people outside your company might try to connect to your company accounting machine or to your network file server. There are various ways to avoid this attack by carefully specifying who can gain access through these services.
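One way to specify who may reach which service, as an added example for the unauthorized access point above (example code written for this page, not from the post; it uses a simplified hosts.allow / hosts.deny style syntax and constructed addresses): allow rules are consulted first, then deny rules, and the example shows why a final deny-everything line matters, because without it a service that is listed nowhere is reachable by anyone.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List, Tuple

# Constructed policy in a simplified hosts.allow / hosts.deny style:
#   "service: client, client, ..."   where client is an address, a CIDR, or ALL.
HOSTS_ALLOW = """
# who may open which service
sshd: 192.168.1.0/24, 10.0.0.5
nfsd: 192.168.1.0/24
smtpd: ALL
"""
HOSTS_DENY = """
ALL: ALL
"""

Policy = Dict[str, List[str]]


def parse_policy(text: str) -> Policy:
    """Parse 'service: client, client' lines; '#' starts a comment."""
    policy: Policy = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        service, sep, clients = line.partition(":")
        if not sep:
            raise ValueError(f"malformed line: {raw!r}")
        policy.setdefault(service.strip(), []).extend(
            c.strip() for c in clients.split(",") if c.strip())
    return policy


def client_matches(pattern: str, client_ip: str) -> bool:
    if pattern == "ALL":
        return True
    return ip_address(client_ip) in ip_network(pattern, strict=False)


def _lookup(policy: Policy, service: str, client_ip: str) -> bool:
    # A rule for the specific service or for ALL services can match.
    for svc in (service, "ALL"):
        for pattern in policy.get(svc, []):
            if client_matches(pattern, client_ip):
                return True
    return False


def authorize(allow: Policy, deny: Policy, service: str, client_ip: str) -> Tuple[bool, str]:
    """Allow file wins, then the deny file; if neither matches, access is open.

    That open default is why the deny file should end with 'ALL: ALL'.
    The second element is an audit line a defender would log.
    """
    if _lookup(allow, service, client_ip):
        return True, f"ALLOW {service} from {client_ip} (hosts.allow)"
    if _lookup(deny, service, client_ip):
        return False, f"DENY {service} from {client_ip} (hosts.deny)"
    return True, f"ALLOW {service} from {client_ip} (no rule matched)"


def demo() -> Dict[str, bool]:
    allow = parse_policy(HOSTS_ALLOW)
    deny = parse_policy(HOSTS_DENY)
    no_deny = parse_policy("")          # same allow file, but no deny file at all
    checks = {
        "ssh_from_lan": authorize(allow, deny, "sshd", "192.168.1.10"),
        "ssh_from_internet": authorize(allow, deny, "sshd", "203.0.113.5"),
        "nfs_from_single_host": authorize(allow, deny, "nfsd", "10.0.0.5"),
        "smtp_from_anywhere": authorize(allow, deny, "smtpd", "198.51.100.7"),
        "unlisted_service": authorize(allow, deny, "rexecd", "192.168.1.10"),
        "unlisted_service_no_deny": authorize(allow, no_deny, "rexecd", "192.168.1.10"),
    }
    for name, (_, audit) in checks.items():
        print(f"{name:26} {audit}")
    return {name: ok for name, (ok, _) in checks.items()}


if __name__ == "__main__":
    demo()
```

The last two checks are the point: with `ALL: ALL` in the deny file, a service that appears in no allow line (here `rexecd`) is refused to everyone; with no deny file, the same request is granted by default, which is how services nobody intended to expose end up reachable.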
You can prevent network access to all except the intended users.

Exploitation of known weaknesses
Some programs and network services were not originally designed with strong security in mind and are inherently vulnerable to attack. The BSD remote services (rlogin, rexec, etc.) are an example. The best way to protect yourself against this type of attack is to disable any vulnerable services or find alternatives. With Open Source, it is sometimes possible to repair the weaknesses in the software.

Denial of service
Denial of service attacks cause the service or program to cease functioning or prevent others from making use of the service or program. These may be performed at the network layer by sending carefully crafted and malicious datagrams that cause network connections to fail. They may also be performed at the application layer, where carefully crafted application commands are given to a program that cause it to become extremely busy or stop functioning. Preventing suspicious network traffic from reaching your hosts and preventing suspicious program commands and requests are the best ways of minimizing the risk of a denial of service attack. It's useful to know the details of the attack method, so you should educate yourself about each new attack as it gets publicized.

Spoofing
This type of attack causes a host or application to mimic the actions of another. Typically the attacker pretends to be an innocent host by following IP addresses in network packets. For example, a well-documented exploit of the BSD rlogin service can use this method to mimic a TCP connection from another host by guessing TCP sequence numbers. To protect against this type of attack, verify the authenticity of datagrams and commands. Prevent datagram routing with invalid source addresses. Introduce unpredictability into connection control mechanisms, such as TCP sequence numbers and the allocation of dynamic port addresses.

Eavesdropping
This is the simplest type of attack.
A host is configured to "listen" to and capture data not belonging to it. Carefully written eavesdropping programs can take usernames and passwords from user login network connections. Broadcast networks like Ethernet are especially vulnerable to this type of attack.

Here are a few examples of firewalls -
- Untangle
- Fortiguard
- Netnanny
- Websense
- ClearOS

These firewalls can be affected by the above vulnerabilities.

One way a firewall/web filter can be bypassed is by using a VPN. As studied above, we can connect by VPN to some external network and use that network. So we can bypass the firewall by connecting by VPN to a remote network and using its default gateway.

Below are the exact steps on how to set up the VPN server, client, AD and LB configurations.

Complete VPN Configuration

Below is the complete procedure on how to set up the VPN server and client side.
Note- Windows XP and Windows 7 both have the capability to act as VPN servers.

VPN Server Configuration
Open Network Connections and follow the below -
Click Next on the welcome page.
Select the options highlighted in the below snaps -
Once you have followed the steps above you are done with the server side configuration.

VPN Client Configuration
Below snaps show the client side configuration.
Once the above steps are followed the client side is also set up.
The work is still not over.

Port Forward
The port needs to be forwarded from the modem/LB etc. Follow the instructions below to get it rolling -

Dial-in Rights on AD
The final step is to give the user permission to VPN.
First RDP to the AD.
Login.
Open Active Directory.
Find the user and go into Properties.
Follow the snap; once the above is done -

The best firewall-
According to first hand experience we found Untangle to be the best firewall as it is free and has a host of functions too.

Below is a screenshot of the Untangle dashboard-
Fig14. Untangle dashboard

Conclusion-
Our aim was to explain what a firewall is and expose a few vulnerabilities in it.
We have studied how a firewall works, its architecture, the types of firewalls and their vulnerabilities. We have then compared the firewalls on various parameters and have concluded that Untangle is the best firewall with reference to its features and cost.