perimeter gateway

Internet Week 2005 T9 CISSP Proxy VPN

perimeter gateway

OK?? F/+VPN Web MAIL/DNS PC PC PC PC PC

NW NW F/W+VPN DMZ F/W NW NW RAS NW DMZ DMZ De-Militarized Zone =

DMZ DMZ DMZ DMZ DMZ DMZ DMZ DMZ DMZ DMZ DMZ

DMZ F/W DMZ F/W F/W F/W DMZ F/W DMZ

Firewall = Firewall = HTTP,SMTP

IP VPN IPSec

IP Proxy Proxy IP ACL Access Control List) ACL Proxy Proxy ACL ACL Proxy ACL (

TCP/IP (IDS IPS

NAT (Network Address Translation) () IP Masquerade, NAPT, PAT etc. proxy L2 IP

A internet any Host A Host B Rsh/rlogin Host A host.equiv(unix)

Ingress/Egress Ingress/Egress F/W 192.168.0/24 R R 192.168.10/24 Ingress 192.168.0 192.168.10 Egress 192.168.0 192.168.10

or UDPIP P=1024 192.168.1.1:1024 192.168.1.2:80 P=80 192.168.1.1:1024 192.168.1.2:80 192.168.1.1 192.168.1.2

HOST-A HOST-B HOST-A HOST-B FTP Client PORT Command ftp Server FTP

VoIP UDP, ICMP Checkpoint C

Proxy HTTP FTP Proxy NAT NAT

NAT(RFC1631) (Static / )NAT

NAT 192.168.1.161.197.xxx.2 61.197.xxx.6 From: 192.168.1.1:1024 To: 61.197.xxx.6:80 From: 61.197.xxx.2:1024 To: 61.197.xxx.6:80 To: 192.168.1.1:1024 From: 61.197.xxx.6:80 To: 61.197.xxx.2:1024 From: 61.197.xxx.6:80 From: 192.168.1.2:1024 To: 61.197.xxx.6:80 From: 61.197.xxx.3:1024 To: 61.197.xxx.6:80 To: 192.168.1.2:1024 To: 61.197.xxx.3:1024 From: 61.197.xxx.6:80 From: 61.197.xxx.6:80 192.168.1.261.197.xxx.3 NAPT, IP Masquerade, PAT 1

N:1 From: 192.168.1.1:1024 To: 61.197.xxx.6:80 To: 192.168.1.1:1024 From: 61.197.xxx.6:80 192.168.1.1:102461.197.xxx.2:32768 From: 192.168.1.2:1024 To: 61.197.xxx.6:80 From: 61.197.xxx.2:32768 To: 61.197.xxx.6:80 To: 61.197.xxx.2:32768 From: 61.197.xxx.6:80 From: 61.197.xxx.2:32769 To: 61.197.xxx.6:80 To: 192.168.1.2:1024 To: 61.197.xxx.2:32769 From: 61.197.xxx.6:80 From: 61.197.xxx.6:80 192.168.1.2:102461.197.xxx.2:32769 61.197.xxx.6 IP FTP IPSec/AH

TransparentProxy Proxy Proxy Web Proxy Proxy Proxy Proxy B>A B<A (AC AC) Access to A B<C B>C Access to A C>A C C<A

L2 Proxy IP L3 TCP/IP Ethernet NIC-1 NIC-2 192.168.0.0/24 192.168.1.0/24

L2 TCP/IP Ethernet NIC-1 NIC-2 192.168.0.0/24 192.168.0.0/24 IPS,IDPS http, ftp, smtp, pop3 URL http URL VPN PC IPsec, L2TP, PPTP

or or DMZ

SMTP,POP3,IMAP4

IF1 NW1NW2 NW3 NW1,NW2 DNS IF2 IF3 IF4 NW3 R R DMZ NW1 NW2 INTN-G DMZ-G SERVER-G CLNT-G ANY DMZ NW3 NW1 NW2 CLNT-OUT DMZ-OUT DMZ-IN SERVER-IN HTTP HTTPS FTP DNS SMTP SMTP DNS HTTP HTTPS DNS FTP HTTP HTTPS NETBIOS(TCP/UDP 135-9)

To IF1 IF2 IF3 IF4 From INTERNET DMZ NW1 NW2 NW3 IF1 INTERNET DMZ-IN NONE NONE IF2 DMZ DMZ-OUT NONE NONE IF3 NW1 CLNT-OUT ANY SERVER-IN NW2 IF4 NW3 NONE ANY ANY

Web DMZ VPN

bps Bps

Proxy 1 Proxy Proxy Proxy Proxy Proxy Proxy Proxy

Proxy URL SPAM VPN

Proxy Proxy Web SPAM IPS( VPN

SLA 2

1 1 Active Passive (Stand-by)

Heart beat IP VRRP

LB LBFW FW FW LB LB LB DMZ LB LB (persistence) ftp : FW VoIP

Syslog syslog

90 Proxy 1 1 90 90

N+ N)

SMTP Ping IRC HTTP HTTP HTTP T13

NMS Ping, SNMP SIM M&A

SIer FW Your next step!)

http://www.shuwasystem.co.jp/cgi-bin/detail.cgi?isbn=4-7980-0880-x Q&A Contact Info. futagi@kazamidori.jp futagi.masaaki@scs.co.jp URL: http://www.kazamidori.jp/security/

FreeBSD CISSP