Internet Week 2005 T9 CISSP Proxy VPN
perimeter gateway
[Network diagram: F/W+VPN gateway in front of a DMZ hosting Web, MAIL and DNS servers; internal networks (NW) with PCs; RAS. DMZ = De-Militarized Zone]
Firewall = Firewall = HTTP,SMTP
IP VPN IPSec
IP Proxy Proxy IP ACL Access Control List) ACL Proxy Proxy ACL ACL Proxy ACL (
TCP/IP (IDS IPS
NAT (Network Address Translation) () IP Masquerade, NAPT, PAT etc. proxy L2 IP
A internet any Host A Host B Rsh/rlogin Host A host.equiv(unix)
Ingress/Egress Ingress/Egress F/W 192.168.0/24 R R 192.168.10/24 Ingress 192.168.0 192.168.10 Egress 192.168.0 192.168.10
or UDPIP P=1024 192.168.1.1:1024 192.168.1.2:80 P=80 192.168.1.1:1024 192.168.1.2:80 192.168.1.1 192.168.1.2
HOST-A HOST-B HOST-A HOST-B FTP Client PORT Command ftp Server FTP
VoIP UDP, ICMP Checkpoint C
Proxy HTTP FTP Proxy NAT NAT
NAT(RFC1631) (Static / )NAT
NAT (static, 1:1): 192.168.1.1 <-> 61.197.xxx.2, 192.168.1.2 <-> 61.197.xxx.3; server 61.197.xxx.6

  Inside (private)                               Outside (global)
  From 192.168.1.1:1024  To   61.197.xxx.6:80  ->  From 61.197.xxx.2:1024  To   61.197.xxx.6:80
  To   192.168.1.1:1024  From 61.197.xxx.6:80  <-  To   61.197.xxx.2:1024  From 61.197.xxx.6:80
  From 192.168.1.2:1024  To   61.197.xxx.6:80  ->  From 61.197.xxx.3:1024  To   61.197.xxx.6:80
  To   192.168.1.2:1024  From 61.197.xxx.6:80  <-  To   61.197.xxx.3:1024  From 61.197.xxx.6:80

NAPT, IP Masquerade, PAT (N:1): 192.168.1.1:1024 -> 61.197.xxx.2:32768, 192.168.1.2:1024 -> 61.197.xxx.2:32769; server 61.197.xxx.6

  Inside (private)                               Outside (global)
  From 192.168.1.1:1024  To   61.197.xxx.6:80  ->  From 61.197.xxx.2:32768  To   61.197.xxx.6:80
  To   192.168.1.1:1024  From 61.197.xxx.6:80  <-  To   61.197.xxx.2:32768  From 61.197.xxx.6:80
  From 192.168.1.2:1024  To   61.197.xxx.6:80  ->  From 61.197.xxx.2:32769  To   61.197.xxx.6:80
  To   192.168.1.2:1024  From 61.197.xxx.6:80  <-  To   61.197.xxx.2:32769  From 61.197.xxx.6:80

IP / FTP / IPSec/AH
TransparentProxy Proxy Proxy Web Proxy Proxy Proxy Proxy B>A B<A (AC AC) Access to A B<C B>C Access to A C>A C C<A
L2 Proxy IP L3 TCP/IP Ethernet NIC-1 NIC-2 192.168.0.0/24 192.168.1.0/24
L2 TCP/IP Ethernet NIC-1 NIC-2 192.168.0.0/24 192.168.0.0/24 IPS,IDPS http, ftp, smtp, pop3 URL http URL VPN PC IPsec, L2TP, PPTP
or or DMZ
SMTP,POP3,IMAP4
IF1 NW1NW2 NW3 NW1,NW2 DNS IF2 IF3 IF4 NW3 R R DMZ NW1 NW2 INTN-G DMZ-G SERVER-G CLNT-G ANY DMZ NW3 NW1 NW2 CLNT-OUT DMZ-OUT DMZ-IN SERVER-IN HTTP HTTPS FTP DNS SMTP SMTP DNS HTTP HTTPS DNS FTP HTTP HTTPS NETBIOS(TCP/UDP 135-9)
Interface policy matrix (rows: From, columns: To)

  From \ To          IF1 INTERNET   IF2 DMZ   IF3 NW1,NW2   IF4 NW3
  IF1 INTERNET            -         DMZ-IN      NONE         NONE
  IF2 DMZ               DMZ-OUT       -         NONE         NONE
  IF3 NW1,NW2           CLNT-OUT     ANY          -          SERVER-IN
  IF4 NW3                NONE        ANY        ANY            -
Web DMZ VPN
bps Bps
Proxy 1 Proxy Proxy Proxy Proxy Proxy Proxy Proxy
Proxy URL SPAM VPN
Proxy Proxy Web SPAM IPS( VPN
SLA 2
1 1 Active Passive (Stand-by)
Heart beat IP VRRP
LB LBFW FW FW LB LB LB DMZ LB LB (persistence) ftp : FW VoIP
Syslog syslog
90 Proxy 1 1 90 90
N+ N)
SMTP Ping IRC HTTP HTTP HTTP T13
NMS Ping, SNMP SIM M&A
SIer FW Your next step!)
http://www.shuwasystem.co.jp/cgi-bin/detail.cgi?isbn=4-7980-0880-x Q&A Contact Info. futagi@kazamidori.jp futagi.masaaki@scs.co.jp URL: http://www.kazamidori.jp/security/
FreeBSD CISSP