7/26/2019 Enterprise Secure Networks 15129145
1/7
Enterprise Secure Networks
Muhammad Waqas Moin Sheikh (15129145, BJTU)
Practice Course: Information Security
I. Abstract
An enterprise network is an enterprise's communications backbone that helps connect
computers and related devices across departments and workgroup networks,
facilitating insight and data accessibility. An enterprise network reduces the number of
communication protocols in use, facilitating system and device interoperability, as well as
improved internal and external enterprise data management. The primary purpose of
this report is to describe why, for many customers, traditional network firewalls will
not be required for their network traffic associated with multi-tier application
workloads within a z-Enterprise Ensemble. This report covers a Network Firewall
introduction, an Enterprise System Network Security Overview and Exploiting External
Firewalls.
II. Introduction
The key purpose of an enterprise network is to eliminate isolated users and
workgroups. All systems should be able to communicate and to provide and retrieve
information. Additionally, physical systems and devices should be able to maintain
and provide satisfactory performance, reliability and security. Enterprise computing
models are developed for this purpose, facilitating the exploration and improvement of
established enterprise communication protocols and strategies.
In scope, an enterprise network may include local and wide area networks
(LAN/WAN), depending on operational and departmental requirements. An enterprise
network can integrate all systems, including Windows and Apple computers and
operating systems (OS), Unix systems, mainframes and related devices like
smartphones and tablets. A tightly integrated enterprise network effectively combines
and uses different device and system communication protocols.
III. A Typical Enterprise Secure Network Design
Figure 1: Typical PCS Network Topology
IV. Network Firewall Introduction
One of the core security technologies common in most, if not all, network-attached
computing environments, large or small, is the firewall. Firewalls take many shapes
and forms, from host-based solutions targeting the personal computer as an integrated
security suite to large, dedicated, purpose-built appliance hardware protecting high
volume traffic at the network's edge. There are hundreds of variations on firewall
solutions and their uses, each with its own value-add or benefit in a particular
situation, but there is one clear requirement that firewalls bring to the table no matter
what size or how many bells and whistles are present. Firewalls must have the ability
to block access or connectivity that is deemed unauthorized, while still letting
authorized traffic reach the intended target system or application.
In its simplest form the firewall acts as a basic packet filter, looking at each packet and
checking a set of rules or a policy to determine which packets are granted access, passing
through the firewall, and which packets are denied. This basic packet filtering
capability can be found in both network firewalls (either hardware or software based)
and host firewalls. Host solutions, like those found in IBM's Proventia Server for
Linux on IBM System z or z/OS Communications Server IP filters, run within the server
image and are used to protect network traffic flowing into and out of the server. These
types of host solutions are targeted at self-protection. Another firewall solution that
might be found on the host is an application firewall, designed to protect a particular
application or server, such as a Web server, FTP, database, Telnet, etc., from
unauthorized or malicious attack.
Figure 2: Basic DMZ
V. Enterprise System Network Security Overview
This section provides an overview of the z-Enterprise physical infrastructure associated
with network communications. Key concepts such as the node, how a cluster
of nodes can be formed into an Ensemble, and finally how network communication
is provided for within the Ensemble are also introduced in this section. The resources
within the Ensemble are managed across heterogeneous platforms by an innovative
z-Enterprise function called Unified Resource Manager. Unified Resource Manager
orchestrates various forms of platform management and virtualization by
interacting with various elements of platform firmware and hardware.
Figure 3: System z-Enterprise
The z-Enterprise provides a dedicated system data network. This data network spans
all nodes within the Ensemble, reaching all servers within each node across the entire
Ensemble. The security attributes and considerations associated with z-Enterprise
network communications are the primary focus of this document.
Figure 4: System z-Enterprise Node
z-Enterprise Security Framework
The industry-leading security-related features of the zEnterprise System are
achieved by providing a security framework that spans multiple tiers of the zEnterprise
platform. This multiple-layer security model is very similar to that of previous System z
platforms, but it is enhanced with Unified Resource Manager network-related functions
associated with the IEDN (the intraensemble data network). The following figure provides
an overview of the multi-tier security model.
Figure 5: IBM Security Framework
VI. Exploiting External Firewalls
It is recognized that in some environments customers will still be required to force
traffic back out of the IEDN to route some network connections through a specific
firewall. This can be achieved by using standard network routing within the OS of the
virtual servers.
If you want to ensure that all packets that cross VLAN boundaries in the IEDN go
through a firewall router, create a static default route whose next hop is the address of
the firewall router. If you require all traffic to go through this firewall, this is sufficient.
If traffic that is not crossing VLAN boundaries does not have to go through the firewall,
you can create a static subnet route to direct that traffic to go directly where it needs to
go on the VLAN. For example, if you are attached to a VLAN with subnet, and traffic
to destinations within that subnet does not require firewall use but all packets leaving
that VLAN do, you create the following static routes:
Route destination | Outgoing interface | Next hop | Comment
0.0.0.0 | Your interface attached to the VLAN | The firewall router's IP address on the VLAN you are attached to | Default route. Causes all packets not routed by any other route to be routed to the firewall.
The VLAN's subnet address | Your interface attached to the VLAN | none | Direct route to destinations in the VLAN subnet; will ARP for the destination address and go directly there, bypassing the firewall.
Table 1: Routing Table Overview Accessing External Firewall
The following figure illustrates the approach.
Figure 6: Exploiting an External Firewall
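As an added example (not code from the original report), the two static routes of Table 1 modelled as an OS routing table with longest-prefix matching, together with the equivalent Linux ip route lines for a Linux virtual server. The VLAN subnet 10.1.1.0/24, interface eth0 and firewall router address 10.1.1.254 are constructed sample values, not taken from the report.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed sample values (assumptions, not from the report): the virtual server
# sits on IEDN VLAN subnet 10.1.1.0/24 via eth0; the firewall router is 10.1.1.254.
VLAN_SUBNET = ipaddress.ip_network("10.1.1.0/24")
VLAN_IFACE = "eth0"
FIREWALL_ROUTER = ipaddress.ip_address("10.1.1.254")

@dataclass(frozen=True)
class Route:
    destination: ipaddress.IPv4Network         # route destination prefix
    interface: str                             # outgoing interface
    next_hop: Optional[ipaddress.IPv4Address]  # None = directly connected (ARP)
    comment: str

def build_routes(subnet, iface, firewall):
    """The two static routes of Table 1: default via firewall, subnet direct."""
    return [
        Route(ipaddress.ip_network("0.0.0.0/0"), iface, firewall,
              "Default route: unmatched packets go to the firewall"),
        Route(subnet, iface, None,
              "Direct route: on-VLAN destinations bypass the firewall"),
    ]

def lookup(routes, dst):
    """Longest-prefix match as the OS does it, so the /24 beats the /0 default."""
    dst = ipaddress.ip_address(dst)
    matches = [r for r in routes if dst in r.destination]
    return max(matches, key=lambda r: r.destination.prefixlen)

def goes_through_firewall(routes, dst):
    """True when the chosen route's next hop is the firewall router."""
    return lookup(routes, dst).next_hop is not None

def linux_commands(routes):
    """Equivalent 'ip route add' lines for a Linux guest (assumed OS)."""
    cmds = []
    for r in routes:
        prefix = "default" if r.destination.prefixlen == 0 else str(r.destination)
        via = "" if r.next_hop is None else f" via {r.next_hop}"
        cmds.append(f"ip route add {prefix}{via} dev {r.interface}")
    return cmds

ROUTES = build_routes(VLAN_SUBNET, VLAN_IFACE, FIREWALL_ROUTER)

if __name__ == "__main__":
    for dst in ("10.1.1.20", "10.2.7.5"):
        print(dst, "via firewall" if goes_through_firewall(ROUTES, dst) else "direct")
```

The check worth running on a real guest is the same one lookup() performs: an off-VLAN destination must resolve to the firewall's address and an on-VLAN destination to the connected route, otherwise traffic leaves the VLAN unfiltered.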
VII. Conclusion
This report has provided a basic review of the notion of a network firewall and
considerations regarding the requirements for deploying one in a zEnterprise
environment. It has also described the internal networking support introduced with the
IBM zEnterprise and how, due to its enhanced physical and logical security, in many
cases it may eliminate the need for a network firewall to protect network traffic within
a zEnterprise environment. Finally, it has described how you can use an external