enterprise secure networks 15129145

Upload: mohammad-waqas-moin-sheikh

Post on 01-Mar-2018


    7/26/2019 Enterprise Secure Networks 15129145

    1/7

    Enterprise Secure Networks

    Muhammad Waqas Moin Sheikh (15129145, BJTU)

    Practice Course: Information Security

    I. Abstract

    An enterprise network is an enterprise's communications backbone that helps connect computers and related devices across departments and workgroup networks, facilitating insight and data accessibility. An enterprise network reduces communication protocols, facilitating system and device interoperability, as well as improved internal and external enterprise data management. The primary purpose of this report is to describe why, for many customers, traditional network firewalls will not be required for the network traffic associated with multi-tier application workloads within a z-Enterprise Ensemble. This report covers a network firewall introduction, an enterprise system network security overview and exploiting external firewalls.

    II. Introduction

    The key purpose of an enterprise network is to eliminate isolated users and workgroups. All systems should be able to communicate and to provide and retrieve information. Additionally, physical systems and devices should be able to maintain and provide satisfactory performance, reliability and security. Enterprise computing models are developed for this purpose, facilitating the exploration and improvement of established enterprise communication protocols and strategies.

    In scope, an enterprise network may include local and wide area networks (LAN/WAN), depending on operational and departmental requirements. An enterprise network can integrate all systems, including Windows and Apple computers and operating systems (OS), Unix systems, mainframes and related devices like smartphones and tablets. A tightly integrated enterprise network effectively combines and uses different device and system communication protocols.


    III. A Typical Enterprise Secure Network Design.

    Figure 1: Typical PCS Network Topology

    IV. Network Firewall Introduction

    One of the core security technologies common in most, if not all, network-attached computing environments, large or small, is the firewall. Firewalls take many shapes and forms, from host-based solutions targeting the personal computer as an integrated security suite to large, dedicated, purpose-built appliance hardware protecting high-volume traffic at the network's edge. There are hundreds of variations on firewall solutions and their uses, each with its own value add or benefit in a particular situation, but there is one clear requirement that firewalls bring to the table no matter what size or how many bells and whistles are present. Firewalls must have the ability to block access or connectivity that is deemed unauthorized, while still letting authorized traffic reach the intended target system or application.

    In its simplest form the firewall acts as a basic packet filter, looking at each packet and checking a set of rules or policy to determine which packets are granted access, passing through the firewall, and which packets are denied. This basic packet filtering capability can be found in both network firewalls (either hardware or software based) and host firewalls. Host solutions, like that found in IBM's Proventia Server for Linux on IBM System z or z/OS Communications IP Filters, run within the server image and are used to protect network traffic flowing into and out of the server. These types of host solutions are targeted at self-protection. Another firewall solution that might be found on the host is an application firewall, designed to protect a particular application or server, such as a Web server, FTP, database, Telnet, etc., from unauthorized or malicious attack.
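The rule-set-then-decide model described above (each packet is checked against an ordered policy, the first matching rule decides, and anything not explicitly authorized is blocked) can be shown in a few lines. The following is an added illustration written for this report, not code from the report or from any IBM product; the policy, the DMZ web server address 192.0.2.10 and the internal network 10.0.0.0/8 are constructed sample values.

```python
"""Minimal stateless packet filter with first-match, default-deny semantics.
Added example; the policy and addresses below are constructed sample data."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str     # source IPv4 address
    dst: str     # destination IPv4 address
    proto: str   # "tcp", "udp" or "icmp"
    dport: int   # destination port, 0 for protocols without ports


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    src: str = "0.0.0.0/0"        # source prefix; default matches any
    dst: str = "0.0.0.0/0"        # destination prefix; default matches any
    proto: str = "any"            # "any" or a specific protocol
    dport: Optional[int] = None   # None matches every destination port

    def matches(self, p: Packet) -> bool:
        """True when every field of the rule covers the packet."""
        return (ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and (self.dport is None or self.dport == p.dport))


# Constructed policy for a DMZ web server (192.0.2.10 is a documentation
# address, assumed here): anyone may reach HTTPS, only the internal
# 10.0.0.0/8 network may reach SSH, and everything else is denied.
POLICY: List[Rule] = [
    Rule("allow", dst="192.0.2.10/32", proto="tcp", dport=443),
    Rule("allow", src="10.0.0.0/8", dst="192.0.2.10/32", proto="tcp", dport=22),
    Rule("deny"),   # explicit catch-all; the same outcome as no match at all
]


def decide(policy: List[Rule], p: Packet) -> str:
    """Return 'allow' or 'deny' for packet p: first matching rule wins,
    and a packet matching no rule is denied (default deny)."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"


if __name__ == "__main__":
    samples = [
        Packet("198.51.100.7", "192.0.2.10", "tcp", 443),  # external HTTPS: allow
        Packet("198.51.100.7", "192.0.2.10", "tcp", 22),   # external SSH: deny
        Packet("10.1.2.3", "192.0.2.10", "tcp", 22),       # internal SSH: allow
    ]
    for pkt in samples:
        print(pkt, "->", decide(POLICY, pkt))
```

Rule order matters under first-match semantics: placing the catch-all deny first would block everything, which is why the explicit allows precede it here. The same packet-level logic applies whether the filter runs in a network appliance or, as the report describes for Proventia Server and z/OS IP Filters, inside the server image itself.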

    Figure 2: Basic DMZ

    V. Enterprise System Network Security Overview

    This section provides an overview of the z-Enterprise physical infrastructure associated with network communications. Key concepts such as the node, how a cluster of nodes can be formed into an Ensemble, and finally how network communication is provided for within the Ensemble are also introduced in this section. The resources within the Ensemble are managed across heterogeneous platforms by an innovative z-Enterprise function called Unified Resource Manager. Unified Resource Manager orchestrates various forms of platform management and virtualization by interacting with various elements of platform firmware and hardware.

    Figure 3: System z-Enterprise


    The z-Enterprise provides a dedicated system data network. This data network spans all nodes within the Ensemble, reaching all servers within each node across the entire Ensemble. The security attributes and considerations associated with z-Enterprise network communications are the primary focus of this document.

    Figure 4: System z-Enterprise Node

    z-Enterprise Security Framework

    The industry-leading system security features of the zEnterprise System are achieved by providing a security framework that spans multiple tiers of the zEnterprise platform. This multiple-layer security model is very similar to previous System z platforms, but it is enhanced with Unified Resource Manager network-related functions associated with the IEDN. The following figure provides an overview of the multi-tier security model.


    Figure 5: IBM Security Framework

    VI. Exploiting External Firewalls

    It is recognized that in some environments customers will still be required to force traffic back out of the IEDN to route some network connections through a specific firewall. This can be achieved by using standard network routing within the OS of the virtual servers.

    If you want to ensure that all packets that cross VLAN boundaries in the IEDN go through a firewall router, create a static default route whose next hop is the address of the firewall router. If you require all traffic to go through this firewall, this is sufficient. If traffic that is not crossing VLAN boundaries does not have to go through the firewall, you can create a static subnet route to direct that traffic directly to where it needs to go on the VLAN. Because the subnet route is more specific than the default route, the OS prefers it for on-VLAN destinations. For example, if you are attached to a VLAN with subnet, and traffic to destinations within that subnet does not require firewall use but all packets leaving that VLAN do, you create the following static routes:

    Route 1
      Route destination:   0.0.0.0
      Outgoing interface:  Your interface attached to the VLAN
      Next hop:            The firewall router's IP address on the VLAN you are attached to
      Comment:             Default route. Causes all packets not routed by any other route to be routed to the firewall.

    Route 2
      Route destination:   The VLAN's subnet address
      Outgoing interface:  Your interface attached to the VLAN
      Next hop:            none
      Comment:             Direct route to destinations in the VLAN subnet; will ARP for the destination address and go directly there, bypassing the firewall.

    Table 1: Routing Table Overview Accessing External Firewall

    The following figure illustrates the approach.

    Figure 6: Exploiting an External Firewall
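To make the two-route table concrete, here is an added example (written for this page, not code from the report or from any operating system) that models the routing table of Table 1 and performs the longest-prefix-match lookup an OS forwarding table does, so you can see an on-VLAN destination resolve to the direct route and everything else resolve to the firewall. The VLAN subnet 10.20.30.0/24, the firewall address 10.20.30.1 and the interface name eth0 are constructed assumptions, and the `ip route` rendering assumes a Linux guest with the iproute2 tool.

```python
"""Longest-prefix-match route selection over the two static routes of Table 1.
Added example; subnet, firewall address and interface name are assumed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    destination: str          # prefix in CIDR notation
    interface: str            # outgoing interface attached to the VLAN
    next_hop: Optional[str]   # None = directly connected, ARP for the destination
    comment: str


# Constructed values: the VLAN the virtual server is attached to and the
# firewall router's address on that VLAN.
VLAN_SUBNET = "10.20.30.0/24"
FIREWALL = "10.20.30.1"
IFACE = "eth0"

ROUTING_TABLE: List[Route] = [
    Route("0.0.0.0/0", IFACE, FIREWALL,
          "Default route: packets matched by no other route go to the firewall"),
    Route(VLAN_SUBNET, IFACE, None,
          "Direct route: on-VLAN destinations bypass the firewall"),
]


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Return the matching route with the longest prefix, as an OS does.
    The /24 subnet route therefore beats the /0 default for on-VLAN hosts."""
    addr = ip_address(dst)
    best: Optional[Route] = None
    best_len = -1
    for route in table:
        net = ip_network(route.destination)
        if addr in net and net.prefixlen > best_len:
            best, best_len = route, net.prefixlen
    return best


def next_hop_for(table: List[Route], dst: str) -> Optional[str]:
    """Next hop for dst: the firewall's address, or None when delivered directly."""
    route = lookup(table, dst)
    return route.next_hop if route else None


def as_ip_route_commands(table: List[Route]) -> List[str]:
    """Render the table as Linux iproute2 commands (an assumption about the
    guest OS; z/OS or other guests use their own static-route syntax)."""
    cmds = []
    for route in table:
        dest = "default" if route.destination == "0.0.0.0/0" else route.destination
        if route.next_hop is None:
            cmds.append(f"ip route add {dest} dev {route.interface}")
        else:
            cmds.append(f"ip route add {dest} via {route.next_hop} dev {route.interface}")
    return cmds


if __name__ == "__main__":
    for dst in ("10.20.30.55", "10.99.1.1", "192.0.2.10"):
        route = lookup(ROUTING_TABLE, dst)
        print(f"{dst:>12} -> {route.destination:<14} next hop {route.next_hop} ({route.comment})")
    print("\n".join(as_ip_route_commands(ROUTING_TABLE)))
```

The check worth running after configuring such routes is the lookup itself: a destination inside the VLAN subnet must resolve to a route with no next hop, and any destination outside it must resolve to the firewall. If the subnet route is omitted, the default route captures on-VLAN traffic too, which is the "all traffic through the firewall" case the report describes as sufficient when that is what you require.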

    VII. Conclusion

    This report has provided a basic review of the notion of a network firewall and considerations regarding the requirements for deploying one in a zEnterprise environment. It has also described the internal networking support introduced with the IBM zEnterprise and how, due to its enhanced physical and logical security, in many cases it may eliminate the need for a network firewall to protect network traffic within a zEnterprise environment. Finally, it has described how you can use an external
