Describe the three-tier design of demilitarized zone (DMZ), and further extend on how a VLAN can prevent all the servers


Question - (a) Alice works for a company, the main office is located in the UK and they have another branch located in Australia. Alice is tasked to implement suitable IPSec policies firstly to enable all the company staff in the UK office to connect with the server in their Local Area Network, and secondly to enable the same staff to establish a connection with the server located in their Australia branch. Assess the suitability of different IPSec modes on these scenarios and provide your recommendation with suitable justification. Your recommendations must assure authentication, data integrity and encryption. Also extend on how your chosen mode ensures security that you wanted to achieve, along with an insight into the overheads involved.

Answer - (Bookwork/Application) For the staff to connect with the server located in their Local Area Network, Transport mode should be used. Transport mode ensures authentication and integrity with the Authentication Header (AH), and encryption of the payload is ensured with the Encapsulating Security Payload (ESP). Transport mode introduces less overhead because the original IP header is not encapsulated, so the IP header can be routed as normal. For staff to connect with the server in Australia, Tunnel mode provides the best level of security. Tunnel mode should be used because the routing is performed through the public internet. For site-to-site VPNs, tunnel mode uses AH and ESP to encapsulate the IP packet; the entire IP header is encapsulated and a trailer is added for additional security. Although this encapsulation brings additional overhead, tunnel mode should still be used for site-to-site VPN connections for the additional level of security achieved.
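The overhead difference between the two modes can be laid out field by field. The following is an added example, not part of the original answer; the sizes assume IPv4 without options, ESP with AES-CBC and HMAC-SHA1-96, and the function names `layout` and `overhead` are hypothetical.

```python
# Assumed sizes: IPv4 without options, AES-CBC (16-byte IV and block),
# HMAC-SHA1-96 (12-byte ICV). Other suites change the numbers, not the shape.
IPV4_HDR = 20
ESP_HDR = 8          # SPI (4) + sequence number (4)
ESP_IV = 16
ESP_TRAILER = 2      # pad length (1) + next header (1)
ICV = 12
AH_HDR = 12 + ICV    # fixed AH fields (12) + ICV
BLOCK = 16


def layout(payload_len, mode, with_ah=False):
    """Return the ordered (field, bytes) list for one protected packet."""
    if mode == "transport":
        # The original IP header stays in front and is routed as normal.
        fields = [("original IP header", IPV4_HDR)]
        inner = [("payload (encrypted)", payload_len)]
    elif mode == "tunnel":
        # The whole original packet sits behind a new outer IP header.
        fields = [("new outer IP header", IPV4_HDR)]
        inner = [("original IP header (encrypted)", IPV4_HDR),
                 ("payload (encrypted)", payload_len)]
    else:
        raise ValueError("mode must be 'transport' or 'tunnel'")
    protected = sum(size for _, size in inner)
    # ESP pads plaintext plus its 2-byte trailer to a whole cipher block.
    pad = -(protected + ESP_TRAILER) % BLOCK
    if with_ah:
        fields.append(("AH", AH_HDR))
    fields += [("ESP header", ESP_HDR), ("ESP IV", ESP_IV)] + inner
    fields += [("ESP padding", pad), ("ESP trailer", ESP_TRAILER),
               ("ESP ICV", ICV)]
    return fields


def overhead(payload_len, mode, with_ah=False):
    """Bytes added on the wire compared with the unprotected packet."""
    total = sum(size for _, size in layout(payload_len, mode, with_ah))
    return total - (IPV4_HDR + payload_len)


if __name__ == "__main__":
    for mode in ("transport", "tunnel"):
        for name, size in layout(1000, mode, with_ah=True):
            print(f"{mode:9} {name:32} {size:5}")
        print(f"{mode:9} overhead: {overhead(1000, mode, True)} bytes\n")
```

The tunnel-mode cost is the new outer header plus whatever extra padding the larger protected region needs, which is why the gap is not always exactly 20 bytes.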

(b) Describe the functionalities of the various protocols involved in the SSL Protocol Stack.

Answer - (Bookwork) The SSL protocol stack is comprised of the SSL Handshake Protocol, SSL Change Cipher Spec Protocol, SSL Alert Protocol and SSL Record Protocol. The SSL record protocol divides the data into smaller fragments of 2^14-byte chunks and compresses the fragments; the compressed fragments are appended with a MAC and encrypted, and finally the record header is appended. The SSL handshake protocol is completed prior to any data transmission, generally to establish a session state between the sender and the server. During the establishment of the session, the handshake protocol involves authentication of the sender and server, negotiation of encryption and MAC algorithms, and the negotiation of session keys. The change cipher spec protocol is a part of the handshake protocol; during the negotiation of the cipher suites, mutually available protocols along with the cipher type and the size of the initialisation vector are agreed between the server and the client. The SSL alert protocol sends a message of two bytes to convey any alerts during the process; one byte notifies the severity level and the other presents the alert code. An alert is sent when the record protocol encounters an unexpected message, bad record MAC, illegal parameters during the handshake, expired and unknown certificates etc.
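The record-layer steps and the two-byte alert described above can be traced in code. This is an added example, not part of the original answer: it shows fragmentation, MAC and record header only, with compression and encryption left null, and it assumes TLS 1.2-style framing with HMAC-SHA256; the function names are hypothetical.

```python
import hashlib
import hmac
import struct

MAX_FRAGMENT = 2 ** 14            # record protocol fragment limit
APPLICATION_DATA = 23             # record content type for application data
VERSION = (3, 3)                  # assumption: TLS 1.2 framing
LEVELS = {1: "warning", 2: "fatal"}
DESCRIPTIONS = {10: "unexpected_message", 20: "bad_record_mac",
                45: "certificate_expired", 46: "certificate_unknown",
                47: "illegal_parameter"}


def _mac(key, seq, ctype, fragment):
    # MAC covers sequence number, type, version and length, then the data.
    meta = struct.pack("!QBBBH", seq, ctype, *VERSION, len(fragment))
    return hmac.new(key, meta + fragment, hashlib.sha256).digest()


def seal(key, data, ctype=APPLICATION_DATA):
    """Fragment data and return a list of records: header + fragment + MAC.
    Compression and encryption are null here to keep the framing visible."""
    records = []
    for seq, off in enumerate(range(0, len(data), MAX_FRAGMENT)):
        frag = data[off:off + MAX_FRAGMENT]
        body = frag + _mac(key, seq, ctype, frag)
        records.append(struct.pack("!BBBH", ctype, *VERSION, len(body)) + body)
    return records


def open_record(key, seq, record):
    """Verify one record. Return (fragment, None) or (None, alert_bytes)."""
    ctype, _, _, length = struct.unpack("!BBBH", record[:5])
    body = record[5:5 + length]
    frag, tag = body[:-32], body[-32:]
    if not hmac.compare_digest(tag, _mac(key, seq, ctype, frag)):
        return None, bytes([2, 20])      # fatal, bad_record_mac
    return frag, None


def parse_alert(msg):
    """Decode the two-byte alert: severity level, then alert code."""
    if len(msg) != 2:
        raise ValueError("an alert is exactly two bytes")
    level, code = msg
    return LEVELS.get(level, "unknown"), DESCRIPTIONS.get(code, f"code {code}")
```

Because the sequence number is part of the MAC input, a record that is replayed or reordered fails verification the same way a modified one does.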

(c) Describe the three-tier design of demilitarized zone (DMZ), and further extend on how a VLAN can prevent all the servers in the DMZ being compromised at a given time.

Answer - (Bookwork) A De-Militarised Zone (DMZ) is a zone with an intermediate trust level, situated between the Internet and a trusted internal network. A three-tier design of DMZ is comprised of trusted networks, usually the internal network comprising confidential and sensitive assets requiring a higher level of security; semi-trusted networks, located between the trusted internal network and the public untrusted network, which provide access to some important resources to the internal users; and un-trusted networks, which are external to the firewall and located outside of the trusted zone. A VLAN helps the devices connected to the same physical network to create their own broadcast domain, so that logical separation can be achieved. A DMZ usually comprises multiple servers, and when one server is attacked all the other servers can be easily compromised when these servers use the same broadcast domain. Using VLANs to logically separate all the servers into their own broadcast domains, by designating each switch port of the DMZ as a private VLAN, can avoid all the servers being compromised at one given time.

(d) Here is a configuration of a standard ACL, provide a brief summary of this configuration. access-list 89 permit tcp host any eq www.

Answer - (Bookwork/Application) This is a standard ACL configuration, which allows traffic by matching the IP address of the source against the IP address in the ACL. This ACL configuration is configured to permit www traffic which generally operates on port 80, which is a tcp protocol.

(e) Briefly explain the context in which confidentiality, integrity and authentication are used in the SET protocol. You will have to be specific with the SET protocol rather than presenting a general description.

Answer - (Bookwork) Confidentiality is used to ensure that the sensitive information of clients, such as their credit/debit card details, is not accessible and available to the merchants. Integrity is used to ensure that no changes can be maliciously imposed on the client's order information. Authentication is used to assure the trustworthiness of the merchants and clients with the use of certificates.
