Security Topologies

Widyawan
Security Topologies
Defines the network design and
implementation from a security perspective
Unlike network topology, we are more
concerned with access method, security and
technology used
Cover four main area
Design Goals
Security Zone
Technologies
Business Requirement

Design goal
Confidentiality: prevent unauthorised
disclosure of information
Integrity: prevent unauthorised modification
of information
Availability: prevent unauthorised with-
holding of information or resources
Others, e.g: accountability: make system
accountable for change and detect and
investigate intrusions

Security Zones
Describe design method that isolate
systems from other systems or network
Key aspect of creating and designing
security zones
Internet
Intranet
Extranet
Private Connection
VPN
DMZ

Technologies
VLAN
Networks are grouped logically instead of
physically
NAT
Allow presenting a single address for all
computer connection
Can be achieved by router or NAT server
Tunneling
Ability to create a virtual dedicated connection
between two systems or network


Business Requirements
Business requirements of security
environments
Asset Identification
Risk assessment/ analysis
Threat Identification
Vulnerabilities
Asset Identification
The process in which a company attempts
to place a value on the information and
systems in place
In some cases, it may be as simple as
counting systems and software license
The more difficult is to assign value on
information
You would not assign the same value for the
recipe of coca cola with your mothers recipe
Risk Assessment
From highly scientific formula-based
methods to conversation wit the owner
An attempt to identify the costs of replacing
stolen data or systems, cost of downtime
and virtually any other factor
Then evaluate the like hood that certain
types and outcome will occur
Have any single person is planned for
September 11 attack
Threat Identification
Implementing a security policy requires that we
evaluate the risk of both internal and external
threats
Internal threats
Theft
Financial abuse and embezzlements
Sabotage
Espionage
External threats
Natural disaster
Burglar
Attacker
Vulnerabilities
Operating System Vulnerabilities
TCP/IP vulnerabilities
Primarily experimental and used by
schools and governmental agencies for
research
Very robust in error handling
It is by its nature unsecured
Many modern attack occur through
TCP/IP
Case Studies: Initial Risk
Assessment
Estimate potential lossesSingle Loss
Expectance = Asset Value x Exposure
Factor.
Conduct a threat analysisThe goal
here is to estimate the Annual Rate of
Occurrence (ARO). This numeric value
represents how many times the event
is expected to happen in one year.

Determine Annual Loss Expectancy
(ALE), ALE = Single Loss Expectancy
(SLE) x Annualized Rate of
Occurrence (ARO).
Exposure Value
ARO
Once a year, ARO = 1
Once in 10 year = 0.1
JTETI: Initial Risk Assessment
Items Asset
Value
Threat Exposure
Factor
ARO Annual Loss
Expectancy
Server
Farm
50M Hardware
Failure
0.25 0.5 6.25M
Web
Server
10M DoS 0.25 0.2 0.5M
Computer
System
2B Short-term
Outage
0.05 10 500M
506.75M
Quizz
What is the security goal? Explain with examples
Explain this term below
VPN, NAT, DMZ
Mega Bank open a branch office in Yogyakarta and
has appoint you as their security consultant. If it
wants to connect to headquarters in Jakarta what
kind of security zone would you suggest and
explain why?
Give examples of initial risk assessment of any
company of your choice