Basic Security Concepts, Strengths, and Vulnerabilities of Security Topologies

The concepts of security topologies are based on securing the communication between devices on the network. Topologies consist of security zones that are created using hardware devices. This section provides an overview of how firewalls are used to segment the network into security zones and create various security topologies. It will also help you understand basic security concepts, strengths, and vulnerabilities of security topologies and be able to explain the strengths and vulnerabilities of these topologies.

Security Zones

To understand security zones, we must first discuss the major types of firewall architectures or security topologies. They are as follows:

  • Bastion host

  • Screened host gateway

  • Screened subnet gateway

Bastion Host

A bastion host is the first line of security that a company allows to be addressed directly from the Internet. Figure 6.2 shows how a bastion host works. It is designed to screen the rest of its network from security exposure. It is the device that the firewall software is installed on, and it supports packet filtering, proxy, and hybrid firewall applications, such as a dual-homed host, where there are two NICs. A bastion host can be a router running access lists or a PC running an operating system that supports some kind of routing rules definition or traffic-filtering mechanism. Bastion hosts can also be used for Web, email, FTP, or DNS servers.

Figure 6.2. A bastion host.


Bastion host solutions are most common to small networks or remote locations. Because each host has a specific role, all unnecessary services and protocols should be uninstalled. The server's operating system and software also need to be hardened. This process is discussed in Chapter 7.

Screened Host Gateway

A screened host gateway is implemented using a screening router and a bastion host. The bastion host is on the private network and communicates directly with a border router. The screening router blocks traffic by packet filtering; it may also block traffic on specific ports, as shown in Figure 6.3. The bastion host serves as a choke point through which all traffic flows. This network design includes an application gateway. Traffic coming in from the Internet gets filtered through the router based on what is allowed. If it is allowed, the traffic gets forwarded to the application gateway. The application gateway then redirects it to the appropriate server or a workstation. The process works essentially backwards for outgoing communications.

Figure 6.3. A screened host gateway.


Compared to a bastion host, the screened host gateway is more likely to let certain types of offending traffic in. In the case of a bastion host, all rules are configured on one device. With application gateways, two devices need to be configured. This leaves room for error. Another reason why this could be less secure is that the packet filter is configured quite liberally, usually allowing "all or none." The requests are then forwarded to the application gateway, where the majority of the filtering is done. If configured properly, this is a good solution because two devices would have to be compromised.

Screened Subnet Gateway

The third type is called a screened subnet gateway. Screened subnet gateway architecture includes two screened host gateway devices that isolate the LAN from the Internet. Essentially, this is an isolated subnet between the Internet and the internal network, as shown in Figure 6.4.

Figure 6.4. A screened subnet gateway.


With a screened subnet, two local subnets are needed. Both the Internet and the private network have access to the screened subnet, but neither can access the other. Therefore, one subnet is needed for the internal network and one is needed for the screened subnet. This type of setup is recommended because traffic is controlled more finely and it isolates the internal network behind more than one layer of security. Public inbound traffic is allowed only into the DMZ subnet. Outbound traffic flows through the DMZ, which creates anonymity for the requesting clients on the LAN.

Disadvantages of this architecture are complex implementation and possible breaches when packets are allowed from the borderline firewall through the DMZ and into the internal network. This topology is by far the most flexible and secure, where one can completely eliminate direct outside-to-inside communications and conduct everything through a strictly controlled area called a DMZ.
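The zone rules described above (Internet reaches the DMZ only, the LAN reaches the DMZ and the Internet, the DMZ never initiates connections into the LAN) can be expressed as a small first-match policy. The following is an added example written for this page, not code from the book; the zone address ranges, the hosts, the rule list and the function names are all constructed for illustration.

```python
"""Toy zone-based packet filter modelling a screened subnet.

Three zones: "internet" (anything not in a known private range),
"dmz" (the screened subnet) and "internal" (the LAN).  Rules are
evaluated first-match with an implicit final deny.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone definitions: RFC 1918 space for the LAN and the DMZ.
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]   # None matches any destination port
    action: str            # "allow" or "deny"


# Screened-subnet policy (constructed): public inbound traffic reaches
# the DMZ only, the LAN may reach the DMZ and the Internet, and the DMZ
# never initiates connections into the LAN.  Anything unlisted is denied.
POLICY = [
    Rule("internet", "dmz", "tcp", 25, "allow"),         # SMTP to the mail relay
    Rule("internet", "dmz", "tcp", 80, "allow"),         # HTTP to the Web server
    Rule("internet", "dmz", "tcp", 443, "allow"),        # HTTPS to the Web server
    Rule("internal", "dmz", "tcp", None, "allow"),       # staff reach DMZ services
    Rule("internal", "internet", "tcp", None, "allow"),  # outbound browsing
    Rule("dmz", "internal", "tcp", None, "deny"),        # explicit: DMZ never initiates inward
]


def zone_of(ip: str) -> str:
    """Map an address to its zone; anything outside the known private
    ranges is treated as the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int) -> str:
    """First-match rule evaluation with an implicit final deny."""
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.proto == proto
                and (rule.dport is None or rule.dport == dport)):
            return rule.action
    return "deny"


if __name__ == "__main__":
    # Constructed sample flows: 203.0.113.7 stands in for an Internet host.
    flows = [
        ("203.0.113.7", "192.168.100.10", "tcp", 80),   # public -> DMZ web
        ("203.0.113.7", "10.1.1.20", "tcp", 80),        # public -> LAN (blocked)
        ("192.168.100.10", "10.1.1.20", "tcp", 445),    # DMZ -> LAN (blocked)
        ("10.1.1.20", "192.168.100.10", "tcp", 80),     # LAN -> DMZ
    ]
    for flow in flows:
        print(flow, "->", evaluate(*flow))
```

The explicit DMZ-to-internal deny is redundant with the implicit final deny, but keeping it in the rule list documents the design intent and survives later additions of broad allow rules placed below it.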

DMZ

A demilitarized zone (DMZ) is a small network between the internal network and the Internet that provides a layer of security and privacy. This configuration is described in the previous screened subnet gateway section. Both internal and external users have limited access to the servers in this area. Often Web and mail servers are placed in the DMZ. Because these devices are exposed to the Internet, it is important that they are hardened and patches are kept current. See Table 6.1 for a list of the most common services and ports that are run on servers inside the DMZ.


You should know the various types of services and the ports they are executed on.


Table 6.1. Commonly Used Ports

  Port   Service
  ----   -------
  21     FTP
  22     SSH
  25     SMTP
  53     DNS
  80     HTTP
  110    POP3
  443    HTTPS

Intranet

An intranet is a portion of the internal network that uses Web-based technologies. The information is stored on Web servers and accessed using browsers. Although Web servers are used, they don't necessarily have to be accessible to the outside world. This is possible because the IP addresses of the servers are reserved for private, internal use. We will go over private IP addresses in the "NAT" section, later in this chapter. If the intranet can be accessed from public networks, it should be through a VPN for security reasons.

Extranet

An extranet is the public portion of the company's IT infrastructure that allows resources to be used by authorized partners and resellers that have proper authorization and authentication. This type of arrangement is commonly used for business-to-business relationships. Because an extranet can provide liability for a company, care must be taken to ensure that VPNs and firewalls are configured properly and that security policies are strictly enforced.

VLANs

VLAN is short for virtual local area network, and its purpose is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. VLANs provide a way to limit broadcast traffic in a switched network. This creates a boundary and, in essence, creates multiple, isolated LANs on one switch. Because switches operate on layer 2 of the OSI model, if data is to be passed from one VLAN to another, a router is required.


The purpose of a VLAN is to logically group network nodes regardless of their physical location.


Frame tagging is the technology used for VLANs. The 802.1Q standard defines a mechanism that encapsulates the frames with headers, which then tags them with a VLAN ID. VLAN-aware network devices look for these tags in frames and make appropriate forwarding decisions. A VLAN is basically a software solution that allows creating unique tag identifiers to be assigned to different ports on the switch. For more information on frame tagging and VLANs, see the "Need to Know More?" section at the end of the chapter.
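The 802.1Q tag described above sits between the source MAC address and the EtherType: a 2-byte TPID of 0x8100 followed by a 2-byte TCI carrying a 3-bit priority (PCP), a 1-bit DEI and the 12-bit VLAN ID. The following is an added example written for this page, not code from the book: it parses that tag out of a raw frame and applies a per-port allowed-VLAN list the way a VLAN-aware switch does on ingress. The frame contents, the port table and the function names are constructed for illustration; dropping untagged frames on a trunk (rather than assigning them to a native VLAN) is a policy choice made here.

```python
"""Parse 802.1Q-tagged Ethernet frames and make an ingress decision."""
import struct

TPID_8021Q = 0x8100


def parse_frame(frame: bytes) -> dict:
    """Return MACs, VLAN fields (None when untagged), EtherType and payload."""
    if len(frame) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, ethertype = struct.unpack("!6s6sH", frame[:14])
    info = {"dst": dst.hex(":"), "src": src.hex(":"), "vlan": None, "pcp": None}
    offset = 14
    if ethertype == TPID_8021Q:
        if len(frame) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info["pcp"] = tci >> 13          # top 3 bits: priority
        info["vlan"] = tci & 0x0FFF      # low 12 bits: VLAN ID
        offset = 18
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def build_frame(dst: str, src: str, ethertype: int, payload: bytes,
                vlan: int = None, pcp: int = 0) -> bytes:
    """Construct a sample frame, tagged when a VLAN ID is given."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan is not None:
        tci = ((pcp & 0x7) << 13) | (vlan & 0x0FFF)
        hdr += struct.pack("!HHH", TPID_8021Q, tci, ethertype)
    else:
        hdr += struct.pack("!H", ethertype)
    return hdr + payload


# Constructed switch configuration: one trunk carrying VLANs 10 and 20,
# one access port that belongs to VLAN 10 and carries only untagged frames.
PORTS = {
    "trunk1": {"mode": "trunk", "allowed": {10, 20}},
    "access3": {"mode": "access", "vlan": 10},
}


def ingress_decision(port: str, frame: bytes) -> str:
    """Accept or drop a frame arriving on `port`, naming the VLAN it joins.
    Tagged frames on an access port and tags outside a trunk's allowed
    list are dropped, so a tag cannot be used to reach a VLAN the port
    was never meant to carry."""
    cfg = PORTS[port]
    info = parse_frame(frame)
    if cfg["mode"] == "access":
        if info["vlan"] is not None:
            return "drop: tagged frame on access port"
        return f"forward in VLAN {cfg['vlan']}"
    if info["vlan"] is None:
        return "drop: untagged frame on trunk"
    if info["vlan"] not in cfg["allowed"]:
        return f"drop: VLAN {info['vlan']} not allowed on trunk"
    return f"forward in VLAN {info['vlan']}"


if __name__ == "__main__":
    tagged = build_frame("ff:ff:ff:ff:ff:ff", "00:11:22:33:44:55",
                         0x0800, b"\x45" + bytes(19), vlan=20, pcp=3)
    print(parse_frame(tagged)["vlan"], ingress_decision("trunk1", tagged))
```

Pruning the allowed-VLAN list on every trunk to exactly the VLANs that must cross it is the configuration-side counterpart of the last check in ingress_decision.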

The most notable benefit of using a VLAN is that it can span multiple switches. Because users on the same VLAN don't have to be associated by physical location, they can be grouped by department or function. Here are the benefits that VLANs provide:

  • Users can be grouped by department rather than physical location.

  • Moving and adding users is simplified. No matter where a user physically moves, the only changes needed are to the software configuration of the switch.

  • Because VLANs allow users to be grouped, applying security policies becomes easier.

Keep in mind that using a VLAN is not to be considered an absolute safeguard against security infringements. It does not provide the same level of security as a router. A VLAN is a software solution and cannot take the place of a well-subnetted or routed network. It is possible to make frames hop from one VLAN to another. This takes skill and knowledge on the part of an attacker, but it is possible.

NAT

Network Address Translation (NAT) acts as a liaison between an internal network and the Internet. It allows multiple computers to connect to the Internet using one IP address. In this situation, the internal network uses a private IP address. Special ranges in each IP class are used specifically for private addressing. These addresses are considered nonroutable on the Internet.

Here are the private address ranges:

  • Class A 10.0.0.0 network. Valid host IDs are from 10.0.0.1 to 10.255.255.254.

  • Class B 172.16.0.0 through 172.31.0.0 networks. Valid host IDs are from 172.16.0.1 through 172.31.255.254.

  • Class C 192.168.0.0 network. Valid host IDs are from 192.168.0.1 to 192.168.255.254.

For smaller companies, NAT can be used in the form of Windows Internet Connection Sharing (ICS), where all machines share one Internet connection, such as a dial-up modem. NAT can also be used for address translation between multiple protocols, which improves security and provides for more interoperability in heterogeneous networks.


Keep in mind that NAT and IPSec do not work well together. NAT has to replace the headers of the incoming packet with its own headers before sending the packet. This may not be possible because the IPSec information is encrypted.



Another address range to keep in mind when designing IP address space is Automatic Private IP Addressing (APIPA). Microsoft implemented this in Windows 98 and 2000 clients. In the event that no Dynamic Host Configuration Protocol (DHCP) server is available at the time that the client issues a DHCP lease request, it will be automatically configured with an address from the 169.254.0.1 through 169.254.255.254 range.
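The following is an added example written for this page, not code from the book. It ties the NAT description and the two address notes together: a minimal port address translation table that rewrites outbound connections from the private ranges listed above to a single public address and maps the replies back, plus a classifier that distinguishes private, APIPA and public addresses. The addresses, port numbers and function names are constructed for illustration; 203.0.113.1 is documentation address space standing in for the ISP-assigned address.

```python
"""Toy NAT/PAT table with private- and APIPA-range classification."""
import ipaddress
from itertools import count

# The three private ranges from the text, in CIDR form
# (172.16.0.0/12 spans 172.16.0.0 through 172.31.255.255).
PRIVATE_RANGES = [ipaddress.ip_network(n) for n in
                  ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Automatic Private IP Addressing range assigned when no DHCP server answers.
APIPA = ipaddress.ip_network("169.254.0.0/16")


def address_kind(ip: str) -> str:
    """Return "private", "apipa" or "public" for an IPv4 address."""
    addr = ipaddress.ip_address(ip)
    if addr in APIPA:
        return "apipa"          # host never obtained a DHCP lease
    if any(addr in net for net in PRIVATE_RANGES):
        return "private"
    return "public"


class NatTable:
    """Maps (inner address, inner port) pairs to ports on one public address."""

    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.outbound = {}   # (inner_ip, inner_port) -> public_port
        self.inbound = {}    # public_port -> (inner_ip, inner_port)

    def translate_outbound(self, src_ip: str, src_port: int):
        """Rewrite the source of an outgoing packet; returns (ip, port).
        Only private sources are translated: an APIPA or public source
        address behind the NAT indicates a misconfigured host."""
        if address_kind(src_ip) != "private":
            raise ValueError(f"refusing to translate non-private source {src_ip}")
        key = (src_ip, src_port)
        if key not in self.outbound:
            public_port = next(self._ports)
            self.outbound[key] = public_port
            self.inbound[public_port] = key
        return self.public_ip, self.outbound[key]

    def translate_inbound(self, dst_port: int):
        """Map a reply arriving on the public address back to the inner
        host, or None when nothing inside initiated the flow (the packet
        is then dropped, which is the filtering side effect of NAT)."""
        return self.inbound.get(dst_port)


if __name__ == "__main__":
    nat = NatTable("203.0.113.1")
    print(nat.translate_outbound("10.1.1.20", 51000))   # constructed LAN client
    print(nat.translate_inbound(40000))                  # reply comes back
    print(nat.translate_inbound(9999))                   # unsolicited: None
```

Because translate_inbound only consults entries created by an earlier outbound packet, unsolicited inbound traffic never reaches an internal host; that is the incidental protection NAT provides, which is why the text calls it a liaison rather than a firewall.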


IP Classes

In case you are unclear about IP classes, the following information will help you review or learn about the different classes. IP address space is divided into five classes: A, B, C, D, and E. The first byte of the address determines which class an address belongs to:

  • Network addresses with the first byte between 1 and 126 are Class A and can have about 17 million hosts each.

  • Network addresses with the first byte between 128 and 191 are Class B and can have about 65,000 hosts each.

  • Network addresses with the first byte between 192 and 223 are Class C and can have about 250 hosts.

  • Network addresses with the first byte between 224 and 239 are Class D and are used for multicasting.

  • Network addresses with the first byte between 240 and 255 are Class E and are used as experimental addresses.

Tunneling

Tunneling involves one network sending its data through the connection of another network. It works by encapsulating a network protocol within packets carried by the public network. A common approach to tunneling is Point-to-Point Tunneling Protocol (PPTP) technology, which embeds its own network protocol within the TCP/IP packets carried by the Internet. Layer 2 Tunneling Protocol (L2TP) can also be used. Tunneling should not be used as a substitute for encryption. The strongest level of encryption possible needs to be used within the VPN.

The downside of tunneling is that for the firewall to establish the tunnel, a set of rules needs to be configured to permit such activity. Once the VPN tunnel is created, it is considered a channel that has already passed security checks. In addition, when encryption is used within a tunnel, it is not possible to filter the packets because the firewall does not see the encrypted contents.
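To make the encapsulation and the filtering limitation concrete, the following is an added example written for this page, not code from the book. It builds an IPv4 packet carried inside GRE (the carrier PPTP uses for tunnelled data) and contrasts two vantage points: a firewall on the path, which sees only the outer header and can at most confirm that GRE runs between the expected tunnel endpoints, and the tunnel endpoint, which after decapsulation can apply ordinary port rules to the inner packet. When the inner packet is encrypted, only the endpoint holding the key can do the second step, which is the point made above. All addresses, the TCP stub and the function names are constructed for illustration.

```python
"""GRE encapsulation and what a packet filter can decide at each vantage point."""
import struct

GRE = 47   # IP protocol number for GRE
TCP = 6


def ipv4_checksum(header: bytes) -> int:
    """Standard ones'-complement sum over 16-bit words."""
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    """Minimal 20-byte IPv4 header (no options), checksum filled in."""
    def pack(ip):
        return bytes(int(o) for o in ip.split("."))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0,
                      64, proto, 0, pack(src), pack(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def tcp_stub(sport: int, dport: int) -> bytes:
    """Constructed 20-byte TCP header; only the port fields matter here."""
    return struct.pack("!HH", sport, dport) + bytes(16)


def gre_encapsulate(outer_src: str, outer_dst: str, inner_packet: bytes) -> bytes:
    """Wrap an inner IPv4 packet: outer IPv4 (proto 47) + 4-byte GRE header."""
    gre_hdr = struct.pack("!HH", 0, 0x0800)   # no flags/version; inner is IPv4
    outer = ipv4_header(outer_src, outer_dst, GRE, len(gre_hdr) + len(inner_packet))
    return outer + gre_hdr + inner_packet


def parse_ipv4(pkt: bytes) -> dict:
    ihl = (pkt[0] & 0x0F) * 4
    return {"proto": pkt[9],
            "src": ".".join(str(b) for b in pkt[12:16]),
            "dst": ".".join(str(b) for b in pkt[16:20]),
            "payload": pkt[ihl:]}


def path_filter(pkt: bytes, tunnel_endpoints: set) -> str:
    """A firewall between the sites sees only the outer header: it can
    pin GRE to the known endpoints but learns nothing about the inner flow."""
    outer = parse_ipv4(pkt)
    if outer["proto"] == GRE:
        if {outer["src"], outer["dst"]} <= tunnel_endpoints:
            return "allow-tunnel"
        return "deny: GRE from unexpected peer"
    return "deny: default"


def endpoint_filter(pkt: bytes, blocked_ports: set) -> str:
    """At the tunnel endpoint the inner packet is visible again, so the
    usual port rules are applied after decapsulation."""
    outer = parse_ipv4(pkt)
    gre_proto = struct.unpack("!H", outer["payload"][2:4])[0]
    if outer["proto"] != GRE or gre_proto != 0x0800:
        return "deny: not an IPv4-in-GRE packet"
    inner = parse_ipv4(outer["payload"][4:])
    if inner["proto"] == TCP:
        _, dport = struct.unpack("!HH", inner["payload"][:4])
        if dport in blocked_ports:
            return f"deny: inner TCP port {dport}"
    return f"allow: {inner['src']} -> {inner['dst']}"


if __name__ == "__main__":
    # Constructed flow: LAN host 10.1.1.20 to remote host 10.2.2.30 on TCP 445,
    # tunnelled between gateways 203.0.113.1 and 198.51.100.2.
    inner = ipv4_header("10.1.1.20", "10.2.2.30", TCP, 20) + tcp_stub(51000, 445)
    pkt = gre_encapsulate("203.0.113.1", "198.51.100.2", inner)
    print(path_filter(pkt, {"203.0.113.1", "198.51.100.2"}))
    print(endpoint_filter(pkt, {445}))
```

The practical consequence is that the rules you would normally keep on the perimeter firewall for this traffic have to be re-applied at the tunnel endpoint, where the packets are in the clear again.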

Practice Questions

Question 1

Your company is in the process of setting up a DMZ segment. You have to allow email traffic in the DMZ segment. Which TCP ports do you have to open? [Check all correct answers.]

  • A. 110

  • B. 139

  • C. 25

  • D. 443

A1:

Answers A and C are correct. Port 110 is used for POP3 incoming mail, and port 25 is used for SMTP outgoing mail. POP3 delivers mail only and SMTP transfers mail between servers. Answer B is incorrect because UDP uses port 139 for network sharing. Port 443 is used by HTTPS; therefore, answer D is incorrect.

Question 2

The main fan in your server died on Wednesday morning. It will be at least two days before it can be replaced. You decide to use another server instead but need to restore the data from the dead one. You have been doing incremental backups and the last full backup was performed on Friday evening. The backup doesn't run on weekends. How many backup tapes will you need to restore the data?

  • A. Two

  • B. Four

  • C. One

  • D. Three

A2:

Answer D is correct. You will need the full backup from Friday, the incremental tape from Monday, and the incremental from Tuesday. Answer A is incorrect because two tapes would be needed if the backup type was differential. Answer B is incorrect because Wednesday's backup hasn't happened yet. Answer C is incorrect because one tape would be enough only if full backups were done daily.

Question 3

Your company is in the process of setting up a management system on your network, and you want to use SNMP. You have to allow this traffic through the router. Which UDP ports do you have to open? [Check all correct answers.]

  • A. 161

  • B. 139

  • C. 138

  • D. 162

A3:

Answers A and D are correct. UDP ports 161 and 162 are used by SNMP. Answer B is incorrect because UDP uses port 139 for network sharing. Answer C is incorrect because port 138 is used to allow NetBIOS traffic for name resolution.

Question 4

You are having problems with your email server. No one seems to be receiving any mail. You're not exactly sure where the problem lies. You go to a remote office, open a DOS prompt, and type which command?

  • A. netstat

  • B. tracert

  • C. ipconfig

  • D. nslookup

A4:

Answer B is correct. Tracert traces the route a packet takes and records the hops along the way. This is a good tool to use to find out where a packet is getting hung up. Netstat displays all the ports on which the computer is listening; therefore, answer A is incorrect. Answer C is incorrect because IPConfig is used to display the TCP/IP settings on a Windows machine. Answer D is also incorrect because Nslookup is a command-line utility used to troubleshoot a Domain Name Server (DNS) database.

Question 5

You have implemented a proxy firewall technology that can distinguish between an FTP get command and an FTP put command. What type of firewall are you using?

  • A. Proxy gateway

  • B. Circuit-level gateway

  • C. Application-level gateway

  • D. SOCKS proxy

A5:

Answer C is correct. An application-level gateway understands services and protocols. Answer A is too generic to be a proper answer. Answer B is incorrect because a circuit-level gateway's decisions are based on source and destination addresses. Answer D is incorrect because SOCKS proxy is an example of a circuit-level gateway.

Question 6

You want to use NAT on your network, and you have received a Class C address from your ISP. What range of addresses should you use?

  • A. 10.x.x.x

  • B. 172.16.x.x

  • C. 172.31.x.x

  • D. 192.168.x.x

A6:

Answer D is correct. In a Class C network, valid host IDs are from 192.168.0.1 to 192.168.255.254. Answer A is incorrect because it is a Class A address. Valid host IDs are from 10.0.0.1 to 10.255.255.254. Answers B and C are incorrect because they are both Class B addresses; valid host IDs are from 172.16.0.1 through 172.31.255.254.

Question 7

You are setting up a switched network and want to group users by department. Which technology would you implement?

  • A. DMZ

  • B. VPN

  • C. VLAN

  • D. NAT

A7:

Answer C is correct. The purpose of a VLAN is to unite network nodes logically into the same broadcast domain regardless of their physical attachment to the network. Answer A is incorrect because a DMZ is a small network between the internal network and the Internet that provides a layer of security and privacy. Answer B is incorrect because a Virtual Private Network (VPN) is a network connection that allows you access via a secure tunnel created through an Internet connection. Answer D is incorrect because NAT acts as a liaison between an internal network and the Internet.

Question 8

You have a Web server that needs to be accessed by both the employees and by external customers. What type of architecture should be implemented?

  • A. Bastion host

  • B. Screened subnet

  • C. Screened host

  • D. Bastion subnet

A8:

Answer B is correct. A screened subnet is an isolated subnet between the Internet and the internal network. A bastion host is the first line of security that a company allows to be addressed directly from the Internet; therefore, answer A is incorrect. A bastion host on the private network communicating directly with a border router is a screened host; therefore, answer C is incorrect. Answer D is fictitious and therefore incorrect as well.

Question 9

An exposed device that's the foundation for firewall software to operate on is called a ______.

  • A. Bastion host

  • B. Screened subnet

  • C. Screened host

  • D. Bastion subnet

A9:

Answer A is correct. A bastion host is the first line of security that a company allows to be addressed directly from the Internet. Answer B is incorrect because a screened subnet is an isolated subnet between the Internet and the internal network. A bastion host on the private network communicating directly with a border router is a screened host; therefore, answer C is incorrect. Answer D is fictitious and therefore incorrect as well.

Question 10

You have recently had some security breaches in the network. You suspect it may be a small group of employees. You want to implement a solution that will monitor the internal network as well as external traffic. Which of the following devices would you use? [Check all correct answers.]

  • A. A router

  • B. A network-based IDS

  • C. A firewall

  • D. A host-based IDS

A10:

Answers B and D are correct. Because you want to monitor both types of traffic, the IDSs should be used together. Network-based intrusion-detection systems monitor the packet flow and try to locate packets that are not allowed for one reason or another and may have gotten through the firewall. Host-based intrusion-detection systems monitor communications on a host-by-host basis and try to filter malicious data. These types of IDSs are good at detecting unauthorized file modifications and user activity. Answer A is incorrect because a router forwards information to its destination on the network or the Internet. A firewall protects computers and networks from undesired access by the outside world; therefore, answer C is incorrect.



Security+ Certification Exam Cram 2 (Exam Cram SYO-101)
ISBN: 0789729105
Year: 2005
Pages: 162