Chapter 28

Section: Part VII:  Bringing It All Together

Chapter 28. Network Architecture Considerations

IN THIS CHAPTER

        Network Architecture

        Protecting the Castle

This chapter discusses considerations for network architecture that enhance the security of the computing and network environment.


 

Section: Chapter 28.  Network Architecture Considerations

Network Architecture

The Internet is known as the network of networks. Each network plays an important part in the greater security of the Internet. By emphasizing security when designing and implementing your network, you can make your little corner of the Internet a safer place to be. The creation of a network environment for an organization should be thought out well in advance, rather than simply plugging equipment together. The goal of this chapter is to present you with important considerations for your network design that will enhance the security of your organization and those with which it interoperates.

The term "network architecture" collectively describes the requirements, organization, methods, and equipment used to create a network including its physical components and security awareness. A secure network architecture is arrived at by considering all of these elements, their use and their relationship to each other. Before you can make a network architecture secure, it is important to know the components used to create the network and the threats against them. Once the organization of the components and their threats is understood, a valid architecture can be designed.

Network Components

Without network components, there is no network, and without consideration for these components, there is no security! The first step toward a secure network topology is to examine the devices and systems used to implement it. The following considerations and types of equipment are common to an organization:

        Access devices

        Security devices

        Servers and systems

        Organization and layout

Access Devices

The access device is the piece of network equipment that provides Internet access and intercommunication between networks and is the first element required for an Internet-accessible organization. Organizations may not need an access device, but if they want to communicate with other networks or to provide access from the outside to employees or Internet users, an access device is needed. Access devices come in many forms; the most common are modems and routers.

There are generally two (or more) interfaces on an access device. The interfaces to which the network of the organization connects are considered the internal interface of the router (or other equipment). The interfaces that connect to the Internet service provider (ISP) are the external interfaces. The internal network comprises those systems and equipment on the internal side of the router. The network or networks accessible from the Internet form the external network.

The use of the access device has a direct effect on the security of a network topology because it helps define the Internet access model used in the organization and is the first point where defense is needed. There are many access models that designers can use, including highly restrictive exception-based access, open, and a combination in between. Exception-based access models apply a default restriction that disallows all access, followed by exceptions for needed services and connectivity. This is a commonly used method of protection where the firewall is configured to block traffic to all but a few specified protocols and services on specific systems. An example of exception-based access is to disallow all traffic to the Web server except for TCP traffic to port 80 (the IP protocol and service port (HTTP) that the Web server uses). Exception-based access models are useful in simple network environments where there is little network diversity or need for complex filtering rules.

An open model allows access to everyone unless otherwise explicitly prohibited. This model focuses on only the services provided by a network and its systems. It uses firewall rules to allow or disallow access from specific networks and systems to explicit services such as a Web server or email and provides granular access control. This model takes no action on the remainder of the ports and protocols that are not in use, however, which can present a security risk in some network environments.

The following examples demonstrate the usefulness and dangers of an open access model.

In a simple network environment, where the Web server is connected directly to the Internet, an open model might create unnecessary security risks. In this case, the firewall allows access to the Web server from specific friendly networks and systems, but does not affect any other traffic to or from the Web server, including hostile traffic from the Internet. This presents a danger if an attacker compromises the Web server. The attacker can then set up a new and unauthorized service on that system, which runs unaffected by the firewall. An exception-based model would protect against this.

Open models are useful to provide granular access control and protect against unauthorized traffic to specific services, as is often used with domain name servers and email servers. Domain name servers and email servers often have secondary relays that provide service to Internet systems and protect the primary system from exposure to the Internet. The primary systems can be configured with an open access model that allows network traffic to the domain name and email services only from the relay servers. This example also assumes that the net work topology protects the primary servers from external attack.

There are several schools of thought when determining which model of access should be used. The exception-based model is more restrictive and places the brunt of the security responsibilities on the firewall's strengths. The open model relies more on the systems in use to assure that they are configured securely and provide minimal possibility for compromise and modification.

Security Devices

Firewalls, Virtual Private Network (VPN) servers, and intrusion detection systems (IDS) are commonly used examples of security devices. Firewalls are used to protect the internal network from external threats by allowing or disallowing certain types of network traffic and data. Firewalls are not meant only for the edge of the network, but anywhere that traffic restrictions are required or recommended. VPN devices are used to provide secure remote access from the Internet to users by creating an encrypted tunnel through which the remote computer accesses the internal network of an organization. Intrusion detection systems provide active monitoring and notification of known attacks on systems and networks by watching network data. These devices provide the first and most obvious level of security and are vital to any network topology.

Servers and Systems

Servers and systems are all of the computers used within the organization. These systems include Web, mail, login, file and print servers, desktop computers, and network management systems. The requirements for these systems influence the network architecture and include the network services offered, and they also dictate to whom access is provided. Each service provided affects the security of the network and the system on which it runs. Consideration given to these effects results in a network architecture that minimizes the risks and effects of a security breach.

As you have learned throughout this book, attackers will often scan for servers that provide services to both the Internet and internal networks; the compromise of these systems allows the attacker a doorway into the organization. Servers that run multiple services also present security risks because each service provides a potential doorway into that particular system. It is particularly important to examine the history of an application or service for security vulnerabilities. Email, Web, DNS, and FTP servers have a long history of vulnerabilities, and their simultaneous use on a single system provides several access points for an attacker.

Organization and Layout

The organization and layout of the network takes into consideration the implementation of these components. This includes the physical placement and organization of the network equipment and wiring, as well as the method by which Internet access is provided. Identifying network service requirements and the relationship of users to these services is important to the security of a network architecture.

Many operating systems and arrive configured by default to provide every service it supports, despite the fact that an organization rarely needs or uses all of them. If an organization needs file sharing, printing, Web, and email capabilities, the servers that provide these services should have all their other services disabled. If these services are provided to different groups within the organization or if a clear need for these services to share information is not established, they should be run on different systems and networks that reflect the users'access needs.

Threats

The threats to a network should be known in advance of the design. The threats outlined here are organized into three categories:

        External attacks

        Internal attacks

        Physical attacks

Understanding the threats posed to a network connected to the Internet has several key benefits. This knowledge allows the network designers to protect against attack and compromise of systems, limit the effects of vulnerabilities, and isolate their interactions. The secure network architecture affects the ability of an organization to react quickly to an incident and to recover safely without loss while also adding to reliability and performance. The threats to a network and its systems are partially mitigated with a secure network architecture. Other factors that help alleviate risk are good security maintenance and diligence with regard to analysis of new and better security technologies.

External Attacks

External attacks are those that originate either from the Internet or from systems beyond the access device and target internal or external systems. External attacks are the most publicized and the most well-known form of attack. Stories of Web page defacements, viruses, Trojan programs, and denial of service by malicious system crackers and cyber-terrorists are common. Although invasive, reconnaissance probes and scans are not attacks. They are often precursors to an attack, however, because they provide vulnerability information to the attacker. The network components and their organization can minimize the risk associated with these attacks. External attacks occur against accessible services, systems, and networks; protection against external attacks includes the use of firewalls, network monitoring devices, distribution of services across multiple networks, and the establishment of bandwidth restrictions by protocol and service.

To protect against external attacks, it is useful to run services such as domain name servers, Web servers, and mail servers on separate systems and to restrict network access to them with a firewall. It is also beneficial to isolate these systems so they are unable to access any other system.

These methods protect the systems from compromise by establishing only one point of access to each system. Multiple services on a single system might present higher risk for denial of service and system compromise because there are several points to attack and the compromise of one service can provide access to the data for all other services on that system. The example of a single system that acts as a mail, Web, and domain name server establishes three targets for attack. Denial of service against any of these targets results in a loss of service to all of them, and compromise of any one service provides the attacker with access to the data of the remaining two.

Internal Attacks

As the name implies, internal attacks originate from inside the organization. Despite the media attention given to external attacks, internal attacks are more widespread and frequent than those committed by outsiders. Disgruntled employees, curious users, or accidental misuse all contribute to the frequency of internal attacks. Defense against these attacks is more complex because designers attempt to provide high security without restricting the needed functionality of the network. Users should only be given enough access and privileges to accomplish their work and to protect against internal threats. Examining network data paths and splitting services across multiple networks and systems help provide higher security and minimize the effects of attack.

Users should not, for example, be given full network access to all systems, servers, and network equipment. Most organizations do not want all users to have access to financial systems, or for all users to have access to sensitive project materials. The use of multiple networks and servers to differentiate between groups and departments allows enforcement of these restrictions.

Physical Attacks

Physical access is the final threat category. The ability to walk up to a system or piece of network equipment is the most dangerous of the risks. Simple actions such as unplugging equipment, rearranging cables, or physically damaging components can render the network unusable for long periods of time and at a high expense for repair. The location and access to the equipment that provides network service should be organized and secured. Aside from physical damage to network equipment, another aspect of physical attacks is the ability for a user to see and analyze network traffic that travels over the same network wires of the user's desktop computer. If the network is not physically laid out safely, the user can use a packet sniffer to intercept and read the passwords and private information of other users. This can be prevented by physically isolating network traffic, based on the needs of a particular system.

Approach to Network Architecture

The approach to network architecture and its design is the philosophy and model used to outline the network requirements and components for an organization. Although there are several schools of thought on this subject, the approach used here reflects a compromise between the idealistic and the realistic implementations. The ideal implementation provides complete and guaranteed security. The realistic model recognizes the need for services that have a higher potential for vulnerabilities. These services provide important aspects of service to the organization and to its customers and partners. In an ideal networked world, there are no vulnerabilities, and no services that are risky are used, which provides complete security.

As you know, there is no such concept as guaranteed or total security. The reality of the environment presses the network designer toward a high degree of security across the infrastructure. The level of security required in an organization should also be determined based on its needs rather than on following a generic recipe. Despite the creation of a secure network architecture, security is still a continuous process that requires constant vigilance. Unfortunately, few organizations have dedicated teams to security development, implementation, and maintenance, though a greater focus and presence of security-specific staff is now developing. Due to the lack of dedicated personnel, organizations tend to focus security efforts on those areas deemed most vulnerable the "squeaky wheel" approach to security. This often precludes the maintenance and upkeep of security for the internal network and systems because they are considered protected by firewalls and other security mechanisms. Although lax internal security is not ideal, it emphasizes the need for a strong network architecture and infrastructure at its earliest stages of design. The higher the initial level of security, the easier it will be to develop and follow standards and procedures to maintain that level.

You can measure the security of a network architecture by its capability to manage risk and mitigate the effects of attack. The organization of functionality into levels of security relative to network access is a reasonable method to begin the design. When the threats to a network are understood, network designers should carefully consider the requirements, components, and features that are used in the network and their relationships with each other. The requirements establish the purpose for the network such as supporting the ability of its users to share data, communicate among each other, and interact with external sources. The components of a network include the actual hardware used to create the network and the organization and layout of the topology. The features are those capabilities and requirements outside of the initial needs that conform to a set of best practices and ancillary functionality. Finally, it is important to understand the relationships of all of these components because security is only as strong as the weakest link in the chain.

Security Zones

Several zones of security are common to networks, and the consideration designers give to them affects the network architecture used. These zones outline security in relation to network access and provide the initial sections of the network architecture. The security zones are organized into the external, the internal, and the intermediary tier.

The Great Beyond

The external network is, generally and in practice, the most open of the tiers and consists of everything from the access device outward to the Internet. The organization has little or no control over the information, systems, and equipment that exist in this domain. The security of the ISP and all of the external organizations to which it connects should not be assumed. It is useful to investigate the security practices and features that an ISP provides including the control and management of the access device and the filtering and network topology of the ISP. Many ISPs manage the access device and secure it to prevent access and tampering by anyone other than the ISP; others require the organization to manage it. Many ISPs perform some level of packet filtering and firewalling on their own to detect and block improper data and attacks before they have a chance to reach the ISPs'customers. The network topology of the ISP also plays a role in the security for an organization. The physical relation between the individual customers of an ISP and the data paths established should be identified. Ideally, the amount of data from different organizations that travels across the same network wires should be minimized. This limits the effects on multiple customer networks in the event that the ISP falls victim to attack. The use of a common gateway by the ISP leads to a potential performance bottleneck and security risk as a single point of failure. ISPs with diversified networks and multiple points of access can provide higher security and reliability against attacks.

These considerations are beneficial to the organization, but finding a provider that implements many security measures may be difficult and expensive. An important philosophy to keep in mind when creating a secure network architecture is to secure the elements controlled by the organization as strongly as possible. Many organizations rely on the security provided by the ISP or any intermediary networks and fail to implement any internal security measures. Therefore, the consideration of ISP security is important, but the emphasis should be placed on the creation of a secure network architecture for the organization. Solutions that mitigate weak ISP security include the creation of a Public Key Infrastructure and the use of encrypted network communications with applications such as Secure Shell (SSH), SSL-enabled Web servers, and Virtual Private Networks (VPNs).

Internal Networks

The second zone is the internal network, where the vital computing assets should be safely protected. This area often has the most restrictive security measures and is where the majority of users operate on a daily basis. The internal network is generally the least open and has multiple layers of protection for the servers, desktops, and other computer systems and equipment used in the organization. The use of firewalls, multiple networks, and constraints on network data paths provides a higher level of security. The discussion on internal networks continues in greater depth in the section "Protecting the Castle."

Intermediate Networks

The third zone is a compromise between the previous two zones and consists of the networks that provide services to both the internal and external networks. In general, it is considered very dangerous to make a single server or device exist simultaneously on an internal and an external network. A system configured in this manner is called a multihomed system and should be avoided. Secure network architectures begin to differentiate between those systems and services to which the Internet has access and those to which it does not.

Two intermediate networks are common in organizations. The first is a place for publicly accessible services such as the mail server, Web server, and Domain Name servers to internal users and those on the Internet. The second is a semiprivate network used by the organization, its business partners, and customers; this network requires specialized access only to those parties. This first area is often referred to as the "service network," or the De-Militarized Zone (DMZ), and is seen as a less protected area of the entire network infrastructure because it provides network services to the Internet.

A service network generally exists between the router to the ISP and the internal network. It can be created by adding another interface to the firewall, or by placing systems on the same network as the firewall. It is useful and more secure to create and protect the service network through another firewall interface in order to provide more restrictions of network access to the service network. Using this method, the organization can then restrict access to those services to authorized networks and systems, and prevent known hostile sites and competitors from accessing the Web site. The service network also benefits from a redundant or extra network link. With a single network connection to the ISP, a denial of service attack that utilizes all of the network bandwidth by attacking a system in the service network also denies service to the corporate network.

Although expensive and more complex, incorporating multiple network access points and connections to provide different network paths for a single or multiple service networks and the internal network helps provide a higher degree of security and reliability. Should an attacker attempt a denial of service attack, the access point under attack can be temporarily shut down, while the network remains operational through the secondary access point. People often con sider the service network as less secure and internal networks as more secure, but this is inaccurate. The internal network has a more restrictive protection method that severely limits access from the Internet. The service network has different requirements in that it needs to allow access from the Internet to certain services. Systems in the service network often have a higher degree of individual system security with a less restrictive protection method. More care is often given to systems on the service network due to their increased exposure. In order to prevent compromise, an organization should maintain and patch the server software and operating system, protect them with strong filtering and access control policies, and monitor network traffic. In the ideal world, the same security considerations are given to all machines, regardless of their locations, but in practice, most organizations become more lax with the security of internal systems because of the other, broader security protection methods defined by the network architecture. The firewall used to protect the internal network is seen as the foolproof defense mechanism. Equal focus should be placed on firewall policies such as access control and service restrictions, as well as system configuration and maintenance that keep the systems at their highest possible security levels.

The service network is a protective buffer zone for the company and is not the only intermediary network that may be needed by an organization. Many organizations partner with various other companies, provide support to customers, and share information between them. This function creates the need for an extranet in order to restrict access to sensitive information and resources from external users. The extranet is a semiprivate network that shares data between the organization and its partners and customers. The information accessible on this network is often a subset of the information available on the corporate intranet, and requires explicit security measures to secure it. An extranet can be created by dedicating a piece of the network to these semiprivate servers and protecting them with a firewall. The access granted by the firewall should reflect the organizations that need it. Restricting access only to the networks and systems of the partner organizations instead of the entire Internet increases the security of the extranet.


 

Section: Chapter 28.  Network Architecture Considerations

Protecting the Castle

In this section, the discussion focuses on the architecture of the internal network. The security considerations for network design are applicable to all areas of network architecture, however.

Isolation and Separation

The idea of isolation and separation might seem contradictory to the concept of a network, where all things are connected, but the secure network architecture considers the relationship of each component and function to determine whether it needs to interact with the others. Separation of networks is the use of multiple physical and virtual networks to establish boundaries between unrelated network functions where no intercommunication is needed. It can also come in the form of physically disconnected networks, or virtually separate, wherein the devices do not allow network data to pass between them.

There are two levels to consider when dealing with isolation and separation. The organization of the packet or the low-level network data that travels electronically across the wire is the first level, and the organization of the systems that comprise the network is the second.

The relationships between users, groups of users, departments, and multiple locations within an organization require the network designer to consider the use of distinct networks in their network architecture. Some users may require access to the Internet without any other internal access, whereas others may need access to vital corporate information. The security of the network infrastructure becomes weak if these requirements are not assessed and if no distinction is made.

An organization often has several different and unrelated functions. A security risk is presented if these different groups are provided access to the networks and systems of the other. Publicly accessible terminals, for example, should not be on the same network as file, authentication, and email servers for the organization because that allows unauthorized individuals to access these systems.

Network Data

Network architecture does not focus only on the orientation of computer systems and their locations relative to each other, but also on the organization of network data. Security and performance are enhanced if consideration is given to the paths taken by packets. The topics discussed here are:

        Networking concepts

        Segments

        Switches and hubs

        Routers

        Network numbers

        Physical considerations

Each of these topics has an important role in the security of a network architecture and should be examined prior to its design.

Networking Concepts

Before delving too far into the technical aspects of network data, it is important to further clarify the levels of networking that are discussed here. The term network refers to several facets of intercommunication between systems. The highest level of networking concerns the orientation of systems in relation to each other. The external and internal networks, service networks, extranets, and firewalls refer to the relationship of networked systems to each other.

Wading deeper into the technical details of networking, the next level is that of the protocol. Networks communicate via a number of different protocols. These protocols are independent of each other but often exist simultaneously. The most prominent of the protocols is the Internet Protocol (IP). Every system that interacts with the Internet uses IP. Each IP network is defined by a set of numbers that establish a range of values that can be assigned to systems. Routers are used to transfer information from one IP network to another. Although this discussion focuses on IP networks, other commonly recognized protocols include IPX/SPX, Systems Network Architecture (SNA), and AppleTalk.

An organization often has several different IP networks in use to isolate functional areas. The differentiation of IP networks has already been introduced with discussion of the service network and internal network. The internal network of an organization often consists of several networks including a corporate network for all of the users, management networks for network management of systems and devices, test networks to isolate laboratory systems, server networks, and even individual department networks. The need for all of these different functions requires consideration when designing the network. The decision to establish multiple networks in an organization is made by examining the function and organization of systems, the relationships they have with other systems in the organization, and determining which data sharing is acceptable.

The next area of networking discussed here is at the physical and electrical level. The wires and equipment used to create the network, their layout, and the factors used to determine the layout present a third area for consideration. The design of a secure network architecture examines all of these components and determines the requirements and appropriate methods for their implementation.

Segments

Think of a segment as a single piece of wire, onto which several computers can attach for network access. Each computer that attaches to a single segment can see all of the network traffic on that segment and shares the total bandwidth available for that segment. In the case of a 100Mb/s network with several computers attached via a hub, they all share the bandwidth available. In the event that one of the machines is performing a network-intensive task, the availability of bandwidth for the other systems is diminished. Should a malicious person attack one of the systems on this segment and utilize the entire network bandwidth, denial of service occurs for every system on that segment. If a single system is compromised by an attacker, it is possible for that individual to watch all of the network traffic that is on that segment, identify the other systems, and proceed to compromise them. This includes communication between individual machines on that segment and any communication between one of these machines and other segments, networks, or the Internet.

Network segmentation is an important consideration when determining the relation and prox imity of various systems. When designing a network architecture, it is important to understand the types of network data that will be traveling on the network. Web, file, and printer data are the commonly known information types that are first recognized. Information such as user credentials, including usernames, passwords, encryption keys, and other private or sensitive information, such as financial data and company private information, also passes along the network segment and poses even greater security threats. An attacker can view and steal sensitive information when care is not taken to define secure network segments. In the highest security environment, careful concern is given to the segmentation of systems. In the best-case scenario, user credentials and other sensitive information is not observable from any other system and the electrical path taken by the data forms a direct line to the destination system.

Switches and Hubs

Network segmentation is affected by the network equipment chosen to provide service. Ethernet switches and hubs are two of the most common pieces of network equipment used in an organization. Along with Ethernet, many organizations use Asynchronous Transfer Mode (ATM) or Token Ring for their network interface type. Switches and hubs allow multiple systems to be connected to the same network. The difference is in the electrical methods by which this sharing occurs. All of the systems connected to a hub share the same segment. When data arrives on one port, the hub multiplexes the data to all of the other ports on that hub. Network switches provide a higher level of security. Every port on a switch forms a separate segment from all other ports on that switch. When data arrives on one port, the switching technology determines to which port it needs to go, and switches it to that port instead of multiplexing it to all of its ports. The only time a switch will multiplex data occurs when it receives a broadcast packet.

Broadcasts are special transmissions that have no particular machine as a destination. All systems see broadcasts and respond depending on their relation to the message. Broadcast storms occur under circumstances where one system sends an incorrect packet that causes all other systems to respond simultaneously, causing every system to again respond to those incorrect packets. This creates an endless cycle of broadcasts that saturates the network and causes a loss of service to the broadcast domain. Broadcast domains describe a single LAN, or network, wherein broadcast traffic propagates, and the desire to keep network traffic from permeating certain areas of the network or reaching particular machines should be examined.

Collisions are related to broadcasts. Whereas broadcasts occur at the IP layer of networking, collisions occur at the Ethernet layer. Collisions occur when two systems transmit network data simultaneously. All network transmissions occur as a series of electrical signals over the network wire. When two systems transmit data simultaneously, these signals collide, and the resulting signal and packet are corrupt. Collision domains are those areas wherein collisions are propagated, similarly to IP broadcasts. Hubs propagate collisions, but switches do not. Collisions also affect the performance of a network, so the use of Ethernet switches provides higher reliability.

By connecting a single system to each port on a switch, no system on the switch can view network traffic from another, unless they are communicating directly with each other. Careful thought during network architecture design allows for the creation of a well-organized and secure network. Using a switched network, it is feasible to ensure that each system has a direct electrical path to servers and important systems, thereby protecting it from eavesdropping. The benefit of a switched Ethernet is also weakened when a hub is connected to a switch because it causes network traffic to be available to multiple systems. When attaching hubs to a switch in order to provide network access to more systems, the types of network traffic and the sensitivity of the information should be considered.

Routers

The use of routers at the network access point has been mentioned earlier in the discussion, but routers are not only useful at the edge of the network; they are used to create the separate networks and broadcast domains within an organization to form several internal networks isolated by function, data, or department. The equipment and management cost associated with routers versus network switches is higher, but in some cases a routed network makes more sense for the preferred architecture. Broadcast messages are transmitted across switches but not across routers. The use of routers is important to an organization for network isolation, as well as to add reliability. Routers allow the simultaneous use of multiple paths to a given destination and are capable of changing between them automatically in the event of failure. Routers often incorporate security measures akin to firewalls that allow restriction of network data types to and from its networks. Diversification, redundancy, and security of internal networks can be achieved at a higher degree with routers, at some expense to simplicity and ease of management and higher cost.

The configuration of the router is pivotal to the security of the network because an attacker can modify the path of network traffic via changes to the router. Detailed information on secure router configuration for Cisco routers (the most commonly used router products) can be found at "Improving Security on Cisco Routers," http://www.cisco.com/warp/public/707/21.html. You can also refer to Chapter 22.

Network Numbers

IP network numbers can be organized in many different ways, with various sizes. Consideration for the security of a network architecture when creating an IP network is useful to protect against rogue systems. A network is defined by a set of four numbers and an associated network mask. The network mask defines a network by carving out a range of numbers that are considered one network. All of the systems on a single network are configured with the same network mask, thereby ensuring that they can all communicate with each other. Subnetting is the method of dividing networks into small, arbitrarily sized chunks. In the early days of the Internet, networks were divided into several classes A, B, C, and the special D/E classes of networks. These classes can accommodate different numbers of hosts:

        Class A ~16 million hosts

        Class B ~65 thousand hosts

        Class C 254 hosts

Network classes D and E were specialized ranges of network addresses, reserved for multicast and experimental use. As the use of the Internet grew rapidly, these network ranges became impractical for organizations. Few organizations could utilize a complete class A network, but may have had slightly more than could be accommodated in a class B network; a similar effect occurs between class B and class C networks. The use of Variable Length Subnet Masking (VLSM) and Classless Inter-Domain Routing (CIDR) resolves the problem by allowing for the creation of small-sized networks and allowing for dynamic routing of data between them. This is now the standard method by which ranges of IP addresses are given to companies by their ISP and traffic routed to and from those networks.

These concepts are useful to an organization when creating a security-conscious network architecture. The temptation to implement large network classes is present because of their ease of use, but this is often not the best solution for security. The relationship between the network numbering and the organization of equipment needed to sustain it has an effect on the security of the network architecture. Large, flat networks where all machines in an organization are on one network create several security risks. The effects of denial of service attacks via network data storms are widespread, affecting all of the systems on the network. The network equipment required to maintain a flat network of this nature often results in many shared segments that can leave systems vulnerable to compromise. An attacker can easily add another machine to a flat network of this kind because the ability to monitor and maintain a large network becomes difficult and unwieldy. This system can then be used to attack other systems or steal information as it travels over the network. Establishing a smaller-sized network is useful when determining which systems should be members of a single broadcast domain. You should take care to ensure that the network is not defined so small as to limit its scalability. As noted, the definition of network ranges should consider the ability of users and intruders to incorporate foreign network equipment into the environment.

The introduction of foreign computers and network equipment into the environment can adversely affect the network. Common cases of this occur when users initialize new systems and mistakenly configure them with an IP address that is already in use, or incorrectly configure the network address for the system. Two systems attempting to utilize the same IP address will attempt to fight for that address; this causes network confusion in the network equipment and loss of service or unreliable service for those machines. This is especially dangerous if the system attempts to use the IP address of an important system, such as the gateway or server, because all systems on the network will then flood the badly configured system and will lose connectivity to the intended server or network. Attackers can use this tactic to assume the identity of a specific system such as an email server or authentication server. Spoofing these servers by assuming their addresses and identities causes other systems to unwittingly transmit information to the falsified computer. The attacker can then gather information that allows her to compromise other systems.

A badly configured network address also causes an inability to communicate with other systems on the network and results in abnormal network performance. Tightly controlled network addresses and subnet definitions help defend against these negative effects. The security of a network architecture is enhanced by defining and organizing networks based on relationship and function to each other. Desktop computers often exist on the same IP network, using different physical segments to communicate with servers and gateways. This minimizes the ability of an attacker to compromise the servers and limits the zone of vulnerability to desktop computers with limited privilege. Servers can be placed on different networks with higher bandwidth capacities in order to serve multiple clients without performance degradation. This is also useful to serve multiple networks that do not need to or should not communicate with each other, such as customer and internal networks. The separation by function also limits the effects of misuse and malfunction. The previous example of a user system misconfigured as the gateway would not affect the entire organization in a diversified network environment.

Other technologies that have increased the flexibility and security of internal networks are Network Address Translation (NAT) and proxy servers. This functionality allows greater control and restriction of network traffic and the protection of internal systems. With NAT, the network addresses of the internal network to remain hidden while still providing access to external resources. The router or firewall that performs NAT translates all of the network traffic that passes outward so it appears to originate from that firewall or router. This is a useful capability because it obscures the layout of the internal network, as the external systems see network data arriving from the firewall only. Attacks directed toward internal servers are then made more difficult because NAT also protects the internal network. Unless configured explicitly to redirect incoming network data to a system on the internal network, a NAT device will only allow the return traffic for an internal system to pass. NAT also has the added benefit of allowing for the creation of new networks without acquiring new IP address ranges from the ISP.

A common example of Network Address Translation use for security occurs when an internal network is configured with a "reserved" set of IP addresses. The so-called RFC Networks are specified as private and internal networks that can be used by any organization simultaneously because they are not routed. See RFC #1597, "Address Allocation for Private Internets," http://www.ietf.org/rfc/rfc1597.txt?number=1597 for more information.

In this case, the internal network is a private network, and NAT is used to make all traffic appear to come from the NAT device the firewall or router. The attacker can only scan and probe the NAT device, and has little or no information about the topology of the internal network and its systems. Consequently, the attacker cannot target specific systems, making compromise more difficult. The potential for denial of service does exist, though, because an attacker can target the NAT device if it is the single ingress and egress point for the network.

Proxy servers provide a similar functionality to NAT, but without any packet data modification. They obscure the internal network and system topology and allow restrictive filtering rules to be applied. A proxy establishes a single system, or set of systems, that acts as the point of contact for a particular service. For example, a Web proxy server is the contact point for all internal Web-surfing users. The users'Web browser software is configured to point at the proxy server. Instead of contacting the remote Web server for a particular site, the Web browser sends the request to the proxy server, which then retrieves the appropriate Web content and passes it back to the requesting browser. The use of proxy servers allows a more restricted and controlled set of filter rules to be established on the firewall because all Web traffic to and from the Internet focuses on a single machine, the proxy server, instead of many different user systems. It also affords internal systems some protection against malicious content because it can be filtered and analyzed by the proxy server before transmission to the requesting system.

Physical Considerations

The physical wiring used to create the network also requires consideration for security. As with most technology, there are several ways of obtaining a single result. Networking is no different, and the selection of cable types and implementation affects the security, reliability, and performance of a network. Twisted-pair telephone-style cable is the most commonly used in the networks of today. The use of twisted-pair cable forces a star topology for the network. A star has a center point with several tines protruding from it. Each individual cable forms a separate network segment that can be combined into a larger segment only via a hub. When connected to an Ethernet switch, the connection between the computer and the switch forms a single, private segment. Only one computer at a time is connected to the switch via twisted-pair cables. Other, older cable types are still in use today, including coaxial cable, often called thin-net. Coaxial cable allows for a less expensive network, but also a network with less bandwidth. This network cable is shared by several or many systems at one time and forms a single segment on which each computer can see the traffic of the others.

When evaluating the cable type used for an organization, most designers will standardize on twisted-pair cabling. It is important to understand the benefit to security that is gained from the physical wiring, and to know that its inherent security benefits can be nullified with a poor network architecture. The privacy provided by a single segment can be done away with by the use of hubs that multiplex network traffic. In turn, the use of Ethernet switches does not guarantee privacy of the data if their use is not consistent and well-organized throughout the organization.

Along with the cable type, the location and organization of equipment also plays an important role in the security of a network architecture. As outlined in the discussion of threats to a net work, physical disruption produces more difficult, expensive, and widespread effects on network service. Organizations need to consider the placement of vital network equipment and systems, including routers, access devices, firewalls, and servers. These important components should be physically secured from access by unauthorized individuals. Networking closets are often used for cable termination points and are also securely locked. A malicious user or unauthorized intruder should be prevented from modifying the network topology and adding a system to the network for the purposes of eavesdropping. Organizations that have large networks and multiple locations also build distributed redundancy into their network architecture. The ability to secure the network and systems is the basic need for a secure network architecture. The flexibility and resilience of a network in the face of incidents provides the high level of security that separates adequate functionality from the robustness of a strong network.

Network Separation

Separation of networks often comes in the form of specialized network functionality such as network management, monitoring, and remote access. Access to these functions may merit separation from the remainder of the network infrastructure. Different broadcast domains and network numbers communicate among each other via routers and by adding extra network interfaces to servers and network equipment.

Network Management

Network management refers to the control, configuration and maintenance of the network hardware used throughout an organization. Many of these devices provide network, terminal, and Web browser-based access to administer and configure them. It is advisable to disallow the ability to manage these devices from the Internet and other in-band networks. In-band network management occurs when the administrators connect to the device over one of the networks that the device services. In-band management of a router, for example, occurs when the administrator connects to it from the Internet over the external interface or from the internal network over the internal interface. Remote management of a router that ties the Internet to a service network or internal network should not be allowed from the Internet. Although outsiders cannot access the router directly from the Internet, they can access it from an Internet-accessible system in the service network. Compromise of a service network-based system provides the attacker with access to the network equipment. If possible, it is best to establish a management network on a third network interface and to restrict management access to the router from only that special network.

A management network is often a separate physical connection to the devices and on which there are only a handful of dedicated management stations. No other network should have connectivity to the management network, unless controlled through a single, high-security system; access otherwise occurs by physical presence at one of the management stations. The use of a management network severely limits the ability of an attacker to access important systems and equipment, which decreases the risk of compromise.

Monitoring

Network monitoring is a useful function that aids in the security of a network by debugging problems and maintaining performance. The separation of network data may hinder the ability to monitor sections of the network. Therefore, it is important to consider what monitoring should be used and where and to incorporate the required changes or equipment into the network architecture.

Several methods of network monitoring should be considered, as well as their placement in the design of the network. Intrusion detection is a relatively new innovation that is proving useful in the network. These intrusion detection systems (IDS) are placed throughout the network and actively monitor for known signs of attack. The placement of an IDS is often useful at network access points, including the service network, near the inside and outside of firewalls, remote access devices including VPNs and dial-in servers, and near key systems. Firewalls also act as a form of monitoring for a network. Their role is more active in that they manipulate network traffic by allowing or disallowing information to pass through. The effects of many attacks can be limited by regular and frequent analysis of these monitoring methods, including log analysis and configuration of the equipment to notify administrators in the event of an attack condition.

Other considerations for monitoring include the ability for administrators to monitor network traffic and analyze it for insecurities as part of the regular maintenance. The network and its implementation affect the ability to monitor traffic in this way. Network equipment often supports monitoring with SNMP and RMON, two standardized protocols used for this purpose. A final method of network monitoring is via complex network management software suites. These packages use a number of different protocols and methods to acquire and analyze information and provide fast alert and responses to anomalous conditions. These tools often utilize special agents that run in conjunction with the systems and equipment being monitored; these packages are not affected by the physical orientation of the network, however.

Remote Access

If remote access methods are needed in the organization, the methods to provide it should be considered during the creation of the network architecture. Two methods are commonly used: VPN solutions and dial-in modem access. VPN solutions come in two forms the hardware device and software application. The hardware VPN device provides several benefits; it is a specialized device that often provides a high level of performance and incorporates its own security methods. The software VPN solution runs as an application or service on existing server systems and often relies on the security mechanisms of its respective operating system.

The effects on the network architecture required to support a VPN are similar for each solution. VPN devices can be more easily integrated in a secure manner into the network environment because the access to and control of the device are more easily dictated. The software service requires more attention. To achieve the highest security, the VPN software should run on a dedicated server and be treated as a device with no other services present. The operating system should be configured in a secure manner and no other internally used services should be run on the system in order to prevent access to the internal network. Software VPN solutions are affected by the vulnerabilities of the operating system as well as any insecurities in the software.

Dial-in support via modems and access servers provides a direct connection to the internal network. The considerations for dial-in methods include the use of a management network to control the device to protect it from unauthorized configuration changes. The dial-in server often relies on other servers on the network to provide authentication of its users. The network path used for authentication should also be private. Finally, dial-in servers should disallow remote networks to route traffic across their dial-in lines. Attackers will often use "war-dialing" software to scan phone numbers for dial-in servers. While the scanning cannot be prevented, the proper organization and configuration of dial-in equipment will limit the risk of compromise.

There are several considerations given to the placement of VPN and dial-in systems in order to protect the internal network. When defining the network architecture, the designers should identify the functionality supported and provided by the remote access. VPNs can provide transparent access to all of the resources of a network, allowing the remote system to appear and function as it would if it were physically located at the organization. Dial-in access, unless combined with a VPN solution, is often used to provide more limited services such as email and Web access. Despite the differences in methods, both supply the same basic functionality access from remote, distrusted networks and locations. Therefore, it is advisable to place remote access servers on a separate network and to control access to the facilities which it uses. The previously mentioned management network should also be used to control and configure these systems.

The placement of remote access equipment follows the same logic used for other network equipment: the limitation of the effects should an attack occur. Attackers will attempt to find the targets that provide them with the most access to other systems and equipment. Remote access devices are easily identifiable targets and should be protected adequately.

Network Isolation

Network isolation is a slightly different concept than separation. Isolation of networks affects the flow of network data, which services run on particular systems, and where they are located. It does not affect any of the internal or external network data from traveling across those same paths. Isolation is often used to enhance the security and efficiency of the network by isolating certain network traffic to certain physical wires and networks. Network isolation is achieved with the use of multiple physical and virtual networks within a single organization to separate functionality. Network designers can enhance security by organizing the network into its functional areas and considering the impact that each of these functions has on security.

One example of network isolation is to design the network so that the credentials of remote access users do not travel across any network wires or circuits that are exposed to users or other systems. The simplest method to provide this security is to connect the remote access server directly to the authentication server with a single cable. Another method is to use a switched network topology, keeping the authentication server and remote access device on their own private segments. The data sent from one to the other will then travel between only the two systems and their segments, where no other system can view it.

Isolation is discussed in the following contexts:

        Service differentiation

        VLANS

        Firewalls

The first and most obvious concept is the isolation of external from internal network traffic. Service differentiation is the identification and categorization of network services. The network services provided by an organization can be categorized as external-only, internal-only, or bridge services. As the name implies, external- and internal-only services provide functionality to either the external or internal network, but not both. Bridge services provide functionality to both the internal network and the external network. External services should be isolated in a service network, or hosted by the ISP for the organization. Also, the management of these services should occur via the previously mentioned management network. Internal services should be protected from external Internet or service network access.

It is considered dangerous to attach systems and equipment directly to the Internet without some form of protection, so be sure to protect service networks with protection mechanisms such as a firewall.

The simplest network topology takes a router and connects one interface to the ISP and the other to a multiplexing device such as a hub. All of the internal systems are then connected to the hub. Without getting into the detail of network numbering, this is effective to provide Internet access to all of the internal systems in the organization, but it also allows all systems on the Internet to communicate directly with each system on the internal network. Each system is susceptible to attack, and the entire computing infrastructure could be compromised.

The requirement for Internet access should be categorized into outgoing and incoming access. Outgoing access refers to the most common concept of Internet access the ability to communicate with Web servers, send email, and download files. Most systems require outbound Internet access, but typically need securing from arbitrary inbound Internet traffic. All network communication and protocol detail aside, the ability to perform these actions does not require internal systems to provide access to those on the Internet. When defining a network architecture, it is important to identify the services and systems that do require access initiated by Internet-based systems. The security considerations for the network architecture now take a basic shape as three organizational classes of network the external, the intermediary, and the internal network.

Services Differentiation

The computing services provided by an organization form the basis of the network. Aside from the configuration and security methods used to protect the individual servers and operating systems, isolation of the network services is an important security tactic because it protects from attack and restricts the effects of an attack. The services are those features that the users require and are provided by computers and network equipment. Common services include:

        Domain Name System (DNS)

        Email

        Web serving

        File sharing

        Printing

        Network login

DNS

The Domain Name System servers in an organization often serve the internal users as well as the external Internet. The application that provides DNS services has a history of vulnerabilities (as you learned in Chapter 20, "UNIX" ) that have allowed attackers to compromise the system on which it runs and to corrupt its records. Given this history, careful attention to security is required. If the organization maintains their own DNS server, it is often best suited for the service network in order to protect the internal network from adverse effects of attack. As part of the network architecture, security is also bolstered by redundancy. The use of multiple DNS servers provides a level of reliability in the event of failure or attack on one, and the placement of these merits consideration in the network architecture. Multiple DNS servers should not be placed on the same network; the purpose of redundancy is to provide a high level of reliability in the event of the failure of one network. If both DNS servers are located on the same network or on a single service network, they can both be taken out of service by a single attack. The ideal solution is to locate redundant DNS servers on separate networks that have differing paths to them. This prevents attackers from disabling all domain name services without a complex attack method. DNS servers should be protected by a firewall, and primary servers should be configured with access control restrictions that disallow arbitrary queries and DNS zone transfers to unknown servers.

The separation of DNS usage also requires consideration. Many organizations use a single DNS server, with or without redundancy, to answer both internal and external queries. This means that the Internet-based systems have access to the name server, as well as the internal systems. This bridging of the internal and external networks may present a high security risk if the name server is compromised. Another security risk when using a common name server is the revelation of information. The common DNS server stores all of the name and network information for both internally and externally accessible systems. An attacker can glean this information from the server, arrive at a reasonable idea of the internal network architecture, and identify potential target systems.

One solution to these problems is a split-DNS topology, which creates two distinct name servers one for systems on the internal network and one for those on the Internet to use. The records in each are then updated independently, and external systems have no access to information about internally networked systems. The attacker no longer has a potential bridge between the internal and external networks, and the effects of the attack are limited.

For further information about securing specific DNS servers, see Securing Domain Name Service at http://www.securityportal.com/cover/coverstory19990621.html.

Email

Email is one of the most important network services to an organization, and the establishment of email services in the network architecture requires careful planning. It is inadvisable to support email with a single mail server. Mail servers often store the contents of users'mailboxes, including company private and confidential information. A single point of failure is present when using only one server. It is equally dangerous to provide access to the primary mail server from the Internet because an attacker may expose or have access to its private information. One solution is to establish mail relays at different locations on the network and then allow access to the primary mail server only from those relay systems. The mail relays are often located on the service network and further away at the ISP to provide several levels of redundancy in the event of attack or connectivity issues with the organization.

If an attacker can succeed in compromising the primary mail server, the attacker can then access many other sensitive resources of the organization. The use of a mail relay defends the primary mail server and limits the effects of the attack. The mail relay can and should be protected with strong filtering rules on the firewall, and the primary mail server should also be strictly access-controlled to allow inbound mail only from the relay servers.

Specific information regarding the configuration and security of email server software can be found at http://www.securityportal.com/lasg/servers/email/. See also Securing corporate email at http://www.zdnet.co.uk/itweek/brief/1999/41/network/.

Web Serving

Many companies have a corporate Web site that provides the virtual storefront to the Internet and an intranet, or internally located Web site that contains private company information. The corporate and internal Web sites should be hosted on separate machines in order to isolate the information accessible by Internet users from employees. The network location of corporate Web sites should be determined based on how much traffic the site sees. An extremely popular Web site located on the service network with other network services such as mail relays and DNS servers may put those servers at risk in the event of a denial of service attack. The entire bandwidth can be consumed, rendering the other services unusable. The careful placement of redundant and distributed Web servers helps minimize the risks associated with this service. Web sites can be located on remote servers hosted by the ISP, or Web traffic can be load- balanced among several servers placed in close proximity to each other or even in remote areas.

Further useful information to secure your Web server can be found in Securing Public Web Servers at http://www.cert.org/security-improvement/modules/m11.html.

File and Printer Sharing

File sharing is a staple of network life that is utilized at a majority of organizations. It is also one of the more common insecurities found on a network. The network architecture that supports security and services that hold potential risks does so by carefully controlling the network access to the file servers. When sharing filesystems among multiple systems on the internal networks, access should not be available to the extranets, service network, or Internet. File sharing should never be allowed from unknown or external systems.

A useful article on the topic of securing multiple network server types can be found in Securing Network Servers at http://www.cert.org/security-improvement/modules/m07.html.

Network Login

Network logins are the methods used by users to authenticate to a remote or local system. This includes interactive access to UNIX accounts, Windows Domain authentication, authentication to Web sites, and any other service that requires user credentials for access. There are many methods for network login, many of which are very insecure. The insecurities of network logins come from the use of cleartext authentication methods wherein the user credentials are transmitted over the network without any encryption or other data obfuscation.

Security considerations for a network design include the isolation of traffic that carries credentials to minimize the opportunity for eavesdropping and the use of VPN systems to provide encrypted communication that protects the credentials during transit. Other protection mechanisms include firewall rules to disallow the protocols that are known to function insecurely from passing the boundary of the internal networks.

Telnet, remote shells, and FTP are commonly used services whose traffic should not be allowed outside of the internal network, if used at all. These services transmit user credentials without any form of encryption, allowing an attacker to eavesdrop and intercept the information.

VLANS

The use of Virtual Local Area Networks (VLANs) is a relatively new approach to network topology that arose with the development of new network equipment. VLANs provide an alternative to the normal routed and switched network topology by simplifying diverse networks through more intelligent hardware. The VLAN allows groups of systems on different physical networks and segments to communicate seamlessly without the need for a router. One of the drawbacks of routed and switched networks is that the physical location of systems often dictates their presence on a particular network. For example, putting two systems that are physically in the same room onto two different networks requires that the network cables terminate at two different places, one at each network access point. If the network equipment is not physically located in the same area, this becomes quite unmanageable. VLANs allow for this capability and do so transparently.

The use of VLAN technology also has security considerations that may encourage their use. The nature of virtual and dynamically specified networks allows for fine-grained tuning of network traffic. The ability to shape the flow of network traffic is the ability to control it, which provides very flexible security capabilities that make it more difficult for network eavesdropping and provide for more easily thwarted denial of service attempts. It is important to note that part of the benefit of VLAN technology comes from its manageability. Administrators can more easily monitor network information, gather statistical information, and notice and resolve anomalous conditions.

Firewalls

The use of firewalls in a network architecture is generally seen as a requirement for any organization that has Internet access. As you learned in Chapter 10, firewalls are useful tools, and their use in the network architecture provides greater security. As mentioned earlier, firewalls are often used to protect internal networks from access by unauthorized Internet-based systems. They can also be used to protect service networks and extranets. The use of firewalls is not a guaranteed preventative method, however. When designing a network, it is important to determine the restrictions needed for the organization and where the firewall is most beneficial. Multiple firewalls are often utilized to protect network access points, and specialized networks throughout the infrastructure.

Firewalls come in several different forms including dedicated firewall appliances, software-based firewall suites, and as built-in functionality of network equipment. When considering security for a network architecture, it is often useful to utilize more than one of these methods. Routers are useful for the application of generic filtering rules such as disallowing access to particular port numbers or services. Hardware and software firewalls can then work in conjunction with the routers to perform more fine-grained filtering based on more granular details such as protocol flags and options.


 

Section: Chapter 28.  Network Architecture Considerations

Summary

The key to establishing a strong and secure network architecture is to identify the features and functionality needed by the organization, to understand the relative security risks, and to make decisions about their implementation based on this knowledge. When designing the network, identify the parties who use it, their purposes for using it, and their requirements for effective work and functionality. Create a balance between security and functionality in order to arrive at a network architecture that is both secure and usable. When these aspects of network design are considered, along with the technical details presented here, a network architecture that is secure, strong, and flexible is more easily created.


 



Enterprises - Maximum Security
We Only Played Home Games: Wacky, Raunchy, Humorous Stories of Sports and Other Events in Michigans
ISBN: 0000053155
EAN: 2147483647
Year: 2001
Pages: 38

flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net