Review of Security Design Criteria | Inside Network Perimeter Security (2nd Edition)

Before we start our discussion of the case studies, let's review what we have covered so far in the design section of this book. In Chapter 12, "Fundamentals of Secure Perimeter Design," we described the factors that must be considered when designing your network's perimeter. Put simply, this means you must incorporate the answers for each of the following three questions in every design you create:

What needs to be protected?
What are the threats?
What are the business requirements?

Before embarking on the design of the perimeter, you must establish what it is you are protecting. At one level, this will be the servers, workstations, databases, and other network devices located on the network. At a deeper level, though, it is the information contained on the network along with the services the network must offer. To begin your design, you must determine what will compose your network. If you are starting from scratch, this is relatively easy, but when adding security to an existing network, the discovery process can be difficult. This is especially true when the network is large and not well documented.

Where Does This Wire Go?

During an assignment to add a private WAN link between two government organizations, I discovered an unlabeled T1 line in one of the network closets that was connected directly to the first organization's backbone network. No one in the organization seemed to know what it was being used for. The management of this organization was concerned with security and had spent a small fortune on the installation of firewalls and other perimeter security devices, so I was a bit surprised they allowed this line to exist. When I asked the IT group why they allowed the connection, they told me it had been installed before any of them had joined the organization, and they were afraid that if they disconnected it, someone might complain. For the record, they did eventually unplug the line, and no one ever complained.

Next, you need to determine what threats you should be concerned about. All networks attached to the Internet need to worry about external attack. Whether the attack is from a script kiddy or malicious code, you can be guaranteed that if you're hooked up to the Internet, you are under attack. Some organizations, though, need to consider more directed attacks. If your organization is famous in any way (or has a name that is close to someone who is) or has information that would be useful to an attacker (such as credit card data), you will almost certainly come under attack from determined outsiders. These attackers will spend significant time analyzing the security of your network. Protecting against these attackers requires significantly more effort than preventing access by amateurs. Even more difficult to protect against is the determined insider. Preventing individuals who have been already granted some access to your network from gaining more can be extremely difficult and requires you to consider considerably more internal security controls than you would need to defend against purely external attacks.

Extortion Is a Common Motive for Attack

In the early days of the Internet, computer attackers were in it for the challenge, the glory, or just simply malicious intent. That is rapidly changing as criminal elements have started to learn how to make money off of the Internet. Consider the case of Authorize.Net, a large Internet-based credit card processing service. In the fall of 2004, it began receiving extortion requests. It did not pay the extortionists, so starting on September 15th, the extortionists began a crippling distributed denial of service (DDoS) attack. This attack prevented Authorize.Net from processing thousands of credit card transactions for its customers, causing an untold amount of financial loss. Given this type of result, it's no wonder that many victims decide to pay. However, extortionists rarely disappear once they've found a willing participant. It is much better to be fully prepared for these attacks, which is how Authorize.Net has responded. The company has redoubled its security efforts to create a network it feels is ironclad against future DDoS attacks.

When designing the security perimeter, you must also determine what the business requirements for the network are. As we have emphasized throughout the book, network security is a means to an end, not an end to itself. It is important that the business reasons and business constraints are taken into account as you design your security architecture. To begin with, you need to know what services need to be provided to your users and customers. You also need to determine how reliable and accessible these services need to be. A network that provides a basic website describing a company's services might not need to be as reliable and fast as a network that hosts an e-commerce site that processes all the sales requests for a large company.

You must also consider the amount of resources in terms of money and time that should reasonably be spent to secure the network. We would like every network we build to have every security control we can think of, but we must always be cognizant that the purpose of the network is to support the business. A network design that is unaffordable but securely designed will never be implemented.

As we go through the case studies that follow, try to keep in mind these three basic design criteria. To focus your attention, ask yourself the following questions as you review each design:

Does the design sufficiently protect the major resources of the network?
Does the design place the emphasis on protecting the right resources?
Does the design sufficiently account for the likely ways it might be attacked?
Does the design support the business goals, or are the security controls likely to impact business operations negatively?