The security topology of your network defines the network design and implementation from a security perspective. Where a network topology describes how systems are physically and logically connected, a security topology is concerned with access methods, the trust placed in each part of the network, and the technologies used to enforce that trust. Security topology covers four primary areas of concern: design goals, security zones, the technologies used to build those zones, and business requirements. Each is introduced in the sections that follow.
The design goals of a security topology must address confidentiality, integrity, availability, and accountability. Addressing these four issues at the start of your network design helps ensure tighter security. You will often see confidentiality, integrity, and availability referred to as the CIA of network security. The accountability component is equally important: design goals must also identify who is responsible for which aspects of computer security.
The next few sections introduce the four components that need to be addressed in the design goals to improve network and information security.
The goal of confidentiality is to prevent or minimize unauthorized access to, and disclosure of, data and information. In many instances, laws and regulations require specific information to be kept confidential. Social Security records, payroll and employee records, medical records, and corporate information are high-value assets. This information can create liability or embarrassment if it falls into the wrong hands. Over the last few years, there have been a number of cases in which bank account and credit card numbers were published on the Internet. The costs of these breaches of confidentiality far exceed the direct losses from the misuse of the information.
If confidentiality issues are addressed early in the design phase, the steps that must be taken to minimize this exposure will become clear.
The goal of integrity is to make sure that the data being worked with is actually the correct data. Information integrity is critical to a secure topology. Organizations work with and make decisions using the data they have available. If this information is not accurate or is tampered with by an unauthorized person, the consequences can be devastating.
Take the case of a school district that lost all of the payroll and employment records for the employees in the district. When the problem was discovered, the school district had no choice but to send out applications and forms to all of the employees asking them how long they had worked in the school district and how much they made.
How does an organization know that the information they are using to make decisions is accurate and hasn't been tampered with or altered? In some cases, it would almost be better to have the information destroyed than to have it be inaccurate. People assume that the information they are using is accurate. What if it has been tampered with?
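One practical answer to that question is to seal each record with a keyed digest when it is written and to re-check the seal before the record is trusted. The following is an added example, not part of the original text: the payroll records, the key, and the function names are constructed for illustration. A plain hash would not be enough, because whoever can alter the record could also recompute the hash; an HMAC ties the check to a key that the people who can edit the data should not hold.

```python
import hashlib
import hmac
import json
from typing import Dict, List

# Constructed sample data: the kind of employment records described above.
# In practice the key comes from a secrets store and is never checked in;
# it is hard-coded here only so the example runs stand-alone.
INTEGRITY_KEY = b"example-key-not-for-production-use"

PAYROLL: List[Dict] = [
    {"employee_id": 1001, "name": "A. Example", "hired": "2015-03-02", "salary": 52000},
    {"employee_id": 1002, "name": "B. Example", "hired": "2018-11-17", "salary": 61000},
    {"employee_id": 1003, "name": "C. Example", "hired": "2021-06-30", "salary": 47500},
]


def canonical(record: Dict) -> bytes:
    """Serialize a record deterministically (sorted keys, no optional whitespace)
    so that the same data always produces the same bytes to authenticate."""
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode("utf-8")


def seal(record: Dict, key: bytes = INTEGRITY_KEY) -> str:
    """Return an HMAC-SHA256 tag for the record. Someone who can edit the
    record but does not hold the key cannot recompute a matching tag, so
    silent alteration becomes detectable."""
    return hmac.new(key, canonical(record), hashlib.sha256).hexdigest()


def verify(record: Dict, tag: str, key: bytes = INTEGRITY_KEY) -> bool:
    """True only if the record still matches the tag stored for it.
    compare_digest avoids leaking where the first mismatching byte is."""
    return hmac.compare_digest(seal(record, key), tag)


def audit(records: List[Dict], tags: List[str], key: bytes = INTEGRITY_KEY) -> List[int]:
    """Return the employee_ids of records whose tags no longer verify, i.e.
    the records that must not be trusted until they are reconciled."""
    return [r["employee_id"] for r, t in zip(records, tags) if not verify(r, t, key)]


if __name__ == "__main__":
    tags = [seal(r) for r in PAYROLL]            # computed when the records are written
    print("clean copy, altered ids:", audit(PAYROLL, tags))      # []
    tampered = [dict(r) for r in PAYROLL]
    tampered[1]["salary"] = 161000               # unauthorized change to one field
    print("tampered copy, altered ids:", audit(tampered, tags))  # [1002]
```

The tags must be stored somewhere the people who can edit the records cannot also edit, and the key must be held by the owner of the data rather than by every application that reads it; otherwise an insider who alters a salary can simply re-seal the altered record.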
The goal of availability is to ensure that data, and the systems that serve it, can be reached when they are needed, and to prevent the loss of that data. Data that can't be accessed is of little value. If a mishap or attack brings down a key server or database, the information on it will not be available to the people who need it, which can cause havoc in an organization. Your job is to provide maximum availability to your users while ensuring integrity and confidentiality.
The hardest part of this process is determining what balance of these three aspects must be maintained to provide acceptable security for the information and resources of the organization.
The final and often overlooked goal of design concerns accountability. Many of the resources used by an organization are shared between various departments and individuals. If an error or incident occurs, who is responsible for fixing it? Who determines whether or not the information is correct?
It is a good idea to be clear about who owns the data and who is responsible for making sure that it is accurate. You also want to be able to track and monitor data changes so that loss or damage can be detected and the data repaired. Most systems will track and store logs of system activity and data manipulation, and they will also provide reports on problems.
The term security zone describes design methods that isolate systems from other systems or networks. When discussing security zones in a network, it is helpful to think about them as rooms. You may have some rooms in your house or office that anyone can enter. You will have other rooms where access is limited to specific individuals for specific purposes. Establishing security zones is a similar process in a network. Security zones allow you to isolate systems from unauthorized users. The following sections present the key aspects of creating and designing security zones.
Overview of Networks
Over time, networks become complex beasts. They may even appear to have lives of their own. It is common for a network to have connections between departments, companies, and countries, as well as public access, over private communications paths and through the Internet. Not everyone in a network needs access to all of the assets in the network. You can isolate networks from each other using hardware and software. A router is a good example of a hardware solution. You can configure some machines on the network to be in one address range and others to be in a different address range. This separation makes the two networks invisible to each other unless a router connects them, and the router (or a firewall at the same point) is where you decide which traffic may cross between them. Some newer data switches will also allow you to partition a network into smaller networks or private zones. The four most common security zones you will encounter are the Internet, Intranets, Extranets, and Demilitarized Zones (DMZs).
The next few sections describe each of these zones and the topologies used to create them. The Internet has become a boon to individuals and to businesses, but it creates a challenge for security. By implementing Intranets, Extranets, and DMZs, you can create a reasonably secure environment for your organization.
The Internet is a global network that connects computers and networks together. It can be used by anybody who has access to an Internet portal or an Internet Service Provider. You should assume that the Internet is an environment with a low level of trust: the person visiting your website may have bad intentions. They may also be people who want to buy your product or hire your firm. Externally, you have no way of knowing until you monitor their actions. Figure 1.10 illustrates an Internet network and its connections.
Figure 1.10: A typical LAN connection to the Internet
Intranets are private networks implemented and maintained by an individual company or organization. Intranet access is limited to systems within the Intranet. Intranets use the same technologies used by the Internet. Intranets can be connected to the Internet but are not available for access to users that are not authorized to be part of the Intranet. Access to the Intranet is granted to trusted users inside the corporate network or to users in remote locations. Figure 1.11 displays an Intranet network.
Figure 1.11: An Intranet network
Extranets extend Intranets to include outside connections to partners. An Extranet allows you to connect to a partner either over a private network or over the Internet using a secure communications channel. Extranet connections are made between organizations that trust one another. An Extranet is illustrated in Figure 1.12. Note that this network provides a connection between the two organizations. This connection may be through the Internet; if so, the networks use a tunneling protocol to establish a secure connection. Even between trusted partners, the connection should expose only the systems the partnership requires, not the whole Intranet.
Figure 1.12: A typical Extranet between two organizations
A Demilitarized Zone (DMZ) is an area where you can place a public server for access by people you would not otherwise trust. By isolating a server in a DMZ, you can hide or remove access to other areas of your network. You can still access the server from your internal network, but outsiders are not able to reach other resources in your network. This is accomplished using firewalls to isolate the zones. The assumption you make when establishing a DMZ is that the person accessing the resource is not necessarily someone you would trust with other information. Apply the same assumption to the server itself: if the public server is compromised, the firewall rules governing traffic from the DMZ into the internal network are what keep the attacker from using it as a stepping stone, so those rules should permit only what the server genuinely needs. Figure 1.13 shows a server placed in a DMZ. Notice that the rest of the network is not visible to external users. This lowers the threat of intrusion into the internal network.
Figure 1.13: A typical DMZ
Designing Security Zones
Security zone design is an important aspect of computer security. You have many different approaches available to accomplish a good, solid design. Some of the design tradeoffs involve risk, and some involve money. You can create layers of security to protect systems from less secure connections, and you can use address translation to hide resources. New methods and tools for designing secure networks are introduced on a regular basis. What is important to remember is that a good security design is something you will want to revisit regularly, based on what you learn about your security risks.
One of the nice things about technology is that it is always changing. One of the bad things about technology is that it is always changing. Several relatively new technologies have become available to help you create a less vulnerable system. The three technologies this section will focus on are Virtual Local Area Networks (VLANs), Network Address Translation (NAT) and Tunneling. These technologies allow you to improve security in your network at very little additional cost.
A VLAN allows you to create groups of users and systems and segment them on the network. This segmentation lets you hide segments of the network from other segments and control access. VLANs can also be set up to control the paths that data takes to get from one point to another. You can think of a VLAN as a good way to contain network traffic to a certain area of a network. A VLAN separates traffic at the switch, though; for hosts on different VLANs to communicate at all, the traffic must be routed between them, and the access controls applied at that routing point, on a router or firewall, are what actually enforce the isolation. Figure 1.14 illustrates the creation of three VLANs in a single network.
Figure 1.14: A typical segmented VLAN
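To show what "segmenting at the switch" means on the wire, here is an added example (not from the original text) that builds and parses the standard 802.1Q VLAN tag and then applies a simplified switch's forwarding rule: a frame is sent only out ports that carry its VLAN. The port names, VLAN numbers, and the flooding-only switch model are constructed assumptions; real switches also learn MAC addresses and assign untagged trunk traffic to a native VLAN, which this model omits.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

DOT1Q_TPID = 0x8100  # EtherType value that announces an 802.1Q tag


@dataclass
class Frame:
    dst: bytes
    src: bytes
    vlan_id: Optional[int]  # None when the frame carries no tag
    ethertype: int
    payload: bytes


def build_frame(dst: bytes, src: bytes, ethertype: int, payload: bytes,
                vlan_id: Optional[int] = None, pcp: int = 0) -> bytes:
    """Serialize an Ethernet frame, inserting a 4-byte 802.1Q tag after the
    source MAC when a VLAN ID is given. The tag is the TPID (0x8100) followed
    by the TCI: 3-bit priority, 1-bit DEI (left clear here), 12-bit VLAN ID."""
    if vlan_id is None:
        return dst + src + struct.pack("!H", ethertype) + payload
    if not 1 <= vlan_id <= 4094:
        raise ValueError("VLAN ID must be in 1..4094")
    tci = (pcp << 13) | vlan_id
    return dst + src + struct.pack("!HHH", DOT1Q_TPID, tci, ethertype) + payload


def parse_frame(raw: bytes) -> Frame:
    """Parse the header and pull the VLAN ID out of the tag if one is present."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet frame")
    dst, src = raw[:6], raw[6:12]
    (ethertype,) = struct.unpack("!H", raw[12:14])
    if ethertype != DOT1Q_TPID:
        return Frame(dst, src, None, ethertype, raw[14:])
    if len(raw) < 18:
        raise ValueError("truncated 802.1Q frame")
    tci, inner_type = struct.unpack("!HH", raw[14:18])
    return Frame(dst, src, tci & 0x0FFF, inner_type, raw[18:])


# Constructed switch configuration: which VLAN(s) each port belongs to.
# A port with one VLAN is an access port (hosts send untagged frames);
# a port with several is a trunk (frames arrive tagged).
PORT_VLANS: Dict[str, Set[int]] = {
    "Gi0/1": {10},            # finance workstation
    "Gi0/2": {10},            # finance server
    "Gi0/3": {20},            # guest wireless
    "Gi0/24": {10, 20, 30},   # trunk toward the core
}


def egress_ports(ingress: str, raw: bytes) -> List[str]:
    """Decide where the switch floods a frame (no MAC learning in this model).
    A frame belongs to the VLAN in its tag, or to the access VLAN of the port
    it arrived on; it is only ever sent out ports that carry that VLAN, which
    is the whole mechanism by which VLANs keep segments invisible to each other.
    Simplification: an untagged frame arriving on a trunk is dropped here."""
    frame = parse_frame(raw)
    member = PORT_VLANS[ingress]
    if frame.vlan_id is None:
        if len(member) != 1:
            return []
        (vlan,) = member
    else:
        vlan = frame.vlan_id
        if vlan not in member:
            return []  # tagged for a VLAN this port does not carry: dropped
    return sorted(p for p, v in PORT_VLANS.items() if p != ingress and vlan in v)


if __name__ == "__main__":
    bcast, host = b"\xff" * 6, b"\x00\x11\x22\x33\x44\x55"
    untagged = build_frame(bcast, host, 0x0806, b"arp request (constructed)")
    tagged20 = build_frame(bcast, host, 0x0806, b"arp request (constructed)", vlan_id=20)
    print("finance host, untagged ->", egress_ports("Gi0/1", untagged))   # ['Gi0/2', 'Gi0/24']
    print("trunk, tagged VLAN 20  ->", egress_ports("Gi0/24", tagged20))  # ['Gi0/3']
    print("finance host, tagged 20->", egress_ports("Gi0/1", tagged20))   # []
```

The last case is the one to remember: a host on a finance access port that forges a tag for the guest VLAN gets nothing forwarded, because the port does not carry that VLAN. Whether a real switch honours that rule depends on its configuration, which is why trunk ports should never be left on access links.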
NAT creates a unique opportunity to assist in the security of a network. NAT was created to stretch the limited supply of public IP addresses: it allows an organization to present a single public address to the Internet for all of its internal connections. The NAT device rewrites the private source address of each outbound packet to its own public address, keeps a table recording which internal host and port each outbound connection belongs to, and uses that table to deliver the replies. (Handing out addresses to internal hosts is a separate job, normally done by DHCP, although the same router often does both.) A company that uses NAT presents a single connection to the outside network, through a router or a dedicated NAT server. The only information an outsider can get is that connections are coming from a single address.
NAT effectively hides your internal addressing from the world, which makes it much harder to determine what systems exist behind the router. Because an inbound packet that matches no entry in the translation table has nowhere to go, a NAT router also drops unsolicited inbound connections, and in that limited sense it behaves like a simple, inexpensive firewall for small networks. Do not confuse the two, though: NAT inspects nothing, a port forward exposes an internal host to everyone, and an internal host that opens a connection to an attacker is fully reachable by that attacker for as long as the connection lasts. Most new routers support NAT. Figure 1.15 shows a router providing NAT services to a network. The router presents a single address for all external connections on the Internet.
Figure 1.15: A typical Internet connection to a local network
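The following added example (not from the original text) models the translation table of a port-based NAT router to make the preceding point concrete: an outbound connection creates an entry, the matching reply is delivered to the internal host, an unsolicited probe is dropped only because no entry matches, and a single port forward removes even that protection. The addresses, port numbers, and the `Nat` class are constructed for illustration; real implementations also age entries out and differ in how strictly they match the remote endpoint.

```python
import itertools
from dataclasses import dataclass, replace
from typing import Dict, Optional, Tuple

PUBLIC_IP = "203.0.113.10"  # constructed; documentation address range


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    inbound: bool  # True when arriving from the Internet side


class Nat:
    """Port-based NAT (the form used by home and small-office routers).
    Outbound connections get a fresh public port; replies are matched to the
    exact (public port, remote address, remote port) they belong to."""

    def __init__(self, public_ip: str = PUBLIC_IP, first_port: int = 40000) -> None:
        self.public_ip = public_ip
        self._ports = itertools.count(first_port)
        # (private ip, private port, remote ip, remote port) -> public port
        self.outbound: Dict[Tuple[str, int, str, int], int] = {}
        # (public port, remote ip, remote port) -> (private ip, private port)
        self.inbound: Dict[Tuple[int, str, int], Tuple[str, int]] = {}
        # static port forwards: public port -> (private ip, private port)
        self.forwards: Dict[int, Tuple[str, int]] = {}

    def forward_port(self, public_port: int, private_ip: str, private_port: int) -> None:
        """Expose an internal service. Every host on the Internet can now reach it."""
        self.forwards[public_port] = (private_ip, private_port)

    def translate(self, pkt: Packet) -> Optional[Packet]:
        """Return the packet as it leaves the NAT device, or None if it is dropped."""
        if not pkt.inbound:
            key = (pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
            port = self.outbound.get(key)
            if port is None:
                port = next(self._ports)
                self.outbound[key] = port
                self.inbound[(port, pkt.dst_ip, pkt.dst_port)] = (pkt.src_ip, pkt.src_port)
            # The private source address never appears on the Internet.
            return replace(pkt, src_ip=self.public_ip, src_port=port)
        if pkt.dst_ip != self.public_ip:
            return None
        target = (self.inbound.get((pkt.dst_port, pkt.src_ip, pkt.src_port))
                  or self.forwards.get(pkt.dst_port))
        if target is None:
            # No translation entry: nowhere to send it. This, not inspection,
            # is the only reason unsolicited inbound traffic is dropped.
            return None
        return replace(pkt, dst_ip=target[0], dst_port=target[1])


if __name__ == "__main__":
    nat = Nat()
    out = nat.translate(Packet("192.168.1.20", 51000, "198.51.100.5", 443, False))
    print("seen by the web server:", out)            # source 203.0.113.10:40000
    print("reply delivered to:",
          nat.translate(Packet("198.51.100.5", 443, "203.0.113.10", 40000, True)))
    print("probe of the same port from elsewhere:",
          nat.translate(Packet("198.51.100.77", 4444, "203.0.113.10", 40000, True)))  # None
    nat.forward_port(22, "192.168.1.50", 22)
    print("after a port forward:",
          nat.translate(Packet("198.51.100.77", 4444, "203.0.113.10", 22, True)))
```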
Tunneling refers to the ability to create a virtual dedicated connection between two systems or networks. The tunnel is created between the two ends by encapsulating the data in a mutually agreed upon protocol for transmission. In most tunnels, the data passed through the tunnel appears at the other side as part of the local network. Encapsulation by itself provides no protection: whether the tunnel also authenticates and encrypts the traffic depends on the protocol used, since some tunneling protocols include these services and others carry the data in the clear and rely on a separate protocol for protection. Several popular standards have emerged for tunneling. These protocols are covered in greater depth in Chapter 3, "Infrastructure and Connectivity." Figure 1.16 shows a connection being made between two networks across the Internet. To each end of the network, this appears to be a single connection.
Figure 1.16: A typical tunnel
Your company has just signed an agreement with a large wholesaler to sell your products. This company has an extensive network that utilizes a great deal of technology. This technology will be a great benefit to you and improve your profitability. You must design a network security topology that will allow mutual access to some of each other's systems and information while protecting the confidentiality of your critical records and information. How might you accomplish this?
A good implementation would be to connect your network to theirs using a VPN across the Internet. You could use a secure tunneling protocol to ensure that unauthorized parties would not be able to sniff or access information streams between the companies. This would create an Extranet environment for you and your new business partner.
The challenge lies in creating secure areas in your network that the partner will not have access to. This can be accomplished by establishing VLANs in your internal network that are not reachable from the Extranet connection. The VLANs themselves are defined on your switches; the routers and firewalls between segments are what control which of those VLANs the partner's traffic is allowed to reach.
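What "not reachable from the Extranet" means in practice is a zone policy with default deny, and it is worth writing down and checking before the tunnel is turned up. The following added example (not part of the original text) serves both this scenario and the earlier DMZ discussion: it classifies addresses into zones and evaluates a first-match, default-deny policy, so you can confirm that the partner can reach only the shared system, that the Internet can reach only the DMZ, and that a compromised DMZ host cannot reach the finance VLAN. All address ranges, zone names, the "order system" on port 8443, and the rules are constructed assumptions.

```python
import ipaddress
from typing import List, Optional, Tuple

# Constructed addressing for the scenario. The partner's traffic arrives
# through the VPN tunnel from its own range; the finance VLAN holds the
# records the partner must never be able to reach.
ZONES = {
    "internal": [ipaddress.ip_network("10.10.0.0/16")],
    "finance":  [ipaddress.ip_network("10.20.0.0/24")],    # restricted internal VLAN
    "dmz":      [ipaddress.ip_network("172.16.1.0/24")],   # public web server
    "partner":  [ipaddress.ip_network("10.200.0.0/16")],   # extranet, via the tunnel
}
# Any address outside every listed range is treated as the Internet.

Rule = Tuple[str, str, str, Optional[int]]  # (src zone, dst zone, protocol, dst port; None = any)

# First match wins; anything not matched is denied. The hypothetical
# order system on port 8443 is the one internal service shared with the partner.
POLICY: List[Rule] = [
    ("internet", "dmz",      "tcp", 443),
    ("partner",  "dmz",      "tcp", 443),
    ("partner",  "internal", "tcp", 8443),
    ("internal", "dmz",      "tcp", None),
    ("internal", "internet", "tcp", 443),
    ("internal", "finance",  "tcp", 5432),
    ("finance",  "internal", "tcp", None),
]


def zone_of(ip: str) -> str:
    """Map an address to the first zone whose ranges contain it."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str, proto: str, dst_port: int) -> Tuple[str, Optional[Rule]]:
    """Classify both ends into zones and return ('allow', rule) or ('deny', None)."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    for rule in POLICY:
        r_src, r_dst, r_proto, r_port = rule
        if (r_src, r_dst, r_proto) == (src, dst, proto) and r_port in (None, dst_port):
            return "allow", rule
    return "deny", None


def reachable_from(zone: str) -> List[str]:
    """Zones a given zone may open connections to: the summary to show the
    business owner when asked what the partner can touch."""
    return sorted({r_dst for r_src, r_dst, _, _ in POLICY if r_src == zone})


if __name__ == "__main__":
    checks = [
        ("198.51.100.7", "172.16.1.10", "tcp", 443),   # Internet -> DMZ web server: allow
        ("198.51.100.7", "10.10.5.5",   "tcp", 443),   # Internet -> internal: deny
        ("172.16.1.10",  "10.20.0.8",   "tcp", 5432),  # compromised DMZ host -> finance: deny
        ("10.200.3.4",   "10.10.7.7",   "tcp", 8443),  # partner -> shared order system: allow
        ("10.200.3.4",   "10.20.0.8",   "tcp", 5432),  # partner -> finance records: deny
    ]
    for c in checks:
        print(c, "->", evaluate(*c)[0])
    print("partner can reach:", reachable_from("partner"))  # ['dmz', 'internal']
```

Note that there is deliberately no rule from the DMZ inward; the web server needs nothing from the internal network in this scenario, so the default deny covers it. If it did need, say, a database, the rule would name that one host and port, not the zone.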
An organization or business is well served if they make a conscious examination of the security situation they are in. This includes identifying assets, doing a comprehensive risk assessment, identifying threats, and evaluating vulnerabilities. These four components will help the business principals understand what they are up against and how to cost effectively address these issues. Figure 1.17 shows the relationship between the four business requirements.
Figure 1.17: The business requirements of a security environment
The following sections explain the various business requirements that need to be addressed when designing a security topology. The failure to consider any one of these aspects can cause the entire design to be flawed and ineffective.
Every business or organization has assets and resources that are valuable. These assets must be accounted for, both physically and functionally. Asset identification is the process in which a company attempts to place a value on the information and systems in place. In some cases, it may be as simple as counting systems and software licenses. These types of physical asset evaluations are part of the normal accounting process a business must perform routinely.
The more difficult part of an asset identification process is attempting to assign value to information. In some cases, you may find yourself only able to determine what would happen if the information were to become unavailable or lost. If absence of this information would effectively shut down the business, this information is priceless. If you have this type of information, determining which methods and approaches you should take to safeguard the information becomes easier.
You would not necessarily assign the same value to the formula for Coca-Cola that you would to your mother's chicken and rice recipe. The Coke formula would be worth a fortune to a person who stole it. They could sell it to competitors and retire; your mother's recipe would make a nice dinner, but would not be particularly valuable from a financial perspective.
There are several ways to perform a risk assessment or risk analysis. They range from highly scientific formula-based methods to a conversation with the owner. In general, you will want to attempt to identify the costs of replacing stolen data or systems, the costs of downtime, and virtually any other factor you can imagine.
Once you have determined the costs, you can then evaluate the likelihood that certain types of events will occur and what the most likely outcome is if they occur. If you work in New York City, what is the likelihood of damage to your business from an earthquake? Will your risk assessment place the low probability of an earthquake among your primary concerns? On the other hand, how could a reasonable person possibly have imagined or even planned for the September 11, 2001, attack on the World Trade Center? Many ISPs, data centers, and businesses have had to rethink their risk assessments because of that tragedy.
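The "formula-based" end of the range mentioned above usually reduces to three figures per risk: the asset's value, the fraction of it lost in one event, and how often such an event is expected per year. The following added example (not part of the original text) carries that arithmetic through for a few risks, ranks them by expected annual loss, and then asks the question the business principals actually care about: does a proposed control save more than it costs? The risks, dollar figures, rates, and controls are constructed solely to illustrate the calculation, and the earthquake figures are chosen to show why a low-probability event can fall to the bottom of the list.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Risk:
    name: str
    asset_value: float      # AV: replacement cost of the asset plus the cost of its downtime
    exposure_factor: float  # EF: fraction of that value lost in a single event (0.0 to 1.0)
    annual_rate: float      # ARO: how many such events to expect per year

    def single_loss(self) -> float:
        """SLE = AV x EF: what one occurrence costs."""
        return self.asset_value * self.exposure_factor

    def annual_loss(self) -> float:
        """ALE = SLE x ARO: what the risk costs per year on average."""
        return self.single_loss() * self.annual_rate


@dataclass
class Control:
    name: str
    annual_cost: float
    new_exposure_factor: Optional[float] = None  # EF after the control, if it limits damage
    new_annual_rate: Optional[float] = None      # ARO after the control, if it prevents events


def annual_loss_with(risk: Risk, control: Control) -> float:
    """ALE once the control is in place."""
    ef = risk.exposure_factor if control.new_exposure_factor is None else control.new_exposure_factor
    aro = risk.annual_rate if control.new_annual_rate is None else control.new_annual_rate
    return risk.asset_value * ef * aro


def control_value(risk: Risk, control: Control) -> float:
    """Net annual benefit: loss avoided minus what the control costs.
    A negative result means the control costs more than the risk it reduces."""
    return risk.annual_loss() - annual_loss_with(risk, control) - control.annual_cost


def ranked(risks: List[Risk]) -> List[str]:
    """Risk names ordered by annualized loss, highest first."""
    return [r.name for r in sorted(risks, key=Risk.annual_loss, reverse=True)]


# Constructed figures for a small New York office, chosen only to illustrate the arithmetic.
RISKS: List[Risk] = [
    Risk("malware brought in on removable media", asset_value=500_000, exposure_factor=0.3, annual_rate=2.0),
    Risk("insider payment fraud", asset_value=100_000, exposure_factor=1.0, annual_rate=0.5),
    Risk("earthquake damage to the office", asset_value=2_000_000, exposure_factor=0.5, annual_rate=0.001),
]
CONTROLS: Dict[str, Control] = {
    "malware brought in on removable media":
        Control("offline backups and endpoint scanning", 40_000, new_exposure_factor=0.05),
    "earthquake damage to the office":
        Control("seismic retrofit", 50_000, new_exposure_factor=0.1),
}


if __name__ == "__main__":
    for r in sorted(RISKS, key=Risk.annual_loss, reverse=True):
        print(f"{r.name:42s} ALE ${r.annual_loss():>12,.0f}")
    for r in RISKS:
        if r.name in CONTROLS:
            c = CONTROLS[r.name]
            print(f"{c.name:42s} net value ${control_value(r, c):>12,.0f}")
```

With these numbers the malware risk dominates (an ALE of $300,000) and the backup control is clearly worth its $40,000, while the earthquake, at an ALE of $1,000, cannot justify a $50,000 retrofit. The weakness of the method is that the rate and exposure figures are estimates; the text's point about September 11 is that an event with no history has no usable rate, so the calculation must be revisited whenever the threat picture changes.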
Implementing a security policy requires that you evaluate the risks of both internal and external threats to the data and network. It does very little good to implement a high-security environment to protect your company from the outside if the threat is mostly internal. If a member of your team brings in a disk containing a virus and loads it onto a computer, the virus may spread throughout the entire network, effectively immune to your external security measures. This is a very common problem in schools, libraries, and other environments where people regularly use shared resources. If a library offers computers for public use, and those computers are networked, a virus could infect all of the systems throughout the network. External security measures will not prevent that damage or data loss.
Internal threats also include employee fraud, abuse or alteration of data, and theft of property. These threats require that both policies and systems be put into place to detect and mitigate these possibilities. Investigating and making recommendations to management on procedural changes and policies are a key role for computer security professionals. Figure 1.18 depicts some examples of internal and external threats.
Figure 1.18: Internal and external threats in an organization
Most well-publicized internal threats involve financial abuses. Some of these abuses are outright fraud or theft. These types of threats, especially in a computer-intensive environment, can be very difficult to detect and investigate. They are typically ongoing and involve small transactions over long periods. A recent incident of fraud at a large software manufacturer involved an accounting professional who generated bogus checks in payment for work that never occurred. Over a few months, this employee was able to get over $100,000 in fraudulent payments made to companies that she or her relatives had created. It took a considerable amount of investigation by computer and financial auditors to determine how this occurred. From a computer security perspective, this was an internal threat that resulted from failures in financial, operational, and computer security controls. These types of incidents probably occur more frequently than anyone wants to admit.
Another incident involved an employee who was using corporate computer resources to operate a financial accounting service. This employee had been running this business for several years. When the company found out about this, they immediately fired the employee and confiscated his records.
During the investigation, the process used to collect evidence inadvertently tainted it. The chain of evidence (the documented chain of custody) in this case was broken. When the employee went to court over this situation, his attorney was able to have the evidence thrown out. Even though this employee was clearly guilty, the judge dismissed the case for lack of admissible evidence.
He then sued the company for wrongful discharge, harassment, and several other charges. He won those suits, and he got his old job back. In this instance, the internal policies and systems put into place to detect, investigate, and correct this problem broke down. It cost the company huge amounts of money and allowed a known embezzler back into the company. We will discuss chains of evidence, incident response, and the "proper" way to conduct investigations later in the book. For now, it is important to know that finding and dealing with internal threats is a key aspect of the computer security job.
Many of the internal threats that a company must deal with have procedures and methods that are standard across industries. External threats, on the other hand, are increasing at an alarming rate. A few years ago, most computer incidents were caused by groups of kids or "hobbyists" who were primarily in it for the fun. Most of the time these incidents were not malicious in nature, although a few of them did involve alteration or destruction of data and records.
Today, many companies use online databases, take orders, process payments, track shipments, manage inventory, and manage other key information using complicated systems. These systems are connected to other systems that contain private corporate records, trade secrets, strategic plans, and many other types of valuable information.
Unfortunately, when these systems are compromised, an entire business can be compromised. Incidents have occurred where security breaches remained open for years with no knowledge by the company that a compromise ever occurred. One of the greatest joys of a professional criminal is to create and exploit this type of security breach.
Early methods of cracking systems were primitive and labor intensive. Today, software packages exist that find targets automatically and then systematically attack the target to find its vulnerabilities. Many of these tools use graphical user interfaces that require little technical expertise by the would-be hacker. Many computer systems are being repeatedly and methodically attacked by the curious or by criminals attempting to commit a crime.
The job of a computer security professional in this situation is to detect the attack, find ways to counter it, and assist law-enforcement in investigating the activity. This type of work is very interesting and involves many of the skills that you will learn in this book.
Probably the biggest area of concern for a computer security specialist revolves around the security capabilities of the software and systems used in the business. Until recently, many operating system manufacturers only paid lip service to security. One very popular operating system used a logon and password scheme for security. When the logon prompt appeared, all you had to do was click Cancel and the system would provide most of the network capabilities and local access to all resources. If the screen saver was password protected, you either entered the password to unlock the system or rebooted it, after which the system was unsecured again. This was worse than having no security at all: many users thought it meant they had a secure computer system. They did not, and many thefts of data by coworkers occurred as a result.
The TCP/IP (Transmission Control Protocol/Internet Protocol) suite, used by most corporate networks, was designed to allow communications in a trusting environment. It was originally experimental, used by schools and government agencies for research. While it is very robust in its error handling, it is by its very nature unsecured. Many modern network attacks occur through the TCP/IP protocols. Chapter 2, "Know Your Enemy," discusses TCP/IP and the security issues associated with it. Even so, TCP/IP is more secure than many of the other protocols still installed on PC networks today.
Operating systems and applications programs have long been vulnerable to external and internal attacks. Software companies want to sell software that is easy to use, graphically driven, and easily configured. Users want the same thing. Unfortunately, this creates additional security problems in many networks.
One of the most popular products in use today allows e-mail and attachments to start executing programs or instructions embedded in a message. This allows e-mail messages to have fancy formatting, but it also allows e-mails to carry viruses that can damage networks or spread to other networks. The manufacturer of this software is now releasing security updates, but it seems that every time they introduce a security update, someone comes up with a new way around the updates.
Many operating system manufacturers are completely rethinking security measures. They have recognized that the products they produce cannot, on their own, protect the companies that use them from data loss or abuse. It has become such a major problem for customers that security support is now available from most operating system and network software manufacturers. In the past, software manufacturers hid security vulnerabilities; now they are published and fixes are provided as soon as a vulnerability is discovered. This of course also helps attackers, who know that the fixes will not be applied on many computer systems for a while; the interval between a published fix and its installation is exactly the window they work in, which is why applying updates promptly is part of the job.
In the most basic sense, progress is the computer security expert's worst nightmare. As a Security+ holder, you are part of the team that must evaluate threats to the systems currently installed.