Protecting the Castle
In this section, the discussion focuses on the architecture of the internal network. The security considerations for network design are applicable to all areas of network architecture, however.
Isolation and Separation
The idea of isolation and separation might seem contradictory to the concept of a network, where all things are connected, but the secure network architecture considers the relationship of each component and function to determine whether it needs to interact with the others. Separation of networks is the use of multiple physical and virtual networks to establish boundaries between unrelated network functions where no intercommunication is needed. It can also come in the form of physically disconnected networks, or virtually separate, wherein the devices do not allow network data to pass between them.
There are two levels to consider when dealing with isolation and separation. The organization of the packet or the low-level network data that travels electronically across the wire is the first level, and the organization of the systems that comprise the network is the second.
The relationships between users, groups of users, departments, and multiple locations within an organization require the network designer to consider the use of distinct networks in their network architecture. Some users may require access to the Internet without any other internal access, whereas others may need access to vital corporate information. The security of the network infrastructure becomes weak if these requirements are not assessed and if no distinction is made.
An organization often has several different and unrelated functions. A security risk is presented if these different groups are provided access to the networks and systems of the other. Publicly accessible terminals, for example, should not be on the same network as file, authentication, and email servers for the organization because that allows unauthorized individuals to access these systems.
Network architecture does not focus only on the orientation of computer systems and their locations relative to each other, but also on the organization of network data. Security and performance are enhanced if consideration is given to the paths taken by packets. The topics discussed here are:
Switches and hubs
Each of these topics has an important role in the security of a network architecture and should be examined prior to its design.
Before delving too far into the technical aspects of network data, it is important to further clarify the levels of networking that are discussed here. The term network refers to several facets of intercommunication between systems. The highest level of networking concerns the orientation of systems in relation to each other. The external and internal networks, service networks, extranets, and firewalls refer to the relationship of networked systems to each other.
Wading deeper into the technical details of networking, the next level is that of the protocol. Networks communicate via a number of different protocols. These protocols are independent of each other but often exist simultaneously. The most prominent of the protocols is the Internet Protocol (IP). Every system that interacts with the Internet uses IP. Each IP network is defined by a set of numbers that establish a range of values that can be assigned to systems. Routers are used to transfer information from one IP network to another. Although this discussion focuses on IP networks, other commonly recognized protocols include IPX/SPX, Systems Network Architecture (SNA), and AppleTalk.
An organization often has several different IP networks in use to isolate functional areas. The differentiation of IP networks has already been introduced with discussion of the service network and internal network. The internal network of an organization often consists of several networks including a corporate network for all of the users, management networks for network management of systems and devices, test networks to isolate laboratory systems, server networks, and even individual department networks. The need for all of these different functions requires consideration when designing the network. The decision to establish multiple networks in an organization is made by examining the function and organization of systems, the relationships they have with other systems in the organization, and determining which data sharing is acceptable.
The next area of networking discussed here is at the physical and electrical level. The wires and equipment used to create the network, their layout, and the factors used to determine the layout present a third area for consideration. The design of a secure network architecture examines all of these components and determines the requirements and appropriate methods for their implementation.
Think of a segment as a single piece of wire, onto which several computers can attach for network access. Each computer that attaches to a single segment can see all of the network traffic on that segment and shares the total bandwidth available for that segment. In the case of a 100Mb/s network with several computers attached via a hub, they all share the bandwidth available. In the event that one of the machines is performing a network-intensive task, the availability of bandwidth for the other systems is diminished. Should a malicious person attack one of the systems on this segment and utilize the entire network bandwidth, denial of service occurs for every system on that segment. If a single system is compromised by an attacker, it is possible for that individual to watch all of the network traffic that is on that segment, identify the other systems, and proceed to compromise them. This includes communication between individual machines on that segment and any communication between one of these machines and other segments, networks, or the Internet.
Network segmentation is an important consideration when determining the relation and proximity of various systems. When designing a network architecture, it is important to understand the types of network data that will be traveling on the network. Web, file, and printer data are the commonly known information types that are first recognized. Information such as user credentials, including usernames, passwords, encryption keys, and other private or sensitive information, such as financial data and company private information, also passes along the network segment and poses even greater security threats. An attacker can view and steal sensitive information when care is not taken to define secure network segments. In the highest security environment, careful concern is given to the segmentation of systems. In the best-case scenario, user credentials and other sensitive information are not observable from any other system, and the electrical path taken by the data forms a direct line to the destination system.
Switches and Hubs
Network segmentation is affected by the network equipment chosen to provide service. Ethernet switches and hubs are two of the most common pieces of network equipment used in an organization. Along with Ethernet, many organizations use Asynchronous Transfer Mode (ATM) or Token Ring for their network interface type. Switches and hubs allow multiple systems to be connected to the same network. The difference is in the electrical methods by which this sharing occurs. All of the systems connected to a hub share the same segment. When data arrives on one port, the hub multiplexes the data to all of the other ports on that hub. Network switches provide a higher level of security. Every port on a switch forms a separate segment from all other ports on that switch. When data arrives on one port, the switching technology determines to which port it needs to go, and switches it to that port instead of multiplexing it to all of its ports. The only time a switch will multiplex data occurs when it receives a broadcast packet.
Broadcasts are special transmissions that have no particular machine as a destination. All systems see broadcasts and respond depending on their relation to the message. Broadcast storms occur under circumstances where one system sends an incorrect packet that causes all other systems to respond simultaneously, causing every system to again respond to those incorrect packets. This creates an endless cycle of broadcasts that saturates the network and causes a loss of service to the broadcast domain. Broadcast domains describe a single LAN, or network, wherein broadcast traffic propagates, and the desire to keep network traffic from permeating certain areas of the network or reaching particular machines should be examined.
Collisions are related to broadcasts. Whereas broadcasts occur at the IP layer of networking, collisions occur at the Ethernet layer. Collisions occur when two systems transmit network data simultaneously. All network transmissions occur as a series of electrical signals over the network wire. When two systems transmit data simultaneously, these signals collide, and the resulting signal and packet are corrupt. Collision domains are those areas wherein collisions are propagated, similarly to IP broadcasts. Hubs propagate collisions, but switches do not. Collisions also affect the performance of a network, so the use of Ethernet switches provides higher reliability.
By connecting a single system to each port on a switch, no system on the switch can view network traffic from another, unless they are communicating directly with each other. Careful thought during network architecture design allows for the creation of a well-organized and secure network. Using a switched network, it is feasible to ensure that each system has a direct electrical path to servers and important systems, thereby protecting it from eavesdropping. The benefit of a switched Ethernet is also weakened when a hub is connected to a switch because it causes network traffic to be available to multiple systems. When attaching hubs to a switch in order to provide network access to more systems, the types of network traffic and the sensitivity of the information should be considered.
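To make the hub-versus-switch discussion concrete, the following added example (not from the book) simulates frame visibility on a hub, on a switch with one host per port, and on a hub hung off a single switch port; the host names, MAC addresses and cabling are constructed for the illustration.

```python
"""Which hosts can observe a frame on a hub, on a switch, and on a hub hanging
off one switch port. Constructed example: names, MACs and cabling are invented."""

BROADCAST = "ff:ff:ff:ff:ff:ff"
MACS = {"alice": "02:00:00:00:00:01",      # constructed sample hosts
        "bob":   "02:00:00:00:00:02",
        "carol": "02:00:00:00:00:03"}


class Host:
    def __init__(self, name, mac):
        self.name, self.mac, self.neighbors = name, mac, []

    def receive(self, frame, sender):
        # A NIC on a shared segment sees every frame on the wire, addressed to
        # it or not; that is exactly what makes eavesdropping possible.
        return {self.name}

    def send(self, dst_mac):
        return self.neighbors[0].receive({"src": self.mac, "dst": dst_mac}, self)


class Hub:
    """Repeats every frame to all ports except the one it arrived on."""

    def __init__(self):
        self.neighbors = []              # devices cabled to this one

    def receive(self, frame, sender):
        """Deliver a frame arriving from `sender`; return names of hosts that saw it."""
        seen = set()
        for dev in self.neighbors:
            if dev is not sender:
                seen |= dev.receive(frame, self)
        return seen


class Switch(Hub):
    """Learns which port each source MAC lives behind and forwards a unicast
    frame only there; broadcasts and unlearned destinations are flooded."""

    def __init__(self):
        super().__init__()
        self.mac_table = {}              # MAC -> neighbor it was last heard from

    def receive(self, frame, sender):
        self.mac_table[frame["src"]] = sender
        target = self.mac_table.get(frame["dst"])
        if frame["dst"] == BROADCAST or target is None:
            return super().receive(frame, sender)       # flood like a hub
        if target is sender:
            return set()    # destination is on the ingress segment; not forwarded
        return target.receive(frame, self)


def connect(a, b):
    a.neighbors.append(b)
    b.neighbors.append(a)


def build_lan(core, hub_shared=()):
    """Cable every host to `core`; hosts named in hub_shared instead share one
    hub that is itself plugged into a single port of `core`."""
    hosts = {name: Host(name, mac) for name, mac in MACS.items()}
    shared = Hub() if hub_shared else None
    if shared is not None:
        connect(core, shared)
    for name, host in hosts.items():
        connect(shared if name in hub_shared else core, host)
    return hosts


def observers(hosts, src, dst):
    """Names of hosts (other than the sender) whose NIC saw the frame."""
    dst_mac = BROADCAST if dst == "broadcast" else hosts[dst].mac
    return sorted(hosts[src].send(dst_mac))


def compare_topologies():
    results = {}
    # 1. Plain hub: a frame for bob is also seen by carol.
    results["hub"] = observers(build_lan(Hub()), "alice", "bob")
    # 2. One host per switch port: the first frame to a not-yet-seen destination
    #    is flooded, but once bob has spoken the switch delivers to bob alone.
    sw = build_lan(Switch())
    results["switch_first"] = observers(sw, "alice", "bob")
    observers(sw, "bob", "alice")                # bob replies; switch learns his port
    results["switch_learned"] = observers(sw, "alice", "bob")
    results["switch_broadcast"] = observers(sw, "alice", "broadcast")
    # 3. bob and carol share a hub on one switch port: carol again sees bob's
    #    traffic, even after the switch has learned where bob is.
    mixed = build_lan(Switch(), hub_shared=("bob", "carol"))
    observers(mixed, "bob", "alice")
    results["hub_on_switch"] = observers(mixed, "alice", "bob")
    return results
```

Note that even a switch floods unicast frames to destinations it has not yet learned, so the privacy of a switched segment depends on the switch's address table being populated and on no hub being cascaded behind a port.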
The use of routers at the network access point has been mentioned earlier in the discussion, but routers are not only useful at the edge of the network; they are used to create the separate networks and broadcast domains within an organization to form several internal networks isolated by function, data, or department. The equipment and management cost associated with routers versus network switches is higher, but in some cases a routed network makes more sense for the preferred architecture. Broadcast messages are transmitted across switches but not across routers. The use of routers is important to an organization for network isolation, as well as to add reliability. Routers allow the simultaneous use of multiple paths to a given destination and are capable of changing between them automatically in the event of failure. Routers often incorporate security measures akin to firewalls that allow restriction of network data types to and from their networks. Diversification, redundancy, and security of internal networks can be achieved to a higher degree with routers, at some expense to simplicity and ease of management, and at higher cost.
The configuration of the router is pivotal to the security of the network because an attacker can modify the path of network traffic via changes to the router. Detailed information on secure router configuration for Cisco routers (the most commonly used router products) can be found at "Improving Security on Cisco Routers," http://www.cisco.com/warp/public/707/21.html. You can also refer to Chapter 22.
IP network numbers can be organized in many different ways, with various sizes. Consideration for the security of a network architecture when creating an IP network is useful to protect against rogue systems. A network is defined by a set of four numbers and an associated network mask. The network mask defines a network by carving out a range of numbers that are considered one network. All of the systems on a single network are configured with the same network mask, thereby ensuring that they can all communicate with each other. Subnetting is the method of dividing networks into small, arbitrarily sized chunks. In the early days of the Internet, networks were divided into several classes: A, B, C, and the special D and E classes. These classes can accommodate different numbers of hosts:
Class A: ~16 million hosts
Class B: ~65 thousand hosts
Class C: 254 hosts
Network classes D and E were specialized ranges of network addresses, reserved for multicast and experimental use. As the use of the Internet grew rapidly, these network ranges became impractical for organizations. Few organizations could utilize a complete class A network, but may have had slightly more than could be accommodated in a class B network; a similar effect occurs between class B and class C networks. The use of Variable Length Subnet Masking (VLSM) and Classless Inter-Domain Routing (CIDR) resolves the problem by allowing for the creation of small-sized networks and allowing for dynamic routing of data between them. This is now the standard method by which ranges of IP addresses are given to companies by their ISP and traffic routed to and from those networks.
These concepts are useful to an organization when creating a security-conscious network architecture. The temptation to implement large network classes is present because of their ease of use, but this is often not the best solution for security. The relationship between the network numbering and the organization of equipment needed to sustain it has an effect on the security of the network architecture. Large, flat networks where all machines in an organization are on one network create several security risks. The effects of denial of service attacks via network data storms are widespread, affecting all of the systems on the network. The network equipment required to maintain a flat network of this nature often results in many shared segments that can leave systems vulnerable to compromise. An attacker can easily add another machine to a flat network of this kind because the ability to monitor and maintain a large network becomes difficult and unwieldy. This system can then be used to attack other systems or steal information as it travels over the network. Establishing a smaller-sized network is useful when determining which systems should be members of a single broadcast domain. You should take care to ensure that the network is not defined so small as to limit its scalability. As noted, the definition of network ranges should consider the ability of users and intruders to incorporate foreign network equipment into the environment.
The introduction of foreign computers and network equipment into the environment can adversely affect the network. Common cases of this occur when users initialize new systems and mistakenly configure them with an IP address that is already in use, or incorrectly configure the network address for the system. Two systems attempting to utilize the same IP address will attempt to fight for that address; this causes network confusion in the network equipment and loss of service or unreliable service for those machines. This is especially dangerous if the system attempts to use the IP address of an important system, such as the gateway or server, because all systems on the network will then flood the badly configured system and will lose connectivity to the intended server or network. Attackers can use this tactic to assume the identity of a specific system such as an email server or authentication server. Spoofing these servers by assuming their addresses and identities causes other systems to unwittingly transmit information to the falsified computer. The attacker can then gather information that allows her to compromise other systems.
A badly configured network address also causes an inability to communicate with other systems on the network and results in abnormal network performance. Tightly controlled network addresses and subnet definitions help defend against these negative effects. The security of a network architecture is enhanced by defining and organizing networks based on relationship and function to each other. Desktop computers often exist on the same IP network, using different physical segments to communicate with servers and gateways. This minimizes the ability of an attacker to compromise the servers and limits the zone of vulnerability to desktop computers with limited privilege. Servers can be placed on different networks with higher bandwidth capacities in order to serve multiple clients without performance degradation. This is also useful to serve multiple networks that do not need to or should not communicate with each other, such as customer and internal networks. The separation by function also limits the effects of misuse and malfunction. The previous example of a user system misconfigured as the gateway would not affect the entire organization in a diversified network environment.
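As an added example (not from the book) tying together the VLSM discussion and the misconfiguration cases above, the following Python carves one allocated block into right-sized subnets per function and then audits host configurations for duplicate addresses, a host squatting on the gateway address, a mask that disagrees with its subnet, and addresses outside any defined network. The block 10.20.0.0/22, the host counts and the host records are constructed.

```python
"""Carve one address block into right-sized subnets per function (VLSM) and
audit host configurations against the plan. Constructed example: the block,
the functional areas and the host records below are invented."""
import ipaddress
from collections import Counter

BLOCK = "10.20.0.0/22"                       # constructed allocation from the ISP
DEMANDS = {"corporate": 200, "servers": 40,  # constructed host counts per function
           "test": 20, "management": 10}

# Constructed host records: (name, configured address, configured mask, function).
HOSTS = [
    ("ws-01",  "10.20.0.11", "255.255.255.0",   "corporate"),
    ("ws-02",  "10.20.0.12", "255.255.255.0",   "corporate"),
    ("ws-03",  "10.20.0.12", "255.255.255.0",   "corporate"),   # duplicate of ws-02
    ("ws-04",  "10.20.0.1",  "255.255.255.0",   "corporate"),   # claims the gateway address
    ("lab-7",  "10.20.1.70", "255.255.255.0",   "test"),        # /24 mask on a /27 subnet
    ("srv-db", "10.20.1.10", "255.255.255.192", "servers"),
    ("rogue",  "10.20.5.9",  "255.255.255.0",   "corporate"),   # outside every defined subnet
]


def classful_capacity():
    """Usable host addresses in the historic classful sizes (for comparison)."""
    return {cls: ipaddress.ip_network(net).num_addresses - 2
            for cls, net in (("A", "10.0.0.0/8"),
                             ("B", "172.16.0.0/16"),
                             ("C", "192.168.1.0/24"))}


def plan_subnets(block, demands):
    """Allocate the smallest subnet that fits each function, largest demand
    first, splitting free space only as far as needed (VLSM)."""
    free = [ipaddress.ip_network(block)]
    plan = {}
    for name, hosts in sorted(demands.items(), key=lambda kv: -kv[1]):
        prefix = 32 - (hosts + 1).bit_length()  # hosts + network + broadcast addresses
        free.sort(key=lambda n: (-n.prefixlen, n.network_address))  # smallest chunks first
        for i, chunk in enumerate(free):
            if chunk.prefixlen <= prefix:
                del free[i]
                break
        else:
            raise ValueError(f"no room left for {name} ({hosts} hosts)")
        while chunk.prefixlen < prefix:         # split the chunk down to size
            chunk, spare = chunk.subnets(prefixlen_diff=1)
            free.append(spare)
        plan[name] = chunk
    return plan


def audit(plan, hosts, gateway_offset=1):
    """Flag configurations that cause the conflicts described in the text:
    duplicate addresses, a host squatting on the gateway address, a mask that
    disagrees with the subnet, and addresses outside any defined network."""
    findings = []
    dupes = {a for a, n in Counter(h[1] for h in hosts).items() if n > 1}
    gateways = {str(net.network_address + gateway_offset) for net in plan.values()}
    for name, addr, mask, function in hosts:
        ip = ipaddress.ip_address(addr)
        expected = plan.get(function)
        home = next((n for n in plan.values() if ip in n), None)
        if home is None:
            findings.append((name, "address outside every defined subnet"))
        elif home != expected:
            findings.append((name, f"address lies in {home}, not the {function} subnet"))
        elif str(expected.netmask) != mask:
            findings.append((name, f"mask {mask} disagrees with subnet mask {expected.netmask}"))
        if addr in dupes:
            findings.append((name, "duplicate address"))
        if addr in gateways:
            findings.append((name, "uses the gateway address"))
    return findings


if __name__ == "__main__":
    plan = plan_subnets(BLOCK, DEMANDS)
    for function, net in plan.items():
        print(f"{function:11s} {net}  ({net.num_addresses - 2} usable hosts)")
    for name, problem in audit(plan, HOSTS):
        print(f"  {name}: {problem}")
```

The four functions fit in 1024 addresses (a /22) where a classful design would have consumed a whole class B for the same organization.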
Other technologies that have increased the flexibility and security of internal networks are Network Address Translation (NAT) and proxy servers. This functionality allows greater control and restriction of network traffic and the protection of internal systems. With NAT, the network addresses of the internal network remain hidden while still providing access to external resources. The router or firewall that performs NAT translates all of the network traffic that passes outward so it appears to originate from that firewall or router. This is a useful capability because it obscures the layout of the internal network, as the external systems see network data arriving from the firewall only. Attacks directed toward internal servers are then made more difficult because NAT also protects the internal network. Unless configured explicitly to redirect incoming network data to a system on the internal network, a NAT device will only allow the return traffic for an internal system to pass. NAT also has the added benefit of allowing for the creation of new networks without acquiring new IP address ranges from the ISP.
A common example of Network Address Translation use for security occurs when an internal network is configured with a "reserved" set of IP addresses. The so-called RFC Networks are specified as private and internal networks that can be used by any organization simultaneously because they are not routed. See RFC #1597, "Address Allocation for Private Internets," http://www.ietf.org/rfc/rfc1597.txt?number=1597 for more information.
In this case, the internal network is a private network, and NAT is used to make all traffic appear to come from the NAT device, the firewall or router. The attacker can only scan and probe the NAT device, and has little or no information about the topology of the internal network and its systems. Consequently, the attacker cannot target specific systems, making compromise more difficult. The potential for denial of service does exist, though, because an attacker can target the NAT device if it is the single ingress and egress point for the network.
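The following added example (not from the book) models the NAT behaviour just described: outbound packets are rewritten to the gateway's public address, only return traffic matching a remembered flow is let back in, and unsolicited inbound packets are dropped unless an explicit redirect for that port has been configured. The private ranges are those of RFC 1597; the gateway address, internal hosts, external hosts and the packet sequence are constructed.

```python
"""Model of a stateful NAT gateway: outbound packets are rewritten to the
gateway's public address, only matching return traffic is let back in, and
unsolicited inbound packets are dropped unless an explicit redirect exists.
Constructed example: all addresses, ports and the packet trace are invented."""
import ipaddress
from dataclasses import dataclass

# Address blocks set aside for private internets by RFC 1597; not routed on the Internet.
PRIVATE = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_private(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in PRIVATE)


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


class NatGateway:
    """Single ingress/egress point between a private internal network and one
    public address; internal flows are distinguished by translated port."""

    def __init__(self, public_ip, redirects=None):
        self.public_ip = public_ip
        self.redirects = redirects or {}  # public port -> (internal host, port), configured explicitly
        self.flows = {}    # (int ip, int port, remote ip, remote port) -> public port
        self.back = {}     # (public port, remote ip, remote port) -> (int ip, int port)
        self.next_port = 40000
        self.log = []

    def outbound(self, pkt):
        """Internal -> Internet: rewrite the source to the gateway and remember the flow."""
        if not is_private(pkt.src):
            raise ValueError(f"{pkt.src} is not an internal (private) address")
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        port = self.flows.get(key)
        if port is None:                   # new flow: allocate a public port for it
            port, self.next_port = self.next_port, self.next_port + 1
            self.flows[key] = port
            self.back[(port, pkt.dst, pkt.dport)] = (pkt.src, pkt.sport)
        self.log.append(f"OUT  {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} "
                        f"as {self.public_ip}:{port}")
        return Packet(self.public_ip, port, pkt.dst, pkt.dport)

    def inbound(self, pkt):
        """Internet -> gateway: returns the translated packet, or None if dropped."""
        if pkt.dst != self.public_ip:
            # Internal addresses are unrouted; only the gateway itself is reachable.
            self.log.append(f"DROP {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} (not the gateway)")
            return None
        inside = self.back.get((pkt.dport, pkt.src, pkt.sport))
        if inside is not None:
            reason = "return traffic for an internal flow"
        elif pkt.dport in self.redirects:
            inside, reason = self.redirects[pkt.dport], "explicit redirect"
        else:
            self.log.append(f"DROP {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} (unsolicited)")
            return None
        self.log.append(f"IN   {pkt.src}:{pkt.sport} -> {inside[0]}:{inside[1]} ({reason})")
        return Packet(pkt.src, pkt.sport, inside[0], inside[1])


def run_trace():
    """Replay a constructed packet sequence through one gateway."""
    gw = NatGateway("203.0.113.1", redirects={443: ("192.168.10.20", 443)})
    r = {}
    # 1. A desktop fetches a web page; the outside sees only the gateway address.
    r["out"] = gw.outbound(Packet("192.168.10.5", 51000, "198.51.100.7", 80))
    # 2. The server's reply matches the remembered flow and is let back in.
    r["reply"] = gw.inbound(Packet("198.51.100.7", 80, "203.0.113.1", r["out"].sport))
    # 3. Another host reusing that port number matches no flow: dropped.
    r["spoof"] = gw.inbound(Packet("198.51.100.99", 4444, "203.0.113.1", r["out"].sport))
    # 4. A probe of a service port with no redirect: dropped; only the gateway is visible.
    r["probe"] = gw.inbound(Packet("198.51.100.99", 5555, "203.0.113.1", 22))
    # 5. A packet aimed straight at a private address never reaches the inside.
    r["direct"] = gw.inbound(Packet("198.51.100.99", 5556, "192.168.10.5", 22))
    # 6. The one explicitly redirected port does reach its internal server.
    r["redirect"] = gw.inbound(Packet("198.51.100.7", 33000, "203.0.113.1", 443))
    return r, gw.log


if __name__ == "__main__":
    for line in run_trace()[1]:
        print(line)
```

Every redirect you configure is one internal system made reachable from outside, so the redirect table is where the NAT device's protective effect is deliberately given up and deserves the same review as a firewall rule.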
Proxy servers provide a similar functionality to NAT, but without any packet data modification. They obscure the internal network and system topology and allow restrictive filtering rules to be applied. A proxy establishes a single system, or set of systems, that acts as the point of contact for a particular service. For example, a Web proxy server is the contact point for all internal Web-surfing users. The users' Web browser software is configured to point at the proxy server. Instead of contacting the remote Web server for a particular site, the Web browser sends the request to the proxy server, which then retrieves the appropriate Web content and passes it back to the requesting browser. The use of proxy servers allows a more restricted and controlled set of filter rules to be established on the firewall because all Web traffic to and from the Internet focuses on a single machine, the proxy server, instead of many different user systems. It also affords internal systems some protection against malicious content because it can be filtered and analyzed by the proxy server before transmission to the requesting system.
The physical wiring used to create the network also requires consideration for security. As with most technology, there are several ways of obtaining a single result. Networking is no different, and the selection of cable types and implementation affects the security, reliability, and performance of a network. Twisted-pair telephone-style cable is the most commonly used in the networks of today. The use of twisted-pair cable forces a star topology for the network. A star has a center point with several tines protruding from it. Each individual cable forms a separate network segment that can be combined into a larger segment only via a hub. When connected to an Ethernet switch, the connection between the computer and the switch forms a single, private segment. Only one computer at a time is connected to the switch via twisted-pair cables. Other, older cable types are still in use today, including coaxial cable, often called thin-net. Coaxial cable allows for a less expensive network, but also a network with less bandwidth. This network cable is shared by several or many systems at one time and forms a single segment on which each computer can see the traffic of the others.
When evaluating the cable type used for an organization, most designers will standardize on twisted-pair cabling. It is important to understand the benefit to security that is gained from the physical wiring, and to know that its inherent security benefits can be nullified with a poor network architecture. The privacy provided by a single segment can be done away with by the use of hubs that multiplex network traffic. In turn, the use of Ethernet switches does not guarantee privacy of the data if their use is not consistent and well-organized throughout the organization.
Along with the cable type, the location and organization of equipment also plays an important role in the security of a network architecture. As outlined in the discussion of threats to a network, physical disruption produces more difficult, expensive, and widespread effects on network service. Organizations need to consider the placement of vital network equipment and systems, including routers, access devices, firewalls, and servers. These important components should be physically secured from access by unauthorized individuals. Networking closets are often used for cable termination points and are also securely locked. A malicious user or unauthorized intruder should be prevented from modifying the network topology and adding a system to the network for the purposes of eavesdropping. Organizations that have large networks and multiple locations also build distributed redundancy into their network architecture. The ability to secure the network and systems is the basic need for a secure network architecture. The flexibility and resilience of a network in the face of incidents provides the high level of security that separates adequate functionality from the robustness of a strong network.
Separation of networks often comes in the form of specialized network functionality such as network management, monitoring, and remote access. Access to these functions may merit separation from the remainder of the network infrastructure. Different broadcast domains and network numbers communicate among each other via routers and by adding extra network interfaces to servers and network equipment.
Network management refers to the control, configuration and maintenance of the network hardware used throughout an organization. Many of these devices provide network, terminal, and Web browser-based access to administer and configure them. It is advisable to disallow the ability to manage these devices from the Internet and other in-band networks. In-band network management occurs when the administrators connect to the device over one of the networks that the device services. In-band management of a router, for example, occurs when the administrator connects to it from the Internet over the external interface or from the internal network over the internal interface. Remote management of a router that ties the Internet to a service network or internal network should not be allowed from the Internet. Although outsiders cannot access the router directly from the Internet, they can access it from an Internet-accessible system in the service network. Compromise of a service network-based system provides the attacker with access to the network equipment. If possible, it is best to establish a management network on a third network interface and to restrict management access to the router from only that special network.
A management network is often a separate physical connection to the devices and on which there are only a handful of dedicated management stations. No other network should have connectivity to the management network, unless controlled through a single, high-security system; access otherwise occurs by physical presence at one of the management stations. The use of a management network severely limits the ability of an attacker to access important systems and equipment, which decreases the risk of compromise.
Network monitoring is a useful function that aids in the security of a network by debugging problems and maintaining performance. The separation of network data may hinder the ability to monitor sections of the network. Therefore, it is important to consider what monitoring should be used and where and to incorporate the required changes or equipment into the network architecture.
Several methods of network monitoring should be considered, as well as their placement in the design of the network. Intrusion detection is a relatively new innovation that is proving useful in the network. These intrusion detection systems (IDS) are placed throughout the network and actively monitor for known signs of attack. The placement of an IDS is often useful at network access points, including the service network, near the inside and outside of firewalls, remote access devices including VPNs and dial-in servers, and near key systems. Firewalls also act as a form of monitoring for a network. Their role is more active in that they manipulate network traffic by allowing or disallowing information to pass through. The effects of many attacks can be limited by regular and frequent analysis of these monitoring methods, including log analysis and configuration of the equipment to notify administrators in the event of an attack condition.
Other considerations for monitoring include the ability for administrators to monitor network traffic and analyze it for insecurities as part of the regular maintenance. The network and its implementation affect the ability to monitor traffic in this way. Network equipment often supports monitoring with SNMP and RMON, two standardized protocols used for this purpose. A final method of network monitoring is via complex network management software suites. These packages use a number of different protocols and methods to acquire and analyze information and provide fast alert and responses to anomalous conditions. These tools often utilize special agents that run in conjunction with the systems and equipment being monitored; these packages are not affected by the physical orientation of the network, however.
If remote access methods are needed in the organization, the methods to provide it should be considered during the creation of the network architecture. Two methods are commonly used: VPN solutions and dial-in modem access. VPN solutions come in two forms: the hardware device and the software application. The hardware VPN device provides several benefits; it is a specialized device that often provides a high level of performance and incorporates its own security methods. The software VPN solution runs as an application or service on existing server systems and often relies on the security mechanisms of its respective operating system.
The effects on the network architecture required to support a VPN are similar for each solution. VPN devices can be more easily integrated in a secure manner into the network environment because the access to and control of the device are more easily dictated. The software service requires more attention. To achieve the highest security, the VPN software should run on a dedicated server and be treated as a device with no other services present. The operating system should be configured in a secure manner and no other internally used services should be run on the system in order to prevent access to the internal network. Software VPN solutions are affected by the vulnerabilities of the operating system as well as any insecurities in the software.
Dial-in support via modems and access servers provides a direct connection to the internal network. The considerations for dial-in methods include the use of a management network to control the device to protect it from unauthorized configuration changes. The dial-in server often relies on other servers on the network to provide authentication of its users. The network path used for authentication should also be private. Finally, dial-in servers should disallow remote networks to route traffic across their dial-in lines. Attackers will often use "war-dialing" software to scan phone numbers for dial-in servers. While the scanning cannot be prevented, the proper organization and configuration of dial-in equipment will limit the risk of compromise.
There are several considerations given to the placement of VPN and dial-in systems in order to protect the internal network. When defining the network architecture, the designers should identify the functionality supported and provided by the remote access. VPNs can provide transparent access to all of the resources of a network, allowing the remote system to appear and function as it would if it were physically located at the organization. Dial-in access, unless combined with a VPN solution, is often used to provide more limited services such as email and Web access. Despite the differences in methods, both supply the same basic functionality: access from remote, distrusted networks and locations. Therefore, it is advisable to place remote access servers on a separate network and to control access to the facilities that they use. The previously mentioned management network should also be used to control and configure these systems.
The placement of remote access equipment follows the same logic used for other network equipment: the limitation of the effects should an attack occur. Attackers will attempt to find the targets that provide them with the most access to other systems and equipment. Remote access devices are easily identifiable targets and should be protected adequately.
Network isolation is a slightly different concept than separation. Isolation of networks affects the flow of network data, which services run on particular systems, and where they are located. It does not prevent internal or external network data from traveling across those same paths. Isolation is often used to enhance the security and efficiency of the network by confining certain network traffic to certain physical wires and networks. Network isolation is achieved with the use of multiple physical and virtual networks within a single organization to separate functionality. Network designers can enhance security by organizing the network into its functional areas and considering the impact that each of these functions has on security.
One example of network isolation is to design the network so that the credentials of remote access users do not travel across any network wires or circuits that are exposed to users or other systems. The simplest method to provide this security is to connect the remote access server directly to the authentication server with a single cable. Another method is to use a switched network topology, keeping the authentication server and remote access device on their own private segments. The data sent from one to the other will then travel between only the two systems and their segments, where no other system can view it.
Isolation is discussed in the following contexts:
The first and most obvious concept is the isolation of external from internal network traffic. Service differentiation is the identification and categorization of network services. The network services provided by an organization can be categorized as external-only, internal-only, or bridge services. As the name implies, external- and internal-only services provide functionality to either the external or internal network, but not both. Bridge services provide functionality to both the internal network and the external network. External services should be isolated in a service network, or hosted by the ISP for the organization. Also, the management of these services should occur via the previously mentioned management network. Internal services should be protected from external Internet or service network access.
It is considered dangerous to attach systems and equipment directly to the Internet without some form of protection, so be sure to protect service networks with protection mechanisms such as a firewall.
The simplest network topology takes a router and connects one interface to the ISP and the other to a multiplexing device such as a hub. All of the internal systems are then connected to the hub. Without getting into the detail of network numbering, this is effective to provide Internet access to all of the internal systems in the organization, but it also allows all systems on the Internet to communicate directly with each system on the internal network. Each system is susceptible to attack, and the entire computing infrastructure could be compromised.
The requirement for Internet access should be categorized into outgoing and incoming access. Outgoing access refers to the most common concept of Internet access: the ability to communicate with Web servers, send email, and download files. Most systems require outbound Internet access, but typically need securing from arbitrary inbound Internet traffic. All network communication and protocol detail aside, the ability to perform these actions does not require internal systems to provide access to those on the Internet. When defining a network architecture, it is important to identify the services and systems that do require access initiated by Internet-based systems. The security considerations for the network architecture now take a basic shape as three organizational classes of network: the external, the intermediary, and the internal network.
The computing services provided by an organization form the basis of the network. Aside from the configuration and security methods used to protect the individual servers and operating systems, isolation of the network services is an important security tactic because it protects from attack and restricts the effects of an attack. The services are those features that the users require and are provided by computers and network equipment. Common services include:
Domain Name System (DNS)
The Domain Name System servers in an organization often serve the internal users as well as the external Internet. The application that provides DNS services has a history of vulnerabilities (as you learned in Chapter 20, "UNIX") that have allowed attackers to compromise the system on which it runs and to corrupt its records. Given this history, careful attention to security is required. If the organization maintains its own DNS server, it is often best suited for the service network in order to protect the internal network from adverse effects of attack. As part of the network architecture, security is also bolstered by redundancy. The use of multiple DNS servers provides a level of reliability in the event of failure or attack on one, and the placement of these merits consideration in the network architecture. Multiple DNS servers should not be placed on the same network; the purpose of redundancy is to provide a high level of reliability in the event of the failure of one network. If both DNS servers are located on the same network or on a single service network, they can both be taken out of service by a single attack. The ideal solution is to locate redundant DNS servers on separate networks that have differing paths to them. This prevents attackers from disabling all domain name services without a complex attack method. DNS servers should be protected by a firewall, and primary servers should be configured with access control restrictions that disallow arbitrary queries and DNS zone transfers to unknown servers.
The separation of DNS usage also requires consideration. Many organizations use a single DNS server, with or without redundancy, to answer both internal and external queries. This means that the Internet-based systems have access to the name server, as well as the internal systems. This bridging of the internal and external networks may present a high security risk if the name server is compromised. Another security risk when using a common name server is the revelation of information. The common DNS server stores all of the name and network information for both internally and externally accessible systems. An attacker can glean this information from the server, arrive at a reasonable idea of the internal network architecture, and identify potential target systems.
One solution to these problems is a split-DNS topology, which creates two distinct name servers: one for systems on the internal network and one for those on the Internet to use. The records in each are then updated independently, and external systems have no access to information about internally networked systems. The attacker no longer has a potential bridge between the internal and external networks, and the effects of the attack are limited.
For further information about securing specific DNS servers, see Securing Domain Name Service at http://www.securityportal.com/cover/coverstory19990621.html.
Email is one of the most important network services to an organization, and the establishment of email services in the network architecture requires careful planning. It is inadvisable to support email with a single mail server. Mail servers often store the contents of users' mailboxes, including company-private and confidential information. A single point of failure is present when using only one server. It is equally dangerous to provide access to the primary mail server from the Internet because an attacker may expose or have access to its private information. One solution is to establish mail relays at different locations on the network and then allow access to the primary mail server only from those relay systems. The mail relays are often located on the service network and further away at the ISP to provide several levels of redundancy in the event of attack or connectivity issues with the organization.
If an attacker can succeed in compromising the primary mail server, the attacker can then access many other sensitive resources of the organization. The use of a mail relay defends the primary mail server and limits the effects of the attack. The mail relay can and should be protected with strong filtering rules on the firewall, and the primary mail server should also be strictly access-controlled to allow inbound mail only from the relay servers.
Specific information regarding the configuration and security of email server software can be found at http://www.securityportal.com/lasg/servers/email/. See also Securing corporate email at http://www.zdnet.co.uk/itweek/brief/1999/41/network/.
Many companies have a corporate Web site that provides the virtual storefront to the Internet and an intranet, or internally located Web site, that contains private company information. The corporate and internal Web sites should be hosted on separate machines in order to isolate the information accessible to Internet users from that available to employees. The network location of corporate Web sites should be determined based on how much traffic the site sees. An extremely popular Web site located on the service network with other network services such as mail relays and DNS servers may put those servers at risk in the event of a denial of service attack. The entire bandwidth can be consumed, rendering the other services unusable. The careful placement of redundant and distributed Web servers helps minimize the risks associated with this service. Web sites can be located on remote servers hosted by the ISP, or Web traffic can be load-balanced among several servers placed in close proximity to each other or even in remote areas.
Further useful information to secure your Web server can be found in Securing Public Web Servers at http://www.cert.org/security-improvement/modules/m11.html.
File and Printer Sharing
File sharing is a staple of network life that is utilized at a majority of organizations. It is also one of the more common insecurities found on a network. A network architecture that supports both security and services carrying potential risk does so by carefully controlling network access to the file servers. When sharing filesystems among multiple systems on the internal networks, access should not be available to the extranets, service network, or Internet. File sharing should never be allowed from unknown or external systems.
A useful article on the topic of securing multiple network server types can be found in Securing Network Servers at http://www.cert.org/security-improvement/modules/m07.html.
Network logins are the methods used by users to authenticate to a remote or local system. This includes interactive access to UNIX accounts, Windows Domain authentication, authentication to Web sites, and any other service that requires user credentials for access. There are many methods for network login, many of which are very insecure. The insecurities of network logins come from the use of cleartext authentication methods wherein the user credentials are transmitted over the network without any encryption or other data obfuscation.
Security considerations for a network design include the isolation of traffic that carries credentials to minimize the opportunity for eavesdropping and the use of VPN systems to provide encrypted communication that protects the credentials during transit. Other protection mechanisms include firewall rules to disallow the protocols that are known to function insecurely from passing the boundary of the internal networks.
Telnet, remote shells, and FTP are commonly used services whose traffic should not be allowed outside of the internal network, if used at all. These services transmit user credentials without any form of encryption, allowing an attacker to eavesdrop and intercept the information.
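As an added illustration, not part of the original text, the following Python model encodes the placement rules discussed above as one policy check: the three network classes (external, intermediary, internal), the relay-only rule for the primary mail server, the zone-transfer restriction on the external DNS server, and the rule that cleartext-login protocols never cross the internal boundary. The addresses and host roles are a constructed sample inventory, not from the chapter.

```python
# Policy model of the three network classes described in this chapter.
# Constructed sample inventory: the addresses and roles are assumptions.
ZONES = {
    "203.0.113.50": "external",       # an arbitrary Internet host
    "198.51.100.53": "external",      # redundant DNS hosted at the ISP
    "192.0.2.10": "intermediary",     # mail relay on the service network
    "192.0.2.53": "intermediary",     # external DNS on the service network
    "10.0.0.25": "internal",          # primary mail server
    "10.0.0.53": "internal",          # internal-only DNS (split DNS)
    "10.0.0.100": "internal",         # employee workstation
}
MAIL_RELAYS = {"192.0.2.10"}
PRIMARY_MAIL = "10.0.0.25"
DNS_SECONDARIES = {"198.51.100.53"}
# Services that transmit credentials in cleartext (FTP, telnet, r-services).
CLEARTEXT_PORTS = {21: "ftp", 23: "telnet", 512: "rexec", 513: "rlogin", 514: "rsh"}


def zone(host):
    """Hosts missing from the inventory are treated as external, the safe default."""
    return ZONES.get(host, "external")


def evaluate(src, dst, port, qtype=None):
    """Return (allowed, reason) for a connection initiated by src to dst:port."""
    s, d = zone(src), zone(dst)
    # Cleartext-login protocols may not cross the internal boundary in either direction.
    if port in CLEARTEXT_PORTS and (s == "internal") != (d == "internal"):
        return False, f"{CLEARTEXT_PORTS[port]} may not cross the internal boundary"
    # Nothing initiated on the Internet reaches the internal network directly.
    if s == "external" and d == "internal":
        return False, "Internet-initiated access to the internal network"
    # The primary mail server accepts inbound SMTP only from the relays.
    if dst == PRIMARY_MAIL and port == 25 and src not in MAIL_RELAYS:
        return False, "inbound SMTP to primary mail server not from a relay"
    # The external DNS server hands zone transfers only to known secondaries.
    if d == "intermediary" and port == 53 and qtype == "AXFR" and src not in DNS_SECONDARIES:
        return False, "zone transfer to an unknown server"
    # The service network initiates into the internal network only via the relay path.
    if s == "intermediary" and d == "internal" and not (dst == PRIMARY_MAIL and port == 25):
        return False, "service network may not initiate into the internal network"
    return True, "permitted"


def audit(flows):
    """Return the (src, dst, port[, qtype]) flows that this policy blocks."""
    return [f for f in flows if not evaluate(*f)[0]]
```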
The use of Virtual Local Area Networks (VLANs) is a relatively new approach to network topology that arose with the development of new network equipment. VLANs provide an alternative to the normal routed and switched network topology by simplifying diverse networks through more intelligent hardware. The VLAN allows groups of systems on different physical networks and segments to communicate seamlessly without the need for a router. One of the drawbacks of routed and switched networks is that the physical location of systems often dictates their presence on a particular network. For example, putting two systems that are physically in the same room onto two different networks requires that the network cables terminate at two different places, one at each network access point. If the network equipment is not physically located in the same area, this becomes quite unmanageable. VLANs allow for this capability and do so transparently.
The use of VLAN technology also has security considerations that may encourage their use. The nature of virtual and dynamically specified networks allows for fine-grained tuning of network traffic. The ability to shape the flow of network traffic is the ability to control it, which provides very flexible security capabilities that make network eavesdropping more difficult and denial of service attempts easier to thwart. It is important to note that part of the benefit of VLAN technology comes from its manageability. Administrators can more easily monitor network information, gather statistical information, and notice and resolve anomalous conditions.
The use of firewalls in a network architecture is generally seen as a requirement for any organization that has Internet access. As you learned in Chapter 10, firewalls are useful tools, and their use in the network architecture provides greater security. As mentioned earlier, firewalls are often used to protect internal networks from access by unauthorized Internet-based systems. They can also be used to protect service networks and extranets. The use of firewalls is not a guaranteed preventative method, however. When designing a network, it is important to determine the restrictions needed for the organization and where the firewall is most beneficial. Multiple firewalls are often utilized to protect network access points and specialized networks throughout the infrastructure.
Firewalls come in several different forms including dedicated firewall appliances, software-based firewall suites, and as built-in functionality of network equipment. When considering security for a network architecture, it is often useful to utilize more than one of these methods. Routers are useful for the application of generic filtering rules such as disallowing access to particular port numbers or services. Hardware and software firewalls can then work in conjunction with the routers to perform more fine-grained filtering based on more granular details such as protocol flags and options.