Lesson 4: Exploring Secure Topologies

This lesson focuses on network designs that enhance security. Many networks today are in some way connected to the Internet. The presence of malicious software and hackers makes the Internet a potentially dangerous network. Organizations that provide their internal users and clients with Internet access expose their networks to potential attacks. Organizations that provide services to Internet users also open their resources to attack. Organizations providing connections or services to the Internet must realize the need for protective equipment, software, and secure topologies.


After this lesson, you will be able to

  • List different types of security zones

  • Explain the purpose of a perimeter network

  • Describe the function of network address translation (NAT)

  • Identify uses for virtual private networks (VPNs)

  • Explain the use of virtual local area networks (VLANs)

Estimated lesson time: 20 minutes


Security Zones

Organizations often create security zones by placing firewalls between internal and external networks. Multiple firewalls are often used to create multiple layers of protection between the internal and external networks, as previously discussed. Some network designs place a network segment between two firewalls. This network segment between the firewalls is called a perimeter network (also known as a DMZ, demilitarized zone, or screened subnet). The creation of a perimeter network creates a division of the network infrastructure into three separate subordinate network structures called security zones. Security zones help organizations classify, prioritize, and focus on security issues based on the services that are required in each zone. These security zones are as follows:

  • Intranet.

    The organization's private network; this is used by employees and those internal to the organization (such as contractors and on-site partners).

  • Perimeter network.

    Used to provide services to users on the Internet and sometimes those inside the organization.

  • Extranet.

    Depending on the security devices used and the network layout, the external network might be called a wide area network (WAN), Internet, public network, or untrusted network. For example, some three-pronged firewalls label the external network connection as a WAN, and others as the Internet.

The following three sections of this lesson discuss intranet, perimeter network, and external security zones in greater detail.

Intranet

The security zone closest to the company is called the intranet. This is also known as the internal network, private network, local area network (LAN), trusted network, protected network, and company or organizational network. The intranet is typically the network (or networks) that contains most of the organization's private resources, including computers, users, data, printers, and other network infrastructure equipment.

Organizations typically don't expect malicious attacks from their own intranets. This is why this security zone is often considered the trusted network. However, former and current employees and contractors might attack resources on the intranet. Intranet users could wittingly or unwittingly install viruses, and they could also try to access or spy on confidential resources. Additionally, internal users probably have access to some part of or possibly the entire physical network. Physical access could enable users to unplug equipment, destroy equipment, or attach unauthorized devices to the network. Security for the intranet security zone typically includes the following measures:

  • Firewall protection from the external network and the perimeter network

  • Installing and updating virus-scanning software

  • Observing and auditing confidential resources

  • Using host-based firewalls for computers that maintain confidential data

  • Documenting and auditing the physical infrastructure and critical systems configurations to ensure there are no unauthorized devices or connections

  • Restricting and monitoring access to critical systems, services, and confidential information

  • Removing unnecessary services from mission-critical servers

VLANs and VPNs can also be used to further secure the intranet. These concepts are introduced separately later in this lesson.

Perimeter Network

The perimeter network provides a semisafe zone in which a private organization can provide limited services to an external network. Typically, the external network is the public Internet, but a perimeter network could be set up between any two networks.

A perimeter network is sometimes referred to as a demilitarized zone, or DMZ. DMZ is a military term for an area in which two warring groups are not allowed to bring weapons. Such an area is established to allow peaceful negotiation and create a buffer between the militaries of each opposing force. In network security terms, DMZ is a metaphor for a buffer zone between two networks.

An example implementation of a perimeter network follows. Assume you are the network administrator for your company. You wish to provide Web services to users on the Internet, but want to prevent those users from accessing your company's intranet. Additionally, you want to protect your company's Web server as much as possible. You decide to use a configuration similar to the one shown in Figure 4-3. Using this configuration, the Web server is protected by a firewall that allows access to the Hypertext Transfer Protocol (HTTP) for Web services, but all other protocols are restricted. A separate firewall is used to protect the intranet from all Internet access (including HTTP access).

Figure 4-3. Perimeter network configuration example
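The two-firewall design of Figure 4-3, modelled as two packet filters so the difference between the outer and inner firewall is visible. This is an added example, not material from the training kit: the zone addresses, the Web server address and the rule shapes are constructed assumptions, and the model is stateless (it admits intranet-originated traffic but does not track replies the way a real firewall would).

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed addressing for the three zones; the book's figure gives no addresses.
DMZ = ip_network("172.16.1.0/24")        # perimeter network
INTRANET = ip_network("192.168.1.0/24")  # internal network
WEB_SERVER = ip_address("172.16.1.10")   # the only host the Internet may reach
ZONES = ["external", "perimeter", "intranet"]

@dataclass(frozen=True)
class Packet:
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # "tcp" or "udp"
    dport: int  # destination port

def zone(addr: str) -> str:
    a = ip_address(addr)
    if a in INTRANET:
        return "intranet"
    if a in DMZ:
        return "perimeter"
    return "external"

def outer_firewall(p: Packet) -> bool:
    """Internet <-> perimeter boundary: inbound traffic is allowed only as HTTP to the
    Web server; traffic leaving from the inside is allowed out."""
    if zone(p.src) != "external":
        return True
    return ip_address(p.dst) == WEB_SERVER and p.proto == "tcp" and p.dport == 80

def inner_firewall(p: Packet) -> bool:
    """Perimeter <-> intranet boundary: nothing may enter the intranet, HTTP included,
    not even from the DMZ. Only intranet-originated traffic crosses (stateless model;
    a real firewall would also admit replies to those sessions)."""
    return zone(p.src) == "intranet"

def admitted(p: Packet) -> bool:
    """Walk the packet across every firewall between its source and destination zone."""
    s, d = ZONES.index(zone(p.src)), ZONES.index(zone(p.dst))
    step = 1 if d >= s else -1
    for i in range(s, d, step):
        boundary = min(i, i + step)       # 0 = outer firewall, 1 = inner firewall
        check = outer_firewall if boundary == 0 else inner_firewall
        if not check(p):
            return False
    return True                           # same zone, or every firewall agreed
```

The fourth check below is the case the second firewall exists for: a compromised Web server in the DMZ still cannot reach an intranet host.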

Some firewalls, called three-pronged firewalls, are able to separate the intranet and external networks while also creating a perimeter network. In this case, the firewall has three separate network interfaces: one for the external network, one for the intranet, and another for the perimeter network. This type of perimeter network configuration is not as secure as the previously illustrated one using two separate firewalls. In a perimeter network created by a three-pronged firewall, there is a single device protecting both the perimeter network and intranet. A failure or compromise of the three-pronged firewall could lead to the compromise of the perimeter network and intranet simultaneously. Figure 4-4 shows an example of a three-pronged firewall.

Figure 4-4. Perimeter network created by a three-pronged firewall

Firewall manufacturers often label the ports of a three-pronged firewall as LAN, DMZ, and WAN.

In cases in which only a single host is required to provide services to the Internet, the three-pronged firewall can be pointed directly to that host. In this case the host is called a bastion host or screened host (see Figure 4-5). The host itself should be as secure as possible to protect it from attack. Such a configuration doesn't necessarily require a three-pronged firewall. The bastion host could be placed on a network segment before the firewall. In any configuration, the security of the bastion host is provided on the host itself.

Figure 4-5. Three-pronged firewall with a bastion host

Other firewalls create a perimeter network without a physically separate third connection for the perimeter network. Instead, these firewalls have two physical connections: internal and external network. However, they have a software configuration that enables the routing of additional protocols to one or more hosts, which are considered perimeter network hosts. Although this type of configuration also creates a perimeter network, it is less secure than the previous two methods described. The lack of a third physical connection in this configuration means that the separation between the perimeter network and intranet is entirely programmatic and not based on any type of physical connection. Just as with a three-pronged firewall, a compromise of this firewall could lead to a compromise of the perimeter network and intranet simultaneously. Security for the perimeter network security zone typically includes the following components:

  • Firewall protection from the external network

  • Limiting the services provided and removing all unnecessary services

  • Auditing of all services

  • Name resolution services that are separate from the internal network

  • Removal or restriction of remote management services

  • Careful documentation and auditing of all physical and logical configurations

  • Frequent data and configuration backups

Web and File Transfer Protocol (FTP) servers are commonly placed in a perimeter network.

Extranet

Another security zone that is optionally created by an organization is known as an extranet. The extranet is typically used for partner access to resources. For example, the United Nations has an extranet that provides secure access to shared resources for the various member nations.

Extranets are similar to perimeter networks in that they are semisecure zones. The purpose of an extranet is to share information and technology between members of multiple organizations. Extranets are typically created using VPN connections, which are encrypted connections that can be used on a private or public network. Two VPN servers or a VPN client and a VPN server can create a VPN connection. The two devices utilize an agreed-on encryption method to implement a secure encrypted connection with one another. If two servers implement the VPN, they can encrypt communication between two points. Figure 4-6 shows an example of two partner networks connected by two VPN servers.

Figure 4-6. VPN with partner network

Two intranets, two perimeter networks, or one of each can be used to create the extranet. The idea is that the two connected networks are used to share resources between the partner organizations. Some organizations implement multiple perimeter networks to handle such configurations. The first perimeter network is used to provide services to Internet users and the second is used to provide extranet services to partner organizations, as shown in Figure 4-7. Security for the extranet security zone typically includes the following components:

  • Firewall protection from the external network

  • Limiting the services provided and removing all unnecessary services

  • Auditing of all services

  • Use of VPN connections

Figure 4-7. VPN with separate perimeter network

Implementing NAT

NAT is a Network and Transport layer translation technique that allows an organization's publicly assigned IP addresses to be different from its private IP addresses. NAT translates the internal IP address range to an external IP address or address range. NAT can be implemented in a firewall, a router, or a workstation or server computer. A device running NAT is placed between an internal network and an external network.

NAT is described in more detail in RFC 3022.

NAT can be used to solve a few different issues. The type of NAT in use depends on the configuration and purpose for which it is being used. Here are the different types of NAT configurations you might encounter:

  • Static NAT.

    Static NAT maps an internal IP address to an external IP address on a one-to-one basis. For example, if you have an internal IP address of 192.168.1.1, you could map that to a single public IP address. The security benefit to using this type of NAT is that external clients do not have direct access to your internal clients (nor can they obtain the actual IP address of the internal client). Further, your firewall could be configured to block the private IP range from traversing it. This prevents IP spoofing attacks from the external network.

  • Dynamic NAT.

    Dynamic NAT maps a range of internal IP addresses to a range of external IP addresses. For example, a range of five internal addresses might be mapped to a range of five external IP addresses. The security benefits of this type of NAT are similar to static NAT. One additional benefit is that the external-to-internal address mappings can change, which might further complicate attacks focused on an individual network host.

  • Overloading NAT.

    Overloading NAT is also known as port address translation (PAT). This is possibly the most popular form of NAT because a single Internet address can provide Internet access to multiple private clients. Overloading can be implemented with a single Internet address or with multiple Internet addresses. The NAT server keeps track of the IP addresses in use. Different TCP and UDP ports are used to keep track of different connections, as shown in Table 4-1. Security benefits of this type of NAT go beyond static and dynamic NAT. With PAT, the external IP structure can be completely different from the internal network structure. For example, hundreds of internal hosts might be communicating with hundreds of different Internet hosts using a single IP address.

As a reminder, the private IP ranges are 10.x.x.x, 172.16.x.x through 172.31.x.x, and 192.168.x.x. Also, the range for Automatic Private Internet Protocol Addressing (APIPA) is 169.254.x.x. You should already be familiar with the difference between private, public, and APIPA addresses.

To illustrate how NAT works, assume you are a network administrator who must connect three computers to the Internet simultaneously. One problem is that you only have a single Internet address: 131.107.1.1. To connect all three hosts, you create an internal address range using 192.168.1.1 through 192.168.1.3. Then you use a NAT device to share the Internet address (131.107.1.1) with all three internal hosts. The three internal clients are Host A (IP address 192.168.1.1), Host B (IP address 192.168.1.2), and Host C (IP address 192.168.1.3). To illustrate how NAT devices can keep track of multiple simultaneous connections to the Internet, look at Table 4-1 and consider the following:

  • Hosts A and B are communicating with an Internet Web server with IP address 131.107.178.205.

  • Host C is communicating with an FTP server with IP address 131.107.37.221 over TCP ports 21 and 20.

Table 4-1. NAT Port-Mapping Table

Local Socket          Translated Socket     Remote Socket
192.168.1.1:1025      131.107.1.1:1025      131.107.178.205:80
192.168.1.2:1027      131.107.1.1:1026      131.107.178.205:80
192.168.1.3:1025      131.107.1.1:1027      131.107.37.221:20
192.168.1.3:1026      131.107.1.1:1028      131.107.37.221:21

The NAT device keeps track of each connection by mapping a unique port to each connection. Notice that all IP address and port combinations (IP sockets) are unique in the table. The NAT device uses the official IP address 131.107.1.1 repeatedly, assigning a unique TCP port each time.
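A small PAT device that reproduces Table 4-1 from the Host A, B and C connections above and then reverse-translates replies. This is an added example and not code from the training kit; the sequential public-port counter starting at 1025, the drop of unsolicited inbound packets, and the drop of external packets carrying a private or APIPA source address (the anti-spoofing rule mentioned under static NAT) are constructed assumptions about how such a device behaves.

```python
from ipaddress import ip_address
from typing import Dict, List, Optional, Tuple

Socket = Tuple[str, int]                  # (IP address, port)
PUBLIC_IP = "131.107.1.1"                 # the single Internet address from the lesson

class PatDevice:
    """Overloading NAT: many private sockets share one public IP, told apart by port."""

    def __init__(self, public_ip: str, first_port: int = 1025) -> None:
        self.public_ip = public_ip
        self.next_port = first_port       # assumption: ports handed out sequentially
        self.out_map: Dict[Tuple[Socket, Socket], int] = {}   # (local, remote) -> public port
        self.in_map: Dict[Tuple[int, Socket], Socket] = {}    # (public port, remote) -> local

    def outbound(self, local: Socket, remote: Socket) -> Socket:
        """Translate a packet leaving the stub network, creating a mapping for a new connection."""
        key = (local, remote)
        if key not in self.out_map:
            port, self.next_port = self.next_port, self.next_port + 1
            self.out_map[key] = port
            self.in_map[(port, remote)] = local
        return (self.public_ip, self.out_map[key])

    def inbound(self, translated: Socket, remote: Socket) -> Optional[Socket]:
        """Reverse-translate a packet arriving from outside; None means 'drop'."""
        src = ip_address(remote[0])
        if src.is_private or src.is_link_local:
            return None     # RFC 1918 or APIPA source on the external interface: spoofed
        if translated[0] != self.public_ip:
            return None
        # Only a reply to an existing (port, remote) pair is let through, so external
        # hosts cannot open connections to internal clients on their own.
        return self.in_map.get((translated[1], remote))

    def table(self) -> List[Tuple[str, str, str]]:
        """Rows in the layout of Table 4-1: local, translated, remote socket."""
        return [(f"{l[0]}:{l[1]}", f"{self.public_ip}:{p}", f"{r[0]}:{r[1]}")
                for (l, r), p in self.out_map.items()]

def lesson_scenario() -> PatDevice:
    """Hosts A, B and C open the connections listed in the lesson, in table order."""
    nat = PatDevice(PUBLIC_IP)
    web = ("131.107.178.205", 80)
    nat.outbound(("192.168.1.1", 1025), web)                        # Host A -> Web server
    nat.outbound(("192.168.1.2", 1027), web)                        # Host B -> Web server
    nat.outbound(("192.168.1.3", 1025), ("131.107.37.221", 20))     # Host C -> FTP data
    nat.outbound(("192.168.1.3", 1026), ("131.107.37.221", 21))     # Host C -> FTP control
    return nat

if __name__ == "__main__":
    for row in lesson_scenario().table():
        print("%-20s %-20s %s" % row)
```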

NAT obscures and protects the internal network (also known as the stub network). The NAT server could still be a target for attack from the external network. If the NAT server is compromised, the organization's Internet access could be lost. Further, hosts inside the private network might also be compromised. The NAT server needs protection, such as a virus scanner, firewall, and intrusion-detection software (discussed in the next lesson). If the NAT server allows remote administration, disable this feature or configure the most secure methods for authentication and encryption available.

Using VLANs

Intranet switches can be used to create VLANs on the intranet. VLANs are essentially virtual subnets that are created by switches and supported by routers that are VLAN enabled. Switches create VLANs by tagging the data frames that they receive from hosts. Each port on the switch can be associated with a VLAN, which behaves like an IP subnet and might require routing to communicate with hosts on other VLANs. Although the physical connections on the network might not change, VLANs can change the network infrastructure. For example, you can use VLANs to segment all of the servers on your network into one subnet.

Frame tagging is not the only method for creating a VLAN, but it is the generally accepted method standardized by IEEE 802.1q. You can locate this specification on the Institute of Electrical and Electronics Engineers, Inc. Web site at http://ieee.org.

VLANs control broadcast traffic. Each VLAN is considered a broadcast domain because every host on a VLAN can send broadcast traffic to all other hosts on that VLAN, and broadcast traffic is not allowed to pass beyond the logical confines of the VLAN. Routers are typically used to connect VLANs, so that hosts on separate VLANs are able to communicate.
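The frame tagging and per-VLAN broadcast domain described above, worked through in code. This is an added example, not code from the training kit or from any switch vendor: the 802.1Q tag layout (TPID 0x8100 followed by a 16-bit TCI with a 12-bit VLAN ID) is the standard's, while the access-port-only switch model, its port-to-VLAN map, and its rule of discarding frames that arrive already tagged on an access port are constructed assumptions.

```python
import struct
from typing import Dict, Optional

TPID_8021Q = 0x8100
BROADCAST = bytes.fromhex("ffffffffffff")

def tag_frame(frame: bytes, vid: int, pcp: int = 0) -> bytes:
    """Insert the 4-byte 802.1Q tag between the source MAC and the EtherType."""
    if not 1 <= vid <= 4094:
        raise ValueError("VID must be 1..4094 (0 and 4095 are reserved)")
    tci = (pcp << 13) | vid                 # PCP (3 bits) | DEI (1 bit, 0) | VID (12 bits)
    return frame[:12] + struct.pack("!HH", TPID_8021Q, tci) + frame[12:]

def parse_tag(frame: bytes) -> Optional[int]:
    """Return the VLAN ID of a tagged frame, or None if the frame carries no 802.1Q tag."""
    if len(frame) < 16:
        return None
    tpid, tci = struct.unpack("!HH", frame[12:16])
    return tci & 0x0FFF if tpid == TPID_8021Q else None

def strip_tag(frame: bytes) -> bytes:
    """Remove the tag again, as a switch does when sending out an access port."""
    return frame[:12] + frame[16:] if parse_tag(frame) is not None else frame

class VlanSwitch:
    """Access ports only: each port belongs to one VLAN and hosts send untagged frames."""

    def __init__(self, port_vlan: Dict[int, int]) -> None:
        self.port_vlan = port_vlan          # port number -> VLAN ID (constructed layout)

    def forward(self, ingress: int, frame: bytes) -> Dict[int, bytes]:
        """Tag on ingress, then flood broadcast (and unknown unicast, since this model keeps
        no MAC table) only to ports in the same VLAN. Returns {egress port: frame}."""
        if parse_tag(frame) is not None:
            return {}                       # assumed policy: access ports accept untagged only
        tagged = tag_frame(frame, self.port_vlan[ingress])
        vid = parse_tag(tagged)
        return {port: strip_tag(tagged)
                for port, member_vid in self.port_vlan.items()
                if port != ingress and member_vid == vid}
```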

As a security benefit, VLANs can hide the true physical configuration of your network. They can also be used to isolate certain hosts without costly reconfiguration of your physical network infrastructure.

Because switches create VLANs, compromising a switch could compromise the VLAN. If an attacker takes control of (or sabotages) a switch hosting one or more VLANs, VLAN hosts might also be vulnerable to compromise. At a minimum, communications traversing the switch might be exploited or disrupted in such an attack.

To protect your VLANs, you must ensure that your switches, VLAN-enabled devices, and the segments between them are secure. Keep up with security bulletins concerning your VLAN-enabled devices and apply all software patches as soon as they are available.

Exercise: Selecting Infrastructure Security Measures

Each of the statements in the left column describes a technology discussed in this chapter. Match the terms in the right column with the descriptions in the left column.

  1. Used to secure and encrypt network data transmitted between partner networks

  2. The area between the internal and external network typically used to provide semisecure services to the external network

  3. A device that can be used to create screened subnets and separate the internal network from the external network

  4. Can mask your internal IP address range and allow multiple hosts to share a single IP address

  1. Perimeter network

  2. NAT

  3. VPN

  4. Firewall

Lesson Review

The following questions are intended to reinforce key information presented in this lesson. If you are unable to answer a question, review the lesson and then try the question again. Answers to the questions can be found in Appendix A, "Questions and Answers."

  1. What is the purpose of dividing a network into security zones?

  2. What are the major benefits of a perimeter network?

  3. How can NAT be used to protect your network?

  4. How are VPNs used?

  5. What are the benefits of VLANs?

Lesson Summary

  • Security zones help organizations classify, prioritize, and focus on security issues based on the services that are required in each zone. When a perimeter network is present there are at least three security zones: intranet, perimeter network, and extranet. The perimeter network is a semisecure network used to provide services to clients on the external network. The internal network is the most secure network (at least two firewalls separate it from the external network). The external network is the least trusted network and the location from which the organization can most expect to be attacked.

  • Some organizations require a separate security zone called an extranet, which is an extension of the private network (or a portion of that network) to provide services to trusted partners.

  • NAT can be used to protect your internal network-addressing scheme from discovery by hosts on the external network. This helps prevent attacks against individual hosts and obscure the number of hosts and services provided by the internal network. NAT can also allow multiple internal hosts to share one or more IP addresses and connections to the Internet.

  • VLANs can combine or subdivide internal physical network segments logically using switches and frame tagging. VLANs can change the logical structure of your network without the need for physical reconfiguration. VLANs can be used to isolate hosts and segments and control broadcast traffic.



Security+ Certification Training Kit
ISBN: 0735618224
Year: 2002
Pages: 55
