Information Security Week 04

This document discusses network architecture design rules for information security. It recommends separating networks into multiple physical segments connected by routers to restrict access. Traffic between segments should only be allowed for systems that need inter-segment access. Within a single network, logical separation using domains can restrict universal access and increase security for groups like IT departments. The document also recommends using firewalls to isolate internal networks from external networks like the Internet, and placing publicly accessible servers in a demilitarized perimeter subnet between the firewall and internal network.

Uploaded by Danish Khan

Information Security, Week 04
INFOSEC Network Architecture Design Rules
- If you are installing a large network, then you may have to create more than one network segment.
- Practically, if there are a very large number of nodes on an Ethernet network, then separate physical networks must be created.
- These separate networks can be connected together via a router.
- Such a large network space increases the risk of network security problems.
- Therefore, traffic between separate networks must be restricted only to those systems that need to access data.
- This limited access will decrease the number of users that may compromise each separate physical network.
5.1 Physical Separation
1. Restrict access:
- Restrict access between separate physical networks via a filtering router.
- A filtering router must be used to restrict access between network segments.
- Filtering routers or packet-screening routers control the flow of IP packets between two or more network segments based on a set of rules, as shown in Figure 5-1.
- A filtering router has the ability to filter IP traffic using filtering rules.
Physical Separation:
2. Single network segment
- When there is more than one physical network segment, connect information systems that need to be universally accessible within an organization on a single network segment.
- By placing all servers that need to be universally accessible across multiple networks onto a single network segment, users from separate networks can have access to these common systems without opening their own networks to inter-segment traffic.
- This network access control can be done at the router that connects the individual networks.
- If performance becomes a problem on the common shared network segment, upgrade the segment to a higher bandwidth.
Physical Separation:
3. Use a switch
- Use a switch to isolate traffic between servers, groups of users, and departments.
- Use a switch to separate traffic between servers and departments within an organization in order to prevent the unnecessary flow of network traffic throughout an organization.
- Therefore, if a hacker or internal user starts to monitor the network from a specific PC, then he or she will only have a restricted view of the packets that are travelling along that specific segment.
5.2 LOGICAL SEPARATION
- Another method of restricting access within a single network is to divide the network into separate logical partitions.
- Each logical partition appears as a separate network, has a separate user accounts database, and has a preconfigured trust relationship with other logical network partitions.
- Access to resources within a logical network partition is controlled by that partition's domain administrator.
- Separating the network logically also restricts users from having universal access to all resources on the network and thereby increases information and network security.
- Typically, one logical network will not be able to access some resources on another logical network unless there is a trust relationship set up between the networks.
- The downside is that it requires more work to administer the separate logical partitions.
- Dividing the network into too many partitions can be inefficient, make it difficult to administer the network, and add more complexity to the network and network security.
- Typically, there should be a logical separation between large departments or large groups of users.
- For example, the MIS department may want to have its own logical partition, since it needs to restrict access to its computers from the general population and would like to have control over additional security on its network.
- As a practical matter, however, it is much easier to manage a network with a single logical partition having a single accounts database.
1. Logical Network Separation:
- Set up logical network separation where you want to increase network security for a group of users.
- Set up one or more servers to belong to each logical network partition.
- Each set of users will be authenticated by a single server in each logical partition and have access only to those resources within it.
- Logical separation will restrict access to servers to users belonging to that logical partition and thereby increase security within a single network.
5.3 FIREWALL ARCHITECTURE
- Securing your network from the internet and other external communication links requires that your site have a firewall that properly isolates the external network from your internal network.
- A firewall is a device or collection of devices and software that securely connects a trusted network with an untrusted or public network.
- Packets must flow past the firewall and be controlled by a set of rules that authorize packets to pass between the two networks.
- Rules are set up at the firewall to enforce the site's security policy.
- It is absolutely necessary that your organization's internal network be protected from an external public network such as the internet.
- The internet is a public network which operates using the TCP/IP protocol.
- There are millions of connected machines on the network capable of sending mail via SMTP, logging into a computer via telnet, transferring files via FTP, and browsing the web using HTTP.
- Connecting to the internet essentially merges your network with the large internet network.
- In order to be connected, your site must establish a connection with an internet service provider (ISP).
- Connections are established by a leased line, phone line or cable line to the service provider using a modem and, for higher speed applications, a modem and router (e.g., operating at 56Mbps, 128Mbps, 256Mbps, T1 or some speed in between).
Use Firewall
- Use a firewall to separate your internal network from the internet.
- If you have a network connected via a leased line, DSL or cable connection to the internet, then you will need to use a firewall.
- DSL and cable modems provide fast connection speeds at inexpensive prices for business or home use, but differ from dial-up modems in that there is a continuous internet connection as long as the PC is turned on.
- For single PCs connected to the internet in a small office/home office (SOHO) setting, implement an inexpensive software-based firewall solution that resides on your PC.
- Inexpensive commercial firewall packages and free public domain software exist specifically to address the DSL and cable modem security problem.
- These packages can either monitor your PC for intrusion/attack or create a firewall that filters packets according to your own predefined rules.
- An organization's internal networks will need to be protected by using a hardware-based firewall solution.
- SOHO environments can use inexpensive firewall/router hardware that is oriented specifically for the DSL and cable modem market.
- Businesses that require publicly accessible machines such as mail and web servers will need to implement a firewall with a DMZ (a "demilitarized zone," an area where publicly accessible machines must be located).
- ISPs may offer their own firewall solutions that can be leased.
- Filtering routers are often provided and maintained by the ISP as gateways to the internet.
- It is desirable to have full control of your gateway router so that you do not have an external party controlling access to your organization's network.
- However, if you do not have the personnel to maintain this device, then an ISP is a good choice.
- Most large ISPs are security conscious and maintain your router configuration with adequate security.
- In order to connect your network to the internet, a gateway computer such as a screening router must be used.
- The gateway computer is a router that "routes" IP packets between two IP networks (i.e., networks with different IP addresses such as 206.5.94 and 206.5.93).
- This connection must not allow for the free flow of IP packets between networks, but must filter packets into your network via a set of rules.
- A screening router will give you this capability. The router must be set up to filter packets not needed for your environment (e.g., FTP, NEWS, FILE, TELNET, or any other unnecessary TCP ports).
- Enable only those ports that you will use.
- Filtering routers are used as the gateway and first level of security to the internet.
- Filtering routers usually have a Unix-based kernel and have filtering software that allows the administrator to create rules that control the filtering of IP packets.
- Below is an example of rules set up on a filtering router.
- Most filtering routers do not sit on top of a full operating system, but implement a scaled-down version specifically tailored for the router and security application.
Create a perimeter subnet
- Create a perimeter subnet on which all publicly accessible servers must be located.
- Any machines to which you want to allow public access (i.e., access by users on the internet) must be separated from your internal company network.
- Publicly accessible machines should be placed on a perimeter subnet which is located between your internet gateway and a device (e.g., a filtering router or application firewall) which separates the perimeter subnet from your internal network.
- Mail servers are needed for intranet mail communications within your organization and for sending mail to other organizations over the internet.
- Since users on the internet can send you mail, locate this mail server on the DMZ and protect this system with extra security measures.
- Disable FTP on the mail server and set up file protection.
- For restricted mail communication between known sites, set up secure authentication between servers.
- Devote a separate machine to FTP serving.
- A remote user logs into the FTP server in order to transfer files to or from the server.
- FTP servers can be attacked by an attacker sending very large files to fill up the disk drive and monopolize the processor.
- Once a hacker logs into a machine, he will try to probe it for weaknesses.
- Also, malicious files may be deposited onto the system.
- Keep this server separate from other public applications.
- Set up a separate machine for website serving.
- Websites are key targets for attack by a hacker.
- Breaking into a website and posting hacker-composed material is a favorite activity.
- It is important to secure this machine by using a reasonably secure operating system such as NT or UNIX and to set up file protections.
- Since this computer is a favorite target, keep your mail system separate.
- Use a dual-homed application gateway or a filtering router to separate the internal network from the perimeter subnet.
- Choose a firewall software package that has been favorably reviewed by the NCSA.
- Use a proxy server located on the DMZ to hide the internal IP addresses from external users.
- Filter out incoming packets from the Internet that have source addresses belonging to the internal network.
- Block all IP traffic into the internal network except from authorized sources.
- Filter out incoming packets to TCP ports that are turned off.
- Most TCP ports are not used on a machine with TCP/IP capability.
- The filtering router between your internal and external network should filter out all port traffic except that which is authorized for applications such as web service (port 80), mail service (port 25), POP3 traffic (port 110), FTP service (port 21 for commands; the data port is negotiated), and any other ports that are used for database access and secure transactions.
- Allow outbound, but no inbound, TELNET sessions.
- Log all firewall events.
- Audit the firewall.
- Do not connect computers with extremely sensitive information to the internet, even indirectly using a firewall.
5.4 WAN-BASED NETWORK ARCHITECTURE
- Locate all WAN connections on a central hub that is separated from public communication links by a firewall.
- Use a single Internet connection for a WAN.
5.5 MODEM SERVER NETWORK ARCHITECTURE
- A modem is used for dialing into an organization from remote locations during travel or from home.
- A connection is established when a user dials in over a phone line to a modem in order to connect to a computer, log on, and access some internal application or service.
- Some users may also use modems to establish a dial-out connection to an external computer.
- These types of connections are decreasing because of the internet.
- Do not allow any modems on individual machines.
- Locate modem servers on the internal network.
5.6 VIRTUAL PRIVATE NETWORK SECURITY
- Use a Virtual Private Network (VPN) over the internet between two sites in place of a leased line connection for less sensitive site-to-site communications.
- Use hubs to isolate traffic in order to make it more difficult for hackers to perform sniffing of the network.
