COMPUTER ARCHITECTURE


  • Section 15: Security Architecture

    Network Architecture

    Design principles, physical configuration, functional organization, operational procedures, and data formats for the design, construction, and operation of a network.

    Security

    The condition achieved when designated systems and information are protected from espionage, sabotage, subversion, and terrorism, as well as against loss or unauthorized use and/or disclosure.

    The measures necessary to achieve this condition.

    So security architecture is the intersection of these definitions.

  • Security Architecture - An Unprotected Network

  • [Diagram: an unprotected network. Components shown: Internal Network, Internet, Remote Office (x2), Leased Line, Dial-Up Service, Remote Control, Voice Trunks, 1-800 Service, ISDN, DSL or Cable Modem, Home User, ISP, Web & ftp Services, Physical Media (e.g., CD or floppy), Router, Physical Path, Wireless Network.]

  • The only interface to the Internet is a simple router.

    All IP addresses and services on the internal network are exposed to the Internet.

    The network topology and services are easily mapped with any of the readily available mapping tools, at both the IP (address mapping) and TCP (port mapping) layers.

    There is no intrusion detection.

    This was a common architecture through the late 1990s and is now beginning to change.

    What then are the principles that should guide this change?

  • Security Architecture - High Level Principles

    Principle - A consistent access architecture across all domains (wireless and wired), supporting staff mobility:

    Home or Small Office: VPN + SecurID, optional wireless LAN in home; 56k/DSL/ISDN/wireless to home
    Campus: VPN + SecurID, wireless LAN
    Travel: Dial-in modem or VPN + SecurID/LAN

  • Security Architecture - Core Principles

    1. Control external visibility of the network. Make only those resources visible that are necessary to conduct business.

    2. Control access to all systems on the network (e.g., routers, switches, servers, and workstations).

    3. Control transmission across all security boundaries, internal and external.

    4. Monitor, detect, and act on all suspicious behavior within the network and at its boundaries.

    All of this begins by clearly and completely understanding the network topology of the security domain that needs to be protected.

  • Security Architecture - Control External Visibility

    1. Expose only that part of the DNS name/address space appropriate for external view (addresses that must be externally resolved).

    2. Eliminate all unnecessary external services, enabling only those required to interact with external users.

    3. Locate publicly accessible resources on a network that does not expose the internal network - one that has no visibility of the internal network and cannot be used as an entry point to the internal network.

    For example, anonymous ftp and public web servers go here, with no ability for the ftp server to establish a 2-way connection with an internal device - all connections should be one-way, in-to-out (push).

  • Security Architecture - Control User Access to Systems

    1. IP source routing is prohibited. This limits a user's ability to specify routes, which could be hazardous.

    2. Each internal system should require positive authentication before a user is granted access - the only exception is anonymous access.

    Passwords, 2-factor, or biometric authentication

    3. Remote access services should impose security restrictions equivalent to those imposed on internal users.

    4. Access authorizations should be based on need-to-know.

  • Security Architecture - Boundary Control

    The entire network boundary needs to be identified and controlled:

    Internet
    Wireless networks
    Remote offices
    Dial-up access and ISDN
    Always-on access (DSL, cable modems)
    Carry-in access (media like CDs, floppies, zip cartridges)

    Any external network attached behind the firewall (e.g., a remote office) must comply with the same security policy as the internal network, since that traffic does not go through the boundary control device (i.e., no unsecured back doors).

  • Security Architecture - Internet Access

    Internet access is typically controlled by a filtering device:

    filtering router
    stateful inspection firewall
    proxy firewall

    These devices operate in accordance with a set of security policy rules that are enforced by the router or firewall. Traffic crossing the boundary is allowed or denied in accordance with the rules.

    Most of these devices can implement automatic alerts to notify a system administrator when an adverse event occurs; in many cases these alerts are turned off or ignored because of large event volume.

    Logs are enabled on these devices and should be read regularly.
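    The rule-based allow/deny decision described here, combined with the external-visibility requirement that public servers may only be pushed to from the inside and never open connections inward, as an added Python example that is not part of the lecture. The zone names, ports, rules and sample flows are constructed for illustration.

```python
# Added example, not from the lecture: deny-by-default zone filtering with
# a deny log and review alerts. Zones, rules and sample flows are constructed.
from collections import Counter
from dataclasses import dataclass

@dataclass(frozen=True)
class Flow:
    src_zone: str  # zone that initiates the connection
    dst_zone: str
    dst_port: int

# (initiating zone, destination zone) -> ports open to new connections.
# Only internal -> dmz may be initiated (push); dmz -> internal and
# internet -> internal have no entry, so they fall through to deny.
POLICY = {
    ("internet", "dmz"): {21, 53, 80, 443},  # public ftp, external DNS, web
    ("internal", "dmz"): {21, 80, 443},      # push content to public servers
    ("internal", "internet"): {80, 443},     # outbound browsing
}

def evaluate(flow):
    """'allow' if a rule opens the port for this zone pair, else 'deny'."""
    open_ports = POLICY.get((flow.src_zone, flow.dst_zone), ())
    return "allow" if flow.dst_port in open_ports else "deny"

def filter_flows(flows):
    """Apply the policy to each flow; return the verdicts and the denied flows."""
    verdicts = [evaluate(f) for f in flows]
    deny_log = [f for f, v in zip(flows, verdicts) if v == "deny"]
    return verdicts, deny_log

def alerts(deny_log):
    """Summarise denies for daily review; DMZ-initiated inward connections get their own counter."""
    inward = sum(1 for f in deny_log if (f.src_zone, f.dst_zone) == ("dmz", "internal"))
    return {"denies_by_source_zone": dict(Counter(f.src_zone for f in deny_log)),
            "dmz_to_internal_attempts": inward}

SAMPLE_FLOWS = [  # constructed sample traffic
    Flow("internet", "dmz", 80),        # allow: public web
    Flow("internet", "internal", 445),  # deny: internal hosts are not exposed
    Flow("internal", "dmz", 21),        # allow: push content out to the ftp server
    Flow("dmz", "internal", 3306),      # deny: DMZ must not reach inward
    Flow("dmz", "internal", 22),        # deny: same, and worth an alert
    Flow("internet", "dmz", 23),        # deny: telnet is not offered externally
]

if __name__ == "__main__":
    verdicts, log = filter_flows(SAMPLE_FLOWS)
    print(verdicts, alerts(log))
```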

  • Security Architecture - Wireless Networks

    Wireless networks represent a rapidly emerging set of technologies that will be widely deployed in the future. These networks bring with them a new set of vulnerabilities and security issues.

    Three classes of networks are being developed:

    Wide Area Networks (worldwide in extent)
    Local Area Networks (restricted to a campus/building setting)
    Personal Area Networks (restricted to an office/person setting)

    Wide area and local area networks are similar in extent and services to their wired counterparts.

    The personal area network does not have a wired counterpart.

  • Security Architecture - Monitor, Detect, and Act

    1. Logs should be turned on and reviewed.

    2. Intrusion detection should be implemented (network and/or host).

    3. Vulnerability scanning should be implemented.

    4. Virus scanning at the firewall, mail server, and desktop should be implemented.

    5. An incident response procedure should be implemented.

  • Security Architecture - A Protected Network

  • [Diagram: a protected network. Components shown: Internal Network, Internet, Remote Office (x2), Leased Line, Voice Trunks, 1-800 Service, DSL or Cable Modem, Home User, ISP, Public Services, Firewall, Physical Media (e.g., CD or floppy), Router, Remote Access Service, ISDN Dial-up, Wireless Network.]

  • Security Architecture - The Demilitarized Zone (DMZ)

    The public network attached to the firewall is often called the DMZ.

    It is a public area: its addresses are externally advertised, and users can access servers here (e.g., web, ftp, external DNS) without authentication.

    Consequently, these machines are 100% likely to be attacked. So:

    Keep them patched, scan them often, read logs daily.
    Do not allow them to see any traffic flowing through the firewall - use a separate Ethernet interface.
    Make their files read-only, remove other services.
    Do not allow them access to the internal network.
    Administrative access should be console only - not remote.

  • Security Architecture - With Intrusion Detection

  • [Diagram: a protected network with intrusion detection. Components shown: Internal Network, Internet, Remote Office (x2), Leased Line, Voice Trunks, 1-800 Service, DSL or Cable Modem, Home User, ISP, Public Services, Firewall, Physical Media (e.g., CD or floppy), Net Switch, Remote Access Service, ISDN Dial-up, Router, Intrusion Detection.]

  • Security Architecture - Intrusion Detection

    Add a network switch with port mirroring (an interface for the ID system to capture and observe all traffic).

    The ID device is connected to an interface on a mirrored port.

    The ID device has large storage capacity and signature capability.

    It could be put behind the network router, but if router filtering is used, the ID device would not see all the traffic. Position depends on the extent of the traffic the device needs to see.

    It could also be put on the internal network for internal ID (insider).

    Most systems support multiple probes that can observe traffic at multiple locations. Each probe contains a unique signature capability.

  • Security Architecture - Internal Network

    So far we have treated the internal network as a homogeneous security domain (i.e., the same level of security everywhere). This means all segments must be equally secure - not always desirable (cost, ease of use).

    Consider the concept of an enclave, where an enclave is a network or sub-net that has a consistent set of security requirements.

    There may be multiple enclaves within an enterprise network (e.g., a student enclave with relatively low security requirements and an administrative enclave with more restrictions). Today this is often done by having a single network enclave and locking down certain hosts (e.g., ones containing student grades).

    In a large environment, this becomes very difficult.

  • Consider a network with four enclaves:

    1. A public space (web, anonymous ftp) - open to anyone over the Internet.

    2. A user facility that provides computing cycles to the international research community at large - must be capable of supporting remote and local access to researchers from all over the world.

    3. The general Intranet for employees - provides in-house web, mail, and other network services - needs to support employees, but restrict access to outsiders (the web may contain IP, product design, etc.).

    4. A business computing environment containing the organization's official books (profit, loss, project, cost data) as well as the Human Resources system (payroll, salaries, etc.) - only accessible to a limited set of internal staff members.

  • [Diagram: Security Architecture - Internal Network. Components shown: Internal Network, Firewall, Router, Public Enclave, Business Enclave, Intranet Enclave, User Facility Enclave; paths between enclaves labelled NO and YES.]

  • The firewall is actually multiple firewalls, or may be a single firewall for the entire network with additional firewalls or filtering routers between internal enclaves.

    An internal enclave might be an entire sub-net or a single system, depending on the number of systems being protected.

    The point is, staff are not free to move around everywhere, but must pass through a protection zone (e.g., a firewall) before moving between internal enclaves.

    The motivation here is that each enclave has different protection requirements.
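    A topology check for the enclave requirement just stated (every path between distinct enclaves must cross a firewall or filtering router) and for the boundary-control rule that a network attached behind the firewall is an unsecured back door, as an added Python example that is not part of the lecture. The node names, enclave labels and links are constructed.

```python
# Added example, not from the lecture: verifies that no path between two
# different enclaves bypasses a protection device (firewall or filtering
# router). Node names, enclave labels and links are constructed.
from collections import defaultdict, deque

def components_without_protection(links, protection_nodes):
    """Connected components once every protection device is removed; any two
    nodes in one component can reach each other without crossing a firewall."""
    adj = defaultdict(set)
    for a, b in links:
        if a not in protection_nodes and b not in protection_nodes:
            adj[a].add(b)
            adj[b].add(a)
    seen, components = set(), []
    for start in adj:
        if start in seen:
            continue
        comp, queue = {start}, deque([start])
        while queue:  # breadth-first search over the unprotected graph
            node = queue.popleft()
            for nxt in adj[node] - comp:
                comp.add(nxt)
                queue.append(nxt)
        seen |= comp
        components.append(comp)
    return components

def unprotected_enclave_pairs(links, protection_nodes, enclave_of):
    """Pairs of distinct enclaves reachable from one another with no protection
    device in between; an empty list means the enclave design holds."""
    bad = set()
    for comp in components_without_protection(links, protection_nodes):
        enclaves = sorted({enclave_of[n] for n in comp if n in enclave_of})
        bad.update((a, b) for i, a in enumerate(enclaves) for b in enclaves[i + 1:])
    return sorted(bad)

# Constructed topology following the four-enclave design: one main firewall,
# plus a filtering router in front of the business enclave.
PROTECTION = {"fw-main", "fr-business"}
ENCLAVE_OF = {"internet": "internet", "web-srv": "public", "sw-intranet": "intranet",
              "hpc-login": "user_facility", "hr-srv": "business", "sw-remote": "intranet"}
LINKS_OK = [("internet", "router"), ("router", "fw-main"), ("fw-main", "web-srv"),
            ("fw-main", "sw-intranet"), ("fw-main", "hpc-login"),
            ("fw-main", "fr-business"), ("fr-business", "hr-srv")]
# Back door: a remote-office switch behind the firewall is cabled to both the
# intranet switch and the HR server, so intranet -> business skips fr-business.
LINKS_BACKDOOR = LINKS_OK + [("sw-intranet", "sw-remote"), ("sw-remote", "hr-srv")]

if __name__ == "__main__":
    print(unprotected_enclave_pairs(LINKS_OK, PROTECTION, ENCLAVE_OF))
    print(unprotected_enclave_pairs(LINKS_BACKDOOR, PROTECTION, ENCLAVE_OF))
```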