Secure Network Design
“Security is always excessive until it’s not enough.” (Sinclair) To the average user, an established network is a lot like plumbing: it’s just supposed to work. Often the only time it is even considered is when something goes wrong or when money needs to be invested in it. Unfortunately, a poorly designed network can be as costly as bad plumbing, or more so. The damage done, though, isn’t usually physical; it’s digital. Intellectual property can be stolen, secrets revealed, and, worst of all, customers’ trust in one’s company can be lost. It is for this reason that secure network design needs to be at the forefront of any modern institution’s agenda.
The basics of any secure network’s design can begin simply with the physical hardware involved and how those physical elements are joined together. The order is of course important. No one would build a castle and put the moat on the inside of the walls or design it so that the gates could be opened from the outside. The same applies to networks. Here is an example of the basic elements:
For the sake of space, some essential but standard equipment, such as switches and a more detailed layout of client machines, has been left out of the design. This design also assumes the following:
- The network is contained within one fairly large, multi-floor building.
- Some number of external users connect using VPNs.
- The firewalls, routers, modems, etc. may be separate devices but are shown as a single element (the firewall) in the graphic.
As shown in the illustration, this network is not going to be isolated from the internet, since there are very few instances in the world today where that is even desired. Mitchell Kapor, the founder of the Lotus Development Corporation (Kapor, Bio, 2010), is quoted as saying that “Getting information off the internet is like taking a drink from a fire hydrant.” (Kapor, Internet Quotation Appendix) In order to manage that flow, the first element in the design is a firewall. In reality, this component could be a single device or possibly even three separate ones performing the functions of modem, router, firewall, packet filter, and even VPN. Regardless, the first part is going to be the modem, which connects the entire network to the internet. Without it the need for all but the routing functions would be non-existent. The second is going to be the firewall and packet filter. These may be separate software entities, but their functions are linked: one rejects requests to closed ports and the other separates illegitimate packet requests from legitimate ones. This first line of defense can go a long way in keeping the rest of the network safe.
The packet filter will need a list of instructions as to what to filter and in what order. The best methodology here, as with everything on the network, is that everything not specifically permitted is denied. There are two important reasons for this. One reason is simply time: specifically denying everything that doesn’t need to occur would be a very long and tedious process. The other is coverage: the sheer number of possibilities makes it almost certain that a critical protection would be missed. Instead, only the things which have been considered and approved will be allowed to function on the network. For the filter this means dropping certain packets, forwarding certain requests, and making exceptions only when absolutely necessary.
It is important to note that the devices in this element will need to be able to handle a great deal more than the average network traffic in order to mitigate DDoS attacks.
Included in this element is the VPN. Depending on the router that is used, which in this case is likely to be one of Cisco’s highly programmable models, the VPN can be an internal function. It is placed in this firewall, and not the one on the inside of the DMZ, so that requests can be handled without having to enter the intranet. This design should also allow the VPN to use a RADIUS server for authentication, helping to protect against man-in-the-middle attacks.
On the other side of this first firewall is the DMZ. This area is a “perimeter” network, or a network that has limited access to the intranet but is still behind the first line of defense. In this network’s DMZ there are four devices. Three of these have functions that are central to office productivity: a mail server, a web server, and an FTP server. The reason for having these three servers in the DMZ is actually quite simple: they generally require almost direct access to the Internet, and this makes them extremely juicy targets. As part of the firewall and packet filter rules, mail, web, and FTP requests are routed to their respective servers. It is possible that these three servers are hosted on a single machine using virtualization, or potentially just a single server OS install (this, however, isn’t necessarily recommended).
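The packet filter described above (an ordered rule list, forwarding only the approved mail, web, and FTP requests into the DMZ, with everything else implicitly denied) can be modelled in a few lines. This is an added example, not part of the original design; the DMZ addresses, the blocklisted range, and the rule set are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination port

@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # CIDR, or "any"
    dst: str              # CIDR, or "any"
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any port
    note: str = ""

def _ip_match(cidr: str, ip: str) -> bool:
    return cidr == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(cidr, strict=False)

def rule_matches(rule: Rule, pkt: Packet) -> bool:
    return (_ip_match(rule.src, pkt.src) and _ip_match(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))

def evaluate(rules: List[Rule], pkt: Packet) -> Tuple[str, str]:
    """First matching rule wins; a packet that matches no rule is denied.
    This is the 'everything not specifically permitted is denied' policy."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return rule.action, rule.note
    return "deny", "implicit default deny"

# Constructed (assumed) DMZ server addresses, not from the original diagram.
WEB, MAIL, FTP = "203.0.113.10", "203.0.113.20", "203.0.113.30"

# Order matters: the blocklist deny sits before the service permits so that a
# blocklisted source cannot reach even the published services.
OUTER_FIREWALL = [
    Rule("deny",   "198.51.100.0/24", "any", "any", None, "blocklisted source"),
    Rule("permit", "any", WEB,  "tcp", 80,  "web"),
    Rule("permit", "any", WEB,  "tcp", 443, "web (TLS)"),
    Rule("permit", "any", MAIL, "tcp", 25,  "mail"),
    Rule("permit", "any", FTP,  "tcp", 21,  "ftp"),
]
```

Swapping the blocklist rule to the end of the list would let a blocklisted host reach port 80, which is exactly why the author stresses the order of the instructions.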
The fourth element in the DMZ, however, needs to be separated from the others. This particular machine is the honeypot. The assumption in network security is that the network is going to be attacked, period. With this in mind a baited trap, the honeypot, is set up and rarely touched except through monitoring. Though it will not always be the case, it can serve as a “canary in the coal mine” for potentially larger attacks. It is also expected to attract the more casual attacker because it’s designed to be an easy target. The overall intent is to give notice and extra time to respond to attacks on other network assets.
On the other side of the DMZ is another firewall that is there to protect the intranet from potential compromises of the DMZ. The intranet on the other side of this firewall contains the remaining parts of an operational network. Though not shown in the diagram, a multi-story building occupied by the same company is likely to have hundreds if not thousands of client machines, depending on what the company’s function is. The needs of this number of users are going to include a directory server (if not more than one) and network storage, which is not represented on the diagram due to space constraints. Another two important components in this intranet are the RADIUS server and any wireless access points (WAPs). All the elements in this diagram make up the basic infrastructure of the network.
The physical structure, however, is not the entirety of the security structure; it is just a part of it. Structural elements such as the use of a DMZ, firewalls, and filters (for both packets and even spam email) lend to security by design. There are other elements that are no less essential but that aren’t physical; they are digital. One such element is the authentication methods that are used throughout the network. Password policies, for example, are a vital part of security. People, if left to their own choices, will almost always choose passwords that are short, simple, and easy to remember. Unfortunately, this often makes them easy to guess or crack using software. Requiring passwords to be of a certain length and strength and to be changed on a regular basis can help alleviate the “human” problem in this part of the security, but it will not eliminate it. This would also include the use of a RADIUS server in circumstances where it is needed. A second security structure that can be put in place would be some type of Intrusion Detection System. Though this would include the honeypot, it should branch out into other areas through the use of monitoring software, which will be expanded on a little later. The overall security structure is a synthesis of different security elements, both physical and digital (software).
The software portion of this structure does not entirely stand on its own, as it often overlaps with certain hardware devices and depends on their being set up properly. The RADIUS server is a good example. It performs multiple security functions in the area of authentication. As mentioned earlier, it can be used in conjunction with a VPN to authenticate external users trying to gain access to the intranet. In doing so it helps to avoid man-in-the-middle attacks. VPNs themselves also help secure a network from intrusion. If a business requires access to the intranet from outside the physical network, a VPN is almost the only way to do it securely when the internet is the connecting medium.
A RADIUS server can also be used in wireless security. The last decade has seen the proliferation of Wi-Fi to a point that it is practically expected in every working environment to serve not just laptops, but PDAs, smart phones, and other handheld devices. The issue this creates is that physical intranets are protected a great deal by their physical isolation, which is compromised only by an internet connection. Wi-Fi, conversely, removes the physical barrier of a building’s walls and Ethernet ports and builds a wireless bridge to anyone within range of the signal. In network design it could be considered the biggest security risk to any network. This is true in part because as the processing power of computers has advanced, so has the ability to break encryption. WEP encryption is now useless, and even WPA encryption can be cracked or at least breached using specially engineered packets. WPA encryption using a RADIUS server for authentication, on the other hand, is extremely secure and makes cracking it nearly futile in terms of the time needed to do so. Wi-Fi can be a great tool for productivity, but the risks have to be managed.
The security of a network also relies on the reporting of the different devices and software on the network. The existence of all the security elements, while important, is not the be-all and end-all of network security. Without some kind of network monitoring and human intervention it would be extremely ineffective. There are limits to automation. Devices can be configured to log certain information and send that information somewhere to be audited. The logs need to be audited in order to be effective, though. Packet filters can also be set to inform someone that certain packets (and therefore a possible attack) are hitting the network and being discarded. If those notices are left unchecked, actions may not be taken to protect against the attack. There are, however, some routers that can be configured to respond in certain ways to certain attacks. These can alter the filter and firewall rules to an extent to stave off attacks for a short time. Along with this kind of logging, there are also security tools that can be run on a network regularly to check for changes, vulnerabilities, and even compromised machines. Programs like Nessus, Snort, and OpenVAS (Lyon, 2010) can be used for that purpose. Finally, penetration testing is something to consider when attempting to secure an existing network. Network security professionals can be incredibly competent at their jobs and will do their best to secure a network, but at times it takes someone who doesn’t know the network from the inside out to find vulnerabilities that have been overlooked.
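The author’s point that discard notices are useless unless someone audits them can be shown with a small log audit. This is an added example, not from the original paper or any particular device: the log format and the sample lines are constructed, and the thresholds are assumptions; it summarises denied packets per source and flags a source that probes many distinct ports, which is the pattern worth a human’s attention.

```python
import re
from collections import defaultdict

# Constructed sample of packet-filter log lines (invented format, not a real device).
SAMPLE_LOG = """\
2010-07-15T10:00:01 DENY tcp 198.51.100.7:41000 -> 203.0.113.10:22
2010-07-15T10:00:02 DENY tcp 198.51.100.7:41001 -> 203.0.113.10:23
2010-07-15T10:00:02 DENY tcp 198.51.100.7:41002 -> 203.0.113.10:3389
2010-07-15T10:00:03 DENY tcp 198.51.100.7:41003 -> 203.0.113.20:22
2010-07-15T10:00:03 DENY tcp 198.51.100.7:41004 -> 203.0.113.20:445
2010-07-15T10:00:04 PERMIT tcp 192.0.2.5:50000 -> 203.0.113.10:80
2010-07-15T10:00:05 DENY tcp 192.0.2.9:50001 -> 203.0.113.10:22
this line is garbage and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (DENY|PERMIT) (\w+) ([\d.]+):(\d+) -> ([\d.]+):(\d+)$")

def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, action, proto, src, sport, dst, dport = m.groups()
    return {"ts": ts, "action": action, "proto": proto,
            "src": src, "dst": dst, "dport": int(dport)}

def audit_denies(log_text, min_denies=3, min_ports=3):
    """Count discarded packets per source and flag sources that were denied
    at least min_denies times across at least min_ports distinct ports.
    Thresholds are assumed values for this example."""
    denies = defaultdict(int)
    ports = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "DENY":
            continue
        denies[rec["src"]] += 1
        ports[rec["src"]].add(rec["dport"])
    alerts = sorted(src for src, n in denies.items()
                    if n >= min_denies and len(ports[src]) >= min_ports)
    return dict(denies), alerts

if __name__ == "__main__":
    counts, alerts = audit_denies(SAMPLE_LOG)
    print("denied packets per source:", counts)
    print("sources needing a human's attention:", alerts)
```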
One area that some might not see as connected with security is backup methods and policies. Backing up data is not often overlooked by network administrators. They know that in order to assure a business’s survival there needs to be an up-to-date redundant backup of users’ documents, the company’s financial data, and other business-critical information. There is vital information, however, that is not stored in network storage or tape backups. The configuration that exists on the routers themselves, which includes filter lists, routing tables, and firewall configurations, needs to be backed up on a regular basis to ensure continuity should something happen to the hardware. Also, as networks grow they become increasingly hard to conceptualize. This unfortunately means that even though sections of the network may be documented in some way, there may be no comprehensive network documentation that could be used in the event that a network security administrator were to leave for some reason. The loss of that “big picture” understanding of the network could prove costly to rebuild. It is exceedingly important that both the physical and the security structure of the network be documented in such a way that, in the event of a disaster, natural or otherwise, the rebuilt network will at least be as secure as the original, if not more so.
In conclusion, building a secure network is not a simple task. The different elements that make up such a network overlap and interact in ways that can lead to conflicts with security. Also, the fact that networks are used by people should be an obvious consideration. Any security that is put in place will have to be able to survive regular use by individuals who may do things that compromise the security of the network. This “human” factor is also true of those who attempt to attack a network. Human ingenuity and creativity know few bounds, and those who attack networks will change tactics and adapt constantly. It is because of these things that there is no one-size-fits-all solution to network security. Network security professionals, in order to be successful, will need to take the basic principles and apply them to the situation at hand. Learn, adapt, innovate: successful network security depends on it.
References
Cheswick, W. R., Bellovin, S. M., & Rubin, A. D. (2003). Firewalls and Internet Security Second Edition: Repelling the Wily Hacker. Boston: Addison-Wesley.
Kapor, M. (2010). Bio. Retrieved July 15, 2010, from Kapor.com: http://www.kapor.com/bio/index.html
Kapor, M. (n.d.). Internet Quotation Appendix. Retrieved July 9, 2010, from Harvard Cyber Law: http://cyber.law.harvard.edu/archived_content/people/reagle/inet-quotations-19990709.html
Lyon, G. (2010). Top 100 Network Security Tools. Retrieved July 15, 2010, from SecTools.org: http://sectools.org/
Sinclair, R. (n.d.). Security Awareness Quotations: Quips and Quotes. Retrieved July 14, 2010, from nativeintelligence.com: http://www.nativeintelligence.com/ni-free/itsec-quips-02.asp