The Basic Architecture of a Secured Network - Case Study Example

August 17, 2008 Solution Part The network diagram shows the basic architecture of a Secured Network. It is essential to understand the importance and application of DMZ before looking at the network architecture. The application of a computer network is to share data for the users on the network. Computers with specific hardware and large amounts of processing capability are classified as Servers. These servers can be a part of a corporate network where users can store, share data, and run complex applications. The simplest example could be an information database system. Depending on the function of the servers they are further classified as Web Servers, E-Mail Servers, File Servers, and Database Servers etc. The data available on these servers can be made available to users outside the corporate network by connecting through a WAN or simply the internet. Hence the security of these servers becomes an important issue when it is exposed to such an un-trusted network. A DMZ is a network implementation aiming at securing the internal network of an organization. It isolates the external connections requiring public services from the hosts on the internal private network. The architecture of the network shown in the diagram is to provide web-based services to the external (internet) users and LAN services to the internal (corporate staff) users by employing a certain level of security. In the network diagram, the implementation can be easily understood by looking into the function of each block involved, and thus the reason for using such a network design gets explained. Dual Firewall Network The system here employs a dual firewall based DMZ implementation. If two different firewalls (from different vendors) having different security implementations can be used, the system becomes more secured. This is because if an intruder manages to get through the first firewall, the same algorithm cannot be used to get through the second one. Ample time would be available for the company’s network administrators to trace and shut down the intrusion. When we look at the function of the components used, the reason for why this network has been laid in this manner can be understood. 1. The “Outer and Inner Firewalls” The Outer firewall usually has two network interfaces; one for Internet and the other one for the DMZ. The firewall hides the addresses of the DMZ servers by using NAT (Network Address Translation) so their public addresses are the same as the address of the Outer firewall. The setup is called “back-to-back perimeter network” and is located in between two firewalls. Having a DMZ in between two firewalls adds an extra layer of security since the inner firewall and the border firewalls can come from different vendors or be of different types if the DMZ is attacked, there is still a firewall left between the attacker and the internal network. The outer firewall Allows traffic destined to both DMZ and Internal Network Protects the web and the ftp servers Tunnels the VPN users to access internal resources The inner firewall Prevents internet users from accessing the back-end and internal network Second level of security when the first firewall is breached Uses a different vendor/system than the outer firewall Easy to get entry to SQL databases if they are exposed directly to the internet The inner firewall has more rules than the outer firewall, like TCP-port 80 (HTTP) is closed since it does not need to be open in order for the workstations of regular users, only for web servers. The firewall usually has two network interfaces: one for the DMZ and one for the internal network 2. The DMZ A DMZ is a neutral zone, where controlled public access is allowed between an external network and a private network. The servers placed in the zone, like web-server DNS-server and mail server, can still benefit from some protection from the firewall. Traffic allowed in to a DMZ could for example be over TCP ports 80 and 443 to a web server, TCP port 25 to a mail server, and UDP port 53 to a DNS server. If the servers in the DMZ are compromised, the inner firewall stands between the attacker and the internal network. The computers in the internal network can initiate requests outbound to the demilitarized zone. Computers in the DMZ will in turn respond, forward or re-issue requests out to the Internet or other public network but they can not initiate inbound requests. Computers on the Internet should not have access to anything other than the services on the servers in the DMZ. The Web-DMZ and the Backend DMZ are separated due to the following reasons The Database and E-Commerce Server does not serve users from the internet. Applications internal to the company are also hosted on this server. A simple example could be an Integrated ERP service. The data required by the internet users from the database/e-com server is presented by the web-server The amount of data transfer and the criticality of data transfer are high between the internal network and the back-end. 3. Internal Network The internal network consists of the user workstations for the company’s staff. All the departments could be connected over a LAN and to the servers. If the company has implemented an ERP solution, the data flow between the various departments and the servers have to be controlled. 4. VPN Trusted Vendors here refers to VPN Client Server programs. These programs have their own security and authentication systems to allow remote users to connect to the corporate network. Users connecting to either the corporate network or the web-servers do not cause any kind of threat to the network. Moreover, the VPN system does not allow any guest user or anonymous access. A secure-id mapped to a digital certificate may also be used to increase the level of security. 5. Department Firewalls Department firewalls comes into picture where there are critical components located within the local network. The departments are placed on different virtual networks or (VLAN’s) which prevents unauthorized access between them. VLAN’s can be viewed as a group of devices on different physical LAN segments which can communicate with each other as if they were all on the same physical LAN segment. VLAN’s use 802.1Q tags for communication in between. (801.1Q is a networking standard). The key to safely using 802.1Q tags for policy decisions is to design a network where switch trunks get connected to the firewall interface where decisions will be made based on VLAN tags. If there are other routes to this firewall interface, the possibility that packets with spoofed VLAN tags increases. The switches themselves must be properly configured, with trunk ports specifically configured for trunking, and added to a non-default VID. For example, these components can be related to medical, banking or sensitive research data. Hence the data flow between the departments should also be looked into. Solution Part 2 A standard security policy is usually put in place for all the equipment of a company which is outside the corporate network, since they are vulnerable to intrusions. The security issues that arise can be looked at considering each section of the entire system. When we consider the different components of the system, we can determine the potential threats with each component and provide a solution. 1) Network Design The DMZ servers need to have open TCP ports to permit local systems to connect and to connect to the other servers on the internal network. Email replication systems are employed to replicate emails, calendars, global address books etc. A hacker program can change the replication mechanisms and also propagate the same to the back-end internal network. The solution is to physically disconnect the internal network from using TCP communication by employing an air-gap system which would relay the required data only at the application level to the internal network. The data between the DMZ servers and the internal network servers are not usually encrypted and can be sniffed from the external network. It is essential to secure the servers on the internal network with SSL certificates and encrypted keys to enhance protection. Sources: John Manning, Compaq Computer Corporation, ISSA-New England Chapter, DMZ [online] Available at http://www.issa-ne.org/documents/johnmanning-dmz.pdf [accessed 17 August 2008] 2) Web Server security There are number of software applications like the webmail deployed on the web-server. These software’s contain large and complex programs which are not 100% bug free and hackers can compromise these program flaws to get entry to the server. This compromised web-server can be used to extract data such as sensitive emails, encryption keys and digital certificates; use the id’s of internal users for spamming and also get complete access to the other servers. The web-server thus becomes a launch-pad to create damage to the company’s internal network and also gain access to the other servers. The set of rules applied in the external firewall does not suffice, the company should be using tools designed to monitor requests to the web-server at the application level. The traffic to the web-server has to be regulated and confine requests to a valid set of known ones at the application level The web server should not interact directly with the back-end or databases. An appropriate application server must be deployed to communicate in between. This would prevent a hacker from running programs to obtain user details of the databases which has a low level of security implementation. Sources: Joseph Steinberg, 1 May 2002, SC Magazine Asia, Untangling Security Issues to Enable Web-based Email Access [online] Available at http://www.scmagazine.com/asia/news/article/419781/untangling-security-issues-enable-web-based-email-access/ [accessed 17 August 2008] 3) FTP Server security FTP servers are used to transfer data when the files are large or more in number. They also allow customers to download files when the company running the ftp server is a product company. Non-customers and prospective customers are assigned anonymous logins for data transfers. The following points FTP Servers should never be used to transfer critical information that belongs to the company’s internal network, since there is no end-to-end encryption available. The following needs to be taken care of her Create drop-boxes for incoming files, these files can be screened offline and analyzed by the administrators Allow directory creations with write-only permissions, which will prevent execution of any threats Download directories with read-only permissions Enable logging of all connections, to keep a record of all the users connecting to the serves. By limiting the disk space on the FTP server, hackers looking for web-space to store files are eliminated When the server is not hosting public downloads, time restricted logins can be used to prevent users from connecting to the server If the set of networks and domains accessing the server is known, then IP based restrictions can be enabled to avoid users from other domains and networks to access. Sources: Ray Zadjmool, July 08, 2003, Updated on July 20 2004, 10 Steps to a Secure FTP Server [online] Available at http://www.windowsecurity.com/articles/Secure_FTP_Server.html [accessed 17 August 2008] 4) Firewall Configurations Sometimes firewalls are poorly configured due to historical or political reasons. Common firewall flaws include passing Microsoft Windows networking packets, passing services, and having trusted hosts on the business LAN. The most common configuration problem is not providing outbound data rules. This may allow an attacker who can sneak a payload onto any control system machine to call back out of the control system LAN to the business LAN or the Internet Sources: Cisco, Catalyst 2820 and 1900 Enterprise Edition Software Guide, Configuration Examples Related to VLAN Features [online] Available at http://www.cisco.com/en/US/docs/switches/lan/catalyst2900xl_3500xl/catalyst1900_2820/version8.00.03/scg/AleakyV.html [accessed 17 August 2008] 5) Back-End Servers – Database Servers Every production control system logs to a database on the DMZ network, which is mirrored into the internal network. If the database environment is not secure enough, a skilled attacker can gain access to the database on the business LAN and use specially crafted SQL statements to take over the database server on the DMZ (e-commerce server). All modern databases allow this type of attack if not configured properly to block it. Sources: Microsoft TechNet Magazine, Jesper Johansson, 2005, ‘Hacking: Fight Back How A Criminal Might Infiltrate Your Network’ [online] Available at http://technet.microsoft.com/en-us/magazine/cc160808.aspx [accessed 17 August 2008] 6) VPN Connections The most common method for Administrators of the Company Network to get connected to the Internal LAN is using the VPN. An attacker can attempt to take over a machine and wait for the legitimate user to VPN into the control system LAN and piggyback on the connection. Once this connection to the internal network is established, the DMZ gets compromised. Sources: Amy Kucharik, 26 June 2007, ‘Network security: Overlay versus perimeter security model’ [online] Available at http://searchnetworking.techtarget.com/news/interview/0,289202,sid7_gci1262114,00.html [accessed 17 August 2008] 7) New Devices Added to the corporate network There has to be a policy in place for any device or component that is being added, removed or taken off for service. This policy defines the methods to be used to test such devices for security threats. Newer devices that are internet enabled devices and are managed from the outside world should have all the necessary security built in. These devices need a direct connection to the internet on specific TCP ports and the company’s firewalls need to exclude these ports for access restrictions. These exposed ports are vulnerable and tend to create a path to access all the other resources of the network. The responsibility of the IT department is to negotiate and maintain long-distance communication lines and it is common to find one or more pieces of the communications pathways controlled and administered from the business LAN. A skilled attacker can reconfigure or compromise those pieces of communications gear to control field communications Sources: Patricia Hawkins, Eric Johansson and Edward Steinfeld, 2001, Automata International Marketing, ‘Securing Internet Enabled Devices’ [online] Available at http://www.go-embedded.com/Security.pdf [accessed on 17 August 2008] 8) Storage Area Network (SAN) Another important component which is common to both the internal and external network is the Network Storage system, which is often not looked into when designing a DMZ for a corporate network. Storage systems are not safe just because they are behind the firewalls. Since these systems serve a number of networks, they create a bridge bypassing the firewalls and network segments. In an event of breach, if the attacker gets past the security of one of the DMZ servers, he has a perfect path to the internal networks Corporate networks with newly designed infrastructures using SAN make sure that when each sub-system is integrated to the network, there are no vulnerable paths for the DMZ’s. Whereas the other corporate networks that would be using a SAN as an addition to the existing network have more work to do. Each separate network has to be checked for vulnerable paths and if it cannot be assured that this method would not rule out all possibilities, better defense systems for storage needs to be employed. Sources: Kevin Beaver, April 1, 2007, Storage security and the firewall DMZ problem [online] Available at http://searchstorage.techtarget.com/tip/0,289483,sid5_gci1236895,00.html [accessed on 17 August 2008] 9) Security Modeling Each and every component of the entire network can be simulated using a model and the theoretical values of Overall Security Values can be determined. This would help in rightly choosing the modifications required to the existing network to enhance the security. Theoretically it is found that The security values increase with Multiple Firewalls Using only windows based systems Sources: Amy Kucharik, 26 June 2007, ‘Network security: Overlay versus perimeter security model’ [online] Available at http://searchnetworking.techtarget.com/news/interview/0,289202,sid7_gci1262114,00.html [accessed 17 August 2008] References 1) Scenario: DMZ Configuration [Support] - Cisco Systems, ‘Scenario: DMZ Configuration’, [online], Available at http://www.cisco.com/en/US/docs/security/pix/pix72/quick/guide/dmz_p.html [accessed 17 August 2008] 2) Cisco ASA 5505 Getting Started Guide, Version 7.2, ‘Scenario: DMZ Configuration’, [online], Available at http://www.cisco.com/en/US/docs/security/asa/asa72/getting_started/asa5505/quick/guide/dmz.html [accessed 17 August 2008] 3) Axigen - Articles and white papers, ‘How to Install a Demilitarized Zone for Your Servers’, [online], Available at http://www.axigen.com/articles/how-to-install-a-demilitarized-zone-for-your-servers_24.html [accessed 17 August 2008] 4) Brooke Paul, July 9, 2001, Building an In-Depth Defense, [online], Available at http://www.networkcomputing.com/1214/1214ws12.html [accessed 17 August 2008] 5) Computer Science Department, Stony Brook University, ‘Internet DMZ Equipment Policy’, [online], Available at http://www.cs.sunysb.edu/files/policies/Internet_DMZ_Equipment_Policy.pdf [accessed 17 August 2008] Read More