Secure Network Architecture
Essay by 24 • October 23, 2010 • 1,637 Words (7 Pages) • 1,804 Views
The security of your network is evaluated daily. A rich question to ask is, "Are you the one doing it?" The answer, hopefully, is that someone on your side is involved in assessing the effectiveness of your defenses; however, overwhelming evidence reports that you are not the only party probing your network's perimeter. Internet-facing systems (computers with IP addresses that can be reached from the Internet) receive between several and hundreds or even thousands of attack attempts every day. Many of these are simple scans that we know how to defend against, but others catch us by surprise, unexpectedly shifting us into incident investigation and cleanup mode.
Does your organization have access to expertise in all aspects of perimeter security, including networking, firewalls, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), Virtual Private Networks (VPNs), UNIX security, and Windows security? In the pages ahead, we will show you how all these protective measures work together. Can you definitively say how secure or insecure your network is? Does everyone in your organization understand the policies related to information security and their implications? One hint that they do not is the famous expression, "But we have a firewall!" If you work in information security, you probably hear this phrase more often than you would like to, because it seems to express the opinion of many people, both technical and nontechnical.
One of the most challenging aspects of securing modern networks, even those that already have firewalls, is that they exhibit porous properties. Wireless connections, portable storage devices, mobile systems, and links to partner sites offer a multitude of ways in which data can get in and out of our networks, bypassing our border defenses. This is one of the reasons why a single security component cannot properly defend a network. However, many components working together can. Defense in depth, a major theme of this chapter and this book, is the process of layering these components to capitalize on their respective strengths. It is flexible, in that it allows us to select components based on technical, budgetary, and organizational constraints and combine them in a way that doesn't compromise the overall security or usability of the network.
We will begin this chapter by defining some common terms of the trade to ensure that we're all on the same page. Then we'll discuss core components of defense in depth, to illustrate how various aspects of the security perimeter can complement each other to form a balanced whole. We will close with a discussion of the Nimda worm and show how defense in depth can help protect your network against such an attack.
Terms of the Trade
We need a common frame of reference when it comes to terms used throughout the book, because one person's definitions might not be the same as someone else's. To that end, we'll define the perimeter, the border router, a firewall, an IDS, an IPS, a VPN, software architecture, as well as De-Militarized Zones (DMZs) and screened subnets.
The Perimeter
What exactly is the perimeter? Some people, when they hear the term perimeter, may conjure up an image of a small squad of soldiers spread out on the ground in a circular formation. Others may come up with the circling-the-wagons image. Before we move on, ask yourself, "What is a perimeter?"
In the context of this book, a perimeter is the fortified boundary of the network that might include the following aspects:
Border routers
Firewalls
IDSs
IPSs
VPN devices
Software architecture
DMZs and screened subnets
Let's take a look at these perimeter components in closer detail.
Border Routers
Routers are the traffic cops of networks. They direct traffic into, out of, and within our networks. The border router is the last router you control before an untrusted network such as the Internet. Because all of an organization's Internet traffic goes through this router, it often functions as a network's first and last line of defense through initial and final filtering.
Firewalls
A firewall is a chokepoint device that has a set of rules specifying what traffic it will allow or deny to pass through it. A firewall typically picks up where the border router leaves off and makes a much more thorough pass at filtering traffic. Firewalls come in several different types, including static packet filters, stateful firewalls, and proxies. You might use a static packet filter such as a Cisco router to block easily identifiable "noise" on the Internet, a stateful firewall such as a Check Point FireWall-1 to control allowed services, or a proxy firewall such as Secure Computing's Sidewinder to control content. Although firewalls aren't perfect, they do block what we tell them to block and allow what we tell them to allow.
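To make the difference between a static packet filter and a stateful firewall concrete, here is an added simulation (not code from the book; the subnet, addresses and policy are assumed) that runs the same three constructed packets through both kinds of rule set:

```python
"""Static packet filter vs. stateful firewall, simulated on constructed packets.

Added example, not from the book excerpt. Subnet, hosts and ports are assumed.
Policy: hosts on the internal subnet may open TCP connections outward;
nothing from outside may initiate a connection inward.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/24")  # assumed internal subnet

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # TCP SYN flag set
    ack: bool  # TCP ACK flag set

def static_filter(pkt):
    """Stateless rule set: judges each packet on its own header only.
    To let replies back in it must allow any inbound packet with ACK set,
    the classic 'established' rule of an old router access list."""
    if ip_address(pkt.src) in INTERNAL:
        return "allow"                      # outbound traffic is permitted
    return "allow" if pkt.ack else "deny"   # inbound: looks like a reply?

class StatefulFirewall:
    """Records connections opened from inside; an inbound packet is allowed
    only when it belongs to a connection already in the state table."""
    def __init__(self):
        self.table = set()

    def check(self, pkt):
        if ip_address(pkt.src) in INTERNAL:
            if pkt.syn and not pkt.ack:     # new outbound connection
                self.table.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "allow"
        # inbound: the reversed 4-tuple must match a tracked connection
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table:
            return "allow"
        return "deny"

def run(packets):
    """Return (static verdict, stateful verdict) for each packet in order."""
    fw = StatefulFirewall()
    return [(static_filter(p), fw.check(p)) for p in packets]

# Constructed traffic: an inside client opens a web connection, the server
# replies, then an outside host sends an ACK-only packet matching no connection.
TRAFFIC = [
    Packet("10.0.0.5", 40001, "203.0.113.10", 80, syn=True, ack=False),
    Packet("203.0.113.10", 80, "10.0.0.5", 40001, syn=True, ack=True),
    Packet("198.51.100.7", 4444, "10.0.0.9", 3389, syn=False, ack=True),
]
```

The third packet is the point: the stateless "established" rule passes it because the ACK bit alone looks like a reply, while the stateful firewall denies it because no internal host opened that connection.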
Intrusion Detection Systems
An IDS is like a burglar alarm system for your network that is used to detect and alert on malicious events. The system might comprise many different IDS sensors placed at strategic points in your network. Two basic types of IDS exist: network-based (NIDS), such as Snort or Cisco Secure IDS, and host-based (HIDS), such as Tripwire or ISS BlackICE. NIDS sensors monitor network traffic for suspicious activity. NIDS sensors often reside on subnets that are directly connected to the firewall, as well as at critical points on the internal network. HIDS sensors reside on and monitor individual hosts.
In general, IDS sensors watch for predefined signatures of malicious events, and they might perform statistical and anomaly analysis. When IDS sensors detect suspicious events, they can alert in several different ways, including email, paging, or simply logging the occurrence. IDS sensors can usually report to a central database that correlates their information to view the network from multiple points.
Intrusion Prevention Systems
An IPS is a system that automatically detects and thwarts computer attacks against protected resources. In contrast to a traditional IDS, which focuses on notifying the administrator of anomalies,