Network design and defense

by Don Parker [Published on 16 Aug. 2006 / Last Updated on 16 Aug. 2006]

I have mentioned before that every network has its own quirks and design needs. Due to that, one can only offer generic advice on a network’s security posture. Let’s take a look at a typical network and comment on it.

Computer network design can vary wildly from one corporation to the next. That said most networks follow the same design principles. By design principles I mean there is generally a demilitarized zone of DMZ where servers such as the mail, dns, and web server are found. This DMZ is kept relatively unprotected, and in turn is firewalled off from the rest of the internal network or intranet. This DMZ is there for good reason as services which companies have to offer like their web and email server are accessible via the Internet. If they are accessible then they are vulnerable to attack. We all know that there is a tremendous amount of “white noise” aka port scans, bot activity, and so on seen on the Internet at any given time. Bearing the constant threat it only makes sense then to have your publicly accessible servers firewalled off from the rest of the network.

A picture is worth a thousand words

What we shall now do is take a look at the below noted visio diagram of a typical DMZ network configuration. Please note that I said typical here as there are some wildly opposing ideas as to what constitutes a DMZ. That is one fiery debate I will simply side step by offering up this accepted DMZ design seen below. I will be commenting on a network that is mid-size to large ie: several hundred plus computers.

Well as with many things it is likely wise to start at the top and work our way down. That said, personally I prefer advising that you should harden your network from the workstation on outwards. With that in mind let's take the generally accepted approach of hardening from the router on down. First off you need to figure out who should have admin access to the router itself. Once done make sure that they are the only ones who do. Secondly, I greatly encourage having the router itself physically locked away somewhere so as to prevent simple access to it. Can you imagine an angry employee making some obscure change to a long list of ACL’s? It might well take you days to track down the problem.

Another rather handy tactic to employ is to configure your router so that all bogon ranges are dropped. Taking this a step further, it is also a very good policy to do egress filtering as well on your router. Allow out of your network only those addresses which originate in your network. A router, if properly configured, can make for a very potent first line of defense. Though as you will also read, if you check out the hyperlink I just supplied, not all DDoS attacks use bogon ranges, however every little added defense helps.

Switches

There will undoubtedly be switches in a corporate network. These layer two devices handle some rather high volumes of traffic, and are a favorite target for the internal attacker. The reason one uses switches in a network is to segment the network into logical pieces. Unless you want to fall to very easy attacks against your switches you would be wise to hard code the MAC addresses to the interfaces. This will prevent the internal malicious presence from pulling off ARP floods in an effort to see all traffic on that segment. You should also follow the example set out above as it pertains to physical access to the switch or router ie: physically restrict access to them by means of lock and key! All of your defenses are useless if someone has physical access to them.

What about our DMZ?

Just what was the whole point of having a DMZ anyways? Well it was to separate servers which offer services via Internet from the corporate intranet. Seeing as these servers are exposed to the Internet they are then prey to countless attacks. Should one of them fall to an exploit then there is nowhere else to go for the attacker. He cannot translate this compromised server to the internal network for there is no direct path to it. That is the beauty and simplicity of having a DMZ. This begs the question though of just how do you manage the servers? Well you do so by configuring the firewall to allow one internal IP to connect to the server in the DMZ. This management console located in the corporate intranet should also only connect to the server via a secure tunnel ie: ssh. Can all this be accomplished with a good enterprise class firewall? Absolutely! There are many excellent enterprise class firewalls out there. You don’t have to always go with a Cisco PIX for your needs.

Isolating subnets

An awful lot of networks are simply flat in design. By that I mean they are not segmented into logical segments. For example, have all of the sales department organized into one segment and so on for the other departments in the corporate network. That makes sense, and is also easier in terms of security to design a very robust network. Did I hear someone say “give me an example!”. Fair enough then.

We all remember the famous claim attributed to the designers of the Titanic, “it is unsinkable”. As we all know the ship did indeed sink. Think of a computer network then that is logically divided via routers. These routers in turn are configured to not forward broadcasts, and only allow upstream connectivity. Most bots and malware spread via network shares, and other server type services. Well if you have properly segmented your network with routers or another type of device then you will have successfully contained a malware outbreak to only one network segment. It is a rather nifty way of further hardening what is typically a very soft internal network.

Wrap up

Though the above described network is only a generic one it does serve the purpose of giving one a high level view of network security. It also illustrates the power of the router as it impacts your network, and its ability to enforce network security policy. Properly configuring, and then maintaining a router can be a lengthy task. Though it is one that will pay off dividends from day one. Not to be forgotten either is the switch that interconnects the actual workstation to the rest of the network, and ultimately the Internet.

You should practice at least some type of switch hardening in order to foil some of the attacks seen in internal networks. Though I only touched on the subject of DMZ’s you should pay close attention to the design of it. Much as I mentioned earlier, there are various interpretations of just what a DMZ is. That said, just make sure you employ one in an effort to further your network defenses. This was just an overview of some of the changes one should make to their internal network, and certainly not an exhaustive one. Should your company be able to afford it I would seriously consider getting an internal pen test done in order to ascertain your network’s security posture as seen from the inside. Well as always I hope you enjoyed the article, and as always I welcome your feedback. Till next time!

Advertisement

Featured Links