Professional Documents
Culture Documents
Secure networks are crucial for IT systems and their proper operation. Essential to their
design is the security architecture describing the network segmentation and security layers.
S
ecure networks are crucial for IT systems and their • Cost optimization by an appropriate IT resource loca-
proper operations as most applications work in the tion and segmentation, and deployment of adequate
networking environment and closely depend on its safeguards for requirement compliance (e.g., IT re-
performance, reliability, and security. Improper network de- sources requiring expensive safeguards according to
sign can be very expensive for a company (i.e., loss of business PCI DSS, SOX, or other standards are located in sepa-
continuity, security incidents, costs of network rebuilding, rate security zone)
etc.). Essential to network design is the security architecture In practical implementations the security zone is a network
that describes the network segmentation (i.e., security zones) segment connected to a physical interface or sub-interface
and security layers (i.e., access control, intrusion preven- (801.2q VLAN) of an access control device (e.g., network
tion, content inspection, etc.). An appropriate design of the firewall) that separates it from the rest of the network. The
architecture provides many advantages (e.g., isolation of low network communication between different zones is strictly
trust systems, limitation of a security breach’s scope, costs controlled. The security layers are implemented on the net-
savings). work devices (i.e., dedicated safeguards, security modules on
During network design in order to avoid errors and achieve the routers and switches). In the design of network security
project cost-effectiveness, recognized principles should be architecture, the safeguards are named as security layers be-
taken into account: compartmentalization, defense in depth, cause the protection scope covers an entire zone (i.e., IT re-
adequate protection, etc. However, there is not one standard sources located in the network segments).
network security architecture. Different IT systems have The concept of security layers was adopted by approved
specific and differing requirements that their individual ar- guidelines and standards (e.g., ISO/IEC 18028-2:2006). The
chitectures should fulfill. The article provides guidelines for security layers identify where protection must be addressed
designing the network security architectures and an overview in products and solutions by providing a sequential perspec-
of the architectures of IT systems with high security require- tive of network security. Mapping of the safeguards to secu-
ments such as e-commerce and data centers. rity layers allows determining how the elements in one layer
An appropriate design of the network security architecture can rely on protection provided by other layers.
provides many advantages:
• Isolation of low-trust network areas, which can be Design principles
potentially used to launch attacks against strategic IT In practice, deployment of the security products does not al-
system resources ways improve the safety of IT system resources. Due to design
• Limitation of the security breach scope to one system or configuration errors, the safeguards may not perform their
or network segment as well as limiting the incident tasks properly, causing an illusive sense of security. Designing
spreading to other systems an appropriate network security architecture is not an easy
task, mainly because in the network there are many different
• Accurate network access control to IT system resourc- protections, often integrated one with another, such as ac-
es as well as monitoring and auditing resource usage cess control, intrusion prevention, encryption, user authen-
and management tication, content inspection, etc. The network protections
• Quick identification of IT systems security incidents operations depend on the IT system environment, i.e., the
based on the events detected in the network areas, safeguards do not create an autonomous system but rather a
where these events should not occur protection layer complementing and ensuring operating sys-
tem, application, and database security.
34
Network Security Architecture | Mariusz Stawowski ISSA Journal | May 2009
Defense in Depth – Protection of IT system resources is based on many Defense in Multiple Places – Security elements are distributed in different places of IT system.
security layers which complement and ensure one another (known also as Defense through Diversification – Safety of IT system resources should be based on the protection
Layered Protections). layers consisting of different kinds of safeguards (also known as Diversity of Defense).
Adequate Protection – Protections should be relevant to the threats and Simplicity – The design and safeguards configuration should be simple and clear, and if technically
values of the resources being protected (i.e., risk analysis results), compliant possible, based on widely approved standards.
with law and other regulations, and properly cooperative with other IT Due Diligence – Ensuring IT system safety requires continual activities that test that the protection
system elements. mechanisms are operational and that security incidents are being detected and resolved.
Information Hiding – The IT system makes available only the information that is necessary for the
company’s business operations (also known as Security through Obscurity). In the designs of intru-
Least Privilege – Subjects should have minimal privileges to IT resources sion prevention systems the principle is known as Attack Surface Reduction.
which are necessary to perform company’s business tasks.
Need To Know – IT system users and administrators should have access to the information relevant to
their position and performed duties.
Single Point of Failure – Protection against failures is achieved by using redundant elements, so
called High-Availability (HA).
Weakest Link in the Chain – Security level of IT system depends on the Fail-Safe Stance – Access to IT system resources should be denied automatically in case of the
least secured element of the system. safeguards failure (important for data-sensitive assets).
Fail-Open Stance – Network communication is passed through without control in case of the safe-
guards failure (important for mission-critical assets).
Recognized principles should be adhered to when designing the IT resources and should enable quick identifica-
a network security architecture in order to avoid errors and tion and elimination of the abnormalities/threats.
achieve project cost-effectiveness. The design should apply In medium- and large-scale networks the simplicity principle
the following guidelines: plays an important role, stating that security design and safe-
1. The security zones in the network should be planned ac- guard configuration should be simple, clear, and if technically
cording to the compartmentalization principle: IT system possible based on widely approved standards. Complicating
resources of different sensitivity levels (i.e., different con- the security design undoubtedly makes its recognition and
fidentiality class, value, and threat susceptibility) should subsequent attack possibility more difficult for the intruders.
be located in different network segments, guarded by ap- However, from the IT systems resources safety perspective, it
propriate protections. Prior to designing the zones, a risk is more important that the safeguards are properly designed,
analysis should be performed. IT resources that require configured, and managed. An error in the design or in the
special protections according to law, standards, or other security system configuration usually creates a potential vul-
regulations should be located in dedicated zones nerability to breach the IT system resources security.
2. The security layers in the network should be planned ac- There are other principles useful in the network security de-
cording to the adequate protection and defense-in-depth signs. Table 1 summarizes these principles. Deeper explana-
principles: tion can be found in “The Principles of Network Security De-
• Adequate protection – IT system resources protec- sign,” published in October 2007 edition of The ISSA Journal.
tion should be relevant to the threats and values of the
resources being protected (i.e., risk analysis results) as E-commerce architecture
well as compliant with law and other regulations. The E-commerce systems provide IT services in an open net-
principle helps ensure that protections are deployed working environment and should be ready to handle Inter-
in a cost-effective way. net threats (i.e., hackers, malicious code, DoS attacks). They
• Defense in depth – network security protections deploy a multi-tier network security architecture consisting
should be designed and deployed in such a way that of Web, application, and database server zones and appropri-
they effectively ensure and complement other layers, ate security layers. Today the Internet provides standard ac-
i.e., protection means in the operating systems, appli- cess for most e-commerce applications, e-banking, and data
cations, and databases. In the case of improper opera- centers. It is convenient and cost-effective because geographi-
tion of one layer (e.g., configuration error, software cally distributed users do not need to install, configure, and
error, security operation disruptions), the protection upgrade any client application.
of other layers should not allow for an easy attack of Figure 1 shows an e-commerce network security architecture.
The zones construction is relevant to the functional elements
35
Network Security Architecture | Mariusz Stawowski ISSA Journal | May 2009
Hardware
NIC NIC Platform NIC Security Layers: Virtual Machines
vSwitch vSwitch vSwitch
Hardware
Security Layers: Network Devices NIC NIC
Platform
NIC
Figure 2 – Concepts of network security architectures in virtualized environment
36
Network Security Architecture | Mariusz Stawowski ISSA Journal | May 2009
2 Core network devices provide both advanced L2 and L3 services, and they can be
1 Sometimes called Security Operations Center (SOC). named as a switch or router.
37
Network Security Architecture | Mariusz Stawowski ISSA Journal | May 2009
mended) as well as other services like load balancing and However, specific threats related to virtualization should be
SSL acceleration. The devices can work inline or the traffic taken into account early in the design phase. The main risk
can be redirected by core routers/switches. of virtualization results from the fact that overloading one
• Application and data services: L2/L3 switches provide of the virtual systems can disrupt operations of other vir-
network connectivity for data center servers and the net- tual systems that share the same hardware platform and as
work storage. a result disrupt operations of other customers’ IT systems.
Virtual systems should be properly controlled in respect of
There is also the backbone network that provides connectiv- shared hardware resources usage (i.e., CPU, RAM, network
ity between primary and backup data center facilities. bandwidth, etc.).
Ensuring high availability of the data center’s services re-
quires IT systems deployment in fault-tolerant, redundant Summary
configurations. Additionally IT systems should be geographi- Secure networks are important for proper operation of IT
cally distributed in primary and backup locations to be ready systems as most applications work in the networking envi-
for any kind of disaster recovery. Data center protection ronment. An essential part of the network design is the secu-
against massive DoS network attacks can be implemented on rity architecture that describes security zones and layers. An
the edge routers. They are the first defense layer against exter- appropriate design of the network security architecture pro-
nal attacks. The routers can provide the traffic inspection in a vides many advantages (e.g., isolation of low-trust systems,
different way than the network firewalls, i.e., stateless inspec- limitation of the security breach’s scope, cost savings). When
tion. They can drop unwanted traffic types based on many designing the architecture to avoid the errors and achieve
criteria (e.g., protocol type, flags settings). Carrier-class rout- project cost-effectiveness, recognized principles should be
ers can filter the traffic at high speed in the hardware mod- taken into account (i.e., compartmentalization, defense in
ules. What is important is that the stateless inspection on the depth, adequate protection, etc.). There is not one standard
routers allows for the filtering of traffic asymmetrically. This architecture. Different IT systems have specific requirements
means that traffic does not need to follow a specific path for that the network security architecture should fulfill.
ingress and egress traffic (as required by stateful inspection
firewalls). This flexibility is needed in places like data center
access to the Internet and WAN where there is no guarantee
References
of routing symmetry. —Daswani. N., Kern C., Kesavan. A. 2007. Foundations of Security,
Apress.
—ESX Server Security Technical Implementation Guide. 2008 DISA.
Security virtualization
—Government Data Center Network Reference Architecture. 2008
Usually data centers store IT assets and provide services for Juniper Networks.
many different companies. The companies have their own —ISO/IEC 18028-2 (ITU X.805) Network security architecture. 2006
security polices and may require access to logs, alerts, and ISO/IEC.
reports related to their IT assets. The protected assets and
the security means of one customer must not be visible to About the Author
other customers. A conventional way to fulfill these require- Mariusz Stawowski, Ph.D., is Director of
ments has the provider deploy a large number of network and Professional Services of CLICO, a security
security devices (i.e., separate devices for each customer), technologies distributor and service pro-
which translates to very high costs. A better solution is se- vider located in Poland. For more than 10
curity virtualization, i.e., one security device is divided into years he has been responsible for manage-
many parts – so called virtual systems – designated for the ment of security projects. He holds CISSP
protection of different IT resources. Virtual systems are iso- and PRINCE2 certificates. His doctoral
lated from one another and have their own autonomy (i.e., dissertation was elaborated at the Military University of Tech-
individual security policy, routing table, network interfaces). nology in the special field of IT systems security auditing and
network protections designing. Mariusz can be contacted at
Virtualization can also be utilized in the security manage-
mariusz.stawowski@clico.pl.
ment field. Data center customers may require some admin-
istrative access to their part of the security system. Deploy-
ment of a separate management server for each customer is
not efficient. The solution defines management domains in
one management server (i.e., management virtualization).
Each management domain contains its own configuration
and logs as well as separate administrator accounts. Although
it is one physical system, the administrators of one manage-
ment domain do not see other domains.
The virtualization of the security devices and management
systems allows for cost-effective data center deployments.
38