
Section 15: Security Architecture

Network Architecture
Design principles, physical configuration, functional organization,
operational procedures, and data formats for design, construction,
and operation of a network.
Security
The condition achieved when designated systems and information
are protected from espionage, sabotage, subversion, and terrorism, as
well as against loss or unauthorized use and/or disclosure.
The measures necessary to achieve this condition.
So security architecture is the intersection of these two definitions.
15-1

Security Architecture - An Unprotected Network

15-2

Security Architecture - An Unprotected Network


The only interface to the Internet is a simple router.
All IP addresses and services on the internal network are exposed to
the Internet.
The network topology and services are easily mapped with any of
the mapping tools readily available at both the IP (address mapping)
and TCP (port mapping) layers.
There is no intrusion detection.
This was a common architecture through the late 1990s; it is now
beginning to change.
What then are the principles that should guide this change?
15-3

Security Architecture - High-Level Principles


Principle - A consistent access architecture across all domains

[Diagram: the same access architecture (VPN + SecurID) applied in each domain]
Home or Small Office: wired or optional wireless LAN in the home; 56k/DSL/ISDN/wireless link to the home; VPN + SecurID
Staff Mobility / Travel: dial-in modem, or VPN + SecurID over a LAN
Campus: wireless LAN; VPN + SecurID
15-4

Security Architecture - Core Principles of a Protected Network


1. Control external visibility of the network. Make only those
resources visible that are necessary to conduct business.
2. Control access to all systems on the network (e.g., routers,
switches, servers, and workstations).
3. Control transmission across all security boundaries, internal and
external.
4. Monitor, detect, and act on all suspicious behavior within the
network and at its boundaries.
All of this begins by clearly and completely understanding the
network topology of the security domain that needs to be protected.
15-5

Security Architecture - Control External Visibility


1. Expose only that part of the DNS name/address space appropriate
for external view (addresses that must be externally resolved).
2. Eliminate all unnecessary external services, enabling only those
required to interact with external users.
3. Locate publicly accessible resources on a network that does not
expose the internal network - one that has no visibility of the internal
network and cannot be used as an entry point to the internal network.
For example, anonymous ftp and public web servers go here, with no
ability for the ftp server to establish a 2-way connection with an
internal device - all connections should be one-way, in-to-out (push).

15-6

Security Architecture - Control User Access to Systems


1. IP source routing is prohibited. This limits a user's ability to specify
routes, which could be hazardous.
2. Each internal system should require positive authentication before a
user is granted access (passwords, 2-factor, or biometric authentication);
the only exception is anonymous access.
3. Remote access services should impose security restrictions equivalent
to those imposed on internal users.
4. Access authorizations should be based on need-to-know.

15-7

Security Architecture - Boundary Control


The entire network boundary needs to be identified and controlled.
Internet
Wireless networks
Remote offices
Dial-up access and ISDN
Always-on access (DSL, cable modems)
Carry-in access (media like CDs, floppies, zip cartridges)
Any external network attached behind the firewall (e.g., remote
office) must comply with the same security policy as the internal
network since that traffic does not go through the boundary control
device (i.e., no unsecured back doors).
15-8

Security Architecture - Internet Access


Internet access is typically controlled by a filtering device:
filtering router
stateful inspection firewall
proxy firewall
These devices operate in accordance with a set of security policy
rules that are enforced by the router or firewall. Traffic crossing the
boundary is allowed or denied in accordance with the rules.
Most of these devices can raise automatic alerts to notify a
system administrator when an adverse event occurs; in many cases
these alerts are turned off or ignored because of the large event volume.
Logs should be enabled on these devices and read regularly.
15-9
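As an added illustration of the rule-based filtering described on this slide and of the one-way DMZ requirement on slide 15-6 (example code written for these notes, not part of the original material), the Python below models a stateful inspection firewall: a new connection is checked against an ordered rule list with a default deny, traffic on an already-allowed flow passes in either direction, and every denial is written to a log for later review. The address plan, the exposed port list and the rule names are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan (an assumption for this example, not from the slides):
# RFC 1918 space for the internal network, a TEST-NET block standing in for the
# externally advertised DMZ, and everything else treated as "the Internet".
INTERNAL = ipaddress.ip_network("10.0.0.0/8")
DMZ = ipaddress.ip_network("192.0.2.0/24")


def zone(addr: str) -> str:
    """Map an IP address to the security zone it belongs to."""
    ip = ipaddress.ip_address(addr)
    if ip in INTERNAL:
        return "internal"
    if ip in DMZ:
        return "dmz"
    return "internet"


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    new: bool = True  # True = connection attempt (TCP SYN); False = traffic on an existing flow


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                       # "allow" or "deny"
    src_zone: str
    dst_zone: str
    ports: Optional[frozenset] = None  # None = any destination port


# Ordered policy: first match wins; anything unmatched is denied (default deny).
POLICY = [
    # The DMZ exposes only the services the slides name (ftp, external DNS, web).
    Rule("public-services", "allow", "internet", "dmz", frozenset({21, 53, 80, 443})),
    # Internal hosts may push content to DMZ servers (in-to-out).
    Rule("internal-push-to-dmz", "allow", "internal", "dmz"),
    # Internal users browse out; replies come back via connection tracking.
    Rule("internal-web-out", "allow", "internal", "internet", frozenset({80, 443})),
    # A DMZ host must never be able to open a connection inward.
    Rule("no-dmz-to-internal", "deny", "dmz", "internal"),
]


class StatefulFilter:
    """Minimal stateful inspection: new flows consult the rules, established flows pass."""

    def __init__(self, policy):
        self.policy = policy
        self.flows = set()   # (src, sport, dst, dport) of connections that were allowed
        self.log = []        # denial records, to be read regularly

    def _match(self, pkt: Packet):
        for rule in self.policy:
            if rule.src_zone != zone(pkt.src) or rule.dst_zone != zone(pkt.dst):
                continue
            if rule.ports is not None and pkt.dport not in rule.ports:
                continue
            return rule
        return None

    def process(self, pkt: Packet) -> str:
        forward = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if not pkt.new:
            # Only traffic belonging to a previously allowed flow may cross the boundary.
            if forward in self.flows or reverse in self.flows:
                return "allow"
            self.log.append(f"DENY unsolicited {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
            return "deny"
        rule = self._match(pkt)
        if rule is not None and rule.action == "allow":
            self.flows.add(forward)
            return "allow"
        why = rule.name if rule is not None else "default-deny"
        self.log.append(f"DENY {why} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
        return "deny"


if __name__ == "__main__":
    fw = StatefulFilter(POLICY)
    print(fw.process(Packet("203.0.113.5", 40000, "192.0.2.10", 80)))   # allow: public web
    print(fw.process(Packet("192.0.2.10", 50000, "10.1.2.3", 22)))      # deny: DMZ reaching inward
    print("\n".join(fw.log))
```

The point to notice is the asymmetry: the internal-to-DMZ rule lets staff push content out, while the explicit DMZ-to-internal deny plus the default deny mean a compromised DMZ host gets nothing but logged failures when it tries to reach inward; the return traffic for allowed flows needs no rule of its own because the filter remembers the flow.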

Security Architecture - Wireless Networks


Wireless networks represent a rapidly emerging set of technologies
that will be widely deployed in the future. These networks bring with
them a new set of vulnerabilities and security issues.
Three classes of networks are being developed:
Wide Area Networks (worldwide in extent)
Local Area networks (restricted to a campus/building setting)
Personal Area Networks (restricted to an office/person setting)
Wide area and local area networks are similar in extent and services
to their wired counterparts.
The personal area network does not have a wired counterpart.
15-10

Security Architecture - Monitor, Detect, and Act


1. Logs should be turned on and reviewed.
2. Intrusion detection should be implemented (network and/or host).
3. Vulnerability scanning should be implemented.
4. Virus scanning at the firewall, mail server, and desktop should be
implemented.
5. An incident response procedure should be implemented.

15-11
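Slides 15-9 and 15-11 both say that logs should be turned on and reviewed. The Python below is an added example, not from the original notes, of what a first-pass review of firewall denial records can do: it parses constructed syslog-style lines, flags a source that hits many distinct ports on one host (the port-mapping behaviour slide 15-3 mentions) and a source that keeps retrying one blocked internal service, and counts lines it could not parse so a format change does not silently empty the report. The log format and all addresses are assumptions made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample of firewall records in a syslog style (made up for this example).
SAMPLE_LOG = """\
Jan 10 02:14:01 fw1 kernel: DENY IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=21
Jan 10 02:14:01 fw1 kernel: DENY IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=22
Jan 10 02:14:02 fw1 kernel: DENY IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=23
Jan 10 02:14:02 fw1 kernel: DENY IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=25
Jan 10 02:14:03 fw1 kernel: DENY IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=110
Jan 10 02:14:03 fw1 kernel: DENY IN=eth0 SRC=203.0.113.5 DST=192.0.2.10 PROTO=TCP DPT=143
Jan 10 03:02:11 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=10.1.2.3 PROTO=TCP DPT=445
Jan 10 03:02:15 fw1 kernel: DENY IN=eth0 SRC=198.51.100.7 DST=10.1.2.3 PROTO=TCP DPT=445
Jan 10 03:05:00 fw1 kernel: ACCEPT IN=eth0 SRC=198.51.100.20 DST=192.0.2.10 PROTO=TCP DPT=80
Jan 10 03:06:00 fw1 sshd[412]: Accepted publickey for admin from 10.0.0.5 port 52100
"""

# Assumed record layout; a real device's format will differ and the regex must follow it.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+\s[\d:]{8}) \S+ kernel: (?P<action>DENY|ACCEPT) "
    r"IN=(?P<iface>\S+) SRC=(?P<src>[\d.]+) DST=(?P<dst>[\d.]+) "
    r"PROTO=(?P<proto>\w+) DPT=(?P<dport>\d+)$"
)


def parse_line(line):
    """Return the fields of one firewall record, or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["dport"] = int(rec["dport"])
    return rec


def review(log_text, port_threshold=5, repeat_threshold=2):
    """Summarise denied traffic and flag sources that look like port mapping or persistent probing."""
    ports_by_src = defaultdict(set)      # source -> distinct destination ports it was denied on
    hits_by_flow = defaultdict(int)      # (source, destination, port) -> denial count
    denied = unparsed = 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            unparsed += 1
            continue
        if rec["action"] != "DENY":
            continue
        denied += 1
        ports_by_src[rec["src"]].add(rec["dport"])
        hits_by_flow[(rec["src"], rec["dst"], rec["dport"])] += 1
    # Many distinct ports from one source is the signature of a port-mapping sweep.
    scanners = {src: len(p) for src, p in ports_by_src.items() if len(p) >= port_threshold}
    # Repeated attempts on a single blocked service by a source that is not already a scanner.
    persistent = {flow: n for flow, n in hits_by_flow.items()
                  if n >= repeat_threshold and flow[0] not in scanners}
    return {"denied": denied, "unparsed": unparsed,
            "scanners": scanners, "persistent": persistent}


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

The thresholds are deliberately parameters: the slide's remark that alerts get switched off because of event volume is exactly what happens when they are set too low, so they should be tuned against a normal day's logs before the report is trusted.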

Security Architecture - A Protected Network

15-12

Security Architecture - The Demilitarized Zone (DMZ)


The public network attached to the firewall is often called the DMZ.
It is a public area: its addresses are externally advertised, and users can
access servers here (e.g., web, ftp, external DNS) without
authentication.
Consequently, these machines are 100% likely to be attacked, so:
Keep them patched, scan them often, read logs daily.
Do not allow them to see any traffic flowing through
the firewall - use a separate Ethernet interface.
Make their files read-only; remove other services.
Do not allow them access to the internal network.
Administrative access should be console only - not remote.
15-13

Security Architecture - With Intrusion Detection

15-14

Security Architecture - Intrusion Detection


Add a network switch with port mirroring (an interface for the ID
system to capture and observe all traffic).
The ID device is connected to an interface on a mirrored port.
The ID device has large storage capacity and signature capability.
It could be put behind the network router, but if router filtering is used,
the ID device would not see all the traffic; its position depends on the
extent of the traffic the device needs to see.
It could also be put on the internal network for internal ID (insiders).
Most systems support multiple probes that can observe traffic at
multiple locations. Each probe contains its own signature capability.
15-15

Security Architecture - Internal Network


So far we have treated the internal network as a homogeneous security domain
(i.e., the same level of security everywhere). This means all segments must
be equally secure - not always desirable (cost, ease of use).
Consider the concept of an enclave, where an enclave is a network or
sub-net that has a consistent set of security requirements.
There may be multiple enclaves within an enterprise network (e.g., a
student enclave with relatively low security requirements and an
administrative enclave with more restrictions). This is often done today by
having a single network enclave and locking down certain hosts (e.g.,
ones containing student grades).
In a large environment, this becomes very difficult.
15-16

Security Architecture - Internal Network


Consider a network with four enclaves:
1. A public space (web, anonymous ftp) - open to anyone over the
Internet.
2. A user facility that provides computing cycles to the international
research community at large - must be capable of supporting remote
and local access to researchers from all over the world.
3. The general Intranet for employees - provides in-house web, mail,
and other network service - needs to support employees, but restrict
access to outsiders (web may contain IP, product design, etc.).
4. A business computing environment containing the organization's
official books (profit, loss, project, cost data) as well as the Human
Resources system (payroll, salaries, etc.) - only accessible to a limited
set of internal staff members.
15-17

Security Architecture - Internal Network

[Diagram: enclave layouts marked YES (acceptable) and NO (not acceptable)]

15-18

Security Architecture - Internal Network

The firewall is actually multiple firewalls, or may be a single firewall
for the entire network with additional firewalls or filtering routers
between internal enclaves.
An internal enclave might be an entire sub-net or a single system
depending on the number of systems being protected.
The point is, staff are not free to move around everywhere, but must
pass through a protection zone (e.g., a firewall) before moving
between internal enclaves.
The motivation here is that each enclave has different protection
requirements.
15-19
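To make the enclave idea from slides 15-17 and 15-19 concrete, the Python below is an added example (not from the original notes) that assigns each of the four enclaves an address block, writes down which enclave may initiate connections into which, and audits a flat list of firewall allow rules against that matrix, so that a rule which quietly lets one enclave reach another shows up before it is deployed on the protection zone between them. The address blocks, the matrix and the candidate rules are assumptions built from the slide's descriptions; in particular the business enclave is modelled as its own address block for the limited set of staff who may use it.

```python
import ipaddress
from itertools import product

# Constructed address plan for the four enclaves (an assumption for this example).
ENCLAVES = {
    "public":   ipaddress.ip_network("192.0.2.0/24"),   # web, anonymous ftp (the DMZ)
    "research": ipaddress.ip_network("10.10.0.0/16"),   # user facility for outside researchers
    "intranet": ipaddress.ip_network("10.20.0.0/16"),   # employee web, mail and other services
    "business": ipaddress.ip_network("10.30.0.0/24"),   # official books and HR systems
}

# Who may open connections into which enclave (initiator -> set of reachable targets).
# Built from the slide's descriptions; "internet" is any address outside every enclave.
ALLOWED = {
    "internet": {"public", "research"},
    "public":   {"public"},                          # DMZ hosts initiate nothing inward
    "research": {"public"},
    "intranet": {"public", "research", "intranet"},
    "business": {"public", "intranet", "business"},
}


def enclave_of(addr):
    """Name the enclave an address belongs to, or 'internet' if it is in none."""
    ip = ipaddress.ip_address(addr)
    for name, net in ENCLAVES.items():
        if ip in net:
            return name
    return "internet"


def zones_covered(cidr):
    """All enclaves a CIDR block touches, plus 'internet' if it reaches outside every enclave."""
    net = ipaddress.ip_network(cidr)
    zones = {name for name, enet in ENCLAVES.items() if enet.overlaps(net)}
    if not any(net.subnet_of(enet) for enet in ENCLAVES.values()):
        zones.add("internet")
    return zones


def audit_rules(allow_rules):
    """Return (src_cidr, dst_cidr, initiator, target) for every enclave pair an allow
    rule would permit that the matrix does not. Each rule is a (src_cidr, dst_cidr) pair."""
    violations = []
    for src_cidr, dst_cidr in allow_rules:
        for initiator, target in product(sorted(zones_covered(src_cidr)),
                                         sorted(zones_covered(dst_cidr))):
            if target not in ALLOWED[initiator]:
                violations.append((src_cidr, dst_cidr, initiator, target))
    return violations


# Constructed candidate rule set to audit (assumed, not from the slides).
CANDIDATE_RULES = [
    ("0.0.0.0/0", "192.0.2.0/24"),        # anyone may reach the public enclave
    ("203.0.113.0/24", "10.10.0.0/16"),   # a partner site reaches the research facility
    ("10.20.0.0/16", "10.30.0.0/24"),     # the whole intranet to business: too broad
    ("192.0.2.0/24", "10.20.0.0/16"),     # DMZ into the intranet: the back door slide 15-8 warns of
    ("10.0.0.0/8", "10.30.0.0/24"),       # all of 10/8 to business: far too broad
]

if __name__ == "__main__":
    for v in audit_rules(CANDIDATE_RULES):
        print("VIOLATION: rule %s -> %s lets %s reach %s" % v)
```

Because a source block such as 10.0.0.0/8 spans several enclaves and unallocated space, the audit expands each rule to every enclave pair it covers rather than classifying only its first address; that is what catches the over-broad rules above while leaving the two legitimate ones alone.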
