Modeling Secure Network Architecture


(Author note: This paper published here anonymously)

1. Introduction

Confidentiality, Integrity and Availability are the three main pillars of information security. In this report we discuss a typical small and medium enterprise (SME) infrastructure and the measures that can be taken to secure it and moderately counter its vulnerabilities.

In this paper we illustrate the technical issues and policies involved in implementing a secure network system. We also examine network segmentation, define a network topology, and show how the system is secured according to the security level required for each segment. The segments are outside (Internet), internal, DMZ (demilitarized zone), and remote users.

We assume in this paper that the network is implemented from scratch, but the approach also works well for an existing network, provided that factors such as a brief study of the existing system and the services it offers, the effect of the new security implementation on the relevant systems and services, and planned downtime are taken into account.

Since a 100% secure system does not exist, we designed a moderately secure network consisting of products and services such as an edge router, switches, a firewall, network- and host-based IDS/IPS, an authentication server (Active Directory), a policy and access control server (Rights Management Server), a web server, an e-mail server, a file server, DNS, application servers, workstations and remote access users.

[http://www.sans.org/reading_room/whitepapers/hsoffice/design_secure_network_segmentation_approach_1645]

2. Literature review / requirement gathering / analysis of the current system / threat analysis

The Internet Protocol (IP) forms the heartbeat of an organization. An IP network enables effective communication between departments and with the outside world. To date, IP makes up 90% of the world's networks, making it the most widely adopted technology. Its popularity has several reasons; one of them, ease of implementation and maintenance, is also its biggest weakness. IP was designed and developed without any security context, leaving many loopholes that an attacker could exploit.

To better understand how IP functions, we need to understand how an IP packet is delivered from a host at one end of a network to a host at the other. The diagram below shows the TCP/IP model, which is made up of 4 layers: the Application Layer, Transport Layer, Internet Layer and Network Access Layer.


http://www.learn-networking.com/wp-content/oldimages/tcp-ip-headers.jpg

After the host's network interface card (NIC) initiates the sending of an IP packet, the packet goes through an encapsulation process: each of the 4 layers adds its own header, which carries information about the network and the system. Once the receiving host's NIC receives the packet, it begins the decapsulation process; as each header is unwrapped, it tells the host how to process the packet.

Each layer plays a vital role in network communication and has its own important function to perform. It is therefore important to protect all 4 layers so that attackers cannot exploit the vulnerabilities of any one of them.
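To make the encapsulation and decapsulation process concrete, the following added example (not part of the original paper) builds a frame by hand from the inside out, wrapping an application payload in a TCP header, an IPv4 header and an Ethernet header, and then unwraps it layer by layer. It also verifies the IPv4 header checksum on the way in, which is the receiver's first chance to notice a corrupted or tampered header. All MAC and IP addresses are constructed sample values.

```python
"""Encapsulation and decapsulation through the four TCP/IP layers (added example)."""
import socket
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6


def ip_checksum(data: bytes) -> int:
    """RFC 1071 checksum: one's-complement sum of 16-bit words, then complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def mac_to_bytes(mac: str) -> bytes:
    return bytes(int(octet, 16) for octet in mac.split(":"))


def encapsulate(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload: bytes) -> bytes:
    """Wrap an application payload in TCP, IPv4 and Ethernet headers, innermost first."""
    # Transport layer: 20-byte TCP header, seq/ack 0, data offset 5 words, flags PSH|ACK,
    # window 8192. The TCP checksum is left at zero; computing it needs a pseudo-header.
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0, 5 << 4, 0x18, 8192, 0, 0) + payload
    # Internet layer: 20-byte IPv4 header (version 4, IHL 5, DF set, TTL 64), checksum over header only.
    ip_hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp), 0x1234, 0x4000, 64,
                         PROTO_TCP, 0, socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    ip_hdr = ip_hdr[:10] + struct.pack("!H", ip_checksum(ip_hdr)) + ip_hdr[12:]
    # Network access layer: Ethernet II header (destination MAC, source MAC, EtherType).
    eth = mac_to_bytes(dst_mac) + mac_to_bytes(src_mac) + struct.pack("!H", ETHERTYPE_IPV4)
    return eth + ip_hdr + tcp


def decapsulate(frame: bytes) -> dict:
    """Unwrap a frame layer by layer; raise ValueError on anything malformed."""
    if len(frame) < 14 + 20 + 20:
        raise ValueError("frame too short")
    dst_mac, src_mac = frame[:6], frame[6:12]
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip[0] >> 4 != 4 or ihl < 20:
        raise ValueError("bad IPv4 header")
    # A valid header sums to zero once its own checksum field is included.
    if ip_checksum(ip[:ihl]) != 0:
        raise ValueError("IPv4 header checksum mismatch (corrupted or tampered)")
    _, _, total_len, _, _, ttl, proto, _, src, dst = struct.unpack("!BBHHHBBH4s4s", ip[:20])
    if proto != PROTO_TCP:
        raise ValueError("not TCP")
    tcp = ip[ihl:total_len]
    src_port, dst_port, _, _, off, flags, _, _, _ = struct.unpack("!HHIIBBHHH", tcp[:20])
    data_off = (off >> 4) * 4
    return {
        "link": {"src_mac": src_mac.hex(":"), "dst_mac": dst_mac.hex(":")},
        "internet": {"src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst), "ttl": ttl},
        "transport": {"src_port": src_port, "dst_port": dst_port, "flags": flags},
        "application": tcp[data_off:],
    }


def frame_is_valid(frame: bytes) -> bool:
    try:
        decapsulate(frame)
        return True
    except ValueError:
        return False


# Constructed sample: a workstation sending an HTTP request to a web server.
SAMPLE_FRAME = encapsulate("02:00:00:00:00:01", "02:00:00:00:00:02",
                           "192.0.2.10", "198.51.100.20", 40000, 80, b"GET / HTTP/1.1\r\n")

if __name__ == "__main__":
    for layer, fields in decapsulate(SAMPLE_FRAME).items():
        print(layer, fields)
    tampered = bytearray(SAMPLE_FRAME)
    tampered[14 + 12] ^= 0x01  # flip one bit of the IPv4 source address in transit
    print("tampered frame accepted:", frame_is_valid(bytes(tampered)))
```

The checksum only protects against accidental corruption: an attacker who rewrites a header can recompute it. Detecting deliberate modification needs the IPSec or SSL protection the paper applies in later sections; the check here shows where in the decapsulation path such verification belongs.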

3. Sample network architecture

The following diagram shows a typical network infrastructure for a typical company, common to most organizations where security is the least concern.

Figure 1.

3. Proposed secure network architecture:

The following diagram shows the entire overview of our proposed secure network architecture. We have placed a firewall and IDS/IPS to secure each segment of the system and deployed SSL and IPSec encryption for secure communication among remote users and offices.

Figure 2.

Network Topology:

Generally an SME network is simple and does not require division into many segments. However, whatever segments we require, we need to analyze their weak points in order to protect them adequately. A modest way is to segment the network according to the security needed for each segment; this in turn helps us configure network appliances such as firewall rules, IDS/IPS policies and other relevant policies and controls.

In our proposed design we segmented the network system (infrastructure) as follows:

  1. Outside segment:
    The outside segment is where the Internet connection meets the edge router [shown in figure 2]. We have no control over incoming traffic, but we can implement an access list (ACL) to decide which traffic may get in and which traffic is discarded.
  2. Service segment (DMZ):
    This segment contains the servers and resources through which we provide services to the public. In networking terms, placing a server in this segment is called a DMZ (demilitarized zone). This segment is exposed to the outside world, so we have placed a firewall and network-based IDS/IPS, as well as host-based IDS/IPS, to safeguard these servers from external threats. We also maintain a policy of securing every server from internal threats by placing a firewall and IDS/IPS at the appropriate entry points and on all servers.
  3. Internal segment:
    The internal segment of the network sits behind the firewall and is accessible only to internal network users and remote VPN users. Internal resources are strongly secured by the firewall, router access lists, NAT (network address translation) and network- and host-based IDS/IPS to protect the company's confidential information and mission-critical servers such as finance, HR, Active Directory (authentication) and other critical servers. All servers, workstations and VPN users are also equipped with anti-virus software and have their internal firewall turned on.
    Servers, workstations and network equipment (router, firewall, layer three switches) and their operating systems are also hardened accordingly, and group policy is deployed to achieve a maximally secure system with good performance.
  4. Remote user segment (remote users and remote branch offices):
    This segment is the most critical in terms of securing it, because it uses an untrusted public network (the Internet) to access local internal resources. We implemented a stringent remote access policy and encryption (IPSec, SSL) techniques to secure these resources from unauthorized access.
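The following added example (not code from the paper) models the four segments above with a constructed addressing plan and a small policy evaluator. It shows two things the segmentation is meant to achieve: the edge-router anti-spoofing ACL (a packet arriving from the Internet may not claim a DMZ or internal source address) and a default-deny inter-segment firewall in which only the listed flows are allowed, so that a compromised DMZ host can reach its database but not Active Directory. The segment ranges, rule set and sample flows are all assumptions made for illustration.

```python
"""Segment-aware firewall policy with a default-deny stance (added example)."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed addressing plan; any address not listed belongs to the outside (Internet) segment.
SEGMENTS = {
    "dmz": ipaddress.ip_network("192.168.100.0/24"),   # public-facing web, mail, DNS
    "internal": ipaddress.ip_network("10.10.0.0/16"),  # AD, finance, HR, file servers, workstations
    "vpn": ipaddress.ip_network("10.200.0.0/24"),      # address pool handed to remote users
}


def segment_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return "outside"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str      # "tcp", "udp" or "icmp"
    dport: int      # 0 for icmp
    ingress: str    # segment (interface) the packet arrived on


# (src_segment, dst_segment, proto or None for any, dport or None for any, action); first match wins.
RULES: List[Tuple[str, str, Optional[str], Optional[int], str]] = [
    ("outside", "dmz", "tcp", 80, "allow"),      # public web
    ("outside", "dmz", "tcp", 443, "allow"),
    ("outside", "dmz", "tcp", 25, "allow"),      # inbound mail
    ("outside", "dmz", "udp", 53, "allow"),      # public DNS
    ("dmz", "internal", "tcp", 1433, "allow"),   # web tier to its database only
    ("internal", "dmz", None, None, "allow"),    # staff manage DMZ hosts
    ("internal", "outside", "tcp", 80, "allow"),
    ("internal", "outside", "tcp", 443, "allow"),
    ("vpn", "internal", None, None, "allow"),    # remote users after IPSec/SSL authentication
    ("vpn", "dmz", None, None, "allow"),
]


def evaluate(flow: Flow) -> Tuple[str, str]:
    """Return (decision, reason). Anything not explicitly allowed is denied."""
    src_seg, dst_seg = segment_of(flow.src), segment_of(flow.dst)
    # Anti-spoofing ACL: the source address must belong to the segment the packet arrived on.
    # The edge-router case is an Internet packet claiming a DMZ or internal source.
    if src_seg != flow.ingress:
        return "deny", f"spoofed source {flow.src} ({src_seg}) arriving on {flow.ingress}"
    for rule_src, rule_dst, proto, dport, action in RULES:
        if (rule_src == src_seg and rule_dst == dst_seg
                and (proto is None or proto == flow.proto)
                and (dport is None or dport == flow.dport)):
            return action, f"matched {rule_src}->{rule_dst} {proto or 'any'}/{dport or 'any'}"
    return "deny", f"no rule for {src_seg}->{dst_seg} {flow.proto}/{flow.dport} (default deny)"


# Constructed flows used to audit the policy.
SAMPLE_FLOWS = [
    Flow("203.0.113.5", "192.168.100.10", "tcp", 443, "outside"),  # Internet -> DMZ web
    Flow("203.0.113.5", "10.10.5.20", "tcp", 445, "outside"),      # Internet -> internal SMB
    Flow("10.10.5.20", "10.10.1.1", "tcp", 389, "outside"),        # Internet packet, spoofed internal source
    Flow("192.168.100.10", "10.10.1.5", "tcp", 1433, "dmz"),       # DMZ web -> internal database
    Flow("192.168.100.10", "10.10.1.1", "tcp", 389, "dmz"),        # DMZ web -> internal AD
    Flow("10.200.0.7", "10.10.2.2", "tcp", 445, "vpn"),            # VPN user -> internal file server
    Flow("10.10.5.20", "203.0.113.5", "tcp", 443, "internal"),     # workstation -> Internet HTTPS
]


def audit(flows=SAMPLE_FLOWS) -> List[Tuple[Flow, str, str]]:
    """Evaluate each flow; denied entries are what the firewall log should show."""
    return [(f, *evaluate(f)) for f in flows]


if __name__ == "__main__":
    for flow, decision, reason in audit():
        print(f"{decision:5} {flow.src:>15} -> {flow.dst:<15} {flow.proto}/{flow.dport:<5} {reason}")
```

Running the audit against a proposed rule set before deployment is a cheap way to check that the segmentation actually enforces the intended trust boundaries; every deny in the output is also a candidate IDS/IPS alert once the policy is live.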

4. Network security

Using a layered defense approach, we should protect our network with the help of security technology.

Application Layer – install anti-virus software, update patches

Transport Layer – shutdown unnecessary services, close unnecessary ports

Internet Layer – implement IPSec for secure IP communication, Virtual Local Area Network (VLAN)

Network Access Layer – Medium-Access-Control lockdown


Physical layer security:

We need to ensure that all systems and network resources are physically secure from unauthorized access. Physical security is equally important to safeguard systems from information theft via attached external storage, sabotage and unauthorized modification of hardware.

Proper network cabling, a locked computer room with biometric access control and CCTV monitoring can be used for this purpose.

Data Link layer (Ethernet): Medium-Access-Control lockdown; ARP poisoning

Network layer: PKI (SSL, encryption), VLAN, VPN (remote access), IPSec, firewall, proxy, IPS/IDS, security policy and auditing, authentication, etc.

Transport layer (TCP, UDP): shut down unnecessary services, close unnecessary ports

Session layer (sockets / streams): session hijacking

Presentation layer: RPC

Application layer: install anti-virus software, update patches; harden the OS and routers

Meeting the security requirements:

Authentication and authorization:

Authentication is the process of identifying and verifying users. In an Active Directory (AD) environment, NTLM/Kerberos cryptography is used to authenticate users securely. In our design we used Windows AD for secure user authentication.

We have also deployed Windows Rights Management Server (RMS) to ensure that only authorized users are allowed to access resources.

Policy:

Various security policies are enforced by Windows domain group policy and by the firewall/IDS/IPS. We also routinely monitor and analyze them to keep them relevant.

Integrity:
The integrity of the system is crucial. Packets traveling in the network can be tampered with; malicious users can modify, replay or forge packets and code. We therefore deploy network- and host-based IDS/IPS for this purpose.

For remote users, IPSec and SSL encryption are used to safeguard data in transit.
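The host-based side of the integrity requirement above is typically a file integrity check: a host IDS records a trusted hash of each monitored file and reports anything that has changed. The following added example (not code from the paper or any particular IDS product) implements that check, and additionally seals the stored baseline with an HMAC so that an attacker who modifies a file cannot simply edit the baseline to match. The monitored directory, its file contents and the key are constructed for the demonstration.

```python
"""Host-based file integrity monitoring with an authenticated baseline (added example)."""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict


def hash_file(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _seal(entries: Dict[str, str], key: bytes) -> str:
    """HMAC over the canonical JSON form of the baseline entries."""
    body = json.dumps(entries, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_baseline(root: str, key: bytes) -> dict:
    """Hash every regular file under root and seal the result."""
    entries = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            entries[os.path.relpath(full, root).replace(os.sep, "/")] = hash_file(full)
    return {"entries": entries, "tag": _seal(entries, key)}


def verify_baseline(baseline: dict, key: bytes) -> bool:
    return hmac.compare_digest(_seal(baseline["entries"], key), baseline["tag"])


def scan(root: str, baseline: dict, key: bytes) -> dict:
    """Compare the current tree with the baseline; refuse a baseline that fails its HMAC."""
    if not verify_baseline(baseline, key):
        raise ValueError("baseline HMAC mismatch: the baseline itself has been altered")
    old, current = baseline["entries"], build_baseline(root, key)["entries"]
    return {
        "modified": sorted(p for p in old if p in current and old[p] != current[p]),
        "added": sorted(p for p in current if p not in old),
        "removed": sorted(p for p in old if p not in current),
    }


def demo() -> dict:
    """Constructed scenario: baseline a small tree, change it, rescan."""
    key = b"constructed-demo-key"  # in practice kept off the monitored host
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "etc", "passwd"), "w") as f:
            f.write("root:x:0:0:root:/root:/bin/sh\n")
        with open(os.path.join(root, "etc", "hosts"), "w") as f:
            f.write("127.0.0.1 localhost\n")
        with open(os.path.join(root, "app.bin"), "wb") as f:
            f.write(b"\x7fELF")
        baseline = build_baseline(root, key)
        # Simulated changes: one file edited, one unexpected file added, one file removed.
        with open(os.path.join(root, "etc", "passwd"), "a") as f:
            f.write("newuser:x:0:0:newuser:/:/bin/sh\n")
        with open(os.path.join(root, "unexpected.sh"), "w") as f:
            f.write("#!/bin/sh\n")
        os.remove(os.path.join(root, "etc", "hosts"))
        report = scan(root, baseline, key)
        # Editing the stored hash to match the modified file still fails the HMAC check.
        forged = {"entries": dict(baseline["entries"]), "tag": baseline["tag"]}
        forged["entries"]["etc/passwd"] = hash_file(os.path.join(root, "etc", "passwd"))
        report["forged_baseline_rejected"] = not verify_baseline(forged, key)
    return report


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The HMAC key must live somewhere the monitored host's administrator account cannot reach (the IDS console or a management server), otherwise an attacker with root on the host can re-seal a forged baseline; this is the same reason the paper keeps the IDS/IPS console in the monitoring segment rather than on the protected servers.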

5. Security awareness (end user training)

According to an interview conducted in June 2007, 80% of security attacks come from insiders (http://www.ebizq.net/blogs/news_security/2007/06/podcast_80_percent_of_security.php). Some of these attacks were intentional, but the majority were unintentional: employees were not aware that things they had done on the network could be exploited by hackers or outsiders. Humans will always be the weakest link in information security, and only through organizational security education can employees learn best practices, gain a better understanding of security in an organizational context and thereby develop security awareness.

6. Monitoring and management: security incidents, vulnerabilities and countermeasures

This section covers monitoring tools such as Nagios, System Center Operations Manager and the IDS/IPS console, together with their reports.

Since availability is one of the security goals, when designing the secure network architecture we also need to take data and service availability into account. For example, if the SME company provides services such as e-commerce, some network devices and tools can help improve service availability. By deploying a load balancer, a web farm and redundant network connections, the company can achieve almost 100% uptime for the services it provides. However, it is a trade-off between cost and availability: the higher the percentage of uptime required, the more investment the company needs to put into designing the secure network.

Nagios is another tool that can help improve service availability by monitoring the status of the company's IT infrastructure. In case of any service outage, an alert can be triggered immediately to inform the administrator to take action.


7. Trend analysis / future trends

Cloud security issues were hot topics at the RSA Conference 2010, which has just concluded in San Francisco (1st March to 5th March). [http://www.rsaconference.com/2010/usa/agenda-and-sessions/keynote-speakers.htm]

Cloud computing is a method of delivering hosted services, namely Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS) and Software-as-a-Service (SaaS), over the Internet in a fast, cost-effective way. The technology has gained popularity in a weakened economy as enterprises seek ways to save money, but, as always, this emerging technology presents certain risks and could expose an organization to security vulnerabilities and threats. The use of single-service VPN access to the cloud is considered the most secure and can decrease vulnerability exposure for both the client and the server. However, the client must still remain aware of the cloud server(s) architecture and must extend as much of its security model into the cloud as possible.

[http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1359161,00.html]

Example: Amazon VPC

Amazon Virtual Private Cloud (Amazon VPC) is a secure and seamless bridge between a company's existing IT infrastructure and the AWS (Amazon Web Services) cloud. Amazon VPC enables enterprises to connect their existing infrastructure to a set of isolated AWS compute resources via a Virtual Private Network (VPN) connection, and to extend their existing management capabilities, such as security services, firewalls and intrusion detection systems, to include their AWS resources.


[http://aws.amazon.com/vpc/]

IP was initially designed and developed without security in mind, but as more and more networks emerged there was a need to address the limited address space of IPv4, which supports only up to 2^32 IP addresses. IP version 6 was introduced to overcome this limitation as well as to address the security issue. IPv6 supports up to 2^128 addresses, which is more than we could ask for. In IPv4, IPSec was an optional add-on and was not built into the protocol; IPv6 builds IPSec into its operation and mandates the use of IPSec on all network communication.

9. Conclusion

In the past, internal networks were very flat and isolated from the Internet only by a single firewall. The rapid increase in the use of electronic services such as e-mail, web, e-commerce, intranet and extranet, and internal networks that cross department boundaries, together with a growing security concern for the value of confidential information (such as in financial services, e-commerce and collaboration with external applications) and the interdependency of different infrastructures, have led to thinking about further security measures.

Malware, viruses and worms spread without user intervention, and a worm is also able to replicate to other systems in the network quickly, posing a serious threat to a non-secure flat network.

People inside the organization (employees) and outside it (hackers, script kiddies) pose equal threats. Thus, additional protection of networks from each other, as well as of the systems within these networks, is required.

By applying the methods and policies discussed in this paper, anyone can achieve a simple network with a good level of security. Security is not a product; it is a process. Therefore we need to continuously monitor, inspect and fix issues, and repeat these processes again and again to stay secure.

[SANS Institute (2005). Design Secure Network Segmentation Approach. Retrieved March 01, 2010 from http://www.sans.org/reading_room/whitepapers/hsoffice/design_secure_network_segmentation_approach_1645]


About Robiul

Robiul has 15 years of continuous successful career experience in ICT with extensive background in System Engineering, IT infrastructure design, operations and service delivery, managing IT projects / MIS functions for local and multi-national companies with in-depth knowledge of multiple operating systems as well as construct / manage small to medium size Data Center. Proven ability to design and implement medium to semi-large scale LAN/WAN/WLAN and system infrastructures. Academic qualification: Master of Science in Information Systems. Professional certifications are: MCSE, CCNA, ITIL and FoundStone Security Professional, VCP, NetAPP, CISSP etc.