Weaknesses in the network architecture make it more susceptible to undetected intrusions or to catastrophic service failures. Typical weaknesses include:
- Single points of failure—a “pinch point” relying on a single hardware server or appliance or network channel.
- Complex dependencies—services that require many different systems to be available. Ideally, the failure of individual systems or services should not affect the overall performance of other network services.
- Availability over confidentiality and integrity—often it is tempting to take “shortcuts” to get a service up and running. Compromising security might represent a quick fix but creates long term risks.
- Lack of documentation and change control—network segments, appliances, and services might be added without proper change control procedures, leading to a lack of visibility into how the network is constituted. It is vital that network managers understand business workflows and the network services that underpin them.
- Overdependence on perimeter security—if the network architecture is “flat” (that is, if any host can contact any other host), penetrating the network edge gives the attacker freedom of movement.
Cisco’s SAFE architecture guidance refers to Places In the Network (PIN)
- a good starting point for understanding the complex topic of network architecture design
- The SAFE guidance refers to Places In the Network (PIN). These represent types of network locations, including campus networks, branch offices, data centers, and the cloud. There are two special locations in these networks—Internet Edge and WAN—that facilitate connections between locations and with untrusted networks.
Each PIN can be protected with security controls and capabilities, classified into a series of secure domains, such as threat defense, segmentation, security intelligence, and management.
Network architecture is principally about supporting business workflows. You can illustrate the sorts of decisions that need to be made by analyzing a simple workflow, such as email:
- Access—the client device must access the network, obtaining a physical channel and logical address. The user must be authenticated and authorized to use the email application. The corollary is that unauthorized users and devices must be denied access.
- Email mailbox server—ensure that the mailbox is only accessed by authorized clients and that it is fully available and fault tolerant. Ensure that the email service runs with a minimum number of dependencies and that the service is designed to be resilient to faults.
- Mail transfer server—this must connect with untrusted Internet hosts, so communications between the untrusted network and trusted LAN must be carefully controlled. Any data or software leaving or entering the network must be subject to policy-based controls.
You can see that this type of business flow will involve systems in different Places In the Network. Placing the client, the mailbox, and the mail transfer server all within the same logical network “segment” will introduce many vulnerabilities. Understanding and controlling how data flows between these locations is a key part of secure and effective network design.
segment
In the context of security, a network segment is one where all the hosts attached to the segment can communicate freely with one another.
Segregation
means that the hosts in one segment are restricted in the way they communicate with hosts in other segments. They might only be able to communicate over certain network ports, for instance.
Segregation and isolation of hosts or applications can also be accomplished using virtualization. When a host is running as a guest OS on a hypervisor, connectivity with or isolation from other networks can be completely controlled via the hypervisor.
virtual LANs (VLANs)
Because enterprise networks typically feature hundreds of switching appliances and network ports (not to mention wireless access and remote access), segmentation is more likely to be enforced using virtual LANs (VLANs). Any given switch port can be assigned to any VLAN in the same topology, regardless of the physical location of the switch. The segmentation enforced by VLANs at the data link layer can be mapped to logical divisions enforced by IP subnets at layer 3.
An isolated segment is one that has no connectivity with other segments. A host or network segment that has no sort of physical connectivity with other hosts or networks is referred to as air gapped.
topology
A topology is a description of how a computer network is physically or logically organized. It is essential to map the network topology when designing a computer network and to update the map when any changes or additions are made to it. The logical and physical network topology should be analyzed to identify points of vulnerability and to ensure that the goals of confidentiality, integrity, and availability are met by the design.
zone
The main building block of a security topology is the zone. A zone is an area of the network where the security configuration is the same for all hosts within it. Zones should be segregated from one another by physical and/or logical segmentation, using VLANs, subnets, and possibly virtualization. Traffic between zones should be strictly controlled using a security device, typically a firewall.
firewall
A firewall is software or hardware that filters traffic passing into and out of a network segment. The firewall bases its decisions on a set of rules called an access control list (ACL). For example, a basic firewall can allow or deny a host access based on its IP address, by the port it is requesting, or a combination of both. Different types of firewalls (and other filtering devices) can apply different—often more sophisticated—criteria in their ACLs.
Dividing a campus network or data center into zones implies that each zone has a different security configuration. The main zones are as follows:
• Private network (intranet)—this is a network of trusted hosts owned and controlled by the organization.
Note: Hosts are trusted in the sense that they are under your administrative control and subject to the security mechanisms (anti-virus software, user rights, software updating, and so on) that you have set up to defend the network.
- Extranet—this is a network of semi-trusted hosts, typically representing business partners, suppliers, or customers. Hosts must authenticate to join the extranet.
- Internet/guest—this is a zone permitting anonymous access (or perhaps a mix of anonymous and authenticated access) by untrusted hosts over the Internet.
Demilitarized Zones (DMZs)
The most important distinction between different security zones is whether a host is Internet-facing. An Internet-facing host accepts inbound connections from and makes connections to hosts on the Internet. Internet-facing hosts are placed in one or more Demilitarized Zones (DMZs). A DMZ is also referred to as a perimeter network. The idea of a DMZ is that traffic cannot pass through it. A DMZ enables external clients to access data on private systems, such as web servers, without compromising the security of the internal network as a whole.
If communication is required between hosts on either side of a DMZ, a host within the DMZ acts as a proxy. For example, if an intranet host requests a connection with a web server on the Internet, a proxy in the DMZ takes the request and checks it. If the request is valid, it re-transmits it to the destination. External hosts have no idea about what (if anything) is behind the DMZ.
Both extranet and Internet services are likely to be Internet-facing. The hosts that provide the extranet or public access services should be placed in one or more demilitarized zones. These would typically include web servers, mail and other communications servers, proxy servers, and remote access servers.
To configure a DMZ, two different security configurations must be enabled: one on the external interface and one on the internal interface. A DMZ and intranet are on different subnets, so communications between them need to be routed.
bastion hosts
The hosts in a DMZ are not fully trusted by the internal network because of the possibility that they could be compromised from the Internet. They are referred to as bastion hosts. A bastion is a defensive structure in a castle. The bastion protrudes from the castle wall and enables the defenders to fire at attackers that have moved close to the wall. A bastion host would not be configured with any services that run on the local network, such as user authentication.
We’ve already noted a difference between services designed to be accessible to a public Internet versus those for an extranet. Some other examples are:
- Dedicated DMZ for employee web browsing and proxy services.
- DMZ for email, VoIP, and conferencing servers.
- Isolate remote access/Virtual Private Network (VPN) traffic.
- Isolate traffic for authorized cloud applications.
- Multi-tier DMZ to isolate front-end, middleware, and backend servers.
These different functions could be implemented either by completely separate DMZs or by using segmented demilitarized zones.
subnet
A subnet is a subdivision of a larger network, isolated from the rest of the network by means of routers (or layer 3 switches). Each subnet(work) is in its own broadcast domain. Subnets can be used to represent geographical or logical divisions in the network. Geographical divisions might represent different floors of an office or networks connected by WAN links. Logical divisions might represent departmental functions or distinguish servers from clients. Subnets will usually be mapped to VLANs. The VLAN establishes a logical grouping of hosts at layer 2 of the OSI model (Data Link), and a subnet gives the hosts in a particular VLAN a distinct network address at layer 3 of the OSI model (Network).
Subnets are useful for security, as traffic passing between each subnet can be subjected to filtering and access control at the router.
important use of subnets
implement a DMZ. Two firewalls are placed at either end of the DMZ. One restricts traffic on the external interface; the other restricts traffic on the internal interface.
three-legged (or triple-homed) firewall
A DMZ can also be established using a single router/firewall appliance. A three-legged (or triple-homed) firewall is one with three network ports, each directing traffic to a separate subnet.
screened host
Smaller networks may not have the budget or technical expertise to implement a DMZ. In this case, Internet access can still be implemented using a dual-homed proxy/ gateway server acting as a screened host.
Some other examples of zone types are:
- Guest—a zone that allows untrusted or semi-trusted hosts on the local network. Examples would include computers that are publicly accessible or visitors bringing their own portable computing devices to your premises.
- Wireless—traffic from Wi-Fi networks might be less trusted than from the cabled network. You might also operate unauthenticated open access points or authenticated guest Wi-Fi networks, which should be kept isolated from the main network.
- Honeynet—a network containing honeypot hosts, designed to attract and study malicious activity. When deploying a honeynet, it is particularly important to ensure that compromised hosts cannot be used to “break out” of the honeynet and attack the main network.
Network topology designs
implemented by installing physical network links and connecting hosts and zones using switches, routers, and firewalls. Network architecture design starts with the way the OSI model Physical and Data Link layers are implemented.
Cisco recommends designing a campus network with three layers of hierarchy:
- Access—allowing end-user devices, such as computers, printers, and smartphones, to connect to the network. Another important function of the access layer is to prevent the attachment of unauthorized devices.
- Distribution—provides fault-tolerant interconnections between different access blocks and either the core or other distribution blocks. The distribution layer is often used to implement traffic policies, such as routing boundaries, filtering, or Quality of Service (QoS).
- Core—provides a highly available network backbone. Devices such as clients and server computers should not be attached directly to the core. Its purpose should be kept simple: provide redundant traffic paths for data to continue to flow around the access and distribution layers of the network.
layer 2 Ethernet switches
The access layer is implemented for each site using structured cabling and network ports for wired access and access points for wireless access. Both are ultimately connected to one or more layer 2 Ethernet switches. A basic Ethernet switch might also be referred to as a LAN switch, data switch, or workgroup switch. There are unmanaged and managed types. On a corporate network, switches are most likely to be managed and stackable, meaning they can be connected together and operate as a group. On a large enterprise network, the switches are likely to be modular (as opposed to fixed), meaning they can be configured with different numbers and types of ports to support network links other than basic copper wire Ethernet. On a SOHO network, switches are more likely to be unmanaged, standalone units that can just be added to the network and run without any configuration.
Managed switches can be configured with Virtual LANs (VLANs). The VLANs are used to implement logical segregation of traffic. For example, ports 1 through 10 and 11 through 20 on a switch could be configured as two separate VLANs, typically each with their own subnet address. Communication between the groups of ports would only be possible via a router or layer 3 switch. Port-based switching is the simplest means of configuring a VLAN (static VLANs). Others (dynamic VLANs) include using the host’s MAC address, protocol type, or even authentication credentials.
As well as representing organizational departments and/or overcoming physical barriers between different locations, it is common practice to isolate server-to-server traffic from client-server traffic and to isolate administration/management traffic; channels used for inbound management of appliances and servers. Another standard configuration option is to create a null VLAN that is non-routable to the rest of the network. This VLAN is used for any ports that do not have authorized connected equipment.
The distribution and core layers provide switching and routing between different access layer locations and server groups. This function can be implemented by several devices:
- Router—provides connectivity between subnetworks based on their IP address.
- Layer 3 switch—router appliances are capable of many different types of routing, especially over wide area networks (WAN), and tend not to have many interface ports. On a campus Ethernet network, the internal routers will typically be moving traffic between VLANs and have no need to perform WAN routing. This functionality is now commonly built into all but the cheapest Ethernet switches. Such switches with the ability to route traffic efficiently between VLANs are called layer 3 switches.
- Aggregation switch—these are functionally similar to layer 3 switches, but the term is often used for high-performing switches deployed to aggregate links in a large enterprise or service provider’s routing infrastructure. Rather than 1 Gbps access ports and 10 Gbps uplink ports (as would be typical of an access layer switch), basic interfaces on an aggregation switch would be 10 Gbps and uplink/backbone ports would be 40 Gbps.
hubs
Early Ethernet networks used hubs as a means of connecting network segments. A hub is a multiport repeater; it takes the signal generated by a node and retransmits it to every port on the hub. All the ports are said to be in the same collision domain. A bridge could be used to divide a network overloaded with hosts and suffering from excessive collisions into separate segments at the physical layer. Each of the segments experiences lower traffic loads since the bridge only passes signals from one segment to another if appropriate. The bridge can identify in which segment a host is located by its MAC address and only forwards traffic for that host over that interface.
Bridge appliances have all been replaced by switches, but the function of a bridge continues to have an impact on network security because a user may accidentally (or maliciously) create a bridge from one network to another. A typical example is a laptop with a bridged connection between the wireless and Ethernet adapters.
ad hoc network
A computer could allow wireless clients to connect to it in either an ad hoc network or by being configured as a soft access point. An ad hoc network is created when wireless stations are configured to connect to one another in a peer-to-peer topology. This would not normally be part of a secure network design, but might be required in some special circumstances, such as communicating with a wireless host that is physically remote from other network infrastructure.
Generally speaking, bridged and ad hoc connections could be a potential network backdoor or could cause a switching loop. These issues can be mitigated with loop protection and port security.
-
Lesson 1: Comparing and Contrasting Attacks68
-
Lesson 2: Comparing and Contrasting Security Controls47
-
Lesson 3: Assessing Security Posture with Software Tools71
-
Lesson 4: Explaining Basic Cryptography Concepts57
-
Lesson 5: Implementing a Public Key Infrastructure54
-
Lesson 6: Implementing Identity and Access Management Controls60
-
Lesson 7: Managing Access Services and Accounts80
-
Lesson 8: Implementing a Secure Network Architecture57
-
Lesson 9: Installing and Configuring Security Appliances89
-
Lesson 10: Installing and Configuring Wireless and Physical Access Security & Lesson 11: Deploying Secure Host, Mobile, and Embedded Systems189
-
Lesson 12: Implementing Secure Network Access Protocols43
-
Lesson 13: Implementing Secure Network Applications61
-
Lesson 14: Explaining Risk Management and Disaster Recovery Concepts103
-
Lesson 15: Summarizing Secure Application Development Concepts69
-
Lesson 16: Explaining Organizational Security Concepts43
