Network Perimeter Security Design
Firewalls, VPNs, security policies and security awareness were some of the topics covered in previous posts, along with the layered security, or defense in depth, approach. We will now see how these different topics come together to form a network perimeter security design for a fictitious ecommerce site. Perimeter security means protecting the network (servers, workstations and databases, to name a few) by combining these different controls. The network must be designed securely so that it can withstand any type of attack.
Before designing an effective security plan for the network, three questions have to be answered:
What is it that we are trying to protect?
We have to determine which workstations, servers, databases and other devices need to be protected.
What are the threats?
Next, we determine the different types of threats. Internet-facing systems are always at risk of attack. Other threats can come from former employees who still have access to vital resources.
What are the business requirements of the organization?
Last but not least, the security design must meet the business goals of the organization. An ecommerce site with many online transactions will need a more robust security design than a site that just needs an online presence.
Now we move on to designing the security plan for the fictitious ecommerce site. These are the details on which we will base our security design:
Customer data of the ecommerce site, including crucial and sensitive information such as birthdates, social security numbers and credit card numbers, needs to be protected.
The site has to be online 24 hours a day, 7 days a week.
Employee workstations have to be protected as well.
Employees might need to access business resources from an offsite location too.
None of the design elements can be outsourced.
The security budget is limited, keeping in mind the size of the organization.
For the above case, we could design the perimeter security the following way:
There will be two separate network segments: the public network and the internal network. The public network will hold public services such as the web servers and email servers. These servers have to be public because customers must be able to place orders over the Internet and receive email notifications. The internal network will hold workstations and servers that are shielded from public access.
A border router is placed where the organization's traffic meets the Internet. This router acts as the "cop" and is the first line of defense against malicious elements. Inbound packets that carry illegal source addresses are blocked at this line of defense. Outbound packets that do not carry a valid IP address are blocked as well; such invalid outbound packets are dropped so that the organization's servers cannot be used in any type of attack against others.
Next in line of defense is the firewall. As we have already seen, firewalls are the "chokepoints" of the network: a firewall enforces a set of rules that determine what traffic may pass through it and what may not. The firewall rules will be configured to protect customer information. Thus, a firewall acts as a form of access control, regulating traffic.
An IDS, or Intrusion Detection System, is placed so that it listens for malicious activity and raises an alarm.
VPN access will be given to employees so they can reach corporate data over the existing public infrastructure such as the Internet, LAN or WAN. Recall that the information is encrypted at the sender's end and decrypted at the receiver's end.
Employee workstations are placed on the internal network and can reach the Internet only through a proxy firewall, which ensures that they are protected as well.
Apart from these security controls, patch management will also be applied to fix vulnerabilities in applications.
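To make the border router and firewall policy above concrete, here is a small packet-filter model written as an added example for this post (it is not from the post or the referenced book). The address plan is constructed: the organization owns 203.0.113.0/24, the public segment with the web, mail and proxy hosts is 203.0.113.0/26, and the internal network is 10.0.0.0/16; inbound packets meet the router first, outbound packets meet the firewall first.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan for the fictitious site (assumption, not from the post).
ORG_PUBLIC = ip_network("203.0.113.0/24")        # the block the organization is assigned
PUBLIC_SEGMENT = ip_network("203.0.113.0/26")    # web and mail servers, plus the proxy
INTERNAL = ip_network("10.0.0.0/16")             # workstations and shielded servers
PUBLIC_SERVICES = {("tcp", 80), ("tcp", 443), ("tcp", 25)}  # web and mail only
# Source addresses that must never arrive from the Internet: private/loopback
# ranges and our own block (a packet claiming to be "us" from outside is spoofed).
ILLEGAL_INBOUND_SRC = [ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "203.0.113.0/24")]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str
    dport: int
    direction: str  # "in" = arriving from the Internet, "out" = leaving toward it


def border_router(p: Packet) -> str:
    """First line of defense: source-address sanity in both directions."""
    src = ip_address(p.src)
    if p.direction == "in" and any(src in net for net in ILLEGAL_INBOUND_SRC):
        return "drop: illegal inbound source address"
    if p.direction == "out" and src not in ORG_PUBLIC:
        return "drop: invalid outbound source address"
    return "pass"


def firewall(p: Packet) -> str:
    """Chokepoint: the Internet sees only published services on the public
    segment, and internal hosts never talk to the Internet directly."""
    src, dst = ip_address(p.src), ip_address(p.dst)
    if p.direction == "in":
        if dst in PUBLIC_SEGMENT and (p.proto, p.dport) in PUBLIC_SERVICES:
            return "pass"
        return "drop: not a published public service"
    if src in INTERNAL:
        return "drop: internal hosts reach the Internet only through the proxy"
    return "pass"


def perimeter(p: Packet) -> str:
    """Apply the controls in the order the packet meets them; first non-pass verdict wins."""
    chain = (border_router, firewall) if p.direction == "in" else (firewall, border_router)
    for control in chain:
        verdict = control(p)
        if verdict != "pass":
            return verdict
    return "pass"
```

A workstation at 10.0.5.7 is stopped by the firewall before it ever reaches the router, while the proxy at 203.0.113.20 passes both controls; a packet from outside that claims a 10.x or 203.0.113.x source is dropped at the router.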
All these security controls, when applied, will secure the ecommerce environment. This is one way of designing a security plan for the fictitious ecommerce website. However, it is important to remember that the security design will differ for different types of organizations and their business goals.