Network System Security, part 22 (potx)




CHAPTER 9: Internet Architecture
Copyright 2001 The McGraw-Hill Companies, Inc.

The Internet has great potential in terms of new businesses, reduced costs of selling, and improved customer service. It also has great potential to increase the risk to an organization's information and systems. With proper security architecture, the Internet can truly become an enabler rather than a security risk.

SERVICES TO OFFER

The first question that must be answered with regard to Internet architecture is: What services will the organization provide via the Internet? The services that will be offered and who will be accessing them will greatly impact the overall architecture and even the choice of where services may be hosted.

Mail

If mail service is available, it is generally offered to internal employees to send and receive messages. This service requires that at least one server be established to receive inbound mail. If higher availability is required, at least two mail servers are required. Outbound mail can move through this same server or the organization can allow desktop systems to send mail directly to the destination system.

NOTE: Allowing desktop systems to send mail directly to the destination systems is not a recommended solution. However, if your mail systems are hosted on the Internet, each desktop will send and receive mail from your hosted system. In this case, it is wise to limit outbound mail connections from desktops to just the hosted server.

An organization may also choose to establish public mail relays for such things as e-mail discussion groups. Such systems are normally referred to as list servers. These systems will allow external people to send mail to the system and the system resends that message to the subscribers of the list.
List servers can reside on the same servers as the organization's primary mail systems but the larger traffic requirements should be taken into account in the overall architecture of the Internet connection.

Web

If an organization chooses to publish information to customers or partners via the World Wide Web, it needs to establish a Web server and place some amount of content there for public viewing. This Web server may be hosted at another location or it may be hosted internally. Web servers can provide simple, static content or they can be linked to e-commerce systems (see Chapter 11) that provide dynamic content and allow the taking of orders. Access to the Web site can be public or it can be restricted through some authentication mechanism (usually a user ID and password). If some content on the site is restricted or sensitive, you should use HTTPS. HTTPS works over port 443 instead of port 80, which is normal for Web traffic. HTTPS is the encrypted version of HTTP, which is used for standard Web traffic, and is normally used for Web pages that contain sensitive information or require authentication. The choice of how the Web site is constructed will impact the amount of traffic to expect and the criticality of the Web server itself.

The organization may choose to provide a File Transfer Protocol (FTP) server as part of the Web server. An FTP server allows external individuals to get or send files. This service can be accessed via a Web browser or an FTP client. It can also be anonymous or it can require a login ID and password.

Internal Access to the Internet

How employees access the Internet should be governed by organization policy (see Chapter 5). Some organizations allow employees to access the Internet using any service they choose including instant messaging, chat, and streaming video or audio.
Others only allow certain employees to access the Internet using a browser to access only certain Web sites. The choice will impact the amount of traffic to expect and the perceived criticality to the employees.

A common set of services that employees are allowed to use includes:

Service                                  Description
HTTP (port 80) and HTTPS (port 443)      Allows employees to access the Web
FTP (ports 21 and 22)                    Allows employees to transfer files
Telnet (port 23) and SSH (port 22)       Allows employees to create interactive sessions on remote systems
POP-3 (port 110) and IMAP (port 143)     Allows employees to access remote mail accounts
NNTP (port 119)                          Allows employees to access remote network news servers

NOTE: Even if the organization determines not to allow streaming video and audio, many sites are now offering these services over HTTP; therefore, this traffic will not appear to be different than regular Web traffic. Likewise, there are several peer-to-peer services on the Internet that can be configured to use port 80. These types of services open up the risk of having unauthorized individuals gaining access to internal systems.

External Access to Internal Systems

External access to sensitive internal systems is always a touchy subject for security and network staff. Internal systems in this case are those systems primarily used for internal processing. These are not the systems that are set up just for external access such as Web or mail servers.

External access can take two forms: employee access (usually from remote locations as part of their job) or non-employee access. Employee access to internal systems from remote locations is usually accomplished through the use of a virtual private network (VPN) over the Internet (see Chapter 10), dial-up lines into some type of remote access server, or a leased line. The choice of method will impact the Internet architecture of the organization. Greater impact will occur if external organizations require access to internal systems.
Even access by trusted business partners must be mediated to manage risk. External access may be accomplished through the use of VPNs, dial-up lines, or leased lines or by direct, unencrypted access (such as telnet) over the Internet, depending on the purpose of the connection.

CAUTION: Unencrypted access over the Internet is not a recommended practice; however, some business agreements require this type of access. If this is the case, every effort should be made to move the systems to be accessed out of the internal network and into some restricted network (see the section "Demilitarized Zone" later in this chapter).

Control Services

Some services will be required for the smooth function of the network and your Internet connection. Whether or not you should allow these services depends on organization policy.

DNS

The Domain Name Service (DNS) is used to resolve system names into IP addresses. Without this function, internal users would not be able to resolve Web site addresses and thus would find the Internet unusable. Normally, internal systems query an internal DNS to resolve all addresses. The internal DNS is able to query a DNS at the ISP to resolve external addresses. The rest of the internal systems do not query external DNS systems.

DNS must also be provided to external users who wish to access your Web site. To do this, your organization can host the DNS or your ISP can host it. This choice will impact the Internet architecture. If you choose to host your own DNS, this system should be separate from the internal DNS. Internal systems should not be included in the external DNS.

ICMP

Another control service that helps the network to function is the Internet Control Message Protocol (ICMP). ICMP provides such services as ping (used to find out if a system is up).
In addition to ping, ICMP provides messages such as "network and host unreachable" and "packet time to live expired." These messages help the network to function efficiently. They can be turned off but this may impact the way the network functions.

NTP

The Network Time Protocol (NTP) is used to synchronize time between various systems. There are sites on the Internet that can be used as primary time sources. If you choose to use this service, one system on your site should be the primary local time source and only that system should be allowed to communicate to the Internet with NTP. All other internal systems should take time from that primary local time source.

SERVICES NOT TO OFFER

The Internet architecture should be designed to accommodate the services that are required. Services that are not required should not be offered. By designing the Internet architecture in this way, a number of services that create significant risk will not be offered. Specific services that should not be offered due to significant security risks include:

Service                                          Description
NetBios Services (ports 135, 137, 138, and 139)  Used by Windows systems for file sharing and remote commands.
Unix RPC (port 111)                              Used by Unix systems for remote procedure calls.
NFS (port 2049)                                  Used for the Network File Services (NFS).
X (ports 6000 through 6100)                      Used for remote X Windows sessions.
"r" Services (rlogin port 513, rsh port 514,     Allow remote interaction with a system without a password.
  rexec port 512)
Telnet (port 23)                                 Not recommended because the user ID and password travel in the clear
                                                 over the Internet and thus can be captured. If an interactive session
                                                 must be allowed inbound, SSH is recommended over telnet.
FTP (ports 21 and 22)                            Not recommended for the same reason as telnet. If this capability is
                                                 required, files can be transferred over SSH.
TFTP (Trivial File Transfer Protocol) (port 69)  Similar to FTP but it does not require user IDs or passwords to
                                                 access files.
Netmeeting                                       Potentially dangerous because it requires a number of high ports to
                                                 be opened in order to work properly. Instead of opening these ports,
                                                 an H.323 proxy should be used.
Remote Control Protocols                         Include programs like PC Anywhere and VNC. If these protocols are
                                                 required to allow remote users to control internal systems, they
                                                 should be used over a VPN.
SNMP (Simple Network Management Protocol)        May be used for network management of your organization's internal
  (port 169)                                     network but it should not be used from a remote site to your
                                                 internal systems.

COMMUNICATIONS ARCHITECTURE

When developing a communications architecture for an organization's Internet connection, the primary issues are throughput requirements and availability. Throughput is something that must be discussed with the organization's Internet Service Provider (ISP). The ISP should be able to recommend appropriate communication lines for the services to be offered.

The availability requirements of the connection should be set by the organization. For example, if the Internet connection will only be used by employees for non-business critical functions, the availability requirements are low and an outage is unlikely to adversely affect the organization. If the organization is planning to establish an e-commerce site and have the majority of its business moving through the Internet, availability is a key to the success of the organization. In this case, the design of the Internet connection should include fail-over and recovery capabilities.

Single-Line Access

Single-line access to the Internet is the most common Internet architecture. The ISP supplies a single communications line of appropriate bandwidth to the organization, as shown in Figure 9-1.
Generally, the ISP will supply the router and the Channel Service Unit (CSU) for the link. The local loop is the actual wire or fiber that connects the organization's facility with the phone company's central office (CO). The ISP will have a point of presence (POP) somewhere nearby. The link to the ISP will actually terminate at the nearest POP. Even though the POP is not at the closest CO, the local loop connection will require that the line go through the closest CO. From the POP, the link goes through the ISP's network to the Internet.

If we analyze the connection shown in Figure 9-1, we see that there are a number of points where an equipment failure will cause an outage. For example:

▼ The router could fail.
■ The CSU could fail.
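The chapter's three policy tables above (the employee "common set" of services, the "services not to offer" inbound, and the single-source control services DNS, NTP and outbound mail) can be turned into a mechanical check over firewall logs. The following is an added example, not code from the book: the log line format, the host addresses (10.0.0.53 as the internal DNS, 10.0.0.123 as the primary local time source, 10.0.0.25 as the mail server) and the sample lines are all constructed. It uses the standard port numbers for FTP control (21) and SNMP (161), which differ from the values printed in the tables above, and it records the chapter's caveat that port-80 matching cannot tell streaming or peer-to-peer traffic from Web traffic.

```python
"""Audit firewall log lines against the chapter's Internet service policy.
Added example, not from the book: log format, addresses and sample lines are
constructed; the tables encode the chapter's service and control-service rules."""
import ipaddress
from dataclasses import dataclass

# Designated hosts for the single-source control services (constructed addresses).
INTERNAL_DNS = "10.0.0.53"    # the only system that may query the ISP's DNS
PRIMARY_NTP = "10.0.0.123"    # the only system that may speak NTP to the Internet
MAIL_SERVER = "10.0.0.25"     # outbound mail moves through this server, not desktops

# Employee services from the chapter's "common set" table, keyed by (protocol, port).
OUTBOUND_ALLOWED = {
    ("tcp", 80): "HTTP", ("tcp", 443): "HTTPS", ("tcp", 21): "FTP", ("tcp", 23): "Telnet",
    ("tcp", 22): "SSH", ("tcp", 110): "POP-3", ("tcp", 143): "IMAP", ("tcp", 119): "NNTP",
}
# Control services, each allowed outbound only from its designated host.
CONTROL_ONLY_FROM = {
    ("udp", 53): ("DNS", INTERNAL_DNS), ("tcp", 53): ("DNS", INTERNAL_DNS),
    ("udp", 123): ("NTP", PRIMARY_NTP), ("tcp", 25): ("SMTP", MAIL_SERVER),
}
# Inbound services from the chapter's "services not to offer" table
# (standard port numbers: FTP control 21, SNMP 161).
INBOUND_DENY = {
    ("tcp", 135): "NetBIOS", ("udp", 137): "NetBIOS", ("udp", 138): "NetBIOS", ("tcp", 139): "NetBIOS",
    ("tcp", 111): "Unix RPC", ("udp", 111): "Unix RPC", ("tcp", 2049): "NFS", ("udp", 2049): "NFS",
    ("tcp", 513): "rlogin", ("tcp", 514): "rsh", ("tcp", 512): "rexec",
    ("tcp", 23): "Telnet: user ID and password travel in the clear, offer SSH instead",
    ("tcp", 21): "FTP: same exposure as telnet, transfer files over SSH",
    ("udp", 69): "TFTP: no user ID or password required",
    ("udp", 161): "SNMP: manage internal systems only from inside the network",
}
X_WINDOWS_PORTS = range(6000, 6101)   # remote X Windows sessions


@dataclass
class Event:
    direction: str   # "in" (Internet to site) or "out" (site to Internet)
    src: str         # source address, normalized
    dst: str         # destination address, normalized
    proto: str       # "tcp" or "udp"
    dport: int       # destination port


def parse_line(line: str) -> Event:
    """Parse the constructed log format: '<timestamp> <in|out> <src> <dst> <proto> <dport>'."""
    _ts, direction, src, dst, proto, dport = line.split()
    return Event(direction, str(ipaddress.ip_address(src)), str(ipaddress.ip_address(dst)),
                 proto.lower(), int(dport))


def evaluate(ev: Event):
    """Return (verdict, reason); verdict is 'allow', 'deny' or 'review'."""
    key = (ev.proto, ev.dport)
    if ev.direction == "in":
        if ev.proto == "tcp" and ev.dport in X_WINDOWS_PORTS:
            return ("deny", "X Windows")
        if key in INBOUND_DENY:
            return ("deny", INBOUND_DENY[key])
        # Anything else inbound is offered only if the organization requires it.
        return ("review", "inbound service not in the deny table; offer only if required")
    if key in CONTROL_ONLY_FROM:
        name, host = CONTROL_ONLY_FROM[key]
        if ev.src == host:
            return ("allow", f"{name} from its designated host")
        return ("deny", f"{name} only from {host}")
    if key in OUTBOUND_ALLOWED:
        name = OUTBOUND_ALLOWED[key]
        if ev.dport in (80, 443):
            # The chapter's caveat: streaming and peer-to-peer traffic over port 80
            # is indistinguishable from Web traffic when matched by port alone.
            return ("allow", f"{name} (matched by port only)")
        return ("allow", name)
    return ("deny", "not in the employee service set")


def audit(lines):
    """Return (line, verdict, reason) for every event that is not a plain allow."""
    findings = []
    for line in lines:
        verdict, reason = evaluate(parse_line(line))
        if verdict != "allow":
            findings.append((line, verdict, reason))
    return findings


# Constructed sample log: internal desktops (10.0.1.x), the time source, a Web server.
SAMPLE_LOG = [
    "2001-09-15T10:12:03 out 10.0.1.25 198.51.100.10 tcp 80",
    "2001-09-15T10:12:09 out 10.0.1.25 198.51.100.20 udp 123",
    "2001-09-15T10:12:15 out 10.0.0.123 198.51.100.20 udp 123",
    "2001-09-15T10:12:21 out 10.0.1.40 203.0.113.53 udp 53",
    "2001-09-15T10:13:02 in 203.0.113.77 192.0.2.10 tcp 23",
    "2001-09-15T10:13:10 in 203.0.113.77 192.0.2.10 tcp 6002",
    "2001-09-15T10:13:30 in 203.0.113.88 192.0.2.25 tcp 443",
    "2001-09-15T10:14:00 out 10.0.1.25 198.51.100.30 tcp 6881",
    "2001-09-15T10:14:12 out 10.0.1.25 198.51.100.40 tcp 25",
]

if __name__ == "__main__":
    for line, verdict, reason in audit(SAMPLE_LOG):
        print(f"{verdict:6} {reason:55} {line}")
```

Run against the sample, the audit flags a desktop talking NTP and DNS directly to the Internet, a desktop sending mail past the mail server, inbound telnet and X, and leaves the inbound HTTPS hit as "review" because the deny table is a floor, not a full inventory of what the organization has decided to offer.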
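The DNS section above ends with the rule that internal systems must not appear in the external DNS. Here is an added example, not from the book, of checking that rule: it treats a name as an internal system when the internal DNS maps it to an RFC 1918, loopback or link-local address, and then flags any external record that names such a system, resolves to such an address, or aliases to one. The zone listings, names and addresses are constructed, the zone syntax is a minimal subset of the usual zone-file layout, and the documentation ranges (192.0.2.0/24) stand in for the organization's real public addresses.

```python
"""Check an external DNS zone for internal systems that should not be in it.
Added example, not from the book; zones, names and addresses are constructed."""
import ipaddress

# Address ranges that identify an internal system: RFC 1918, loopback, link-local
# and their IPv6 counterparts. Documentation ranges such as 192.0.2.0/24 are not
# listed and therefore count as public in this example.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "fc00::/7", "fe80::/10", "::1/128",
)]


def is_internal_address(text: str) -> bool:
    """True when the address falls in one of the internal ranges."""
    addr = ipaddress.ip_address(text)
    return any(addr in net for net in INTERNAL_NETS)


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot so names compare equal."""
    return name.lower().rstrip(".")


def parse_zone(text: str):
    """Parse a minimal zone listing, one '<name> [TTL] IN <TYPE> <data>' record per
    line with ';' comments. Returns (name, type, data) tuples."""
    records = []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        fields = line.split()
        if len(fields) >= 5 and fields[1].isdigit():   # optional TTL column
            del fields[1]
        if len(fields) < 4:
            raise ValueError(f"unparseable zone line: {raw!r}")
        name, _cls, rtype, data = fields[0], fields[1], fields[2], " ".join(fields[3:])
        records.append((normalize(name), rtype.upper(), data))
    return records


def internal_systems(internal_zone: str):
    """Names that the internal DNS maps to internal addresses."""
    return {name for name, rtype, data in parse_zone(internal_zone)
            if rtype in ("A", "AAAA") and is_internal_address(data)}


def audit_external_zone(external_zone: str, internal_zone: str):
    """Return (name, type, reason) for each external record that exposes an internal system."""
    internal = internal_systems(internal_zone)
    findings = []
    for name, rtype, data in parse_zone(external_zone):
        if name in internal:
            findings.append((name, rtype, "name is an internal system in the internal DNS"))
        elif rtype in ("A", "AAAA") and is_internal_address(data):
            findings.append((name, rtype, f"{data} is an internal address"))
        elif rtype == "CNAME" and normalize(data) in internal:
            findings.append((name, rtype, f"alias points at internal system {normalize(data)}"))
    return findings


# Constructed zones. The internal DNS resolves everything for internal users, so it
# carries both public and internal names; the external DNS must carry only public ones.
INTERNAL_ZONE = """
www.example.com.         IN A  192.0.2.10
mail.example.com.        IN A  192.0.2.25
fileserver.example.com.  IN A  10.0.0.20
payroll.example.com.     IN A  10.0.0.31
ns1.example.com.         IN A  10.0.0.53
"""

EXTERNAL_ZONE = """
www.example.com.       3600 IN A     192.0.2.10
mail.example.com.      3600 IN A     192.0.2.25
payroll.example.com.   3600 IN A     10.0.0.31                ; internal host leaked
intranet.example.com.  3600 IN CNAME fileserver.example.com.  ; alias to an internal name
build.example.com.     3600 IN A     192.168.5.9              ; private address exposed
ns.example.com.        3600 IN A     192.0.2.53
"""

if __name__ == "__main__":
    for name, rtype, reason in audit_external_zone(EXTERNAL_ZONE, INTERNAL_ZONE):
        print(f"{name:24} {rtype:6} {reason}")
```

The internal zone is used only to learn which names are internal systems; a public host such as www.example.com that appears in both zones is not a finding, because the chapter's separation is about what the external DNS reveals, not about duplicate public records.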

Posted: 02/07/2014, 18:20

