
Network System Security, part 23 (docx)

Service: Remote Control Protocols
Description: Include programs like PC Anywhere and VNC. If these protocols are required to allow remote users to control internal systems, they should be used over a VPN.

Service: SNMP (Simple Network Management Protocol) (UDP ports 161 and 162)
Description: May be used for network management of your organization's internal network, but it should not be used from a remote site to your internal systems.

COMMUNICATIONS ARCHITECTURE

When developing a communications architecture for an organization's Internet connection, the primary issues are throughput requirements and availability. Throughput is something that must be discussed with the organization's Internet Service Provider (ISP). The ISP should be able to recommend appropriate communication lines for the services to be offered.

The availability requirements of the connection should be set by the organization. For example, if the Internet connection will only be used by employees for non-business-critical functions, the availability requirements are low and an outage is unlikely to adversely affect the organization. If the organization is planning to establish an e-commerce site and have the majority of its business moving through the Internet, availability is key to the success of the organization. In this case, the design of the Internet connection should include fail-over and recovery capabilities.

Single-Line Access

Single-line access to the Internet is the most common Internet architecture. The ISP supplies a single communications line of appropriate bandwidth to the organization, as shown in Figure 9-1. Generally, the ISP will supply the router and the Channel Service Unit (CSU) for the link. The local loop is the actual wire or fiber that connects the organization's facility with the phone company's central office (CO). The ISP will have a point of presence (POP) somewhere nearby. The link to the ISP will actually terminate at the nearest POP. Even though the POP is not at the closest CO, the local loop connection will require that the line go through the closest CO. From the POP, the link goes through the ISP's network to the Internet.

Figure 9-1. Standard single-line access architecture

If we analyze the connection shown in Figure 9-1, we see that there are a number of points where an equipment failure will cause an outage. For example:

▼ The router could fail.
■ The CSU could fail.
■ The local loop could be cut.
■ The CO could suffer damage.
▲ The ISP's POP could fail.

It should be noted that not all of these failures have an equal chance of occurring. A router has a much greater likelihood of having a hardware failure than a CO does of suffering damage, for instance. However, cables do suffer damage on occasion, and this may cause a significant outage. This list also does not include failures that may occur within the ISP itself. Such failures do occur from time to time due to weather, cable cuts, or denial-of-service attacks. Given the potential failure scenarios, this architecture is recommended only for non-business-critical Internet connections.

Multiple-Line Access to a Single ISP

One way to overcome the single-point-of-failure issues with the single-ISP architecture shown in Figure 9-1 is to use multiple lines to the same ISP. Different ISPs offer different services in this regard. Some call it a shadow link, while others call it a redundant circuit. In any case, the goal is to provide a second communication link should a failure occur.

Single-POP Access

An ISP can provide fail-over access by setting up a redundant circuit to the same POP (see Figure 9-2). The redundant circuit may include a redundant router and CSU, or a single router may be used. The two circuits are configured so that if the primary circuit fails, the second circuit will take over the load. Note that if one router is shared by both circuits, that router remains a single point of failure for the connection.

Figure 9-2. Redundant circuit access to a single POP

This architecture addresses failures in the router, the CSU, the phone company circuit to the CO, and the ISP equipment at the end of the connection. These failures are the more common types of outage. It does not, however, address less frequent but no less severe failures such as a local loop cut, damage to the CO itself, or a failure of the ISP's POP. Likewise, if the ISP should suffer a major outage, service would still be disrupted. One benefit of this architecture is the low cost of the redundant circuit. Most ISPs will provide the redundant circuit at a cost that is lower than a second full circuit.

Multiple POP Access

Additional availability and reliability can be purchased by running the second connection to a second POP (see Figure 9-3). In this case, the second connection can be a redundant connection, or it can be up and running continuously.

Figure 9-3. Multiple connections to multiple POPs

For this type of architecture to work properly, the ISP should be running the Border Gateway Protocol (BGP). BGP is a routing protocol that is used to specify routes between entities with these types of dual connections. Care must be taken with BGP to set routing policies properly.

It should also be noted that this configuration still has two single points of failure: the local loop and the CO. These points of failure cannot be overcome unless the organization's facility has two local loop connections. If it does, the architecture can be modified as shown in Figure 9-4. This type of architecture reduces the points of failure to just one: the ISP itself. If the ISP has a significant outage, the organization may still suffer degraded service or a complete loss of connectivity.

Figure 9-4. Multiple connections via multiple local loops

Multiple-Line Access to Multiple ISPs

Given the potential failure points with using a single ISP, why not use more than one? On the surface, this seems like a good idea (and for some organizations, it is), but don't believe that this removes all of the issues and risks with the Internet architecture. The use of multiple ISPs can, if architected correctly, reduce the risk of loss of service dramatically (see Figure 9-5). However, a number of other issues come up in choosing the ISPs and in the addressing scheme to use for the organization.

Choice of ISPs

The complexity of establishing an architecture that uses two different ISPs is high, and it requires significant knowledge of and experience with the ISPs that are used. One area of knowledge that is essential is BGP. BGP will be used to route traffic to the organization, and it must be configured properly within and between the ISPs.

Figure 9-5. Internet architecture using multiple ISPs

Another issue that may impact the choice of ISPs has to do with the physical routing of the connections. The local loop may continue to be a single point of failure if the organization's facility does not have multiple local loop connections. If there is only a single local loop, redundancy can still be accomplished by choosing an ISP that uses wireless communication for the last-mile connection (see Figure 9-6). The use of a wireless link does not remove all the availability issues, as the wireless link may be lost or degraded due to atmospheric conditions, storms, or birds. However, the likelihood of both a severe degradation of the wireless link and a major outage to the traditional ISP becomes very small.

Figure 9-6. Using a wireless ISP to improve availability

NOTE: The choice of a wireless ISP should be governed by the same requirements as that for a traditional ISP.
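
The failure-point reasoning above (which components each design duplicates, which it still shares, and why the wired-plus-wireless pair leaves almost nothing in common) can be checked mechanically. The following Python script is an added example, not code from the book: it writes each architecture from Figures 9-1 through 9-6 as a series/parallel tree of components and, from that one description, derives both the single points of failure and an availability estimate. The per-component availability numbers in ASSUMED are assumed, illustrative values, not measurements; the component and architecture names are the example's own.

```python
"""Failure-point model for the Internet access architectures of Chapter 9.

Added example; not code from the book. Each design is written as a
series/parallel tree of components. From that one description we derive
(a) its single points of failure and (b) an availability estimate using
the ASSUMED per-component availabilities below (illustrative, not measured).
"""
from dataclasses import dataclass
from math import prod

# Assumed steady-state availability per component kind (fraction of time up).
# Chosen only to reflect the text's remark that a router fails far more often
# than a central office is damaged; substitute your ISP's SLA figures.
ASSUMED = {
    "router": 0.995, "csu": 0.998, "circuit": 0.997, "local_loop": 0.9995,
    "co": 0.9999, "pop": 0.999, "isp": 0.9995, "wireless": 0.990,
}


@dataclass(frozen=True)
class Part:
    kind: str   # key into ASSUMED
    label: str  # unique instance name: shared vs. duplicated parts differ here


@dataclass(frozen=True)
class Series:    # every child must be up
    children: tuple


@dataclass(frozen=True)
class Parallel:  # at least one child must be up
    children: tuple


def availability(node, table=ASSUMED) -> float:
    """Availability of the tree, assuming independent component failures."""
    if isinstance(node, Part):
        return table[node.kind]
    if isinstance(node, Series):
        return prod(availability(c, table) for c in node.children)
    return 1.0 - prod(1.0 - availability(c, table) for c in node.children)


def is_up(node, failed: set) -> bool:
    """True if the connection survives with the given instance labels down."""
    if isinstance(node, Part):
        return node.label not in failed
    if isinstance(node, Series):
        return all(is_up(c, failed) for c in node.children)
    return any(is_up(c, failed) for c in node.children)


def labels(node) -> set:
    if isinstance(node, Part):
        return {node.label}
    return set().union(*(labels(c) for c in node.children))


def single_points_of_failure(node) -> list:
    """Instances whose failure alone takes the whole connection down."""
    return sorted(l for l in labels(node) if not is_up(node, {l}))


def path(n: int, *kinds: str) -> Series:
    """One customer-side path built from numbered instances of the kinds."""
    return Series(tuple(Part(k, f"{k}-{n}") for k in kinds))


# Pieces that the redundant designs share rather than duplicate.
LOOP, CO = Part("local_loop", "local_loop"), Part("co", "co")
POP, ISP = Part("pop", "pop-1"), Part("isp", "isp-A")

ARCHITECTURES = {
    # Figure 9-1: everything in series.
    "single line": Series((path(1, "router", "csu", "circuit"), LOOP, CO, POP, ISP)),
    # Figure 9-2: second router/CSU/circuit into the same POP.
    "single POP, redundant circuit": Series((
        Parallel((path(1, "router", "csu", "circuit"),
                  path(2, "router", "csu", "circuit"))), LOOP, CO, POP, ISP)),
    # Figure 9-2 with one router serving both circuits.
    "single POP, shared router": Series((
        Part("router", "router-1"),
        Parallel((path(1, "csu", "circuit"), path(2, "csu", "circuit"))),
        LOOP, CO, POP, ISP)),
    # Figure 9-3: second circuit terminates at a second POP.
    "multiple POPs": Series((
        Parallel((path(1, "router", "csu", "circuit", "pop"),
                  path(2, "router", "csu", "circuit", "pop"))), LOOP, CO, ISP)),
    # Figure 9-4: two local loops through two COs to two POPs of one ISP.
    "multiple local loops": Series((
        Parallel((path(1, "router", "csu", "circuit", "local_loop", "co", "pop"),
                  path(2, "router", "csu", "circuit", "local_loop", "co", "pop"))), ISP)),
    # Figure 9-5 with one local loop: two ISPs, but loop and CO are shared.
    "two ISPs, one local loop": Series((
        Parallel((path(1, "router", "csu", "circuit", "pop", "isp"),
                  path(2, "router", "csu", "circuit", "pop", "isp"))), LOOP, CO)),
    # Figure 9-6: second ISP reaches the site over a wireless last mile.
    "two ISPs, wired + wireless": Parallel((
        path(1, "router", "csu", "circuit", "local_loop", "co", "pop", "isp"),
        path(2, "router", "wireless", "isp"))),
}


def compare(table=ASSUMED) -> dict:
    """name -> (availability, expected downtime in hours/year, SPOF labels)."""
    return {name: (availability(t, table),
                   (1.0 - availability(t, table)) * 8760.0,
                   single_points_of_failure(t))
            for name, t in ARCHITECTURES.items()}


if __name__ == "__main__":
    for name, (avail, hours, spof) in compare().items():
        print(f"{name:30s} {avail:.5f}  ~{hours:6.1f} h/yr down  SPOF: {spof}")
```

Run as a script, the SPOF column reproduces the text's claims one design at a time: the single-POP redundant circuit still depends on the local loop, the CO and the POP; the multiple-POP design still depends on the local loop and the CO; two local loops leave only the ISP; and the wired-plus-wireless pair has no single point of failure at all. The availability column is only as good as the numbers in ASSUMED, and the independence assumption ignores correlated failures such as the one storm that takes down both the wireless link and the local loop, which is exactly why the text insists on an SLA from the wireless ISP as well.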
Any ISP should be able to provide a service-level agreement and back up that agreement with sound management practices.

Addressing

Another issue that must be resolved when working with multiple ISPs is addressing. Normally, when working with a single ISP, the ISP assigns an address space to the organization. The ISP configures routing so that traffic destined for the organization finds its way to the organization's systems. The ISP also advertises the route to those addresses to other ISPs so that traffic from all over the Internet can reach the organization's systems.

When multiple ISPs are involved in the architecture, you must determine which addresses will be used. One ISP or the other may supply the addresses. In this case, the routing from one ISP works as normal, and the other ISP must agree to advertise a route to address space that belongs to the first ISP. This configuration requires a strong understanding of the way BGP works so that traffic routes appropriately: the second ISP ends up announcing a more-specific prefix carved out of the first ISP's aggregate, so unless the first ISP announces that same more-specific prefix as well, longest-match routing will pull all inbound traffic through the second ISP, and some networks filter such long prefixes entirely. Another option is for the organization to purchase a set of addresses itself (today, provider-independent address space from the regional Internet registry, announced under the organization's own autonomous system number). While this resolves some of the issues, it creates others. Now both ISPs must be willing to advertise routes to addresses that they do not own.

NOTE: The addressing and routing issues should be discussed with the ISPs before contracts are signed. This issue is not easy to resolve without the full cooperation of both ISPs.

The final option is to use addresses from both ISPs. In this case, some systems will be given addresses from one ISP, and other systems will be given addresses from the other ISP. This architecture does not truly resolve the availability issues and should not be used if it can be avoided.

DEMILITARIZED ZONE

DMZ stands for "demilitarized zone." It is commonly used to refer to a portion of the network that is not truly trusted. The DMZ provides a place in the network to segment off systems that are accessed by people on the Internet from those that are only accessed by employees. DMZs can also be used when dealing with business partners and other outside entities.

Defining the DMZ

The DMZ is created by providing a semi-protected network zone. The zone is normally delineated with network access controls, such as firewalls or heavily filtered routers. The network access controls then set the policy to determine which traffic is allowed into the

Posted: 02/07/2014, 18:20