NOTE: The choice of a wireless ISP should be governed by the same requirements as that for a traditional ISP. Any ISP should be able to provide a service-level agreement and back up that agreement with sound management practices.

Addressing

Another issue that must be resolved when working with multiple ISPs is addressing. Normally, when working with a single ISP, the ISP assigns an address space to the organization. The ISP configures routing so that traffic destined for the organization finds its way to the organization's systems. The ISP also advertises the route to those addresses to other ISPs (through BGP) so that traffic from all over the Internet can reach the organization's systems.

When multiple ISPs are involved in the architecture, you must determine which addresses will be used. One ISP or the other may supply the addresses. In this case, the routing from one ISP works as normal and the other ISP must agree to advertise a route to address space that belongs to the first ISP. This configuration requires a strong understanding of the way BGP works so that traffic routes appropriately: the Internet follows the most specific (longest) prefix it hears, so if the first ISP keeps announcing only its larger aggregate while the second ISP announces your specific block, inbound traffic will favour the second ISP for as long as that announcement is present.

Another option is for the organization to obtain its own (provider-independent) address space. While this resolves some of the issues, it creates others. Now both ISPs must be willing to advertise routes to addresses that they do not own.

NOTE: The addressing and routing issues should be discussed with the ISPs before contracts are signed. This issue is not easy to resolve without the full cooperation of both ISPs.

The final option is to use addresses from both ISPs. In this case, some systems will be given addresses from one ISP and other systems will be given addresses from the other ISP. This architecture does not truly resolve the availability issues, since the systems addressed out of a failed ISP's space become unreachable with it, and should not be used if it can be avoided.

DEMILITARIZED ZONE

DMZ stands for "demilitarized zone." It is commonly used to refer to a portion of the network that is not truly trusted.
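The three addressing options, worked through as an added example (my code, not the book's): a small longest-prefix-match model that shows which ISP carries inbound traffic to each host while both ISPs are up and when either one fails. The addresses are assumed for the example (RFC 5737 documentation ranges): ISP A owns 198.51.100.0/24, ISP B owns 203.0.113.0/24, and the organization can obtain 192.0.2.0/24 of its own. It also shows the BGP point made above: when the address space comes from ISP A, what ISP A actually announces decides whether both links are usable.

```python
import ipaddress

def best_paths(ip, advertisements, up_isps):
    """Longest-prefix match over what the ISPs that are still up advertise.

    Returns (prefix_length, [ISPs announcing that most-specific prefix]);
    (None, []) means no announcement covers the address, i.e. the host is
    unreachable from the Internet."""
    addr = ipaddress.ip_address(ip)
    best_len, best_isps = None, []
    for isp, prefixes in advertisements.items():
        if isp not in up_isps:
            continue
        for prefix in prefixes:
            net = ipaddress.ip_network(prefix)
            if addr not in net:
                continue
            if best_len is None or net.prefixlen > best_len:
                best_len, best_isps = net.prefixlen, [isp]
            elif net.prefixlen == best_len:
                best_isps.append(isp)
    return best_len, sorted(best_isps)

def inbound_paths(hosts, advertisements, outages):
    """For every outage scenario, which ISPs carry inbound traffic to each host."""
    all_isps = set(advertisements)
    return {
        scenario: {host: best_paths(ip, advertisements, all_isps - set(down))[1]
                   for host, ip in hosts.items()}
        for scenario, down in outages.items()
    }

# Assumed example addressing (RFC 5737 documentation ranges, not the book's):
# ISP A owns 198.51.100.0/24, ISP B owns 203.0.113.0/24, and the organization
# can obtain 192.0.2.0/24 of its own.
HOSTS_FROM_A = {"www": "198.51.100.10", "mail": "198.51.100.25"}

OPTIONS = {
    # Option 1, done carelessly: the organization's /26 comes from ISP A, which
    # keeps announcing only its /24 aggregate; ISP B announces the /26.
    # Longest prefix wins, so all inbound traffic prefers B while B is up.
    "isp_a_block, A announces aggregate only": {
        "hosts": HOSTS_FROM_A,
        "advertisements": {"A": ["198.51.100.0/24"], "B": ["198.51.100.0/26"]},
    },
    # Option 1, done right: ISP A also announces the specific /26.
    "isp_a_block, both announce the /26": {
        "hosts": HOSTS_FROM_A,
        "advertisements": {"A": ["198.51.100.0/24", "198.51.100.0/26"],
                           "B": ["198.51.100.0/26"]},
    },
    # Option 2: the organization's own block, announced by both ISPs.
    "own_block": {
        "hosts": {"www": "192.0.2.10", "mail": "192.0.2.25"},
        "advertisements": {"A": ["192.0.2.0/24"], "B": ["192.0.2.0/24"]},
    },
    # Option 3: addresses from both ISPs, each announcing only its own space.
    "split_addressing": {
        "hosts": {"www": "198.51.100.10", "mail": "203.0.113.25"},
        "advertisements": {"A": ["198.51.100.0/24"], "B": ["203.0.113.0/24"]},
    },
}
OUTAGES = {"both up": [], "A down": ["A"], "B down": ["B"]}

def compare_options():
    """Inbound path table for every option under every outage scenario."""
    return {name: inbound_paths(o["hosts"], o["advertisements"], OUTAGES)
            for name, o in OPTIONS.items()}

if __name__ == "__main__":
    for option, table in compare_options().items():
        print(option)
        for scenario, paths in table.items():
            cells = "  ".join(f"{h}: {p or 'UNREACHABLE'}" for h, p in paths.items())
            print(f"  {scenario:8}  {cells}")
```

Run it and the split-addressing option is the only one in which an ISP outage leaves a host with no path at all, which is why the text recommends against it; the first option only becomes a real dual-homed setup once ISP A announces the specific block as well as its aggregate.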
The DMZ provides a place in the network to segment off systems that are accessed by people on the Internet from those that are only accessed by employees. DMZs can also be used when dealing with business partners and other outside entities.

Defining the DMZ

The DMZ is created by providing a semi-protected network zone. The zone is normally delineated with network access controls, such as firewalls or heavily filtered routers. The network access controls then set the policy to determine which traffic is allowed into the DMZ and which traffic is allowed out of the DMZ (see Figure 9-7). In general, any system that can be directly contacted by an external user should be placed in the DMZ. Systems that can be directly accessed by external systems or users are the first systems to be attacked and potentially compromised. These systems cannot be fully trusted since they could be compromised at any time. Therefore, we try to restrict the access that these systems have to truly sensitive systems on the internal network.

Chapter 9: Internet Architecture 145

General access rules for the DMZ are to allow external users to access the appropriate services on DMZ systems, and nothing else. DMZ systems should be severely restricted from accessing internal systems. If possible, the internal system should initiate the connection to the DMZ system. Internal systems can access the DMZ or the Internet as policy allows, but no external users may access internal systems.

Systems to Place in the DMZ

So now we have a general policy for the DMZ and we have a list of services that will be offered over the Internet. What systems should actually be placed in the DMZ? Let's take a look at each specific service.

Mail

Figure 9-8 shows the services that may be offered in a DMZ. Notice that there is an internal and an external mail server. The external mail server is used to receive inbound mail and also to send outbound mail.

146 Network Security: A Beginner's Guide

Figure 9-7. General DMZ policy rules
New mail is received by the external mail server and is passed on to the internal mail server. The internal mail server passes outbound mail to the external server. Ideally, this is all done by the internal mail server requesting the mail from the external mail server, so that no connection is ever initiated from the DMZ into the internal network. Some firewalls offer a mail server. If the firewall mail server is used, it functions as the external mail server. In this case, the external mail server in the DMZ becomes redundant and can be removed.

NOTE: If mail servers are truly critical to operations, redundant mail servers should be placed both inside and in the DMZ.

Figure 9-8. Layout of systems between the DMZ and the internal network

Web

Publicly accessible Web servers are placed in the DMZ. From Figure 9-8, you can also see an application server in the DMZ. Many Web sites offer active content based on user input. This user input is processed and information is called up from a database. The database contains the sensitive information and thus is not a good choice for the DMZ. The Web server itself could communicate back to the database server, but the Web server is accessible from the outside and thus is not completely trusted. In this case, it is best to use a third system to house the application that actually communicates with the database. The Web server receives the user's input and provides it to the application server for processing. The application server calls the database to request the appropriate information and provides the information to the Web server for delivery to the user. While this may seem complicated, this architecture provides protection to the database server and offloads the query processing from the Web server. The firewall rule that lets the application server reach the database should name that one source, that one destination and the database's port only; the Web server itself gets no path to the database at all.

Externally Accessible Systems

All externally accessible systems should be placed in the DMZ.
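The general DMZ policy rules and the mail and three-tier Web layouts above, as one added example (my code, not the book's and not any firewall's real syntax): a first-match, default-deny rule table evaluated against sample connections. All addresses are assumed for the example: the DMZ is 192.0.2.0/24 (Web server .10, application server .11, external mail server .25, DNS server .53), the internal network is 10.0.0.0/8 (internal mail server 10.0.0.25, database 10.0.0.40), and anything else is the Internet. The application port 8080, the database port 5432 and the use of POP3 (110/tcp) for the internal mail server's pull are likewise assumptions, not the book's. The second rule table, with the broad DMZ-to-internal deny moved to the top, shows why rule order matters on a first-match engine.

```python
import ipaddress
from dataclasses import dataclass
from typing import NamedTuple, Optional

# Assumed addressing for the example (RFC 5737 / RFC 1918 ranges, not the book's).
ZONES = {
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
    "internal": ipaddress.ip_network("10.0.0.0/8"),
}
WEB, APP, EXT_MAIL, EXT_DNS = "192.0.2.10", "192.0.2.11", "192.0.2.25", "192.0.2.53"
INT_MAIL, DATABASE = "10.0.0.25", "10.0.0.40"

def zone_of(ip: str) -> str:
    """Anything outside the DMZ and internal ranges is treated as the Internet."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"

class Flow(NamedTuple):
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    port: int    # destination port of the connection being initiated

@dataclass(frozen=True)
class Rule:
    src: str              # zone name ("external", "dmz", "internal") or one host
    dst: str
    proto: str            # "tcp", "udp" or "any"
    port: Optional[int]   # None matches any destination port
    action: str           # "allow" or "deny"
    note: str = ""

    def matches(self, flow: Flow) -> bool:
        return (_endpoint_matches(self.src, flow.src)
                and _endpoint_matches(self.dst, flow.dst)
                and self.proto in ("any", flow.proto)
                and self.port in (None, flow.port))

def _endpoint_matches(spec: str, ip: str) -> bool:
    if spec in ("external", *ZONES):
        return zone_of(ip) == spec
    return ipaddress.ip_address(spec) == ipaddress.ip_address(ip)

def decide(policy, flow: Flow):
    """First matching rule wins; a flow that matches nothing is denied."""
    for rule in policy:
        if rule.matches(flow):
            return rule.action, rule.note
    return "deny", "default deny"

DMZ_POLICY = [
    # External users may reach only the services each DMZ system offers.
    Rule("external", WEB, "tcp", 80, "allow", "public web"),
    Rule("external", WEB, "tcp", 443, "allow", "public web (TLS)"),
    Rule("external", EXT_MAIL, "tcp", 25, "allow", "inbound SMTP to external mail server"),
    Rule("external", EXT_DNS, "udp", 53, "allow", "external DNS queries"),
    # Web tier hands user input to the application tier (port assumed).
    Rule(WEB, APP, "tcp", 8080, "allow", "web server -> application server"),
    # The one DMZ-to-internal exception: the application server queries the
    # database. The Web server gets no such rule.
    Rule(APP, DATABASE, "tcp", 5432, "allow", "application server -> database"),
    # What DMZ systems may initiate outward.
    Rule(EXT_MAIL, "external", "tcp", 25, "allow", "outbound SMTP"),
    Rule(EXT_DNS, "external", "udp", 53, "allow", "upstream DNS lookups"),
    # Everything else from the DMZ toward the internal network is refused.
    Rule("dmz", "internal", "any", None, "deny", "DMZ must not initiate to internal"),
    # Internal systems initiate to the DMZ: the internal mail server relays
    # outbound mail and pulls inbound mail (pull protocol assumed to be POP3).
    Rule(INT_MAIL, EXT_MAIL, "tcp", 25, "allow", "internal mail server relays outbound"),
    Rule(INT_MAIL, EXT_MAIL, "tcp", 110, "allow", "internal mail server pulls inbound"),
    Rule("internal", "external", "any", None, "allow", "internal -> Internet as policy allows"),
    # No rule allows external -> internal, so the default deny covers it.
]

# Same rules with the broad DMZ->internal deny moved to the front: on a
# first-match engine this silently breaks the application tier, which is why
# filter order matters as much as filter content.
DENY_FIRST = ([r for r in DMZ_POLICY if r.action == "deny"]
              + [r for r in DMZ_POLICY if r.action == "allow"])

SAMPLE_FLOWS = [
    Flow("203.0.113.7", WEB, "tcp", 443),         # Internet user -> web server
    Flow("203.0.113.7", WEB, "tcp", 22),          # Internet user -> SSH on web server
    Flow("203.0.113.7", DATABASE, "tcp", 5432),   # Internet user -> database
    Flow(WEB, DATABASE, "tcp", 5432),             # web server bypassing the app tier
    Flow(APP, DATABASE, "tcp", 5432),             # app server -> database
    Flow(EXT_MAIL, INT_MAIL, "tcp", 25),          # external mail server pushing inward
    Flow(INT_MAIL, EXT_MAIL, "tcp", 110),         # internal mail server pulling
    Flow("10.0.3.4", "203.0.113.9", "tcp", 443),  # employee -> Internet
]

def audit(policy, flows=SAMPLE_FLOWS):
    """Verdict for each sample flow under the given rule table."""
    return {f: decide(policy, f)[0] for f in flows}

if __name__ == "__main__":
    for flow, verdict in audit(DMZ_POLICY).items():
        print(f"{verdict:5} {flow.src:>14} -> {flow.dst:>14} {flow.proto}/{flow.port}")
```

The flows worth keeping as a regression check are the ones the text calls out: the Web server must not be able to reach the database directly, the external mail server must not be able to push into the internal network, and no Internet address may reach an internal system at all.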
Keep in mind as well that if a system is accessible via an interactive session (such as telnet or SSH), the users will have the capability to perform attacks against other systems in the DMZ. You may prefer to create a second DMZ for such systems to protect other DMZ systems from attack.

Control Systems

External DNS servers should exist in the DMZ. If your organization plans to host its own DNS, the DNS server must be accessible for queries from the outside. DNS will also be a critical part of your organization's infrastructure. Because of this, you may choose to have redundant DNS systems or to have your ISP act as an alternate DNS. If you choose to do the latter, the ISP's DNS will need to perform zone transfers from your DNS. No other system should need to perform these transfers, so restrict zone transfers to the ISP's secondary server's address, both on the DNS server itself (for example with BIND's allow-transfer option) and in the firewall policy; an unrestricted zone transfer hands an attacker a complete list of your externally visible hosts.

If you choose to use NTP, the primary local NTP server should exist in the DMZ. Internal systems then will query the primary local NTP server for time updates. Alternatively, the firewall can act as your primary local NTP server.

Appropriate DMZ Architectures

There are many DMZ architectures. As with most things in security, there are advantages and disadvantages to each of them, and it becomes a matter of determining which architecture is most appropriate for each organization. In the next three sections, we will look at three of the more common architectures in detail.

NOTE: Each of the DMZ architectures discussed here includes firewalls, which are discussed in detail in the "Firewalls" section later in this chapter.

Router and Firewall

Figure 9-9 shows a simple router and firewall architecture. The router is connected to the link from the ISP and to the organization's external network. The firewall controls access to the internal network. The DMZ becomes the same as the external network, and systems that are to be accessed from the Internet are placed here.
Since these systems are placed on the external network, they are completely open to attack from the Internet. To somewhat reduce the risk of compromise, filters can be placed on the router so that the only traffic that is allowed into the DMZ is traffic to services offered by DMZ systems. Another way to reduce the risk to the systems is to lock them down so that the only services running on each system are those that are being offered on the DMZ. This means that Web servers are only running a Web server. Telnet, FTP, and other services must be shut down. The systems should also be patched to the most current level and watched carefully.

In many cases, the router will belong to and be managed by the ISP. If this is the case, it may become a problem to change the filters or to get them set correctly. If the router is owned and managed by the organization, this is not as much of a problem. However, keep in mind that routers tend to use command line configuration controls, and the filters must be set appropriately and in the correct order to work properly: access lists are evaluated top to bottom and the first matching entry wins, so a broad permit placed above a specific deny makes that deny unreachable.

Figure 9-9. Router and firewall DMZ architecture

Single Firewall

A single firewall can be used to create a DMZ. When a single firewall is used, the DMZ is differentiated from the external network, as shown in Figure 9-10. The external network is formed by the ISP router and the firewall. The DMZ is established off a third interface on the firewall. The firewall alone controls access to the DMZ.

Using the single-firewall architecture, all traffic is forced through the firewall. The firewall should be configured to allow traffic only to the appropriate services on each DMZ system. The firewall will also provide logs on what traffic is allowed and what traffic is denied. The firewall does become a single point of failure and a potential bottleneck for traffic.
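Locking a DMZ host down to only the services it offers is easier to verify than to do by hand. The following is an added example (my code, not the book's) of the check: it reads listening sockets in the shape of `ss -Hltn` (TCP) and `ss -Hlun` (UDP) output and compares them with the services the host is supposed to offer. The sample socket listings are constructed for the example and describe a Web server in the DMZ that should expose only 80/tcp and 443/tcp; the leftover telnet, FTP, SSH and NTP listeners are the kind of thing the text says must be shut down.

```python
# Constructed sample output in `ss -Hltn` / `ss -Hlun` shape (State, Recv-Q,
# Send-Q, Local Address:Port, Peer Address:Port); not captured from a real host.
SAMPLE_TCP = """\
LISTEN 0      511          0.0.0.0:80        0.0.0.0:*
LISTEN 0      511          0.0.0.0:443       0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
LISTEN 0      5            0.0.0.0:21        0.0.0.0:*
LISTEN 0      128        127.0.0.1:3306      0.0.0.0:*
LISTEN 0      511             [::]:80           [::]:*
LISTEN 0      128             [::]:23           [::]:*
"""
SAMPLE_UDP = """\
UNCONN 0      0            0.0.0.0:123       0.0.0.0:*
UNCONN 0      0          127.0.0.1:323       0.0.0.0:*
"""
OFFERED = {("tcp", 80), ("tcp", 443)}   # the only services this host should expose

def parse_sockets(ss_text, proto):
    """Turn `ss -H` style lines into (proto, local_address, port) tuples.
    The fourth column is Local Address:Port; IPv6 addresses arrive in brackets."""
    sockets = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue
        addr, port = fields[3].rsplit(":", 1)
        sockets.append((proto, addr.strip("[]"), int(port)))
    return sockets

def is_loopback(addr):
    return addr == "::1" or addr.startswith("127.")

def audit_listeners(sockets, offered):
    """Classify every socket: offered and reachable, exposed but not offered
    (must be shut down), bound to loopback only (running but not reachable
    from the network; still worth removing), or offered but not listening."""
    ok, exposed, loopback = set(), set(), set()
    for proto, addr, port in sockets:
        if is_loopback(addr):
            loopback.add((proto, port))
        elif (proto, port) in offered:
            ok.add((proto, port))
        else:
            exposed.add((proto, port))
    return {
        "ok": sorted(ok),
        "unexpected": sorted(exposed),
        "loopback_only": sorted(loopback - ok - exposed),
        "not_listening": sorted(offered - ok),
    }

def run_audit(tcp_text=SAMPLE_TCP, udp_text=SAMPLE_UDP, offered=OFFERED):
    """Audit of one host given its TCP and UDP socket listings."""
    sockets = parse_sockets(tcp_text, "tcp") + parse_sockets(udp_text, "udp")
    return audit_listeners(sockets, offered)

if __name__ == "__main__":
    for category, services in run_audit().items():
        print(f"{category:14}", ", ".join(f"{p}/{n}" for p, n in services) or "-")
```

On a real host, feed it the output of `ss -Hltn` and `ss -Hlun` (or the equivalent `netstat` listing) and treat every entry under "unexpected" as a finding. Administrative access such as SSH belongs in a rule restricted to the administrators' addresses, not in the list of services the DMZ offers to the Internet.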
If availability is a key security issue in the overall architecture, the firewall should be in a fail-over configuration. Likewise, if the DMZ is expected to attract a large amount of traffic, the firewall must be able to handle it as well as internal traffic destined for the Internet.

Administration of this architecture is simplified over the router and firewall in that only the firewall must be configured to allow or disallow traffic. The router does not require filters, although some filtering may make the firewall more efficient. In addition, the systems in the DMZ are somewhat protected by the firewall, and thus the need to completely secure them is reduced.

Figure 9-10. Single-firewall DMZ architecture

NOTE: I am not suggesting that insecure systems may be left in the DMZ. I am only suggesting that the firewall provides protection in the same manner as the filtering router and thus alleviates some of the need to remove unnecessary services.

Dual Firewalls

A third architecture for a DMZ is shown in Figure 9-11. This architecture uses two firewalls to separate the DMZ from the external and internal networks. The external network is still defined by the ISP router and the first firewall. The DMZ now exists between firewall #1 and firewall #2. Firewall #1 is configured to allow traffic to the services offered by the DMZ systems and to pass the internal network's traffic through. Firewall #2 is configured much more restrictively, so as to allow only connections initiated from the internal network (to the DMZ and to the Internet).

The dual-firewall architecture requires that firewall #1 be able to handle significant traffic loads if the DMZ systems are expecting a lot of traffic. Firewall #2 can be a less capable system since it will only handle internal traffic. The firewalls can be two different types as well. This configuration may increase overall security, as a single attack (or a single vendor's vulnerability) is unlikely to compromise both firewalls.
Like the single-firewall architecture, the DMZ systems are protected from the Internet by firewall #1.

Figure 9-11. Dual-firewall DMZ architecture

Dual firewalls do increase the cost of the architecture and require additional management and configuration.

FIREWALLS

Firewalls have been mentioned a fair amount in the preceding sections of this chapter (and have been mentioned in various other chapters as well). A firewall is a network access control device that is designed to deny all traffic except that which is explicitly allowed. This definition contrasts with a router, which is a network device that is intended to route traffic as fast as possible.

Some will argue that a router can be a firewall. I will agree that a router can perform some of the functions of a firewall, but one key difference remains: a router is intended to route all traffic as fast as possible, not to deny traffic. Perhaps a better way to differentiate a router and a firewall is to say that a firewall is a security device that can allow appropriate traffic to flow, while a router is a network device that can be configured to deny certain traffic.

In addition to this, firewalls generally provide a more granular level of configuration. Firewalls can be configured to allow traffic based on the service, the IP address of the source or destination, or the ID of the user requesting service. Firewalls can also be configured to log all traffic. Firewalls can perform a centralized security management function. In one configuration, the security administrator can define allowed traffic to all systems within an organization from the outside. While this does not alleviate the need to properly patch and configure systems, it does remove some of the risk that one or more systems may be misconfigured and thus open to attack on an inappropriate service.
Sensitive Internal Networks

Firewalls should not be limited to use only on Internet connections. A firewall is a network access control device that can be used anywhere that access must be controlled. This includes internal networks that should be protected from other internal systems. Sensitive internal networks may include systems with extremely important information or functions, or networks that conduct experiments on network equipment.

A good example of a sensitive network can be found in banks. Every evening banks communicate with the Federal Reserve System to transfer funds. A failure here can cost the bank large sums of money. The systems that control this communication are very sensitive and important to the bank. A firewall could be installed to restrict access to these systems from other parts of the bank.