
Key Corporate Internet Module Devices

In the document CCSP CSI Exam Certification Guide (Page 84-89)

There are several key devices in the Corporate Internet module that are common between the medium-sized network design and the small network design. The key devices in both the small and medium-sized network designs are summarized in Table 4-3. This table also indicates in which network these devices can be found.

[Figure: Corporate Internet module diagrams for the medium-sized and small network designs (images not reproduced). Labels visible: Public Services Segment, VPN/Dial-In Segment, To Campus Module, ISP, PSTN; Public Services Segment, To Campus Module, To ISP, One or the Other.]

Understanding the Corporate Internet Module 53

Table 4-3 Key Devices in Corporate Internet Module
(Columns: Key Devices; Functions; Medium-Sized Network; Small Network. An X marks each design in which the device is found.)

Hosts for small and medium-sized networks (Medium-Sized Network: X; Small Network: X)
  DNS server: Provides authoritative external DNS resolution; relays internal requests to the Internet.
  FTP server: Provides public interface for file exchange between Internet users and the corporate network; can be combined with the HTTP server to reduce cost.
  HTTP server: Provides public information about the enterprise or the organization; can be combined with the FTP server to reduce cost.
  SMTP server: Provides e-mail service for the enterprise by relaying internal e-mail bound for external addresses; can inspect content as well.

Firewall (Medium-Sized Network: X; Small Network: X)
  Provides network-level protection of resources through stateful filtering of traffic. Can provide remote IPSec tunnel termination for users and remote sites. Also provides differentiated access for remote-access users.

ISP router (Medium-Sized Network: X)
  Provides connectivity from the ISP to the network.

Dial-in server (Medium-Sized Network: X)
  Authenticates remote dial-in users and terminates their dial-up connection.

Layer 2 switches (Medium-Sized Network: X)
  Provides for Layer 2 connectivity within the Corporate Internet module. Can also provide support for private VLANs.

Internal router (Medium-Sized Network: X)
  Provides routing within the module.

NIDS appliance (Medium-Sized Network: X)
  Provides for deep packet inspection of traffic traversing various segments of the network.

Edge router (Medium-Sized Network: X; Small Network: X)
  Provides for connectivity to the Internet and rudimentary filtering through ACLs.

VPN concentrator (Medium-Sized Network: X)
  Authenticates remote users and terminates their IPSec tunnels.

Hosts for Small and Medium-Sized Networks

Additional hosts in both the medium-sized and small network Corporate Internet module designs include the following systems:

A DNS server to provide for authoritative external name resolution and to relay internal network requests to the Internet

An FTP server to provide for file exchange between Internet users and the corporate network

An HTTP server to provide public information about the enterprise or the organization

An SMTP server to provide for e-mail service both inbound and outbound; could also provide for e-mail content inspection

Each system requires that HIDS software be installed to help detect and mitigate attacks and the possible exploitation of these systems. These systems represent the endpoint devices that provide significant services to the Internet presence of the corporation.

Firewall

The firewall provides additional filtering capabilities in both designs. The firewall in the small network blueprint provides for one additional demilitarized zone (DMZ) segment, whereas the firewall in the medium-sized network blueprint provides for multiple DMZ segments.

In the medium-sized network design, the firewall provides for a public services segment and a VPN/dial-in segment. Publicly available servers, such as web, e-mail, and FTP servers, reside in the public services segment. Inbound filtering is used to limit the traffic that reaches the public servers.

Outbound filtering reduces the possibility that a compromised public server can be used for further exploitation of the network. To achieve this goal, specific filters are in place to prevent any unauthorized connections that originate in the public services segment from being generated. Private VLANs can be used in the segment to prevent an attacker who successfully compromises a server from exploiting other servers in the public services segment. Other services that the firewall provides include SMTP command filtering and termination of site-to-site VPNs.

The VPN/dial-in segment of the firewall is used to filter inbound traffic from the dial-in access server and the VPN concentrator. Private VLANs can be provided in this segment to prevent an attacker who compromises either a VPN connection or a dial-in connection from affecting other connections that terminate on the devices in this segment.

In the small network blueprint, the firewall provides for much of the functionality that is provided in a medium-sized network. However, only one additional segment is available, the public services segment. The firewall also provides for SMTP command filtering, as in the medium-sized network design, and provides a termination point for remote sites, preshared keys, and VPN tunnels. The remote users authenticate to the access control server in the Campus module.

Many firewall appliances and firewall software packages provide for rudimentary NIDS capabilities; however, those capabilities, if used, can result in a degradation of the firewall’s performance.

ISP Router

The ISP router is found in the medium-sized network design only, and its primary purpose is to provide connectivity to a provider network. ACLs provide for address filtering in accordance with RFC 1918 and RFC 2827 in both directions of traffic. Additionally, nonessential traffic leaving the ISP network toward the enterprise is rate limited to reduce the effects of denial of service (DoS) and distributed denial of service (DDoS) attacks.

Edge Router

The edge router provides various functionalities in both the medium-sized and the small network design. In both networks, this device should be configured to drop most fragmented packets.

In the medium-sized network blueprint, the edge router provides the point of demarcation between the medium-sized network and the ISP network. Basic traffic filters provide for address filtering in accordance with RFC 1918 and RFC 2827. Additionally, only expected IP traffic is permitted through. For example, IPSec and IKE traffic that is destined for the VPN concentrator or the firewall is permitted through.

In the small network design, the edge router provides for address filtering in both directions in accordance with RFC 1918 and RFC 2827. Additionally, nonessential traffic that exceeds prespecified thresholds is rate limited to reduce the impact of DDoS attacks. Agreements between the enterprise and the ISP that provide for additional traffic-rate limiting help push the DDoS mitigation further upstream of this router.
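As an added example (not from the guide), the following model shows the address filtering the ISP router and edge router apply under RFC 1918 and RFC 2827 in both directions, plus the "only expected traffic" rule that lets IPSec and IKE reach the VPN concentrator or firewall. The enterprise prefix, host addresses, and published service list are constructed placeholders.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholder addresses, not values from the guide.
ENTERPRISE_NET = ip_network("203.0.113.0/24")   # the enterprise's public block
VPN_CONCENTRATOR = ip_address("203.0.113.10")   # terminates remote-access IPSec
FIREWALL_OUTSIDE = ip_address("203.0.113.1")    # terminates site-to-site IPSec
# Published services on public services segment hosts: host -> {(protocol, port)}
PUBLIC_HOSTS = {ip_address("203.0.113.20"): {(6, 80), (6, 443)},   # HTTP server
                ip_address("203.0.113.21"): {(6, 25)},             # SMTP server
                ip_address("203.0.113.22"): {(6, 53), (17, 53)}}   # DNS server

# RFC 1918 private space plus loopback: never legitimate on the ISP link.
BOGON_NETS = [ip_network(n) for n in
              ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
ESP, AH, TCP, UDP, IKE_PORT = 50, 51, 6, 17, 500


def is_bogon(addr):
    return any(addr in net for net in BOGON_NETS)


def filter_packet(direction, src, dst, proto, dport=None):
    """Return (action, reason). direction is 'in' (from the ISP) or 'out' (to the ISP)."""
    src, dst = ip_address(src), ip_address(dst)
    # RFC 1918 filtering applies to both directions of traffic.
    if is_bogon(src) or is_bogon(dst):
        return "deny", "rfc1918"
    if direction == "out":
        # RFC 2827 egress: only packets sourced from our own prefix may leave,
        # so a compromised internal host cannot emit spoofed-source traffic.
        if src not in ENTERPRISE_NET:
            return "deny", "rfc2827-egress-spoof"
        return "permit", "egress"
    # RFC 2827 ingress: the Internet side must never claim our own addresses.
    if src in ENTERPRISE_NET:
        return "deny", "rfc2827-ingress-spoof"
    if dst not in ENTERPRISE_NET:
        return "deny", "not-our-prefix"
    # Only expected traffic passes: IPSec/IKE to the VPN termination points ...
    if proto in (ESP, AH) or (proto == UDP and dport == IKE_PORT):
        if dst in (VPN_CONCENTRATOR, FIREWALL_OUTSIDE):
            return "permit", "ipsec-to-vpn-termination"
        return "deny", "ipsec-to-unexpected-host"
    # ... and the published services of the public services segment hosts.
    if (proto, dport) in PUBLIC_HOSTS.get(dst, set()):
        return "permit", "public-service"
    return "deny", "unexpected-traffic"
```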

Dial-In Server

Dial-in user connections in medium-sized networks are terminated at the NAS. Authentication is provided by the access control server using the three-way Challenge Handshake Authentication Protocol (CHAP). Once a user has been authenticated, she is assigned an IP address from a predefined pool.
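The three-way CHAP exchange described above, worked through as an added example that is not from the guide: the NAS issues a random challenge, the peer answers with the RFC 1994 MD5 response over the identifier, shared secret, and challenge, and the access control server verifies it before an address is handed out from the pool. The user names, secrets, and address pool are constructed placeholders.

```python
import hashlib
import hmac
import os

# Constructed sample data; secrets and pool are placeholders, not values from the guide.
SHARED_SECRETS = {"alice": b"constructed-secret-1", "bob": b"constructed-secret-2"}
ADDRESS_POOL = ["10.0.200.%d" % h for h in range(10, 20)]   # assumed dial-in pool


def chap_response(ident, secret, challenge):
    """Peer side: CHAP response = MD5(Identifier || secret || challenge) per RFC 1994."""
    return hashlib.md5(bytes([ident]) + secret + challenge).digest()


class DialInAuthenticator:
    """NAS plus access control server side of the three-way CHAP exchange."""

    def __init__(self):
        self.pending = {}       # ident -> outstanding challenge (answered at most once)
        self.free_pool = list(ADDRESS_POOL)
        self.sessions = {}      # username -> assigned address

    def challenge(self, ident):
        """Step 1: send a fresh random challenge tagged with an identifier."""
        value = os.urandom(16)
        self.pending[ident] = value
        return ident, value

    def verify(self, ident, username, response):
        """Steps 2 and 3: check the response; on success assign a pool address."""
        challenge = self.pending.pop(ident, None)   # a replayed response finds none
        secret = SHARED_SECRETS.get(username)
        if challenge is None or secret is None:
            return "failure", None
        expected = chap_response(ident, secret, challenge)
        if not hmac.compare_digest(expected, response):
            return "failure", None
        if username not in self.sessions:
            if not self.free_pool:
                return "failure", None
            self.sessions[username] = self.free_pool.pop(0)
        return "success", self.sessions[username]


def dial_in(nas, username, secret, ident=1):
    """Run the whole exchange from the peer's point of view; returns (result, address)."""
    ident, challenge = nas.challenge(ident)
    return nas.verify(ident, username, chap_response(ident, secret, challenge))
```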

Layer 2 Switches

The Layer 2 switches in the medium-sized network blueprint provide for connectivity between devices in the Corporate Internet module. Several switches are implemented rather than a single switch with multiple VLANs, to reduce the impact of device misconfiguration. Each segment in the module has a switch to provide for device connectivity. These switches are configured with private VLANs to reduce the potential of device compromise through trust exploitation.

Internal Router

The primary function of the internal router in the medium-sized network blueprint is to provide for Layer 3 separation and routing between the Campus module and the Corporate Internet module. The device functions solely as a router without any filtering capabilities and provides a final point of demarcation between the routed intranet and the external network. Most firewalls do not participate in any routing protocols; therefore, it is important to provide a point of routing within the Corporate Internet module that does not rely on the rest of the network.

NIDS Appliance

The public services segment of the medium-sized network’s firewall includes a NIDS appliance.

This device is configured in a restrictive stance because signatures that are matched here have already passed through the firewall. Each of the servers in the public services segment has HIDS software installed. The function of the HIDS is to monitor for any illegal activity on the host at the OS and application levels. Finally, the external SMTP server provides for mail content filtering services to prevent viruses or Trojan-horse applications from reaching the end users on the internal network.

In addition to the IDS in the public services segment, a NIDS appliance is deployed between the firewall’s private interface and the internal router. This NIDS is also set to a restrictive stance; however, unlike the NIDS in the public services segment, this NIDS is capable of initiating a countermeasure against detected activity. This response can be through TCP resets or ACL shuns.

Attacks encountered at this NIDS may indicate that a public services host has been compromised and that the attacker is using that host as a platform to gain further entry into the internal network.

This segment permits only traffic that is in response to initiated flows, traffic from select ports on the public services segment, or traffic from the remote-access segment.

VPN Concentrator

The remote-access VPN concentrator provides secure connectivity to the medium-sized network for remote users. Authentication is provided by the access control server, which queries the OTP server to verify user credentials. IPSec policy is pushed from the concentrator to the client and prevents split tunneling, whereby the client maintains both a live connection to the external Internet and the secure connection to the medium-sized network. This policy forces the client to route all traffic through the medium-sized network, including traffic that is ultimately destined for the Internet. Encryption is provided through use of the 3DES algorithm, and data integrity is provided through use of the Secure Hash Algorithm/Hash-Based Message Authentication Code (SHA/HMAC).

In the medium-sized network blueprint, the VPN terminates outside the firewall, at the VPN concentrator. This enables the firewall to filter remote-user traffic, which it wouldn’t be able to do if the VPN device were placed behind the firewall, because VPN traffic is encrypted until it reaches the VPN concentrator. This deployment also allows the IDS on the inside of the firewall’s private interface to inspect traffic from remote VPN users.

In the small network, remote-access VPN termination occurs at the edge router/firewall.
