NETWORK DESIGN ELEMENTS AND COMPONENTS

As you create a network security policy, you must define procedures to defend your network and users against harm and loss. With this objective in mind, a network design and the included components play an important role in implementing the overall security of the organization.

An overall security solution includes design elements and components such as firewalls, VLANS, and perimeter network boundaries that distinguish between private networks, intranets, and the Internet. This section discusses these elements and will help you tell them apart and understand their function in the security of the network.

Demilitarized Zone

A demilitarized zone (DMZ) is a small network between the internal network and the Internet that provides a layer of security and privacy. Both internal and external users may have limited access to the servers in the DMZ. Figure 3.3 depicts a DMZ.

Often, web and mail servers are placed in the DMZ. Because these devices are exposed to the Internet, it is important that they are hardened and patches are kept current. Table 3.2 lists the most common services and ports that are run on servers inside the DMZ.

Table 3.2  Commonly Used Ports on Servers in the DMZ

Port  Service
21    FTP
22    SSH
25    SMTP
53    DNS
80    HTTP
110   POP3
443   HTTPS

The DMZ is an area that allows external users to access information that the organization deems necessary but will not compromise any internal organizational information. This configuration allows outside access, yet prevents external users from directly accessing a server that holds internal organizational data.
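The zone separation described above, as an added example that is not part of the original text: a small Python policy checker that encodes the two DMZ rules (external and internal users reach only the published Table 3.2 services; the Internet never reaches an internal server directly) and evaluates constructed sample connection attempts against them. The address ranges, host addresses and function names are assumptions made for the example.

```python
import ipaddress
from typing import NamedTuple

# Constructed address plan (assumed for the example): 192.0.2.0/24 stands in
# for the DMZ segment, 10.0.0.0/8 for the internal network; all else is Internet.
ZONES = {"dmz": ipaddress.ip_network("192.0.2.0/24"),
         "internal": ipaddress.ip_network("10.0.0.0/8")}

# Table 3.2: commonly used ports on servers in the DMZ.
DMZ_PORTS = {21: "FTP", 22: "SSH", 25: "SMTP", 53: "DNS",
             80: "HTTP", 110: "POP3", 443: "HTTPS"}

class Flow(NamedTuple):
    src: str    # source IP address
    dst: str    # destination IP address
    dport: int  # destination TCP/UDP port

def zone_of(addr: str) -> str:
    """Map an address to 'dmz', 'internal' or 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def evaluate(flow: Flow) -> str:
    """Return 'allow', or a 'deny: ...' string naming the violated rule."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    # External users must never reach an internal data server directly.
    if src_zone == "internet" and dst_zone == "internal":
        return "deny: Internet may not reach the internal network directly"
    # Internal and external users get only the published DMZ services.
    if dst_zone == "dmz" and flow.dport not in DMZ_PORTS:
        return f"deny: port {flow.dport} is not a published DMZ service"
    return "allow"

def audit(flows):
    """Evaluate a batch of flows; returns a list of (flow, verdict) pairs."""
    return [(f, evaluate(f)) for f in flows]

if __name__ == "__main__":
    # Constructed sample connection attempts (RFC 5737 TEST-NET addresses).
    sample = [Flow("203.0.113.7", "192.0.2.10", 443),   # Internet -> DMZ web
              Flow("203.0.113.7", "192.0.2.10", 3389),  # unpublished port
              Flow("203.0.113.7", "10.1.2.3", 445),     # Internet -> internal
              Flow("10.1.2.3", "192.0.2.10", 22)]       # internal -> DMZ SSH
    for flow, verdict in audit(sample):
        print(f"{flow.src} -> {flow.dst}:{flow.dport}  {verdict}")
```

The same checker can be pointed at exported firewall rules or flow records to confirm that an implemented ruleset matches the intended DMZ design.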

Remote Access

To protect your corporate data from attacks by intruders and from access by unauthorized users, you need to plan for and implement remote access security. You should authenticate remote access clients attempting to establish a remote connection with the remote access server. To secure connections to the corporate network, you can configure properties that either allow or deny remote access. You can also base authorization on the calling phone number or the destination phone number.

There are a number of strategies that you can use to secure remote access connections:

  • Control access through the Dial-in Properties of an individual user account. This is the account that remote access clients utilize to connect to the network.
  • Create and configure remote access policies.
  • Create and configure remote access profiles.
  • Configure remote access authentication and encryption.
  • Use Remote Authentication Dial-In User Service (RADIUS) to provide authentication, authorization, and accounting for your remote access implementation.
  • Configure advanced security features such as smart cards and callback security.
  • Raise the domain functional level to provide additional security features for your remote access implementation.

Telephony

The transmission of data through equipment in a telecommunications environment is known as telephony. Telephony includes transmission of voice, fax, or other data. This section describes the components that need to be considered when securing the environment. Often, these components are neglected because they are not really network components. However, they use communications equipment that is susceptible to attack and therefore must be secured.

Modems

Modems are used via the phone line to dial in to a server or computer. They are gradually being replaced by high-speed cable and Digital Subscriber Line (DSL) solutions, which are faster than dial-up access. However, some companies still use modems for employees to dial into the network and work from home. The modems on network computers or servers are usually configured to take incoming calls. Leaving modems open for incoming calls with little to no authentication for users dialing in can be a clear security vulnerability in the network. For example, war-dialing attacks take advantage of this situation.

War-dialing is the process by which an automated software application is used to dial numbers in a given range to determine whether any of the numbers are serviced by modems that accept dial-in requests. This attack can be set to target connected modems that are set to receive calls without any authentication, thus allowing attackers an easy path into the network. You can resolve this problem area in several ways:

  • Set the callback features to have the modem call the user back at a preset number.
  • Make sure authentication is required using strong passwords.
  • Be sure employees have not set up modems at their workstations with remote-control software installed.

Cable and DSL modems are popular these days. They act more like routers than modems. Although these devices are not prone to war-dialing attacks, they do present a certain amount of danger by maintaining an always-on connection. If you leave the connection on all the time, a hacker has ample time to get into the machine and the network. The use of encryption and firewall solutions will help keep the environment safe from attacks.

VOIP

VoIP uses the Internet to transmit voice data. A VoIP system might be composed of many different components, including VoIP phones, desktop systems, PBX servers, and gateways. VoIP PBX servers are susceptible to the same types of exploits as other network servers. These attacks include DoS and buffer overflows, with DoS being the most prevalent. In addition, there are voice-specific attacks and threats. H.323 and Inter Asterisk eXchange (IAX) are specifications and protocols for audio/video. They enable VoIP connections between servers and enable client/server communication. The H.323 and IAX protocols can be vulnerable to sniffing during authentication, which allows an attacker to obtain passwords that may be used to compromise the voice network.

Session Initiation Protocol (SIP) is commonly used in instant messaging, but it can also be used as an alternative for VoIP. Using SIP can leave VoIP networks open to unauthorized transport of data. Man-in-the-middle attacks between the SIP phone and the SIP proxy allow the audio to be manipulated, causing calls to be dropped, rerouted, or replayed. Many components comprise a VoIP network, and VoIP security is built upon many layers of traditional data security. Therefore, access can be gained in many areas.

Implementing the following solutions can help mitigate the risks and vulnerabilities associated with VoIP:

  • Encryption
  • Authentication
  • Data validation
  • Nonrepudiation

Layered Security/Defense In Depth

Layered security refers to security systems that use multiple components to protect operations on multiple levels, or layers. This term is closely related to defense in depth, which is based on a slightly different idea: multiple strategies and resources are used to slow, block, delay, or hinder a threat until it can be completely neutralized. Layered security may also be known as layered defense.

The central idea behind layered security or defense is that in order to protect systems from a broad range of attacks, using multiple strategies will be more effective. Layered security can involve security protocols at the system or network levels, at the application level, or at the transmission level, where security experts may focus on data in use over data at rest.

Layered security efforts attempt to address problems with different kinds of hacking or phishing, denial of service attacks and other cyber attacks, as well as worms, viruses, malware and other kinds of more passive or indirect system invasions.