Secure by Design
William Kramp
In the past ten years, network connectivity has undergone some major changes for many businesses. In 1989, most companies had networks that were physically contained within a single location. If a company did have remote sites, connectivity was done with private, leased circuits. This limited the exposure of the company network from unauthorized access to dial-in modems. At that time, the Internet was predominately used for educational and research purposes. Security was a concern, but it was usually host-based. If there wasn't a need for administrative users to access the Internet, a site could enhance security by physically isolating administrative systems from academic systems.
With the introduction of the graphical Web browser in the early 1990s, text, sounds, and images could be linked together into a hypermedia document. This hypermedia document provided a new format for distributing information for both businesses and educational institutions. It also opened up the Internet to users who didn't understand how to use tools like gopher, telnet, and ftp. This shift in how the Internet was used caused a change in how networks were configured and secured. Business networks could not remain isolated from the Internet; neither could educational institutions keep their academic and administrative networks separate.
Designing A Secure Network Designing a network that balances the need for users to access resources on the Internet, and which is also secure, can be a difficult task. If security is tightened too much, it will hinder access and can compel users to look for ways around it. This could lead to back doors in your defenses. On the other hand, weak security will allow attackers to access your network through the wide-open front door.
One philosophy that details the requirements of network security is the "CIA" triangle illustrated in Figure 1: confidentiality, integrity, and availability. Confidentiality represents the security aspect of the network. This is the level of security needed to protect the systems on the network. Integrity can be interpreted as the level of trust in the security configuration of the network. Auditing and network monitoring are used to confirm this trust. Availability is the ability, or lack thereof, of the users to access resources, internal or external.
The optimal security solution would be an even balance of the three requirements, placing the solution in the middle of the triangle. To increase one of the requirements, a reduction would be needed in one or two of the other requirements. This involves more than just the balance between open or restrictive access to the resources. It includes the balance between performance and the overhead of processing filtering rules. It also involves the time and effort to monitor the integrity of the network security. These are the compromises in terms of security, access, time, and costs. Trying to solve network security with a single solution will be very difficult. Instead of attempting to use a single CIA triangle for all the systems of an organization, use a different CIA triangle for the various security requirements of the systems you are protecting.
Network Security Layers Implementing network security in layers will help break the complexity of the security requirements into smaller, manageable portions. Place the most critical systems deep within the network. These are usually systems that do not need to have any direct, inbound contact with the outside world. The next layer would be systems that need to talk to both internal and external systems. The outer layer would be the systems providing services to the external network. The best security solution for high confidentiality of the inner network layer would be to have no connection to the outer layers. However, that would produce a situation of zero availability to external resources.
The host security requirements should increase for each layer that is closer to the outside world. This is not to say that system security should be lax on the innermost layer. But, as there will be a higher number of hosts on the inner layer. It's easier to concentrate the security at the access points to the outer layers.
At each division between a layer, a firewall device should be implemented, as shown in Figure 2. This should be done with an application level proxy, a filtering router, or, minimally, a filtering bridge. This provides a single point to limit access to internal resources.
Application Proxies The application layer proxy can be considered the most secure method of isolating the layers. These types of firewalls use proxies to run interference between two devices trying to communicate across layer boundaries. They understand the network service at the application level and can control the traffic.
An example of this type is Firewall Toolkit from Network Associates (formally TIS). Using the SMTP proxy of the Firewall toolkit, it will accept an SMTP request from the Internet at one of the layer boundaries. The advantage of this is that it protects the inner email systems from being directly attacked using security holes in mail transport agents such as Sendmail. The SMTP proxy uses one process for accepting the email, and a second process to forward the received email to the final destination. Any attempts to use command channel attacks will fail because of this isolation.
The SMTP proxy provides a limited set of commands to the outside world. Attempts to use the VRFY command to probe the internal systems for user information will simply cause the proxy to reply with a specially formatted response. It won't confirm or deny whether the user actually exists like a traditional SMTP server will. The proxy will not prevent data driven attacks, but that is the trade-off for allowing availability of the email service to the internal systems.
For each network service, a separate proxy or plug needs to be configured. This allows you to enable only the services that you wish to permit access. The old saying for this is, "That which is not expressly permitted, is denied". The application proxy firewall traditionally starts at the confidentiality point of the triangle and moves toward availability as services are added.
Another advantage of proxy type firewalls is that they will absorb the hit in certain types of denial of service attacks, isolating the internal servers from the abuse.
Filtering Devices Filtering routers or bridges can also be used to isolate the layers. These devices by default are used to allow traffic to flow between networks. To limit or restrict access, filtering rules must be configured. Filtering devices start at the availability point of the triangle and move toward confidentiality as rules are implemented.
One way to use these types of devices is to limit http access to outbound only. The filtering rules would be configured to allow internal clients to connect to external Web sites. But, the rules would block external clients from connecting to internal Intranet http servers. The exception to this would be for Web servers that need to allow external access from the Internet, but also have contact with an internal network. This is where the layering of networks becomes very important.
The Web server would exist on a middle DMZ (De-Militarized Zone) layer, between the inner, secure network layer and the outside Internet layer. An example of this would be a Web server that supported SMB access (NT and Samba) for file modifications. In the situation where the Web server was not protected by a firewall device, outside users on the Internet would only be restricted from accessing those files based on the host security configuration.
The filter between the Internet and the DMZ layer would be programmed to allow access to the http port of the Web server, but, it would block access to ports: 137, 138, and 139. These ports are used by SMB-based clients to access and modify the Web server files. You should also block port 135, because this is used for some communication between NT servers. The filter device between the secure inner network layer and the DMZ layer would be configured in a similar fashion. It would be programmed to block access to internal SMB servers from the Web server or the external filter device, but allow outbound access to the SMB ports of the Web server.
Integrity The integrity of the network security can be verified in several ways. One way is by auditing the firewall devices. This can involve checking the device to confirm that its configuration is correctly enforcing your security requirements. Part of this auditing will be to review the log files generated by the filtering devices. Another method for checking integrity of the network is to monitor the network traffic.
Auditing There are many ways to audit the firewall device. The most basic, but also the most important, is to compare the existing configuration to the written documentation. The documentation should be an implementation of your written security policy. Any undocumented changes could be the result of unauthorized or poorly planned changes to the configuration.
Application proxies and filtering devices provide different levels of logging. Most filtering routers and bridges will only provide logging information that a connection occurred. Essentially, it would only detail the IP number and socket for the source and destination with a date and time stamp. It would not detail any information at the application layer. This is where application proxies come in. Since the application proxies understand the connection at a higher layer than filtering devices, more detailed information can be provided. Information like the sender and recipient of email messages, as well as the size of the message, can be used to detect whether spammers are using your site for relaying. (Note that this can be prevented by properly configuring the SMTP proxy or internal SMTP servers to block this kind of activity.) The logging features of http requests can also provide similar information for both inbound and outbound connections.
Monitoring Another method of monitoring the integrity of the network security is with the use of tools like tcpdump or Network Flight Recorder. These applications are usually run on systems independent of the firewall devices. They can provide the same kind of data collection as those created by application proxies. This can make up for some of the shortcomings in logging of the filtering devices. These tools can also record attempts to probe or subvert the security of the network. tcpdump is the old standby on UNIX systems for data collection of network traffic. It can provide volumes of information of all the IP activity on the network. Setting rules to limit the amount of data it logs can reduce this. Running scripts to parse the collected data can reduce this data collection even more. The data can be used to generate usage reports, as well flag any network access violations.
Listed below is a simple Perl program using tcpdump to detect external access over a router to the SMB ports of hosts on your DMZ. The fourth line of code specifies that the SYN packets of TCP ports 135 and 139 should be captured. Line 5 specifies UDP packets to sockets 137 and 138 should also be captured. Line 6 tells tcpdump to collect only the UDP or TCP packets specified in lines 4 and 5 if the source or destination is not in local subnet. The local subnet for the DMZ, in this example, is the class B address range of 172.16.0.0. Lines 9-12 simply print each packet that has passed tcpdump's filtering rules. This section of code could be enhanced to log the data to a file and send some kind of notification to the Network or Security Administrator.
1) #!/usr/bin/perl
2) #
3) open (TCPDUMP, "tcpdump -l '\
4) (port (135 or 139) and (tcp[13] &2 != 0) ) or \
5) (port (137 or 138) and (udp) ) and \
6) (not src net 172.16.0.0 mask 255.255.0.0) \
7) ' |") || die "Unable to execute tcpdump command: $!\n";
8)
9) while(<TCPDUMP>) {
10) print $_;
11) };
Network Flight Recorder (NFR) is a more refined tool that uses a Web browser to view the data it collects. The collected data can be filtered, and viewed in many different formats from text listings to pie charts. NFR is available commercially, but can be downloaded and used for research purposes within the scope of their license agreement.
The basic configuration of NFR will allow you to collect network traffic data. It will allow you to view the source and destinations of each network connection. NFR will also list header information for http requests, as well as detect DNS and http servers operating on your local subnet. This is done with backends that can be modified by the user. New backends can be written to enhance or customize the capabilities of the product to your needs.
Conclusion By breaking up your network into smaller sections, you can focus on the security needs of those systems. This also gives the side benefit of multiple layers of defenses. As an attacker penetrates each layer, he will encounter tougher barriers. This approach will also buy the systems or network administrator more time to detect and respond to the intrusion.
Designing a secure network requires you to understand the needs of your users, and the security needs of the systems being protected. This will allow you to configure the network to balance the requirements for confidentiality, integrity, and availability.
References Building Internet Firewalls by D. Brent Chapman and Elizabeth D. Zwicky. 1995. O'Reilly and Associates.
Firewall Toolkit: http://www.tis.com
Network Flight Recorder: http://www.nfr.com
Courtney (A good example of using tcpdump to detect SATAN scans): http://ciac.llnl.gov/ciac/SecurityTools.html
About the Author
William Kramp is the network administrator at the Finger Lakes Community College in Canandaigua, New York. He currently uses NT and UNIX to perform network management and provide DNS, DHCP, firewall, and Web services. He can be reached at: krampwd@fingerlakes.edu.
|