Security Appendix C: Best Practices for network security
Steve Riley, Microsoft Communications Industry Solutions Group Consulting Practice
August 7, 2000
This essay discusses recommended practices for network design and security. Although there are many ways to design and secure a network, only some methods and steps are widely favored in the industry.
Filtering routers: the first line of defense
You should use a filtering router to protect any Internet-facing firewall. This router has only two interfaces: one connected to the Internet and the other connected to the external firewall (or, if necessary, to a load-balanced firewall cluster). Nearly 90% of all attacks involve IP address spoofing, that is, changing the source address so that the packet appears to come from the internal network. There is no legitimate reason for an incoming packet to carry an internal source address. In addition, because the security of a network often depends on the security of the networks it connects to, it is best to prevent your own network from being used as a source of spoofed packets. A filtering router is the ideal way to achieve both goals.
The filtering router should be configured in an "allow all except what is specifically denied" state. Its ACL performs the following actions:
Defines an ingress filter that rejects incoming traffic whose source address is an internal network address.
Defines an egress filter that rejects outgoing traffic whose source address is not an internal network address.
Rejects all incoming or outgoing traffic whose source or destination address falls in any of the private address ranges defined in RFC 1918.
Allows all other incoming and outgoing traffic.
This prevents most attacks, because spoofing an internal address is almost a prerequisite for all attacks. Configure the firewall behind the filtering router in a "deny all except what is specifically allowed" state.
(This section is based on RFC 2267, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", January 1998.)
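The filtering router's four ACL actions above, modelled as an added Python example (this is not code from the original essay); the internal prefix 203.0.113.0/24 and every address used are constructed samples:

```python
# Added example: a model of the filtering router's ACL. The router sits
# between the Internet and the external firewall and only needs to know
# which prefix is "internal". All addresses are constructed samples.
import ipaddress

INTERNAL_NET = ipaddress.ip_network("203.0.113.0/24")  # assumed public block

# Private ranges from RFC 1918: packets to or from these are dropped in
# both directions because they should never appear on the Internet link.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

def _is_private(addr):
    return any(addr in net for net in RFC1918)

def filter_packet(direction, src, dst):
    """Return 'permit' or 'deny' for one packet.

    direction is 'in' (arriving from the Internet) or 'out' (leaving
    toward the Internet). The router is "allow all except what is
    specifically denied": only the three anti-spoofing rules deny.
    """
    src_ip, dst_ip = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    # Ingress filter: traffic from the Internet must not claim an
    # internal source address.
    if direction == "in" and src_ip in INTERNAL_NET:
        return "deny"
    # Egress filter: traffic leaving must carry an internal source, so
    # this network cannot be used to launch spoofed packets at others.
    if direction == "out" and src_ip not in INTERNAL_NET:
        return "deny"
    # RFC 1918 addresses are rejected in both directions.
    if _is_private(src_ip) or _is_private(dst_ip):
        return "deny"
    # Everything else is allowed here; the firewall behind the router
    # applies the "deny all except what is specifically allowed" policy.
    return "permit"
```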
For environments with high availability requirements, use two filtering routers and connect each of them to a pair of firewall load-balancing devices.
Firewalls: tiered protection
A typical demilitarized zone (DMZ) has two firewalls. The external firewall is configured to allow only the traffic required between the Internet and the DMZ. The internal firewall is configured to protect the internal network from the DMZ; the DMZ is an untrusted network, so the internal network must be protected from it.
What is a DMZ? Consider the only political DMZ in the world: the zone between the two Koreas. A DMZ is defined by its protected boundaries, in this case two geographical boundaries, each monitored and guarded by a separate entity. A network DMZ is very similar: a separate network segment connected to (usually) two other networks through separate physical firewalls.
DMZ versus screened subnet. A common approach is to use a single physical firewall with multiple interfaces: one connected to the Internet, a second connected to the internal network, and a third connected to the area commonly called the DMZ. This architecture is not a true DMZ, because a single device is responsible for multiple protected areas. The correct name for this scheme is a screened subnet. Screened subnets have a serious flaw: a single successful attack on the firewall can compromise the entire network, because every segment is connected to that one device.
The advantages of a DMZ. Why deploy a DMZ? Network attacks are increasing; some are pranks done for fun or to show off, others are serious, purposeful corporate espionage and sabotage. An effective security architecture is a barrier to attack and must be able to adapt. A true DMZ architecture has the following advantages:
Targeted security policy. Each firewall enforces a policy specific to what it protects.
Defense in depth. When one layer is compromised, the separate physical devices give the security administrator more time to respond. This is the single most important reason to deploy a true DMZ rather than a screened subnet.
Better performance. Responsibility for inspecting traffic is split between the two devices, and each device is configured for one specific protected area.
Scalability. You can scale each firewall as needed; the external firewall typically handles a much higher load than the internal firewall. Technologies such as Radware's FireProof can balance load across firewall farms.
No single point of failure. For high availability, deploy at least a pair of firewall load balancers in front of a pair of firewalls. This lets the firewall tier mirror the redundancy of the DMZ core switches.
Firewall types
There are currently three types of firewalls:
Basic packet filters.
Stateful inspection packet filters.
Application proxies.
Basic packet filters. Simple packet filtering is commonly used as a firewall because almost all routers can perform it. A packet filter simply compares the ports, protocols, and addresses of incoming and outgoing packets against a set of rules; packets that do not match a rule are dropped by the firewall. Basic packet filtering provides little security because many types of attacks easily bypass it.
Stateful inspection packet filters. These firewalls examine the flow of traffic in addition to individual packets. The stateful inspection engine tracks the start of each connection and ensures that all subsequent traffic corresponds to a previously recorded connection. Unsolicited packets that comply with the firewall rules but cannot be mapped to any connection are dropped. Stateful inspection is more secure than basic packet filtering, but it remains vulnerable to attacks carried inside a protocol the firewall allows, such as HTTP. Neither type of packet filter parses the contents of packets, and neither reassembles fragmented packets before evaluating them against the rule set, so certain attacks can be delivered successfully using carefully crafted fragments.
Application proxies. Application proxies provide the highest level of security. Connections do not pass through the proxy: an incoming connection terminates at the proxy, and the proxy opens its own connection to the target server. The application proxy examines the payload and determines whether it conforms to the protocol. For example, a normal HTTP request has certain characteristics; an attack carried over HTTP deviates from them (most notably, the request carries far more incoming data than a legitimate one) and is dropped. Application proxies are also not vulnerable to fragmentation attacks. Because of the processing load placed on the proxy, it is the slowest of the three firewall technologies.
So which is the best technology? The answer depends on the level of security you need. Some stateful inspection firewalls are beginning to add application proxy functions; Check Point's FireWall-1 is one example.
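The difference between a basic packet filter and a stateful inspection engine described above, as an added Python example (not code from the original essay); the rule set, the web server address WEB_SERVER, and the client addresses are constructed samples, and only header fields are modelled since neither filter type looks at the payload:

```python
# Added example: a toy model contrasting a basic packet filter with a
# stateful inspection engine. Assumed rule set: the DMZ web server
# WEB_SERVER accepts TCP port 80 from anywhere; nothing else is allowed
# inbound. All addresses are constructed samples.

WEB_SERVER = "203.0.113.5"   # constructed DMZ web server address

def packet(src, sport, dst, dport, flags, proto="tcp"):
    """Build a minimal packet record holding only header fields."""
    return {"src": src, "sport": sport, "dst": dst, "dport": dport,
            "flags": flags, "proto": proto}

def basic_filter(pkt):
    """Stateless check: each packet is judged on its own header fields.
    A stray mid-stream ACK to port 80 passes even with no connection."""
    if pkt["proto"] == "tcp" and pkt["dst"] == WEB_SERVER and pkt["dport"] == 80:
        return "permit"
    return "deny"

class StatefulFilter:
    """Applies the same rules, but also records each connection that was
    opened (TCP SYN) and drops packets that match the rules yet belong to
    no recorded connection, which is what the stateful engine does."""

    def __init__(self):
        self.connections = set()   # (client ip, client port) pairs seen

    def inspect(self, pkt):
        if basic_filter(pkt) == "deny":
            return "deny"                      # static rules still apply
        flow = (pkt["src"], pkt["sport"])
        if pkt["flags"] == "SYN":
            self.connections.add(flow)         # a new connection is opening
            return "permit"
        if flow in self.connections:
            return "permit"                    # part of a known connection
        return "deny"                          # unsolicited: no connection
```

Neither class inspects the payload, which is exactly the gap the application proxy closes.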
Host-based firewall protection. Defense in depth should be the design goal of any security plan. A filtering router and a traditional DMZ provide three tiers of protection, which is usually sufficient for most network services. For a high-security environment, a host-based firewall provides another layer of protection. A host-based firewall lets the security administrator define a detailed policy so that the server's IP stack is open only to the ports and protocols required by the applications on that server. Some host-based firewalls also implement outbound protection, to help ensure that one compromised machine cannot affect other machines on the same network. Of course, host-based firewalls add to the ordinary burden of system administration; consider adding host-based protection only to servers that hold critical data.
DMZ architecture: security and performance
Another common type of attack is sniffing packets off the wire. A network built with simple hubs is vulnerable to this attack, although anti-sniffing tools have recently appeared (they are often unreliable, and can themselves become a serious issue). Replacing hubs with switches eliminates this vulnerability. In a shared-media network (one built with hubs), every device can see all the traffic. Normally a network interface does not process frames that are not addressed to it, but an interface in promiscuous mode passes the contents of every frame up the computer's protocol stack. That information can be of great value to an attacker with a protocol analyzer.
A switched network actually prevents this. The network interface of any machine on a switched network sees only the frames specifically sent to that interface; promiscuous mode makes no difference here, because the NIC never receives the other traffic. The only known way for an attacker to sniff a switched network is to compromise the switch itself and alter its operation so that at least one port is flooded with all traffic. Compromising a switch is difficult and would quickly be noticed by the network administrator.
Switched networks also eliminate the need for dual-homed DMZ servers. Dual-homing provides no additional protection, and an extra NIC does not prevent attacks from a compromised computer. However, two NICs may be appropriate where high availability or high performance is required.
Eliminating the point of failure. Two NICs are necessary in an environment that requires high availability. A practical design has two switches in the core and two NICs per server, with one NIC connected to each switch.
What about the internal network? For the same reasons, internal networks should also be built with switches. If high availability is required, follow the same principles as in the DMZ.
Cluster interconnects. Use hubs to connect cluster nodes, both in the DMZ and on the internal network. Crossover cables are not recommended by Microsoft because they do not provide the electrical signaling needed for media-sense operation to work correctly.
IPsec: a more secure option for trusting the DMZ
If all servers run Windows 2000, you should use Internet Protocol security (IPsec) to secure all communication between the DMZ and the internal network. IPsec provides the following:
Authentication. You can define a policy so that only computers that need to communicate with each other are able to do so.
Encryption. An intruder who has compromised the DMZ cannot read or interpret traffic to the internal network.
Protection. IPsec protects the network against replay attacks, man-in-the-middle attacks, and attacks carried over standard protocols such as ICMP or HTTP (attacks that pass straight through basic and stateful inspection packet-filtering firewalls).
When IPsec is enabled, the internal firewall need allow only IPsec, IKE, Kerberos, and DNS traffic, which further strengthens the security of the internal network; the internal firewall exposes nothing else. With standard firewall rules that open holes for a variety of applications, an intruder can map the firewall's policy with a tool such as firewalk; encapsulating all traffic in IPsec and allowing only that protocol hides implementation details that could be useful to an attacker (but see also "possible security implications" below). The following table lists the services that should be opened on the firewall:
Service	Location	Description