Appendix C: Best Practices for Network Security
Steve Riley, Microsoft Communications Industry Solutions Group Consulting Practice
August 7, 2000
This essay describes recommended practices for network design and security. There are many ways to design and secure a network; the methods and steps described here are the ones most widely favored by practitioners in the industry.
Filtering routers - the first line of defense
Use a filtering (screening) router to protect any Internet-facing firewall. The router has only two interfaces: one connected to the Internet and the other connected to the external firewall (or, where needed, a load-balanced firewall cluster). Nearly 90% of all attacks involve IP address spoofing, that is, forging the source address so that a packet appears to come from the internal network. There is no legitimate reason for a packet arriving from the Internet to carry an internal source address. In addition, because the security of a network usually depends on the security of the networks it is connected to, it is in everyone's interest to prevent your own network from being used as a source of spoofed packets. A filtering router is the ideal place to enforce both of these goals.
The filtering router should be configured in the "allow all except what is specifically denied" style (all traffic is permitted except what a rule explicitly rejects). The ACL then does the following:
Defines an ingress filter that rejects incoming traffic whose source address is an internal network address.
Defines an egress filter that rejects outgoing traffic whose source address is not an internal network address.
Rejects all incoming or outgoing traffic whose source or destination address falls within any of the private address ranges defined in RFC 1918.
Allows all other incoming and outgoing traffic.
This stops the bulk of attacks, because spoofing an internal address is a basic ingredient of almost all of them. The firewall behind the filtering router is configured in the opposite style, "deny all except what is specifically allowed" (all traffic is rejected except what a rule explicitly permits).
(This section is based on RFC 2267, "Network Ingress Filtering: Defeating Denial of Service Attacks which employ IP Source Address Spoofing", January 1998. RFC 2267 has since been superseded by RFC 2827, published as BCP 38, which carries the same recommendations.)
For environments with high-availability requirements, use two filtering routers and connect both of them to a pair of firewall load-balancing devices.
Firewalls - tiered protection
A typical demilitarized zone (DMZ) sits between two firewalls. The external firewall is configured to allow only the traffic required between the Internet and the DMZ. The internal firewall is configured to protect the internal network from the DMZ: the DMZ is an untrusted network, because its hosts are the ones exposed to the Internet and must be assumed compromisable, so the internal network has to be shielded from it and only the specific DMZ-to-internal flows that are actually required should be permitted.
What is a DMZ? Consider the best-known political DMZ, the zone between the two Koreas. A DMZ is defined by its protected boundaries: in that case two geographical boundaries, each monitored and guarded by a separate party. A network DMZ is very similar: a separate network segment joined to (usually) two other networks through separate physical firewalls.
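The two sections above (the filtering router's "allow all except" anti-spoofing ACL, and the two-firewall DMZ with "deny all except" policies) can be modelled together as a chain of enforcement points that a packet crosses on its way from one zone to another. The block below is an example added to this page, not code from Riley's essay or from any product; the address plan (RFC 5737 documentation ranges), the ports and both rule sets are assumptions chosen for illustration. The key design point it shows is that each packet is evaluated at the zone it physically enters from, never at the zone its source address claims, which is exactly what lets the router's ingress filter catch the spoofed packet.

```python
"""Model of the edge design described above: a screening router whose ACL is
"allow all except what is specifically denied", in front of an external and an
internal firewall that are both "deny all except what is specifically allowed".
Example code added to this page, not from the essay; addresses, ports and rules
are assumptions chosen for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan (RFC 5737 ranges): one announced /24, DMZ and LAN carved out of it.
PUBLIC_NET = ip_network("203.0.113.0/24")      # assumption: our routed prefix
DMZ_NET = ip_network("203.0.113.0/26")         # assumption: DMZ segment
INTERNAL_NET = ip_network("203.0.113.128/25")  # assumption: internal LAN
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str = "tcp"
    dport: int = 0

def screening_router(pkt, direction):
    """Router ACL. direction is 'in' (arrived on the Internet interface) or
    'out' (arrived on the firewall interface). True means forwarded."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    if direction == "in" and src in PUBLIC_NET:       # ingress filter (RFC 2267)
        return False
    if direction == "out" and src not in PUBLIC_NET:  # egress filter
        return False
    if any(src in n or dst in n for n in RFC1918):    # RFC 1918 never crosses the link
        return False
    return True  # everything not specifically denied is allowed

# Firewall allow rules: (src_net, dst_net, proto, dport); None is a wildcard. Unmatched = drop.
EXTERNAL_FW_RULES = [
    (None, DMZ_NET, "tcp", 80),   # Internet -> DMZ web server
    (None, DMZ_NET, "tcp", 25),   # Internet -> DMZ mail relay
    (DMZ_NET, None, "tcp", 25),   # relay -> Internet mail
    (DMZ_NET, None, "tcp", 80),   # DMZ web proxy -> Internet (assumed)
]
INTERNAL_FW_RULES = [
    (DMZ_NET, INTERNAL_NET, "tcp", 25),    # relay -> internal mail server only
    (INTERNAL_NET, DMZ_NET, "tcp", 3128),  # users -> DMZ proxy (assumed)
    (INTERNAL_NET, DMZ_NET, "tcp", 22),    # admins -> DMZ hosts (assumed)
]

def firewall(rules, pkt):
    """First matching allow rule wins, otherwise drop. Return traffic is not modelled."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for s, d, proto, port in rules:
        if ((s is None or src in s) and (d is None or dst in d)
                and pkt.proto == proto and pkt.dport == port):
            return True
    return False

def zone_of(addr):
    a = ip_address(addr)
    if a in DMZ_NET:
        return "dmz"
    return "internal" if a in INTERNAL_NET else "internet"

# Enforcement points crossed from the zone a packet physically enters at, outermost first.
HOPS = {
    ("internet", "dmz"): ["router", "external-fw"],
    ("internet", "internal"): ["router", "external-fw", "internal-fw"],
    ("dmz", "internet"): ["external-fw", "router"],
    ("dmz", "internal"): ["internal-fw"],
    ("internal", "dmz"): ["internal-fw"],
    ("internal", "internet"): ["internal-fw", "external-fw", "router"],
}

def trace(pkt, origin):
    """Return (delivered, dropping_point_or_None); the claimed source is not trusted."""
    dst_zone = zone_of(pkt.dst)
    if dst_zone == origin:
        return True, None
    for point in HOPS[(origin, dst_zone)]:
        if point == "router":
            ok = screening_router(pkt, "in" if origin == "internet" else "out")
        elif point == "external-fw":
            ok = firewall(EXTERNAL_FW_RULES, pkt)
        else:
            ok = firewall(INTERNAL_FW_RULES, pkt)
        if not ok:
            return False, point
    return True, None

# Constructed sample traffic (not captured data): (label, packet, zone it enters from).
SAMPLES = [
    ("web from Internet", Packet("198.51.100.7", "203.0.113.10", "tcp", 80), "internet"),
    ("spoofed internal source", Packet("203.0.113.200", "203.0.113.10", "tcp", 80), "internet"),
    ("Internet straight to LAN", Packet("198.51.100.7", "203.0.113.200", "tcp", 80), "internet"),
    ("compromised DMZ host", Packet("203.0.113.10", "203.0.113.200", "tcp", 445), "dmz"),
    ("relay to mail server", Packet("203.0.113.25", "203.0.113.200", "tcp", 25), "dmz"),
]

def run_samples():
    """Trace every sample; returns [(label, delivered, dropped_by), ...]."""
    return [(label, *trace(pkt, origin)) for label, pkt, origin in SAMPLES]
```

Calling run_samples() shows the layering at work: the legitimate web request and the relay-to-mail-server flow are delivered, the packet arriving from the Internet with an internal source address dies at the router's ingress filter, an Internet packet aimed directly at the LAN is stopped by the external firewall because no rule covers it, and a compromised DMZ host probing the LAN on port 445 is stopped by the internal firewall's default deny. Because the firewalls are default-deny with source-constrained rules, the router's egress filter rarely has to act, but it is still the control that keeps spoofed packets from leaving if a firewall is misconfigured; screening_router(pkt, "out") can be called directly to exercise it.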