Security is a full-time job, but keeping an eye on your perimeter network can cut down the work.
- By Bill Heldman
- July 01, 2002
The .NET revolution is going to change everything. Bill Gates' idea about
a universal computing environment includes a vision for wireless devices,
the tablet PC and other unique offerings. Virtual Private Networks VPNs
will allow telecommuters to connect to the private network from anywhere
in the world. Wireless Access Points WAPs will make it handy for people
whose jobs require them to roam but remain connected to the network to
interact from anywhere within the range of an access point. Enhanced e-commerce
software will enable "mom and pop" shops that couldn't participate with
the big boys on the Internet to get their businesses put into the virtual
world and accomplish it in a secure way.
At the same time the viruses keep comingdevelopers of malicious
code keep writing disruptive wares. The hacker snoops keep trying to get
into places they shouldn't be to obtain things they shouldn't have.
So, how does an administrator balance the very cool things coming down
the wire (and sometimes already here) with the need for security and safety?
As a security administrator, you have two overarching goals: you want
to keep unwanted visitors from coming into your Internet sites and private
networks and performing malicious activities and also you want to keep
your private network users out of Internet sites they shouldn't be going
to. It sounds like a lot, but the majority of the activity pivots around
one place: the perimeter network.
First Line of Defense: NAT
The perimeter network is the place at which users enter or leave
your network, based upon the restrictions you put in place. Figure 1 shows
your internal network connected with the Internet. There's nothing to
protect you from malicious users on the Internet with the exception of
some fancy TCP/IP trickery that we'll discuss next. You probably have
a router or some other sort of connecting device in your company that
connects you by some kind of telephony circuit (T1, E1, T3, E3, ISDN,
DSL, etc.) to your ISP, who in turn is connected to the Internet. Routers
are the connecting devices that make the Internet work.
|Figure 1. A private network connected with the
Internet through an ISP.
In this scenario, there is no protection for the private network. Data
can easily traverse from the Internet inside or from the private network
out. However, even in this elementary setup, a network admin can take
some protective measures. For starters, the private network might be set
up on one of three reserved TCP/IP network addresses:
- Class A10.0.0.0 through 10.255.255.255
- Class B172.16.0.0 through 172.31.0.0
- Class C192.168.0.0 through 192.168.255.0
By setting up your private network on a reserved network address, you
require a device that uses Network Address Translation (NAT), which means
you're representing an internal user by using a valid IP address externally.
NAT-ting is something that Windows 2000 Advanced Server can do right out
of box, so it's pretty easy to provide a modicum of protection to an otherwise
Networks that use legitimate IP address ranges internally can potentially
be more easily hacked, so the idea of converting your network to a reserved
network address is a good one.
Also, the developers of TCP/IP designed in the idea of ports. There are
several thousand different ports, starting at port 0, that TCP/IP protocols
can potentially usesome of them are well-known, such as HTTP's port
80 and SMTP's port 25. (See
http://www.iana.org/assignments/port-numbers for more information
on TCP/IP ports.) Routers can be configured so that they'll only allow
incoming packets on certain ports (port 25 being the most common, because
people need to be able to receive Internet e-mail). Likewise, routers
can also be configured to bar internal users from utilizing certain ports
as well. For example, the FTP protocol (ports 20 and 21) is one that's
commonly blocked from internal use.
However, routers can be spoofed; that is, hackers have figured out workarounds
that can allow them to slip inside the door, regardless of the blocking
that has been established. Also, port 25 is famous for being hacked by
groups who want to utilize company's e-mail server to send blanket e-mail
documents out to hundreds of people. The process is called relaying. (Exchange
Server has been able to prevent relaying since Exchange 5.5 SP3).
You'll likely not prevent internal users from accessing HTTP port 80;
otherwise, users wouldn't be able to utilize the Internet. There is nothing
built into TCP/IP that allows you to keep internal users from surfing
out to porn or other sites that they shouldn't be allowed to visit.
Put Up a Firewall
So, what's a person to do? To build up your defenses, you begin
to develop a perimeter network. The first thing you'll start with is a
firewall (see Figure 2). A firewall is software (such as Microsoft Internet
Security and Acceleration Server) or hardware (such as a Cisco PIX) that
can be adjusted so that only certain categories of users are allowed outside
using certain protocols and so that you heavily regulate the kind of traffic
allowed inside. Typically the firewall sits behind the router.
|Figure 2. The private network resides behind
Firewalls use rules to do their work. Rules represent to the firewall
the way that you'd like to filter specific activities. You might have
a firewall rule that says "Allow all users in the Marketing group to access
HTTP port 80" or "Direct all incoming Internet traffic destined for SMTP
port 25 to internal e-mail server 10.1.2.2". (I must add that ISA server
is much more than a firewall. You may find it informative and fun to study
for and take the ISA Server exam.)
So, your firewall is in place and you're able to keep users from getting
outside to the Internet using certain protocols; you're also able to keep
external traffic from coming in. The router can continue to NAT or, depending
on the firewall you choose, it might be able to pick up the NAT-ting efforts,
leaving routers to do what they do bestsend data from one place
But what do you do about users who are going out to undesirable sites?
This is a risky area for corporations, who have to balance their own policies
for free access to information with what's appropriate to the workplace.
To accomplish this, you can implement Web filtering software.
Using intelligent Web filtering software (see Figure 3), you can
set up the kinds of sites that you don't want your internal users to visit
and then direct them to a warning page instead. You can also log the traffic
and generate reports showing where people have tried to go on the Internet.
Some great examples of Windows-based Web filtering software include Websense
(www.smartfilter.com) and Surfwatch
(www.surfwatch.com), but there
tons of others. Figure 3 shows your perimeter network, now with a Web
filtering server included.
|Figure 3. For extra protection, the Web filtering
software is usually set up behind the firewall.
Note: ISA Server isn't designed for robust out-of-box Web filtering,
though you can do some elementary filtering. Instead, ISA Server has a
feature that allows yuou to "snap in" a third-party Web filtering component.
Web filtering software generally uses files that list the "naughty" sites
by name and by IP address and contain any one or more code words that
denote what the site contains. Web filtering software companies' servers
"crawl" the Internet on a daily basis, looking for new sites, and then
update their files, which are downloaded on a regular basis to owners
of the software. (This is only one method; there are others.)
With quality Web filtering software products, you have the ability to
apply your filtering rules to groups of users, and you are provided with
lots of choices about sites you want to rule out: job search, travel,
romance, hate, religion, chat, gaming, pornography, jokes, sports and
entertainment to name a few. You can also generate reports on a single
user, a group of users or IP addresses, a specific site, etc. Some software
allows for reports to be routinely e-mailed to managers.
All companies, regardless of size, can benefit from the installation
and good quality management of a Web filtering server. While Web filtering
servers are essentially plug-n-play, it's a good idea to check in on them
daily to make sure they're working correctly. Also, if your users have
been working steadily without a Web filtering server, you should consider
developing an Internet policy and having them sign off as you implement
your server, so they don't think about suing your company for infringement
of their free speech (sounds silly, but it has happened). Check with your
company's management and legal eagles.
Now that your network is NAT-ted and has a firewall and Web filtering
software, is that enough protection? Not quitenext time, we'll discuss
intrusion detection and antivirus software and the importance of setting
up a DMZ.