Serious Perimeter Security
Use these two keywords to make your perimeter more secure.
by Danielle Ruest and Nelson Ruest

November 1, 2004

One of today's major focuses for security issues is the network perimeter. In the past, perimeter protection mostly consisted of a hardware or software firewall installation, but today it has become slightly more complex. That's because most attacks no longer occur at the network layer, but rather at the application layer. This is why you should concentrate on two keywords when dealing with perimeter security: the perimeter itself and wireless.

Determine Your Perimeter
The best defense system is a layered defense system. Each layer is designed to address potential threats and issues that target specific components of a complete network. One of the most important layers you must deal with is the perimeter, and the most important aspect of this layer is defining what is and what should be contained inside and outside the perimeter. Today's perimeters consist not only of the firewall but also of virtual private network (VPN) connections, routing and remote access (RRAS) to your internal network, and potentially, remote access from your network to the outside world. This often also involves providing secure access to services you render publicly. In that case, you might have to implement multiple authentication methods, including public key infrastructure (PKI) certificates, one of the most universal methods for supporting secure communications. And if you're dealing with the outside world and provide services to users whose desktops are out of your control, you'll also need to handle the publication of services from inside protected zones to public areas of the Internet. Finally, you might also have to include extranet services within your perimeter, which means providing a secure means of authentication for partners and remote customers.

To provide all of these services in an integrated and secure manner, you need a variety of tools. Of course, you still need the firewall. Protection at the hardware level is still deemed important as much for corporations as for the home user. Because you receive data from the Internet in the form of e-mail messages and Web page connections, you also need a filtering system as well as virus protection. You might even want to add an intrusion detection system if you are extremely conscious of the data you want to protect.

If you're publishing information or Web services to the Internet, the best level of protection you can implement will be in the form of a reverse proxy—a tool designed to publish Web information in a secure way by impersonating the Web server. Users think they are actually working on the Web server when in fact they are using the reverse proxy server. For external authentication services, you need platform-independent systems since you can't control the type of client visitors, even partners, will use. To allow traveling internal users to remotely access your network either through the Internet or through telephone communications, you need private authentication systems because here, you do control client operating systems and technologies.
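To make the reverse-proxy idea concrete, here is an added example (not code from the article, and not ISA Server) of a minimal HTTP reverse proxy that publishes a single section of an internal Web server. The client only ever talks to the proxy: the proxy relays the request to the origin, strips hop-by-hop headers in both directions, removes the headers that would reveal what software sits behind it, and refuses any path outside the published prefix. The loopback addresses, the `/public/` prefix, the `InternalIIS/6.0` banner and the header lists are all assumptions constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer
from urllib.error import HTTPError
from urllib.request import urlopen

# Hypothetical layout: the origin is an internal Web server on the private network,
# the proxy sits on the perimeter. Both run on loopback here so the example is offline.
ORIGIN_HOST = "127.0.0.1"
PUBLISHED_PREFIX = "/public/"   # only this part of the site is published (assumption)

# Hop-by-hop headers (RFC 7230 section 6.1) belong to one connection only
# and must not be relayed across the proxy.
HOP_BY_HOP = {"connection", "keep-alive", "proxy-authenticate", "proxy-authorization",
              "te", "trailers", "transfer-encoding", "upgrade"}
# Headers that would tell the client what really sits behind the proxy.
ORIGIN_REVEALING = {"server", "x-powered-by"}
# Headers the proxy regenerates itself from the body it re-sends.
REGENERATED = {"date", "content-length"}


def is_published(path: str) -> bool:
    """Relay only paths under the published prefix; refuse everything else."""
    return path.startswith(PUBLISHED_PREFIX) and ".." not in path


def outbound_headers(client_headers, origin_host_header: str) -> dict:
    """Headers sent on to the origin: hop-by-hop dropped, Host rewritten to the origin."""
    fwd = {k: v for k, v in client_headers if k.lower() not in HOP_BY_HOP | {"host"}}
    fwd["Host"] = origin_host_header
    return fwd


def inbound_headers(origin_headers) -> list:
    """Headers sent back to the client: hop-by-hop, origin-revealing and regenerated ones dropped."""
    blocked = HOP_BY_HOP | ORIGIN_REVEALING | REGENERATED
    return [(k, v) for k, v in origin_headers if k.lower() not in blocked]


class OriginHandler(BaseHTTPRequestHandler):
    """Stand-in for the internal Web server being published (constructed)."""
    server_version = "InternalIIS/6.0"   # banner the proxy must hide

    def do_GET(self):
        body = f"origin saw path {self.path}".encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(body)))
        self.send_header("X-Powered-By", "ASP.NET")
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):   # keep the demo quiet
        pass


class ReverseProxyHandler(BaseHTTPRequestHandler):
    """The perimeter proxy: the only host the outside client ever sees."""
    server_version = "Perimeter/1.0"

    def do_GET(self):
        if not is_published(self.path):
            self.send_error(403, "Not published")
            return
        origin_port = self.server.origin_port            # attached in start_server()
        conn = http.client.HTTPConnection(ORIGIN_HOST, origin_port, timeout=5)
        try:
            conn.request("GET", self.path, headers=outbound_headers(
                self.headers.items(), f"{ORIGIN_HOST}:{origin_port}"))
            resp = conn.getresponse()
            body, status, headers = resp.read(), resp.status, resp.getheaders()
        finally:
            conn.close()
        self.send_response(status)                       # adds the proxy's own Server/Date
        for name, value in inbound_headers(headers):
            self.send_header(name, value)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):
        pass


def start_server(handler_cls, **attrs):
    """Start a server on a free loopback port in a background thread."""
    srv = ThreadingHTTPServer((ORIGIN_HOST, 0), handler_cls)
    for name, value in attrs.items():
        setattr(srv, name, value)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv


def run_demo() -> dict:
    """Fetch through the proxy and report what an outside client can observe."""
    origin = start_server(OriginHandler)
    proxy = start_server(ReverseProxyHandler, origin_port=origin.server_address[1])
    base = f"http://{ORIGIN_HOST}:{proxy.server_address[1]}"
    seen = {}
    with urlopen(base + "/public/index.html") as r:
        seen.update(status=r.status, body=r.read().decode(),
                    server=r.headers.get("Server"), x_powered_by=r.headers.get("X-Powered-By"))
    try:
        urlopen(base + "/admin/")
        seen["unpublished_status"] = 200
    except HTTPError as e:
        seen["unpublished_status"] = e.code          # expected: 403 from the proxy
    origin.shutdown()
    proxy.shutdown()
    return seen


if __name__ == "__main__":
    print(run_demo())
```

Run stand-alone, the demo shows the client receiving the origin's body with a `Server` header naming the proxy, no `X-Powered-By`, and a 403 for the unpublished `/admin/` path. The header-filtering and path-check functions are kept separate from the socket handling so the publishing policy can be reviewed and tested without starting any server.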

In short, you need to build the protection layers in your perimeter in response to both perceived and anticipated needs, and you must include every connection type, from outside in and from inside out, in your definition of the perimeter. Too many organizations look only at the demilitarized zone as the perimeter and leave wide-open holes everywhere else in their infrastructure. This is why your perimeter defense strategy should also cover modems and other sporadic connectivity systems present in the network.

If you're working with Microsoft technologies, one great place to get information about how to design a complete perimeter defense system is the Microsoft Systems Architecture Guide. This comprehensive resource provides complete documentation on how to build a complete network (see Figure 1), including perimeter defenses. In fact, it is so detailed that it even covers how to configure your hardware firewalls (see Resources).

One other required piece of technology for any Microsoft-oriented network is Internet Security and Acceleration (ISA) Server 2004. Microsoft recently released a powerful new version of this application-layer firewall that includes many essential improvements. Microsoft concentrated on three areas of improvement for ISA Server 2004: improved network security, ease of use, and performance.

ISA's firewall feature now boasts new protocol support, letting users control access for any protocol, even at the Internet Protocol (IP) level. This supports improved integration and administration of VPN connections at both the Point-to-Point Tunneling Protocol (PPTP) and the Internet Protocol Security (IPSec) level, as well as improved user authentication. ISA 2004 also natively supports three authentication methods: Windows, Remote Authentication Dial-in User Service (RADIUS), and RSA Security's SecurID. The addition of RADIUS and direct integration of SecurID in ISA 2004 is a vast improvement because it allows organizations to create and implement "authentication gateways"—secure entry points into both intranets and extranets.

ISA 2004 supports multiple network configurations, letting you easily implement different connections for different networks, such as a private network along with an Internet connection, while applying the same, standard policies to all connections (see Figure 2). ISA 2004 now goes a long way toward helping you do more with less for perimeter security.
