Where should an administrator place an internet-facing host on the network?

So now that we have gotten over the blinding flashes of the obvious and my lame attempts at humor,  let’s dive into the elements of implementing a secure network:

  • Different zones and topologies,
  • Segmenting and isolating some elements, and
  • Using various network devices.

Once you’ve finished this article, you should have a good grasp of how to implement a secure network.

Network Zones and Topologies

Although most networks have Internet connectivity, only an inexperienced administrator would connect a network directly to the Internet. The secure way to implement a network is to divide it into different zones, using different topologies. Three terms that are relevant here are:

  • Intranet: An internal network to communicate and share content with each other. While it’s common for an intranet to include web servers, this isn’t a requirement.
  • Extranet: Part of a network that can be accessed by authorized entities from outside of the network.
  • The network perimeter: A boundary between the intranet and the Internet; boundary protection includes multiple methods to protect the network perimeter.

The Demilitarized Zone

A DMZ is a buffer zone between a private network and the Internet. Because attackers seek out servers on the Internet, servers placed directly on the Internet carry the highest risk. The DMZ provides a layer of protection for these Internet-facing servers, while still allowing clients to connect to them.

Layout of a typical secure network with a DMZ.

The diagram above shows the DMZ as the area between the internal and external firewall, hosting several Internet-facing servers. Many DMZs have two firewalls, creating a buffer zone between the Internet and the internal network that provides access to the services hosted in the DMZ while segmenting access to the internal network:

  • One firewall separates the DMZ from the Internet.
  • The second firewall separates the DMZ from the internal network.

Each firewall includes detailed rules designed to filter traffic and protect both the internal network and the public servers. 

  • The external firewall can have rules to allow traffic to the servers in the DMZ, but block unsolicited traffic to the internal firewall.
  • The mail server sends and receives email to and from other email servers on the Internet through port 25 of both the external and internal firewall.
  • The web server hosts web pages for any Internet user through ports 80 and 443 on the external firewall, but the internal firewall blocks incoming traffic on these ports.
  • The Certificate Authority (CA) server validates certificates for Internet clients by answering through the external firewall.
  • The internal firewall allows traffic between the web server (and only the web server) and the database server on port 1433, but blocks all other Internet traffic to the database server.
  • The web server and database server can be part of an extranet:
    • The web server may host a site for users to place orders.
    • The web server first authenticates users before granting them full access.
    • After users log on, the web site connects to the back-end database server, allowing them to browse the inventory and place orders.

The DMZ can host any Internet-facing server, including FTP servers used for uploading/downloading files and virtual private network (VPN) servers used for providing remote access.
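To make the two-firewall rule set above concrete, here is an added example (not code from the original article) that models both firewalls as ordered allow lists with a default deny and applies each one a packet would have to cross. All addresses and the DMZ/internal ranges are constructed placeholders; the ports (25, 80, 443, 1433) are the ones the text describes.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network

# Constructed sample addresses; none of them come from the original article.
ANY, DMZ, INTERNAL = ip_network("0.0.0.0/0"), ip_network("192.0.2.0/24"), ip_network("10.0.0.0/8")
WEB, MAIL, DB = ip_network("192.0.2.10/32"), ip_network("192.0.2.25/32"), ip_network("10.0.5.20/32")

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                       # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dports: frozenset = frozenset()   # empty set means any port

    def matches(self, p: Packet) -> bool:
        return (ip_address(p.src) in self.src and ip_address(p.dst) in self.dst
                and (not self.dports or p.dport in self.dports))

def evaluate(rules, p: Packet) -> str:
    """First matching rule wins; unmatched traffic is dropped (default deny)."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"

# External firewall: the Internet may reach only the published DMZ services.
EXTERNAL_FW = [Rule("allow", ANY, WEB, frozenset({80, 443})),
               Rule("allow", ANY, MAIL, frozenset({25}))]

# Internal firewall: only the web server reaches the database, and only on 1433;
# the mail server may relay on 25; nothing else from the DMZ or Internet gets in.
INTERNAL_FW = [Rule("allow", WEB, DB, frozenset({1433})),
               Rule("allow", MAIL, INTERNAL, frozenset({25}))]

def zone(addr: str) -> str:
    a = ip_address(addr)
    return "internal" if a in INTERNAL else "dmz" if a in DMZ else "internet"

def path_decision(p: Packet) -> str:
    """Apply each firewall the packet must cross: the external one when it
    arrives from the Internet, the internal one when it is bound inward."""
    if zone(p.src) == "internet" and evaluate(EXTERNAL_FW, p) == "deny":
        return "deny"
    if zone(p.dst) == "internal" and evaluate(INTERNAL_FW, p) == "deny":
        return "deny"
    return "allow"
```

Because the default is deny, an Internet client that tries port 1433 on the database server is stopped at the external firewall, and the mail server cannot reach the database at all even though it sits in the same DMZ as the web server.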

Network and Port Address Translation

Network Address Translation (NAT) is a protocol to translate public IP addresses to private IP addresses and private addresses back to public.

You’ll often see NAT enabled on an Internet-facing firewall.

A commonly used form of NAT is network address and port translation, commonly called Port Address Translation (PAT). If you run a network at your home (such as a wireless network), the router that connects to the Internet is very likely running NAT. Some of the benefits of NAT include:

  • Public IP addresses don’t need to be purchased for all clients:
    A home or company network can include multiple computers that can access the Internet through one router running NAT. Larger companies requiring more bandwidth may use more than one public IP address.
  • NAT hides internal computers from the Internet: Computers with private IP addresses are isolated and hidden from the Internet. NAT provides a layer of protection to these private computers because they aren’t as easy to attack and exploit from the Internet.
  • A drawback of NAT is that it is not compatible with IPsec. You can use IPsec to create VPN tunnels and use it with L2TP to encrypt VPN traffic. Although there are ways of getting around NAT’s incompatibility with IPsec, if your design includes IPsec going through NAT, you’ll need to look at it closely.
  • NAT can be either static NAT or dynamic NAT:
    • Static NAT: Uses a single public IP address in a one-to-one mapping. It maps a private IP address to a single public IP address.
    • Dynamic NAT: Uses multiple public IP addresses in a one-to-many mapping, deciding which public IP address to use based on load. For example, if several users are connected to the Internet on one public IP address, NAT maps the next request to a less-used public IP address.
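The following added example (not from the original article) shows why PAT lets many hosts share one public address and why it hides them: each outbound flow is assigned a distinct public source port, and an inbound packet is only forwarded when it matches an existing mapping. A small static NAT class shows the one-to-one case by contrast. All IP addresses are constructed placeholders.

```python
from dataclasses import dataclass
from itertools import count

@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int

class PortAddressTranslator:
    """PAT: many private hosts share one public IP. Each outbound flow is given
    its own public source port, and that port is the key that maps a reply back
    to the private host. Addresses used here are constructed examples."""
    def __init__(self, public_ip: str, first_port: int = 40000):
        self.public_ip = public_ip
        self._ports = count(first_port)
        self.outbound = {}   # (priv_ip, priv_port, remote_ip, remote_port) -> public port
        self.inbound = {}    # public port -> (priv_ip, priv_port, remote_ip, remote_port)

    def translate_out(self, f: Flow) -> Flow:
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        if key not in self.outbound:          # new flow: allocate a public port
            port = next(self._ports)
            self.outbound[key] = port
            self.inbound[port] = key
        return Flow(self.public_ip, self.outbound[key], f.dst_ip, f.dst_port)

    def translate_in(self, f: Flow):
        """Reverse a reply. Returns None when no flow matches, which is why an
        internal host behind PAT cannot be reached by unsolicited traffic."""
        key = self.inbound.get(f.dst_port)
        if f.dst_ip != self.public_ip or key is None:
            return None
        priv_ip, priv_port, remote_ip, remote_port = key
        if (f.src_ip, f.src_port) != (remote_ip, remote_port):
            return None               # reply must come from the peer we talked to
        return Flow(remote_ip, remote_port, priv_ip, priv_port)

class StaticNat:
    """Static NAT: a one-to-one mapping from a private address to a dedicated
    public address, so inbound traffic to that public address always has a home."""
    def __init__(self, mapping: dict):
        self.to_public = dict(mapping)
        self.to_private = {pub: priv for priv, pub in mapping.items()}

    def translate_out(self, f: Flow) -> Flow:
        return Flow(self.to_public[f.src_ip], f.src_port, f.dst_ip, f.dst_port)

    def translate_in(self, f: Flow):
        priv = self.to_private.get(f.dst_ip)
        return None if priv is None else Flow(f.src_ip, f.src_port, priv, f.dst_port)
```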

Network Separation

A common network security practice is to use different components to provide network separation, which can be achieved in three different ways:

  • Segregation: Provides basic separation.
  • Segmentation: Puts traffic on different segments.
  • Isolation: Systems are completely separate; virtualization can be used to provide isolation, and some antivirus experts use virtual machines to analyze malware.

Physical Isolation and Airgaps

Physically isolating a network, as is commonly done with SCADA systems, ensures that it isn’t connected to any other network; this physical isolation significantly reduces the risks to the SCADA system.
An airgap is a metaphor for physical isolation, indicating that there is a gap of air between an isolated system and other systems.

Logical Separation and Segmentation

Routers segment traffic between networks using rules within ACLs.

  • Administrators use subnetting to divide larger IP address ranges into smaller ranges. They then implement rules within ACLs to allow or block traffic.
  • Firewalls separate network traffic using basic packet-filtering rules and can also use more sophisticated methods to block undesirable traffic.

It’s also possible to provide logical separation by using a virtual local area network (VLAN) to segment traffic between logical groups of users or computers.

Layer 2 Versus Layer 3 Switches

  • A traditional switch: Operates on Layer 2 of the Open Systems Interconnection (OSI) model, using the destination MAC address within packets to determine the destination port, while forwarding broadcast traffic to all ports on the switch.
  • Routers: Operate on Layer 3 of the OSI model, forwarding traffic based on the destination IP address within a packet, while blocking broadcast traffic.
    • Layer 3 switches mimic routers, allowing network administrators to create virtual local area networks (VLANs).
      • They are not susceptible to ARP-based attacks because they forward traffic based on the destination IP address instead of the MAC address.


Isolating Traffic with a VLAN

A virtual local area network (VLAN) uses a switch to group several different computers together, based on department, job function, or any other administrative need, into a virtual network. This provides security because the traffic between the computers in the VLAN is isolated from the rest of the network.

Normally routers group different computers onto different subnets based on physical location; the computers on a subnet are typically in the same physical location, such as on a specific floor or wing of a building.

A single Layer 3 switch can create multiple VLANs to separate the computers based on logical needs rather than physical location. Examples include:

  • A group of users who normally work in separate departments may begin work on a project that requires them to be on the same subnet. When the project is over, you can simply reconfigure the switch to return the network to its original configuration.
  • VoIP streaming traffic can consume quite a bit of bandwidth, so you can increase the availability and reliability of systems by putting voice traffic on a dedicated VLAN, separating the voice traffic from the data traffic.

You can also use a single switch with multiple VLANs to separate user traffic.

  • If you want to separate the traffic between the HR department and the IT department, you can use a single switch with two VLANs, logically separating all the computers of the two departments, even if the computers are located close to each other.


Media Gateways

A media gateway is a device that converts data from the format used on one network to the format used on another network. As an example, a VoIP gateway converts telephony traffic between traditional phone lines and an IP-based network.

Proxy Servers

Many networks use proxy servers (or forward proxy servers) to forward requests for services (such as HTTP or HTTPS) from clients. Administrators configure internal clients to use the proxy server for specific protocols. Located on the edge of the network bordering the Internet and the intranet, a proxy improves performance by caching content, and some proxy servers can restrict users’ access to inappropriate web sites by filtering content.

A proxy accepts a request, retrieves the content from the Internet, and then returns the data to the client.

  • Most proxy servers only act as a proxy for HTTP and HTTPS. However, proxy servers can also proxy other Internet protocols, such as FTP.

Performance Improvement with Content Caching

Proxies increase performance of Internet requests by storing each result received from the Internet; data that is in the proxy server’s cache doesn’t need to be retrieved from the Internet again when requested by a client. In this context, cache simply means “temporary storage.”

Cache could be a dedicated area of RAM, or, in some situations, it could also be an area on a high-performance disk subsystem.

Transparent and Nontransparent Proxies

A transparent proxy: Accepts and forwards requests without modifying them; it is the simplest to set up and use, and it provides caching.

A nontransparent proxy: Can modify and filter requests. Often used to restrict what users can access with the use of URL filters. A URL filter examines the requested URL and chooses to allow the request or deny the request.

Proxy servers include logs that record each site visited by users. These logs can be helpful to identify frequently visited sites and to monitor user web browsing activities.
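The three behaviours described in this section (caching, URL filtering in a nontransparent proxy, and per-request logging) are combined in the following added example, which is a model written for this page and not code from the original article. The origin fetcher is injected and the host names and responses are constructed so that it runs offline.

```python
from dataclasses import dataclass, field
from typing import Callable
from urllib.parse import urlparse

@dataclass
class FilteringProxy:
    """Model of a nontransparent forward proxy: a URL filter decides allow or
    deny, allowed responses are cached by URL, and every request is logged."""
    blocked_hosts: set                       # deny list of host names
    fetch: Callable[[str], str]              # origin fetcher, injected so this runs offline
    cache: dict = field(default_factory=dict)
    log: list = field(default_factory=list)  # (client, url, outcome) per request

    def request(self, client: str, url: str) -> tuple:
        host = urlparse(url).hostname or ""
        # URL filter: the host and each of its parent domains are checked,
        # so blocking "badsite.example" also blocks "www.badsite.example".
        labels = host.split(".")
        if any(".".join(labels[i:]) in self.blocked_hosts for i in range(len(labels))):
            self.log.append((client, url, "DENIED"))
            return ("DENIED", None)
        if url in self.cache:                 # served from the proxy's temporary storage
            self.log.append((client, url, "HIT"))
            return ("HIT", self.cache[url])
        body = self.fetch(url)                # cache miss: retrieve from the Internet
        self.cache[url] = body
        self.log.append((client, url, "MISS"))
        return ("MISS", body)

def sites_visited(proxy: FilteringProxy) -> dict:
    """Summarise the proxy log the way an administrator would: requests per host."""
    counts = {}
    for _client, url, _outcome in proxy.log:
        host = urlparse(url).hostname
        counts[host] = counts.get(host, 0) + 1
    return counts

# Constructed stand-in for the origin servers; no network access is needed.
ORIGIN = {"http://intranet.example/index.html": "welcome",
          "http://news.example/top": "headlines"}

def fake_fetch(url: str) -> str:
    return ORIGIN[url]
```

The second client requesting the same URL is served from the cache without a second fetch, and the denied request still appears in the log, which is what makes the log useful for monitoring browsing activity.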
 
Reverse Proxy

In comparison to a regular proxy, a reverse proxy accepts requests from the Internet, typically for a single web server. Note that this allows the web server to be located in the private network behind a second firewall.

It appears to clients as a web server, but it forwards the requests to the real web server and serves the pages that server returns.
A reverse proxy can front a single web server or a web farm of multiple servers; when used with a web farm, it acts as a load balancer: it is placed in the DMZ to accept requests and then forwards them to different servers in the web farm using a load-balancing algorithm.

Application Proxies

An application proxy is used for specific applications. It accepts requests, forwards the requests to the appropriate server, and then sends the response to the original requestor. A forward proxy used for HTTP is a basic application proxy. However, most application proxies are multipurpose proxy servers supporting multiple protocols such as HTTP and HTTPS.

Unified Threat Management

Depending on the size of your company, a cornerstone of knowing how to implement a secure network is determining whether your situation is suited to a unified threat management (UTM) solution: a single solution combining multiple security controls, whose objective is to simplify and improve security management at the same time. Initially, security solutions were brought to market as one-offs, leading to ever-increasing management complexity. UTM security appliances combine the features of multiple security solutions into a single appliance, a hardware device designed to provide a specific solution.

A UTM device is commonly placed at the network border, between the Internet and the intranet, where it intercepts and analyzes all traffic to and from the Internet; its exact placement depends on the UTM use case. If it is being used as a proxy server, it can be placed within the DMZ and configured so that all relevant traffic goes through it.

UTM security appliances include multiple capabilities, including:

  • Content inspection: Uses a combination of different content filters to monitor incoming data streams and attempts to block any malicious content. This can also include:
    • A spam filter to inspect incoming email and reject spam.
    • Filters to block specific types of transmissions, such as streaming audio and video, and specific types of files, such as Zip files.
  • DDoS mitigator: Attempts to detect and block DDoS attacks, similar to intrusion prevention systems (IPSs).
  • Mail gateway: Many vendors include a mail gateway within a UTM to scan incoming and outgoing mail.
  • Malware inspection: Screens incoming data for known malware and blocks it. Organizations often scan for malware at email servers and at individual systems as part of a layered security or defense-in-depth solution.
  • URL filtering: Performs the same job as a proxy server that blocks access to sites based on the URL. Typically administrators:
    • Subscribe to a service that provides updated lists of URLs to block, or
    • Configure URL filters manually to allow or block access to specific web sites.

Mail Gateways and Secure Networks

A mail gateway is a server that examines all incoming and outgoing email in an attempt to reduce the risks associated with email. It is typically located between the email server and the Internet, so all mail goes to the gateway before it goes to the email server. Gateways often include:

  • A spam filter: Filters out spam from incoming email. By filtering out spam, it helps block attacks.
  • Data loss prevention (DLP) capabilities: Examine outgoing email looking for confidential or sensitive information and block it.
  • Encryption: Can encrypt all outgoing email to ensure confidentiality for data in transit, or encrypt only certain data based on policies.
