Where should an administrator place an internet-facing host on the network?
Now that we have gotten past the blinding flashes of the obvious and my lame attempts at humor, let's dive into the elements of implementing a secure network.

Once you have finished this article, you should have a good grasp of how to implement a secure network.

Network Zones and Topologies

Although most networks have Internet connectivity, only an inexperienced administrator would connect a network directly to the Internet. The secure way to implement a network is to divide it into different zones, using different topologies. Three terms that are relevant here are:
The Demilitarized Zone

A demilitarized zone (DMZ) is a buffered zone between a private network and the Internet. Because attackers seek out servers on the Internet, servers placed directly on the Internet carry the highest amount of risk. The DMZ provides a layer of protection for these Internet-facing servers while still allowing clients to connect to them. In the typical diagram, the DMZ is the area between the external and internal firewalls, hosting several Internet-facing servers. Many DMZs use two firewalls, creating a buffer zone between the Internet and the internal network: the external firewall provides access to the services hosted in the DMZ, while the internal firewall restricts access from the DMZ into the internal network.
Each firewall includes detailed rules designed to filter traffic and protect both the internal network and the public servers. The internal firewall should treat the DMZ as untrusted and allow only the specific connections the public servers need (for example, a web server reaching a database on one port), because a compromised DMZ host is the attacker's next foothold.
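The two-tier policy described above, as an added example that is not part of the original article. The addressing plan (203.0.113.0/24 for the DMZ, 10.10.0.0/16 for the internal LAN, a web server at 203.0.113.10 and a database at 10.10.5.20) is constructed for the example; the rule format is a simplified first-match model, not any vendor's syntax.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

# Constructed addressing plan for the example (assumed, not from the article).
DMZ = ip_network("203.0.113.0/24")
INTERNAL = ip_network("10.10.0.0/16")
ANY = ip_network("0.0.0.0/0")
WEB = ip_network("203.0.113.10/32")   # Internet-facing web server in the DMZ
DB = ip_network("10.10.5.20/32")      # database that stays on the internal LAN


class Packet(NamedTuple):
    src: str
    dst: str
    dport: int


class Rule(NamedTuple):
    action: str              # "allow" or "deny"
    src: object              # ip_network the source address must fall in
    dst: object              # ip_network the destination address must fall in
    dport: Optional[int]     # destination port, None = any port


# External firewall: the only thing the Internet may reach is the DMZ web
# server on HTTPS. The LAN is denied explicitly as well as by the implicit deny.
EXTERNAL_FW = [
    Rule("allow", ANY, WEB, 443),
    Rule("deny", ANY, INTERNAL, None),
    Rule("allow", INTERNAL, ANY, None),   # egress from the LAN to the Internet
]

# Internal firewall: the web tier may talk to the database on its port and to
# nothing else on the LAN; LAN users may reach the DMZ and beyond.
INTERNAL_FW = [
    Rule("allow", WEB, DB, 5432),
    Rule("deny", DMZ, INTERNAL, None),
    Rule("allow", INTERNAL, ANY, None),
]


def evaluate(rules, pkt):
    """First-match rule evaluation with an implicit final deny.
    Reply traffic is assumed to be handled by connection tracking and is not
    modelled: only the packet that opens a connection is checked."""
    src, dst = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in rules:
        if src in rule.src and dst in rule.dst and rule.dport in (None, pkt.dport):
            return rule.action
    return "deny"


ZONES = ["internet", "dmz", "internal"]   # ordered from the outside in


def zone(addr):
    a = ip_address(addr)
    if a in DMZ:
        return "dmz"
    if a in INTERNAL:
        return "internal"
    return "internet"


def firewalls_on_path(pkt):
    """Firewalls a packet crosses: the external one sits between the Internet
    and the DMZ, the internal one between the DMZ and the LAN."""
    i, j = ZONES.index(zone(pkt.src)), ZONES.index(zone(pkt.dst))
    lo, hi = sorted((i, j))
    return [EXTERNAL_FW, INTERNAL_FW][lo:hi]


def permitted(src, dst, dport):
    """True only if every firewall on the path allows the connection."""
    pkt = Packet(src, dst, dport)
    return all(evaluate(fw, pkt) == "allow" for fw in firewalls_on_path(pkt))


if __name__ == "__main__":
    checks = [
        ("198.51.100.7", "203.0.113.10", 443),   # Internet -> DMZ web, HTTPS
        ("198.51.100.7", "203.0.113.10", 22),    # Internet -> DMZ web, SSH
        ("198.51.100.7", "10.10.5.20", 5432),    # Internet -> database directly
        ("203.0.113.10", "10.10.5.20", 5432),    # web tier -> database
        ("203.0.113.10", "10.10.7.3", 445),      # compromised web server -> LAN host
        ("10.10.7.3", "198.51.100.7", 443),      # LAN user -> Internet
    ]
    for src, dst, port in checks:
        print(f"{src} -> {dst}:{port}: {'ALLOW' if permitted(src, dst, port) else 'DENY'}")
```

The model decides which firewalls a packet crosses from its addresses alone; a real firewall also checks the ingress interface against the source address (anti-spoofing), so a packet arriving from the Internet with a 10.10.x.x source is dropped before any rule is consulted.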
The DMZ can host any Internet-facing server, including FTP servers used for uploading and downloading files and virtual private network (VPN) servers used for providing remote access.

Network and Port Address Translation

Network Address Translation (NAT) is a function performed by a router or firewall, not a protocol of its own: it rewrites the addresses in IP packet headers so that hosts with private addresses can reach the Internet through one or more public addresses. Outbound packets have their private source address replaced with a public one, and the replies are translated back to the private address. You will often see NAT enabled on an Internet-facing firewall. The most common form is network address and port translation, usually called Port Address Translation (PAT), which also rewrites the source port so that many private hosts can share a single public address. If you run a network at home (such as a wireless network), the router that connects to the Internet is very likely running NAT. Some of the benefits of NAT include:
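PAT as described above, worked through as an added example (not code from the article). The public address 203.0.113.1, the private hosts 192.168.1.10 and 192.168.1.11 and the port range starting at 40000 are all assumed for the example. It goes slightly beyond the text by implementing the stricter filtering behaviour from RFC 4787, in which a reply is accepted only from the remote endpoint the private host actually contacted.

```python
from itertools import count
from typing import NamedTuple

PUBLIC_IP = "203.0.113.1"      # assumed public (WAN) address of the NAT device


class Flow(NamedTuple):
    """One direction of a TCP/UDP conversation as seen in a packet header."""
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class Pat:
    """Port Address Translation with address-and-port-dependent filtering
    (the stricter behaviour in RFC 4787 terms): a reply is only accepted
    from the exact remote endpoint the private host contacted."""

    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self._next_port = count(first_port)   # simplistic allocator, never reuses ports
        self._out = {}   # (priv_ip, priv_port, dst_ip, dst_port) -> public port
        self._in = {}    # public port -> (priv_ip, priv_port, dst_ip, dst_port)

    def outbound(self, flow):
        """Rewrite a packet leaving the private network; reuse an existing
        mapping for the same conversation, allocate a public port otherwise."""
        key = tuple(flow)
        if key not in self._out:
            pub_port = next(self._next_port)
            self._out[key] = pub_port
            self._in[pub_port] = key
        return flow._replace(src_ip=self.public_ip, src_port=self._out[key])

    def inbound(self, flow):
        """Rewrite a packet arriving from the Internet, or return None to drop it."""
        if flow.dst_ip != self.public_ip:
            return None
        entry = self._in.get(flow.dst_port)
        if entry is None:
            return None                        # nobody inside opened this: unsolicited
        priv_ip, priv_port, remote_ip, remote_port = entry
        if (flow.src_ip, flow.src_port) != (remote_ip, remote_port):
            return None                        # a third party probing a mapped port
        return flow._replace(dst_ip=priv_ip, dst_port=priv_port)


if __name__ == "__main__":
    nat = Pat(PUBLIC_IP)
    # Two private hosts happen to pick the same source port (constructed input).
    a = nat.outbound(Flow("192.168.1.10", 51000, "198.51.100.7", 443))
    b = nat.outbound(Flow("192.168.1.11", 51000, "198.51.100.7", 443))
    print("outbound:", a, b)
    print("reply   :", nat.inbound(Flow("198.51.100.7", 443, PUBLIC_IP, a.src_port)))
    print("probe   :", nat.inbound(Flow("192.0.2.99", 12345, PUBLIC_IP, a.src_port)))
```

Dropping unsolicited inbound packets is a side effect of having no mapping for them, which is why NAT is often mistaken for a firewall; it says nothing about what outbound traffic is allowed, has no notion of application-layer policy, and a mapping that is open for a legitimate reply is also open for anyone who learns the public port on a less strictly filtering NAT.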
Network Separation

A common network security practice is to use different components to provide network separation, which can be achieved in three different ways:
Physical Isolation and Airgaps

Physically isolating a network, as is done with SCADA systems, ensures that it isn't connected to any other network; this physical isolation significantly reduces the risk to the SCADA system. An airgap is only as strong as its enforcement: removable media and temporary maintenance connections are the usual ways it gets bridged.

Logical Separation and Segmentation

Routers segment traffic between networks using rules within access control lists (ACLs).
It is also possible to provide logical separation by using a virtual local area network (VLAN) to segment traffic between logical groups of users or computers.

Layer 2 Versus Layer 3 Switches
Read More About The OSI Model Here: What are the OSI and TCP/IP Models?

Isolating Traffic with a VLAN

A VLAN uses a switch to group several computers together, based on department, job function, or any other administrative need, into a virtual network. This provides security because traffic is isolated within the VLAN: a host in one VLAN cannot reach a host in another except through a router or Layer 3 switch, where access rules can be applied. Traditionally, routers group computers onto different subnets based on physical location, such as a specific floor or wing of a building. A single Layer 3 switch can create multiple VLANs to separate computers based on logical needs rather than physical location. Examples include:
A single switch with multiple VLANs can also be used on its own to separate user traffic.
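How a switch keeps VLAN traffic apart, as an added example that is not part of the article or any vendor's code. It builds and parses 802.1Q-tagged Ethernet frames and models a flooding switch (no MAC learning) with access ports and one trunk; the port names, VLAN IDs 10 and 20, and the MAC addresses are constructed for the example.

```python
import struct

TPID_8021Q = 0x8100          # EtherType value that announces an 802.1Q tag
ETH_IPV4 = 0x0800

# Constructed sample addresses for the demo.
HR_HOST = bytes.fromhex("0242ac110001")
FINANCE_HOST = bytes.fromhex("0242ac110002")
BROADCAST = b"\xff" * 6


def tag_frame(dst_mac, src_mac, vid, ethertype, payload, pcp=0):
    """Build an Ethernet frame carrying an 802.1Q tag (TPID + 16-bit TCI)."""
    if not 1 <= vid <= 4094:
        raise ValueError("VLAN ID must be 1..4094")
    tci = (pcp << 13) | vid                  # PCP(3 bits) | DEI(1 bit, 0) | VID(12 bits)
    return dst_mac + src_mac + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def untagged_frame(dst_mac, src_mac, ethertype, payload):
    return dst_mac + src_mac + struct.pack("!H", ethertype) + payload


def parse_frame(frame):
    """Return (vid or None, dst, src, ethertype, payload)."""
    dst, src = frame[:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != TPID_8021Q:
        return None, dst, src, ethertype, frame[14:]
    tci, inner = struct.unpack("!HH", frame[14:18])
    return tci & 0x0FFF, dst, src, inner, frame[18:]


class VlanSwitch:
    """Flooding switch that enforces VLAN membership.
    ports maps a name to ("access", vid) or ("trunk", {vid, ...})."""

    def __init__(self, ports):
        self.ports = ports

    def forward(self, in_port, frame):
        """Return {out_port: frame} for every port that should receive the frame."""
        mode, cfg = self.ports[in_port]
        vid, dst, src, ethertype, payload = parse_frame(frame)
        if mode == "access":
            if vid is not None:
                return {}        # tagged frame on an access port: drop (hardened behaviour)
            vid = cfg            # access port: the frame belongs to the port's VLAN
        else:
            if vid is None or vid not in cfg:
                return {}        # untagged frame, or VLAN not allowed on this trunk: drop
        out = {}
        for name, (pmode, pcfg) in self.ports.items():
            if name == in_port:
                continue
            if pmode == "access" and pcfg == vid:
                out[name] = untagged_frame(dst, src, ethertype, payload)   # tag removed
            elif pmode == "trunk" and vid in pcfg:
                out[name] = tag_frame(dst, src, vid, ethertype, payload)   # tag kept
        return out


# Constructed switch layout: two HR ports, one Finance port, one uplink trunk.
SWITCH = VlanSwitch({
    "Gi1/0/1": ("access", 10),
    "Gi1/0/2": ("access", 20),
    "Gi1/0/3": ("access", 10),
    "Gi1/0/24": ("trunk", {10, 20}),
})

if __name__ == "__main__":
    broadcast = untagged_frame(BROADCAST, HR_HOST, ETH_IPV4, b"hello from HR")
    for port, out_frame in SWITCH.forward("Gi1/0/1", broadcast).items():
        print(port, "vid =", parse_frame(out_frame)[0])
```

The trunk in this model carries no untagged (native) VLAN and the access ports drop tagged frames, which is the configuration that defeats VLAN-hopping tricks based on double tagging; many switches ship with a native VLAN on trunks and should have it tagged or set to an unused VLAN.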
Read More About Networks Here

Media Gateways

A media gateway is a device that converts data from the format used on one network to the format used on another. For example, a VoIP gateway converts telephony traffic between traditional phone lines and an IP-based network.

Proxy Servers

Many networks use proxy servers (forward proxies) to forward requests for services such as HTTP or HTTPS on behalf of clients. Administrators configure internal clients to use the proxy server for specific protocols. Located at the edge of the network, between the intranet and the Internet, a proxy improves performance by caching content, and some proxy servers can restrict users' access to inappropriate web sites by filtering content. A proxy accepts a request from the client, retrieves the content from the Internet, and returns the data to the client.
Performance Improvement with Content Caching

Proxies increase the performance of Internet requests by storing the results they receive from the Internet; data that is in the proxy server's cache doesn't need to be retrieved again when another client requests it. In this context, cache simply means temporary storage. The cache may be a dedicated area of RAM or, in some situations, an area on a high-performance disk subsystem. The proxy must honour the origin server's caching directives: serving a cached copy of a response marked private or no-store to a different user leaks one user's data to another.

Transparent and Nontransparent Proxies

A transparent proxy accepts and forwards requests without modifying them; it is the simplest to set up and use, and it provides caching. A nontransparent proxy can modify or filter requests and responses, which is what content filtering requires. Note that in everyday usage the term transparent proxy more often means a proxy that intercepts traffic at the network level so that clients need no configuration.
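The caching and filtering behaviour described in the two sections above, as an added example that is not part of the article. The upstream fetcher is a constructed stand-in for the Internet, and the host names and Cache-Control values are made up for the demo; caching is deliberately conservative (only an explicit max-age is honoured, and no-store, private and no-cache responses are never cached), whereas full HTTP caching (RFC 9111) also deals with Expires, heuristic freshness and Vary.

```python
import re
import time
from typing import Dict, NamedTuple
from urllib.parse import urlsplit


class Response(NamedTuple):
    status: int
    headers: Dict[str, str]      # header names lower-cased
    body: bytes


def freshness_lifetime(headers):
    """Seconds a response may be served from cache, or None if it must not be cached.
    no-cache is treated as uncacheable here (strictly it means revalidate first)."""
    cc = headers.get("cache-control", "").lower()
    if any(tok in cc for tok in ("no-store", "private", "no-cache")):
        return None
    m = re.search(r"max-age=(\d+)", cc)
    return int(m.group(1)) if m else None


class ForwardProxy:
    """Caching forward proxy. With a non-empty blocked_hosts list it behaves as a
    nontransparent (filtering) proxy: it answers some requests itself instead of
    forwarding them unchanged."""

    def __init__(self, fetch, blocked_hosts=(), clock=time.time):
        self.fetch = fetch                      # upstream fetch(method, url, headers) -> Response
        self.blocked = {h.lower() for h in blocked_hosts}
        self.clock = clock                      # injectable so expiry can be tested
        self.cache = {}                         # (method, url) -> (expires_at, Response)

    def handle(self, method, url, headers=None):
        """Return (Response, outcome) where outcome is BLOCKED, HIT or MISS."""
        headers = headers or {}
        host = (urlsplit(url).hostname or "").lower()
        if host in self.blocked:
            return Response(403, {"content-type": "text/plain"}, b"blocked by policy"), "BLOCKED"

        key = (method, url)
        now = self.clock()
        cached = self.cache.get(key)
        if cached and cached[0] > now:
            return cached[1], "HIT"

        resp = self.fetch(method, url, headers)
        ttl = freshness_lifetime(resp.headers)
        if method == "GET" and resp.status == 200 and ttl:
            self.cache[key] = (now + ttl, resp)
        else:
            self.cache.pop(key, None)           # never keep a stale or uncacheable copy
        return resp, "MISS"


UPSTREAM_CALLS = []


def demo_upstream(method, url, headers):
    """Constructed stand-in for the Internet: records every fetch it receives."""
    UPSTREAM_CALLS.append(url)
    if url.endswith("/logo.png"):
        return Response(200, {"cache-control": "public, max-age=60"}, b"\x89PNG...")
    return Response(200, {"cache-control": "no-store"}, b"<html>private account page</html>")


if __name__ == "__main__":
    proxy = ForwardProxy(demo_upstream, blocked_hosts=["ads.example"])
    for url in ["http://cdn.example/logo.png", "http://cdn.example/logo.png",
                "http://bank.example/account", "http://bank.example/account",
                "http://ads.example/track.js"]:
        resp, outcome = proxy.handle("GET", url)
        print(f"{outcome:8} {resp.status} {url}")
    print("upstream fetches:", len(UPSTREAM_CALLS))
```

The second request for the logo is served from cache, the account page is fetched every time because the origin marked it no-store, and the ad host never reaches the upstream at all.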
In comparison to a forward proxy, a reverse proxy accepts requests from the Internet, typically for a single web server, and forwards them to that server. This allows the web server itself to be located in the private network behind a second firewall. To clients the reverse proxy appears to be the web server, but it forwards the requests to the real web server and serves the pages that server returns.

Application Proxies

Unified Threat Management

Depending on the size of your company, a cornerstone of knowing how to implement a secure network is determining whether your situation suits a unified threat management (UTM) solution: a single product combining multiple security controls, with the objective of simplifying and improving security management at the same time. Security solutions were initially brought to market as one-offs, leading to ever-increasing management complexity; UTM security appliances combine the features of multiple security solutions into a single appliance, a hardware device designed to provide a specific solution. A UTM device is commonly placed at the network border, between the Internet and the intranet, where it intercepts and analyzes all traffic to and from the Internet, but its placement depends on the use case; if it is used as a proxy server, it can be placed within the DMZ and configured so that all relevant traffic goes through it. UTM security appliances include multiple capabilities, including:
Mail Gateways and Secure Networks

A mail gateway is a server that examines all incoming and outgoing email in order to reduce the risks associated with email. It is typically located between the email server and the Internet, so all mail goes to the gateway before it goes to the email server. Gateways often include a spam filter, which filters spam out of incoming email; because so many attacks arrive as unsolicited email (phishing messages and malicious attachments), filtering out spam helps block attacks.

Where should you place network firewalls?

Firewalls are often placed at the perimeter of a network.
Such a firewall has an external and an internal interface, the external interface being the one on the outside of the network. These two interfaces are sometimes referred to as unprotected and protected, respectively.

What is an internet-facing server?

An internet-facing server is any server that is directly accessible over the internet.

What is an internet firewall?

Firewalls protect the perimeter of the network, guarding your internal data from external attacks. A firewall configured with a default-deny (default-closed) policy ensures that if a user, either accidentally or on purpose, creates a service in your network, it won't be exposed to the internet unless the firewall is explicitly instructed to allow it.

What is a forward-facing server?

A forward proxy is an Internet-facing proxy used to retrieve data from a wide range of sources (in most cases anywhere on the Internet). A reverse proxy is usually an internal-facing proxy used as a front end to control and protect access to a server on a private network.