Perimeter Network Defense

Perimeter Network Defense and Anti-Malware Architecture

1.0 Introduction

In this white paper, we examine the Case Study Organization's (CSO) network and how it should implement perimeter security. We treat the organization's network devices and firewalls as combining into a least-privilege gateway that allows traffic to move only in expected and intended ways. On the CSO's network, that traffic includes data from internal users, guests, public-facing Web servers, and highly protected application servers, all of which support the organization's business requirements, and each of which requires protection. We look at the CSO's network components, from servers to thin clients, and at the security perimeters between them. We review these perimeters with attention to improving the organization's overall security posture, and make tactical recommendations that minimize acquisition and maintenance costs.

2.0 Background

In the CSO, the physical layout includes at least the following security zones:

public - the organization's “face” to the world (reception via secure entry)

protected - the organization's proprietary information (locked access requiring entry codes or a key; think of a corporate safe)

internal - employee workspaces (bullpen - normally an open or thinly partitioned area)

guest - provides an area for visitors to be entertained (think the “nice” executive conference room)

Many corporate networks are built to reflect and support this simple physical model. Adding to this simple design is the fact that, in most cases, an organization standardizes on a single operating system (in this paper we assume the ubiquitous Windows environment, but it could be anything). Given these typical constraints and the CSO's logical network setup, we look at some common effects on the organization's network security perimeter (Knipp & Danielyan, 2002).

3.0 Network Diagram

The following diagram shows a simple but reasonable network diagram for the CSO organization.

Figure 1 - the CSO corporate network's security zones

The CSO's network defines four primary areas that map more or less to the four physical security zones identified above:

192.168.16.0/24 - A protected network containing file and database servers, an internal Exchange server, the corporate antivirus server, and the organization's intranet portal.

192.168.15.0/24 - A DMZ (demilitarized zone) containing a public Web server and the organization's public SMTP server for receiving email.

192.168.14.0/24 - An internal network containing primarily workstations and thin clients, although some development servers and the hypervisors also appear here in the CSO diagram.

192.168.1.0/24 - A wireless network for guests and mobile devices.

4.0 Perimeter Defenses

Each element in the CSO organization's layered network defense strategy surrounds individual hosts much like an onion skin does - the closer one gets to a host the more perimeter layers one must have traversed (Oppliger, 2001).

Consider a malicious application on the “guest” subnet: it must cross four different gateways (and the same number of firewalls) before even one data packet is presented to the protected file server, which itself is hardened with at least three further defensive layers (a host firewall, anti-malware software, and operating-system access control lists) (Tanenbaum, 1996).
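The following is an added example, not part of the white paper or the CSO's actual configuration. It models the zone-to-zone policy described in Sections 3.0 and 4.0 as a default-deny rule table: the four subnets are the ones the paper lists, but the permitted flows (inbound web and SMTP to the DMZ, the DMZ relay handing mail to Exchange, workstations reaching the file, database and intranet servers, and web browsing outbound) are assumptions chosen to illustrate a least-privilege gateway. The evaluate() function decides a single new flow, and audit() is the check a practitioner would run over a rule set: it flags any rule that lets an untrusted zone (Internet or guest) reach past the DMZ directly.

```python
"""Zone-to-zone least-privilege policy model for the CSO network.

Added example (not from the white paper). The subnets follow the paper's
Figure 1 description; the allow rules are ASSUMED for illustration only.
"""
import ipaddress
from dataclasses import dataclass

# Security zones from Section 3.0, written in full CIDR form.
ZONES = {
    "protected": ipaddress.ip_network("192.168.16.0/24"),
    "dmz":       ipaddress.ip_network("192.168.15.0/24"),
    "internal":  ipaddress.ip_network("192.168.14.0/24"),
    "guest":     ipaddress.ip_network("192.168.1.0/24"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str        # zone the flow originates in; "internet" = outside all zones
    dst_zone: str
    proto: str           # "tcp" or "udp"
    dports: frozenset    # destination ports this rule permits
    comment: str


# ASSUMED allow-list. Any flow not matched below is dropped (default deny).
RULES = [
    Rule("internet", "dmz", "tcp", frozenset({80, 443}), "public web server"),
    Rule("internet", "dmz", "tcp", frozenset({25}), "public SMTP server"),
    Rule("dmz", "protected", "tcp", frozenset({25}), "SMTP relay hands mail to Exchange"),
    Rule("internal", "protected", "tcp", frozenset({80, 443, 445, 1433}),
         "workstations to intranet, file and database servers"),
    Rule("internal", "internet", "tcp", frozenset({80, 443}), "employee web browsing"),
    Rule("guest", "internet", "tcp", frozenset({80, 443}), "guest web browsing only"),
]

# Zones an untrusted source should never reach without passing through the DMZ.
UNTRUSTED = {"internet", "guest"}
BEHIND_DMZ = {"internal", "protected"}


def zone_of(ip: str) -> str:
    """Map an address to its security zone; anything outside the RFC 1918 ranges above is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def evaluate(src_ip: str, dst_ip: str, proto: str, dport: int, rules=RULES):
    """Return (verdict, reason) for one new flow under default-deny policy."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src == dst:
        # Traffic that stays inside one zone never crosses a perimeter gateway.
        return "allow", f"intra-zone {src} traffic is not gatewayed"
    for r in rules:
        if (r.src_zone, r.dst_zone, r.proto) == (src, dst, proto.lower()) and dport in r.dports:
            return "allow", r.comment
    return "deny", f"no rule permits {src} -> {dst} {proto}/{dport}"


def audit(rules):
    """Flag rules that let an untrusted zone reach the internal or protected zone directly."""
    return [r for r in rules if r.src_zone in UNTRUSTED and r.dst_zone in BEHIND_DMZ]


if __name__ == "__main__":
    # The Section 4.0 scenario: malware on the guest wireless tries the protected file server.
    print(evaluate("192.168.1.77", "192.168.16.10", "tcp", 445))
    # A legitimate workstation doing the same thing.
    print(evaluate("192.168.14.25", "192.168.16.10", "tcp", 445))
    # A weak rule slipped into the table is caught by the audit.
    weak = RULES + [Rule("guest", "protected", "tcp", frozenset({445}), "temporary, remove later")]
    print([r.comment for r in audit(weak)])
```

The default-deny shape matters more than the individual rules: the guest-to-file-server flow is dropped because no rule names it, not because someone remembered to block it. The audit is deliberately narrow (it only looks at zone pairs) so it can be run on every change without producing noise.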

4.1 Application Gateway

The CSO has at its outermost perimeter two physical Internet connections for ...