Introduction
Network design is much more than buying a hub at the local computer store and connecting the computers together with some cables.
If you want your network to scream like a well-tuned race car, take advantage of our training and experience in LAN design. We consider the physical and electrical rules and limits of network layout, so you won't be plagued with network failures and bottlenecks.
Generic Secure Design
Note: If you use wireless networking equipment, you will need a considerably more complex design to keep the network secure.
You can read about each component's purpose by matching the icons in the drawing below with the icons on this page. A certain amount of artistic license has been taken for illustrative purposes.
The overall purpose of this network design is to provide a reasonably secure network for your servers and a very secure network for your internal company LAN. The area between the two firewalls is called a DMZ. Only traffic of an authorized nature (the services you have chosen to expose) is allowed into the DMZ, and no traffic originating from the Internet, or even from the DMZ, is allowed into the company LAN. Traffic originating from within the company LAN is allowed out, and the responses to that traffic are allowed back in.
One thing you must realize about networks is that any "hacker" with the proper tools, motivation and skill will eventually compromise a system. Your intrusion detection system (IDS) will have to alert you to problems so you can take action. A robust computer security plan accounts for this event, so that your data is still secure after a compromise. Your IDS is a crucial part of your network security, just as roving patrols and video surveillance are a crucial part of a physical security program.
This is where many of your problems will come from. It is, in fact, the source of attacks that is gaining "market share." In 1998, the FBI reported that 15% of computer intrusions came from "hackers"; 15% came from company contractors; and the other 70% came from company employees.
The focus of these pages is intrusion detection and security from the Internet, so we are focusing on a small percentage of attacks. It is very hard, if not impossible, to build a system that protects you from your own employees and contractors (the other 85%). If they are not trustworthy, then why are they still there? Our job is to help protect you from those we know are not trustworthy.
Internet-Facing Firewall
Allows only mail, web, FTP, and DNS traffic through to the DMZ.
Company Firewall
Allows nothing originating from outside the company LAN through. Any traffic initiated by the LAN is passed through, as are all responses to that traffic.
Database Firewall
This adds one more layer of protection to your database in case your Web Server is compromised. After all, isn't your data worth the extra protection?
Firewall Notes
Firewalls filter out traffic that has no business on the network behind them. Like any other security device, a firewall can be compromised, and sooner or later it will be. What you need is an intrusion detection system (IDS) that will alert you to the problem. Tripwire, a file-integrity checker, is one such IDS. We use a custom-built security scanner that checks your system continually and e-mails you if it detects a problem.
One substantial problem with Tripwire, and its kind, is that a complete system scan takes a tremendous amount of CPU and I/O: every file on the disk is checked, which takes several minutes. That cannot easily be done continuously, so the best you can expect from such an IDS is to be notified the day after the intrusion. Our scanner checks certain files every minute and notifies you as soon as one of them changes.
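The following Python is an added example of the "check certain files every minute" approach described above; it is not the page's own scanner (that code is not published). It hashes a short, explicit watch list instead of the whole disk, so a round finishes in milliseconds and can run every minute. The watch list, the temp-directory files and the tampering in demo() are constructed for illustration.

```python
"""Watch-list integrity monitor: an added example in the spirit of the
"check certain files every minute" scanner described above.  It is NOT the
page's scanner; it hashes a short explicit list of files instead of the whole
disk, so a round finishes in milliseconds and can run every minute without
the CPU/IO cost of a full Tripwire-style scan."""
import hashlib
import os
import stat
import tempfile
import time


def fingerprint(path):
    """SHA-256, size and permission bits of one file; None if it is missing."""
    try:
        st = os.lstat(path)
    except FileNotFoundError:
        return None
    digest = hashlib.sha256()
    if stat.S_ISREG(st.st_mode):
        with open(path, "rb") as f:
            for chunk in iter(lambda: f.read(65536), b""):
                digest.update(chunk)
    return (digest.hexdigest(), st.st_size, stat.S_IMODE(st.st_mode))


def snapshot(paths):
    """Fingerprint every watched path (keeps list order for stable reports)."""
    return {p: fingerprint(p) for p in paths}


def diff(baseline, current):
    """Human-readable findings; an empty list means nothing changed."""
    findings = []
    for path, old in baseline.items():
        new = current.get(path)
        if old == new:
            continue
        if old is None:
            findings.append(f"{path}: appeared")
        elif new is None:
            findings.append(f"{path}: missing")
        else:
            what = []
            if old[0] != new[0]:
                what.append("content")
            if old[1] != new[1]:
                what.append("size")
            if old[2] != new[2]:
                what.append(f"mode {old[2]:o}->{new[2]:o}")
            findings.append(f"{path}: changed " + ", ".join(what))
    return findings


def watch(paths, interval=60, alert=print, rounds=None):
    """Re-check the watch list every `interval` seconds against a baseline
    taken at start-up.  The baseline is deliberately not refreshed: an alert
    repeats until an administrator verifies the change and restarts the
    monitor, so a tamper cannot be silently "accepted" by the next round.
    rounds=None runs forever; a number limits the loop (handy for tests)."""
    baseline = snapshot(paths)
    done = 0
    while rounds is None or done < rounds:
        time.sleep(interval)
        for finding in diff(baseline, snapshot(paths)):
            alert(finding)  # swap in an e-mail sender for real use
        done += 1


def demo():
    """Constructed scenario in a temp directory: baseline two files, then an
    attacker appends a uid-0 account to passwd and deletes hosts."""
    with tempfile.TemporaryDirectory() as d:
        passwd = os.path.join(d, "passwd")
        hosts = os.path.join(d, "hosts")
        with open(passwd, "w") as f:
            f.write("root:x:0:0:root:/root:/bin/bash\n")
        with open(hosts, "w") as f:
            f.write("127.0.0.1 localhost\n")
        baseline = snapshot([passwd, hosts])
        with open(passwd, "a") as f:
            f.write("evil:x:0:0::/:/bin/bash\n")
        os.remove(hosts)
        return diff(baseline, snapshot([passwd, hosts]))


if __name__ == "__main__":
    for line in demo():
        print(line)
```

For real use, point watch() at the files an intruder touches first (/etc/passwd, /etc/shadow, the inetd and sshd configuration, the web server's CGI directory) and replace print with a mailer. Keep the baseline on read-only media or another host; a monitor whose baseline the intruder can rewrite alerts on nothing.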
Use a switch for speed and security. Hubs are too insecure for Ethernet: every station on a hub sees every frame, so anyone plugged in can sniff traffic. A switch makes it more difficult (but not impossible; tricks such as ARP spoofing or MAC-table flooding can still pull traffic to an attacker's port) to snoop traffic for network discovery. Sure, hubs are cheaper, but by less than $100. For that price you get up to five times better performance under extreme load and a lot more security. Spend the money.
This is used to resolve names to IP addresses, both for your clients' web surfers and for your own company LAN.
Name servers are the focus of many attacks. If the attacker controls the DNS, they can redirect your traffic to another web server, or, as I have seen, remove your site from the DNS, taking you completely off the Internet.
We also recommend using two name servers, so that if one fails or must be taken down, the other is available and ready to answer. You will notice that most (if not all) domain registration records list at least two name servers. If the first name server is not answering, the second should, and network traffic continues undisturbed.
For these reasons, we recommend keeping the name servers separate from everything else, so they can be highly fortified against attack.
Used as a backup for the Primary Name Server. If you had only one name server and it failed at 2 am, you would have several hours of outage for your clients. With a backup name server, resolvers that get no answer from the primary simply query the backup.
See also DNS #1.
This is kept separate from the mail server so that if the mail server fails, Web service still functions.
See also Mail Server.
This is kept separate from the Web/FTP server so that if the web server fails, mail service still functions. It also adds one more layer of security: if the Web/FTP server is compromised, your client and company mail is still secure. I have seen integrated mail/Web/FTP servers, and was able to read other people's e-mail using an FTP client. Not very secure!
In this configuration, there is no Web or FTP access to the mail server. Only you and the people you authorize are allowed access to it.
These are your workstations. It is up to you to keep them secure; however, we can make recommendations, and even come in under a separate support contract to keep them up to date and performing well.
You should have a separate database server in case your web server is compromised. If you are hosting a client's web site, and it uses a database that contains credit card information or other sensitive material, we highly recommend putting the database behind another firewall. Leaving it on the Web Server is not in your client's best interests.
If it is just your data, isn't your data worth the extra protection?
Not Even on the Internal LAN
Telnet, POP (mail retrieval), and FTP use plaintext authentication, which can be sniffed by anyone who can see the traffic.
When you telnet to a Unix server, this is what you see:
$ telnet 192.168.55.10
Trying 192.168.55.10...
Connected to 192.168.55.10.
Escape character is '^]'.
Red Hat Linux release 5.2 (Apollo)
Kernel 2.0.36 on an i686
login: bob
Password:
Last login: Sat Feb 23 15:26:30 from 192.168.55.10
[bob@hackme bob]$
This is what the attacker sees (a packet-sniffer capture of the same session was shown here as an image): right there in plain sight is the password ("badpass1").
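As an added example, not code from the original page, the Python below does what the sniffer screenshot showed: it reassembles the login and password from the raw TCP payloads of a telnet session, stripping the telnet option negotiation so only what was typed remains. A real tool would feed it payloads pulled from a packet capture in order; the CAPTURE list here is constructed to match the session above and is not a real trace.

```python
"""Reassemble a telnet login from sniffed TCP payloads.  Added example, not
code from the original page.  A real tool would feed it payloads from a pcap
(per direction, in capture order); the CAPTURE list below is constructed to
match the session shown above and is not a real trace."""

IAC, SB, SE = 255, 250, 240
WILL, WONT, DO, DONT = 251, 252, 253, 254


def strip_iac(data):
    """Drop telnet option negotiation so only user-visible bytes remain:
    IAC WILL/WONT/DO/DONT <opt> is 3 bytes, IAC SB ... IAC SE is variable,
    any other IAC <cmd> is 2 bytes, and IAC IAC is a literal 0xFF byte."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC:
            out.append(data[i])
            i += 1
            continue
        if i + 1 >= len(data):          # truncated IAC at end of segment
            break
        cmd = data[i + 1]
        if cmd == IAC:
            out.append(IAC)
            i += 2
        elif cmd in (WILL, WONT, DO, DONT):
            i += 3
        elif cmd == SB:
            end = data.find(bytes([IAC, SE]), i + 2)
            i = len(data) if end < 0 else end + 2
        else:
            i += 2
    return bytes(out)


def reconstruct(packets):
    """packets: (direction, payload) pairs in capture order, direction "C" for
    client->server or "S" for server->client.  Returns {prompt: typed_line}.

    The server echoes the login name but not the password, so the client
    stream is the only place the password appears.  Each typed line is keyed
    by the server text pending (since its last newline) when the first key of
    that line was pressed; echoes arriving afterwards do not disturb it."""
    server_tail = ""        # server output since its last newline
    prompt = None           # prompt snapshotted at the first keystroke of a line
    typed = bytearray()
    result = {}
    for direction, payload in packets:
        payload = strip_iac(payload)
        if direction == "S":
            text = payload.decode("latin-1")
            server_tail = text.rsplit("\n", 1)[1] if "\n" in text else server_tail + text
            continue
        for b in payload:
            if b == 13:                             # CR ends the typed line
                if prompt is not None:
                    result[prompt.strip()] = typed.decode("latin-1")
                typed.clear()
                prompt = None
            elif b in (10, 0):                      # LF / NUL after CR: ignore
                continue
            else:
                if prompt is None:
                    prompt = server_tail
                if b in (8, 127):                   # backspace/DEL: user fixed a typo
                    if typed:
                        typed.pop()
                else:
                    typed.append(b)
    return result


# Constructed capture of the session shown above (character-at-a-time telnet
# with server-side echo; the server echoes "bob" but is silent while the
# password is typed).
CAPTURE = [
    ("C", b"\xff\xfb\x18"),                         # IAC WILL TERMINAL-TYPE
    ("S", b"\xff\xfd\x18\xff\xfb\x01"),             # IAC DO TERMINAL-TYPE, IAC WILL ECHO
    ("S", b"Red Hat Linux release 5.2 (Apollo)\r\nKernel 2.0.36 on an i686\r\nlogin: "),
    ("C", b"b"), ("S", b"b"),
    ("C", b"o"), ("S", b"o"),
    ("C", b"b"), ("S", b"b"),
    ("C", b"\r\n"), ("S", b"\r\nPassword: "),
    ("C", b"b"), ("C", b"a"), ("C", b"d"), ("C", b"p"),
    ("C", b"a"), ("C", b"s"), ("C", b"s"), ("C", b"1"),
    ("C", b"\r\n"),
    ("S", b"\r\nLast login: Sat Feb 23 15:26:30 from 192.168.55.10\r\n[bob@hackme bob]$ "),
]

if __name__ == "__main__":
    for prompt, value in reconstruct(CAPTURE).items():
        print(prompt, value)
```

Nothing here is clever: no decryption, no exploit, just reading bytes off the wire. That is the whole point of the section; the fix is to replace telnet, POP and FTP with encrypted equivalents (ssh/scp, POP over TLS) rather than to try to hide the traffic.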
The threat agent already present on your network is your own employees: 75% of the dollar loss from all attacks came from employees (Source: SANS Institute).