Understanding the Corporate Internet Module
The Corporate Internet module provides internal users with access to the Internet. It also provides public services such as DNS, FTP, e-mail, and web services to external users. In both medium-sized and small networks, VPN traffic from remote users and remote sites terminates in this module. Dial-in connections from remote users also terminate here. Unlike its counterpart in the SAFE Enterprise blueprint, the SAFE SMR Corporate Internet module is not designed to handle e-commerce traffic or applications.

Figure 4-3 shows the design of the SAFE medium-sized network Corporate Internet module, and Figure 4-4 shows the SAFE small network Corporate Internet module. The SAFE medium-sized network Corporate Internet module provides for a public services segment where web, mail, and other publicly accessible servers are located. Additionally, this design provides for remote access both through a connection to the Public Switched Telephone Network (PSTN) and through IPSec VPNs that terminate in the VPN/dial-in segment. The firewall is at the center of the design and controls access to the various segments.
Figure 4-3. SAFE Medium-Sized Network Corporate Internet Module

Figure 4-4. SAFE Small Network Corporate Internet Module

Key Corporate Internet Module Devices
There are several key devices in the Corporate Internet module that are common between the medium-sized network design and the small network design. The key devices in both the small and medium-sized network designs are summarized in Table 4-3. This table also indicates in which network these devices can be found.
Hosts for Small and Medium-Sized Networks
Additional hosts in both the medium-sized and small network Corporate Internet module designs include the following systems:
- A DNS server to provide for authoritative external name resolution and to relay internal network requests to the Internet
- An FTP server to provide for file exchange between Internet users and the corporate network
- An HTTP server to provide public information about the enterprise or the organization
- An SMTP server to provide for e-mail service both inbound and outbound; could also provide for e-mail content inspection
Each system requires that host-based IPS software be installed to help detect and mitigate attacks and the possible exploitation of these systems. These systems represent the endpoint devices that provide significant services to the Internet presence of the corporation.
Firewall
The firewall provides additional filtering capabilities in both designs. The firewall in the small network blueprint provides for one additional demilitarized zone (DMZ) segment, whereas the firewall in the medium-sized network blueprint provides for multiple DMZ segments.

In the medium-sized network design, the firewall provides for a public services segment and a VPN/dial-in segment. Publicly available servers, such as web, e-mail, and FTP servers, reside in the public services segment. Inbound filtering limits the traffic that reaches the public servers. Outbound filtering reduces the possibility that a compromised public server can be used for further exploitation of the network: specific filters are in place to block any unauthorized connection that originates in the public services segment. Private VLANs can be used in the segment to prevent an attacker who successfully compromises a server from exploiting other servers in the public services segment. Other services that the firewall provides include SMTP command filtering and termination of site-to-site VPNs.

The VPN/dial-in segment of the firewall is used to filter inbound traffic from the dial-in access server and the VPN concentrator. Private VLANs can be provided in this segment to prevent an attacker who compromises either a VPN connection or a dial-in connection from affecting other connections that terminate on the devices in this segment.

In the small network blueprint, the firewall provides much of the functionality that is provided in the medium-sized network. However, only one additional segment is available, the public services segment. The firewall also provides for SMTP command filtering, as in the medium-sized network design, and provides a termination point for VPN tunnels from remote sites, which are authenticated with preshared keys. The remote users authenticate to the access control server in the Campus module.

Many firewall appliances and firewall software packages provide rudimentary NIDS capabilities; however, using those capabilities can degrade the firewall's performance.
ISP Router
The ISP router is found in the medium-sized network design only, and its primary purpose is to provide connectivity to a provider network. ACLs provide for address filtering in accordance with RFC 1918 and RFC 2827 in both directions of traffic. Additionally, nonessential traffic leaving the ISP network toward the enterprise is rate limited to reduce the effects of denial of service (DoS) and distributed denial of service (DDoS) attacks.
Edge Router
The edge router provides various functions in both the medium-sized and the small network design. In both networks, this device should be configured to drop most fragmented packets.

In the medium-sized network blueprint, the edge router provides the point of demarcation between the medium-sized network and the ISP network. Basic traffic filters provide for address filtering in accordance with RFC 1918 and RFC 2827. Additionally, only expected IP traffic is permitted through; for example, IPSec and IKE traffic that is destined for the VPN concentrator or the firewall is permitted.

In the small network design, the edge router provides for address filtering in both directions in accordance with RFC 1918 and RFC 2827. Additionally, nonessential traffic that exceeds prespecified thresholds is rate limited to reduce the impact of DDoS attacks. Agreements between the enterprise and the ISP that provide for additional traffic-rate limiting help push the DDoS mitigation further upstream of this router.
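As an added example (not router configuration from the SAFE blueprint), the following Python models the edge router's filtering policy described above: RFC 1918 and RFC 2827 address filtering in both directions, with only expected traffic (IKE and ESP to the VPN concentrator and firewall, HTTP to a public web server) permitted inbound. The prefixes, host addresses, and the HTTP rule are assumptions for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing (assumptions, not from the SAFE text): the enterprise's
# public prefix and the hosts the edge router must let expected traffic reach.
ENTERPRISE_NET = ip_network("203.0.113.0/24")
VPN_CONCENTRATOR = ip_network("203.0.113.10/32")
FIREWALL_OUTSIDE = ip_network("203.0.113.1/32")
PUBLIC_WEB = ip_network("203.0.113.20/32")
ANY = ip_network("0.0.0.0/0")
RFC1918 = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# A rule is (action, src_net, dst_net, proto, dst_port); first match wins, and an
# unmatched packet falls to the implicit deny, as on a router ACL.
INBOUND_FROM_ISP = (
    # RFC 1918: private source addresses cannot legitimately arrive from the Internet.
    *[("deny", net, ANY, "any", None) for net in RFC1918],
    # RFC 2827: a packet arriving from the ISP with our own prefix as source is spoofed.
    ("deny", ENTERPRISE_NET, ANY, "any", None),
    # Expected traffic only: IKE (udp/500) and ESP to the concentrator and firewall,
    # plus HTTP to the public web server (assumed to be the only other public service).
    ("permit", ANY, VPN_CONCENTRATOR, "udp", 500),
    ("permit", ANY, VPN_CONCENTRATOR, "esp", None),
    ("permit", ANY, FIREWALL_OUTSIDE, "udp", 500),
    ("permit", ANY, FIREWALL_OUTSIDE, "esp", None),
    ("permit", ANY, PUBLIC_WEB, "tcp", 80),
)

OUTBOUND_TO_ISP = (
    # RFC 2827 egress: only our own prefix may leave, so a compromised internal or
    # public-services host cannot send spoofed-source traffic through this router.
    ("permit", ENTERPRISE_NET, ANY, "any", None),
)


def evaluate(acl, src, dst, proto, dst_port=None):
    """Return 'permit' or 'deny' for one packet against an ordered ACL."""
    s, d = ip_address(src), ip_address(dst)
    for action, src_net, dst_net, rule_proto, rule_port in acl:
        if s not in src_net or d not in dst_net:
            continue
        if rule_proto != "any" and rule_proto != proto:
            continue
        if rule_port is not None and rule_port != dst_port:
            continue
        return action
    return "deny"  # implicit deny at the end of every ACL
```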
Dial-In Server
Dial-in user connections in medium-sized networks are terminated at the NAS. Authentication is provided by the access control server using the three-way Challenge Handshake Authentication Protocol (CHAP). Once a user has been authenticated, she is assigned an IP address from a predefined pool.
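The three-way CHAP exchange at the dial-in server, as an added example that is not part of the original text: it follows RFC 1994 (Response = MD5(Identifier || secret || Challenge)), with the credential store, user name, and secret constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed credential store on the access control server (assumption). CHAP
# requires the cleartext secret at verification time, so it is held by the ACS,
# not on the NAS, and it never crosses the dial-in link.
SECRETS = {"alice": b"s3cr3t-dialin"}


def nas_challenge():
    """Step 1 (NAS -> peer): a fresh Identifier and a random 16-octet Challenge."""
    return os.urandom(1)[0], os.urandom(16)


def chap_response(identifier, secret, challenge):
    """Step 2 (peer -> NAS): MD5 over Identifier || secret || Challenge (RFC 1994)."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def acs_verify(name, identifier, challenge, response):
    """Step 3 (ACS -> NAS -> peer): recompute and compare; Success or Failure."""
    secret = SECRETS.get(name)
    if secret is None:
        return False
    expected = chap_response(identifier, secret, challenge)
    return hmac.compare_digest(expected, response)


def dial_in_session(name, secret):
    """Run the full three-way exchange for a peer that knows `secret`."""
    identifier, challenge = nas_challenge()                   # 1: Challenge
    response = chap_response(identifier, secret, challenge)   # 2: Response
    return acs_verify(name, identifier, challenge, response)  # 3: Success/Failure


def replayed_session(name, captured_response):
    """A Response captured from an earlier session fails against a new Challenge."""
    identifier, challenge = nas_challenge()
    return acs_verify(name, identifier, challenge, captured_response)
```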
Layer 2 Switches
The Layer 2 switches in the medium-sized network blueprint provide for connectivity between devices in the Corporate Internet module. Several switches are implemented rather than a single switch with multiple VLANs, to reduce the impact of device misconfiguration. Each segment in the module has a switch to provide for device connectivity. These switches are configured with private VLANs to reduce the potential of device compromise through trust exploitation.
Internal Router
The primary function of the internal router in the medium-sized network blueprint is to provide for Layer 3 separation and routing between the Campus module and the Corporate Internet module. The device functions solely as a router without any filtering capabilities and provides a final point of demarcation between the routed intranet and the external network. Most firewalls do not participate in any routing protocols; therefore, it is important to provide a point of routing within the Corporate Internet module that does not rely on the rest of the network.
NIDS Appliance
The public services segment of the medium-sized network's firewall includes a NIDS appliance. This device is configured in a restrictive stance because signatures that are matched here have already passed through the firewall. Each of the servers in the public services segment has host-based IPS software installed. The function of the host-based IPS is to monitor for any illegal activity on the host at the OS and application levels. Finally, the external SMTP server provides mail content filtering to prevent viruses or Trojan-horse applications from reaching the end users on the internal network.

In addition to the IDS in the public services segment, a NIDS appliance is deployed between the firewall's private interface and the internal router. This NIDS is also set to a restrictive stance; however, unlike the NIDS in the public services segment, this NIDS is capable of initiating a countermeasure against detected activity, through TCP resets or ACL shuns. Attacks encountered at this NIDS may indicate that a public services host has been compromised and that the attacker is using that host as a platform to gain further entry into the internal network. This segment permits only traffic that is in response to initiated flows, that comes from select ports on the public services segment, or that comes from the remote-access segment.
VPN Concentrator
The remote-access VPN concentrator provides secure connectivity to the medium-sized network for remote users. Authentication is provided by the access control server, which queries the OTP server to verify user credentials. IPSec policy is pushed from the concentrator to the client and prevents split tunneling, whereby the client would maintain both a live connection to the external Internet and the secure connection to the medium-sized network. This policy forces the client to route all traffic through the medium-sized network, including traffic that is ultimately destined for the Internet. Encryption is provided through use of the 3DES algorithm, and data integrity is provided through use of the Secure Hash Algorithm/Hash-Based Message Authentication Code (SHA/HMAC).

In the medium-sized network blueprint, the VPN terminates outside the firewall, at the VPN concentrator. This enables the firewall to filter remote-user traffic, which it could not do if the VPN device were placed behind the firewall, because VPN traffic is encrypted until it reaches the VPN concentrator. This deployment also allows the IDS on the inside of the firewall's private interface to inspect traffic from remote VPN users.

In the small network, remote-access VPN termination occurs at the edge router/firewall.
Alternative Medium-Sized Network Corporate Internet Module Designs
The medium-sized network blueprint provides for alternative placements of devices within the designs. For example, in the medium-sized network, you can implement a stateful firewall on the edge router. This has the added benefit of providing greater defense in depth to this module. Also, you can insert another NIDS just outside the firewall. This NIDS provides important alarm information that normally is not seen because of the firewall. The NIDS device can also validate the inbound ACLs on the edge router.

CAUTION

When deciding whether to place a NIDS outside the firewall, be sure to consider the large volume of alarms that may be generated. If a NIDS is placed outside the firewall, it is recommended that the NIDS be configured to alarm at a lower severity than the NIDS behind the firewall's private interface. Also, it may be wise to have this NIDS log its alarms to a separate management server so that the legitimate alarms receive the appropriate attention.

Another possible alternative in the medium-sized network blueprint is to eliminate the internal router in the Corporate Internet module and integrate its functions into the Layer 3 switch of the Campus module. The drawback to this alternative is that it requires the Corporate Internet module to rely on the Campus module for Layer 3 routing.

Another alternative is to provide additional content filtering beyond that provided by the mail server. This could take the form of a proxy system in the public services segment that provides URL filtering to control the types of web pages that employees can access, or it could take a different form, such as URL inspection on a firewall device.

Alternatives to the small network blueprint are geared toward either separating network device functions or increasing capacity. In either case, the small network quickly begins to look like the medium-sized network design.