ACIS Article (A.Warren)

Case study of network security design on a hypothetical ISP network
by A.Varin Khera, Instructor,
Master in Network Computing, Bachelor of Information Technology, CCNA, CAP, Member of the Australian computing society
ACIS Professional Team

Download Article - PDF Format

Figure 1.1 - A hypothetical network of an Internet Service Provider XYZ

The network shown in the above figure belongs to a hypothetical Internet Service Provider XYZ CO, LTD. The company provides its clients with Internet access through different access means such as the Integrated Services Digital Network (ISDN), dial up 56 K modem and a high speed leased line for corporate clients. This company has 2 regional offices (Point of Presence) located in different cities. This allows clients with flexible roaming access solution within those cities. In addition to providing Internet access XYZ also support web and DNS hosting for clients.

The XYZ network is based on a hub and spoke model with all regional offices connecting back to the main offices for major services, Internet access and accounting purposes. In an attempt to reduce the amount of traffic traveling on the intranet backbone between the regional offices and the main offices all the regional offices contain a small portion of highly accessed servers.

The main offices and the regional offices have similar building blocked with each location (POP) consisting of 4 main blocks (refer to figure 1.1). A multi-port firewall is connected to each of the building block to ensure the level of desired overall security. The first block consists of XYZ Local Area Network. The data link medium in use for the Local Area Network at the main office are traditional Ethernet (802.3) network with wireless access point located throughout the building, allowing authorized mobile users with wireless card instant access into the company network. Regional sites only support traditional Ethernet (802.3) LAN. The local area network is broken down into different subnets each accommodating different departments. The wireless clients will also be located on its own subnets to allow easy policy enforcement.

Refer to the figure 2.1 below for a brief view of XYZ LAN.

Figure 2.1 - XYZ internal LAN

The second section of the network consists of subnets accommodating protected servers. These servers are database server and billing servers that store confidential information about the company and its clients. These sets of servers are highly protected, providing limited virtual access to trusted clients. The current database server in use to store the accounting and billing information will be the IBM RISC 7000 mainframe servers. A version of Open LDAP (light weight directory access protocol) will be used to control authentication on clients connecting to the network. A high performance firewall is placed in front of the protected subnets to achieve the required security requirement on these servers. Refer to figure 3.1 for a complete view on the sets of protected servers.

Figure 3.1 - XYZ protected servers

The third section of the network will contain publicly accessed servers. These types of servers require external connections in order to perform their operations successfully. A subnet has been allocated to this section to ease management and reduce the broadcast and collision domain. These servers are the most vulnerable servers since they are highly exposed to the outside world. This zone (section) is called the DMZ zone (servers located here are usually called bastion hosts). The corporate firewall allows only traffic designed to known ports on the machine through to the zone. This prevent a malicious hackers from attempting to port scan the servers for vulnerabilities. Refer to figure 4.1 for the diagram of the zone.

Figure 4.1 - XYZ public accessed servers

The fourth section contains XYZ remote access clients. These are users who has requested to sign up for an account with the ISP. No special security consideration will be enforced to the users. They will however be bound to rules associated with the rest of the ISP network but the users will be allowed to access any kind of services from any host over the internet. It's the users own responsibilities to ensure that his/her machine are protected from Trojan which may gives a hackers control to the users individual personal computer.

When a users dial into the network he/she is authenticated by the radius servers which fetches the appropriate account information from the LDAP server located in the secure subnets. All accounting information is also written to the database servers located in the secure subnets. Refer to figure 5.1 for the complete remote access solution offered by the XYZ companies.

Figure 5.1 - Remote access section and AAA (radius)

The risks and priorities for security and its use

Any network system connected to the Internet is considered insecure. A malicious hacker could attempt to break into the ISPs network from the Internet and gain access to confidential data. In order to strengthen the network against hacking attack, certain section within the network such as the DMZ zone and the protected server zone are given higher security priorities, since they are most vulnerable to outside attacks.

The following section will detail some of the security threads that the XYZ ISP would have to face.

1] Trojan horse programs
A Trojan host is like a backdoor program. A hacker will trick users via means of social engineering or other possible means to install the Trojan. Once the Trojan is in place the hacker can control the infected machine.

2] Back door and remote administration programs
Since the ISP will be running some of its server on a Windows NT based system a possible threads exist from tools such as Back Orifice, Netbus and SubSeven. These back door or remote administration programs, once installed, allow hacker/cracker unconditional access and control on the system.

3] Denial of service
Denial of Services (DOS) attack is one of the most common types of attack. In an attempt to perform a DOS attack on a host computer, the intruder will continuously flood the victim machine with packet until the application running on the victim machine stop responding or the victim machine crashes due to an overloaded buffers.

4] Email spoofing
Email spoofing is when one email message appear to have originated from one source when it fact it has been send by the other source. This form of attack is very common and the types of messages spoofed can range from simple junk mail to several social engineering tactics trying to get users to release his/her confidential information like passwords. A good example of performing such an attack would be to telnet into the email port (SMTP 25) and manually inserting options into the Sendmail program to force it to hide the real identity of the attacker.

5] TCP passive attack
TCP passive attack is an attacked perform on the TCP protocol. This type of attack are perform on Ethernet based network whereby a hacker continuously set up a program to monitor all the broadcast on an Ethernet segment and reconstruct the entire session based on the information contained within the Ethernet broadcast (This technique utilizes the main advantages of an Ethernet network being a broadcasting network whereby every machine hears all the conversation that happens on the network). A good way to prevent this attack is to carefully design a complex switching system so all traffic are not relayed to each port like the traditional hubs based system).

In earlier Unix kernel such as that of the earlier 2.2.x version the sequencing number of the system could easily be calculated by constantly monitoring the conversation of a particular hosts, this could allow a hacker to hi-jack a TCP session by spoofing the correct sequence number.

6] Packet sniffing
A packet sniffer is a very important tool for a system administrator but it can also be dangerous if used with bad intention. The first thing most hacker does when he/she could gain access into a network is to set up a packet sniffer, to sniff out username/password and confidential information from the network.

7] Buffer Overflow
A buffer overflow is a very dangerous attack that can if successfully usually gives root access to a hacker. The buffer overflow problem is due to the memory management of the software.

8] Virus attack
Virus attack is very common and many good anti-viruses exist to combat with the viruses. A good way to protect from viruses is to regularly scan your network for any viruses and automatically updating your virus scanner program.

9] Spoofing
Spoofing is when one host prevents to be another hosts. They are 2 popular types of spoofing one called ARP spoofing and the other called IP spoofing.

10] DNS cache pollutions
DNS cache pollution is when a hacker has access into a DNS server and he changes the name to address mapping pair within the server to a fake server set up to attack the victims computer. (EG - www.xyz.net = 203.20.104.1 but the hacker manages to gain access into the DNS cache and changes www.xyz.com to 200.200.200.1 (the hackers machines)

Advance plans for what to do in an emergency

Even a company with the best information security infrastructure cannot be assured that an intrusion or other malicious acts will not happen to their computer system. When a security incident occur, it is critical for an organization to have an effective way to respond to the incident because a quick accurate and effective respond will save the company time and money.

The XYZ companies have set up an emergency respond team to handle all emergency incident. This team consists of a formalized team with a highly technical people who have a strong computer security related experience. The emergency response team will have their office located in the main building and they will respond to all emergencies situation detail in the earlier section of this report. The jobs of the emergency respond team apart from responding to emergency situations will be to work with the technical support people in helping design a secure network system.

The security respond team will try to break into the ISP network in an attempt to find out every possible path that a hacker could undertake to get into the ISP protected network. If the respond team find any problem such a buffer overflow in one of the Unix Sendmail program which could allow a potential hacker to gain access on the machine they will immediately inform the technical support people of such a threads and recommend an upgrade to the Sendmail version that is more secure.

Description of good security practices that you need to educate your users

Security, privacy, and protection are rapidly becoming the most important issues for computer users. The following are some of the good security practices that XYZ will educate its worker through campaign such as seminar, social workshop, and special training.

Brings end-users up to speed on critical information security risks.
Arms employees with common sense protection techniques (choosing a good password, never leave the machine log on when unattended, etc).
Remind employees about their ongoing responsibility to protect the company data.

(The above point has been referenced from http://nsi.org/SSWebSite/TheService.html )

Ways to enforce security for user accounts and passwords

One of the cheapest and secure ways of authentication is through the use of a password. If user X needs to gain access to the resources and services offered on a network he/she will need to identify themselves as a registered users through the use of a password. The XYZ company has sets up certain policy as follow that ensure a users select a password that would be capable of withstanding simple brute forced attacked.

Be as long as possible (never shorter than 6 characters).
Include mixed-case letters, if possible.
Include digits and punctuation marks, if possible.
Not be based on any personal information.
Not be based on any dictionary word, in any language.
Require the users to change their password every month.
Never use the same password twice.

(The above policy has been referenced from http://www.psynch.com/docs/strength.html)

Most modern operating system such as Windows 2000, Windows NT and Unix/Linux support built in mechanism to support some of the above policy. (Windows NT has a program called passprop.exe for enforcing secure password policy as outlined above, the Linux system provides support for PAM (Pluggable Authentication Module) from kernel 2.2 + which allow the system administrator to enforce such a policy).

In the XYZ ISP network all the password authentication for dial up and leased line clients will be done through the use of a central Light weighted Directory Access Protocol (LDAP) server. This server will be a Linux based machine and will run the OpenLDAP software implementing the outlined password policy. A Windows NT/2000 system will perform the authentication for LAN clients. LDAP supports a web-based password changing using the Secure Socket Layer (SSL) protocol. Please refer to figure 6.1 for a clearer view on how radius (AAA) and LDAP are used for the password authentication on clients.

Figure 6.1 - Clients authentication through a central LDAP server with Radius AAA

Policy, strategy and implementation to protect against physical attack

Most people think about locks, bars, alarms, and uniformed guards when they think about security. While these countermeasures are by no means the only precautions that need to be considered when trying to secure an information system, they are a perfectly logical place to begin. Physical security is a vital part of any security plan and is fundamental to all security efforts.

The XYZ Corporation has taken many countermeasure in securing itself from any physical attack to the servers. All the servers are placed in a highly protected room with limited access.
The following policy was implemented in the design of such a room.

Maximize structural protection: A secure room should have full height walls and fireproof ceilings.
Minimize external access (doors): A secure room should only have one or 2 solid door with good locks, and observable by assigned security staff. Doors to the secure room should never be propped open
Minimize external access (windows): A secure room should not have excessively large windows. All windows should have locks.
Maintain locking devices responsibly: Locking doors and windows can be an effective security strategy as long as appropriate authorities maintain the keys and combinations responsibly. If there is a breach, each compromised lock should be changed.

( Some of the above policy has been referenced from http://nces.ed.gov/pubs98/safetech/chapter5.html)

Ways to protect against denial of service attacks

Denial of Service Attack (DOS) has been briefly explains in the risks and priorities section of this report. In this section we will look at how to prevent such an attack from occurring on the XYZ company network. The following lists precautions that should has been taken to prevent such an attack.

Perform regular virus scans for DOS agents regularly, check for machines with unfamiliar ports, and make sure that the corporate firewall blocks packets with spoofed source addresses from originating inside the company network.
Turn off restrictive specific services that might otherwise be compromised or attacked. A good example of this would be something like disabling UDP services for use only within the internal network, thus keeping UDP available for network diagnostic purposes only.
Use an Intrusion Detection System (IDS). IDS can automatically report to network manager in an event of a thread to the network.
Protect all key network infrastructures such as switches, routers, etc from DOS by setting up a secure access lists on these devices.
Some DOS attacks will result from an intruders who understand the network routing policies, it is also therefore important to maintain tight controls over basic policy disciplines such as IP-broadcast forwarding controls, ICMP and IP option response controls.

(Some of the above points have been referenced from the web site, http://www.itp.net/features/980333182529006.htm )

Ways to secure data and information for the XYZ corporations

The XYZ Corporation will uses the following method to guarantee security on its data and information.

1] Encryptions
All the email messages containing any sensitive information will be encrypted using the PGP public and private key RSA encryption method. All file and patch downloaded for any system within the intranet will be checked with the matching hashed key. The Radius server and the LDAP server will also uses the public/private key encryption pair to secure their communication from any tampering.

2] Segmentation
The database server are segmented and replicated at each location to ensure full integrity of the data stored within them. The protected servers are stored at one location and the publicly accessed servers on the other subnet. Both these group of server are protected by the firewall.

3] Regular Backup
All the core database server such as the IBM RISC 7000, users home directory server, etc will be automatically backup at the end of each day. This ensures that if any version of such a server has been modified the system administrator could always resort to the last clean backup copy of the system.

4] Transaction Auditing
Some of the crucial users may have their keystroke recorded in a central database and an alert could be filled if an attempt to break in is being detected by the users.

5] Virtual Private Networking with IPSEC
With users demand a VPN IPSEC tunnel could be established between 2 end points of the users network.

6] Use SSL to protect confidential server
All the servers such as the automatic billing payment system, the user password changing system, the comment and support form will support full SSL to prevent any kind of interceptions of the data while it travel its path from one end to the other.

Methods and tools to protect the XYZ networks against attacks from the outside world

Three main tools used to protect the network from outside threads are Firewall for the entire network, TCP Wrapper on Linux/Unix based machine, an Intrusion detection system to detect and warn of attacks as they happen and system vulnerabilities reporting tools such as SATANS. We will now look at each of the individual component and how they fit together in this network.

1] A firewall system
A firewall is a group of one or more system that enforces an access control policy between different computer networks. In principles a firewall scan all the packet that leaves or enter the network and deny or permit them based on the predefined policies. Some firewalls places a greater emphasis on blocking traffic, while others emphasize more on permitting traffic.

The following will provide a brief explanation on how the firewall system will be used for the XYZ network to protect against security threads from the outside world.

Figure 7.1 - A multi-port firewall with a connection to each network block (subnets)

The above figure shows the firewall design of the XYZ corporations. All traffic traveling from any sections of the network will have to go through the firewall. The following briefly explains the firewall policy in use by the corporations.

1] Traffic from the local LAN port 2 will be allowed to the protected server block on port 3. Only authorized traffic from other POP will also be allowed to enter the protected server section this is determined based on the source and destination address.

2] Port 4 will only allow known port traffic through to the public server areas. All traffic cannot be initiated from port 4 to any other port in the network (this prevent a hacker who has successfully confiscated the bastion hosts from getting into the protected network from the bastion hosts).

3] Port 5 has no restriction set but are bound to policy placed on other ports.

TCP Wrapper

TCP Wrapper is a public domain computer program that provides a simple firewall services for Unix servers. An un-secure Unix server attached to a network is exposed to various types of risk from users of the network. TCP Wrapper works by monitors incoming packets and if an external host attempts to connect, TCP Wrapper checks to see if that external entity is authorized to connect. If it is authorized, then access is permitted; if not, access is denied. The program can be tailored to suit individual user or network needs.

All the XYZ Linux server will have TCP wrapper set up to deny all connection to the machine and allow only the registered administrator IP address to make SSH , FTP, etc connection into the machine.

Intrusion Detection System (IDS)

IDS can automatically alert the network manager in an event of real time threads. In order to use an IDS system the system administrator will define a policy that trigger an alert if the IDS system will continuously monitor the network and send off an alert on such an event. Certain policies that usually trigger the alert are the detecting of a DOS attacks, the detection of a port scan or TCP session hijacking etc.

Security and system vulnerabilities check tools

Other ways to prevent threads from the Internet is to constantly use tools such as SATANS that are capable of scanning a system (Unix) and producing a report based on the vulnerability detected on such a system

Plans to update systems to cope with new technologies that may increase security risks to your systems

In order to update the security of the current system to cope with future technologies the following steps should be perform.

1. Regular update of system patch

Windows system supports an automatic update tools the san your system and recommend the required patch for your system. Linux system has freeware application written in Perl that scan the application install on your system and attempt to automatically update them when a newer patch fix has been released.

2. Keep in touch with future technology

A good administrator must attend all seminar and conferences to keep themselves up to date with all the new technologies available.

3. Add more resources and bandwidth to the network when required

With the advent of new technologies such as a faster and higher throughput access medium may forces a company to expand its resources to remain competitive in the market.

Bibliography

Practical UNIX & Internet Security, 2nd Edition, By Simson Garfinkel, Gene Spafford, April 1996 , Oreilly Publishing, ISBN 1-56592-148-8.

Network Intrusion Detection System, By Stephen Northcut, September 2000, New Riders publishing, ISBN 0-7357-1008-2.

Dos Attack types, http://www.itp.net/features/980333182529006.htm, Last accessed 20/10/2002

Physical attack method, http://nces.ed.gov/pubs98/safetech/chapter5.html, Last accessed 20/10/2002

Password security, http://www.psynch.com/docs/strength.html. Last accessed 20/10/2002

Educating users about security, http://nsi.org/SSWebSite/TheService.html, Last accessed 21/10/2002