Secure Network Design Example

To lay a foundation for discussion of secure networks, this section looks at some basic terms and concepts used throughout the book. In security terms, you have three types of networks to consider: inside, outside, and an optional network called the demilitarized zone (DMZ). A firewall is the device that separates or joins these areas. The firewall can be a router running a firewall feature set or a specialty server, or it can be a specialty device such as the Cisco PIX that does nothing but provide firewall services. Figure 2-1 shows a simplified view of the three areas and the firewall.

Figure 2-1: A firewall separating the three security areas

The typical firewall device has three or more LAN interfaces: one each for the inside and outside networks, and one for each DMZ network. Some early firewalls and those used in small implementations like branch locations or telecommuter residences might only have two interfaces for separating the inside network from the outside world. Today the LAN interfaces are typically Fast Ethernet or Gigabit Ethernet, but there’s no reason they couldn’t be Ethernet, Token Ring, or Fiber Distributed Data Interface (FDDI).

Inside Network

Inside networks are also referred to as the internal or private networks. The inside area is made up of the network(s) of the organization, including all workstations and servers not shared with the outside world. These devices are considered trusted and in need of protection from the outside world. The inside area is typically under one administrative authority and operates under a common security plan.

A firewall is normally used to separate the inside network from the outside world, but a firewall can also be used to separate internal departments if additional security is required. For example, a school might choose to place a firewall between the student network and the faculty network.

Outside Network

Outside networks are also referred to as the external or public networks. The outside area, or untrusted area, is considered to be all devices and networks beyond the direct control of the organization’s administration and security policies. The outside area would typically include the perimeter router, the ISP, the Internet, and all networks attached to it.

While the Internet is not necessarily the greatest actual threat to many networks, its international scope means an organization can face threats from anywhere in the world, and for reasons that could seem ludicrous at home.

Demilitarized Zone (DMZ)

The demilitarized zone (DMZ) is made up of one or more isolated LAN networks that contain shared server resources, such as web, DNS, and e-mail servers. These servers are available to the outside world. These shared servers are often called bastion hosts, bastion servers, or even sacrificial hosts. Bastion hosts must be secured and receive the highest priority in security maintenance because of their exposure to the outside world and the increased likelihood of attacks. A bastion server typically runs only the specific services being shared; all other services are stopped or turned off.

The firewall must be configured to allow quite loose, but regulated, access to the DMZ from the outside network while at the same time protecting the inside network. Inside network users need access to the server resources in the DMZ and are typically allowed limited access, possibly restricting access to only those sessions originating within the inside network.

Generally, the firewall will be configured to prevent access from the outside to the inside, possibly limiting access to those sessions originating from the inside network. Other, unsolicited, access from the outside would be blocked in most cases. One common exception might be the e-mail server(s), if they reside in the inside network instead of the DMZ. Securing this type of connection is covered in the firewall chapters.
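The three-zone policy described above, modeled as a small stateful firewall in Python. This is an added example and not code from the book or from any Cisco product; the inside and DMZ prefixes, the mail-server address, and the list of shared DMZ services are constructed assumptions.

```python
import ipaddress

# Constructed example addressing (an assumption, not from the book).
ZONES = {"inside": ipaddress.ip_network("10.0.0.0/8"),
         "dmz": ipaddress.ip_network("192.0.2.0/24")}
# Services the bastion hosts share (web, DNS, e-mail), as the section lists.
DMZ_SERVICES = {("tcp", 80), ("tcp", 443), ("udp", 53), ("tcp", 25)}
# The one exception the text mentions: a mail server kept on the inside
# network rather than in the DMZ (constructed address).
INSIDE_MAIL_HOST = ipaddress.ip_address("10.1.1.25")


def zone_of(ip):
    """Anything not in a known inside or DMZ prefix is the untrusted 'outside'."""
    addr = ipaddress.ip_address(ip)
    return next((name for name, net in ZONES.items() if addr in net), "outside")


class ZoneFirewall:
    """Stateful three-zone policy: a session is admitted by the zone rules
    below and recorded, so its reply packets are allowed afterwards."""

    def __init__(self):
        self.sessions = set()  # (proto, src, sport, dst, dport) already permitted

    def decide(self, proto, src, sport, dst, dport):
        # Reply traffic for a session we already permitted is always allowed.
        if (proto, dst, dport, src, sport) in self.sessions:
            return "allow"
        s, d = zone_of(src), zone_of(dst)
        service = (proto, dport)
        if s == "inside" and d == "outside":
            ok = True                        # inside may originate sessions outward
        elif s == "inside" and d == "dmz":
            ok = service in DMZ_SERVICES     # limited access to the shared servers
        elif s == "outside" and d == "dmz":
            ok = service in DMZ_SERVICES     # loose but regulated public access
        elif s == "outside" and d == "inside":
            ok = (ipaddress.ip_address(dst) == INSIDE_MAIL_HOST
                  and service == ("tcp", 25))  # only the e-mail exception
        else:
            ok = False                       # e.g. a DMZ host reaching inside: deny
        if ok:
            self.sessions.add((proto, src, sport, dst, dport))
        return "allow" if ok else "deny"
```

Unsolicited packets from the outside toward the inside are denied even when they look like replies, because no matching session was ever recorded.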
