A network, like a city or village, has an area where the network meets the outside world. Unlike a city, this interface is limited to those devices—hopefully routers—that have connections both to the inside of the network and with the outside world. Typically, an ISP is at the other end of that connection, and then the Internet.
In the preceding two chapters, you looked at network access servers (NAS), which also constitute a part of the network boundary. These NAS connections are a little different, in that security technologies like AAA can be set up to limit access to only those remote dial-in users with preestablished login authority. On the other hand, the network boundary, or perimeter, routers often must allow access to persons unknown to the corporate shared resources, such as web and FTP servers. Furthermore, perimeter router connections also provide access for the Internet, which then exposes the network to other risks.
In Chapter 1, you saw a simplified example of a secure network design. Figure 5-1 expands on that view. The perimeter router represents the border crossing or the demarcation point between the outside world and the internal network.
In a small branch office or in a telecommuter’s home, a single perimeter router might be the only barrier between the inside and outside network. The features and configuration of that lone device would be the only line of defense. Many larger networks use a design similar to that shown in Figure 5-1, called screened subnet architecture. In screened subnet architecture, two devices work together with a router as the perimeter device and the firewall as the second line of defense. The result is three types of networks: inside, outside, and an area called the demilitarized zone (DMZ).
Inside networks are also referred to as the internal or private networks. The inside area is made up of the corporate network(s), including all workstations and, typically, any servers not shared with the outside world. These devices are considered trusted and can be accessed freely by other inside hosts. These trusted devices need to be protected from the outside world and even from attackers that might have compromised the DMZ area(s). The inside area is under one administrative authority and operates under a common security plan.
The inside area is often connected to one of the firewall interfaces, the inside interface. Additional firewalls might be used within the inside area to offer secure separation between two or more subnets. The company security policy might specify a firewall between the accounting/finance departments and the other operating units.
The outside network is also referred to as the external or public network. The outside area, or untrusted area, is considered to be all devices and networks beyond the direct control of the organization’s administration and security policies. The outside area typically includes everything beyond the external interface of the perimeter router, the ISP, and the Internet and all networks attached to it.
The outside network wouldn’t normally be attached directly to a firewall device because of media and data framing issues. A firewall device like the Cisco PIX has LAN interfaces only, so another device is required between the firewall and the serial WAN connection. The perimeter router, possibly a lower-end model, provides the media conversion, framing transition, and any first-line security services.
The DMZ can be two or more areas inside the network perimeter, but not on the inside of the firewall device. The first type of DMZ, often called the dirty DMZ or dirty net, is the LAN segment between the perimeter router and the firewall. This area has only the protection of the perimeter router and the individual security features of any devices placed there. The second type of DMZ is made up of one or more additional LAN interfaces on the firewall. These areas are often called protected DMZs because they have the additional protection offered by the firewall device.
Not uncommonly, some firewall devices offer six or more interfaces, allowing for multiple protected DMZs with different security requirements. Special thought would have to be given to whether any performance benefit from the dirty DMZ being “filtered” only once is offset by the increased risk to whatever is placed there.
DMZs contain shared server resources, such as web, DNS, and e-mail servers. These servers are available to the outside world. These shared servers are often called bastion hosts, bastion servers, or even sacrificial hosts. Bastion hosts must be hardened, and they receive the highest priority security maintenance because of their vulnerability to the outside world and increased likelihood of attacks. A bastion server typically runs only those specific services being shared, and all other services will be stopped or turned off.
The dirty DMZ is bordered by the outside interface of the firewall device and the internal interface of the perimeter router. The firewall must be configured to allow loose, but regulated, access to the protected DMZ from the outside network, while at the same time protecting the inside network. Inside network users need access to the server resources in the DMZ and are typically allowed limited access, possibly restricting access to only those sessions originating within the inside network.
A firewall is a device that separates or joins the inside network to the dirty DMZ and any optional protected DMZs. The firewall can be a router running the firewall feature set, a specialty server with two or more NICs in different networks, or a specialty device like the Cisco PIX that does nothing but provide firewall services. While suitable applications exist for each type of firewall, it is generally best to use a dedicated device performing only security features, and leave routing and serving to other devices.
In a network like the example in Figure 5-1, the firewall would typically be configured to prevent access from the outside to the inside, possibly limiting access to those sessions originating from the inside network. The firewall configuration might allow inside users access to DMZ resources, while providing some defense for the inside from attackers who compromise a bastion host.
Unsolicited access from the outside directed to the inside would typically be blocked. Certain well-thought-out exceptions and configurations could be created, so e-mail server(s) residing on the inside network, instead of the DMZ, could still exchange e-mails. Securing this type of connection is covered in the firewall chapters.
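The policy just described (outside users reach bastion hosts only on published services, inside users may open sessions to the DMZ and outside, returning traffic is admitted only for sessions the inside opened, and a DMZ host can never initiate toward the inside) can be modeled as a small stateful zone firewall. The following is an added illustration, not code from the book or from any Cisco product; the zone map, addresses and published services are constructed assumptions.

```python
"""Toy model of the screened-subnet firewall policy (added example)."""
from dataclasses import dataclass, field

# Constructed zone map (assumption): which zone each address belongs to.
# Anything not listed is treated as untrusted, i.e. "outside".
ZONES = {
    "10.1.1.20": "inside",     # workstation on the inside network
    "192.0.2.10": "dmz",       # bastion web server on a protected DMZ
    "203.0.113.5": "outside",  # some host on the Internet
}

# Services each bastion host publishes to the outside world (assumption).
PUBLISHED = {"192.0.2.10": {80, 443}}


@dataclass
class ScreenedSubnetFirewall:
    # Sessions opened by inside hosts, keyed (src, dst, sport, dport).
    sessions: set = field(default_factory=set)

    def allow(self, src: str, dst: str, sport: int, dport: int) -> bool:
        """Return True if a packet src:sport -> dst:dport may pass."""
        szone = ZONES.get(src, "outside")
        dzone = ZONES.get(dst, "outside")

        # Return traffic: admitted only if it reverses a session the inside
        # network opened (this is the "sessions originating from the inside").
        if (dst, src, dport, sport) in self.sessions:
            return True

        if szone == "inside":
            # Inside users may reach the DMZ servers and the outside; remember
            # the session so the reply can be matched later.
            self.sessions.add((src, dst, sport, dport))
            return True

        if szone == "outside" and dzone == "dmz":
            # Loose but regulated access to bastion hosts: published ports only.
            return dport in PUBLISHED.get(dst, set())

        # Everything else is unsolicited access toward a more trusted zone:
        # outside -> inside, and a (possibly compromised) bastion -> inside.
        return False
```

Because the default branch denies, the same object also rejects a DMZ host trying to reach the inside even when it picks a source port that looks like a server reply.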
The typical firewall device has two or more LAN interfaces: one each for the inside and outside networks. Optionally, an additional LAN interface can exist for each protected DMZ network. Today, the LAN interfaces are typically Fast Ethernet or Gigabit Ethernet, but there’s no reason they couldn’t be Ethernet, Token Ring, or FDDI.
Some small firewalls used in implementations like branch locations or telecommuter residences might have only two interfaces for separating the inside network from the outside world. In those small implementations, the inside interface could connect to a user machine via a crossover cable, or to a small hub or switch. The external interface would often connect to the DSL, cable modem, or ISDN device. The Cisco 806 router shown in Figure 5-2, with an Ethernet interface, a four-port hub, Cisco IOS, and support for the firewall feature set, is an example.
While a firewall is normally used to separate the inside network from the outside world, it is also possible to use a firewall to separate internal departments where additional security is required. For example, a school might choose to place a firewall between the student network and the faculty network. In this case, the firewall might have only two interfaces, with the inside interface connected to the protected network and the outside interface connected to the network perceived as the potential threat.
The perimeter router is typically a standard router providing a serial connection to the outside world and a LAN connection to the internal network. The perimeter router should provide any filtering of outside traffic to implement basic security for the dirty DMZ and preliminary filtering for the inside network. This device could be running the firewall feature set for additional security options.
Because the perimeter router is often connected to a slower WAN interface on one side and it doesn’t normally provide routing functions for internal networks, the LAN interface speed isn’t as critical as making sure adequate memory and features exist to handle the outside connection. Even if the inside network is 100MB and all protected DMZ interfaces are full-duplex 100MB, if the Internet connection is a T1 (1.54MB), then a 10MB LAN interface on the perimeter router shouldn’t impede traffic. Even most DSL or cable connections would be well below 10MB.
While bandwidth issues are important, feature sets are equally important on perimeter routers. Routers all the way down to the 800 series support access lists, firewall features, and so forth, making low-end devices attractive in some perimeter implementations. If intrusion detection features are needed, though, you should know that the firewall feature sets for devices below the 2600 series don’t include them. So, while a 1700 or 2500 device might handle the traffic, it won’t provide intrusion detection services.
The next chapter looks at the Cisco IOS firewall feature set and the additional features it can add to the perimeter router.