Special Reports

Five Layers of Defense

You can adapt the logical perimeter network design to suit your own access requirements, but most common requirements are met with this design.

• By Danielle Ruest and Nelson Ruest
• 04/01/2004

For This Solution: Windows Server 2003, Internet Security and Acceleration Server 2000, Internet Security and Acceleration Server Feature Pack 1, Internet Security and Acceleration Server 2004 (Beta), Internet Information Services 6.0

Despite the reoccurrence of e-mail attachment–based viral attacks, users continue to infect internal networks. For example, even though news outlets everywhere covered Mydoom with almost as much interest as Janet Jackson's costume malfunction, 400,000 hapless users still clicked on the Mydoom attachment, according to Symantec, and turned their systems into the zombies that brought down The SCO Group's Web site.

Nagging users doesn't seem to work. One person's slip of vigilance is all it takes to do the damage. You need a gatekeeper to filter out these malicious pieces of code. That's where the perimeter network comes into play. This network, often called the demilitarized zone (DMZ), is designed to protect your internal resources from attacks stemming from the outside world. That's not to say that attacks only originate from outside. Infection can also come from inside your network. In fact, five years ago, internal attacks were the most common form. This is changing though. Today, more and more attacks originate from outside your network, which is why perimeter security is so important. Your perimeter network is your first line of defense when it comes to the outside world. It must be configured properly and must be designed to provide a series of different security services as well as information and perhaps e-commerce features.

A complete defense system needs to address all aspects of internal and external networks. That's why it's best to use a defense-in-depth strategy such as the Castle Defense System (CDS), which provides a layered structure to IT security (see Figure 1). The CDS is based on five layers, stemming from the core of your network—your data—to the outer extremes, which are your connections with the outside world. The advantage of the CDS is its basis on the protection systems used in medieval times. Because it's a familiar image, it allows people to visualize how a layered IT defense system should work. For example, layer five is analogous to a castle's moat. This means securing perimeter networks, including the virtual private network (VPN) and/or routing and remote access (RRAS), to your internal network. Also, because layer five deals with the external world and you can't control the configuration of the clients accessing your services, you might also need to implement multiple authentication methods, including Public Key Infrastructure certificates, one of the most universal methods for the support of secure communications.

If you examine this layer in depth, you begin to realize that it requires quite a few different technologies to provide complete protection. The selection of these technologies and systems will depend on the services you intend to provide through your perimeter network. First off, you need an external connection because most organizations need to send and receive e-mail as well as browse the Internet. This means implementing technologies that protect your network from unauthorized entry. And because you will be receiving data from the Internet in the form of e-mail messages and Web page connections, you'll also need a filtering system as well as virus protection. If you are very conscious of the data you are protecting, you might want to add an intrusion detection system.

Second, you will probably want to have an Internet presence. This means publishing information to the Internet. Here the best type of protection is the reverse proxy—a tool that is designed to publish Web information in a secure way by impersonating the Web server. Users think they are actually working on the Web server when in fact they are using the reverse proxy server (for more information on this subject, see "Locking Down MCMS" in this issue). Third, you might want to support e-commerce. In this case, you'll need authentication systems that are platform independent because you can't control the type of client visitors will use.

Finally, you might also want to allow traveling internal users to remotely access your network either through the Internet or through telephone communications. For this, you'll need private authentication systems because here, you do control client operating systems and technologies. In short, you need to build the protection layers in your perimeter in response to both perceived and anticipated needs.

You need to ensure the perimeter network includes all access points to your internal network. Too often people forget about modems and other sporadic connectivity systems that are present in the network but for some reason are not included in perimeter defenses. All access points must be considered, including wireless base stations. This is why it is a good idea to begin with a logical perimeter architecture that takes into account all of your connectivity options. This logical design can then serve as a map your integrators can follow to build or modify your existing perimeter network.

Define the Logical Protection Layers
The basis of a secure perimeter architecture (SPA) is to allow the right people in and out of your internal network while protecting your data (see Figure 2). This is one reason why you need to separate it into different zones. In fact, a proper SPA should include the following zones:

• A DMZ designed to be the entry and exit point for the perimeter network.
• A sensitive zone designed to protect sensitive services and/or data.
• An internal zone, which is your intranet.
• A management zone designed to allow private access to perimeter technologies in order to update, control, and administer its services.

Each of the four zones requires special considerations. For example, the DMZ mostly consists of firewalls. In a complex network, this can include two firewalls. The first is often a hardware firewall that protects at the physical layer. It supports traffic control as well as route prioritization and can integrate traffic from both the Internet and private partner networks. All firewalls—each of the three included in this design—include intrusion detection technology to alert operators in the event of mishaps.

The DMZ's second firewall is software based and provides protection at the application layer, which is fast becoming the most commonly attacked layer. It also provides other services, which for design purposes have been illustrated separately from the second firewall, though in actuality they might be hosted on the same machine. This represents the authentication gateway—a secure entry point that provides both private and public authentication services. This gateway examines destination requests and controls all accesses to both the sensitive and the internal zones as well as controlling outbound access and responses. To further protect the public subzone, which is designed to provide read-only Web services, the authentication gateway supports reverse proxy, publishing services to the Internet. This gateway can be based on Microsoft's Internet Security and Acceleration (ISA) Server 2000 running the ISA Feature Pack today, but could also be using ISA 2004 soon (see the sidebar, "Protect the Application Layer").

The second perimeter zone is the sensitive zone. It includes three subzones: public, authentication, and services. The first provides public, read-only information services to visitors. It doesn't contain anything that can't be easily restored from an internal carbon copy server. The second subzone hosts the authentication service. It is tied to the authentication gateway found in the DMZ and stores both identification information and user profiles. Because this service is based on Active Directory (AD), this zone also hosts name services. Note that in most scenarios, this external AD is not linked to the directory found in the internal zone. The third subzone hosts e-commerce services. It is also commonly called the extranet. Note that the sensitive zone is further separated from the internal zone (commonly called the intranet) through a third firewall. This can be either a software or hardware firewall.

The third perimeter zone is the perimeter management zone. It is based on a private connection to the perimeter. This private connection has no links to the external world. It only provides access to the perimeter from the internal network and is used to manage all perimeter zones, create backups of valuable data, monitor services and accesses, and analyze usage. It should be managed from a single integrated console if possible.

All three zones form the logical design of the perimeter network. Note that this network also includes the servers that control internal network access through virtual private networks (VPN) or remote access services (RAS) because they are doors that must be protected. In the case of remote access, this service can be provided by Remote Authentication Dial-in User Service servers today. These servers might also double up to support VPN access when ISA 2004 is released.

Moving from Logical to Physical
You can adapt the logical perimeter network design to suit your own access requirements, but as you can see, most common requirements are met with this design. Once you have finalized your logical design, you'll want to transform it into a physical implementation. Here you'll realize that there might be significant differences between the logical and the physical. For example, the logical design represents three firewalls. Although the first firewall should be physical, in some scenarios, you might discover that it's possible to host the second and third firewalls on the same server through the addition of extra network interface cards. Your actual physical implementation will depend on factors such as anticipated traffic, provided services, and expected growth. One great place to get help on the transformation of logical to physical is with the Microsoft Systems Architecture (MSA) version 2.0 (see the sidebar, "Configure your Perimeter Network"). The MSA provides comprehensive guidance in the form of complete documentation for the implementation of secure networks, both internal and external, based on Microsoft technologies.

One thing is certain: You need added protection given the rise in Internet-based attacks. Using a logical perimeter network design will help you visualize the security services you require, and using the MSA, you can easily transform that vision into reality. This way you'll be able sleep peacefully because you'll know that your network is ready to face future Mydoom alerts.