Windows Foundation

Standing Guard

Security is a full-time job, but keeping an eye on your perimeter network can cut down the work.

• By Bill Heldman
• 07/01/2002

The .NET revolution is going to change everything. Bill Gates' idea about a universal computing environment includes a vision for wireless devices, the tablet PC and other unique offerings. Virtual Private Networks VPNs will allow telecommuters to connect to the private network from anywhere in the world. Wireless Access Points WAPs will make it handy for people whose jobs require them to roam but remain connected to the network to interact from anywhere within the range of an access point. Enhanced e-commerce software will enable "mom and pop" shops that couldn't participate with the big boys on the Internet to get their businesses put into the virtual world and accomplish it in a secure way.

At the same time the viruses keep coming—developers of malicious code keep writing disruptive wares. The hacker snoops keep trying to get into places they shouldn't be to obtain things they shouldn't have.

So, how does an administrator balance the very cool things coming down the wire (and sometimes already here) with the need for security and safety?

As a security administrator, you have two overarching goals: you want to keep unwanted visitors from coming into your Internet sites and private networks and performing malicious activities and also you want to keep your private network users out of Internet sites they shouldn't be going to. It sounds like a lot, but the majority of the activity pivots around one place: the perimeter network.

First Line of Defense: NAT
The perimeter network is the place at which users enter or leave your network, based upon the restrictions you put in place. Figure 1 shows your internal network connected with the Internet. There's nothing to protect you from malicious users on the Internet with the exception of some fancy TCP/IP trickery that we'll discuss next. You probably have a router or some other sort of connecting device in your company that connects you by some kind of telephony circuit (T1, E1, T3, E3, ISDN, DSL, etc.) to your ISP, who in turn is connected to the Internet. Routers are the connecting devices that make the Internet work.

Figure 1. A private network connected with the Internet through an ISP.

In this scenario, there is no protection for the private network. Data can easily traverse from the Internet inside or from the private network out. However, even in this elementary setup, a network admin can take some protective measures. For starters, the private network might be set up on one of three reserved TCP/IP network addresses:

• Class A—10.0.0.0 through 10.255.255.255
• Class B—172.16.0.0 through 172.31.0.0
• Class C—192.168.0.0 through 192.168.255.0

By setting up your private network on a reserved network address, you require a device that uses Network Address Translation (NAT), which means you're representing an internal user by using a valid IP address externally. NAT-ting is something that Windows 2000 Advanced Server can do right out of box, so it's pretty easy to provide a modicum of protection to an otherwise unprotected network.

Networks that use legitimate IP address ranges internally can potentially be more easily hacked, so the idea of converting your network to a reserved network address is a good one.

Also, the developers of TCP/IP designed in the idea of ports. There are several thousand different ports, starting at port 0, that TCP/IP protocols can potentially use—some of them are well-known, such as HTTP's port 80 and SMTP's port 25. (See http://www.iana.org/assignments/port-numbers for more information on TCP/IP ports.) Routers can be configured so that they'll only allow incoming packets on certain ports (port 25 being the most common, because people need to be able to receive Internet e-mail). Likewise, routers can also be configured to bar internal users from utilizing certain ports as well. For example, the FTP protocol (ports 20 and 21) is one that's commonly blocked from internal use.

However, routers can be spoofed; that is, hackers have figured out workarounds that can allow them to slip inside the door, regardless of the blocking that has been established. Also, port 25 is famous for being hacked by groups who want to utilize company's e-mail server to send blanket e-mail documents out to hundreds of people. The process is called relaying. (Exchange Server has been able to prevent relaying since Exchange 5.5 SP3).

You'll likely not prevent internal users from accessing HTTP port 80; otherwise, users wouldn't be able to utilize the Internet. There is nothing built into TCP/IP that allows you to keep internal users from surfing out to porn or other sites that they shouldn't be allowed to visit.

Put Up a Firewall
So, what's a person to do? To build up your defenses, you begin to develop a perimeter network. The first thing you'll start with is a firewall (see Figure 2). A firewall is software (such as Microsoft Internet Security and Acceleration Server) or hardware (such as a Cisco PIX) that can be adjusted so that only certain categories of users are allowed outside using certain protocols and so that you heavily regulate the kind of traffic allowed inside. Typically the firewall sits behind the router.

Figure 2. The private network resides behind the firewall.

Firewalls use rules to do their work. Rules represent to the firewall the way that you'd like to filter specific activities. You might have a firewall rule that says "Allow all users in the Marketing group to access HTTP port 80" or "Direct all incoming Internet traffic destined for SMTP port 25 to internal e-mail server 10.1.2.2". (I must add that ISA server is much more than a firewall. You may find it informative and fun to study for and take the ISA Server exam.)

So, your firewall is in place and you're able to keep users from getting outside to the Internet using certain protocols; you're also able to keep external traffic from coming in. The router can continue to NAT or, depending on the firewall you choose, it might be able to pick up the NAT-ting efforts, leaving routers to do what they do best—send data from one place to another.

But what do you do about users who are going out to undesirable sites? This is a risky area for corporations, who have to balance their own policies for free access to information with what's appropriate to the workplace. To accomplish this, you can implement Web filtering software.

Web Filtering
Using intelligent Web filtering software (see Figure 3), you can set up the kinds of sites that you don't want your internal users to visit and then direct them to a warning page instead. You can also log the traffic and generate reports showing where people have tried to go on the Internet. Some great examples of Windows-based Web filtering software include Websense (www.websense.com), Smartfilter (www.smartfilter.com) and Surfwatch (www.surfwatch.com), but there tons of others. Figure 3 shows your perimeter network, now with a Web filtering server included.

Figure 3. For extra protection, the Web filtering software is usually set up behind the firewall.

Note: ISA Server isn't designed for robust out-of-box Web filtering, though you can do some elementary filtering. Instead, ISA Server has a feature that allows yuou to "snap in" a third-party Web filtering component.

Web filtering software generally uses files that list the "naughty" sites by name and by IP address and contain any one or more code words that denote what the site contains. Web filtering software companies' servers "crawl" the Internet on a daily basis, looking for new sites, and then update their files, which are downloaded on a regular basis to owners of the software. (This is only one method; there are others.)

With quality Web filtering software products, you have the ability to apply your filtering rules to groups of users, and you are provided with lots of choices about sites you want to rule out: job search, travel, romance, hate, religion, chat, gaming, pornography, jokes, sports and entertainment to name a few. You can also generate reports on a single user, a group of users or IP addresses, a specific site, etc. Some software allows for reports to be routinely e-mailed to managers.

All companies, regardless of size, can benefit from the installation and good quality management of a Web filtering server. While Web filtering servers are essentially plug-n-play, it's a good idea to check in on them daily to make sure they're working correctly. Also, if your users have been working steadily without a Web filtering server, you should consider developing an Internet policy and having them sign off as you implement your server, so they don't think about suing your company for infringement of their free speech (sounds silly, but it has happened). Check with your company's management and legal eagles.

Now that your network is NAT-ted and has a firewall and Web filtering software, is that enough protection? Not quite—next time, we'll discuss intrusion detection and antivirus software and the importance of setting up a DMZ.