Life at the edge: Securing the network perimeter

by Michael Cobb

The Internet is an unbounded network environment. It has no central administrative control and no unified security policy. Despite best efforts, no amount of hardening can guarantee that a system connected to an unbounded network is invulnerable to attack. A Web server is publicly available on the Internet, so a network infrastructure

More from this lesson Download the full four-part technical paper -- Life at the edge: Securing the network perimeter (.pdf). Return to Web attack prevention and defense: Identify and analyze Web server attacks. Return to Intrusion Defense School.

must play a role in protecting the Web site and other IT assets. Airtight security is not possible, so don't get caught in the trap of trying to achieve it. You must aim to establish a balance of adequate security with cost effectiveness and common sense. Security is about ensuring that systems can deliver essential services and maintain essential properties such as integrity, confidentiality and performance despite the presence of intrusions; in other words, reliability in the face of adversity.

To be able to deliver essential services, a "reliable" system must demonstrate four key properties:

1. Resistance to attacks
2. Recognition of attacks and the extent of any damage
3. Recovery of full and essential services after attack
4. Adjustment to reduce effectiveness of future attacks

An overview of Web security architectures

When planning Web-based services you must fully understand what needs to be protected. Thus, the process to ensure survivability is an organizational one, rather than purely an IT one. Once your organization has defined its minimum levels of acceptable service and security for each service, the task of planning the Web security architecture can begin. Never use a totally "flat" network design, one where all devices connect directly to each other, as you must avoid hackers gaining access to your Web server and finding that your entire network is wide open.

The network layout should ensure that the failure of one level of protection does not result in a succession of compromises. Practice defense-in-depth and utilize multiple security devices including firewalls, border routers with packet filtering and intrusion-detection systems (IDSes). Further protect Web service resources with a segmented network topology, which reduces the scope of any compromise and buys time to respond to it. This is achieved by dividing the system into trust domains bounded by trust boundaries, with resources placed in the appropriate domain. This outermost barrier in your Web site defense is a secure network perimeter or demilitarized zone (DMZ).

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Identify and analyze Web server attacks Web site attacks and how to defeat them Windows tools for investigating an attack Essential fortification checklist Life at the edge part 2: Divide and conquer with DMZs Life at the edge part 3: Resistance to failure Life at the edge part 4: When things go wrong Quiz: Identify and analyze Web server attacks

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary