BACKGROUND IMAGE: iSTOCK/GETTY IMAGES
The following is an excerpt from the Official (ISC)2 Guide to the CISSP CBK, fourth edition, edited by Adam Gordon, CISSP-ISSAP, ISSMP, SSCP. This section from Domain 4 explains different ways that enterprises can protect themselves from a network security attack by segmenting, isolating or otherwise limiting access to various parts of the network.
In addition to providing throughput, a network's architecture should also help protect its assets.
Listed below are the key concepts concerning isolating networks in different domains of trust that the security professional needs to be aware of.
Secure routing/deterministic routing
While it is possible to establish corporate wide area networks (WANs) using the internet and VPN technology, it is not desirable. Relying on the internet to provide connectivity means that there is little ability to control the routes that traffic takes or to remedy performance issues. Deterministic routing means that WAN connectivity is supplied based upon a limited number of different routes, typically supplied by a large network provider. Deterministic routing means that traffic only travels by pre-determined routes that are known to be either secure or less susceptible to compromise. Similarly, deterministic routing from a large carrier will make it much easier to address performance issues and to maintain the service levels required by the applications on the WAN. If the WAN is supporting converged applications like voice (VoIP) or video (for security monitoring or video conferencing), then deterministic routing becomes even more essential to the assurance of the network.
Boundary routers primarily advertise routes that external hosts can use to reach internal ones. However, they should also be part of an organization's security perimeter to prevent a network security attack by filtering external traffic that should never be allowed to enter the internal network. For example, boundary routers may prevent external packets from the Finger service from entering the internal network because that service is used to gather information about hosts.
A key function of boundary routers is the prevention of inbound or outbound IP spoofing attacks. In using a boundary router, spoofed IP addresses would not be routable across the network perimeter.
The following sections are examples of IP spoofing attacks.
This type of network security attack takes place when the attacker is on the same subnet as the victim. The sequence and acknowledgement numbers can be sniffed, eliminating the potential difficulty of calculating them accurately. The biggest threat of spooling in this instance would be session hijacking. This is accomplished by corrupting the data stream of an established connection, then re-establishing it based on correct sequence and acknowledgement numbers with the attack machine.
This is a more sophisticated network security attack because the sequence and acknowledgement numbers are unattainable. Several packets are sent to the target machine in order to sample sequence numbers. While not the case today, machines in the past used basic techniques for generating sequence numbers. It was relatively easy to discover the exact formula by studying packets and TCP sessions. Today, operating systems implement random sequence number generation, making it difficult to predict sequence numbers accurately. If, however, the sequence number was compromised, data could be sent to the target.
Man in the middle attack
Both types of spoofing are forms of a common security violation known as a man in the middle attack. In these attacks, a malicious party intercepts a legitimate communication between two friendly parties. The malicious host then controls the flow of communication and can eliminate or alter the information sent by one of the original participants without the knowledge of either the original sender or the recipient.
The security perimeter is the first line of protection between trusted and untrusted networks. In general, it includes a firewall and router that help filter traffic. Security perimeters may also include proxies and devices, such as an intrusion detection system (IDS), to warn of suspicious traffic. The defensive perimeter extends out from these first protective devices to include proactive defense such as boundary routers, which can provide early warning of upstream attacks and threat activities.
It is important to note that while the security perimeter is the first line of defense, it must not be the only one guarding against a network security attack. If there are not sufficient defenses within the trusted network, then misconfigured or compromised device could allow an attacker to enter the trusted network.
Segmenting networks into domains of trust is an effective way to help enforce security policies. Controlling which traffic is forwarded between segments will go a long way to protecting an organization's critical digital assets from malicious and unintentional harm. See figure below on network partitioning.
A dual-homed host has two network interface cards (NICs), each on a separate network. Provided that the host controls or prevents the forwarding of traffic between NICs, this can be an effective measure to isolate a network.
Bastion hosts serve as a gateway between a trusted and untrusted network that gives limited, authorized access to untrusted hosts. For instance, a bastion host at an internet gateway could allow external users to transfer files to it via file transfer protocol (FTP). This permits files to be exchanged with external hosts without granting them access to the internal network in an uncontrolled manner.
If an organization has a network segment that has sensitive data, it can control access to that network segment by requiring that all access must be from the bastion host. In addition to isolating the network segment, users will have to authenticate to the bastion host, which will help audit access to the sensitive network segment. For example, if a firewall limits access to the sensitive network segment, allowing access to the segment from only the bastion host will eliminate the need for allowing many hosts access to that segment. For instance, terminal servers are a form of bastion host, which allow authenticated users deeper into the network.
A bastion host may also include functionality called a "data diode." In the world of electronics, a diode is a device that only allows current to flow in a single direction. A data diode only allows information to flow in a single direction; for instance, it enforces rules that allow information to be read, but nothing may be written (changed or created or moved).
A bastion host is a specialized computer that is deliberately exposed on a public network. In terms of its vulnerability to a network security attack, it is the only node exposed to the outside world and is therefore very prone to attack. It is placed outside the firewall in single firewall systems or, if a system has two firewalls, it is often placed between the two firewalls or on the public side of a demilitarized zone (DMZ).
The bastion host processes and filters all incoming traffic and prevents malicious traffic from entering the network, acting much like a gateway. The most common examples of bastion hosts are mail, domain name system, and web and FTP servers. Firewalls and routers can also become bastion hosts.
The bastion host node is usually a very powerful server with improved security measures and custom software. It often hosts only a single application because it needs to be very good at what it does. The software is usually customized, proprietary and not available to the public. This host is designed to be the strong point in the network to protect the system behind it. Therefore, it often undergoes regular maintenance and audit. Sometimes bastion hosts are used to draw a network security attack so that the source of the attack may he traced.
To maintain the security of bastion hosts, all unnecessary software, daemons and users are removed. The operating system is continually updated with the latest security updates and an intrusion detection system is installed.
Demilitarized Zone (DMZ)
A demilitarized zone (DMZ), also known as a screened subnet, allows an organization to give external hosts limited access to public resources, such as a company website, without granting them access to the internal network. Typically, the DMZ is an isolated subnet attached to a firewall (when the firewall has three interfaces -- internal, external, and DMZ -- this configuration is sometimes called a three-legged firewall). Because external hosts b design have access to the DMZ (albeit controlled by the firewall), organizations should only place in the DMZ hosts and information that are not sensitive.
CISSP® is a registered mark of (ISC)².
Explore the evolution of network security
How advanced machine learning can help identify network security threats
Basic steps to improve network security