
Company B Case Study for High-Level Security Architecture

Internal users are better protected from Internet attacks than in the previous type of architecture, due to the two firewalls.

The Internet Web and DNS servers are located on a DMZ of the “external” firewall because incoming traffic addressed to these two servers comes mainly from the external area.

In order to improve the filtering level of some sensitive servers like intranet Web, some additional proxies can be added. For instance, an HTTP proxy for intranet Web can be installed in the MoIP DMZ to perform user authentication as well as strict control of HTTP data (format and content). The “external” firewall should be configured so that HTTP traffic to Intranet Web is redirected to the HTTP proxy for a first filtering. As such, the effort required for introducing Intranet Web is much higher than before.

Anti-virus functions can be separated for the e-mail server and internal staff needs; that is, the e-mail anti-virus functions remain the same as in the previous architecture, while a specific anti-virus server dedicated to internal needs can be added on the intranet DMZ of the “internal” firewall.

To improve the reactivity of Company B when malicious behaviours occur, IDS functions can be added on servers (HIDS function) or subnets (NIDS). Examples of IDS positioning may be: HIDS within the Simulation server (if it contains very sensitive data) or the LDAP/RADIUS server, and NIDS on the internal side of the “internal” firewall.

Security Architectures

In order to avoid direct communications between subnets of the internal network or to protect servers from users, VLANs can be defined. For example, the access to the accounting database server may be allowed for the accounts department staff only and separated from the rest of the network.
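The proxy redirection on the “external” firewall and the accounting VLAN restriction described above can both be checked mechanically against a rule set. The following is an added example, not taken from the chapter: a first-match rule evaluator using constructed zone names, an assumed database port, and two constructed rule sets, the first of which contains a broad allow rule that shadows the intended deny.

```python
from typing import NamedTuple

DB_PORT = 5432  # assumed database port; the chapter names no port
# Constructed zone and host names; the chapter gives no identifiers.
SOURCES = ["external", "vlan_staff", "vlan_accounts", "http_proxy"]

class Rule(NamedTuple):
    src: str     # source zone or host, "*" matches any
    dst: str     # destination host, "*" matches any
    port: int    # 0 matches any port
    action: str  # "allow", "deny" or "redirect:<host>"

def decide(rules, src, dst, port):
    """First-match evaluation with an implicit default deny."""
    for r in rules:
        if r.src in ("*", src) and r.dst in ("*", dst) and r.port in (0, port):
            return r.action
    return "deny"

def audit(rules):
    """Return the flows that break the two constraints from the text."""
    findings = []
    # Constraint 1: only the accounts VLAN may reach the accounting database.
    for src in SOURCES:
        if src != "vlan_accounts" and decide(rules, src, "accounting_db", DB_PORT) == "allow":
            findings.append(f"{src} reaches accounting_db directly")
    # Constraint 2: external HTTP to Intranet Web must pass through the proxy.
    if decide(rules, "external", "intranet_web", 80) != "redirect:http_proxy":
        findings.append("external HTTP to intranet_web bypasses http_proxy")
    return findings

# Constructed weak rule set: direct HTTP access, and a broad staff rule
# placed before the specific deny, so the deny is never evaluated.
WEAK = [
    Rule("external", "intranet_web", 80, "allow"),
    Rule("vlan_staff", "*", 0, "allow"),
    Rule("vlan_staff", "accounting_db", DB_PORT, "deny"),
    Rule("vlan_accounts", "accounting_db", DB_PORT, "allow"),
]
# Constructed corrected rule set: specific rules first, broad allow last.
HARDENED = [
    Rule("external", "intranet_web", 80, "redirect:http_proxy"),
    Rule("http_proxy", "intranet_web", 80, "allow"),
    Rule("vlan_accounts", "accounting_db", DB_PORT, "allow"),
    Rule("*", "accounting_db", 0, "deny"),
    Rule("vlan_staff", "*", 0, "allow"),
]

if __name__ == "__main__":
    for name, rules in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(rules))
```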

All other servers’ positions remain unchanged compared to the previous architectures.

Remote users’ access and branch offices’ access are achieved in the same way as in the first two kinds of architecture (see section “Company B Case Study for Minimal Protection”).

With this kind of architecture (as depicted in Figure 6), all requirements of Company B are met, and beyond them, security can be improved with additional proxy capabilities or external IDS elements.

In terms of ROSI, this solution is mandatory for companies with critical sensitivity (e.g. banks), but it can also be suitable for all classical medium to big-sized companies.

When Company B introduces wireless equipment in its network (Kizza, 2005), it should first strongly control mobiles’ access as they will gain access to the headquarters’ network. For a higher security level, the wireless network may be considered as a specific VLAN within the “internal” network, and/or an extra DMZ hosting APs.

Conclusion

This chapter addresses the problem of designing security architectures and aims to give as much information as possible in these few pages, so that it helps administrators decide which architecture is the most suitable for them.

For more concrete explanations, two companies were considered with different sizes and constraints. The first one, A, is a medium-sized company with two branch offices and 35 employees; it wants to be protected from the external area; it has no internal security expertise, implements a limited number of servers, and restricts remote access to e-mails. The second company, B, is big-sized with about 20 branch offices and 300 employees; it wants to be protected both from internal and external areas; the staff expertise is good; a number of network and security servers are implemented; access from branch offices and remote users is possible to Intranet Web, e-mail and any internal servers; it requires a high security level with redundancy and alarms consideration.

For both companies, three families of architectures are studied: a low security level architecture with a router-only protection, a medium security level architecture with one router and one firewall, and a high security level architecture with two firewalls. For each of these six cases, explanations or discussions are given relative to the positioning of equipment, the objectives of the DMZ, the number of DMZs, the VPN mechanism selection (L2TP/IPsec, IPsec, SSL) for secure access by remote users and remote branches, and the access control performed by proxies, firewalls and routers. Other discussions include users’ authentication by LDAP/RADIUS servers, the e-mail problem with the requirement for the open e-mail system to be reachable by any Internet machine and to be protected so as to avoid divulging e-mail, careful WiFi introduction into existing networks, VLAN usage to partition the network and limit direct interactions between machines … Recommendations are also given for the selection of the firewall product and its installation.

To conclude, as described in this chapter, finding the appropriate architecture is a huge task, as the final architecture depends on so many parameters, such as existing security and network architectures, security constraints, functional needs, size of companies, available budget, and management of remote users or branch offices.

The idea of the authors, when writing this chapter, was to give useful guidelines to succeed in defining the appropriate architecture that reaches the best compromise between companies’ needs and constraints. Hope it helps.