Security in Local Area Networks
Firewall for Access Control and Security
August 1998 RADLAN Computer Communications Ltd.
Atidim Technological Park, Bldg. 4 Tel Aviv 61131, Israel
Tel: 972.3.645.8555 Fax: 972.3.648.7368
A Member of the RAD Group
To learn more about RADLAN products, visit our World Wide Web site at http://www.radlan.co.il
Security in Local Area Networks:
Firewall for access control and security
Contents
Background
LAN Security is Essential
Network Security Today – A Partial Perspective
Internal Network Security Requirements
Forwarding Performance Issues
Global Policy Management
Secure the Network at the Entrance
Advanced Control at Each Port
Central Security Definition – Reduce human errors and save time
FACS as an Active Security Model
Forwarding Performance Solved
Protecting the Servers
Virtual Private Network (VPN)
Background
Security has become one of the major concerns for today’s system administrators who need to provide users with information-sharing capabilities across enterprise networks and Internet access, while maintaining the integrity of their corporate data.
Recent surveys show that information security budgets, as well as the number of information security specialists, are on the rise. Information security professionals recommend that a company dedicate as much as three to five per cent of its total IS budget to information security. What does the term “information security” mean, and how can it be implemented in your organization? “Information security” is the protection of information assets from accidental or intentional unauthorized disclosure, modification, or destruction. Hackers and computer viruses are external threats that can be handled at the proxy level by protection systems such as a firewall and Virtual Private Networks (VPNs).
Although external threats attract public attention, the greater threats are internal and lie in human error: errors of omission by employees whose honesty is not in question, and deliberate acts by dishonest employees intending an assault on the network.
LAN Security is Essential
According to market surveys, internal threats are estimated to be in the range of 75-80 percent of total threats on the network, whereas external attacks and strangers, including Internet hackers, represent only 1-3 percent. Thus, efforts to place vast information resources at the fingertips of each individual within an organization must be balanced by proportionate attention to access restriction rules and information protection policies.
This paper reviews the security requirements for a corporate network considering the above survey statistics. It proposes a flexible access control method for ensuring that the user has access only to the information necessary to do his/her job and restricts user access to various resources based on user identity.
Network Security Today – A Partial Perspective
Most organizations have embraced off-the-shelf products called firewalls as a means to prevent security problems. Firewalls are ready-made security solutions that provide organizations with a management interface to easily implement and manage their security policies regarding access from the Internet.
This focus on protecting network resources from the external world does not address the major issues of inside threats and human error, which account for as much as 90% of information destruction and financial loss.
What can conventional firewall protection deliver? There are several firewall solutions on the market providing different levels of network and usage protection. In general, all firewalls share the same firewall methodology:
• Packet filtering: Looks at each packet entering or leaving the network and either accepts or rejects it based on user-defined rules. Packet filtering is efficient and transparent to users. However, since conventional firewalls are essentially dedicated to WAN-to-LAN protection and do not tie a rule to the physical port a packet arrived on, they have weaknesses against some network attacks, for example IP spoofing: a packet claiming an internal source address is judged on that address alone, not on whether it arrived on an interface where that address belongs.
• Application gateway: Applies security mechanisms to specific applications such as FTP and Telnet servers by reducing the number of possible application options. This is very effective, but imposes performance degradation.
• Circuit-level gateway: A flow-based security method that applies security mechanisms when a TCP or UDP session is established. Once a session is accepted, packets can flow between hosts without further verification checks. It is a faster alternative than the application gateway, but not all packets are inspected, which leaves the organization vulnerable to attack.
• Proxy server: Intercepts all messages entering and leaving the network and processes them. Proxy servers effectively hide the true network addresses of, for example, database servers and application servers, thus protecting real information from a direct attack.
In practice, many firewalls use two or more of these techniques in concert. A firewall is considered the first line of defense in protecting private information. All messages entering or leaving the private network pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria.
Nevertheless, firewall techniques can be fooled by protocol tunneling: a forbidden protocol, or traffic for a forbidden subnet address, is carried inside a protocol the firewall permits. This penetration technique requires cooperation, either intentional or subverted, from an internal user, who transmits the forbidden traffic via the permitted protocol. The firewall acts only as an intermediary between the internal network and the Internet, and as such it is a relatively good solution for preventing external threats (such as unauthorized Internet users) from accessing private networks.
However, real and complete network security requires protection from the real risks: the internal threats.
Internal Network Security Requirements
In the internal network the slowest link is 10-Mbps Ethernet. Even this LAN speed is above the capabilities of most conventional firewalls, which are sized for T1/E1 WAN lines (roughly 1.5 and 2 Mbps).
With the introduction of Layer-3 switches in the network, a new concept of switching was born. Distributed workgroups as well as centralized or distributed servers can now benefit from local high-speed switching and local routing services.
The primary business requirements in implementing internal network protection today are:
1. To provide a high level of security and reduce the risks of human error in a distributed environment.
2. To control network access at the workgroup level.
3. To avoid the network performance degradation which results from the use of an external firewall.
4. To minimize the skills and resources required to implement, maintain and manage the network.
5. To provide an economical and scalable solution.
6. To provide detailed audit reports.
Forwarding Performance Issues
The earliest examples of firewalls were based on WAN routers which are flexible directors of network traffic. Routers examine the destination address of every packet received and forward each packet to the next hop toward its destination. However, routers can do more than merely forward packets, they can also filter packets.
Layer-3 switches add another level of packet control. They are not limited to inspecting each packet as it arrives; they can also ensure that a specific physical port is authorized to send or receive a specific type of information. Moreover, all this is done at wire speed. By contrast, the application gateway approach has a downside, namely slower performance. During operation, data must be copied from the operating system’s memory to the program memory and then back again. The added proxy services also introduce delays: inbound data is processed twice, by the application and by its proxy. [For example, the Internet e-mail application talks to the proxy’s e-mail agent, which in turn talks to the LAN’s e-mail application.]
In addition, because it is a software program, an application gateway suffers from the overhead of starting and running an independent application program over an operating system.
Global Policy Management
One of the most critical steps in network security is to avoid human error in the definition and implementation of security rules in a distributed environment. Most of today’s networks are based on a collapsed backbone design. This design allows for the deployment of switches and hubs throughout the building or campus network, all of which connect to a central routing resource. Such designs are becoming obsolete due to the ever-increasing demand for bandwidth at the workgroup and department levels. A better network design, based on distributed routing switches, will provide more flexibility and more routing power at the edge. The drawback of these future networks is the multiplication of routers and related configuration tasks. A network built upon several routers and routing switches requires extensive organization on the part of the network manager in order to ensure that the entire network is based upon the same security rules.
A more secure solution would provide the network manager with a management tool that makes all routers appear as a single logical router with many ports. In this manner, the network manager can define the security policies only once and have them apply to the different interfaces and physical ports.
Secure the Network at the Entrance
Distributed networking allows routing switches to be spread throughout the network. Each routing switch serves the needs of independent workgroups or departments. Stations attached to the closest router-switch are fully controlled at the router entrance, that is, at the workgroup, while the entire security definition is done at a centralized location. In addition, RADLAN’s architecture provides true single-hop routing from any location to any other, ensuring best performance and leaving no intermediate hop at which traffic could be interfered with before it reaches its destination. Once the security process has authorized packet forwarding, the traffic is sent at wire speed and at Layer-2 latency. Distributed networking architecture thus strengthens the case for a centralized definition of security policies, reinforces the requirement of early access control, and improves secured network performance with one-hop latency.
Advanced Control at Each Port
The generic implementation of firewall functions answers the following control requirements:
♦ Service-dependent packet control (well-known protocols and logical ports):
  - User-defined rules based on packet header information (address, protocol).
  - Packet control based on the incoming interface.
  - Asymmetric filtering, giving non-identical rights to packets in and out.
♦ Service-independent packet control:
  - Physical port-dependent security policy.
  - Source routing attacks (IP option header).
  - Tiny fragment attacks.
Central Security Definition – Reduce human errors and save time
RADLAN’s Apollo Pro Layer-3 switch offers a unique distributed topology which allows up to 31 router-switches to behave as members of the same logical routing engine. As such, the network manager benefits from the performance capacity of 31 router-switches, but manages them as a single unit with only one IP address for all of them. Each port can be a member of a specific VLAN, and on each port a specific class of service (CoS) can be permitted or rejected. The network manager can define the security policies only once, saving the time otherwise spent configuring, and checking for consistency across, tens of routers. RADLAN’s Apollo Pro provides an approach that can be used to maintain flexible administration, minimize the impact on network performance, and maintain a significant capacity for defining complex operations.
FACS as an Active Security Model
With a Firewall for Access Control and Security (FACS), each port is associated with a set of default actions which a device may perform. The power of FACS as an access control mechanism lies in the fact that protection may be implemented on every Layer-3 LAN switch port of the Apollo Pro.
Figure 1. Packages that interface with the FACS package: users, system, SNMP, CDB store/restore, FACS statements.
RADLAN’s FACS security mechanism is designed to allow controlled access between users inside the organization and the company’s information databases. With the Apollo Pro distributed topology, up to 31 switches may be configured in a network as a single logical router-switch. This capability provides the network manager with RADLAN’s security protection, which guards the internal network using a flexible mechanism of access policies. A policy can be defined as a set of criteria as outlined below:
• Specific Ports Definition: Defining specific ports to be the subject of access control allows for the inspection of traffic received by these ports.
• Filtering Definition: Filtering policies are a combination of rules that are verified at the per-packet level. For example, a simple rule may be defined as: “All users in the network range 176.110.117.* are not permitted to run FTP applications on server X”. The FACS service then verifies all packets coming through and ensures that the condition is applied. Rules are entered in the Access Control Statements (ACS) form, detailed in an OMPC (Offset, Mask, Pattern, and Condition) table describing the exact control condition. OMPC allows the network manager to define the most detailed rules and conditions at the bit level, providing a sophisticated means to control traffic.
• Traffic Direction Definition: A set of rules can be applied separately for incoming or outgoing traffic.
• Action Definition: The action to be taken when a packet matches the defined criteria. There are three possible reactions:
  1. To block all traffic from one point to another if a condition matches.
  2. To permit traffic if a condition matches.
  3. To block and also to run an application program which will send an alarm, or activate any other operation.
In a secure environment, the most natural method to control traffic is to block everything and to allow traffic flow only under specific conditions.
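The following Python model is an added illustration written for this page; it is not RADLAN's FACS implementation. It puts the pieces above together: the service-independent checks listed under "Advanced Control at Each Port" (source-routed packets, tiny fragments, and a per-physical-port source-address binding, which is one reading of "physical port-dependent security policy" and of the IP-spoofing weakness noted earlier), followed by OMPC-style (Offset, Mask, Pattern, Condition) rules with a direction and an action, under a default-deny policy. The server address, port numbers, subnet, packet contents and the "alarm" action name are all assumptions made for the demonstration; the first rule encodes the page's own example, "users in 176.110.117.* may not run FTP on server X".

```python
# Added example, not RADLAN's code: a software model of per-port access
# control in the FACS style -- service-independent checks (source routing,
# tiny fragments, physical-port source binding) and then OMPC-style
# (Offset, Mask, Pattern, Condition) rules under a default-deny policy.
# Port numbers, subnets, server address and packets are all assumptions.
import ipaddress
import struct

BLOCK, PERMIT, ALARM = "block", "permit", "block+alarm"
LSRR, SSRR = 131, 137            # IP option types: loose / strict source route
SERVER_X = "176.110.1.10"        # hypothetical "server X" from the page's rule


def build_ipv4(src, dst, proto=6, options=b"", payload=b"", flags=0, frag_off=0):
    """Construct a raw IPv4 packet for the demo (header checksum left as 0)."""
    options += b"\x00" * (-len(options) % 4)            # pad to 32-bit words
    ihl = 5 + len(options) // 4
    hdr = struct.pack("!BBHHHBBH4s4s", (4 << 4) | ihl, 0, ihl * 4 + len(payload),
                      0, (flags << 13) | frag_off, 64, proto, 0,
                      ipaddress.IPv4Address(src).packed,
                      ipaddress.IPv4Address(dst).packed)
    return hdr + options + payload


def tcp_header(sport, dport):
    """Minimal 20-byte TCP SYN header with no options."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, 0x02, 8192, 0, 0)


def parse_ipv4(pkt):
    ihl = (pkt[0] & 0x0F) * 4
    flags_frag = struct.unpack("!H", pkt[6:8])[0]
    return {"ihl": ihl, "proto": pkt[9], "src": ipaddress.IPv4Address(pkt[12:16]),
            "mf": bool(flags_frag & 0x2000), "frag_off": flags_frag & 0x1FFF,
            "options": pkt[20:ihl]}


def has_source_route(options):
    """Walk the RFC 791 option list; LSRR/SSRR (or a malformed length) is hostile."""
    i = 0
    while i < len(options) and options[i] != 0:          # 0 = end of options
        if options[i] == 1:                              # 1 = NOP, single byte
            i += 1
            continue
        if options[i] in (LSRR, SSRR) or i + 1 >= len(options) or options[i + 1] < 2:
            return True
        i += options[i + 1]
    return False


def is_tiny_fragment(ip, pkt):
    """RFC 1858: a first TCP fragment too short to carry the ports, or a fragment
    at offset 1 that would overwrite them, defeats port-based filtering."""
    if ip["proto"] != 6:
        return False
    first_too_short = ip["mf"] and ip["frag_off"] == 0 and len(pkt) - ip["ihl"] < 20
    return first_too_short or ip["frag_off"] == 1


def ompc_match(pkt, ip, rule):
    """rule = [(base, offset, mask, pattern, cond)]; 'l4' offsets are relative to
    the end of the IP header, so IP options cannot shift the port fields."""
    for base, off, mask, pattern, cond in rule:
        start = off + (ip["ihl"] if base == "l4" else 0)
        field = pkt[start:start + len(mask)]
        masked = [bytes(a & b for a, b in zip(x, mask)) for x in (field, pattern)]
        if len(field) < len(mask) or (cond == "eq") != (masked[0] == masked[1]):
            return False
    return True


def decide(port, direction, pkt, policy):
    """Action for one packet seen on a physical port in the given direction."""
    ip = parse_ipv4(pkt)
    if has_source_route(ip["options"]) or is_tiny_fragment(ip, pkt):
        return ALARM
    bound = policy["port_subnets"].get(port)        # physical-port source binding
    if direction == "in" and bound is not None and ip["src"] not in bound:
        return BLOCK                                 # spoofed source for this port
    for rule_port, rule_dir, rule, action in policy["rules"]:
        if rule_port in (port, "*") and rule_dir == direction and ompc_match(pkt, ip, rule):
            return action
    return policy["default"]                         # block everything else


SUBNET = ("ip", 12, b"\xff\xff\xff\x00", bytes([176, 110, 117, 0]), "eq")
TO_X = ("ip", 16, b"\xff" * 4, ipaddress.IPv4Address(SERVER_X).packed, "eq")
IS_TCP = ("ip", 9, b"\xff", b"\x06", "eq")
FTP_PORT = ("l4", 2, b"\xff\xff", b"\x00\x15", "eq")
POLICY = {
    "default": BLOCK,
    "port_subnets": {1: ipaddress.ip_network("176.110.117.0/24")},
    "rules": [  # "users in 176.110.117.* may not run FTP on server X"
        (1, "in", [SUBNET, TO_X, IS_TCP, FTP_PORT], ALARM),
        (1, "in", [SUBNET, TO_X, IS_TCP], PERMIT),
    ],
}


def run_demo():
    """Constructed packets, returned as {case: action}."""
    user, lsrr = "176.110.117.5", bytes([LSRR, 7, 4]) + bytes([10, 9, 9, 9])
    pk = lambda src=user, **kw: build_ipv4(src, SERVER_X, **kw)
    cases = {
        "ftp_to_x": (1, pk(payload=tcp_header(40000, 21))),
        "http_to_x": (1, pk(payload=tcp_header(40001, 80))),
        "spoofed_src": (1, pk("10.0.0.5", payload=tcp_header(40002, 80))),
        "ftp_nop_options": (1, pk(options=b"\x01" * 4, payload=tcp_header(40003, 21))),
        "source_routed": (1, pk(options=lsrr, payload=tcp_header(40004, 80))),
        "tiny_fragment": (1, pk(flags=1, payload=tcp_header(40005, 21)[:8])),
        "unbound_port": (2, pk(payload=tcp_header(40006, 80))),
    }
    return {name: decide(port, "in", pkt, POLICY) for name, (port, pkt) in cases.items()}
```

run_demo() returns the decision for each constructed packet. Two details matter in practice: the FTP rule reads the port field relative to the end of the IP header, so a packet padded with IP option NOPs still hits the rule rather than slipping past a fixed-offset match, and the service-independent checks run before any rule, so a tiny first fragment cannot evade port-based matching. A real switch would also want the port binding applied to outgoing traffic and the "alarm" action wired to an actual notification.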
RADLAN’s access policy provides flexible, advanced and comprehensive security capabilities with the additional advantages of:
§ Numerous combinations of access control statements.
§ An easy-to-use graphic interface that allows quick configuration and requires no knowledge of the packet structure.
§ Port-specific operation, enabling a thorough examination of specific port traffic, as well as global access control for all other ports.
§ Minimal performance reduction due to a sophisticated table structure and search algorithm.
RADLAN’s FACS provides an unobtrusive and effective means to protect your company from external intrusion and internal abuse.
Figure 2. Internal network security architecture.
Forwarding Performance Solved
FACS defines a new and complementary standard in security architecture. It integrates major firewall functions while providing added-value features. The firewall protects the entire network by prohibiting connections between specific Internet sources and internal computers. In addition, the FACS can be used to deny access to certain hosts or network services while permitting access to others, using a bi-directional asymmetrical permission mechanism.
Performing security entirely within the operating system results in higher performance. At the heart of the FACS architecture are the intelligent OMPC and ACS structures. These allow for fast forwarding at near wire-speed operation.
Protecting the Servers
The server is one of the weakest network elements relative to its importance in the network. An attacker needs only the server’s IP address. Once the address is known, the attacker can launch denial of service (DoS) attacks, such as the “ping of death”, until the server goes down. Other attacks against servers can easily be performed with similar tools.
In order to overcome these types of attacks, a server defense system can be positioned as a server farm front-end and protect the farm from simple attacks as well as more sophisticated, application-level attacks. The server defense masks the servers’ address location from the network users and counts and controls the number of attempts to open application sessions. Moreover, it prevents a network service outage by load-balancing between two or more NFS servers, and delivers detailed statistics on actions at the server farm level.
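The session-counting function described above, as an added example that is not RADLAN's server-defense code: a front-end that counts session-open attempts per source over a sliding window and temporarily blocks a source that exceeds a threshold. The threshold, the window length, the source addresses and the trace of connection attempts are all constructed for the demonstration.

```python
# Added example, not RADLAN's code: count session-open attempts per source
# at a server-farm front-end and block a source that opens too many within
# a sliding window. Threshold, window and the trace are assumptions.
from collections import defaultdict, deque


class SessionOpenLimiter:
    def __init__(self, max_attempts=5, window_seconds=10.0):
        self.max_attempts = max_attempts
        self.window = window_seconds
        self.attempts = defaultdict(deque)    # src -> timestamps of recent opens
        self.blocked = {}                     # src -> time at which the block expires

    def allow(self, ts, src):
        """Return True if this session-open attempt may be forwarded to the farm."""
        expiry = self.blocked.get(src)
        if expiry is not None:
            if ts < expiry:
                return False                  # still in the penalty period
            del self.blocked[src]
        recent = self.attempts[src]
        while recent and ts - recent[0] > self.window:
            recent.popleft()                  # drop attempts outside the window
        recent.append(ts)
        if len(recent) > self.max_attempts:
            self.blocked[src] = ts + self.window   # penalty: one full window
            recent.clear()
            return False
        return True


# Constructed trace of (timestamp, source) session-open attempts seen at the
# front-end: one normal client and one source hammering the farm.
USER, FLOOD = "176.110.117.5", "176.110.117.99"
TRACE = [(0.0, USER), (1.0, FLOOD), (1.2, FLOOD), (1.4, FLOOD), (1.6, FLOOD),
         (1.8, FLOOD), (2.0, FLOOD), (2.2, FLOOD), (3.0, USER), (11.0, FLOOD),
         (13.0, FLOOD), (20.0, USER)]


def run_trace(trace, max_attempts=5, window_seconds=10.0):
    """Replay a trace; returns [(ts, src, allowed)] and the final blocked map."""
    limiter = SessionOpenLimiter(max_attempts, window_seconds)
    decisions = [(ts, src, limiter.allow(ts, src)) for ts, src in trace]
    return decisions, dict(limiter.blocked)
```

In the constructed trace the flooding source is cut off at its sixth attempt inside the window, stays blocked for one window length, and is admitted again afterwards, while the normal client is never affected. Counting per source address only helps when source addresses can be trusted, which is why a front-end of this kind belongs behind the per-port anti-spoofing controls the paper describes for the switch ports.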
Virtual Private Network (VPN)
The Internet provides WAN communications more cheaply and more globally than a leased line, Frame Relay, or asynchronous transfer mode (ATM) network. Unfortunately, the Internet cannot provide the security, bandwidth, or quality of service (QoS) guarantees that are typically associated with private networks. In addition, the Internet supports only TCP/IP while most networks accommodate a variety of protocols.
Therefore, if a corporate network operates over the Internet, it is less expensive, but the service is inferior.
Then again, maybe not. RADLAN’s equipment can provide the best of both worlds: the security, performance, availability, and multiprotocol support of a private network over the inexpensive and pervasive Internet – a Virtual Private Network (VPN).
Currently, VPN technology is considered primarily as a means of extending the reach of private networks for dial-in access. However, other important applications include the connection of two or more secure sites in a building or campus. And, to a lesser extent, VPNs may address locations where traditional private network connections cannot be economically justified.
RADLAN’s VPN is implemented on a revolutionary hardware platform and a unique secured operating system. This powerful combination places the VPN far ahead of other VPN security solutions. It affords real random encryption bays and a secure operating system, immune to the security holes of the NT platform.
The VPN is interoperable with all standard networking and security products.