DMZ Security for Data Transmission between Hosts on the Network

an article added by: Gustaf Grube at 11202007


DMZ Concepts

The use of a DMZ and its overall design and implementation can be relatively simple or extremely complex, depending on the needs of the particular business or network system. The DMZ concept came into use as the need for separation of networks became more acute, when we began to provide more access to services for individuals or partners outside the LAN infrastructure. One of the primary reasons the DMZ has come into favor is the realization that a single type of protection is subject to failure. This failure can arise from configuration errors, planning errors, equipment failure, or deliberate action on the part of an internal employee or an external attacker. The DMZ has proven more secure and offers multiple layers of protection for the protected networks and machines. It is also flexible, scalable, and relatively robust in its capability to provide the protection we need. DMZ design now includes the ability to use multiple products (both hardware- and software-based) on multiple platforms to achieve the level of protection necessary, and DMZs are often designed to provide failover capabilities as well.

When we are working with a DMZ, we must have a common ground from which to work. To facilitate understanding, we examine a number of conceptual paths for traffic flow in the following section. Before doing so, however, let's make sure we understand the basic configurations that can be used for firewall and DMZ location and how each can be visualized. In the following figures, we'll see and discuss these configurations. Please note that each of these configurations is useful both for internal networks needing protection and for protecting your resources from networks such as the Internet.

Designing End-to-End Security for Data Transmission between Hosts on the Network

Proper DMZ design, in conjunction with the security policy and plan developed previously, allows for end-to-end protection of the information being transmitted on the network. The importance of this capability is explored more fully later in the article, when we review some of the security problems inherent in the current implementation of TCP/IPv4 and the transmission of data. The use of one or more of the many firewall products or appliances currently available will most often afford the opportunity to block or filter specific protocols and protect the data as it is being transmitted. This protection may take the form of encryption and can use the available transports to protect data as well. Additionally, proper use of the technologies available within this design can provide the functions previously detailed in the concepts of AAA (authentication, authorization, and accounting) and CIA (confidentiality, integrity, and availability), using the multilayer approach to protection we discussed in earlier sections. This need to provide end-to-end security requires that we are conversant with, and remember, basic network traffic patterns and protocols. The next few sections further illustrate the need to design the DMZ with this capability in mind.

Traffic Flow and Protocol Fundamentals

Another of the benefits of using a DMZ design that includes one or more firewalls is the opportunity to control traffic flow into and out of the DMZ much more cohesively and with much more granularity and flexibility. When the firewall product in use (either hardware or software) is a product designed above the home-use level, the capability usually exists to control traffic flowing in and out of the network or DMZ through packet filtering based on port numbers, and to allow or deny entire protocols by the protocol number carried in the IP header. For instance, the rule set might include a statement that blocks communication via ICMP, which would block protocol 1. A statement that allowed IPsec traffic, where it was desired to allow traffic using ESP or AH, would be written allowing protocol 50 for Encapsulating Security Payload (ESP) or 51 for Authentication Header (AH). (For a listing of the protocol IDs, visit www.iana.org/assignments/protocol-numbers.) Remember that, following the principle of least privilege, we must include in our design the capability to allow only necessary traffic into and out of the various portions of the DMZ structure; in practice this means a default-deny posture in which anything not explicitly permitted is dropped.
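The following is an added example, not code from the original article: a small first-match packet filter that keys rules on the IANA protocol number, destination network and destination port, falls through to a default deny, and renders the same rule set as iptables commands. The DMZ segment (10.1.2.0/24), the VPN gateway (10.1.2.1), the web server (10.1.2.10), the sample packets and the rule names are all constructed for the illustration.

```python
"""Toy DMZ packet filter: first-match rules keyed on IANA protocol number,
destination network and (for TCP/UDP) destination port, with a default deny.
Added illustration for this article; the rule set, addresses and names are
constructed for the example and are not from the original text."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# IANA protocol numbers cited in the text (www.iana.org/assignments/protocol-numbers)
ICMP, TCP, UDP, ESP, AH = 1, 6, 17, 50, 51
PROTO_NAMES = {ICMP: "icmp", TCP: "tcp", UDP: "udp", ESP: "esp", AH: "ah"}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int                   # IP header protocol field
    dport: Optional[int] = None  # only present for TCP/UDP


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: Optional[int] = None  # None = any protocol
    dst: Optional[str] = None    # CIDR; None = any destination
    dport: Optional[int] = None  # None = any port

    def matches(self, pkt: Packet) -> bool:
        if self.proto is not None and pkt.proto != self.proto:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        if self.dst is not None and (
            ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(self.dst)
        ):
            return False
        return True


def evaluate(rules: List[Rule], pkt: Packet, default: str = "deny") -> str:
    """First matching rule wins. Anything no rule explicitly allows falls
    through to the default, which is deny: the least-privilege posture."""
    for rule in rules:
        if rule.matches(pkt):
            return rule.action
    return default


def to_iptables(rules: List[Rule], chain: str = "FORWARD") -> List[str]:
    """Render the same rule set as iptables commands. The chain policy carries
    the default deny. iptables accepts either a name from /etc/protocols or the
    raw IANA number for -p, so '-p esp' below is equivalent to '-p 50'."""
    lines = [f"iptables -P {chain} DROP"]
    for r in rules:
        parts = [f"iptables -A {chain}"]
        if r.proto is not None:
            parts.append(f"-p {PROTO_NAMES.get(r.proto, str(r.proto))}")
        if r.dst is not None:
            parts.append(f"-d {r.dst}")
        if r.dport is not None:
            parts.append(f"--dport {r.dport}")
        parts.append("-j ACCEPT" if r.action == "allow" else "-j DROP")
        lines.append(" ".join(parts))
    return lines


# Constructed rule set for a hypothetical DMZ: 10.1.2.0/24 is the DMZ segment,
# 10.1.2.1 a VPN gateway, 10.1.2.10 a web server (all invented for the example).
DMZ_RULES = [
    Rule("deny", proto=ICMP),                                # block protocol 1 outright
    Rule("allow", proto=ESP, dst="10.1.2.1/32"),             # protocol 50 to the VPN gateway only
    Rule("allow", proto=AH, dst="10.1.2.1/32"),              # protocol 51 likewise
    Rule("allow", proto=TCP, dst="10.1.2.0/24", dport=443),  # HTTPS to the DMZ web tier
]

if __name__ == "__main__":
    samples = [
        Packet("203.0.113.7", "10.1.2.10", ICMP),      # ping from the Internet: explicit deny
        Packet("198.51.100.2", "10.1.2.1", ESP),       # IPsec to the gateway: allowed
        Packet("198.51.100.2", "10.1.2.10", ESP),      # IPsec to the wrong host: default deny
        Packet("203.0.113.7", "10.1.2.10", TCP, 443),  # HTTPS to the web server: allowed
        Packet("203.0.113.7", "10.1.2.10", TCP, 22),   # SSH: no rule, default deny
    ]
    for p in samples:
        print(f"{p.src} -> {p.dst} proto {p.proto} dport {p.dport}: {evaluate(DMZ_RULES, p)}")
    print("\n".join(to_iptables(DMZ_RULES)))
```

The ESP packet aimed at the web server rather than the gateway is the case worth noticing: nothing in the rule set mentions it, so the default policy, not an explicit rule, is what drops it. Rule order also matters in a first-match filter, so a broad allow placed above a narrow deny silently defeats the deny.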

Making Your Security Come Together

In today's security battlefield, it almost seems impossible to win. You must identify the best products and procedures for your organization. If you have all of the suggested security solutions but not enough staff to manage them, the solutions may not be effective enough. Simply having the appropriate products is not going to resolve all of your problems; you must understand how to use and configure them. There is no easy answer regarding the best way to go about securing your organization. This is why companies all over the world spend hundreds of millions of dollars on consulting companies to come in and make security decisions for them. We've covered a lot of ground in this article because your network infrastructure is literally and figuratively the backbone of your network. Creating a network security policy touches every aspect of your network, and a thorough assessment will take time and careful effort to complete so that your network is as secure as it can reasonably be, given the organizational constraints and considerations you'll have to deal with. It's often helpful to break the network infrastructure down into its systems or areas to help ensure that you cover all of them, including devices and media, topology, intrusion detection and prevention, system hardening, and all the network components such as routers, switches, and modems. Once you've identified all the areas, you need to take a top-to-bottom look at how security is currently implemented and what threats exist.

By looking at issues such as information criticality and performing an impact analysis, you can decide what should be included in your project and what can reasonably be left out or delayed to a later phase if needed. Understanding the threat environment and your network's vulnerabilities is also important during your planning phase. Requirements need to be thoroughly developed because they form the foundation of your project's scope. Functional requirements should be developed first, followed by technical, legal, and policy requirements. Be sure to build these into your task details when you create your work breakdown structure (WBS) so that all required elements will be present and accounted for in your project plan. In an infrastructure security project, you'll need a wide variety of skills that span the depth and breadth of networking knowledge. Be sure you define those skills so you can assess your team and your organization to identify skills gaps. These will have to be addressed before your project can proceed, and addressing them often requires hiring outside contractors or providing training for internal staff members. Either way, this can affect both your budget and your schedule, so be sure you do a gap analysis between needed and available skills prior to proceeding with your project. The WBS defines the scope of your project, so once you've identified all the work by delineating the tasks, be sure to do a scope check. If the defined scope is smaller than the scope outlined in your WBS, you need to reconcile the differences.

Also, be sure to discuss any scope changes with your project sponsor so you start with the same expectations about project results. Scheduling an infrastructure security project can be challenging due to all the moving parts involved. You'll run into scheduling conflicts, resource usage conflicts, timing issues, and more. These should be resolved to the greatest degree possible before starting the project, because things will only get more complicated and difficult to resolve once project work is underway. One important scheduling note: with all areas of your network being poked and prodded, you'll need to make sure subproject teams are not working at cross-purposes, undoing work just done or inadvertently injecting false indicators into the process through their own task work. When it's all said and done, you should be able to define, implement, and manage a very useful network security policy if you follow a consistent methodology and make teamwork and quality your top priorities. This is the foundation of all other security projects; it touches on everything in your organization, so success here will create the framework for a very secure network that will help you sleep at night, knowing you've done everything reasonably possible to keep your organization's assets secure.

Solutions Fast Track

Defining Your Organization

- You need to understand your organization’s business and business processes before you can craft a network security policy.

- Consider the IT needs and characteristics of different areas within your company; e.g., your application developers may have differing security requirements than members of your Human Resources area.

- Be aware of any legal or regulatory requirements that your company needs to comply with, such as SOX or HIPAA.

Trusted Networks

- As much as possible, you should define the difference between trusted and untrusted networks in your environment; i.e., those networks that can safely transmit sensitive data versus those that are at risk by internal or external attackers.

- The increased availability of home-based high-speed Internet access and wireless hotspots has made it much more difficult to create a line of demarcation between trusted and untrusted networks.

- Even on trusted networks, your network security policy should dictate the protection measures that should be put in place to protect your data as it traverses the network.

Untrusted Networks

- Any time your data traverses a network where it is at risk of being intercepted or manipulated by a malicious user, you need to outline the steps that will minimize the risk of this occurring.

- Whenever possible, business data should not be transmitted over an untrusted network in a clear-text or other easily readable format.

- Technologies such as Network Quarantine and Federation Services will make an increasingly large impact on your ability to secure your network as the line between trusted and untrusted networks continues to blur.

Q. I’ve already configured a perimeter firewall and numerous other resources for my company, aren’t we already secure?

A. The only way to make a computer or network completely secure is to never connect it to a network or plug in a floppy or USB drive. (Dropping it overboard in the middle of the ocean helps as well.) In the modern computing environment, the phrase that pays is "defense in depth": configuring multiple layers of security (within the limits of budgets and reason) so that if one layer fails, another layer will be present to secure your resources.

Q. How can I determine which resources on my network should receive priority when crafting our security policy?

A. In a perfect world, you would have an unlimited budget to deploy perfect security for all aspects of your network. In reality, you only have so much money to spend and it’s usually not worth spending more on securing an asset than that asset is worth. In many ways, this decision is not a technical one, but must be made in conjunction with data owners and decision-makers in your organization to determine which resources need to be given priority in a finite budget.

Q. What is the difference between a policy and a procedure?

A. Your network security policy should be a high-level document that can withstand changes in technology without needing constant revision. In addition to your security policy, you can specify a number of procedures that detail how to secure specific technologies or products; these procedures are much more technical in nature and can be updated as the technology they refer to changes. In other words, your network security policy should specify the "What," "When," "Where," and "Who," while your procedures can focus more on the specifics of "How."

Q. How do I respond to the CEO or other VP who insists that he or she should be exempt from all security restrictions?

A. This is a delicate political needle to thread, but you are doing a disservice to your organization if you do not at least make the attempt. For example, you might point out that a network virus will do the same amount of damage regardless of whether it originated from a secretary's computer or the CEO's laptop. It's the "weakest link" adage in action: if a certain segment of your network is left unsecured, it can potentially reduce the security of the entire network.
