CHAPTER 9 Internet Architecture
Copyright 2001 The McGraw-Hill Companies, Inc.
The Internet has great potential in terms of new businesses, reduced costs of selling, and improved customer service. It also has great potential to increase the risk to an organization's information and systems. With proper security architecture, the Internet can truly become an enabler rather than a security risk.
SERVICES TO OFFER
The first question that must be answered with regard to Internet architecture is: What services will the organization provide via the Internet? The services that will be offered and who will be accessing them will greatly impact the overall architecture and even the choice of where services may be hosted.
If mail service is available, it is generally offered to internal employees to send and receive messages. This service requires that at least one server be established to receive inbound mail. If higher availability is required, at least two mail servers are required. Outbound mail can move through this same server, or the organization can allow desktop systems to send mail directly to the destination system.
NOTE: Allowing desktop systems to send mail directly to the destination systems is not a recommended solution. However, if your mail systems are hosted on the Internet, each desktop will send and receive mail from your hosted system. In this case, it is wise to limit outbound mail connections from desktops to just the hosted server.
An organization may also choose to establish public mail relays for such things as e-mail discussion groups. Such systems are normally referred to as list servers. These systems will allow external people to send mail to the system, and the system resends that message to the subscribers of the list. List servers can reside on the same servers as the organization's primary mail systems, but the larger traffic requirements should be taken into account in the overall architecture of the Internet connection.
Web
If an organization chooses to publish information to customers or partners via the World Wide Web, it needs to establish a Web server and place some amount of content there for public viewing. This Web server may be hosted at another location or it may be hosted internally.
Web servers can provide simple, static content, or they can be linked to e-commerce systems (see Chapter 11) that provide dynamic content and allow the taking of orders. Access to the Web site can be public or it can be restricted through some authentication mechanism (usually a user ID and password). If some content on the site is restricted or sensitive, you should use HTTPS. HTTPS works over port 443 instead of port 80, which is normal for Web traffic. HTTPS is the encrypted version of HTTP, which is used for standard Web traffic, and is normally used for Web pages that contain sensitive information or require authentication. The choice of how the Web site is constructed will impact the amount of traffic to expect and the criticality of the Web server itself.
The organization may choose to provide a File Transfer Protocol (FTP) server as part of the Web server. An FTP server allows external individuals to get or send files. This service can be accessed via a Web browser or an FTP client. It can also be anonymous or it can require a login ID and password.
Internal Access to the Internet
How employees access the Internet should be governed by organization policy (see Chapter 5). Some organizations allow employees to access the Internet using any service they choose, including instant messaging, chat, and streaming video or audio. Others only allow certain employees to access the Internet using a browser to access only certain Web sites. The choice will impact the amount of traffic to expect and the perceived criticality to the employees.
A common set of services that employees are allowed to use includes:

Service                                  Description
HTTP (port 80) and HTTPS (port 443)      Allows employees to access the Web
FTP (ports 21 and 22)                    Allows employees to transfer files
Telnet (port 23) and SSH (port 22)       Allows employees to create interactive sessions on remote systems
POP-3 (port 110) and IMAP (port 143)     Allows employees to access remote mail accounts
NNTP (port 119)                          Allows employees to access remote network news servers
NOTE: Even if the organization determines not to allow streaming video and audio, many sites are now offering these services over HTTP; therefore, this traffic will not appear to be different than regular Web traffic. Likewise, there are several peer-to-peer services on the Internet that can be configured to use port 80. These types of services open up the risk of having unauthorized individuals gaining access to internal systems.
External Access to Internal Systems
External access to sensitive internal systems is always a touchy subject for security and network staff. Internal systems in this case are those systems primarily used for internal processing. These are not the systems that are set up just for external access, such as Web or mail servers.
External access can take two forms: employee access (usually from remote locations as part of their job) or non-employee access. Employee access to internal systems from remote locations is usually accomplished through the use of a virtual private network (VPN) over the Internet (see Chapter 10), dial-up lines into some type of remote access server, or a leased line. The choice of method will impact the Internet architecture of the organization.
Greater impact will occur if external organizations require access to internal systems. Even access by trusted business partners must be mediated to manage risk. External access may be accomplished through the use of VPNs, dial-up lines, or leased lines, or by direct, unencrypted access (such as telnet) over the Internet, depending on the purpose of the connection.
CAUTION: Unencrypted access over the Internet is not a recommended practice; however, some business agreements require this type of access. If this is the case, every effort should be made to move the systems to be accessed out of the internal network and into some restricted network (see the section "Demilitarized Zone" later in this chapter).
Control Services
Some services will be required for the smooth function of the network and your Internet connection. Whether or not you should allow these services depends on organization policy.
DNS
The Domain Name Service (DNS) is used to resolve system names into IP addresses. Without this function, internal users would not be able to resolve Web site addresses and thus would find the Internet unusable. Normally, internal systems query an internal DNS to resolve all addresses. The internal DNS is able to query a DNS at the ISP to resolve external addresses. The rest of the internal systems do not query external DNS systems.
DNS must also be provided to external users who wish to access your Web site. To do this, your organization can host the DNS or your ISP can host it. This choice will impact the Internet architecture. If you choose to host your own DNS, this system should be separate from the internal DNS. Internal systems should not be included in the external DNS.
ICMP
Another control service that helps the network to function is the Internet Control Message Protocol (ICMP). ICMP provides such services as ping (used to find out if a system is up). In addition to ping, ICMP provides messages such as "network and host unreachable" and "packet time to live expired." These messages help the network to function efficiently. They can be turned off, but this may impact the way the network functions.
NTP
The Network Time Protocol (NTP) is used to synchronize time between various systems. There are sites on the Internet that can be used as primary time sources. If you choose to use this service, one system on your site should be the primary local time source and only that system should be allowed to communicate to the Internet with NTP. All other internal systems should take time from that primary local time source.
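The mail, DNS, and NTP guidance in this section all reduce to one egress principle: a single designated internal host speaks each control service to the Internet, and every other internal system goes through it. The following audit is an added example, not code from the book; it checks constructed flow records (protocol, source, destination, destination port) against that principle, and the host addresses and their roles are assumptions.

```python
"""Egress audit for the chapter's mail/DNS/NTP rules (added example,
not the book's code). Flow records below are constructed; the host
addresses and the roles assigned to them are assumptions."""
from collections import defaultdict

# Assumed roles: the only internal host allowed to reach the Internet on
# each controlled port (mail server, internal DNS, primary local time source).
ALLOWED_EGRESS = {
    25:  {"10.0.0.5"},    # outbound SMTP: the organization's mail server only
    53:  {"10.0.0.10"},   # queries to external DNS: the internal DNS only
    123: {"10.0.0.20"},   # NTP to the Internet: the primary local time source only
}

def is_internal(ip):
    return ip.startswith("10.")   # assumed internal address range

def audit_flows(flows):
    """Return {(src, dport): count} for internal hosts that reached an
    external address on a controlled port without being the designated host."""
    violations = defaultdict(int)
    for line in flows.splitlines():
        if not line.strip():
            continue
        _proto, src, dst, dport = line.split()
        dport = int(dport)
        if dport not in ALLOWED_EGRESS or not is_internal(src) or is_internal(dst):
            continue   # not a controlled service, or not an egress flow
        if src not in ALLOWED_EGRESS[dport]:
            violations[(src, dport)] += 1
    return dict(violations)

SAMPLE_FLOWS = """\
tcp 10.0.0.5 198.51.100.7 25
tcp 10.0.0.33 198.51.100.7 25
udp 10.0.0.10 203.0.113.53 53
udp 10.0.0.41 203.0.113.53 53
udp 10.0.0.41 203.0.113.53 53
udp 10.0.0.20 203.0.113.123 123
udp 10.0.0.42 203.0.113.123 123
udp 10.0.0.41 10.0.0.10 53
"""

if __name__ == "__main__":
    for (src, port), n in sorted(audit_flows(SAMPLE_FLOWS).items()):
        print(f"{src} -> port {port}: {n} flow(s) bypassing the designated server")
```

The last sample record (a desktop querying the internal DNS) is internal-to-internal and is correctly ignored; the three bypassing hosts are reported.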
SERVICES NOT TO OFFER
The Internet architecture should be designed to accommodate the services that are required. Services that are not required should not be offered. By designing the Internet architecture in this way, a number of services that create significant risk will not be offered.
Specific services that should not be offered due to significant security risks include:

Service                                    Description
NetBios Services (ports 135, 137,          Used by Windows systems for file sharing and remote
138, and 139)                              commands
Unix RPC (port 111)                        Used by Unix systems for remote procedure calls
NFS (port 2049)                            Used for the Network File Services (NFS)
X (ports 6000 through 6100)                Used for remote X Windows sessions
"r" Services (rlogin port 513,             Allow remote interaction with a system without a
rsh port 514, rexec port 512)              password
Telnet (port 23)                           Not recommended because the user ID and password
                                           travel in the clear over the Internet and thus can be
                                           captured. If an interactive session must be allowed
                                           inbound, SSH is recommended over telnet.
FTP (ports 21 and 22)                      Not recommended for the same reason as telnet. If this
                                           capability is required, files can be transferred over SSH.
TFTP (Trivial File Transfer                Similar to FTP but it does not require user IDs or
Protocol) (port 69)                        passwords to access files
Netmeeting                                 Potentially dangerous because it requires a number of
                                           high ports to be opened in order to work properly.
                                           Instead of opening these ports, an H.323 proxy should
                                           be used.
Remote Control Protocols                   Include programs like PC Anywhere and VNC. If these
                                           protocols are required to allow remote users to control
                                           internal systems, they should be used over a VPN.
SNMP (Simple Network Management            May be used for network management of your
Protocol) (port 169)                       organization's internal network, but it should not be
                                           used from a remote site to your internal systems.
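A table like the one above is only useful if proposed firewall changes are actually checked against it. The following audit is an added example, not code from the book: it encodes the port numbers as the table gives them and flags any rule that would allow one of those services inbound. The rule syntax and the sample rule set are constructed.

```python
"""Audits proposed inbound firewall rules against this chapter's
"services not to offer" table. Added example, not the book's code;
the rule syntax and the sample rule set below are constructed."""

# Port -> (service, the chapter's reason). Ports are as given in the table.
PROHIBITED_INBOUND = {
    **{p: ("NetBIOS", "Windows file sharing and remote commands") for p in (135, 137, 138, 139)},
    111: ("Unix RPC", "remote procedure calls"),
    2049: ("NFS", "network file service"),
    **{p: ("X", "remote X Windows sessions") for p in range(6000, 6101)},
    **{p: (n, "r service: remote interaction without a password")
       for p, n in ((512, "rexec"), (513, "rlogin"), (514, "rsh"))},
    23: ("Telnet", "user ID and password travel in the clear; use SSH instead"),
    21: ("FTP", "user ID and password travel in the clear; transfer files over SSH"),
    69: ("TFTP", "no user ID or password needed to access files"),
    169: ("SNMP", "internal management only, never from a remote site"),
}

def parse_rule(line):
    """Constructed rule format: '<allow|deny> <tcp|udp> <in|out> <dport|any>'."""
    action, proto, direction, dport = line.split()
    return action, proto, direction, None if dport == "any" else int(dport)

def audit_inbound(ruleset):
    """Return (rule, service, reason) for each rule that allows a prohibited
    service inbound; an 'any' destination port exposes every prohibited service."""
    findings = []
    for line in ruleset.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        action, _proto, direction, dport = parse_rule(line)
        if action != "allow" or direction != "in":
            continue   # deny rules and outbound rules are out of scope here
        if dport is None:
            findings.append((line, "any", "allows every prohibited inbound service"))
        elif dport in PROHIBITED_INBOUND:
            findings.append((line, *PROHIBITED_INBOUND[dport]))
    return findings

SAMPLE_RULESET = """\
# constructed rule set for a new DMZ host
allow tcp in 443
allow tcp in 22
allow tcp in 23
allow tcp in 6000
deny tcp in 139
allow udp in any
"""
```

Calling audit_inbound(SAMPLE_RULESET) passes the HTTPS and SSH rules and reports the Telnet rule, the X rule, and the any-port rule, each with the table's reason.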
COMMUNICATIONS ARCHITECTURE
When developing a communications architecture for an organization's Internet connection, the primary issues are throughput requirements and availability. Throughput is something that must be discussed with the organization's Internet Service Provider (ISP). The ISP should be able to recommend appropriate communication lines for the services to be offered.
The availability requirements of the connection should be set by the organization. For example, if the Internet connection will only be used by employees for non-business-critical functions, the availability requirements are low and an outage is unlikely to adversely affect the organization. If the organization is planning to establish an e-commerce site and have the majority of its business moving through the Internet, availability is a key to the success of the organization. In this case, the design of the Internet connection should include fail-over and recovery capabilities.
Single-Line Access
Single-line access to the Internet is the most common Internet architecture. The ISP supplies a single communications line of appropriate bandwidth to the organization, as shown in Figure 9-1.
Generally, the ISP will supply the router and the Channel Service Unit (CSU) for the link. The local loop is the actual wire or fiber that connects the organization's facility with the phone company's central office (CO). The ISP will have a point of presence (POP) somewhere nearby. The link to the ISP will actually terminate at the nearest POP. Even though the POP is not at the closest CO, the local loop connection will require that the line go through the closest CO. From the POP, the link goes through the ISP's network to the Internet.
If we analyze the connection shown in Figure 9-1, we see that there are a number of points where an equipment failure will cause an outage. For example:
▼ The router could fail
■ The CSU could fail