Security in Local Area Networks

Transcription

1 RADLAN White Papers RADLAN Computer Communications Ltd. Atidim Technological Park, Bldg. 4 Tel Aviv 61131, Israel Tel: Fax: Security in Local Area Networks Firewall for Access Control and Security A Member of the RAD Group To learn more about RADLAN products, visit our World Wide Web site at August 1998

2 Security in Local Area Networks: Firewall for access control and security Contents Background...1 LAN Security is Essential...1 Network Security Today A Partial Perspective...2 Internal Network Security Requirements...3 Forwarding Performance Issues...4 Global Policy Management...4 Secure the Network at the Entrance...5 Advanced Control at Each Port...5 Central Security Definition Reduce human errors and save time...5 FACS as an Active Security Model...6 Forwarding Performance Solved...8 Protecting the Servers...9 Virtual Private Network (VPN)...9 1

3 Security in Local Area Networks Firewall for access control and security Background Security has become one of the major concerns for today s system administrators who need to provide users with information-sharing capabilities across enterprise networks and Internet access, while maintaining the integrity of their corporate data. Recent surveys show that information security budgets as well as the number of information security specialists are on the rise. Information security professionals recommend that a company dedicate as much as three to five per cent of their total IS budgets to information security. What does the term information security mean, and how can it be implemented in your organization? Information security is the protection of information assets from accidental (or intentional) unauthorized disclosure, modification, or destruction. Hackers and computer viruses are external threats that can be handled at the proxy level by protection systems, such as a Firewall and Virtual Private Networks (VPNs). Although external threats attract public attention, the greater threats are internal and lie within human errors errors of omission either by employees whose honesty is not in question, or by dishonest employees intending an assault on the network. LAN Security is Essential According to market surveys, internal threats are estimated to be in the range of percent of total threats on the network, whereas, external attacks and strangers -- including Internet hackers -- represent only 1-3 percent. Thus, efforts to place vast information resources at the fingertips of each individual within an organization must be balanced by proportionate attention to access restriction rules and information protection policies. This paper reviews the security requirements for a corporate network considering the above survey statistics. It proposes a flexible access control method for ensuring that the user has access only to the information necessary to do his/her job and restricts user access to various resources based on user identity. 1

4 Network Security Today A Partial Perspective Most organizations embraced off-the-shelf products called Firewalls as a means to prevent security problems. Firewalls are ready-made security solutions that provide organizations with a management interface to easily implement and manage their security policies regarding access from the Internet. This limitation in protecting network resources from the external world does not answer the major issues of inside threats or human errors which represent 90% of information destruction and financial loss. What can conventional firewall protection deliver? There are several alternatives for firewall solutions in the market to provide different levels of network and usage protection. In general, all firewalls share the same firewall methodology:? Packet filtering: Looks at each packet entering or leaving the network and either accepts or rejects it based on user-defined rules. Packet filtering is relatively sufficient and transparent to users. However, since conventional firewalls are essentially dedicated to WAN-to-LAN protection and are not physical-port dependent, they could present some weaknesses against network attacks, for example, IP spoofing.? Application gateway: Applies security mechanisms to specific applications such as FTP and Telnet servers by reducing the number of possible application options. This is very effective, but imposes performance degradation.? Circuit-level gateway: A flow-based security method that applies security mechanisms when a TCP or UDP connection is established. Once a connection is made, packets can flow between hosts without further verification checks. It is a faster alternative than application gateway but not all packets are controlled which leaves the organization vulnerable to attack.? Proxy server: Intercepts all messages entering and leaving the network and processes them. Proxy servers effectively hide the true network addresses, such as data-base servers and application servers, thus protecting real information from a direct attack. In practice, many firewalls use two or more of these techniques in concert. A firewall is considered the first line of defense in protecting - 2 -

5 private information. All messages entering or leaving the private network pass through the firewall, which examines each message and blocks those that do not meet the specified security criteria. Nevertheless, firewall techniques can be fooled into permitting protocol tunneling. This penetration technique requires cooperation either intentional or subverted from an internal user. The internal user must allow a forbidden protocol or subnet address to pass through a firewall by transmitting it via a permitted protocol. Thus, the firewall actually acts as an intermediary between an internal network and the Internet. The firewall is a relatively good solution in preventing external threats (such as unauthorized Internet users) from accessing private networks. However, real and complete network security requires protection from the real risks - the internal threats. Internal Network Security Requirements In the internal network the slowest pipe speed is a 10-Mbps Ethernet link. This low LAN speed is already above the capabilities of most conventional firewalls that usually deal with T1/E1 WAN lines. With the introduction of Layer-3 switches in the network, a new concept of switching was born. Distributed workgroups as well as centralized or distributed servers can now benefit from local high-speed switching and local routing services. The primary business requirements in implementing internal network protection today are: 1. To provide a high level of security and reduce the risks of human error in a distributed environment. 2. To controll network access at the workgroup level. 3. To avoid network performance degradation which results from the use of an external firewall. 4. To minimize the skills and resources required to implement, maintain and manage the network. 5. To provide an economical and scaleable solution. 6. To provide detailed audit reports

6 Forwarding Performance Issues The earliest examples of firewalls were based on WAN routers which are flexible directors of network traffic. Routers examine the destination address of every packet received and forward each packet to the next hop toward its destination. However, routers can do more than merely forward packets, they can also filter packets. Layer-3 switches add another level to packet control. Layer-3 switches are not limited only to the control of each packet as it arrives, they can also ensure that a specific physical port is authorized to send or receive a specific type of information. Moreover, all this is done at wire speed. Conversely, the application gateway approach does have its downside, namely slower performance. During the course of operation, data must be copied from the operating system s memory to the program memory, and then back again. The added proxy services also introduce performance delays. Inbound data is processed twice, by the application and by its proxy. [For example, the Internet application talks to the proxy s agent, which in-turn talks to a LAN s application.] In addition, because it is a software program, an application gateway suffers from the overhead of starting and running an independent application program over an operating system. Global Policy Management One of the most critical steps in network security is to avoid human error in the definition and implementation of security rules in a distributed environment. Most of today s networks are based on a collapsed backbone design. This design allows for the deployment of switches and hubs throughout the building or campus network, all of which connect to a central routing resource. Such designs are becoming obsolete due to the ever-increasing demand for bandwidth at the workgroup and the department levels. A better network design, based on distributed routing switches will provide more flexibility and more routing power at the edge. The drawback of these future networks is the multiplication of routers and related configuration tasks. A network built upon several routers and routing switches requires extensive organization on the part of the network manager in order to ensure that the entire network is based upon the same security rules

7 A more secure solution would provide the network manager with a management tool that would transform all routers such they are viewed as a single logical router with many ports. In this manner, the network manager can define the security policies only once and have these affect the different interfaces and physical ports. Secure the Network at the Entrance Distributed networking allows routing switches to be spread throughout the network. Each routing switch serves the needs of independent workgroups or departments. Stations attached to the closest routerswitch are fully controlled at the router entrance, that is the workgroup, while the entire security definition is done at a centralized location. In addition, Radlan s architecture provides true single-hop routing from any location to any other, ensuring best performance and preventing external interference until the destination is reached. Once the security process has authorized packet forwarding, the traffic is sent at wire speed and at Layer-2 latency. Distributed networking architecture leverages the need for a centralized definition of security policies, reinforces the requirement of early access control and improves the secured network performance with one-hop latency. Advanced Control at Each Port The generic implementation of firewall functions answers the following control requirements: Service-dependent packet control (well-known protocols and logical ports).? User-defined rules based on packet header information (address, protocol).? Packet control upon incoming interface.? Asymmetric filtering providing non-identical right for packets in and out. Service-independent packet control? Physical port-dependent security policy.? Source routing attacks (IP option header).? Tiny fragments attacks. Central Security Definition Reduce human errors and save time RADLAN s Apollo Pro Layer-3 switch offers a unique distributed topology which allows up to 31 router-switches to behave as members of the same - 5 -

8 logical routing engine. As such, the network manager benefits from the performance capacity of 31 router-switches, but manages them as a single unit with only one IP address for all of them. Each port can be a member of a specific VLAN and on each port a specific class of service (CoS) can be permitted or rejected. The network manager can define the security policies only once, saving time in configuring and controlling coherence on tens of routers. RADLAN s Apollo Pro provides an approach that can be used to maintain flexible administration, minimize the impact on network performance, and maintain a significant capacity for defining complex operations. FACS as an Active Security Model With a Firewall for Access Control and Security (FACS), each port is associated with a set of default actions which a device may perform. The power of FACS as an access control mechanism is a concept in which protection may be implemented in every Layer-3 LAN switch port of the Apollo Pro. USERs SYSTEM FACS PACKAGE SNMP CDB store/restore FACS statements Figure 1. Indicate packages that interface with the FACS package. RADLAN s FACS security mechanism is designed to allow controlled access between users inside the organization and the company s information databases. With Apollo Pro distributed topology, up to 31 router-switches may be configured in a network as a single logical routerswitch. This capability provides the network manager with RADLAN s security protection which guards the internal network using a flexible - 6 -

9 mechanism of access policies. A policy can be defined as a set of criteria as outlined below:? Specific Ports Definition: Defining specific ports to be the subject for access control, allows for the inspection of traffic received by these ports. Filtering Definition: Filtering policies are a combination of rules that are verified at the per-packet level. For example, a simple rule may be defined as: All users defined in the network range of * are not permitted to run FTP applications on server X. The FACS service will then verify all packets coming through and ensure that the condition is applied. Rules are entered into the Access Control Statements (ACS) form detailed in an OMPC (Offset, Mask, Pattern, and Condition) table describing the exact control condition. OMPC allows the network manager to define the most detailed rules and conditions at the bit level, providing a sophisticated means to control traffic. Traffic Direction Definition: A set of rules can be applied separately for incoming or outgoing traffic. Action Definition: Definition indicating the action to be taken in situations in which a packet matches the defined criteria. There are three possible reactions under certain conditions: 1. To block all traffic from one point to another if a condition matches. 2. To permit traffic if a condition matches. 3. To block and also to run an application program which will send an alarm, or activate any other operation. In a secure environment, the most natural method to control traffic is to block everything and to allow traffic flow only under specific conditions

10 RADLAN s access policy provides flexible, advanced and comprehensive security capabilities with the additional advantages of: Numerous combinations of access control statements. Easy-to-use and user-friendly graphic interface to allow for quick configuration and require no knowledge of the packet structure. Port-specific operation for enabling a thorough examination of specific port traffic, as well as global access control for all other ports. Minimal performance reduction due to a sophisticated table structure and search algorithm. RADLAN s FACS provides an unobtrusive and effective means to protect your company from external intrusion and internal abuse. FACS Internet Figure 2. Internal network security architecture Forwarding Performance Solved FACS defines a new and complementary standard in security architecture. It integrates major firewall functions while providing added-value features. The firewall protects the entire network by prohibiting connections between specific Internet sources and internal computers. In addition, the FACS can be used to deny access to certain hosts or network services while permitting access to others using a bi-directional asymmetrical permission mechanism. Performing security entirely within the operating system results in higher performance. At the heart of the FACS architecture are the intelligent - 8 -

11 OMPC and ACS structures. These allow for fast forwarding while almost maintaining wire-speed operation. Protecting the Servers The server is one of the weakest network elements compared to its importance in the network. One just needs to know the server s IP address. Once the address is known the hacker can send denial of service (DOS) attacks, such as ping-to-death, until the server goes down. Other attacks against servers can easily be performed with similar tools. In order to overcome these types of attacks, a server defense system can be positioned as a server farm front-end and protect the farm from simple attacks as well as more sophisticated, application level-based attacks. The server defense masks the servers address location from the network users and counts and controls the number of attempts to open several application sessions. Moreover, it prevents a network service failover by providing balancing between two or more NFS servers, and delivers detailed statistics on actions at the server farm level. Virtual Private Network (VPN) The Internet provides WAN communications more cheaply and more globally than a leased line, Frame Relay, or asynchronous transfer mode (ATM) network. Unfortunately, the Internet cannot provide the security, bandwidth, or quality of service (QoS) guarantees that are typically associated with private networks. In addition, the Internet supports only TCP/IP while most networks accommodate a variety of protocols. Therefore, if a corporate network operates over the Internet, it is less expensive, but the service is inferior. Then again, maybe not. RADLAN s equipment can provide the best of both worlds: the security, performance, availability, and multiprotocol support of a private network over the inexpensive and pervasive Internet a Virtual Private Network (VPN). Currently, VPN technology is considered primarily as a means of extending the reach of private networks for dial-in access. However, other important applications include the connection of two or more secure networks via a wide area network, or even between two protected security - 9 -

12 sites in a building or campus. And, to a lesser extent, VPNs may address locations where traditional private network connections cannot be economically justified. RADLAN s VPN is implemented on a revolutionary hardware platform and a unique secured operating system. This powerful combination places the VPN far ahead of other VPN security solutions. It affords real random encryption bays and a secure operating system, immune to the security holes of the NT platform. The VPN is interoperable with all standard networking and security products. To learn more about RADLAN products, visit our World Wide Web site at: Ref. No