SECURITY AND FINANCIAL VIABILITY OF MIXED NETWORKS CONSISTING OF PRODUCTION AND TEST ENVIRONMENTS

Dominik VYMĚTAL

ABSTRACT

Companies that run both production and test networks in order to present their products and services and to educate their personnel and customers face the contradiction between the security and the flexibility of those networks. The same may hold for educational institutes providing distance education to their students, especially across several nodes connected through a network infrastructure. Three proposals for solving this challenge are discussed in the paper. The 802.1x based solution, deployed in several steps, is recommended as viable from both the system and the financial point of view. The analysis is based on the example of a mid-sized company.

KEYWORDS: Security, VPN, 802.1x, Distributed test nodes, financial viability

JEL classification: M15, O32

INTRODUCTION

Companies selling copiers, printers, faxes, PDAs and other office and multimedia products, services and software are confronted with the contradiction between the security of their production networks and the need for maximum flexibility in testing, presenting and educating their personnel and customers. The same may hold for educational institutes providing distance education to their students, especially across several nodes connected through a network infrastructure and supporting various tests during the courses. This can be a real challenge for the security administrator.

Let us analyse a mid-sized company with a central site and several branch offices throughout a country. The situation would be similar for an educational institute supporting test nodes and educational connections for its students. A package of WAN provider services is used to support the production information system. The employees using the production system connect regularly to the production LAN; hence the network is protected by common means such as a firewall, a proxy server, antivirus/antispam programs etc.
The active network elements are either rented or company owned, but mostly they do not possess switch-port-level authentication capabilities. This is a typical situation in many companies of this type. On the other hand, an urgent need is emerging to test new software, to support distance education and on-line presentations of new ideas and products in the distributed training and show rooms of the branch offices, and, last but not least, to download firmware and the corresponding manuals from partner portals and networks. This situation, shown in Fig. 1, is a real challenge for the IT manager of the company. Let us discuss his practical and financial options in the well-known environment of limited budgets. (Note: the icons of well-known manufacturers and providers used in the figures have no relevance to these manufacturers and do not imply any recommendation.)
Figure 1 Initial Situation (components shown: company central office with production and laboratory network, branch networks with test LANs, routers, firewall)

1. INTERNAL FIREWALL

The principle of the internal firewall is shown in Fig. 2. The production LAN in the central site is connected to the branch office LANs via routers and the WAN; the whole network is protected by an external firewall. The test networks in the branch offices and the software laboratory network in the central site are separated from the production network by an internal firewall. Any device connected to these test networks is subject to the internal firewall rules.

Advantages:
A) This is the simplest solution.
B) The costs of the solution are sufficiently low.

Disadvantages:
A) Requirements to enable connections to external partners cause ad hoc requests to open firewall ports in both the external and the internal firewall. This takes time and in practice diminishes the firewall's functionality.
B) Devices normally used in the production network but needed for some time in the test networks (e.g. service personnel notebooks) have to be reconfigured every time in order to meet the firewall rules.
Figure 2 Proposed solution with internal firewall (components shown: company central office with production and laboratory network, branch network with test network, router, external firewall, internal firewall)

C) Traffic from PCs and notebooks to output devices placed in the test networks but used from the production network (printers in the show rooms of the branch offices etc.) causes a high data load in the network, since it has to pass through the internal firewall to reach the target output device.

This solution will not be accepted as viable.

2. VPN SOLUTION

A possible VPN connection is presented in Fig. 3. Either the internal firewall is still used to separate the test networks in the branch offices and the laboratory network in the central site from the production network, or multiple LANs are connected to the production network through separate firewalls. End user devices in the test networks can access the resources of the production network via VPN.

Advantages:
A) The solution is still simple and most of the end users' requirements are met.

Disadvantages:
A) Multiple firewalls cause higher administration costs, the port problem is not solved, and the danger of uncoordinated handling of the firewall rules is high.
Figure 3 Proposed solution using VPN (components shown: central office with laboratory network, external firewall, internal firewall, VPN, branch test network and production network, router)

B) Not all end devices, e.g. printers, can use VPN at present.
C) The requirement to use resources of this type from the production LANs is not met.
D) The requirement to reach both the production and the test LANs makes a split tunnel necessary, which brings further risks into the environment.

This solution will most probably be refused.

3. 802.1x BASED SOLUTION

802.1x is based on authentication at the switch-port level. Three roles are defined in the authentication process:
The Supplicant: the end device asking for a network connection, e.g. a notebook, a printer or another end device.
The Authenticator: a switch directly connected to the Supplicant; this is the device through which the Supplicant gets network access.
The Authentication Server, where the authentication procedure runs. The Authenticator serves as a gateway to the Authentication Server.

The authentication process consists of Extensible Authentication Protocol (EAP) messages exchanged between the Server and the Supplicant. The communication protocol between the Authenticator and the Server, RADIUS (Remote Authentication Dial In User Service), runs over UDP ports.
The following authentication services can be provided based on 802.1x:
Authentication of the end user or device.
The security policy can be enforced at the network level, independent of the end user or device.
Network access can be allowed or denied at the port level.
On top of basic authentication, extended functions can be defined and/or enforced during authentication, such as checking the antivirus and antispam definitions, controlling the operating system patch level, etc.

The capabilities of the 802.1x standard can be used to meet the requirements for flexibility and security of our network. Typically, devices are authenticated at the switch-port level based on the MAC address, the end user name or a certificate. Roles and access control lists can be used to make the process more flexible. The solution can be introduced in several steps in order to keep its financial costs within the required scope. Depending on the functional capabilities of the active network elements, more steps can be defined to achieve the financial viability of the change.

The first step of the migration to the 802.1x solution is shown in Fig. 4. The test and laboratory networks in the central site would be grouped into their own VLANs in a demilitarized zone (DMZ) and migrated to an 802.1x ready network using suitable switches. The external firewall would get two more interfaces connected to the 802.1x network. The hardware costs of this step are manageable. The end users of the VLANs and their communication routes would then be defined and the necessary roles set on the authentication server. In the first step, MAC based authentication is proposed. If the MAC address corresponds to an address defined on the server, the role of the device can be set and authorised, the switch port is configured for the corresponding VLAN, and a dynamic ACL (Access Control List) on the firewall can be changed. The device then gets all the resources it needs from the production network.
If the MAC address of the device is not known to the authentication server, there are two possibilities: either the device gets a guest role or access is denied; which of the two applies is defined when the network is set up. As authentication using the MAC address is not sufficiently safe, a certificate-based procedure is to be introduced in the next step or in the further steps, when the branch offices are connected to the new network. The routers do not support MAC address authentication. Connecting the branch offices in the next step requires the definition of two VLANs in each branch office, namely the production VLAN and the test VLAN. The deployment of VLANs requires the procurement of new switches supporting VLANs. However, the proposed solution can be introduced step by step to keep the costs within the limit. The branch office routers are to be connected to the central WAN router by an 802.1Q trunk.
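The following is an added example, not part of the paper and not any vendor's product code. It models the authentication-server side of the role model described in Section 3 (Supplicant, Authenticator, Authentication Server) and of the staged rollout just described: MAC based authentication for devices such as printers that cannot run a supplicant, a certificate identity preferred over the MAC where one is presented, the site-wide choice between a guest role and a denial for unknown MAC addresses, the RADIUS attributes that carry a dynamic VLAN back to the switch (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID as defined in RFC 3580), and an optional posture check standing in for the extended functions (patch level, antivirus) of the last migration step. All device records, VLAN numbers, role names and ACL names are constructed for the example; the use of the Filter-Id attribute to name an ACL is an assumption, since how a switch interprets it is vendor specific.

```python
"""Toy 802.1x / MAC-authentication policy for an authentication server.
Added example; every inventory value below is constructed, not taken from the paper."""
from dataclasses import dataclass, field
from typing import Dict, Optional
import re

# Constructed VLAN plan: production, test and laboratory VLANs plus a guest VLAN.
VLANS = {"production": 10, "test": 20, "lab": 30, "guest": 99}

# Constructed device inventory: normalised MAC -> (role, VLAN name).
KNOWN_DEVICES = {
    "00:11:22:33:44:55": ("printer", "test"),
    "00:11:22:33:44:66": ("service-notebook", "production"),
}
# Constructed certificate subjects for devices that can do certificate authentication.
CERT_ROLES = {"CN=lab-pc-07": ("lab-workstation", "lab")}

# Constructed ACL names per role (returned in Filter-Id; vendor-specific assumption).
ROLE_ACL = {
    "printer": "acl-print-only",
    "service-notebook": "acl-staff",
    "lab-workstation": "acl-lab",
    "guest": "acl-guest",
}


@dataclass
class Decision:
    accept: bool
    role: Optional[str] = None
    vlan: Optional[int] = None
    radius_attrs: Dict[str, str] = field(default_factory=dict)
    reason: str = ""


def normalise_mac(mac: str) -> str:
    """Switches send the MAC as the MAB username in several notations
    ('aabb.ccdd.eeff', 'AA-BB-CC-DD-EE-FF', ...). Canonicalise to lower-case
    colon form so a lookup cannot be dodged by writing the address differently."""
    hexdigits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(hexdigits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(hexdigits[i:i + 2] for i in range(0, 12, 2))


def vlan_attributes(vlan_id: int) -> Dict[str, str]:
    """RADIUS attributes for dynamic VLAN assignment (RFC 3580): the switch
    places the authenticated port into VLAN `vlan_id`."""
    return {"Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan_id)}


def authenticate(mac: str, cert_subject: Optional[str] = None,
                 unknown_policy: str = "guest",
                 posture_ok: Optional[bool] = None) -> Decision:
    """Decide one port-access request.

    unknown_policy: 'guest' or 'deny', the site-wide choice fixed at setup
    time for devices whose MAC the server does not know.
    posture_ok: None (no posture check), True or False; models the extended
    functions (patch level, antivirus check) of the final migration step.
    """
    mac = normalise_mac(mac)
    if cert_subject in CERT_ROLES:          # certificate identity beats the MAC
        role, vlan_name = CERT_ROLES[cert_subject]
        how = "certificate"
    elif mac in KNOWN_DEVICES:              # MAC based authentication (first step)
        role, vlan_name = KNOWN_DEVICES[mac]
        how = "mac"
    elif unknown_policy == "guest":         # unknown MAC: guest role ...
        role, vlan_name, how = "guest", "guest", "unknown-mac"
    else:                                   # ... or access denied
        return Decision(False, reason="unknown MAC and guest access disabled")

    # A failed posture check never lands a device in its normal VLAN; it is
    # quarantined in the guest VLAN, where it can still fetch patches.
    if posture_ok is False and role != "guest":
        role, vlan_name, how = "guest", "guest", how + "+posture-failed"

    vlan_id = VLANS[vlan_name]
    attrs = vlan_attributes(vlan_id)
    attrs["Filter-Id"] = ROLE_ACL[role]     # ACL the switch/firewall applies
    return Decision(True, role, vlan_id, attrs, reason=how)


if __name__ == "__main__":
    for req in ({"mac": "0011.2233.4455"},
                {"mac": "AA-BB-CC-DD-EE-FF"},
                {"mac": "AA-BB-CC-DD-EE-FF", "unknown_policy": "deny"},
                {"mac": "00:11:22:33:44:66", "posture_ok": False},
                {"mac": "00:11:22:33:44:77", "cert_subject": "CN=lab-pc-07"}):
        print(req, "->", authenticate(**req))
```

The point of the example is the ordering of the decisions: a certificate identity is trusted before a MAC, a MAC only selects a role that the inventory has explicitly assigned, and anything unknown or failing posture is confined to the guest VLAN or refused, never placed into the production VLAN. In a real deployment the same decision would be emitted as an Access-Accept or Access-Reject in response to the Authenticator's RADIUS request.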
Figure 4 802.1x based solution (components shown: production LAN and router, 802.1x switch, external firewall with WEB DMZ, production laboratory DMZ and test DMZ, laboratory VLAN and test VLAN, 802.1Q trunk to the branch office router, VPN, file server, mail server, web server, production DB server, authentication server)

The last step of the migration would then be the migration of the production LAN in the central site and the introduction of the extended functions such as virus protection, patch level control etc. The steps can be carried out according to the security needs of the company and the financial resources assigned to the project, which we see as an advantage of the proposed solution.

4. SUMMARY

The 802.1x based network interconnection proposed in Chapter 3 solves the most important needs of a company coping with the co-operation of production and test networks while keeping the necessary security level. Deployment in two to four steps supports both the financial viability of the project and the flexibility needed.
INFORMATION ABOUT THE AUTHOR

Ing. Dominik VYMĚTAL, DrSc. was recently appointed to a chair in Information Technologies at Silesian University, School of Business Administration in Karviná, Czech Republic. His previous appointments were at Konica Minolta Business Solutions Austria and Czech Republic, where he was responsible for Strategy, Operations and Support of Company Information Systems for the last 16 years. Before that he spent 22 years at Iron and Steel Works Trinec, Czech Republic, in Research and IT Operations. He received his CSc. degree at the Institute of Steel in Moscow, Russia in 1975 on modelling metallurgical processes and his DrSc. degree at the same institution in 1985 on Methodology of Information Systems Development. He lives in the Czech Republic.

ADDRESS

Ing. Dominik VYMĚTAL, DrSc.
Silesian University in Opava
School of Business Administration
Department of Informatics
Univerzitní nám. 1934/3
733 40 Karviná
Czech Republic
Phone: +420 596 398 237
Fax: +420 596 312 069
e-mail: vymetal@opf.slu.cz