Network Isolation

Written by Randy Groegel; published June 2007.



Isolation of networks affects the flow of network data, which services run on particular systems, and where those systems are located. It does not, by itself, prevent internal or external network data from traveling across those same paths. Isolation is often used to enhance the security and efficiency of the network by confining certain network traffic to certain physical wires and networks. Network isolation is achieved with the use of multiple physical and virtual networks within a single organization to separate functionality. Network designers can enhance security by organizing the network into its functional areas and considering the impact that each of these functions has on security.

One example of network isolation is to design the network so that the credentials of remote access users do not travel across any network wires or circuits that are exposed to users or other systems. The simplest method to provide this security is to connect the remote access server directly to the authentication server with a single cable. Another method is to use a switched network topology, keeping the authentication server and remote access device on their own private segments. The data sent from one to the other will then travel between only the two systems and their segments, where no other system can view it.

Isolation is discussed in the following contexts:

· Service differentiation

· VLANs

· Firewalls

The first and most obvious concept is the isolation of external from internal network traffic. Service differentiation is the identification and categorization of network services. The network services provided by an organization can be categorized as external-only, internal-only, or bridge services. As the name implies, external- and internal-only services provide functionality to either the external or internal network, but not both. Bridge services provide functionality to both the internal network and the external network. External services should be isolated in a service network, or hosted by the ISP for the organization. Also, the management of these services should occur via the previously mentioned management network. Internal services should be protected from external Internet or service network access.

It is considered dangerous to attach systems and equipment directly to the Internet without some form of protection, so be sure to protect service networks with protection mechanisms such as a firewall.

The simplest network topology takes a router and connects one interface to the ISP and the other to a multiplexing device such as a hub. All of the internal systems are then connected to the hub. Without getting into the detail of network numbering, this is effective to provide Internet access to all of the internal systems in the organization, but it also allows all systems on the Internet to communicate directly with each system on the internal network. Each system is susceptible to attack, and the entire computing infrastructure could be compromised.

The requirement for Internet access should be categorized into outgoing and incoming access. Outgoing access refers to the most common concept of Internet access—the ability to communicate with Web servers, send email, and download files. Most systems require outbound Internet access, but typically need securing from arbitrary inbound Internet traffic. All network communication and protocol detail aside, the ability to perform these actions does not require internal systems to provide access to those on the Internet. When defining a network architecture, it is important to identify the services and systems that do require access initiated by Internet-based systems. The security considerations for the network architecture now take a basic shape as three organizational classes of network—the external, the intermediary, and the internal network.

Service Differentiation

The computing services provided by an organization form the basis of the network. Aside from the configuration and security methods used to protect the individual servers and operating systems, isolation of the network services is an important security tactic because it both reduces exposure to attack and limits the effects of a successful one. The services are those features that the users require and that are provided by computers and network equipment. Common services include:

· Domain Name System (DNS)

· Email

· Web serving

· File sharing

· Printing

· Network login

DNS

The Domain Name System servers in an organization often serve the internal users as well as the external Internet. The application that provides DNS services has a history of vulnerabilities that have allowed attackers to compromise the system on which it runs and to corrupt its records. Given this history, careful attention to security is required. If the organization maintains its own DNS server, it is often best suited for the service network in order to protect the internal network from the adverse effects of an attack. As part of the network architecture, security is also bolstered by redundancy. The use of multiple DNS servers provides a level of reliability in the event of failure or attack on one, and the placement of these merits consideration in the network architecture. Multiple DNS servers should not be placed on the same network; the purpose of redundancy is to provide a high level of reliability in the event of the failure of one network. If both DNS servers are located on the same network or on a single service network, they can both be taken out of service by a single attack. The ideal solution is to locate redundant DNS servers on separate networks that have differing paths to them. This prevents attackers from disabling all domain name services without a complex attack method. DNS servers should be protected by a firewall, and primary servers should be configured with access control restrictions that disallow arbitrary queries and DNS zone transfers to unknown servers.

The separation of DNS usage also requires consideration. Many organizations use a single DNS server, with or without redundancy, to answer both internal and external queries. This means that the Internet-based systems have access to the name server, as well as the internal systems. This bridging of the internal and external networks may present a high security risk if the name server is compromised. Another security risk when using a common name server is the revelation of information. The common DNS server stores all of the name and network information for both internally and externally accessible systems. An attacker can glean this information from the server, arrive at a reasonable idea of the internal network architecture, and identify potential target systems.

One solution to these problems is a split-DNS topology, which creates two distinct name servers—one for systems on the internal network and one for those on the Internet to use. The records in each are then updated independently, and external systems have no access to information about internally networked systems. The attacker no longer has a potential bridge between the internal and external networks, and the effects of the attack are limited.

Email

Email is one of the most important network services to an organization, and the establishment of email services in the network architecture requires careful planning. It is inadvisable to support email with a single mail server. Mail servers often store the contents of users' mailboxes, including company private and confidential information. A single point of failure is present when using only one server. It is equally dangerous to provide access to the primary mail server from the Internet because an attacker may expose or gain access to its private information. One solution is to establish mail relays at different locations on the network and then allow access to the primary mail server only from those relay systems. The mail relays are often located on the service network and further away at the ISP to provide several levels of redundancy in the event of attack or connectivity issues with the organization.

If an attacker can succeed in compromising the primary mail server, the attacker can then access many other sensitive resources of the organization. The use of a mail relay defends the primary mail server and limits the effects of the attack. The mail relay can and should be protected with strong filtering rules on the firewall, and the primary mail server should also be strictly access-controlled to allow inbound mail only from the relay servers.

Web Serving

Many companies have a corporate Web site that provides the virtual storefront to the Internet and an intranet, or internally located Web site, that contains private company information. The corporate and internal Web sites should be hosted on separate machines in order to isolate the information accessible to Internet users from that accessible to employees. The network location of corporate Web sites should be determined based on how much traffic the site sees. An extremely popular Web site located on the service network with other network services such as mail relays and DNS servers may put those servers at risk in the event of a denial of service attack. The entire bandwidth can be consumed, rendering the other services unusable. The careful placement of redundant and distributed Web servers helps minimize the risks associated with this service. Web sites can be located on remote servers hosted by the ISP, or Web traffic can be load-balanced among several servers placed in close proximity to each other or even in remote areas.

File and Printer Sharing

File sharing is a staple of network life that is utilized at a majority of organizations. It is also one of the more common insecurities found on a network. A network architecture can support both security and a service that carries such risk only by carefully controlling network access to the file servers. When sharing filesystems among multiple systems on the internal networks, access should not be available to the extranets, service network, or Internet. File sharing should never be allowed from unknown or external systems.

Network Login

Network logins are the methods used by users to authenticate to a remote or local system. This includes interactive access to UNIX accounts, Windows Domain authentication, authentication to Web sites, and any other service that requires user credentials for access. There are many methods for network login, many of which are very insecure. The insecurities of network logins come from the use of cleartext authentication methods wherein the user credentials are transmitted over the network without any encryption or other data obfuscation.

Security considerations for a network design include the isolation of traffic that carries credentials to minimize the opportunity for eavesdropping and the use of VPN systems to provide encrypted communication that protects the credentials during transit. Other protection mechanisms include firewall rules to disallow the protocols that are known to function insecurely from passing the boundary of the internal networks.

Telnet, remote shells, and FTP are commonly used services whose traffic should not be allowed outside of the internal network, if used at all. These services transmit user credentials without any form of encryption, allowing an attacker to eavesdrop and intercept the information.

VLANs

The use of Virtual Local Area Networks (VLANs) is a relatively new approach to network topology that arose with the development of new network equipment. VLANs provide an alternative to the normal routed and switched network topology by simplifying diverse networks through more intelligent hardware. The VLAN allows groups of systems on different physical networks and segments to communicate seamlessly without the need for a router. One of the drawbacks of routed and switched networks is that the physical location of systems often dictates their presence on a particular network. For example, putting two systems that are physically in the same room onto two different networks requires that the network cables terminate at two different places, one at each network access point. If the network equipment is not physically located in the same area, this becomes quite unmanageable. VLANs allow for this capability and do so transparently.

The use of VLAN technology also has security considerations that may encourage its use. The nature of virtual and dynamically specified networks allows for fine-grained tuning of network traffic. The ability to shape the flow of network traffic is the ability to control it, which provides very flexible security capabilities: network eavesdropping becomes more difficult, and denial of service attempts are more easily thwarted. It is important to note that part of the benefit of VLAN technology comes from its manageability. Administrators can more easily monitor network information, gather statistical information, and notice and resolve anomalous conditions.

Firewalls

The use of firewalls in a network architecture is generally seen as a requirement for any organization that has Internet access. Firewalls are useful tools, and their use in the network architecture provides greater security. As mentioned earlier, firewalls are often used to protect internal networks from access by unauthorized Internet-based systems. They can also be used to protect service networks and extranets. The use of firewalls is not a guaranteed preventative method, however. When designing a network, it is important to determine the restrictions needed for the organization and where the firewall is most beneficial. Multiple firewalls are often utilized to protect network access points and specialized networks throughout the infrastructure.

Firewalls come in several different forms, including dedicated firewall appliances, software-based firewall suites, and built-in functionality of network equipment. When considering security for a network architecture, it is often useful to utilize more than one of these methods. Routers are useful for the application of generic filtering rules such as disallowing access to particular port numbers or services. Hardware and software firewalls can then work in conjunction with the routers to perform more fine-grained filtering based on more granular details such as protocol flags and options.
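As an added example that is not part of the original article, the following shell script emits an nftables ruleset for the three-class design described above (external, service network, internal), tying together the mail relay restriction from the Email section, the block on cleartext login protocols from the Network Login section, and the default-deny boundary of this section. Interface names and addresses are constructed for the example (the 198.51.100.0/24 and 203.0.113.0/24 ranges are documentation space); the DNS query and zone transfer restrictions belong in the name server's own configuration and are not shown here.

```shell
#!/bin/sh
# Three-zone packet filter (Internet / service network / internal network)
# for the design described above, emitted as an nftables ruleset.
# Interface names and addresses are constructed for this example;
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
EXT_IF=ext0                      # link to the ISP
SVC_IF=svc0                      # service network: DNS, mail relay, web
INT_IF=int0                      # internal network
INTERNAL_NET=10.0.0.0/8
MAIL_PRIMARY=10.0.0.25           # internal mail server, reachable only via relays
MAIL_RELAYS="198.51.100.25, 203.0.113.25"   # service-net relay, ISP relay

gen_ruleset() {
cat <<EOF
flush ruleset
table inet filter {
  set mail_relays { type ipv4_addr; elements = { $MAIL_RELAYS } }
  chain forward {
    type filter hook forward priority 0; policy drop;
    ct state established,related accept
    ct state invalid drop
    # Internet -> service network: only the published services
    iifname "$EXT_IF" oifname "$SVC_IF" udp dport 53 accept
    iifname "$EXT_IF" oifname "$SVC_IF" tcp dport { 25, 53, 80, 443 } accept
    # Service network -> Internet: outbound mail and name resolution only
    iifname "$SVC_IF" oifname "$EXT_IF" tcp dport { 25, 53 } accept
    iifname "$SVC_IF" oifname "$EXT_IF" udp dport 53 accept
    # Into the internal network: SMTP from the relays to the primary server,
    # nothing else; file, print and login services stay unreachable from outside
    oifname "$INT_IF" ip saddr @mail_relays ip daddr $MAIL_PRIMARY tcp dport 25 accept
    # Cleartext login protocols (ftp, telnet, rlogin, rsh) must not leave the internal net
    iifname "$INT_IF" tcp dport { 21, 23, 513, 514 } log prefix "cleartext-login " drop
    # Ordinary outbound access for internal systems
    iifname "$INT_IF" ip saddr $INTERNAL_NET accept
    log prefix "zone-drop " drop
  }
}
EOF
}

# Print the ruleset; with --check and nft installed, parse it without loading it.
if [ "${1:-}" = "--check" ] && command -v nft >/dev/null 2>&1; then
  gen_ruleset | nft -c -f -
else
  gen_ruleset
fi
```

Everything not explicitly accepted, including Internet or service-network traffic toward internal file, print and login services, falls through to the logged drop at the end of the chain.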
