Separation of networks often comes in the form of specialized network functionality such as network management, monitoring, and remote access. Access to these functions may merit separation from the remainder of the network infrastructure. Different broadcast domains and network numbers communicate among each other via routers and by adding extra network interfaces to servers and network equipment.

Network Management

Network management refers to the control, configuration and maintenance of the network hardware used throughout an organization. Many of these devices provide network, terminal, and Web browser-based access to administer and configure them. It is advisable to disallow the ability to manage these devices from the Internet and other in-band networks. In-band network management occurs when the administrators connect to the device over one of the networks that the device services. In-band management of a router, for example, occurs when the administrator connects to it from the Internet over the external interface or from the internal network over the internal interface. Remote management of a router that ties the Internet to a service network or internal network should not be allowed from the Internet. Although outsiders cannot access the router directly from the Internet, they can access it from an Internet-accessible system in the service network. Compromise of a service network-based system provides the attacker with access to the network equipment. If possible, it is best to establish a management network on a third network interface and to restrict management access to the router from only that special network.

A management network is often a separate physical connection to the devices and on which there are only a handful of dedicated management stations. No other network should have connectivity to the management network, unless controlled through a single, high-security system; access otherwise occurs by physical presence at one of the management stations. The use of a management network severely limits the ability of an attacker to access important systems and equipment, which decreases the risk of compromise.

Monitoring

Network monitoring is a useful function that aids in the security of a network by debugging problems and maintaining performance. The separation of network data may hinder the ability to monitor sections of the network. Therefore, it is important to consider what monitoring should be used and where and to incorporate the required changes or equipment into the network architecture.

Several methods of network monitoring should be considered, as well as their placement in the design of the network. Intrusion detection is a relatively new innovation that is proving useful in the network. These intrusion detection systems (IDS) are placed throughout the network and actively monitor for known signs of attack. The placement of an IDS is often useful at network access points, including the service network, near the inside and outside of firewalls, remote access devices including VPNs and dial-in servers, and near key systems. Firewalls also act as a form of monitoring for a network. Their role is more active in that they manipulate network traffic by allowing or disallowing information to pass through. The effects of many attacks can be limited by regular and frequent analysis of these monitoring methods, including log analysis and configuration of the equipment to notify administrators in the event of an attack condition.

Other considerations for monitoring include the ability for administrators to monitor network traffic and analyze it for insecurities as part of the regular maintenance. The network and its implementation affect the ability to monitor traffic in this way. Network equipment often supports monitoring with SNMP and RMON, two standardized protocols used for this purpose. A final method of network monitoring is via complex network management software suites. These packages use a number of different protocols and methods to acquire and analyze information and provide fast alert and responses to anomalous conditions. These tools often utilize special agents that run in conjunction with the systems and equipment being monitored; these packages are not affected by the physical orientation of the network, however.

Remote Access

If remote access methods are needed in the organization, the methods to provide it should be considered during the creation of the network architecture. Two methods are commonly used: VPN solutions and dial-in modem access. VPN solutions come in two forms—the hardware device and software application. The hardware VPN device provides several benefits; it is a specialized device that often provides a high level of performance and incorporates its own security methods. The software VPN solution runs as an application or service on existing server systems and often relies on the security mechanisms of its respective operating system.

The effects on the network architecture required to support a VPN are similar for each solution. VPN devices can be more easily integrated in a secure manner into the network environment because the access to and control of the device are more easily dictated. The software service requires more attention. To achieve the highest security, the VPN software should run on a dedicated server and be treated as a device with no other services present. The operating system should be configured in a secure manner and no other internally used services should be run on the system in order to prevent access to the internal network. Software VPN solutions are affected by the vulnerabilities of the operating system as well as any insecurities in the software.

Dial-in support via modems and access servers provides a direct connection to the internal network. The considerations for dial-in methods include the use of a management network to control the device to protect it from unauthorized configuration changes. The dial-in server often relies on other servers on the network to provide authentication of its users. The network path used for authentication should also be private. Finally, dial-in servers should disallow remote networks to route traffic across their dial-in lines. Attackers will often use "war-dialing" software to scan phone numbers for dial-in servers. While the scanning cannot be prevented, the proper organization and configuration of dial-in equipment will limit the risk of compromise.

There are several considerations given to the placement of VPN and dial-in systems in order to protect the internal network. When defining the network architecture, the designers should identify the functionality supported and provided by the remote access. VPNs can provide transparent access to all of the resources of a network, allowing the remote system to appear and function as it would if it were physically located at the organization. Dial-in access, unless combined with a VPN solution, is often used to provide more limited services such as email and Web access. Despite the differences in methods, both supply the same basic functionality—access from remote, distrusted networks and locations. Therefore, it is advisable to place remote access servers on a separate network and to control access to the facilities which it uses. The previously mentioned management network should also be used to control and configure these systems.

The placement of remote access equipment follows the same logic used for other network equipment: the limitation of the effects should an attack occur. Attackers will attempt to find the targets that provide them with the most access to other systems and equipment. Remote access devices are easily identifiable targets and should be protected adequately.