DMZ and Network Architecture

Network architecture defines how servers and clients are able to interact. Notably network architecture may be of interest in secure installations and high availability installations.  Network architecture may be used to:

• To prevent unauthorized access to critical resources and servers
• To prevent single point of failures
• To increase robustness against some types of attacks, e.g. denial of service

For security (and performance) reasons, it is a good idea to place all or most IFS Applications server in the same server environment, connected by a network with low latency and great bandwidth. Utilize firewall rules to allow only necessary traffic and prevent forged packets will increase security a lot.

Contents

• Classic DMZ network architecture; Perimeter defense
• Implementing Perimeter Defense for IFS Applications - Proxy in DMZ
• Complex network architecture; Defense in Depth

Related documentation

• Managing Firewall Idle Timeout
• Web Client and Proxy server

Classic DMZ network architecture; Perimeter defense

The perimeter defense model builds on the same principles as ships and their watertight bulkheads. This models key concept is to segment your network in to different zones, the barrier between these zones are more or less watertight. The most common configuration is with 3 zones, the External Zone, Middle Zone and Internal Zone but that number can be increased. For big companies these zones can become quite big. You can then section this zones in to smaller sub zones that are cut of from each other with the help of firewalls. Some companies also section of there different departments.

The zone principle are there to prevent an attack from spread to more computers and in particular to computers with more sensitive information (which hopefully are in another zone).

Internet zone (External Zone)

This is the most insecure zone. In most cases this is the Internet but some may also put partner networks in this zone. Any computer put in this zone will be attack. In most cases this will not take more then minutes, Uppsala University did experiments with computers sitting directly on the internet and they did not even have time to start properly before they where under attack. Most of these attacks are automated and done by network worms or by script kiddies (a script kiddy is a person that attacks computers but lack the technical knowledge to construct his/her own attacks and just uses downloaded scripts and programs form the Internet.)

It is not recommended to have anything other then honey pots in this zone.

DMZ: De-militarized Zone (Middle Zone)

It is the zone in between your intranet and Internet. It's the not so trusted network segments. Normally this is the only zone that are allowed access form the Internet. Then the attack comes (because the attack will always gone come sooner or later) this is the zone that gets hit. The idea with DMZ are that servers sitting in this zone are the only ones that are compromised. With the right configuration this zone has no need to initiate connections into the Internal Zone. When servers in the DMZ starts to try to connect to IP in the Internal zone we know that there has been a breach of security.

You should always try to minimize the number of servers in the DMZ, the more servers you can put in the internal zone the better. There are a few things that you should always do and have in the DMZ.

• Limit your attack surfs by only letting in traffic that are necessary for the operation of the DMZ servers. If you don't have server of type X don't let traffic of type X enter the DMZ.
• Section the DMZ into smaller sub zones. In each sub zone are only servers that need to communicate with each other. The sub zones are separated by a firewall or router that are configured to drop all traffic.
• All servers in DMZ are to be patched immediately and kept under close guard.
• Use Computer Integrity Systems on all servers in the DMZ.
• Network traffic should be monitored on a regular bases. Intrusion Detection Systems and Intrusion Prevention Systems should be used.

Corporate Intranet Zone (Internal zone)

This is the last zone. In this zone no access to and from the internet should be allowed. Employees needs to surf the web are preferably handled by a proxy sitting in the DMZ but it can also be handled by letting web traffic connect to servers outside the DMZ (but not recommended). Under no circumstances should traffic be coming in to this zone from Internet.

Implementing Perimeter Defense for IFS Applications - Proxy in DMZ

IFS Applications can be portioned in a couple of different ways, and two recommended ways are provided.

One approach is to only put a reverse proxy in DMZ. A reverse proxy is basically a server which acts as an transparent filter, it lets approved traffic flow through and drops the traffic that are not approved.

Perimeter defense with only Reverse Proxy in DMZ

Security Considerations

At low/medium security requirements, the proxy is configured to only allow access to the IFS Web Client site. This stops the people from accessing sensitive URL:s such as common Microsoft IIS scripts and Extended Server.

Note: Not all proxies are designed to prevent "traversal" out of such restrictions. It should be checked with vendor if proxy do prevent URL traversal. For high security installations, further security restrictions are advised.

At high level security demands, it is possible to configure the proxy to only allow access to specific URLs which are only used when reference users utilize the application. By configuring so, the proxy not only locks down users to "only access the web site", but also "only access the specific features reference users utilize". It also prevents possible traversal attacks.

Security may be further improved by utilizing a proxy which has Intrusion Prevention System (IPS) capabilities. IPS proxies are able to block any traffic they consider odd, suspicious or similar to known attack patterns.

Internet - DMZ: Firewall rules

Firewall rules for this configuration are very simple. Web Browsers must to be able to initiate HTTP / HTTPS traffic to proxy. Standard web server ports (80 for HTTP or 443) are usually used. No other ingress/egress rules are required for operation.

DMZ - Corporate Intranet: Firewall rules

Firewall rules for this configuration are very simple. Proxy must to be able to initiate HTTP / HTTPS traffic to Web Server / IFS Web Client / Extended Server. Ports may be configured to nonstandard numbers - refer to web server "Listen" configuration or installation logs. No other ingress/egress rules are required for operation.

More information on proxies, configurations and limitations

Web Client and Proxy server

Complex network architecture; Defense in Depth

Defense in Depth (DiD) is a security term that builds on the assumption that everything can and will be over run at some point (think of a big bank vault with thick steal walls it is only a matter of time until a bank robber breaches the walls to the vault). The DiD principle states that security is to be layered and all layers should be independent of each other.

Enhanced Perimeter Defense

One Defense in Depth method is to enhance the perimeter defense model with more firewall zones.

• Since servers DMZ is considered more likely than other servers to be compromised, split a large DMZ into several DMZ zones. In that way, a compromised World Wide Web is still very bad, but it does not make your e-mail server less vulnerable, since it is a unique firewall zone and remains protected by firewall.
• Separate Corporate Intranet Servers from the large Client (users) LAN. It is very likely that a client will be used in an attempt to attack servers or other clients. The attack might be performed by a malicious local user, or by an remote attacker using "Trojan" software to remote control a client.
• Split corporate server network into smaller network zones. Define firewall rules which only allow necessary inter-communication between servers, and necessary client - server communication.
• For security (and performance) reasons, it is a good idea to place all or most IFS Applications servers in the same server environment, connected by a network with low latency and great bandwidth. Utilize firewall rules to allow only necessary communication and prevent forged packets will increase security a lot.

   

Enhanced perimeter defense

Extranet Zone

Extranet Zone is an extension to the perimeter defense model. Extranet is similar to DMZ, in essences it provides a part of the network to external users. The difference is that

• DMZ is designed to create publicly available resources
• Extranet is designed to provide resources only to partners, suppliers, vendors and organizations and persons which the enterprise have an interest of having close cooperation with.

It is generally not a good idea to rely solely on IP ranges to protect access to Extranet over Internet since it is possible to forge addresses. A more secure extranet can be archived by:

• Virtual Private Network (VPN) technology
• Combining firewall rules based on external IP-ranges with SSL / HTTPS mutual authentication.

Enabling SSL / TLS / HTTPS encryption

SSL / TLS / HTTPS encryption can be enabled for communication between Internet - DMZ and DMZ - Intranet. This is recommended because it helps to protect the information sent and received by the user and the web client.