Firewall And Perimeter Security

02 Nov 2017

Scott Whaley

Wilmington University

SEC 450

Abstract

Securing our networks from threats is a never-ending battle. Attackers can come from the outside across the Internet, gain access to the local network, or be employees who already have access to the local network. This paper discusses some key areas of perimeter security, including firewalls, intrusion detection and prevention systems, and virtual private networks, and how some of these are being used in the K-12 school district environment.

As a network security professional, you must take the necessary steps to defend your network from the numerous threats that are everywhere. Connecting your network to the Internet opens it up to millions of potential attackers around the world. This stresses the importance of having proper perimeter security. Some of the key areas of perimeter security include firewalls, intrusion detection and prevention systems, and virtual private networks.

Having a firewall to protect your network is common knowledge nowadays. But what a lot of people do not seem to understand is that protecting a network typically involves many firewalls, not a single one. There might be a hardware firewall at the perimeter of the network filtering out the low-hanging fruit of attacks. Behind this initial firewall, the company might have some Internet-facing servers, such as a web server, in a demilitarized zone (DMZ). Behind the DMZ will be a second hardware-based firewall. This firewall is there to stop Internet traffic from reaching the private network. Further into the network, you will find even more firewalls. Each client and server should also have its own software-based firewall installed. This firewall is a piece of software that runs on the operating system of the client or server and provides a last line of defense.

At the school district I work for, there are multiple firewalls involved at different layers. The first firewalls are provided and maintained by the State of Delaware. Because we do not have access to or control of these firewalls, I do not know much about their details. On top of the state's firewall, we also have an inline firewall and intrusion prevention system. This is a Linux server that utilizes open source firewall and IDS technology with proprietary software to allow user-friendly management. School districts have small technology budgets and limited IT resources. Combining the firewall and IDS eases management and keeps the costs down. Finally, once inside the building, each client and server is running a software firewall. Most of the devices are utilizing Microsoft's Windows Firewall, with the Linux servers running iptables.

An intrusion prevention system analyzes the network traffic that passes through it, looking for anomalies or signatures. Depending on how the IPS is configured, it will either alert, log, or block access once a signature or anomaly is detected. For example, if an attacker is sending specially crafted packets that can cause a buffer overflow in a web server, the IPS will detect that these packets are not normal traffic. Once it identifies these packets as an attack, it will stop them from reaching the server. An intrusion detection system is very similar to an IPS. The primary difference between the two is that a true IDS does not have the capability to block or prevent an attack. Inline intrusion prevention systems that can proactively block bad packets have mostly replaced passive intrusion detection systems.
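To make the signature-versus-anomaly distinction and the alert/block modes concrete, here is an added example (not code from the essay or from any real IPS product) that models a tiny inline IPS over constructed HTTP requests: one request is caught by a byte-pattern signature, another by a request-size anomaly relative to a learned baseline, and the same engine behaves as a passive IDS when set to "alert".

```python
import re
import statistics

# Constructed sample traffic (not real captures): four ordinary HTTP requests that
# form the "normal" baseline, then two hostile-looking requests.
NORMAL = [
    "GET /index.html HTTP/1.1\r\nHost: www\r\n",
    "GET /about HTTP/1.1\r\nHost: www\r\n",
    "POST /login HTTP/1.1\r\nHost: www\r\nContent-Length: 32\r\n",
    "GET /img/logo.png HTTP/1.1\r\nHost: www\r\n",
]
SUSPECT = [
    "GET /" + "A" * 4000 + " HTTP/1.1\r\n",                    # oversized request: anomaly path
    "GET /cgi-bin/x HTTP/1.1\r\nHost: \x90\x90\x90\x90\r\n",    # NOP-sled-like bytes: signature path
]

# Signature rules: known-bad byte patterns (constructed for this example).
SIGNATURES = {"nop-sled": re.compile(r"\x90{4,}")}


class SimpleIPS:
    """Inline IPS model: a signature hit or a size anomaly triggers the configured action."""

    def __init__(self, mode, baseline, zscore=3.0):
        self.mode = mode          # "alert" = log and pass (IDS behaviour); "block" = log and drop
        sizes = [len(p) for p in baseline]
        self.mean = statistics.mean(sizes)
        self.stdev = statistics.pstdev(sizes)
        self.zscore = zscore
        self.log = []

    def inspect(self, payload):
        """Return True if the packet may reach the server, False if it is dropped."""
        reason = None
        for name, rx in SIGNATURES.items():      # signature check first
            if rx.search(payload):
                reason = "signature:" + name
                break
        if reason is None and self.stdev:        # then statistical size anomaly
            if (len(payload) - self.mean) / self.stdev > self.zscore:
                reason = "anomaly:oversized"
        if reason is None:
            return True
        self.log.append(reason)
        return self.mode != "block"              # a passive IDS ("alert") can only log


def run_ips(mode):
    """Push baseline plus suspect traffic through the IPS; report what got delivered."""
    ips = SimpleIPS(mode, NORMAL)
    delivered = [p for p in NORMAL + SUSPECT if ips.inspect(p)]
    return {"delivered": len(delivered), "log": ips.log}


if __name__ == "__main__":
    for mode in ("alert", "block"):
        print(mode, run_ips(mode))
```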

Another key area of perimeter security is virtual private networks. A VPN is an encrypted tunnel between two trusted entities across an untrusted medium. One example of when a VPN connection is used is when an employee connects to the corporate network from home across the Internet. The employee and the corporate network trust each other, but they do not trust the potential eavesdroppers on the Internet. The VPN software allows the employee to authenticate and then securely connect to the network. Once the connection is made, all of the packets traveling from the employee's computer to the corporate network are encapsulated. The encapsulation encrypts the packets so that eavesdroppers on the Internet cannot interpret what they mean. While connected to the VPN, the employee's computer works and acts as if it were connected directly to the corporate network.

Another type of VPN connection is a site-to-site VPN. A site-to-site VPN creates a secure connection between two or more office buildings across the Internet. Usually these types of VPNs use hardware devices to make the connection. There are also different topologies used to design the connections between multiple sites. In the hub-and-spoke topology, all the branch offices connect back to the main office. The advantage of this topology is simplicity: each branch office has only one VPN to maintain. A disadvantage is that if the main site goes down, all of the VPNs are down.

Another site-to-site VPN topology is the mesh topology. In a mesh topology, each site has a connection to every other site. This topology works well when there are only a handful of sites, but the complexity grows exponentially with more sites. The advantages of this topology include redundancy. If the link between site A and site B is broken, there is still a path from A to C and then from C to B. Another advantage of a mesh topology is speed. In a hub-and-spoke design, data traveling from one branch office to another has to go through the main headquarters. These extra hops tie up expensive bandwidth at the main headquarters. In a mesh topology, the data can travel directly between the two sites.
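The trade-offs in the two paragraphs above (link count, extra hops through headquarters, what survives a broken link or a downed main site) can be checked on a small graph. This is an added example, not part of the essay; the site names HQ, A, B, C and D are constructed.

```python
from collections import deque


def hub_and_spoke(hub, branches):
    """Each branch keeps exactly one VPN, to the hub; n branches give n links."""
    return {frozenset((hub, b)) for b in branches}


def full_mesh(sites):
    """Every pair of sites keeps its own VPN: n*(n-1)/2 links for n sites."""
    return {frozenset((a, b)) for i, a in enumerate(sites) for b in sites[i + 1:]}


def hop_count(links, src, dst, failed=frozenset()):
    """Shortest path in VPN hops (BFS), ignoring failed links; None if unreachable."""
    adj = {}
    for link in links:
        if link in failed:
            continue
        a, b = tuple(link)
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([(src, 0)])
    while queue:
        node, dist = queue.popleft()
        if node == dst:
            return dist
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append((nxt, dist + 1))
    return None


def compare(hub, branches):
    """Contrast both topologies for branch-to-branch traffic and two failure cases."""
    hs, mesh = hub_and_spoke(hub, branches), full_mesh([hub] + branches)
    a, b = branches[0], branches[1]
    hub_links = frozenset(link for link in hs if hub in link)   # lost if the main site goes down
    return {
        "links": (len(hs), len(mesh)),
        "branch_to_branch_hops": (hop_count(hs, a, b), hop_count(mesh, a, b)),
        "after_one_link_fails": (hop_count(hs, a, b, {frozenset((hub, a))}),
                                 hop_count(mesh, a, b, {frozenset((a, b))})),
        "after_main_site_down": (hop_count(hs, a, b, hub_links),
                                 hop_count(mesh, a, b, hub_links)),
    }


if __name__ == "__main__":
    for key, (hub_val, mesh_val) in compare("HQ", ["A", "B", "C", "D"]).items():
        print(f"{key:24} hub-and-spoke={hub_val!s:5} mesh={mesh_val!s:5}")
```

Each tuple is (hub-and-spoke, mesh); None means the two branches can no longer reach each other.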

In order to obtain VPN access at my work, the ISO must submit a security request to give the user VPN access. This request includes the employee's name, username and the IP address of the device they need VPN access to. Once approved, they can then use the VPN software to connect to the corporate network, but can only access the device that was listed in the security request. From that device they can pivot to any other device that they normally have access to on the network.

Although Oxford's examples were focused on video games, I believe the theory can translate to the corporate world. Some applications require multiple ports to be accessible from the Internet in order for the outside world to connect to the application. Instead of leaving these ports open all the time, Oxford suggests allowing your friends to open a VPN connection to your local network. You are allowing a few trusted friends to connect when it is time to play instead of leaving potentially hundreds of ports open on your router for them to be able to connect to your server (Oxford, 2012).

To sum everything up, it takes many layers to properly protect a network. A layered approach adds complexity to the network, making it more difficult for an attacker to succeed. The perimeter is just one of the many layers that make up the network. Protecting the key areas of the network perimeter is essential to surviving on the Internet.
