
CHAPTER 9
Internet Architecture
Network Security: A Beginner's Guide
Copyright 2001 The McGraw-Hill Companies, Inc.
The Internet has great potential in terms of new businesses, reduced costs of selling, and improved customer service. It also has great potential to increase the risk to an organization's information and systems. With proper security architecture, the Internet can truly become an enabler rather than a security risk.
SERVICES TO OFFER
The first question that must be answered with regard to Internet architecture is: What services will the organization provide via the Internet? The services that will be offered and who will be accessing them will greatly impact the overall architecture and even the choice of where services may be hosted.
Mail
If mail service is available, it is generally offered to internal employees to send and receive messages. This service requires that at least one server be established to receive inbound mail. If higher availability is required, at least two mail servers are required, each listed as a separate MX record for the domain. Outbound mail can move through this same server, or the organization can allow desktop systems to send mail directly to the destination system.
NOTE:
Allowing desktop systems to send mail directly to destination systems is not a recommended solution. If your mail systems are hosted on the Internet, each desktop will send and receive mail through your hosted system. In this case, it is wise to limit outbound mail connections (TCP port 25) from desktops to just the hosted server, so that a compromised desktop cannot send mail, or spam, directly to the Internet.
An organization may also choose to establish public mail relays for such things as e-mail discussion groups. Such systems are normally referred to as list servers. These systems will allow external people to send mail to the system, and the system resends that message to the subscribers of the list. List servers can reside on the same servers as the organization's primary mail systems, but the larger traffic requirements should be taken into account in the overall architecture of the Internet connection.
Web
If an organization chooses to publish information to customers or partners via the World
Wide Web, it needs to establish a Web server and place some amount of content there for
public viewing. This Web server may be hosted at another location or it may be hosted
internally.
Web servers can provide simple, static content or they can be linked to e-commerce systems (see Chapter 11) that provide dynamic content and allow the taking of orders. Access to the Web site can be public or it can be restricted through some authentication mechanism (usually a user ID and password). If some content on the site is restricted or sensitive, you should use HTTPS. HTTPS is HTTP carried inside an encrypted TLS (originally SSL) session; it uses port 443 instead of port 80, the port for plain HTTP. It should be used for any page that carries sensitive information or requires authentication, because a user ID and password submitted over plain HTTP cross the Internet in the clear. The choice of how the Web site is constructed will impact the amount of traffic to expect and the criticality of the Web server itself.
The organization may choose to provide a File Transfer Protocol (FTP) server as part of the Web server. An FTP server allows external individuals to get or send files. This service can be accessed via a Web browser or an FTP client. It can also be anonymous or it can require a login ID and password.
Internal Access to the Internet

How employees access the Internet should be governed by organization policy (see Chapter 5). Some organizations allow employees to access the Internet using any service they choose, including instant messaging, chat, and streaming video or audio. Others only allow certain employees to access the Internet using a browser to access only certain Web sites. The choice will impact the amount of traffic to expect and the perceived criticality to the employees.
A common set of services that employees are allowed to use includes:

Service                                   Description
HTTP (port 80) and HTTPS (port 443)       Allows employees to access the Web
FTP (ports 20 and 21)                     Allows employees to transfer files (port 21 carries the control channel, port 20 the data channel in active mode)
Telnet (port 23) and SSH (port 22)        Allows employees to create interactive sessions on remote systems
POP-3 (port 110) and IMAP (port 143)      Allows employees to access remote mail accounts
NNTP (port 119)                           Allows employees to access remote network news servers
NOTE:
Even if the organization determines not to allow streaming video and audio, many sites are now offering these services over HTTP; therefore, this traffic will not appear to be different from regular Web traffic. Likewise, there are several peer-to-peer services on the Internet that can be configured to use port 80. These types of services open up the risk of having unauthorized individuals gaining access to internal systems.
External Access to Internal Systems
External access to sensitive internal systems is always a touchy subject for security and
network staff. Internal systems in this case are those systems primarily used for internal
processing. These are not the systems that are set up just for external access such as Web
or mail servers.
External access can take two forms: employee access (usually from remote locations as part of their job) or non-employee access. Employee access to internal systems from remote locations is usually accomplished through the use of a virtual private network (VPN) over the Internet (see Chapter 10), dial-up lines into some type of remote access server, or a leased line. The choice of method will impact the Internet architecture of the organization.
Greater impact will occur if external organizations require access to internal systems. Even access by trusted business partners must be mediated to manage risk. External access may be accomplished through the use of VPNs, dial-up lines, or leased lines, or by direct, unencrypted access (such as telnet) over the Internet, depending on the purpose of the connection.
CAUTION:
Unencrypted access over the Internet is not a recommended practice; however, some
business agreements require this type of access. If this is the case, every effort should be made to
move the systems to be accessed out of the internal network and into some restricted network (see the
section “Demilitarized Zone” later in this chapter).
Control Services
Some services will be required for the smooth function of the network and your
Internet connection. Whether or not you should allow these services depends on orga-
nization policy.
DNS
The Domain Name Service (DNS) is used to resolve system names into IP addresses. Without this function, internal users would not be able to resolve Web site addresses and thus would find the Internet unusable. Normally, internal systems query an internal DNS to resolve all addresses. The internal DNS is able to query a DNS at the ISP to resolve external addresses. The rest of the internal systems do not query external DNS systems.
DNS must also be provided to external users who wish to access your Web site. To do this, your organization can host the DNS or your ISP can host it. This choice will impact the Internet architecture. If you choose to host your own DNS, this system should be separate from the internal DNS. Internal systems should not be included in the external DNS; an external zone that lists internal host names or private addresses hands an attacker a map of the internal network. This separation of internal and external name data is commonly called split DNS (or split-horizon DNS).
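One way to check that the rule above is actually being followed, as an added example that is not from the book: a small script that reads a zone file intended for the external DNS and flags records that publish internal systems. The zone content is constructed, the master-file parser is deliberately minimal, and the internal name suffix "corp.example.com." is an assumption; adjust the address list and suffixes to your own environment.

```python
"""Check a public (external) zone file for internal systems that should not be
published.  Added example; not from the book.  The zone below is constructed,
and the internal name suffix 'corp.example.com.' is an assumption."""

import ipaddress

# Address ranges that have no business in an external zone.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
    "fc00::/7", "fe80::/10", "::1/128",                # IPv6 ULA, link-local, loopback
)]

# Constructed sample of an external zone with three records that leak
# internal systems (everything after the comment line).
EXTERNAL_ZONE = """\
$ORIGIN example.com.
$TTL 3600
@       IN  SOA  ns1.example.com. hostmaster.example.com. (2024010101 3600 900 1209600 300)
@       IN  NS   ns1.example.com.
@       IN  MX   10 mail.example.com.
ns1     IN  A    203.0.113.10
www     IN  A    203.0.113.20
mail    IN  A    203.0.113.25
; everything below should live only in the internal DNS
fileserver                  IN  A     10.1.2.3
intranet.corp.example.com.  IN  A     203.0.113.99
db                          IN  AAAA  fd00:1::5
"""


def is_internal_address(text):
    """True if text parses as an IP address inside one of INTERNAL_NETS."""
    try:
        ip = ipaddress.ip_address(text)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def qualify(name, origin):
    """Turn a relative owner name into a fully qualified one."""
    if name == "@":
        return origin
    if name.endswith("."):
        return name
    return f"{name}.{origin}" if origin != "." else f"{name}."


def parse_zone(text):
    """Minimal master-file parser returning (owner, type, rdata) tuples.

    Handles $ORIGIN, comments, relative names and blank-owner continuation
    lines; TTL and class fields are skipped.  Good enough for an audit, not
    a replacement for a real DNS library."""
    origin, last_owner, records = ".", None, []
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].rstrip()      # strip comments
        if not line.strip():
            continue
        tokens = line.split()
        if tokens[0] == "$ORIGIN":
            origin = tokens[1]
            continue
        if tokens[0].startswith("$"):             # $TTL and friends
            continue
        owner = last_owner if raw[0].isspace() else tokens.pop(0)
        if owner is None:
            continue
        while tokens and (tokens[0].isdigit() or tokens[0].upper() in ("IN", "CH", "HS")):
            tokens.pop(0)                         # optional TTL / class
        if not tokens:
            continue
        owner = qualify(owner, origin)
        last_owner = owner
        records.append((owner, tokens[0].upper(), tokens[1:]))
    return records


def find_leaks(zone_text, internal_suffixes=("corp.example.com.",)):
    """Return [(owner, type, rdata, reason)] for records exposing internal systems."""
    findings = []
    for owner, rtype, rdata in parse_zone(zone_text):
        if rtype in ("A", "AAAA") and rdata and is_internal_address(rdata[0]):
            findings.append((owner, rtype, rdata[0], "internal address published"))
        if any(owner.lower().endswith(s.lower()) for s in internal_suffixes):
            findings.append((owner, rtype, " ".join(rdata), "internal name published"))
    return findings


if __name__ == "__main__":
    for owner, rtype, rdata, reason in find_leaks(EXTERNAL_ZONE):
        print(f"{reason}: {owner} {rtype} {rdata}")
```

Run it against the zone you are about to load on the external server (or against a zone transfer from it); anything it reports belongs in the internal DNS only. The address check is the important one, since private addresses in a public zone are useless to Internet clients and only serve reconnaissance.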
ICMP
Another control service that helps the network to function is the Internet Control Message Protocol (ICMP). ICMP provides such services as ping (used to find out if a system is up). In addition to ping, ICMP provides messages such as "network and host unreachable" and "packet time to live expired." These messages help the network to function efficiently. They can be blocked at the Internet connection, but this may impact the way the network functions: dropping the "fragmentation needed" form of the unreachable message breaks path MTU discovery, and dropping "time to live expired" breaks traceroute. A common compromise is to pass these error messages while rate-limiting or denying inbound echo requests.
NTP
The Network Time Protocol (NTP) is used to synchronize time between various systems. There are sites on the Internet that can be used as primary time sources. If you choose to use this service, one system on your site should be the primary local time source and only that system should be allowed to communicate to the Internet with NTP. All other internal systems should take time from that primary local time source.
SERVICES NOT TO OFFER
The Internet architecture should be designed to accommodate the services that are
required. Services that are not required should not be offered. By designing the
Internet architecture in this way, a number of services that create significant risk will
not be offered.
Specific services that should not be offered due to significant security risks include:

Service                                                  Description
NetBIOS and Windows RPC services                         Used by Windows systems for file sharing and remote commands (port 135 is the RPC endpoint mapper; 137 to 139 are NetBIOS).
(ports 135, 137, 138, and 139)
Unix RPC (port 111)                                      Used by Unix systems for remote procedure calls (the portmapper).
NFS (port 2049)                                          Used for the Network File System (NFS).
X (ports 6000 through 6100)                              Used for remote X Windows sessions.
"r" services (rlogin port 513,                           Allow remote interaction with a system based on trust in the source host (rhosts) rather than a password.
rsh port 514, rexec port 512)
Telnet (port 23)                                         Not recommended because the user ID and password travel in the clear over the Internet and thus can be captured. If an interactive session must be allowed inbound, SSH is recommended over telnet.
FTP (ports 20 and 21)                                    Not recommended for the same reason as telnet. If this capability is required, files can be transferred over SSH (SFTP or scp).
TFTP (Trivial File Transfer Protocol) (port 69, UDP)     Similar to FTP but it does not require user IDs or passwords to access files.
NetMeeting                                               Potentially dangerous because it requires a number of high ports to be opened in order to work properly. Instead of opening these ports, an H.323 proxy should be used.
Remote control protocols                                 Include programs like pcAnywhere and VNC. If these protocols are required to allow remote users to control internal systems, they should be used over a VPN.
SNMP (Simple Network Management Protocol)                May be used for network management of your organization's internal network but it should not be used from a remote site to your internal systems.
(ports 161 and 162, UDP)
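The following script, an added example that is not part of the book, turns this chapter's tables and notes into a single policy and checks constructed border-firewall log lines against it: inbound traffic from the Internet may reach only the published Web server and mail relay and never any of the forbidden services; employee desktops may use only the listed outbound services; SMTP, DNS and NTP to the Internet are restricted to the mail relay, the internal DNS and the primary time source respectively; and DMZ hosts never initiate connections into the internal network. The addresses, the zone layout and the iptables-style SRC=/DST=/PROTO=/DPT= log format are assumptions, and the log lines are constructed.

```python
"""Audit border-firewall log lines against the Internet architecture policy
described in this chapter.  Added example, not from the book.  Addresses,
zone layout and the log format are assumptions; the sample log is constructed."""

import ipaddress
import re

# --- assumed network layout ------------------------------------------------
INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # desktops, internal DNS, NTP primary
DMZ = ipaddress.ip_network("192.0.2.0/24")         # externally reachable servers only
WEB_SERVER = ipaddress.ip_address("192.0.2.10")
MAIL_RELAY = ipaddress.ip_address("192.0.2.25")    # only host that sends/receives SMTP
INTERNAL_DNS = ipaddress.ip_address("10.0.0.53")   # only internal system querying the ISP DNS
NTP_PRIMARY = ipaddress.ip_address("10.0.0.123")   # only internal system using NTP externally

# Chapter table: services employees may use outbound (TCP).  Telnet and FTP
# are included because the chapter allows them; a modern policy would drop both.
EMPLOYEE_OUTBOUND_TCP = {80, 443, 20, 21, 22, 23, 110, 143, 119}

# Chapter table: services never to accept from the Internet.
FORBIDDEN_INBOUND = {
    "tcp": {135, 137, 138, 139, 111, 2049, 512, 513, 514, 23, 20, 21, 69, 161}
           | set(range(6000, 6101)),
    "udp": {69, 111, 137, 138, 161, 162, 2049},
}

LOG_RE = re.compile(r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+).*?PROTO=(?P<proto>\w+).*?DPT=(?P<dport>\d+)")


def zone(ip):
    if ip in INTERNAL:
        return "internal"
    if ip in DMZ:
        return "dmz"
    return "internet"


def evaluate(src, dst, proto, dport):
    """Return (verdict, reason) for one connection attempt src -> dst:proto/dport."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sz, dz = zone(src), zone(dst)

    if sz == "internet":
        if dport in FORBIDDEN_INBOUND.get(proto, ()):
            return "deny", f"forbidden inbound service {proto}/{dport}"
        if dz == "internal":
            return "deny", "Internet to internal system (remote access belongs on the VPN)"
        if dst == WEB_SERVER and proto == "tcp" and dport in (80, 443):
            return "allow", "public web server"
        if dst == MAIL_RELAY and proto == "tcp" and dport == 25:
            return "allow", "inbound mail to relay"
        return "deny", "not a published service"

    if sz == "internal" and dz == "internet":
        if dport == 53 and proto in ("udp", "tcp"):
            return (("allow", "internal DNS forwarding to ISP") if src == INTERNAL_DNS
                    else ("deny", "only the internal DNS may query external DNS"))
        if dport == 123 and proto == "udp":
            return (("allow", "NTP primary syncing upstream") if src == NTP_PRIMARY
                    else ("deny", "only the primary time source may use NTP externally"))
        if dport == 25 and proto == "tcp":
            return "deny", "desktop sending mail directly; must relay via the mail server"
        if proto == "tcp" and dport in EMPLOYEE_OUTBOUND_TCP:
            return "allow", "permitted employee service"
        return "deny", "service not in the employee allow list"

    if sz == "dmz" and dz == "internet":
        if src == MAIL_RELAY and proto == "tcp" and dport == 25:
            return "allow", "mail relay delivering outbound mail"
        return "deny", "DMZ hosts do not initiate other Internet connections"

    if sz == "dmz" and dz == "internal":
        return "deny", "DMZ must not initiate connections into the internal network"

    return "allow", "internal traffic"        # internal->internal, internal->dmz


def audit(lines):
    """Parse log lines; return [(src, dst, proto, dport, verdict, reason)]."""
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:                                 # ICMP / malformed lines carry no DPT
            continue
        src, dst, proto, dport = m["src"], m["dst"], m["proto"].lower(), int(m["dport"])
        results.append((src, dst, proto, dport) + evaluate(src, dst, proto, dport))
    return results


# Constructed sample log in iptables LOG style; not real traffic.
SAMPLE_LOG = [
    "kernel: border: SRC=198.51.100.7 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=51515 DPT=443",
    "kernel: border: SRC=198.51.100.7 DST=192.0.2.25 LEN=60 PROTO=TCP SPT=51516 DPT=25",
    "kernel: border: SRC=198.51.100.9 DST=192.0.2.10 LEN=60 PROTO=TCP SPT=40000 DPT=23",
    "kernel: border: SRC=198.51.100.9 DST=10.0.1.5 LEN=60 PROTO=TCP SPT=40001 DPT=139",
    "kernel: border: SRC=10.0.1.5 DST=203.0.113.80 LEN=60 PROTO=TCP SPT=50001 DPT=443",
    "kernel: border: SRC=10.0.1.5 DST=203.0.113.25 LEN=60 PROTO=TCP SPT=50002 DPT=25",
    "kernel: border: SRC=10.0.0.53 DST=203.0.113.53 LEN=60 PROTO=UDP SPT=53 DPT=53",
    "kernel: border: SRC=10.0.1.5 DST=203.0.113.53 LEN=60 PROTO=UDP SPT=50003 DPT=53",
    "kernel: border: SRC=10.0.0.123 DST=203.0.113.123 LEN=76 PROTO=UDP SPT=123 DPT=123",
    "kernel: border: SRC=10.0.1.7 DST=203.0.113.123 LEN=76 PROTO=UDP SPT=123 DPT=123",
    "kernel: border: SRC=192.0.2.25 DST=203.0.113.25 LEN=60 PROTO=TCP SPT=50004 DPT=25",
    "kernel: border: SRC=192.0.2.10 DST=10.0.1.5 LEN=60 PROTO=TCP SPT=50005 DPT=445",
    "kernel: border: SRC=198.51.100.9 DST=192.0.2.10 LEN=84 PROTO=ICMP TYPE=8 CODE=0",
]

if __name__ == "__main__":
    for src, dst, proto, dport, verdict, reason in audit(SAMPLE_LOG):
        print(f"{verdict:5} {src} -> {dst} {proto}/{dport}: {reason}")
```

The order of the checks matters: forbidden inbound services are rejected before any published-service rule is consulted, so a misconfigured DMZ host listening on NetBIOS is still reported, and the per-role exceptions (mail relay, internal DNS, NTP primary) are tested before the general employee allow list so that a desktop talking SMTP or NTP to the Internet is flagged even though port 25 or 123 would otherwise pass unnoticed. The same decisions, in the same order, are what the border firewall's rule set should encode.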
COMMUNICATIONS ARCHITECTURE
When developing a communications architecture for an organization's Internet connection, the primary issues are throughput requirements and availability. Throughput is something that must be discussed with the organization's Internet Service Provider (ISP). The ISP should be able to recommend appropriate communication lines for the services to be offered.
The availability requirements of the connection should be set by the organization. For example, if the Internet connection will only be used by employees for non-business-critical functions, the availability requirements are low and an outage is unlikely to adversely affect the organization. If the organization is planning to establish an e-commerce site and have the majority of its business moving through the Internet, availability is a key to the success of the organization. In this case, the design of the Internet connection should include fail-over and recovery capabilities.
Single-Line Access
Single-line access to the Internet is the most common Internet architecture. The ISP supplies a single communications line of appropriate bandwidth to the organization, as shown in Figure 9-1.

Generally, the ISP will supply the router and the Channel Service Unit (CSU) for the
link. The local loop is the actual wire or fiber that connects the organization’s facility with
the phone company’s central office (CO). The ISP will have a point of presence (POP)
somewhere nearby. The link to the ISP will actually terminate at the nearest POP. Even
though the POP is not at the closest CO, the local loop connection will require that the line
go through the closest CO. From the POP, the link goes through the ISP’s network to
the Internet.
If we analyze the connection shown in Figure 9-1, we see that there are a number of points where an equipment failure will cause an outage. For example:
• The router could fail.
• The CSU could fail.