NOTE:
The choice of a wireless ISP should be governed by the same requirements as that for a traditional ISP. Any ISP should be able to provide a service-level agreement and back up that agreement with sound management practices.
Addressing
Another issue that must be resolved when working with multiple ISPs is the issue of
addressing. Normally, when working with a single ISP, the ISP assigns an address
space to the organization. The ISP configures routing so that traffic destined for the
organization finds its way to the organization’s systems. The ISP also broadcasts the
route to those addresses to other ISPs so that traffic from all over the Internet can
reach the organization’s systems.
When multiple ISPs are involved in the architecture, you must determine which addresses will be used. One ISP or the other may supply the addresses. In this case, the routing from one ISP works as normal and the other ISP must agree to broadcast a route to address space that belongs to the first ISP. This configuration requires a strong understanding of the way BGP works so that traffic routes appropriately.
Another option is for the organization to purchase a set of addresses itself. While this
resolves some of the issues, it creates others. Now both ISPs must be willing to advertise
routes to addresses that they do not own.
NOTE:
The addressing and routing issues should be discussed with the ISPs before contracts are
signed. This issue is not easy to resolve without the full cooperation of both the ISPs.
The final option is to use addresses from both ISPs. In this case, some systems will be
given addresses from one ISP and other systems will be given addresses from the other
ISP. This architecture does not truly resolve the availability issues and should not be used
if it can be avoided.
DEMILITARIZED ZONE
DMZ stands for “demilitarized zone.” It is commonly used to refer to a portion of the network that is not truly trusted. The DMZ provides a place in the network to segment off systems that are accessed by people on the Internet from those that are only accessed by employees. DMZs can also be used when dealing with business partners and other outside entities.
Defining the DMZ
The DMZ is created by providing a semi-protected network zone. The zone is normally delineated with network access controls, such as firewalls or heavily filtered routers. The network access controls then set the policy to determine which traffic is allowed into the DMZ and which traffic is allowed out of the DMZ (see Figure 9-7). In general, any system that can be directly contacted by an external user should be placed in the DMZ.
Systems that can be directly accessed by external systems or users are the first systems
to be attacked and potentially compromised. These systems cannot be fully trusted since
they could be compromised at any time. Therefore, we try to restrict the access that these
systems have to truly sensitive systems on the internal network.
General access rules for the DMZ are to allow external users to access the appropriate services on DMZ systems. DMZ systems should be severely restricted from accessing internal systems. If possible, the internal system should initiate the connection to the DMZ system. Internal systems can access the DMZ or the Internet as policy allows but no external users may access internal systems.
Systems to Place in the DMZ
So now we have a general policy for the DMZ and we have a list of services that will be offered over the Internet. What systems should actually be placed in the DMZ? Let’s take a look at each specific service.
Mail
Figure 9-7. General DMZ policy rules
Figure 9-8 shows the services that may be offered in a DMZ. Notice that there is an internal and an external mail server. The external mail server is used to receive inbound mail and to also send outbound mail. New mail is received by the external mail server and is passed on to the internal mail server. The internal mail server passes outbound mail to the external server. Ideally, this is all done by the internal mail server requesting the mail from the external mail server.
Some firewalls offer a mail server. If the firewall mail server is used, it functions as
the external mail server. In this case, the external mail server becomes redundant and
can be removed.
NOTE:
If mail servers are truly critical to operations, redundant mail servers should be placed both inside and in the DMZ.
Chapter 9: Internet Architecture
Figure 9-8. Layout of systems between the DMZ and the internal network
Web
Publicly accessible Web servers are placed in the DMZ. From Figure 9-8, you can also see an application server in the DMZ. Many Web sites offer active content based on user input. This user input is processed and information is called up from a database. The database contains the sensitive information and thus is not a good choice for the DMZ. The Web server itself could communicate back to the database server but the Web server is accessible from the outside and thus is not completely trusted. In this case, it is best to use a third system to house the application that actually communicates with the database. The Web server receives the user’s input and provides it to the application server for processing. The application server calls the database to request the appropriate information and provides the information to the Web server for delivery to the user.
While this may seem complicated, this architecture provides protection to the database server and offloads the query processing from the Web server.
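The general DMZ access rules and the mail and Web/application/database placements described above, written out as a default-deny rule table and checked against sample connection attempts. This is an added example, not from the book: the zones, addresses, ports and the names ZONES, RULES, Flow and decide are all constructed here for illustration.

```python
# Added example, not from the book: the general DMZ access policy modelled as a
# default-deny rule table and evaluated against constructed sample connections.
from dataclasses import dataclass

ZONES = {"192.0.2.10": "dmz",   # public Web server      (addresses constructed)
         "192.0.2.11": "dmz",   # application server
         "192.0.2.25": "dmz",   # external mail server
         "10.0.0.25": "int",    # internal mail server
         "10.0.0.50": "int"}    # database server; unknown addresses are "ext"

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

# Explicit allows only: (source, destination, protocol, ports), where source and
# destination are a zone name or one host. First match wins; no match = deny.
RULES = [
    ("ext", "192.0.2.10", "tcp", {80, 443}),       # Internet -> Web service only
    ("ext", "192.0.2.25", "tcp", {25}),            # Internet -> inbound SMTP
    ("192.0.2.10", "192.0.2.11", "tcp", {8080}),   # Web server -> application server
    ("192.0.2.11", "10.0.0.50", "tcp", {5432}),    # app server -> database: sole DMZ->internal allow
    ("10.0.0.25", "192.0.2.25", "tcp", {25, 110}), # internal mail server pulls from DMZ
    ("int", "dmz", "tcp", {22, 80, 443}),          # internal -> DMZ as policy allows
    ("int", "ext", "tcp", {80, 443}),              # internal -> Internet as policy allows
]

def _matches(spec, addr):
    return spec == addr or spec == ZONES.get(addr, "ext")

def decide(flow):
    """'allow' or 'deny' for a new connection attempt; replies to an allowed
    connection are assumed to be passed by stateful connection tracking."""
    for src, dst, proto, ports in RULES:
        if (_matches(src, flow.src) and _matches(dst, flow.dst)
                and proto == flow.proto and flow.dport in ports):
            return "allow"
    return "deny"

if __name__ == "__main__":
    for f in [Flow("203.0.113.10", "192.0.2.10", "tcp", 443),  # public user, allowed
              Flow("203.0.113.10", "192.0.2.10", "tcp", 22),   # interactive login, denied
              Flow("192.0.2.10", "10.0.0.50", "tcp", 5432),    # Web server straight to DB, denied
              Flow("192.0.2.25", "10.0.0.25", "tcp", 25)]:     # DMZ mail pushing inward, denied
        print(f"{f.src:>13} -> {f.dst}:{f.dport}  {decide(f)}")
```

The point to notice is that a compromised Web server still cannot reach the database: only the application server holds that allow, and the external mail server cannot push inward because the internal mail server initiates the connection.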
Externally Accessible Systems
All externally accessible systems should be placed in the DMZ. Keep in mind as well that
if a system is accessible via an interactive session (such as telnet or SSH), the users will
have the capability to perform attacks against other systems in the DMZ. You may prefer
to create a second DMZ for such systems to protect other DMZ systems from attack.
Control Systems
External DNS servers should exist in the DMZ. If your organization plans to host its own
DNS, the DNS server must be accessible for queries from the outside. DNS will also be a
critical part of your organization’s infrastructure. Because of this, you may choose to have
redundant DNS systems or to have your ISP act as an alternate DNS. If you choose to do
the latter, the ISP’s DNS will need to perform zone transfers from your DNS. No other
system should need to perform these transfers.
If you choose to use NTP, the primary local NTP server should exist in the DMZ. Internal systems then will query the primary local NTP server for time updates. Alternatively, the firewall can act as your primary local NTP server.
Appropriate DMZ Architectures
There are many DMZ architectures. As with most things in security, there are advantages and disadvantages to each of them and it becomes a matter of determining which architecture is most appropriate for each organization. In the next three sections, we will look at three of the more common architectures in detail.
NOTE:
Each of the DMZ architectures discussed here includes firewalls, which are discussed in detail in the “Firewalls” section later in this chapter.
Network Security: A Beginner’s Guide
Router and Firewall
Figure 9-9 shows a simple router and firewall architecture. The router is connected to the
link from the ISP and to the organization’s external network. The firewall controls access
to the internal network.
The DMZ becomes the same as the external network and systems that are to be accessed from the Internet are placed here. Since these systems are placed on the external network, they are completely open to attack from the Internet. To somewhat reduce the risk of compromise, filters can be placed on the router so that the only traffic that is allowed into the DMZ is traffic to services offered by DMZ systems.
Another way to reduce the risk to the systems is to lock them down so that the only
services running on each system are those that are being offered on the DMZ. This
means that Web servers are only running a Web server. Telnet, FTP, and other services
must be shut down. The systems should also be patched to the most current level and
watched carefully.
In many cases, the router will belong to and be managed by the ISP. If this is the case,
it may become a problem to change the filters or to get them set correctly. If the router is
owned and managed by the organization, this is not as much of a problem. However,
keep in mind that routers tend to use command line configuration controls and the filters
must be set appropriately and in the correct order to work properly.
Figure 9-9. Router and firewall DMZ architecture
Single Firewall
A single firewall can be used to create a DMZ. When a single firewall is used, the DMZ is
differentiated from the external network, as shown in Figure 9-10. The external network
is formed by the ISP router and the firewall. The DMZ is established off a third interface
on the firewall. The firewall alone controls access to the DMZ.
Using the single-firewall architecture, all traffic is forced through the firewall. The firewall should be configured to allow traffic only to the appropriate services on each DMZ system. The firewall will also provide logs on what traffic is allowed and what traffic is denied.
The firewall does become a single point of failure and a potential bottleneck for traffic. If
availability is a key security issue in the overall architecture, the firewall should be in a
fail-over configuration. Likewise, if the DMZ is expected to attract a large amount of traffic,
the firewall must be able to handle it as well as internal traffic destined for the Internet.
Administration of this architecture is simplified over the router and firewall in that only the firewall must be configured to allow or disallow traffic. The router does not require filters, although some filtering may make the firewall more efficient. In addition, the systems in the DMZ are somewhat protected by the firewall and thus the need to completely secure them is reduced.
Figure 9-10. Single-firewall DMZ architecture
NOTE:
I am not suggesting that insecure systems may be left in the DMZ. I am only suggesting that
the firewall provides protection in the same manner as the filtering router and thus alleviates some of
the need to remove unnecessary services.
Dual Firewalls
A third architecture for a DMZ is shown in Figure 9-11. This architecture uses two firewalls to separate the DMZ from the external and internal networks. The external network is still defined by the ISP router and the first firewall. The DMZ now exists between firewall #1 and firewall #2. Firewall #1 is configured to allow all DMZ traffic as well as all internal traffic. Firewall #2 is configured with a much more restrictive configuration so as to only allow outbound traffic to the Internet.
The dual-firewall architecture requires that firewall #1 be able to handle significant traffic loads if the DMZ systems are expecting a lot of traffic. Firewall #2 can be a less capable system since it will only handle internal traffic. The firewalls can be two different types as well. This configuration may increase overall security as a single attack is unlikely to compromise both firewalls. Like the single-firewall architecture, the DMZ systems are protected from the Internet by firewall #1.
Figure 9-11. Dual-firewall DMZ architecture
Dual firewalls do increase the cost of the architecture and require additional management and configuration.
FIREWALLS
Firewalls have been mentioned a fair amount in the preceding sections of this chapter (and have been mentioned in various other chapters as well). A firewall is a network access control device that is designed to deny all traffic except that which is explicitly allowed. This definition contrasts with a router, which is a network device that is intended to route traffic as fast as possible.
Some will argue that a router can be a firewall. I will agree that a router can perform some of the functions of a firewall but one key difference remains: A router is intended to route all traffic as fast as possible, not to deny traffic. Perhaps a better way to differentiate a router and a firewall is to say that a firewall is a security device that can allow appropriate traffic to flow while a router is a network device that can be configured to deny certain traffic.
In addition to this, firewalls generally provide a more granular level of configuration. Firewalls can be configured to allow traffic based on the service, the IP address of the source or destination, or the ID of the user requesting service. Firewalls can also be configured to log all traffic. Firewalls can perform a centralized security management function. In one configuration, the security administrator can define allowed traffic to all systems within an organization from the outside. While this does not alleviate the need to properly patch and configure systems, it does remove some of the risk that one or more systems may be misconfigured and thus open to attack on an inappropriate service.
Sensitive Internal Networks
Firewalls should not be limited to use only on Internet connections. A firewall is a network access control device that can be used anywhere that access must be controlled. This includes internal networks that should be protected from other internal systems. Sensitive internal networks may include systems with extremely important information or functions or networks that conduct experiments on network equipment.
A good example of a sensitive network can be found in banks. Every evening banks communicate with the Federal Reserve System to transfer funds. A failure here can cost the bank large sums of money. The systems that control this communication are very sensitive and important to the bank. A firewall could be installed to restrict access to these systems from other parts of the bank.