
Case study of network security design on a hypothetical ISP network

Figure 1.1 - A hypothetical network of an Internet Service Provider XYZ

The network shown in the figure above belongs to a hypothetical Internet Service
Provider, XYZ CO., LTD. The company provides its clients with Internet access
through several access methods: Integrated Services Digital Network (ISDN), 56 K
dial-up modem, and high-speed leased lines for corporate clients. The company has
two regional offices (Points of Presence) located in different cities, which gives
clients a flexible roaming access solution within those cities. In addition to
providing Internet access, XYZ also supports web and DNS hosting for its clients.

The XYZ network is based on a hub-and-spoke model, with all regional offices
connecting back to the main office for major services, Internet access and
accounting. To reduce the amount of traffic travelling on the intranet backbone
between the regional offices and the main office, each regional office hosts a
small set of the most frequently accessed servers.

The main office and the regional offices share a similar building-block layout, with
each location (POP) consisting of four main blocks (refer to figure 1.1). A
multi-port firewall is connected to each building block to provide the desired
overall level of security. The first block is the XYZ Local Area Network. The data
link medium of the LAN at the main office is a traditional Ethernet (802.3)
network with wireless access points located throughout the building, giving
authorized mobile users with a wireless card instant access to the company network.
Regional sites support only a traditional Ethernet (802.3) LAN. The LAN is divided
into separate subnets, each accommodating a different department. Wireless clients
are also placed on their own subnet so that policy can be enforced on them easily.

Refer to figure 2.1 below for a brief view of the XYZ LAN.

Figure 2.1 – XYZ internal LAN

The second section of the network consists of the subnets accommodating the
protected servers. These are the database and billing servers that store
confidential information about the company and its clients. This set of servers is
highly protected and provides only limited virtual access to trusted clients. The
database server used to store the accounting and billing information is an IBM RISC
7000 mainframe server. A version of OpenLDAP (Lightweight Directory Access
Protocol) is used to control authentication of clients connecting to the network.
A high-performance firewall is placed in front of the protected subnets to meet the
security requirements of these servers. Refer to figure 3.1 for a complete view of
the set of protected servers.

Figure 3.1 – XYZ protected servers

The third section of the network contains the publicly accessible servers. These
servers require external connections in order to perform their operations. A
dedicated subnet has been allocated to this section to ease management and to
reduce the broadcast and collision domain. These are the most vulnerable servers,
since they are highly exposed to the outside world. This zone (section) is called
the DMZ (servers located here are usually called bastion hosts). The corporate
firewall allows only traffic destined for known ports on these machines into the
zone. This prevents a malicious hacker from port scanning the servers for
vulnerabilities. Refer to figure 4.1 for a diagram of the zone.

Figure 4.1 – XYZ publicly accessible servers


The fourth section contains the XYZ remote access clients. These are users who have
signed up for an account with the ISP. No special security measures are enforced on
these users. They are bound by the rules that apply to the rest of the ISP network,
but otherwise they may access any kind of service from any host on the Internet. It
is the user's own responsibility to ensure that his or her machine is protected
from Trojans, which could give a hacker control of the user's personal computer.

When a user dials into the network, he or she is authenticated by the RADIUS
servers, which fetch the appropriate account information from the LDAP server
located in the secure subnets. All accounting information is also written to the
database servers located in the secure subnets. Refer to figure 5.1 for the
complete remote access solution offered by XYZ.

Figure 5.1 – Remote access section and AAA (RADIUS)

The risks and priorities for security and its use

Any network system connected to the Internet is considered insecure. A malicious
hacker could attempt to break into the ISP's network from the Internet and gain
access to confidential data. To strengthen the network against such attacks,
certain sections of the network, such as the DMZ and the protected server zone, are
given higher security priority, since they are the most vulnerable to outside
attacks.

The following section details some of the security threats that the XYZ ISP would
have to face.

1] Trojan horse programs

A Trojan horse is essentially a backdoor program. A hacker tricks users, through
social engineering or other means, into installing the Trojan. Once the Trojan is
in place, the hacker can control the infected machine.

2] Back door and remote administration programs

Since the ISP will be running some of its servers on a Windows NT based system, a
possible threat exists from tools such as Back Orifice, NetBus and SubSeven. These
backdoor or remote administration programs, once installed, give a hacker/cracker
unconditional access to and control over the system.

3] Denial of service

A Denial of Service (DoS) attack is one of the most common types of attack. To
perform a DoS attack on a host, the intruder continuously floods the victim machine
with packets until the application running on the victim stops responding or the
victim machine crashes because of overloaded buffers.

4] Email spoofing

Email spoofing is when an email message appears to have originated from one source
when in fact it was sent from another. This form of attack is very common, and the
spoofed messages can range from simple junk mail to social engineering attempts to
get users to disclose confidential information such as passwords.

A typical way of performing such an attack is to telnet to the email port (SMTP,
port 25) and manually enter commands into the Sendmail program so that it hides
the real identity of the attacker.

5] TCP passive attack

A TCP passive attack is an attack performed against the TCP protocol. This type of
attack is performed on Ethernet-based networks: a hacker sets up a program to
continuously monitor all traffic on an Ethernet segment and reconstructs entire
sessions from the frames seen on the wire. (This technique exploits the main
characteristic of a traditional Ethernet network, namely that it is a broadcast
medium in which every machine hears every conversation on the segment.) A good way
to prevent this attack is to carefully design a switched network so that traffic is
not relayed to every port as it is in a traditional hub-based system.

In earlier Unix kernels, such as the earlier 2.2.x versions, the sequence numbers
used by the system could easily be predicted by constantly monitoring the
conversation of a particular host; this could allow a hacker to hijack a TCP
session by spoofing the correct sequence number.

6] Packet sniffing

A packet sniffer is a very important tool for a system administrator, but it can
also be dangerous when used with bad intentions. The first thing most hackers do
once they gain access to a network is to set up a packet sniffer to capture
usernames, passwords and other confidential information from the network.

7] Buffer Overflow

A buffer overflow is a very dangerous attack that, if successful, usually gives the
hacker root access. The buffer overflow problem is caused by the memory management
of the affected software.

8] Virus attack

Virus attacks are very common, and many good anti-virus products exist to combat
viruses. A good way to protect against viruses is to scan your network regularly
for viruses and to update your virus scanner automatically.

9] Spoofing

Spoofing is when one host pretends to be another host. There are two popular types
of spoofing: ARP spoofing and IP spoofing.

10] DNS cache pollution

DNS cache pollution is when a hacker gains access to a DNS server and changes a
name-to-address mapping in the server so that it points to a fake server set up to
attack the victim's computer. (For example, www.xyz.net = 203.20.104.1, but the
hacker manages to gain access to the DNS cache and changes the mapping to
200.200.200.1, the hacker's machine.)

Advance plans for what to do in an emergency

Even a company with the best information security infrastructure cannot be assured
that an intrusion or other malicious act will never happen to its computer
systems. When a security incident occurs, it is critical for an organization to
have an effective way to respond, because a quick, accurate and effective response
saves the company time and money.

XYZ has set up an emergency response team to handle all emergency incidents. This
is a formalized team of highly technical people with strong computer security
experience. The emergency response team has its office in the main building and
responds to all the emergency situations detailed in the earlier section of this
report. Apart from responding to emergencies, the team works with the technical
support staff to help design a secure network system.

The security response team will also try to break into the ISP network in an
attempt to find every possible path that a hacker could take into the ISP's
protected network. If the response team finds a problem, such as a buffer overflow
in the Unix Sendmail program that could allow a potential hacker to gain access to
the machine, they will immediately inform the technical support staff of the threat
and recommend an upgrade to a more secure Sendmail version.

Description of good security practices that you need to educate your users

Security, privacy and protection are rapidly becoming the most important issues for
computer users. The following are some of the good security practices that XYZ will
teach its workers through campaigns such as seminars, social workshops and special
training.

• Bring end users up to speed on critical information security risks.
• Arm employees with common-sense protection techniques (choosing a good
password, never leaving a machine logged on while unattended, etc.).
• Remind employees of their ongoing responsibility to protect company data.

(The above points have been referenced from http://nsi.org/SSWebSite/TheService.html)

Ways to enforce security for user accounts and passwords

One of the cheapest and most secure means of authentication is the use of a
password. If user X needs to gain access to the resources and services offered on
the network, he or she will need to identify himself or herself as a registered
user by means of a password. XYZ has set up the following policy to ensure that
users select passwords capable of withstanding simple brute-force attacks. A
password must:

• Be as long as possible (never shorter than 6 characters).
• Include mixed-case letters, if possible.
• Include digits and punctuation marks, if possible.
• Not be based on any personal information.
• Not be based on any dictionary word, in any language.
• Be changed by the user every month.
• Never be reused.

(The above policy has been referenced from http://www.psynch.com/docs/strength.html)
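
The password policy above, written as a checker that reports every rule a candidate breaks (an added example for this report, not code from XYZ or from the cited source). The word list, the letter-for-digit substitutions and the 30-day rotation limit are constructed assumptions.

```python
import string
from datetime import timedelta

# Constructed sample dictionary; a real deployment would load a word list
# for every language the users speak.
DICTIONARY = ("password", "welcome", "dragon", "monkey", "kennwort")
MAX_PASSWORD_AGE = timedelta(days=30)   # "change their password every month"


def _normalise(text):
    """Lower-case and undo common letter-for-digit substitutions so that
    'Dr4g0n' is still recognised as the dictionary word 'dragon'."""
    return text.lower().translate(str.maketrans("4301$5@", "aeoissa"))


def check_password(candidate, personal_info=(), history=()):
    """Return the policy rules the candidate violates (empty list = accepted).

    personal_info: strings such as the login name, birth year or phone number.
    history: previous passwords of this account, for the 'never reuse' rule.
    """
    problems = []
    if len(candidate) < 6:
        problems.append("shorter than 6 characters")
    if not (any(c.islower() for c in candidate) and any(c.isupper() for c in candidate)):
        problems.append("no mix of upper- and lower-case letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no punctuation mark")
    norm = _normalise(candidate)
    for item in personal_info:
        item = str(item)
        if len(item) >= 3 and (item.lower() in candidate.lower() or _normalise(item) in norm):
            problems.append(f"contains personal information '{item}'")
    for word in DICTIONARY:
        if word in norm:
            problems.append(f"based on dictionary word '{word}'")
    if candidate in history:
        problems.append("password was used before")
    return problems


def password_expired(last_changed, today):
    """Monthly rotation rule: True when the password is older than 30 days."""
    return today - last_changed > MAX_PASSWORD_AGE
```
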

Most modern operating systems, such as Windows 2000, Windows NT and Unix/Linux,
have built-in mechanisms that support some of the above policy. (Windows NT has a
program called passprop.exe for enforcing a secure password policy as outlined
above, and Linux systems from kernel 2.2 onwards provide support for PAM (Pluggable
Authentication Modules), which allow the system administrator to enforce such a
policy.)

In the XYZ ISP network, all password authentication for dial-up and leased line
clients will be done through a central Lightweight Directory Access Protocol (LDAP)
server. This server will be a Linux based machine running the OpenLDAP software and
implementing the outlined password policy. A Windows NT/2000 system will perform
the authentication for LAN clients. The LDAP server supports web-based password
changing over the Secure Sockets Layer (SSL) protocol. Please refer to figure 6.1
for a clearer view of how RADIUS (AAA) and LDAP are used for password
authentication of clients.

Figure 6.1 – Client authentication through a central LDAP server with RADIUS AAA

Policy, strategy and implementation to protect against physical attack

Most people think of locks, bars, alarms and uniformed guards when they think
about security. While these countermeasures are by no means the only precautions
to consider when securing an information system, they are a perfectly logical
place to begin. Physical security is a vital part of any security plan and is
fundamental to all security efforts.

XYZ has taken many countermeasures to secure its servers from physical attack. All
the servers are placed in a highly protected room with limited access.

The following policy was implemented in the design of the room.

• Maximize structural protection: a secure room should have full-height walls
and fireproof ceilings.
• Minimize external access (doors): a secure room should have only one or two
solid doors with good locks, observable by assigned security staff. Doors to the
secure room should never be propped open.
• Minimize external access (windows): a secure room should not have excessively
large windows. All windows should have locks.
• Maintain locking devices responsibly: locking doors and windows is an effective
security strategy as long as the appropriate authorities maintain the keys and
combinations responsibly. If there is a breach, each compromised lock should be
changed.

(Some of the above policy has been referenced from
http://nces.ed.gov/pubs98/safetech/chapter5.html)

Ways to protect against denial of service attacks

Denial of Service (DoS) attacks were briefly explained in the risks and priorities
section of this report. In this section we look at how to prevent such attacks on
the XYZ company network. The following precautions should be taken to prevent such
an attack.

• Perform regular virus scans for DoS agents, check for machines with unfamiliar
open ports, and make sure that the corporate firewall blocks packets with spoofed
source addresses from originating inside the company network.
• Turn off or restrict specific services that might otherwise be compromised or
attacked. A good example would be restricting UDP services to the internal network,
thus keeping UDP available for network diagnostic purposes only.
• Use an Intrusion Detection System (IDS). An IDS can automatically report to the
network manager in the event of a threat to the network.
• Protect all key network infrastructure such as switches, routers, etc. from DoS
by setting up secure access lists on these devices.
• Some DoS attacks come from intruders who understand the network's routing
policies; it is therefore also important to maintain tight control over basic
policy disciplines such as IP broadcast forwarding, ICMP and IP option response
controls.

(Some of the above points have been referenced from the web site,
http://www.itp.net/features/980333182529006.htm )

Ways to secure data and information for the XYZ corporations

XYZ will use the following methods to guarantee the security of its data and
information.

1] Encryption

All email messages containing sensitive information will be encrypted using PGP
public/private key RSA encryption. All files and patches downloaded for any system
within the intranet will be checked against their matching hash. The RADIUS server
and the LDAP server will also use a public/private key pair to secure their
communication from tampering.

2] Segmentation

The database servers are segmented and replicated at each location to ensure the
full integrity of the data stored in them. The protected servers are kept in one
subnet and the publicly accessible servers in another. Both groups of servers are
protected by the firewall.

3] Regular Backup

All the core database servers, such as the IBM RISC 7000 and the users' home
directory server, will be backed up automatically at the end of each day. This
ensures that if any such server has been modified, the system administrator can
always fall back to the last clean backup copy of the system.

4] Transaction Auditing

Some crucial users may have their keystrokes recorded in a central database, and an
alert can be raised if a break-in attempt is detected.

5] Virtual Private Networking with IPSEC

On user demand, an IPsec VPN tunnel can be established between two end points of
the user's network.

6] Use SSL to protect confidential server

All servers such as the automatic bill payment system, the user password changing
system and the comment and support form will support full SSL to prevent any
interception of the data while it travels from one end to the other.

Methods and tools to protect the XYZ networks against attacks from the outside world

The main tools used to protect the network from outside threats are a firewall for
the entire network, TCP Wrapper on Linux/Unix based machines, an intrusion
detection system to detect and warn of attacks as they happen, and system
vulnerability reporting tools such as SATAN. We now look at each component and how
they fit together in this network.
1] A firewall system

A firewall is a group of one or more systems that enforces an access control policy
between different computer networks. In principle, a firewall scans every packet
that leaves or enters the network and denies or permits it based on predefined
policies. Some firewalls place a greater emphasis on blocking traffic, while others
emphasize permitting traffic.

The following gives a brief explanation of how the firewall system is used in the
XYZ network to protect against security threats from the outside world.

Figure 7.1 – A multi-port firewall with a connection to each network block (subnets)

The above figure shows the firewall design of XYZ. All traffic travelling from any
section of the network has to go through the firewall. The following briefly
explains the firewall policy in use.

1] Traffic from the local LAN on port 2 is allowed to the protected server block on
port 3. Only authorized traffic from other POPs is also allowed to enter the
protected server section; this is determined based on source and destination
address.

2] Port 4 only allows traffic to known ports through to the public server area. No
traffic may be initiated from port 4 to any other port in the network (this
prevents a hacker who has successfully compromised a bastion host from using it to
get into the protected network).

3] Port 5 has no restrictions of its own, but is bound by the policies placed on
the other ports.
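
The three policy rules above, together with the spoofed-source rule from the denial-of-service section, written as a decision model in Python (an added example for this report, not XYZ's firewall configuration). The port-to-block mapping follows figure 7.1; treating port 1 as the uplink, the subnet addresses, the regional POP address range and the list of published bastion services are assumptions.

```python
import ipaddress

# Firewall ports and the network block behind each one. The port-to-block
# mapping follows figure 7.1 of the report; port 1 as the uplink and all
# addresses below are constructed assumptions for this example.
PORTS = {
    1: ("uplink", None),
    2: ("lan", ipaddress.ip_network("10.1.0.0/16")),
    3: ("protected", ipaddress.ip_network("10.2.0.0/24")),
    4: ("dmz", ipaddress.ip_network("10.3.0.0/24")),
    5: ("remote", ipaddress.ip_network("10.4.0.0/16")),
}
OTHER_POPS = [ipaddress.ip_network("10.10.0.0/16")]   # regional office (constructed)
KNOWN_DMZ_PORTS = {25, 53, 80, 443}                   # published bastion services (assumed)


def block_of(addr):
    """Firewall port that legitimately carries traffic from/to this address."""
    ip = ipaddress.ip_address(addr)
    for port, (_, net) in PORTS.items():
        if net is not None and ip in net:
            return port
    return 1  # anything outside the local blocks lives beyond the uplink


def decide(in_port, src, dst, dport):
    """Decision for a NEW connection arriving on in_port. Return traffic of
    accepted connections is assumed to be handled statefully."""
    # Anti-spoofing: a packet must arrive on the port that owns its source
    # address. This is the "block spoofed source addresses originating
    # inside the company network" precaution from the DoS section.
    if block_of(src) != in_port:
        return "deny", "spoofed source address for ingress port"
    out_port = block_of(dst)
    if in_port == out_port:
        return "allow", "traffic stays inside one block"
    # Rule 2, second half: bastion hosts never initiate towards other ports.
    if in_port == 4:
        return "deny", "bastion hosts may not initiate connections"
    # Rule 1: protected servers accept the local LAN and authorized POPs only.
    if out_port == 3:
        if in_port == 2:
            return "allow", "local LAN to protected block"
        if in_port == 1 and any(ipaddress.ip_address(src) in n for n in OTHER_POPS):
            return "allow", "authorized POP to protected block"
        return "deny", "protected block accepts LAN and POP sources only"
    # Rule 2, first half: only known service ports reach the public servers.
    if out_port == 4:
        if dport in KNOWN_DMZ_PORTS:
            return "allow", f"known service port {dport} to bastion host"
        return "deny", f"port {dport} is not a published bastion service"
    # Rule 3: the remote-access block carries no restriction of its own, and
    # clients may reach any Internet host; other blocks' rules above still
    # govern what those clients send.
    if out_port in (1, 5):
        return "allow", "no restriction on this destination block"
    # Nothing else is specified in the report: deny by default (assumption).
    return "deny", "no policy permits this path"
```
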

TCP Wrapper

TCP Wrapper is a public domain program that provides a simple firewall service for
Unix servers. An unsecured Unix server attached to a network is exposed to various
types of risk from users of the network. TCP Wrapper works by monitoring incoming
connections: when an external host attempts to connect, TCP Wrapper checks whether
that host is authorized to connect. If it is, access is permitted; if not, access
is denied. The program can be tailored to suit individual user or network needs.

All XYZ Linux servers will have TCP Wrapper set up to deny all connections to the
machine and to allow only the registered administrator IP address to make SSH,
FTP, etc. connections to the machine.
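
The deny-all-then-allow-administrator setup described above, modelled in Python so that the hosts.allow / hosts.deny evaluation order can be checked (an added example for this report, not the TCP Wrapper source or XYZ's configuration). The file contents, the daemon names sshd and in.ftpd, and the administrator address 10.1.0.5 are constructed assumptions; only the pattern subset used here (ALL, an exact address, a trailing-dot network prefix and EXCEPT) is modelled.

```python
import re

# Constructed contents of the two access control files on an XYZ server.
HOSTS_ALLOW = """
# only the registered administrator workstation may open SSH and FTP sessions
sshd, in.ftpd : 10.1.0.5
"""
HOSTS_DENY = """
ALL : ALL
"""


def _parse(text):
    """Return (daemon_patterns, client_patterns) for each non-comment line."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        daemons, clients = [f.strip() for f in line.split(":")[:2]]
        rules.append((re.split(r"[,\s]+", daemons), re.split(r"[,\s]+", clients)))
    return rules


def _match_daemon(pattern, daemon):
    return pattern == "ALL" or pattern == daemon


def _match_client(pattern, client):
    if pattern == "ALL":
        return True
    if pattern.endswith("."):          # "10.1." matches every 10.1.x.x address
        return client.startswith(pattern)
    return pattern == client


def _match_list(patterns, value, matcher):
    """'a, b EXCEPT c' matches when a or b matches and c does not."""
    if "EXCEPT" in patterns:
        i = patterns.index("EXCEPT")
        return _match_list(patterns[:i], value, matcher) and not _match_list(
            patterns[i + 1:], value, matcher)
    return any(matcher(p, value) for p in patterns)


def access_allowed(daemon, client, allow=HOSTS_ALLOW, deny=HOSTS_DENY):
    """hosts.allow is consulted first and the first match grants access; then
    hosts.deny, where the first match refuses it. A client matched in neither
    file is ALLOWED, which is why hosts.deny must contain 'ALL : ALL' for the
    "deny everything else" policy to hold."""
    for daemons, clients in _parse(allow):
        if _match_list(daemons, daemon, _match_daemon) and _match_list(clients, client, _match_client):
            return True
    for daemons, clients in _parse(deny):
        if _match_list(daemons, daemon, _match_daemon) and _match_list(clients, client, _match_client):
            return False
    return True
```
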

Intrusion Detection System (IDS)

An IDS can automatically alert the network manager of threats in real time. To use
an IDS, the system administrator defines a policy that triggers an alert; the IDS
then continuously monitors the network and sends off an alert whenever that policy
is matched. Typical events that trigger an alert are the detection of a DoS attack,
a port scan or a TCP session hijack.

Security and system vulnerabilities check tools

Another way to prevent threats from the Internet is to regularly use tools such as
SATAN that are capable of scanning a (Unix) system and producing a report on the
vulnerabilities detected on that system.

Plans to update systems to cope with new technologies that may increase
security risks to your systems

To update the security of the current system to cope with future technologies, the
following steps should be performed.

1. Regularly update system patches

Windows systems support an automatic update tool that scans your system and
recommends the patches it requires. Linux systems have freeware applications
written in Perl that scan the applications installed on your system and attempt to
update them automatically when a newer patch has been released.

2. Keep in touch with future technology

A good administrator must attend seminars and conferences to keep up to date with
the new technologies available.

3. Add more resources and bandwidth to the network when required

The advent of new technologies, such as faster and higher-throughput access media,
may force a company to expand its resources to remain competitive in the market.

Bibliography

Practical UNIX & Internet Security, 2nd Edition, by Simson Garfinkel and Gene
Spafford, April 1996, O'Reilly Publishing, ISBN 1-56592-148-8.

Network Intrusion Detection System, by Stephen Northcutt, September 2000, New
Riders Publishing, ISBN 0-7357-1008-2.

DoS attack types, http://www.itp.net/features/980333182529006.htm, last accessed
20/10/2002.

Physical attack methods, http://nces.ed.gov/pubs98/safetech/chapter5.html, last
accessed 20/10/2002.

Password security, http://www.psynch.com/docs/strength.html, last accessed
20/10/2002.

Educating users about security, http://nsi.org/SSWebSite/TheService.html, last
accessed 21/10/2002.
