Security Topologies
One of the most essential portions of information security is the design and topology of secure networks. What exactly do we mean by “topology?” Usually, a geographic diagram of a network comes to mind. However, in networking, topologies are not related to the physical arrangement of equipment, but rather to the logical connections that run between the different gateways, routers, and servers. We will take a closer look at some common security topologies.
Screening Router
In a screening router setup, the router acts as the sole gateway and gatekeeper between the un-trusted, outside network (i.e. the Internet) and the trusted network (i.e. the LAN). The router has sole discretion over which traffic to allow in by implementing an ACL, or access control list. The router in this setup, which blocks traffic based on source, destination, and other header information, is analogous to Saint Peter, who acts as the gatekeeper into Heaven. Some of the advantages of screening routers include their transparency and simplicity. However, in the screening router setup, the router is the single point of failure and depends heavily on the administrator to maintain a sound ACL. Also, a screening router has difficulty masking the internal network structure.
Dual-Homed Gateway
The dual-homed gateway is a screening router setup that implements a bastion host between the screening (external) router and the trusted network. A bastion host is a host that is configured to withstand most attacks and can additionally function as a proxy server. By adding the bastion host, no direct communication exists between the external network and the trusted network, masking the internal network structure and allowing traffic to be screened twice. It is considered fail-safe in that if one of the components (bastion host, router) fails, the security system remains available. However, it is cumbersome and rather slow in comparison to other topologies.
Screened Host Gateway
A screened host gateway is essentially a dual-homed gateway in which outbound traffic (from trusted to un-trusted) can move unrestricted. Incoming traffic must first be screened and then sent to the bastion host, as in a dual-homed gateway. This is a less secure but more transparent system than a dual-homed gateway.
Screened-Subnet
A screened-subnet setup employs a bastion host between two screening routers. What this provides is a special zone for publicly available services (around the bastion host) and transparent access for users on the trusted network. The zone around the bastion host that operates publicly and whose traffic to the trusted network is screened is known as a DMZ (demilitarized zone); for this reason, bastion hosts are sometimes referred to as DMZ hosts. Remember for the exam that a DMZ host would always be well-secured, just like a bastion host would be.
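The following is an added example, not part of the original study guide, that models the screening-router ACL described earlier and then chains two such routers into a screened subnet. All addresses (10.0.0.0/8 for the trusted LAN, the documentation range 192.0.2.0/24 for the DMZ, 203.0.113.0/24 for outside hosts) and the rule sets are constructed for illustration. It models only connection-initiating traffic heading toward a more trusted zone, which is what the ACL screens; traffic from the trusted side outward passes transparently, as the text describes.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # CIDR prefix
    dst: str              # CIDR prefix
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def evaluate(acl: List[Rule], packet: Packet) -> str:
    """Screening-router semantics: first matching rule wins; anything unmatched is denied."""
    for rule in acl:
        if rule.matches(packet):
            return rule.action
    return "deny"


# Hypothetical ACLs. The external router only admits the public services in the DMZ.
# The explicit deny toward the LAN sits first so a later mistaken permit cannot expose it.
EXTERNAL_ROUTER_ACL = [
    Rule("deny",   "0.0.0.0/0", "10.0.0.0/8",    "any", None),
    Rule("permit", "0.0.0.0/0", "192.0.2.10/32", "tcp", 443),  # public web server
    Rule("permit", "0.0.0.0/0", "192.0.2.20/32", "tcp", 25),   # public mail server
]
# The internal router admits only the one DMZ-to-LAN flow the design needs (mail relay).
INTERNAL_ROUTER_ACL = [
    Rule("permit", "192.0.2.20/32", "10.0.0.5/32", "tcp", 25),
]

ZONES = {"lan": ipaddress.ip_network("10.0.0.0/8"),
         "dmz": ipaddress.ip_network("192.0.2.0/24")}
TRUST = {"internet": 0, "dmz": 1, "lan": 2}
# Routers crossed when moving toward a more trusted zone, in order.
PATHS = {("internet", "dmz"): ["external"],
         ("internet", "lan"): ["external", "internal"],
         ("dmz", "lan"): ["internal"]}
ACLS = {"external": EXTERNAL_ROUTER_ACL, "internal": INTERNAL_ROUTER_ACL}


def zone_of(addr: str) -> str:
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def screened_subnet(packet: Packet) -> Tuple[str, Optional[str]]:
    """Return (decision, router that denied it or None). Traffic toward the
    Internet side is transparent; traffic inward is screened at every router."""
    src_zone, dst_zone = zone_of(packet.src), zone_of(packet.dst)
    if TRUST[src_zone] >= TRUST[dst_zone]:
        return ("permit", None)
    for router in PATHS[(src_zone, dst_zone)]:
        if evaluate(ACLS[router], packet) == "deny":
            return ("deny", router)
    return ("permit", None)


if __name__ == "__main__":
    samples = [
        Packet("203.0.113.7", "192.0.2.10", "tcp", 443),  # Internet -> DMZ web: permitted
        Packet("203.0.113.7", "192.0.2.10", "tcp", 22),   # Internet -> DMZ ssh: denied, external
        Packet("203.0.113.7", "10.0.0.5",   "tcp", 443),  # Internet -> LAN: denied, external
        Packet("192.0.2.10",  "10.0.0.5",   "tcp", 445),  # compromised DMZ host -> LAN: denied, internal
        Packet("192.0.2.20",  "10.0.0.5",   "tcp", 25),   # DMZ mail relay -> LAN mail: permitted
        Packet("10.0.0.9",    "203.0.113.7", "tcp", 443), # LAN outbound: transparent
    ]
    for p in samples:
        print(p, "->", screened_subnet(p))
```

The fourth sample is the point of the design: even if a public DMZ host is compromised, the second screening router still stands between it and the trusted LAN, so the internal structure stays hidden and the traffic is screened twice.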
IDS
An intrusion detection system, or IDS, can track or detect a possible malicious attack on a network. For the exam, you will have to know the following IDS classifications:
- Active v. Passive IDS: An active IDS will attempt to thwart any kind of detected attacks without user intervention. A passive IDS simply monitors for malicious activity and then alerts the operator to act, or in other words, requires their intervention. Passive IDS is less susceptible to attacks on the IDS system as it does not automatically act.
- Network v. Host IDS: A network-based IDS is one that operates as its own node on a network, while host-based IDS systems require agents to be installed on every protected host.
- Knowledge v. Behavior IDS: A knowledge-based IDS works by assessing network traffic and comparing it with known malicious signatures, much like antivirus software. A behavior-based IDS analyzes baselines or normal conditions of network traffic; it then compares them to possibly malicious levels of traffic. Note that this type of IDS produces more false alarms.
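As an added example (not from the original guide), the small sensor below contrasts the knowledge-based and behavior-based classifications on constructed input, and adds an active/passive switch to the response stage. The request log lines, the two signatures, the baseline request rates and the current-window counts are all made up for illustration. The constructed host 10.0.0.12 is a legitimate backup job whose request rate happens to be high; it shows why the behavior-based detector produces more false alarms than the signature detector.

```python
import re
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed sample of HTTP request paths seen by the sensor (not real traffic).
REQUESTS = [
    {"src": "10.0.0.9",    "path": "/index.html"},
    {"src": "10.0.0.9",    "path": "/images/logo.png"},
    {"src": "203.0.113.7", "path": "/../../etc/passwd"},
    {"src": "203.0.113.7", "path": "/login?user=admin'%20OR%20'1'='1"},
    {"src": "10.0.0.12",   "path": "/backup/daily.tar"},
]

# Knowledge base: a library of known-bad patterns, like antivirus signatures.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sqli-tautology": re.compile(r"'(%20|\s)*OR(%20|\s)*'1'='1", re.IGNORECASE),
}


def knowledge_based(requests: List[Dict[str, str]]) -> List[Tuple[str, str]]:
    """Signature matching: alerts only on patterns already in the library,
    so it is precise but blind to attacks nobody has written a signature for."""
    alerts = []
    for req in requests:
        for name, pattern in SIGNATURES.items():
            if pattern.search(req["path"]):
                alerts.append((req["src"], name))
    return alerts


# Constructed baseline: requests per minute from one host during normal operation.
BASELINE_PER_MINUTE = [40, 45, 38, 50, 42, 47, 44, 41]


def behavior_threshold(baseline: List[int], k: float = 3.0) -> float:
    """Anomaly threshold derived from the learned baseline: mean + k standard deviations."""
    return mean(baseline) + k * pstdev(baseline)


def behavior_based(baseline: List[int], current: Dict[str, int], k: float = 3.0) -> List[str]:
    """Flag every source whose current rate exceeds the baseline-derived threshold.
    Needs no signatures, but anything unusual-yet-legitimate is flagged too."""
    threshold = behavior_threshold(baseline, k)
    return sorted(src for src, n in current.items() if n > threshold)


def react(flagged: List[str], active: bool) -> Tuple[List[str], List[str]]:
    """Active IDS: blocks the sources itself. Passive IDS: only notifies the operator.
    Returns (blocked sources, notifications)."""
    notices = [f"alert: suspicious activity from {src}" for src in flagged]
    blocked = list(flagged) if active else []
    return blocked, notices


# Constructed current window: 203.0.113.7 is a scanner, 10.0.0.12 is a nightly backup job.
CURRENT_WINDOW = {"10.0.0.9": 44, "203.0.113.7": 400, "10.0.0.12": 70}

if __name__ == "__main__":
    print("knowledge-based:", knowledge_based(REQUESTS))
    print("behavior threshold: %.1f req/min" % behavior_threshold(BASELINE_PER_MINUTE))
    flagged = behavior_based(BASELINE_PER_MINUTE, CURRENT_WINDOW)
    print("behavior-based:", flagged)          # includes the backup job: a false alarm
    print("passive:", react(flagged, active=False))
    print("active: ", react(flagged, active=True))
```

Note how each detector misses what the other catches: the signature detector never looks at 10.0.0.12 and says nothing about the scanner's volume, while the behavior detector knows nothing about what 203.0.113.7 requested, only that it requested far too much. The passive mode returning an empty block list is exactly the "requires operator intervention" property the bullet list describes.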
Honeypot
A honeypot is designed to lure attackers or malicious users into attempting an attack on a fictional or purposefully-weak host, and then to record the patterns of their activity or the source of the attack. A honeypot can also act as a decoy for the rest of the network by drawing attackers toward an “easy target.”
Quick Review
1. Which of the following topologies features a demilitarized zone or DMZ?
a. Active IDS
b. Passive IDS
c. Dual-Homed Gateway
d. Screened-Subnet
2. Why would behavior-based IDS require less maintenance than knowledge-based IDS?
a. Behavior-based systems necessarily work without user intervention
b. Knowledge-based IDS can only work on a screened-subnet or screened host gateway topology.
c. No DMZ host is required in a behavior-based IDS
d. Behavior-based systems do not require signatures or libraries of attacks
3. Your company wishes to implement a web server, email server, and voice-over-IP server that are accessible to the rest of the Internet. However, it wants to ensure that the structure and hosts within the rest of the network are totally protected from outside access. Which of the following setups would provide this functionality?
a. Dual-Homed Gateway
b. Screened Host Gateway
c. Screening Router
d. Screened-Subnet
Answers
1. The screened-subnet topology features a DMZ between two screening routers, effectively isolating the publicly-accessible zone from the rest of the trusted network. The answer is D.
2. Because behavior-based systems compare baseline use levels to current or potentially malicious levels, they do not require signatures or libraries, decreasing the amount of active administrator maintenance that is required. The answer is D.
3. A screened-subnet gateway provides a protected zone for public services. The answer is D.