Kelley 1

Jake Kelley
Chuck Pease
Securing Business Applications
8 December 2007

Securing a Demilitarized Zone

When setting up any network, especially a corporate network, the DMZ is one of the most important security areas to address. Because any anonymous person can access this area of the network, it is a network administrator’s vital duty to ensure that this area is kept updated and secure against both focused attacks and less focused bot attacks. Because almost every company requires common services such as web sites, email access, and secure remote access, it is very important to ensure that these services are locked down and not vulnerable to common distributed attacks.

When people think of network security, they are generally thinking about internal security. Things like passwords, firewall security, and access controls are at the forefront of any discussion about security, but it is important to realize that the DMZ can provide a very easy avenue of access for hackers. Because many viruses are concerned with creating “zombies” (bots that constantly attack known vulnerabilities on a world-wide scale), we must protect our network at this area – the gate. It is a concern which every administrator should address because it affects the network as a whole, and can impact the company’s finances as well as an administrator’s stress levels. Because part of my job involves monitoring firewall log files for attempted attacks, I know that the majority – 90% and above – of attacks originate from zombie PCs, and are targeted at the DMZ on ports associated with common vulnerabilities. Ensuring that your firewall is protected from access on these ports can prevent a large majority of the problems that people face by being visible to the internet in an age where spyware and viruses are so pervasive.
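The firewall-log monitoring described in the introduction is the kind of task a short script can run on a schedule. The following is an added example and is not part of the paper: it parses a constructed log sample in a hypothetical format (the field order is an assumption, not any vendor's), keeps only denied connections aimed at an assumed DMZ address range, and reports which destination ports draw the most hits and which sources sweep several ports. The watched-port list is illustrative and is not taken from the paper.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample of firewall log lines in a hypothetical format (not a real vendor's).
SAMPLE_LOG = """\
2007-12-05 03:14:07 DENY TCP 203.0.113.7:51234 -> 192.0.2.10:445
2007-12-05 03:14:08 DENY TCP 203.0.113.7:51235 -> 192.0.2.10:135
2007-12-05 03:14:09 DENY TCP 203.0.113.7:51236 -> 192.0.2.10:1433
2007-12-05 03:14:10 DENY TCP 203.0.113.7:51237 -> 192.0.2.10:3389
2007-12-05 03:15:01 ALLOW TCP 198.51.100.22:40001 -> 192.0.2.10:80
2007-12-05 03:15:02 DENY TCP 198.51.100.22:40002 -> 192.0.2.10:445
2007-12-05 03:16:30 DENY TCP 198.51.100.22:40003 -> 192.0.2.11:445
2007-12-05 03:16:31 DENY TCP 198.51.100.23:40003 -> 192.0.2.11:445
2007-12-05 03:20:00 ALLOW TCP 10.0.0.5:52000 -> 203.0.113.50:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>ALLOW|DENY) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

DMZ_NET = ip_network("192.0.2.0/24")  # assumed DMZ range for this example
# Ports commonly probed by worms and bots; an illustrative watchlist, not from the paper.
WATCHED_PORTS = {135, 139, 445, 1433, 3389}


@dataclass
class Event:
    action: str
    src: str
    dst: str
    dport: int


def parse_log(text):
    """Turn log lines into Event records; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(Event(m["action"], m["src"], m["dst"], int(m["dport"])))
    return events


def inbound_denies(events):
    """Denied connections whose destination lies inside the DMZ."""
    return [e for e in events if e.action == "DENY" and ip_address(e.dst) in DMZ_NET]


def summarize(events, scan_threshold=3):
    """Count denied hits per port and flag sources that touched several distinct ports."""
    denies = inbound_denies(events)
    hits_per_port = Counter(e.dport for e in denies)
    ports_per_src = defaultdict(set)
    for e in denies:
        ports_per_src[e.src].add(e.dport)
    scanners = sorted(src for src, ports in ports_per_src.items() if len(ports) >= scan_threshold)
    watched_hits = sum(n for port, n in hits_per_port.items() if port in WATCHED_PORTS)
    return {
        "total_denied": len(denies),
        "watched_port_denied": watched_hits,
        "top_ports": hits_per_port.most_common(3),
        "scanners": scanners,
    }


if __name__ == "__main__":
    for key, value in summarize(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

On the sample, all seven denied DMZ hits land on watched ports, and 203.0.113.7 is flagged because it touched four different ports in a few seconds, the pattern of an automated sweep rather than a mistyped address.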
Network Permissions and Services

It is very important in any network to ensure that files and services are completely secured from anyone who would have access to them but should not be allowed to view or modify them. Such documents could be things like manuals that are in place for all employees to use. The employees should be allowed to view them, but not to make changes without notifying a manager and undergoing a process to make these changes. They should certainly not be allowed to delete them either. Using NTFS permissions is a great way to accomplish such a task. In this example, an administrator could grant certain users read permission to the file, but not modify permission.

This also applies to documents that a company would want users to have access to from the internet. A perfect example would be a web page. Users on the internet should be able to view the web page, but should not be allowed to modify its contents. Securing the web page document with permissions that only allow IIS users (or whatever program you are running) to view, but not modify, ensures that everyone has access to it, but not everyone can make changes.

Securing services can be of equal or greater importance to an administrator. Because some services have to be granted control over documents (such as SQL, which must be allowed to interact with a database file based on input given in a program or on a web page), they need to be secured from misuse. In the example of SQL, users on the internet should be allowed to use SQL's functionality to view lists of products and services, but should not be allowed to abuse its functionality by gaining access to files through an unprotected power-user type of account. By restricting the user account that SQL uses to interact with a SQL database, you can ensure that users will only be able to view the contents of your database, and even if they try to, the account would not be granted sufficient rights to modify a database or any other file on the server.
This is especially important because users have access to your network through systems like SQL frontends, and an administrator must be vigilant to ensure that their activity is restricted to only what they need to be able to do, and that they are not able to gain any unwanted access or privileges.

Encryption – Secure Access

Encryption is a very important aspect of network security. It can be used to ensure that home users have access to a company's internal network, enabling cost-effective telecommuting. It can also be used to ensure that a company's sensitive documents are protected from unwanted eyes and malicious use.

Encryption can be used in a couple of very important ways. Firstly, when creating a document, depending on its importance, you can choose to have it encrypted from the start with a type of encrypting file system. This enables us as administrators to keep valuable information viewable only to a select group of people that we choose. Another method (the most commonly found) is the encryption of transmitted data. This involves using a protocol to jumble the contents of a message and make it unreadable before transmitting it over public areas. Additionally, you can choose to set up digital certificates, which provide a means of identifying each user involved in the transmission and making sure that they are indeed who they claim to be.

The level of encryption you choose for your company depends on what you are protecting, as well as how much you will have to protect. I will outline three generic levels of protection that I believe are fairly common in workplaces. The first level of protection is designed for the majority of companies, and is generally sufficient when there is no mission-critical data being sent regularly over the internet. This level of protection involves having very secure perimeters, and a well-designed network that facilitates security from the beginning.
In most cases, having passwords set up all around the network, using file permissions, and subnetting your network into secure areas is enough protection to prevent attacks from occurring. Also, enabling logging will provide you with a method of responding to attacks if they do occur. When sending data over the internet, a VPN connection is set up at the firewall for users to connect to, thereby encrypting their data transmissions over the internet. These methods of security are fairly commonplace, and generally are all that is required by almost any company, because most companies do their business internally, and the most important factor of security is securing the internal network so valuable data is protected.

Another, less common form of overall security with regard to encryption is high security in a small environment. This includes having encryption enabled on files (EFS), encryption with digital certificates enabled for all web browsing and email transmissions, and having VPNs enabled with digital certificates to authenticate users. This level of protection might be feasible in very small workplaces where the administrator is paranoid about security, and has all of the tools to incorporate such a high level of protection. It is generally not seen very much, though, because it is overkill when you are not dealing with highly sensitive data, or commonly transmitting such data over public lines.

Finally, high security is required in government institutions that work with very sensitive documents, and transfer these between departments. They use higher than 128-bit encryption as a standard, and do so on all transmissions. A lot of their protected documents are also encrypted at the file level to ensure that if there was a network breach, the intruder would still need to decrypt a document to view its contents (as well as crack the password of a user who has sufficient access to that document, or was involved in its creation).
All internet browsing is encrypted and verified via digital certificate, and any access to the internal network is verified via VPN connection.

DMZ Services

DMZ services are a crucial aspect of any network, and a highly important area of security. Because any anonymous user has access to these services, it is very important to ensure that these services don't have access to the network in any manner other than the way that you intend them to. They should only be for viewing purposes, and should be secured and patched against threats which would enable an attacker to gain access to modify files, or to view internal documents or network structure. This is generally accomplished in a couple of different ways.

One method of setting up a DMZ is to have a firewall with three network cards – one which plugs into the internet, one which routes data to the internal network, and one that routes data to the DMZ. The internet card would be secured with an incoming firewall to only allow access via ports regarding the DMZ, and nothing else. The DMZ card is not very important as far as configuration goes, because the data it is routing has already been filtered through the external internet card. The internal card would have an additional filter for incoming data, ensuring that it originated inside the LAN and that it is not malicious. It would also have an outgoing filter, so traffic from the internal LAN such as viruses could be contained from doing any further damage. This approach works pretty well, but if a hacker was familiar with the firewall or OS you are running as a gatekeeper, he would be able to crack it and gain full access. Therefore the next option is generally viewed as the most secure approach to a DMZ.

Using two firewalls in a DMZ configuration is highly desirable because it creates another barrier to entry in case the first firewall is compromised.
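The three-card policy just described, written out as a small stateful rule evaluator, is an added example and not the paper's own material. The address plan (a documentation range for the DMZ, a private range for the LAN, everything else treated as internet), the list of published DMZ services and the LAN egress ports are all assumptions made for the example; the rules themselves follow the paragraph above: inbound only to DMZ ports, an anti-spoofing check on the internal card, an outgoing filter on the LAN, replies accepted only for connections that were allowed first, and no path from the DMZ into the LAN.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Assumed address plan for this example (RFC 5737 documentation range for the DMZ,
# a private range for the LAN). None of these values come from the paper.
INTERNAL_NET = ip_network("10.0.0.0/24")
DMZ_NET = ip_network("192.0.2.0/24")

# Services the DMZ publishes to the internet: host -> allowed TCP ports (constructed).
PUBLISHED = {
    "192.0.2.10": {80, 443},  # web server
    "192.0.2.20": {25},       # mail server
    "192.0.2.30": {53},       # external DNS
}
# Ports the LAN may open directly to the internet (the "outgoing filter"; assumed policy).
LAN_EGRESS_PORTS = {80, 443}


@dataclass(frozen=True)
class Packet:
    iface: str        # card the packet arrived on: "internet", "dmz" or "internal"
    src: str
    dst: str
    port: int         # service (destination) port of the connection this packet belongs to
    syn: bool = True  # True for a new connection attempt, False for a reply packet


def zone_of(addr):
    """Which zone an address belongs to, by prefix."""
    ip = ip_address(addr)
    if ip in INTERNAL_NET:
        return "internal"
    if ip in DMZ_NET:
        return "dmz"
    return "internet"


class ThreeCardFirewall:
    def __init__(self):
        self.established = set()  # (initiator, responder, port) of connections we allowed

    def decide(self, p):
        # Replies are accepted only for connections that were allowed in the other direction.
        if not p.syn:
            return "ALLOW" if (p.dst, p.src, p.port) in self.established else "DENY"
        verdict = self._new_connection(p)
        if verdict == "ALLOW":
            self.established.add((p.src, p.dst, p.port))
        return verdict

    def _new_connection(self, p):
        src_zone, dst_zone = zone_of(p.src), zone_of(p.dst)
        # Anti-spoofing: a packet must arrive on the card that serves its source zone.
        if src_zone != p.iface:
            return "DENY"
        if p.iface == "internet":
            # Inbound: only published DMZ services, never the internal network.
            return "ALLOW" if p.port in PUBLISHED.get(p.dst, set()) else "DENY"
        if p.iface == "internal":
            if dst_zone == "dmz":
                return "ALLOW"  # staff may reach DMZ servers
            if dst_zone == "internet":
                return "ALLOW" if p.port in LAN_EGRESS_PORTS else "DENY"
            return "DENY"
        # iface == "dmz": a compromised DMZ host must not be able to pivot into the LAN.
        return "DENY" if dst_zone == "internal" else "ALLOW"


def demo():
    """Run a constructed traffic sample through the policy; returns the verdicts in order."""
    fw = ThreeCardFirewall()
    sample = [
        Packet("internet", "203.0.113.7", "192.0.2.10", 80),             # web request
        Packet("internet", "203.0.113.7", "192.0.2.10", 445),            # probe of an unpublished port
        Packet("internet", "203.0.113.7", "10.0.0.5", 80),               # straight at the LAN
        Packet("internet", "10.0.0.9", "192.0.2.10", 80),                # spoofed LAN source
        Packet("internal", "10.0.0.5", "203.0.113.50", 443),             # LAN browsing out
        Packet("internet", "203.0.113.50", "10.0.0.5", 443, syn=False),  # its reply
        Packet("internet", "203.0.113.50", "10.0.0.5", 25, syn=False),   # unsolicited "reply"
        Packet("internal", "10.0.0.5", "203.0.113.50", 25),              # LAN host sending SMTP out
        Packet("dmz", "192.0.2.10", "10.0.0.5", 445),                    # DMZ host pivoting to LAN
    ]
    return [fw.decide(p) for p in sample]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The two verdicts worth noticing are the unsolicited "reply" (denied because no matching connection was ever allowed) and the DMZ-to-LAN attempt (denied regardless of port), since those are the cases the single-firewall design relies on to contain a compromised DMZ host.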
In this configuration, one firewall has a port exposed to the internet for external access, and filters all incoming traffic, ensuring that only relevant, DMZ-related connections are coming in, or that the connections were already established outgoing from the LAN. On the other side of this firewall reside the DMZ servers, with FTP, VPN connections, DNS services and web page services set up. This way all traffic heading to the DMZ can sit in a sheltered area that is not a part of the protected internal network. On the other side of these DMZ servers is another firewall. It is set up with additional filters to ensure that traffic entering and exiting the internal network is genuine and verified. Also, it is important that this firewall is made by a different company than the other firewall. This ensures that even if a hacker was to compromise the first firewall and gain access, they would still have to use a different method to compromise this internal firewall and actually gain access to a company's internal network. This also means that they would have to crack two separate passwords, and utilize two different avenues of attack if they were to be successful in hacking into the network.

FTP – File Access

FTP services are generally enabled within a DMZ, and are historically an important aspect of any network. These servers can host many types of files, and it is important to keep a secured backup of them internally, in case the FTP server is compromised. Also, making sure that external users have access only through a specific account, with no anonymous or guest access, is critical to keeping abuse at a minimum.

VPN – Remote Access

A company VPN is a highly important part of doing business these days, and as such it is something that should be highly protected. An important design consideration regarding VPNs is that they should be placed in a separate DMZ space, away from other internet-facing services.
This minimizes access to the VPN server, makes it less likely that internet users will know of its existence, and ensures that it isn't affected by traffic entering the DMZ or exiting the LAN.

HTTP - Web Services

Web services are the most frequently thought of when referring to a DMZ. Almost every company has a website, and for that to have the least amount of security implications, it must be placed in a DMZ. Because everyone is jumping on the internet bandwagon, they all need to have a web server, and this server must be kept outside of the internal network for obvious security purposes. If a user is granted access to any of your servers, it makes sense that this user could then look around the network for security flaws and loopholes, so by placing your web server outside of the network, you ensure that any possible damage is minimized, and critical data loss is prevented entirely. Keeping this server patched and up to date is an important concern, because this will minimize the amount of time you have to spend repairing any possible issues created by external users messing with this server. Also, keeping backups internally after every revision to the website ensures that even if it is compromised, destroyed or defaced, you will be able to quickly get it back up and running in the state it was previously in.

Another major concern regarding security is frontend access via a website. If your website includes any fields for entering data, then it also contains a potentially exploitable vulnerability. This is called SQL injection, and hackers use this method to return information from a company's database that they shouldn't have access to. Common locations for SQL input fields are user logins and search functions. Because these can potentially be such risky areas of security, it is important to make sure that any database access that is granted through a web page is secured in every way possible.
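The two points the paper makes about SQL, the restricted database account in the Network Permissions section and the injection risk of web input fields here, are shown side by side in the following added example, which is not the paper's own code. It uses SQLite so that it runs anywhere: a constructed product catalogue is searched first by pasting the visitor's text into the statement and then with a parameterized query, and the web-facing connection is opened read-only (SQLite's URI `mode=ro`, standing in for a SQL login that may only SELECT). The schema, product names and the `users` table are constructed for the example.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Constructed schema: a public product catalogue kept in the same database as the user
# table, which is exactly the co-location the paper advises against.
SEED_SQL = """
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
INSERT INTO products VALUES (1, 'Router', 99.0), (2, 'Switch', 149.0);
CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT);
INSERT INTO users VALUES (1, 'admin', 'placeholder-hash');
"""


def seed_database(path):
    conn = sqlite3.connect(path)
    conn.executescript(SEED_SQL)
    conn.commit()
    conn.close()


def open_web_connection(path):
    # Least privilege: the web-facing code gets a read-only handle (SQLite URI mode=ro),
    # the equivalent of giving the web application a SQL login that can only SELECT.
    uri = Path(path).resolve().as_uri() + "?mode=ro"
    return sqlite3.connect(uri, uri=True)


def search_products_unsafe(conn, term):
    # Vulnerable: the visitor's text is pasted into the statement, so it can change the query.
    sql = f"SELECT name FROM products WHERE name LIKE '%{term}%'"
    return [row[0] for row in conn.execute(sql)]


def search_products_safe(conn, term):
    # Parameterized: the value travels separately from the SQL text and is only ever data.
    sql = "SELECT name FROM products WHERE name LIKE ?"
    return [row[0] for row in conn.execute(sql, (f"%{term}%",))]


def can_modify(conn):
    """True if the connection is able to write; the read-only handle should return False."""
    try:
        conn.execute("UPDATE products SET price = 0")
    except sqlite3.OperationalError:  # "attempt to write a readonly database"
        return False
    conn.rollback()
    return True


def demo(path=None):
    """Seed a throwaway database and exercise both search styles on the read-only handle."""
    if path is None:
        path = os.path.join(tempfile.mkdtemp(), "shop.db")
    seed_database(path)
    conn = open_web_connection(path)
    # A search string that is not a product name but does change the unsafe query.
    probe = "' UNION SELECT username FROM users --"
    return {
        "unsafe_leaks_users": "admin" in search_products_unsafe(conn, probe),
        "safe_treats_as_text": search_products_safe(conn, probe),
        "normal_search": search_products_safe(conn, "Rout"),
        "web_account_can_write": can_modify(conn),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The parameterized search returns nothing for the probe because the whole string is matched as a product name, while the concatenated version lets the same string pull a row out of an unrelated table; the read-only connection is the second layer, so that even a query the application did not intend cannot change anything.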
Securing that access includes methods like data cleanup, string substitution and so on, to make sure that a user's entry into that field does not tamper with the database itself. Also, it is a good idea to keep any database access that a user would have to a minimum. For instance, don't locate such data in the same database as one that stores company accounting information, or information regarding user accounts/passwords.

POP3 / SMTP - Company Email

Email services are probably the biggest target for internet “hacking” in the DMZ. These services are frequently abused by spammers and bots that reside somewhere in the wild of the internet. Because of this, the mail servers must be located in the DMZ area just for these services, and also have special firewall rules regarding incoming and outgoing SMTP and DNS traffic. Additionally, these servers should be configured with mail relay settings ensuring that email only travels to and from trusted email partners, as an open relay is the largest target for spam abuse. Open relays are a huge target for the many bots out there, just waiting for a chance to find an open relay and set up shop. Spammers and hackers both use open relays because they accept emails from any outside source, and will forward them to any destination. This means that a malicious user or program would be allowed to send mail to this open relay, and when the relay sends it on, the mail or connection becomes anonymous. This is a huge factor for malicious intents – needless to say, just don’t allow this type of access.

DNS

One very important task involved in securing your DNS server is to keep it dedicated to DNS functions. Having additional software installed can open up holes that can be exploited, and is unnecessary. This rule applies to all of your servers company-wide, as well as servers located in the DMZ – keep your operating system patched and up-to-date, and keep any program you must have installed up-to-date as well.
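The relay rule from the email section above, reduced to the decision a mail server makes at each RCPT TO, is shown in the following added example; it is not the paper's code or any particular mail product's configuration. The domain, networks and client addresses are constructed for the example. The closed policy accepts mail addressed to its own domain from anyone, and forwards mail to outside domains only for authenticated users or clients on a trusted network; the `open_relay` flag reproduces the setting the paper warns against so the difference can be counted.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class RelayPolicy:
    # Domains this server receives mail for (constructed example domain).
    local_domains: set
    # Networks whose clients may send outbound mail without authenticating (e.g. the LAN).
    trusted_networks: list = field(default_factory=list)
    # The dangerous setting the paper warns about: forward anything for anyone.
    open_relay: bool = False

    def check(self, client_ip, authenticated, recipient):
        """Decide a RCPT TO command. Returns an (SMTP code, text) pair."""
        domain = recipient.rsplit("@", 1)[-1].lower()
        if domain in self.local_domains:
            return 250, "OK"  # inbound mail addressed to us is always accepted
        if self.open_relay:
            return 250, "OK"  # open relay: forwards anything to anywhere
        if authenticated:
            return 250, "OK"  # a logged-in user, e.g. an employee over the VPN
        ip = ip_address(client_ip)
        if any(ip in ip_network(net) for net in self.trusted_networks):
            return 250, "OK"  # a client on the trusted internal network
        return 554, "Relay access denied"


# Constructed RCPT TO attempts: (client IP, authenticated?, recipient).
ATTEMPTS = [
    ("203.0.113.7", False, "bob@example.com"),            # inbound to our own domain
    ("203.0.113.7", False, "victim@elsewhere.example"),   # stranger asking us to relay
    ("203.0.113.8", False, "victim2@elsewhere.example"),  # another stranger asking to relay
    ("10.0.0.5", False, "partner@elsewhere.example"),     # LAN workstation sending out
    ("198.51.100.9", True, "partner@elsewhere.example"),  # authenticated remote user
]


def count_relayed(policy, attempts=ATTEMPTS):
    """How many recipients outside our domains the policy would accept, i.e. relay."""
    return sum(
        1 for ip, auth, rcpt in attempts
        if rcpt.rsplit("@", 1)[-1].lower() not in policy.local_domains
        and policy.check(ip, auth, rcpt)[0] == 250
    )


if __name__ == "__main__":
    closed = RelayPolicy({"example.com"}, ["10.0.0.0/24"])
    opened = RelayPolicy({"example.com"}, ["10.0.0.0/24"], open_relay=True)
    print("closed relay forwards", count_relayed(closed), "of 4 outside-bound messages")
    print("open relay forwards", count_relayed(opened), "of 4 outside-bound messages")
```

With the closed policy only the LAN workstation and the authenticated user get their outbound mail forwarded; the two strangers receive a 554. With `open_relay=True` all four are forwarded, which is the behaviour that gets a server listed as a spam source.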
Keep your administrator account as well protected as possible to prevent hacking – again, this applies to all servers in the internal network and DMZ. Ensure that all default shares are unshared, and that anonymous access is not allowed. This prevents a large amount of “default hacking” from occurring by bots that crawl the web. Keep all of your unused ports closed. This serves as more of an overall DMZ security consideration, but it applies to DNS as well. Ensuring that outside access to DNS is disabled will prevent a lot of unnecessary problems in the future. Keep your zone transfers as secure as possible. One option that may be available would be to only allow zone transfers to server IPs that you specify. This provides very fine-grained access to DNS services, and keeps intruders from gaining access to internal records. Ensure that DNS zones are all Active Directory Integrated, and that zones are only transferred to servers listed in the Name Servers tab.

As you can tell, securing the DMZ is not a critical role in network security, but it is an important one. With a DMZ we are basically putting our servers within full view of hackers and malicious bots that would love to gain full access to these servers and wreak havoc. It is our responsibility to ensure that these servers are configured and patched in a way that minimizes risk, and requires the smallest amount of administrative intervention, in order to save money and keep the network administrator focused on more important issues. While the data contained on these servers generally does not need to be kept secure, and is not critical to the operation of a company, it is very important to prospective customers and clients that the data is there and functioning correctly. This is why these servers must be as secure as possible in the face of the entire internet – not a very simple task.
But by taking the steps outlined above, you at least take one step towards being more secure, and able to respond to threats in the quickest and most efficient manner. You will also be eliminating the vast majority of threats from occurring in the first place, which is the most important step in my opinion.