Data Center Network Infrastructure and Security Topics

Best practices
• Best Practice is a management idea which asserts that there is a technique, method, process, activity, incentive or reward that is more effective at delivering a particular outcome than any other technique, method, process, etc.
• The idea is that with proper processes, checks, and testing, a project can be rolled out and completed with fewer problems and unforeseen complications.

Network Infrastructure
• Communications in data centers today are most often based on networks running the IP protocol suite.
• Data centers contain a set of routers and switches that transport traffic between the servers and to the outside world.
• Redundancy is sometimes provided by getting the network connections from multiple vendors.

Network Infrastructure
• Some of the servers at the data center are used for running the basic Internet and intranet services needed by internal users in the organization:
  – email servers
  – proxy servers
  – DNS servers

Network Infrastructure
• Network security elements are also usually deployed:
  – Firewalls
  – VPN gateways
  – Intrusion detection systems
• Also common are monitoring systems for the network and some of the applications.
• Additional offsite monitoring systems are also typical, in case of a failure of communications inside the data center.

Applications
• The main purpose of a data center is running the applications that handle the core business and operational data of the organization.
• Such systems may be proprietary and developed internally by the organization, or bought from enterprise software vendors.
• Common examples of such applications are ERP and CRM systems.
ERP
• Enterprise Resource Planning systems (ERPs) integrate (or attempt to integrate) all data and processes of an organization into a unified system.
• A typical ERP system will use multiple components of computer software and hardware to achieve the integration.
• A key ingredient of most ERP systems is the use of a unified database to store data for the various system modules.

CRM
• Customer relationship management (CRM) is a broad term that covers concepts used by companies to manage their relationships with customers, including the capture, storage and analysis of customer information.

Aspects of CRM
• There are four aspects of CRM, each of which can be implemented in isolation:
  1. Active CRM: a centralized database which facilitates organization of data and automates business processes and common tasks.
  2. Operational CRM: automation or support of customer processes that include a company's sales or service representatives.
  3. Collaborative CRM: direct communication with customers that does not include a company's sales or service representatives ("self service").
  4. Analytical CRM: analysis of customer data for a broad range of purposes.

CRM: Technology considerations
• The technology requirements of a CRM strategy are very complex and far reaching. The basic building blocks include:
  – A database to store customer information. This can be a CRM-specific database or an enterprise data warehouse.
  – Operational CRM requires customer agent support software.
  – Collaborative CRM requires customer interaction systems, e.g. an interactive website, automated phone systems, etc.
  – Analytical CRM requires statistical analysis software, as well as software that manages any specific marketing campaigns.
  – Support CRM systems require interactive chat software to provide live help and support to web site visitors.

CRM: Privacy and Data Security
• The data gathered as part of CRM must consider customer privacy and data security.
• Customers want the assurance that their data is not shared with third parties without their consent and not accessed illegally by third parties.
• Customers also want their data used by companies to provide a benefit for them.

DMZ
• In computer security, a demilitarized zone (DMZ) or perimeter network is a network area (a subnetwork) that sits between an organization's internal network and an external network, usually the Internet.
• Typically, the DMZ contains devices accessible to Internet traffic, such as
  – Web (HTTP) servers
  – FTP servers
  – SMTP (e-mail) servers
  – DNS servers.

DMZ
• The point of a DMZ is that connections from the internal and the external network to the DMZ are permitted, whereas connections from the DMZ are only permitted to the external network: hosts in the DMZ may not connect to the internal network.

DMZ
• This allows the DMZ's hosts to provide services to the external network while protecting the internal network in case intruders compromise a host in the DMZ. For someone on the external network who wants to illegally connect to the internal network, the DMZ is a dead end.

DMZ
• Connections from the external network to the DMZ are usually controlled using port address translation (PAT).

PAT
• Port Address Translation (PAT) is a feature of a network device that translates TCP or UDP communications made between a host and port on an outside network, and a host and port on an inside network. It allows a single IP address to be used for many internal hosts. PAT may allow one public IP address to handle communication for 65536 inside hosts.
• A PAT device can transparently and automatically modify the IP packets' destination or source host IP and port fields belonging to its internal hosts.

PAT
• PAT is closely related to the concept of Network Address Translation, often called NAT.
• Similar to NAT, port translation makes changes to the sender's address or recipient's address on data packets.
• However, any IP address change involves the PAT device's outside IP address rather than a pool of addresses as in NAT.

PAT
• PAT translates both the IP and port fields, wherever those values belong to an internal host.
• Port numbers on packets coming from the external network, rather than destination IP addresses, are used to identify and designate traffic to different computers on the inside network.

PAT
• Server (public) IP addresses have worldwide significance, and ports have significance that depends on the particular type of communication desired (e.g. web, email, FTP).
• The significance of the IP address on an internal host, however, needs only to be limited to the organizational entity where it resides. Thus private addresses as given in RFC 1918 may be used.
• Additionally, the port number of a client application on a client host is significant only to that particular host.
• Consequently, within an organization any communicating client application can be uniquely identified by the combination of its host IP (organizational significance) and host port (host-only significance).

PAT
• A PAT device is like a post office that delivers box mail: outgoing envelopes are changed to appear to come from a post office box; incoming envelopes addressed to a valid post office box are changed to have the real street address of the box holder.

PAT
• PAT can only translate/replace IP addresses and ports for its internal hosts.
• As a consequence of its function it effectively hides the true endpoint IP address and port of the internal hosts.
• However, PAT must of course leave the public IP address and port information of the external host unmodified.

PAT
• Port translation allows many computers to share a single IP address.
• The PAT device periodically deletes translations from its table when they no longer appear to be in use.
• Because the port number field is a 16-bit unsigned number (0-65535), the likelihood of an inside computer not being able to send outside traffic is greatly reduced.

PAT
• The PAT operation is typically invisible to both the internal and external hosts.
• Typically the internal host is aware of the true IP address and TCP or UDP port of the external host.
• Typically the PAT device may function as the default gateway for the internal host.
• However, the external host is only aware of the public IP address for the PAT device and the particular port being used to communicate on behalf of a specific internal host.

PAT
• The PAT device usually sits at the network perimeter, where one side connects to the external network, usually the public Internet.
• On the other side is the internal network, usually with private IP addressing.

PAT
• Firewall systems and multi-port broadband network access devices (e.g. ADSL routers, cable modems) tend to use PAT.
• In the configuration of those devices, the outside network is the Internet and the inside network is the LAN.

PAT
• Advantage:
  – PAT's main advantage is that multiple internal hosts can share a single IP address for communication.
• Disadvantage:
  – Only a single public service, e.g. port 80 HTTP, can be exposed per public IP address.
  – Thus an organization using PAT and a single IP cannot easily run more than one of the same type of public service behind a PAT, e.g. two public web servers using the default port 80.

NAT
• The process of network address translation (NAT, also known as network masquerading, native address translation or IP-masquerading) involves re-writing the source and/or destination addresses of IP packets as they pass through a router or firewall.
• Most systems using NAT do so in order to enable multiple hosts on a private network to access the Internet using a single public IP address.
• According to specifications, routers should not act in this way, but many network administrators find NAT a convenient technique and use it widely.
• Nonetheless, NAT can introduce complications in communication between hosts.

NAT
• In a typical configuration, a local network uses one of the designated "private" IP address subnets (the RFC 1918 Private Network Addresses are 192.168.x.x, 172.16.x.x through 172.31.x.x, and 10.x.x.x), and a router on that network has a private address (such as 192.168.0.1) in that address space.
• The router is also connected to the Internet with a single "public" address (known as "overloaded" NAT) or multiple "public" addresses assigned by an ISP.
• As traffic passes from the local network to the Internet, the source address in each packet is translated on the fly from the private addresses to the public address(es).

NAT
• The router tracks basic data about each active connection (particularly the destination address and port).
• When a reply returns to the router, it uses the connection tracking data it stored during the outbound phase to determine where on the internal network to forward the reply:
  – on packet return, the TCP or UDP client port numbers are used to demultiplex the packets in the case of overloaded NAT, or the IP address and port number when multiple public addresses are available.
• To a system on the Internet, the router itself appears to be the source/destination for this traffic.

NAT
• Drawbacks:
  – Hosts behind a NAT-enabled router do not have true end-to-end connectivity and cannot participate in some Internet protocols.
  – Services that require the initiation of TCP connections from the outside network, or stateless protocols such as those using UDP, can be disrupted.
  – Use of NAT also complicates tunneling protocols such as IPsec, because NAT modifies values in the headers which interfere with the integrity checks done by IPsec and other tunneling protocols.

NAT
• In addition to the convenience and low cost of NAT, the lack of full bidirectional connectivity can be regarded in some situations as a feature rather than a limitation.
• To the extent that NAT depends on a machine on the local network to initiate any connection to hosts on the other side of the router, it prevents malicious activity initiated by outside hosts from reaching those local hosts.
• This can enhance the reliability of local systems by stopping worms and enhance privacy by discouraging scans. Many NAT-enabled firewalls use this as the core of the protection they provide.

NAT
• The greatest benefit of NAT is that it is a practical solution to the impending exhaustion of IPv4 address space.
  – Networks that previously required a Class B IP range or a block of Class C network addresses can now be connected to the Internet with as little as a single IP address (many home networks are set up this way).
  – The more common arrangement is having machines that require true bidirectional and unfettered connectivity supplied with a 'real' IP address, while having machines that do not provide services to outside users (e.g. a secretary's computer) tucked away behind NAT with only a few IP addresses used to enable Internet access.

NAT
• Two kinds of network address translation exist.
  – The type popularly called simply "NAT" (also sometimes named "Network Address Port Translation" or "NAPT" or even PAT) refers to network address translation involving the mapping of port numbers, allowing multiple machines to share a single IP address.
  – The other, technically simpler, form (also called NAT or "one-to-one NAT" or "basic NAT" or "static NAT") involves only address translation, not port mapping. This requires an external IP address for each simultaneous connection.
    Broadband routers often use this feature, sometimes labelled "DMZ host", to allow a designated computer to accept all external connections even when the router itself uses the only available external IP address.

NAT
• NAT with port translation comes in two sub-types:
  – source address translation (source NAT), which re-writes the IP address of the computer which initiated the connection
  – destination address translation (destination NAT).
• In practice, both are usually used together in coordination for two-way communication.

NAT
• NAT traversal refers to a solution to the common problem in TCP/IP networking of establishing connections between hosts in private TCP/IP networks which use NAT devices.
• This problem is typically faced by developers of client-to-client networking applications, especially in peer-to-peer and VoIP. NAT-T is commonly used by IPsec VPN clients in order to have ESP packets go through NAT.
• Many techniques exist, but no technique works in every situation since NAT behavior is not standardized.

NAT
• Many techniques require a public server on a well-known globally reachable IP address.
  – Some methods use the server only when establishing the connection (such as STUN), while
  – others are based on relaying all the data through it (such as TURN), which adds bandwidth costs and increases latency, detrimental to conversational VoIP applications.
• Most NAT behavior-based techniques fail to preserve enterprise security policies and break end-to-end transparency.

Some NAT types
• With full cone NAT, also known as one-to-one NAT, all requests from the same internal IP address and port are mapped to the same external IP address and port.
• An external host can send a packet to the internal host by sending a packet to the mapped external address.

Some NAT types
• With restricted cone NAT, all requests from the same internal IP address and port are mapped to the same external IP address and port.
• Unlike a full cone NAT, an external host can send a packet to the internal host only if the internal host had previously sent a packet to it.

Some NAT types
• Port restricted cone NAT is like a restricted cone NAT, but the restriction includes port numbers.
• Specifically, an external host can send a packet to a particular port on the internal host only if the internal host had previously sent a packet from that port to the external host.

Some NAT types
• With symmetric NAT, all requests from the same internal IP address and port to a specific destination IP address and port are mapped to a unique external source IP address and port.
• If the same internal host sends a packet with the same source address and port to a different destination, a different mapping is used.
• Only an external host that receives a packet can send a UDP packet back to the internal host.

NAT
• Many NAT implementations follow a port preservation design.
• For most communications, they will use the same values as internal and external port numbers.
• If two internal hosts attempt to communicate with the same external host using the same port number, the external port number used by the second host will be chosen at random.
  – Such a NAT will sometimes be perceived as restricted cone NAT and other times as symmetric NAT.

Firewall
• A firewall is an information technology (IT) security device which is configured to permit, deny or proxy data connections as set and configured by the organization's security policy.
• Firewalls can be hardware based, software based, or both.

Firewall
• A firewall's basic task is to control traffic between computer networks with different zones of trust.
  – Typical examples are the Internet, which is a zone with no trust, and an internal network, which is (and should be) a zone with high trust.
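The PAT and NAT behaviour described in the slides above (port preservation with a randomly chosen port on collision, the full cone / restricted cone / port restricted cone / symmetric mapping rules, and the periodic deletion of unused translations) as a runnable simulation. This is an added example and not code from the slides: the public address, the private addresses, the 1024-65535 port pool and the 300-second idle timeout are constructed values, and the model ignores checksums and TCP state, which a real PAT device must also handle.

```python
"""Simulation of a PAT (NAPT) device.  Added example, not from the slides:
addresses, port pool and timeout are constructed; checksums and TCP state
are deliberately omitted."""
import random

PUBLIC_IP = "203.0.113.1"  # constructed example address (documentation range)


class PatDevice:
    def __init__(self, mode="port_restricted", public_ip=PUBLIC_IP, seed=0):
        if mode not in ("full", "restricted", "port_restricted", "symmetric"):
            raise ValueError(mode)
        self.mode = mode
        self.public_ip = public_ip
        self.rng = random.Random(seed)   # seeded so collisions are reproducible
        self.table = {}      # external port -> (internal ip, internal port)
        self.reverse = {}    # mapping key -> external port
        self.peers = {}      # external port -> {(external ip, external port), ...}
        self.last_used = {}  # external port -> time of the last packet seen

    def _key(self, src, dst):
        # Symmetric NAT keys the mapping on the destination as well, so the same
        # inside socket gets a new external port for every destination it talks to.
        return (src, dst) if self.mode == "symmetric" else src

    def _allocate(self, src, dst):
        key = self._key(src, dst)
        ext = self.reverse.get(key)
        if ext is None:
            ext = src[1]  # port preservation: reuse the inside port if it is free
            if ext in self.table:
                # Collision with another inside host: pick a random free port.
                ext = self.rng.choice([p for p in range(1024, 65536) if p not in self.table])
            self.table[ext] = src
            self.reverse[key] = ext
            self.peers[ext] = set()
        return ext

    def outbound(self, src_ip, src_port, dst_ip, dst_port, now=0):
        """Rewrite the source of a packet leaving the inside network."""
        ext = self._allocate((src_ip, src_port), (dst_ip, dst_port))
        self.peers[ext].add((dst_ip, dst_port))
        self.last_used[ext] = now
        return (self.public_ip, ext, dst_ip, dst_port)

    def inbound(self, src_ip, src_port, dst_ip, dst_port, now=0):
        """Rewrite the destination of a packet arriving from outside.
        Returns None (drop) when no translation exists or when the NAT type
        forbids this sender, which is what makes unsolicited traffic a dead end."""
        if dst_ip != self.public_ip or dst_port not in self.table:
            return None
        peers = self.peers[dst_port]
        if self.mode == "restricted" and src_ip not in {ip for ip, _ in peers}:
            return None
        if self.mode in ("port_restricted", "symmetric") and (src_ip, src_port) not in peers:
            return None
        self.last_used[dst_port] = now
        in_ip, in_port = self.table[dst_port]
        return (src_ip, src_port, in_ip, in_port)

    def expire(self, now, idle=300):
        """Delete translations idle for more than `idle` seconds; returns the count."""
        stale = [p for p, t in self.last_used.items() if now - t > idle]
        for ext in stale:
            for key, port in list(self.reverse.items()):
                if port == ext:
                    del self.reverse[key]
            for d in (self.table, self.peers, self.last_used):
                del d[ext]
        return len(stale)


if __name__ == "__main__":
    pat = PatDevice()
    print(pat.outbound("192.168.1.10", 40000, "198.51.100.7", 80))
    print(pat.outbound("192.168.1.11", 40000, "198.51.100.7", 80))  # collision: random port
    print(pat.inbound("198.51.100.7", 80, PUBLIC_IP, 40000))          # reply is delivered
    print(pat.inbound("198.51.100.99", 80, PUBLIC_IP, 40000))         # unsolicited: None
```

The same `PatDevice` instance behaves like the slides' four NAT types depending on `mode`; the port-preservation case shows why an observer sees a port-preserving NAT as cone-like for the first host and symmetric-like for the second.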
  – The ultimate goal is to provide controlled interfaces between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least privilege principle and separation of duties.

Firewall
• A firewall is also called a Border Protection Device (BPD) in certain military contexts, where a firewall separates networks by creating perimeter networks in a demilitarized zone (DMZ).
• In a BSD context they are also known as a packet filter.
• A firewall's function is analogous to firewalls in building construction.

Firewall Types
• There are three basic types of firewalls depending on:
  – Whether the communication is being done between a single node and the network, or between two or more networks.
  – Whether the communication is intercepted at the network layer, or at the application layer.
  – Whether the communication state is being tracked at the firewall or not.

Firewall Types
• With regard to the scope of filtered communications there exist:
  – Personal firewalls, a software application which normally filters traffic entering or leaving a single computer.
  – Network firewalls, normally running on a dedicated network device or computer positioned on the boundary of two or more networks or DMZs (demilitarized zones).
    • Such a firewall filters all traffic entering or leaving the connected networks.

Firewall Types
• In reference to the layers where the traffic can be intercepted, three main categories of firewalls exist:
  – Network layer firewalls.
    • An example would be iptables.
  – Application layer firewalls.
    • An example would be TCP Wrappers.
  – Application firewalls.
    • An example would be restricting ftp services through the /etc/ftpaccess file.

Network Layer Firewall
• A network layer firewall works as a packet filter by deciding what packets will pass the firewall according to rules defined by the administrator.
• Filtering rules can act on the basis of source and destination address and on ports, in addition to whatever higher-level network protocols the packet contains.
• Network layer firewalls tend to operate very fast, and transparently to users.

Network Layer Firewall
• Network layer firewalls generally fall into two sub-categories, stateful and stateless.
  – Stateful firewalls hold some information on the state of connections (for example: established or not, initiation, handshaking, data, or breaking down the connection) as part of their rules (e.g. only hosts inside the firewall can establish connections on a certain port).
  – Stateless firewalls have packet-filtering capabilities but cannot make more complex decisions on what stage communications between hosts have reached.
    • Stateless firewalls therefore offer less security.
    • Stateless firewalls somewhat resemble a router in their ability to filter packets.

Network Layer Firewall
• Any normal computer running an operating system which supports packet filtering and routing can function as a network layer firewall.
• Appropriate operating systems for such a configuration include Linux, Solaris, BSDs or Windows Server.

Application Layer Firewall
• An application layer firewall is a firewall operating at the application layer of a protocol stack.
• Generally it is a host using various forms of proxy servers to proxy traffic instead of routing it.
• As it works on the application layer, it may inspect the contents of the traffic, blocking what the firewall administrator views as inappropriate content, such as certain websites, viruses, attempts to exploit known logical flaws in client software, and so forth.

Application Layer Firewall
• An application layer firewall does not route traffic on the network layer.
• All traffic stops at the firewall, which may initiate its own connections if the traffic satisfies the rules.
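An added example, not code from the slides, that puts the DMZ connectivity model and the stateful/stateless distinction from the slides above into a small network-layer packet filter. Internal and external hosts may open connections to the DMZ (external ones only to the published service ports), the DMZ may only open connections outward, and everything else is denied. The stateful variant admits a reply only if it belongs to a connection the policy already allowed; the stateless variant has to trust the packet's own flags, which is the weakness the slides point at. The zone address ranges, ports and sample packets are constructed.

```python
"""Three-zone packet filter with optional connection tracking.  Added example,
not from the slides; zone ranges, ports and packets are constructed."""
import ipaddress

# Constructed zone layout: anything outside these ranges counts as "external".
ZONES = {
    "internal": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.168.100.0/24"),
}

# Policy for NEW connections, first match wins; anything unmatched is denied.
# (source zone, destination zone, destination port or None for any, allow?)
POLICY = [
    ("internal", "dmz", None, True),
    ("internal", "external", None, True),
    ("external", "dmz", 80, True),
    ("external", "dmz", 443, True),
    ("external", "dmz", 25, True),
    ("dmz", "external", None, True),
    ("dmz", "internal", None, False),  # a compromised DMZ host is a dead end
]


def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "external"


def new_connection_allowed(src_ip, dst_ip, dst_port):
    src_zone, dst_zone = zone_of(src_ip), zone_of(dst_ip)
    for s, d, port, allow in POLICY:
        if s == src_zone and d == dst_zone and port in (None, dst_port):
            return allow
    return False  # default deny


class ZoneFirewall:
    def __init__(self, stateful=True):
        self.stateful = stateful
        self.conns = set()  # (src_ip, src_port, dst_ip, dst_port) of admitted flows

    def filter(self, src_ip, src_port, dst_ip, dst_port, syn):
        """Return 'ACCEPT' or 'DROP' for one packet; `syn` marks a packet that
        opens a new connection."""
        if self.stateful:
            if (dst_ip, dst_port, src_ip, src_port) in self.conns:
                return "ACCEPT"  # reply on a connection we admitted earlier
            if not syn:
                return "DROP"    # mid-stream packet with no state: unsolicited
        elif not syn:
            # A stateless filter cannot tell a genuine reply from a forged one;
            # the classic "allow established" rule simply trusts the flag.
            return "ACCEPT"
        if new_connection_allowed(src_ip, dst_ip, dst_port):
            if self.stateful:
                self.conns.add((src_ip, src_port, dst_ip, dst_port))
            return "ACCEPT"
        return "DROP"


if __name__ == "__main__":
    for stateful in (True, False):
        fw = ZoneFirewall(stateful=stateful)
        fw.filter("10.1.1.5", 50000, "192.168.100.10", 80, syn=True)
        # A DMZ host sending a non-SYN packet from port 80 to an internal host
        # that never talked to it: only the stateful filter drops it.
        print("stateful" if stateful else "stateless",
              fw.filter("192.168.100.10", 80, "10.1.1.6", 50000, syn=False))
```

The two verdicts printed at the end are the whole argument of the "stateless firewalls therefore offer less security" bullet: with connection tracking the reply-shaped packet from the DMZ is dropped because no internal host opened that flow; without it, the filter has nothing to check beyond the flag.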
Application Firewall
• An application firewall limits the access which software applications have to the operating system services, and consequently to the internal hardware resources found in a computer, much as a car firewall limits access of heat, or even fire, to the passengers of the vehicle.
• The reason that application firewalls are needed in today's internet and data-sharing world is that the other types of firewalls in existence do not control the execution of data, only the flow of data to the computer's processor.

Proxy
• A proxy server is a computer that offers a computer network service to allow clients to make indirect network connections to other network services.
• A client connects to the proxy server, then requests a connection, file, or other resource available on a different server.
• The proxy provides the resource either by connecting to the specified server or by serving it from a cache.
• In some cases, the proxy may alter the client's request or the server's response for various purposes, usually to view websites normally not allowed.

Web Proxy
• Proxies that attempt to block offensive web content are implemented as web proxies.
• Other web proxies reformat web pages for a specific purpose or audience; for example, Skweezer reformats web pages for cell phones and PDAs.
• Network operators can also deploy proxies to intercept computer viruses and other hostile content served from remote web pages.

Intercepting Proxy
• An intercepting proxy, often incorrectly called a transparent proxy (also known as a forced proxy), combines a proxy server with NAT. Connections made by client browsers through the NAT are intercepted and redirected to the proxy without client-side configuration (or often knowledge).

Intercepting Proxy
• Intercepting proxies are commonly used in businesses to prevent avoidance of acceptable use policy, and to ease administrative burden, since no client browser configuration is required.
• Intercepting proxies are also commonly used by Internet Service Providers in many countries in order to reduce upstream link bandwidth requirements by providing a shared cache to their customers.

Open Proxy
• An open proxy is a proxy server which will accept client connections from any IP address and make connections to any Internet resource.
• Generally, a proxy server allows users within a network group to store and forward internet services such as DNS or web pages so that the bandwidth used by the group is reduced and controlled.
• With an "open" proxy, however, any user on the Internet is able to use this forwarding service.
• Because proxies might be used for abuse, system administrators have developed a number of ways to refuse service to open proxies.

Reverse Proxy
• A reverse proxy is a proxy server that is installed in the neighborhood of one or more web servers. All traffic coming from the Internet and with a destination of one of the web servers goes through the proxy server.

Reverse Proxy
• Typically, reverse proxies are utilized in front of webservers.
• All connections coming from the Internet addressed to one of the webservers are routed through the proxy server, which may either deal with the request itself or pass the request wholly or partially to the main webserver.
• Contrast this with a 'forward proxy', which is a proxy server configured in the end-user's browser.
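An added example, not code from the slides, of the reverse-proxy behaviour described above as an in-memory model: requests arriving for the public site are routed by path prefix to one of two internal web servers, static content is answered from the proxy's own cache so the backends never see repeat requests for it, and internal backend URLs in responses are rewritten back to the externally known form so that internal hostnames do not leak to clients. The public hostname, backend names, paths and response bodies are all constructed, and a dictionary stands in for the HTTP requests a real proxy would make.

```python
"""In-memory model of a reverse proxy: prefix routing, static-content cache and
URL rewriting.  Added example, not from the slides; all names are constructed."""

PUBLIC_BASE = "https://www.example.com"  # constructed public hostname

# External path prefix -> internal backend base URL (constructed names).
ROUTES = {
    "/shop/": "http://app1.internal:8080/",
    "/": "http://web1.internal:8080/",
}
STATIC_SUFFIXES = (".png", ".jpg", ".css", ".js")


def route(path):
    """Longest-prefix match of an external path onto an internal URL."""
    for prefix in sorted(ROUTES, key=len, reverse=True):
        if path.startswith(prefix):
            return ROUTES[prefix] + path[len(prefix):]
    raise KeyError(path)  # ROUTES contains "/", so only odd input reaches this


def rewrite_internal_urls(body):
    """Translate internal locations in a response back to the external URLs,
    the reverse of the mapping the proxy applied on the way in."""
    for prefix, backend in ROUTES.items():
        body = body.replace(backend, PUBLIC_BASE + prefix)
    return body


class ReverseProxy:
    def __init__(self, backends):
        # backend URL -> response body; stands in for real HTTP requests to the
        # web servers behind the proxy
        self.backends = backends
        self.cache = {}
        self.backend_requests = 0

    def handle(self, path):
        """Serve one client request and return the response body."""
        if path in self.cache:
            return self.cache[path]  # static content served without backend load
        target = route(path)
        self.backend_requests += 1
        body = rewrite_internal_urls(self.backends[target])
        if path.endswith(STATIC_SUFFIXES):
            self.cache[path] = body
        return body


if __name__ == "__main__":
    # Constructed backend responses; the first one embeds an internal link.
    backends = {
        "http://app1.internal:8080/cart": '<a href="http://app1.internal:8080/checkout">Checkout</a>',
        "http://web1.internal:8080/logo.png": "PNGDATA",
    }
    proxy = ReverseProxy(backends)
    print(proxy.handle("/shop/cart"))   # link now points at www.example.com/shop/
    proxy.handle("/logo.png")
    proxy.handle("/logo.png")           # second hit comes from the cache
    print("backend requests:", proxy.backend_requests)
```

Only content whose path ends in one of `STATIC_SUFFIXES` is cached, so dynamic pages such as the cart still reach the backend on every request; that is the split the "caching static content" reason relies on.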
Reverse Proxy
• There are several reasons for installing reverse proxy servers:
  – Security: the proxy server is an additional layer of defense and therefore protects the webservers further up the chain.
  – Encryption / SSL acceleration: when secure websites are created, the SSL encryption is sometimes not done by the webserver itself, but by a reverse proxy that is equipped with SSL acceleration hardware.
  – Load distribution: the reverse proxy can distribute the load to several servers, each server serving its own application area. In the case of reverse proxying in the neighborhood of webservers, the reverse proxy may have to rewrite the URLs in each webpage (translation from externally known URLs to the internal locations).

Reverse Proxy
  – Caching static content: a reverse proxy can offload the webservers by caching static content, such as images. Proxy caching of this sort can often satisfy a considerable amount of website requests, greatly reducing the load on the central web server.
  – Compression: the proxy server can optimize and compress the content to speed up the load time.
  – Spoon feeding: if a program on the webserver is producing the webpage, the webserver can generate it, serve it to the reverse proxy and then close the program; the reverse proxy then spoon-feeds the page to clients however slowly they need it, rather than the webserver having to keep the program open while slow clients are served.

Split Proxy
• A split proxy is effectively a pair of proxies installed across two computers. Since they are effectively two parts of the same program, they can communicate with each other in a more efficient way than they can communicate with a more standard resource or tool such as a website or browser.

Split Proxy
• This is ideal for compressing data over a slow link, such as a wireless or mobile data service, and also for reducing the issues regarding high latency links (such as satellite internet) where establishing a TCP connection is time consuming.
  – Taking the example of web browsing, the user's browser is pointed to a local proxy which then communicates with its other half at some remote location. This remote server fetches the requisite data, repackages it and sends it back to the user's local proxy, which unpacks the data and presents it to the browser in the standard fashion.

IDS
• An intrusion detection system (IDS) generally detects unwanted manipulations to computer systems, mainly through the Internet.
• The manipulations may take the form of attacks by skilled malicious hackers, or script kiddies using automated tools.

IDS
• An intrusion detection system is used to detect all types of malicious network traffic and computer usage that can't be detected by a conventional firewall.
• This includes
  – network attacks against vulnerable services
  – data driven attacks on applications
  – host based attacks such as privilege escalation, unauthorized logins and access to sensitive files
  – malware (viruses, trojan horses, and worms).

IDS
• An IDS is composed of several components:
  – Sensors, which generate security events,
  – a Console to monitor events and alerts and control the sensors, and
  – a central Engine that records events logged by the sensors in a database and uses a system of rules to generate alerts from security events received.

IDS
• There are several ways to categorize an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts.
• In many simple IDS implementations all three components are combined in a single device or appliance.

IDS
• In a network-based intrusion-detection system (NIDS), the sensors are located at choke points in the network to be monitored, often in the demilitarized zone (DMZ) or at network borders.
• The sensor captures all network traffic and analyzes the content of individual packets for malicious traffic.
• Protocol-based (PIDS) and application protocol-based (APIDS) systems monitor the transport and application protocols for illegal or inappropriate traffic or language constructs (for example, SQL).

IDS
• A network intrusion detection system is an independent platform which identifies intrusions by examining network traffic and monitors multiple hosts.
• Network Intrusion Detection Systems gain access to network traffic by connecting to a hub, a network switch configured for port mirroring, or a network tap.
• An example of a NIDS is Snort.

IDS
• In a host-based system, the sensor usually consists of a software agent, which monitors all activity of the host on which it is installed.

IDS
• A host-based intrusion detection system (HIDS) is an intrusion detection system that focuses its monitoring and analysis on the internals of a computing system rather than on its external interfaces (as a network intrusion detection system (NIDS) would do).

Protocol Based IDS (PIDS)
• A protocol-based intrusion detection system consists of a system or agent that would typically sit at the front end of a server, monitoring and analyzing the communication protocol between the server and a connected device (a user/PC or system).
• For a web server this would typically monitor the HTTPS protocol stream and understand the HTTP protocol relative to the web server/system it is trying to protect. Where HTTPS is in use, this system would need to reside in the "shim" or interface between where HTTPS is un-encrypted and immediately prior to it entering the web presentation layer.

Application Protocol-Based IDS
• An application protocol-based intrusion detection system consists of a system or agent that would typically sit within a group of servers, monitoring and analyzing the communication on application specific protocols.
• For example, in a web server with a database this would monitor the SQL protocol specific to the middleware/business logic as it transacts with the database.
Hybrid IDS
• A hybrid intrusion detection system combines one or more approaches.
• Host agent data is combined with network information to form a comprehensive view of the network.

Passive vs. Reactive IDS
• In a passive system, the IDS sensor detects a potential security breach, logs the information and signals an alert on the console.
• In a reactive system, also known as an intrusion prevention system (IPS), the IDS responds to the suspicious activity by resetting the connection or by reprogramming the firewall to block network traffic from the suspected malicious source. This can happen automatically or at the command of an operator.
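The sensor / engine / console split and the passive-versus-reactive distinction from the IDS slides above, as an added example that is not code from the slides. A minimal engine applies two kinds of rule to packet records handed to it by a sensor: content signatures matched against the payload, and a threshold rule that flags one source touching many distinct destination ports within a short window. In passive mode an alert is only appended to the console feed; in reactive (IPS) mode the engine additionally records the source as blocked, standing in for reprogramming the firewall, and drops that source's later packets. The two signatures, the 5-port / 10-second threshold and the sample traffic are constructed for illustration and are not real rule-set content.

```python
"""Minimal signature-plus-threshold IDS engine with passive and reactive modes.
Added example, not from the slides; rules, thresholds and traffic are constructed."""
import re
from collections import defaultdict

# Constructed content signatures in the spirit of a NIDS rule set (not real rules).
SIGNATURES = [
    ("sql-injection-attempt", re.compile(r"(?i)union\s+select|'\s*or\s+'1'\s*=\s*'1")),
    ("path-traversal-attempt", re.compile(r"\.\./\.\./")),
]
SCAN_PORTS = 5      # distinct destination ports from one source ...
SCAN_WINDOW = 10.0  # ... within this many seconds is reported as a port scan


class IdsEngine:
    def __init__(self, reactive=False):
        self.reactive = reactive
        self.alerts = []                       # console feed: (time, rule, src)
        self.blocked = set()                   # sources the IPS has cut off
        self.port_history = defaultdict(list)  # src -> [(time, dst_port)]

    def process(self, pkt):
        """Classify one packet record; returns 'PASS', 'ALERT' or 'DROP'."""
        t, src, dport = pkt["time"], pkt["src"], pkt["dport"]
        payload = pkt.get("payload", "")
        if src in self.blocked:
            return "DROP"  # reactive mode: everything from a blocked source is dropped
        hits = [name for name, rx in SIGNATURES if rx.search(payload)]
        # Threshold rule: many distinct ports from one source in a short window.
        hist = self.port_history[src]
        hist.append((t, dport))
        recent = {p for ts, p in hist if t - ts <= SCAN_WINDOW}
        if len(recent) >= SCAN_PORTS:
            hits.append("port-scan")
            hist.clear()  # report once per burst rather than on every further packet
        for name in hits:
            self.alerts.append((t, name, src))
        if not hits:
            return "PASS"
        if self.reactive:
            self.blocked.add(src)  # stands in for reprogramming the firewall
            return "DROP"
        return "ALERT"


def run(engine, packets):
    """Feed a sensor's packet records through the engine; returns the verdicts."""
    return [engine.process(p) for p in packets]


# Constructed sample traffic: one web client that sends an injection-shaped
# request between two normal ones, then a second source that probes six ports.
SAMPLE_TRAFFIC = [
    {"time": 0.0, "src": "198.51.100.7", "dport": 80, "payload": "GET /index.html HTTP/1.1"},
    {"time": 1.0, "src": "198.51.100.7", "dport": 80, "payload": "GET /item?id=1' OR '1'='1 HTTP/1.1"},
    {"time": 2.0, "src": "198.51.100.7", "dport": 80, "payload": "GET /about HTTP/1.1"},
] + [
    {"time": 3.0 + i * 0.1, "src": "203.0.113.9", "dport": 20 + i, "payload": ""}
    for i in range(6)
]

if __name__ == "__main__":
    for reactive in (False, True):
        engine = IdsEngine(reactive=reactive)
        print("reactive" if reactive else "passive", run(engine, SAMPLE_TRAFFIC))
        print("  alerts:", [(rule, src) for _, rule, src in engine.alerts])
```

Run as a script it prints the same two alerts in both modes; the difference is that the passive engine lets the third request and the sixth probe through, while the reactive one drops them because their sources were blocked by the preceding alert. That is the operational trade-off of an IPS: a false positive in the signature does not just page an operator, it cuts a source off.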