Monday, March 06, 2006

The castle as a model for network security

This post was transferred from my original blog

If we're going to have bastion hosts and gatekeepers, then let's have some more castle vocabulary. Also, I'm starting to move to a rather different model from the traditional perimeter security model.

Traditional perimeter security means identifying each point on your network where there is a connection to the outside world and either securing it (usually by putting a firewall in front of it) or disconnecting it.

With pervasive wireless networking (and we're going to have mesh wireless sooner or later), with more and more homeworkers on VPNs, with laptops getting network connections outside of the office, the perimeter is much more permeable than it used to be.

Now, I don't think we should scrap perimeter security altogether - it's still the case that the vast majority of nodes are desktop PCs or laptop PCs with normal ethernet connections, either 802.2 wired or 802.11 wireless, not VPNs or meshed networks or whatever.

However, I do think that secure network designers should be looking at multi-layered security, and doing something about the insecurity of the mass of devices.

If we assume that client devices are on a semi-secure network, then we can build a much more secure paradigm, something like this:

Imagine a castle: a proper mediaeval castle. Castles have an outer wall (usually called a "curtain wall") which protects two areas: the ward and the keep. The keep is the last defence and the most secure area; the ward is the open area within the wall but outside the keep.

So, my proposal is to have a keep, where you have your most important nodes - in a normal business network, these will be the business servers. Place some security device between these and the ward network: the generality of the network, where the client devices are. This is still inside the private network, i.e. not part of the DMZ. However, the ward would include wireless networks. Also, there are all sorts of security risks here, e.g. Bluetooth devices on the network, various kinds of connected mobile phones. Remember it only takes one GPRS connection on one mobile phone attached to a PC to breach conventional perimeter security. However, the keep would be wired-only, physically-secured, and behind a packet filter that only permits client-server traffic, rather than server-to-server stuff. If you have multiple physical sites, you can either run the inter-site connections within the keep (probably makes sense) or you put them outside and then use VPNs between the separate keeps for server-to-server communication (e.g. AD replication, DNS zone transfers, FRS, etc.)

The reason I propose a simple packet filter on the keep is performance. This filter will have to run at gigabit speeds or higher. One possibility is to have a separate VLAN and use filtering in Layer 3 switches between the VLANs.
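To make the keep filter concrete, here is its decision logic as a stateless check of the kind a Layer 3 switch ACL performs. This is an added illustration, not code from the original post; the subnets, the published service list and the function names are assumptions.

```python
from ipaddress import ip_address, ip_network

# Constructed addressing plan (assumption, not from the post).
KEEP = ip_network("10.10.0.0/24")   # business servers: wired, physically secured
WARD = ip_network("10.20.0.0/16")   # client devices, including wireless
# Assumed services the keep publishes to ward clients.
SERVICES = {("tcp", 443), ("tcp", 445), ("udp", 53)}

def zone(addr):
    a = ip_address(addr)
    if a in KEEP:
        return "keep"
    if a in WARD:
        return "ward"
    return "outside"

def filter_decision(src, dst, proto, sport, dport, tcp_ack=False):
    """Decide one packet at the keep boundary without connection state."""
    s, d = zone(src), zone(dst)
    # The filter only sees packets with exactly one end in the keep.
    # Server-to-server traffic stays inside it; ward-to-ward never arrives.
    if (s == "keep") == (d == "keep"):
        return "not-seen"
    if s == "ward" and d == "keep":
        # Client request: allowed only to a published service port.
        return "permit" if (proto, dport) in SERVICES else "deny"
    if s == "keep" and d == "ward":
        # Reply traffic: must come from a published service port, and TCP
        # must carry ACK. This is the stateless stand-in for "established";
        # a bare SYN from a server to a client is refused.
        is_reply = (proto, sport) in SERVICES and (proto == "udp" or tcp_ack)
        return "permit" if is_reply else "deny"
    return "deny"  # anything that is neither ward nor keep on the far side

if __name__ == "__main__":
    # Constructed sample packets: (src, dst, proto, sport, dport, tcp_ack)
    samples = [
        ("10.20.5.9", "10.10.0.5", "tcp", 50000, 445, False),   # client request
        ("10.10.0.5", "10.20.5.9", "tcp", 445, 50000, True),    # server reply
        ("10.10.0.5", "10.20.5.9", "tcp", 445, 50000, False),   # server-initiated
        ("10.20.5.9", "10.10.0.5", "tcp", 50000, 3389, False),  # unpublished port
        ("203.0.113.7", "10.10.0.5", "tcp", 50000, 443, False), # from outside
    ]
    for pkt in samples:
        print(pkt, "->", filter_decision(*pkt))
```

Because the filter keeps no state, the reply rule trusts the source port and ACK flag, which is acceptable only because the keep side is the trusted one.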

Of course, the extreme example of a keep/ward architecture would be to require a VPN connection from each client device to the keep. This would prevent client-client connections altogether.

Anyway, it's more the conceptual stuff that's valuable (just as thinking of a DMZ and bastion hosts helps identify where to create chokepoints) than specific technology stuff which will be out of date in no time.
