Getting Control of an Existing Network

A Typical High End Company Network (network diagram not reproduced in this text)

Determine What You Are Responsible For

Draw a picture of your network, paying particular attention to where the borders are. Start with your connection (or connections) to your ISP. Then move to your router, and then your firewall. It's possible to have a router acting as a firewall (via packet filtering) or a firewall acting as a router (perhaps an OpenBSD or FreeBSD or Linux box.)

The purpose of drawing this map is to find the control points. These exist between IP networks. These choke points are where you can control access into and out of your company network. You can also monitor traffic at these points to determine what your traffic mix is.

In general, there are two things to keep in mind. First, there is other stuff: the rest of the Internet. You don't have to worry about it. Next there is my stuff; you have to worry about this. Of the stuff you have to worry about, there are two subsets--workstations, or internal company IP Addresses, and the so-called DMZ, or externally addressable IP Addresses.

There may not be a physically separate "DMZ" network area. Instead, there may be certain machines directly in the company's internal IP Address space that are reachable from the outside world. This is not a good idea, but it is done very frequently. Provided you have set your firewall filters up properly, this setup is only as good as the security of the "service" that is accessible via the Net.

Services

A service runs on a machine that speaks TCP/IP (for our purposes.) A service may be "SMTP" (mail), "DNS" (Domain Name Service), NNTP (Usenet news), MySQL (a database), or any program that creates a socket and listens for requests. A socket is one end of a TCP/IP connection and is described by an IP Address and Port Number. There is a list of "well known port numbers" for all of the programs that make up the popular internet services, such as 25 for mail, 23 for telnet, 7 for echo, 53 for DNS, 80 for HTTP, etc.

Each service you run becomes a potential entry point for a hacker. By allowing incoming TCP/IP connections for a particular service, you are allowing someone from the outside world to connect to that machine. The problem occurs when the service (say Microsoft's IIS web server) has security problems that the hackers know about. Depending on the problem, a hacker may be able to connect and send a packet designed to make the service do something unintended.

Router Access List

The router access list is there to protect the router. Even if you have a situation where the router and firewall are one and the same, it is still a good idea to think of the access lists or filters in two parts. If you are using a Cisco, then use Cisco's recommendations. Make sure all services that the router offers that are not related to routing are either turned off or screened from outside access. The less it does, the better off you are.

As an example, Cisco began including a web server as part of their router in order to make the configuration of the router easier. The problem with this is twofold. First, it is really not necessary. You can configure the router via other means. Second, there were problems with it that enabled outsiders to subvert it. In general, try to keep both the firewall and the router lean, running few services. If you run services such as httpd, make sure that they are not accessible from the outside, or maybe only from certain IP addresses on the inside.

Firewall Access List

The firewall access list is your way of enforcing whatever your policies are. If you expect your network to work a certain way, the firewall is where you can make sure it will work that way. You can control both incoming and outgoing traffic. You can track traffic. You can allow or disallow services. The firewall itself should be running a minimum of services. Any service that is running on a box is a potential entry into that box. If you choose to run something like FreeBSD or OpenBSD, then turn off everything you don't need--such as DNS, mail, POP, IMAP, etc.

What To Allow In

We will talk more about this as we go on, but once you have identified the points where you are going to enforce your security policies, you need to determine what sorts of traffic you are going to allow in (and out.) While controlling the outgoing traffic is important as well, the vast majority of security problems we see stem from what traffic people allow in, and what services they choose to run. Make sure your firewall denies all incoming traffic and then allows in only the services that you require.
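As an added example (not from the original text), here is how the deny-everything-then-allow-what-you-need policy above, together with the internal/DMZ split described earlier, could be written as an OpenBSD pf ruleset. The interface names, address ranges and host addresses are constructed placeholders.

```conf
# Constructed example: three-legged firewall (ISP link, internal workstations, DMZ).
# Interface names and addresses are placeholders, not values from the page.
ext_if = "em0"          # toward the ISP
int_if = "em1"          # internal workstations
dmz_if = "em2"          # externally reachable servers
internal_net = "192.168.1.0/24"
dmz_net      = "203.0.113.0/28"
mail_srv     = "203.0.113.2"
dns_srv      = "203.0.113.3"
web_srv      = "203.0.113.4"
admin_host   = "192.168.1.10"

set skip on lo0

# Policy: every packet is denied unless a later rule passes it. Logging the
# drops makes the choke point double as a monitoring point.
block log all

# Never accept packets from the ISP side that claim one of our own addresses.
block in quick on $ext_if from { $internal_net, $dmz_net } to any

# The firewall box itself: only ssh from one admin workstation. Anything else
# aimed at the firewall's own addresses is dropped before the rules below apply.
pass in quick on $int_if proto tcp from $admin_host to ($int_if) port 22 keep state
block in quick from any to self

# Inbound from the Internet: only the DMZ services we actually offer.
pass in on $ext_if proto tcp          from any to $mail_srv port 25 keep state
pass in on $ext_if proto { tcp, udp } from any to $dns_srv  port 53 keep state
pass in on $ext_if proto tcp          from any to $web_srv  port 80 keep state

# DMZ servers may start only the connections their role needs, and never
# toward the internal network (a compromised DMZ host stays in the DMZ).
pass in on $dmz_if proto tcp          from $mail_srv to ! $internal_net port 25 keep state
pass in on $dmz_if proto { tcp, udp } from $dns_srv  to ! $internal_net port 53 keep state

# Internal workstations may initiate outbound connections; nothing unsolicited
# reaches them because no "pass in on $ext_if" rule names their addresses.
pass in on $int_if from $internal_net to any keep state

# Outbound legs of the connections passed above; replies are matched by state.
pass out all keep state
```

Check the syntax with `pfctl -nf /etc/pf.conf` before loading it for real without `-n`.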