The needs of businesses and their networks are evolving daily. Even in this time of recession, many corporations that have not previously had an Internet presence are considering such a presence to increase sales, service and customer support. Many small, static websites are being upgraded to offer all kinds of dynamic information. We have almost fully entered the information age.
What does this mean to the systems administrators and network engineers working for these companies? This means that these companies will be using the talents of their IT staffs more and more to increase visibility and sales. This means that the IT staff is no longer limited to worrying about an internal network and/or a very separate web presence solution. Businesses want to integrate more dynamic websites with resources on their internal networks so that they will be able to better service their customers.
These services can offer customers an excellent support and knowledge base, for a price. The price is security, and the cost is directly proportional to the sensitivity of the information that is to be made available. The challenge comes when designing an effective, efficient, secure solution.
When one takes on designing this type of network solution, one needs to consider all of the variables. What internal resources, if any, need to be shared? Where should machines be located in relation to the firewall, the DMZ (demilitarized zone) or exposure to the Internet. What will the workloads and responsibilities of machines be? What types of connections will need to be made between what machines?
First of all, keeping in mind that sensitive data is usually stored in internal networks (rather than on web servers, etc…), a secure firewall, or firewalls with a DMZ, will usually be necessary. In the case of a DMZ, typically there will be a firewall between machines in the DMZ and the Internet, along with another firewall between the machines in the DMZ and the internal network. This places the DMZ in between the two firewalls so as to have, in theory, complete control of who has access to the internal network from the Internet. This way, someone trying to break in to your internal network will have to be able to compromise one machine in the DMZ (behind the external firewall) and then still have another firewall to get through. That is, unless they have somehow “rooted” or “cracked” the box in the DMZ, in which case they might already have access to the internal network, depending on configuration of that machine and the internal firewall, of course.
Resources will still be able to be shared, however you need to be in control of who has access to these resources. The only way to be reasonably sure that your internal resources are secure is to establish a firewall that allows no external connections to the internal network from the outside (between the DMZ and the internal network). Once you are sure that this firewall is working, you can then loosen restrictions according to what services you will need to provide. This prevents you from leaving anything open that should not be left open. Later, once you have configured access from the DMZ to the internal network, this same approach can be used for configuring the external firewall.
The reason for doing this in this manner is so that you are sure that any unnecessary services are not available to the outside, thus making your network all that more secure. A common method for establishing secure communications to an internal network will involve the placement of some type of secure server (or group of machines- a.k.a. cluster) in the DMZ that is the only machine (or group of machines) that has any access to the internal network. This may be a VPN server, or some other type of authentication server. Either way, this machine will handle authentication of outside sources for access to the internal network.
The machine that is used for authentication will also be multi-homed, which simply means that it will have more than one network card installed. Routing, upon authentication, will be enabled between the two NICs (and as a result, the two firewalls; internal and external). Both network adapters will have unique IP addresses with one connecting to the external firewall to be used for external communication, and one connecting to the internal firewall for access to the internal network. Using a private addressing scheme on the internal network along with the second network adapter in your authentication server enhances security by utilizing IP addresses that are not available on the Internet and therefore cannot be routed by the Internet.
Much of what is being discussed here could be avoided by setting up your own dial-up server using something like RADIUS to handle external connections; however, this is usually cost prohibitive due to toll charges, not to mention the slow speeds usually associated with a dial-up connection. On the other hand, most people have access to the Internet thus making it the more practical choice to use a logon server, albeit a bit more difficult to incorporate.
Jay Fougere is the IT manager for the Murdok network. He also writes occasional articles. If you have any IT questions, please direct them to Jay@https://murdok.org.
