Network Topology How topology decisions affect speed/availability/security/cost/etc.
Metrics for judging network design • Cost • $$$ • Bandwidth • Maintenance hours • Clock cycles • Electricity • Space • Cooling requirements • Others ... • Security • Confidentiality • Integrity • Availability • Authenticity • Non-repudiation Biggest design trade-off: Availability vs. Confidentiality
Dynamic vs. static addressing* Recommended settings: All workstations dynamic, all servers static. Workstation Dynamic Workstation Dynamic • Dynamic addresses: • Allow machines to be easily added and removed • Simplifies management, reduces errors • Static addresses: • Must/should be used for some servers • Reduces traffic for other servers (e.g. arp queries, DNS lookups) • Can be set in /etc/network/interfaces file Workstation Dynamic Gateway Router Static DHCP server Static DNS server Static Fileserver Either (Static recommended. Dynamic possible with discovery/DNS.) Webserver Either (Static recommended. Dynamic possible with DNS.) Mailserver Either (Static recommended. Dynamic possible with DNS.)
Network “Attack Surface”* Each available port is theoretically open to attack IP: 126.96.36.199 Ports: 1-65535 Webserver IP: 188.8.131.52 ISP/Internet Router w/o NAT Switch IP: 184.108.40.206 Ports: 1-65535 DNS server IP: 220.127.116.11 Ports: 1-65535 Workstation IP: 18.104.22.168 Ports: 80, 443 Webserver IP: 22.214.171.124 ISP/Internet Router w/ NAT IP: 126.96.36.199 Port: 53 Switch DNS server IP: 188.8.131.52 Ports: None Workstation
Basic Network Attacks“Front door” vs. “Back door” • “Front door” attack originates from outside the network. Assume that the only open port on the router is 80, which goes to webserver • Attacker finds an exploitable bug in the webserver. • Attacker sends a packet that contains code that creates a shell between attacker and webserver • Attacker uses the shell to “pivot” to the workstation and fileserver Webserver ISP/Internet Router w/ NAT Switch Fileserver Workstation * “Pivot” – to attack a device and gain a foothold (e.g. a shell) then use that foothold to attack other visible devices (ssh/telnet/metasploit/etc.).
Basic Network Attacks“Front door” vs. “Back door” • “Back door” attack originates from inside the network. • Attacker sends an email with a malicious attachment • A workstation user clicks the attachment and runs the code • The code opens a connection to the hacker • The hacker now has a shell on the workstation and can install more software or pivot to other machines Webserver ISP/Internet Router w/ NAT Switch Fileserver Workstation
Most basic topology* All servers & workstations in the ISP’s subnet* All IPs are visible to Internet Workstation Workstation ISP/Internet Router w/o NAT Switch Workstation Webserver Fileserver • PRO: • All IPs are easily accessible from anywhere in the world (Maximum Availability) • Low hardware costs • CON: • All IPs are easily accessible from anywhere in the world (Minimum Confidentiality) • Can access every port on every IP remotely • Very large attack surface • Cost of buying one IP address for each device WAP* * (WAP)Wireless Access Point
Adding NAT* All servers & workstations in a single private subnet* Subnet IPs are hidden from Internet* The subnet appears as a single IP address for the router Workstation Workstation ISP/Internet Router w/ NAT Switch Workstation Webserver Fileserver WAP • PRO: • Much smaller attack surface than previous slide • Only a few IP/port pairs are accessible through router • CON: • All IPs are in the same subnet. An attacker who pwns one box can pivot to the others.
Multiple isolated networks* Public servers are in blue subnet* Private servers & workstations are in green subnet Webserver Router w/ NAT Router w/ NAT Switch ISP/Internet Router w/ NAT Switch WAP Fileserver • PRO: • An attack against one network will not grant access to the other • CON: • Extra Internet IP address is required • Extra routers, switches, licenses, etc. are required • Maintenance-intensive • Difficult to give special priviliges on bluenet from greennet machines Workstation Workstation Workstation
One network with a DMZ* Public servers are in blue subnet* Private servers & workstations are in green subnet Webserver ISP/Internet Router w/ NAT Router w/ NAT Switch WAP • PRO: • An attack against the public webserver will not grant access to workstations or the private fileserver • CON: • An extra router is required • “Double-NATing” of green subnet • Complexity increases chance of misconfigurations • Fileserver no longer available from outside LAN • WAP is a big target for attacks – will allow attacker to pivot to fileserver or workstations Fileserver Switch Workstation Workstation Workstation
Moving WAP to DMZ* Wireless devices can now only connect to the public (blue) subnet WAP Webserver ISP/Internet Router w/ NAT Router w/ NAT Switch Fileserver Switch Workstation • PRO: • An attacker can no longer access the private fileserver after attacking the WAP (Confidentiality UP) • CON: • Mobile users no longer have access to the private fileserver(Availability DOWN) • Attacker can still pivot from WAP to webserver Workstation Workstation
Single router with multiple subnets* WAP is moved to its own (purple) subnet Webserver WAP ISP/Internet Router w/ NAT Fileserver Switch Workstation • PRO: • Increased separation of devices makes it difficult for attacker to pivot • Fewer routers • CON: • More complex & expensive router required • Router rules are more complex, easier to misconfigure Workstation Workstation
How many server applications per physical server? Webserver Fileserver Webserver, Fileserver, DNS, DHCP, FTP DNS DHCP FTP • PRO: • Can buy smaller servers for each task • Can put servers in different subnets • Security: • Only 2-3 ports open per machine • Much easier to find attacks in logfiles & create firewall rules • A successful attack against one service does not grant control over all services • PRO: • Fewer physical servers to buy & maintain • Reduced cost, space, electrical req. • Security: • Only one box to patch • Fewer passwords to forget
Initial plan for class networks* Each group of 4 will build the following: Webserver Email server SI455 internet Router w/ NAT Switch DNS FTP Router w/ NAT Authentication Server DHCP Switch Fileserver • Bluenet: • Public – services available to other groups • Greennet: • Private – services available only to user workstations Workstation Workstation Workstation Workstation