In the Internet age security is always in the news. We hire people and make their jobs dependent on our company's network security. We rely on devices like home routers to protect our personal PCs from hackers, and we give companies like Cisco and Juniper large amounts of money to protect us.
I personally have been using Linux based firewalls to protect both company and personal networks successfully for the past ten years but there are security experts that think I’m crazy. There are many aspects to network security which include knowing and trusting the people you work with. In a small company that is an achievable task but it is not practical as the company grows.
When it comes to network security I tend to look in out of the way places for solutions. The guys who spend countless hours trying to breach firewalls tend to use Linux based firewalls to protect their network assets. I would suggest to you that they are motivated by the same things that most of us are motivated by. If they are going to spend time cracking a firewall they will spend their time learning the thing that they will encounter the most.
Windows has been a very popular target, as Windows PCs still make up over 90% of the personal computer market. Hackers are also motivated by the kinds of networks firewalls protect. If most banks use Cisco, for example, and hackers are interested in bank networks, then Cisco becomes the target. So what am I trying to tell you?
Choosing a firewall like Linux iptables is a good idea because it is not common and can be customized in so many different ways that each firewall looks like a different device. It doesn't hurt that iptables is what most hackers use to protect themselves, and it is a well documented fact that iptables is the first firewall to be fixed when exploits are discovered.
What does this have to do with topologies you ask? Good question…
With all the focus on security there are a few things that seem to be slipping through the cracks. The advent of smart phones has moved more and more of the information that hackers are interested in onto these devices. Almost all data-enabled cell phones have NAT'ed IP addresses on a wireless data network protected by the carrier's firewall. Those same cell phones are very frequently allowed to connect to the company's Wi-Fi networks. Apps written for iOS and Android have access to both the Wi-Fi and cellular networks, so it would not be impossible for hackers to use an app to trigger an "inside-out" attack on a corporate network.
The second thing to note here is that with cell phones, the customer gives the responsibility for network security to the service provider. If the carrier’s firewall is compromised, the attacker has access to all the devices it is protecting.
The current trend to provide "cloud based" this, that and the other thing means that those cloud based products and services will be protected by the provider's firewall. With cloud based services that need access to your company network, you are passing corporate network security to the cloud based service provider. Make sure that this is what you want to do and read the contract carefully. Many cloud providers specifically say that they are not responsible for network security.
Another popular use of technology is the Virtual Private Network or VPN. Some companies provide devices that live on both sides of your company's firewall, like Cisco's VCS and VCS-Expressway. Security professionals feel more comfortable with a single VPN tunnel through their high priced firewall. I'm not sure they realize that if the bad guys crack that external device they have a free pass to the corporate network over the VPN tunnel.
If you have a road warrior in a hotel who connects back to the corporate network using a secure VPN tunnel while connected to the hotel Wi-Fi network, the Wi-Fi connection becomes the weakest link. If routing is enabled on the PC and the hacker accesses the PC via Wi-Fi (usually there is no firewall), they are into your corporate network via the PC's router. If you structure your network topology to make sure that remote people are on an isolated network segment, you can protect your most important assets.
If the road warrior has picked up a virus or installed a free program from an app store and then connects to your corporate network via a secure VPN, the software on their PC now has access to your corporate network and can perform an "inside-out" attack. If your corporate network has outbound port restrictions then you are somewhat protected, but the laptop software still has access to the corporate network and can save data locally until the next time it has a clear connection.
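One way to put the two points above into practice with the iptables firewall this post favours: remote VPN users land on their own segment and can reach only the services they need, and the LAN gets outbound port restrictions so an infected laptop cannot phone out on arbitrary ports. This is an added example, not code from the original post; every interface name, subnet and server address in it is an assumption chosen for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: an iptables rule set that keeps
# VPN road warriors on their own segment and limits what leaves the LAN.
# All interfaces and addresses below are assumptions for illustration:
#   tun0  VPN tunnel, clients are given 10.8.0.0/24
#   eth1  corporate LAN, 192.168.10.0/24
#   eth0  Internet uplink
#   192.168.10.20  file server remote users need (SMB, TCP 445)
#   192.168.10.25  mail server (IMAPS 993, submission 587)
VPN_NET=10.8.0.0/24
LAN_NET=192.168.10.0/24
IPT="${IPT:-iptables}"

vpn_segment_rules() {
    # Nothing is forwarded between segments unless a rule below allows it.
    $IPT -P FORWARD DROP
    $IPT -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # VPN clients may reach exactly the two services they need on the LAN.
    $IPT -A FORWARD -i tun0 -s $VPN_NET -d 192.168.10.20 -p tcp --dport 445 -j ACCEPT
    $IPT -A FORWARD -i tun0 -s $VPN_NET -d 192.168.10.25 -p tcp -m multiport --dports 993,587 -j ACCEPT
    # Any other VPN-to-LAN traffic is logged then dropped, so a scan from an
    # infected laptop shows up in the firewall log instead of succeeding.
    $IPT -A FORWARD -i tun0 -s $VPN_NET -d $LAN_NET -j LOG --log-prefix "VPN2LAN-DROP "
    $IPT -A FORWARD -i tun0 -s $VPN_NET -d $LAN_NET -j DROP
    # VPN clients do not get to use the corporate uplink as an exit.
    $IPT -A FORWARD -i tun0 -o eth0 -j DROP
    # Outbound port restrictions for the LAN: web and DNS only, the rest is logged and dropped.
    $IPT -A FORWARD -i eth1 -o eth0 -s $LAN_NET -p tcp -m multiport --dports 80,443 -j ACCEPT
    $IPT -A FORWARD -i eth1 -o eth0 -s $LAN_NET -p udp --dport 53 -j ACCEPT
    $IPT -A FORWARD -i eth1 -o eth0 -j LOG --log-prefix "LAN-EGRESS-DROP "
    $IPT -A FORWARD -i eth1 -o eth0 -j DROP
}

# Print the rules instead of applying them, for review before rollout.
dry_run() { ( IPT=echo; vpn_segment_rules ); }

# Number of rules the dry run produces.
rule_count() { dry_run | wc -l | tr -d ' '; }

# Apply only when explicitly asked ("sh vpn-segment.sh apply"); the default is a dry run.
case "${1:-}" in
    apply) vpn_segment_rules ;;
    *)     dry_run ;;
esac
```

Run it without arguments first and read the printed rules; the LOG lines are what tell you later whether a remote laptop is probing the LAN.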
Network topologies are important to network security. Make sure you completely understand what all the devices using your network do. It is not always the best strategy to follow the pack on security. Mix it up; hackers are just as lazy as everyone else.
The only real way to be 100% sure you are protected is to not connect to the Internet and not allow external devices onto your corporate LAN. It seems extreme, but that is exactly what high security environments do.