How topology decisions affect speed/availability/security/cost/etc. Network Topology

Metrics for judging network design Cost $$$ Bandwidth Maintenance hours Clock cycles Electricity Space Cooling requirements Others... Security Confidentiality Integrity Availability Authenticity Non-repudiation Biggest design trade-off: Availability vs. Confidentiality

Dynamic vs. static addressing * Recommended settings: All workstations dynamic, all servers static. Workstation Webserver Fileserver Workstation Dynamic addresses: Allow machines to be easily added and removed Simplifies management, reduces errors Static addresses: Must/should be used for some servers Reduces traffic for other servers (e.g. arp queries, DNS lookups) Can be set in /etc/network/interfaces file DHCP server Dynamic Static DNS server Static Either (Static recommended. Dynamic possible with discovery/DNS.) Mailserver Either (Static recommended. Dynamic possible with DNS.) Gateway Router Static

Network “Attack Surface” * Each available port is theoretically open to attack ISP/Internet Webserver DNS server Switch Router w/o NAT IP: IP: Ports: IP: Ports: ISP/Internet Switch Router w/ NAT IP: IP: Ports: 80, 443 IP: Port: 53 Workstation IP: Ports: Webserver DNS server Workstation IP: Ports: None

Basic Network Attacks “Front door” vs. “Back door” “Front door” attack originates from outside the network. Assume that the only open port on the router is 80, which goes to webserver 1. Attacker finds an exploitable bug in the webserver. 2. Attacker sends a packet that contains code that creates a shell between attacker and webserver 3. Attacker uses the shell to “pivot” to the workstation and fileserver Workstation ISP/Internet Webserver Fileserver Switch Router w/ NAT * “Pivot” – to attack a device and gain a foothold (e.g. a shell) then use that foothold to attack other visible devices (ssh/telnet/metasploit/etc.).

Basic Network Attacks “Front door” vs. “Back door” “Back door” attack originates from inside the network. 1. Attacker sends an with a malicious attachment 2. A workstation user clicks the attachment and runs the code 3. The code opens a connection to the hacker 4. The hacker now has a shell on the workstation and can install more software or pivot to other machines Workstation ISP/Internet Webserver Fileserver Switch Router w/ NAT

Most basic topology * All servers & workstations in the ISP’s subnet * All IPs are visible to Internet Workstation ISP/Internet Webserver Fileserver Switch Workstation Router w/o NAT WAP* * (WAP)Wireless Access Point PRO: All IPs are easily accessible from anywhere in the world (Maximum Availability) Low hardware costs CON: All IPs are easily accessible from anywhere in the world (Minimum Confidentiality) Can access every port on every IP remotely Very large attack surface Cost of buying one IP address for each device

Adding NAT * All servers & workstations in a single private subnet * Subnet IPs are hidden from Internet * The subnet appears as a single IP address for the router Workstation ISP/Internet Webserver Fileserver Switch Workstation Router w/ NAT WAP PRO: Much smaller attack surface than previous slide Only a few IP/port pairs are accessible through router CON: All IPs are in the same subnet. An attacker who pwns one box can pivot to the others.

Multiple isolated networks * Public servers are in blue subnet * Private servers & workstations are in green subnet Workstation ISP/Internet Webserver Fileserver Switch Workstation Router w/ NAT WAP PRO: An attack against one network will not grant access to the other CON: Extra Internet IP address is required Extra routers, switches, licenses, etc. are required Maintenance-intensive Difficult to give special priviliges on bluenet from greennet machines Switch Router w/ NAT Router w/ NAT

One network with a DMZ * Public servers are in blue subnet * Private servers & workstations are in green subnet Workstation ISP/Internet Webserver Fileserver Switch Workstation Router w/ NAT WAP PRO: An attack against the public webserver will not grant access to workstations or the private fileserver CON: An extra router is required “Double-NATing” of green subnet Complexity increases chance of misconfigurations Fileserver no longer available from outside LAN WAP is a big target for attacks – will allow attacker to pivot to fileserver or workstations Switch Router w/ NAT

Moving WAP to DMZ * Wireless devices can now only connect to the public (blue) subnet Workstation ISP/Internet Webserver Fileserver Switch Workstation Router w/ NAT WAP PRO: An attacker can no longer access the private fileserver after attacking the WAP (Confidentiality UP) CON: Mobile users no longer have access to the private fileserver (Availability DOWN) Attacker can still pivot from WAP to webserver Switch Router w/ NAT

Single router with multiple subnets * WAP is moved to its own (purple) subnet Workstation ISP/Internet Webserver Fileserver Switch Workstation Router w/ NAT WAP PRO: Increased separation of devices makes it difficult for attacker to pivot Fewer routers CON: More complex & expensive router required Router rules are more complex, easier to misconfigure

How many server applications per physical server? Webserver, Fileserver, DNS, DHCP, FTP Webserver PRO: Fewer physical servers to buy & maintain Reduced cost, space, electrical req. Security: Only one box to patch Fewer passwords to forget Fileserver DNS DHCP FTP PRO: Can buy smaller servers for each task Can put servers in different subnets Security: Only 2-3 ports open per machine Much easier to find attacks in logfiles & create firewall rules A successful attack against one service does not grant control over all services

Initial plan for class networks * Each group of 4 will build the following: Workstation SI455 internet Webserver Fileserver Switch Workstation Router w/ NAT Bluenet: Public – services available to other groups Greennet: Private – services available only to user workstations Switch Router w/ NAT DNS FTP Workstation DHCP Authentication Server server