Network devices are the building blocks of networks, and topologies are how you connect those devices together to control the logical and physical flow of traffic. The network architecture is how you design and arrange networks so that they make the most sense from both a functional and a security point of view. Anyone can throw together a few network devices and computers and make a network, but taking the time to really look at the architecture and decide how the network is laid out requires some forethought and skill. A typical topology introduces devices such as hubs, switches, and routers to control traffic between hosts and between networks. A network architecture also adds specialised security devices, such as firewalls, VPN concentrators, and so on. This article looks at different network architectures primarily from a security perspective, but I will also discuss them from a functional point of view.
One of the simplest network architectures from a security perspective is one that uses a bastion host. In its simplest form a bastion host is a computer, possibly a server, which sits between two networks and separates them. (Strictly, the term covers any hardened host that is deliberately exposed to an untrusted network; the dual-homed gateway described here is just the most basic case.) The host has multiple network interface cards, with each card connected to a different network. One network may be the Internet or another public network, while the other is the private network. It usually runs firewall software, with rules configured to filter the traffic passing between the two networks, and it is "hardened" to withstand attack: unnecessary services are removed, accounts are kept to a minimum, patches are applied promptly, and everything is logged. You will usually only see a single bastion host on very small networks, because every packet between the two networks has to cross this one machine, so both its throughput and its own attack surface limit how far the design scales. If the bastion host is compromised, the attacker is already standing inside the private network. On larger networks it is more often one component of a broader security architecture. Figure 2-12 depicts a simple bastion host setup.
An intranet is the network of computers that belongs to the organization, typically sitting behind a firewall or other security device. It may have internal web servers, file servers, and other network devices and servers that fill requests from internal clients and users. The intranet is kept separate from external or public networks to minimize unauthorized access and data loss. Only trusted, authenticated users and clients should be allowed to connect to it, whether from inside the network or from the outside (typically over a VPN connection).
Of course, defining the Internet should be an easy thing to do. From our perspective, however, the Internet is the public, untrusted network that is external to our private, secure network. Because the Internet is untrusted, there must be a way to filter traffic coming into the private network from the Internet, as well as to control traffic going from the private network out to the Internet. Security architectures help us do this and are made up of the specialized security devices discussed earlier, such as firewalls, proxies, VPN concentrators, and so on. A bastion host, as discussed, is one way to protect a small internal network from the public Internet, but it should only be used for very small networks. Larger networks require larger solutions, such as screened subnets, better known as Demilitarized Zones (DMZs), which are discussed next.
The Demilitarized Zone, or DMZ as it is usually called, is a special network set up as a buffer between the public or untrusted network (such as the Internet) and the private internal network. A DMZ is usually put in place because some assets, such as public web servers, must be reachable by untrusted clients and users on the Internet. In allowing that access you must also ensure that those external users cannot get to the internal network. The solution is a DMZ whose firewall rules admit traffic only to very specific resources and deny everything else. This is built either with two firewalls (one between the Internet and the DMZ, one between the DMZ and the internal network) or with a single firewall that has a dedicated interface for the DMZ. The important property is that the internal network treats DMZ hosts as untrusted: the rules permit the Internet to reach only the published services on specific DMZ hosts, and permit nothing to be initiated from the DMZ towards the internal network, so a web server that is compromised cannot be used as a stepping stone inward. Extranets may also be placed in a DMZ, allowing only trusted external users to reach them while still keeping all external users out of the internal private network.
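To make the filtering described for the bastion host and the DMZ concrete, here is a small zone-based policy model, written as an added example for this article rather than taken from it or from any firewall product. The address ranges, the published host 192.0.2.10, the port numbers, and the sample connection attempts are all constructed for illustration. Rules are evaluated first-match with a default deny, which is how firewall rule sets are normally written, and only connection initiation is modelled: a real stateful firewall lets the replies of an allowed connection back through automatically. The weaker FLAT_POLICY beside it shows the mistake the DMZ is meant to prevent, a rule that lets DMZ hosts open connections into the intranet.

```python
"""Zone-based packet policy for a bastion host / DMZ, as a runnable model."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Optional

# Constructed address plan for this example (not from the article).
ZONES = {
    "internet": [ip_network("0.0.0.0/0")],   # catch-all: anything not claimed below
    "dmz":      [ip_network("192.0.2.0/24")],
    "intranet": [ip_network("10.0.0.0/8")],
}


def zone_of(addr: str) -> str:
    """Return the zone owning an address; the most specific prefix wins."""
    ip = ip_address(addr)
    best_zone, best_len = "internet", -1
    for zone, nets in ZONES.items():
        for net in nets:
            if ip in net and net.prefixlen > best_len:
                best_zone, best_len = zone, net.prefixlen
    return best_zone


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    action: str                              # "allow" or "deny"
    proto: Optional[str] = None              # None matches any protocol
    dports: Optional[FrozenSet[int]] = None  # None matches any port
    dst_host: Optional[str] = None           # None matches any host in dst_zone

    def matches(self, pkt: Packet) -> bool:
        return (zone_of(pkt.src) == self.src_zone
                and zone_of(pkt.dst) == self.dst_zone
                and (self.proto is None or self.proto == pkt.proto)
                and (self.dports is None or pkt.dport in self.dports)
                and (self.dst_host is None or self.dst_host == pkt.dst))


def evaluate(policy: List[Rule], pkt: Packet) -> str:
    """First matching rule decides the connection attempt; no match means deny."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"


WEB = "192.0.2.10"  # the one published DMZ host (constructed)

# Rule set for the screened-subnet layout described in the article.
DMZ_POLICY = [
    # Untrusted clients may reach the published web service, and nothing else.
    Rule("internet", "dmz", "allow", proto="tcp", dports=frozenset({80, 443}), dst_host=WEB),
    # Administrators manage DMZ hosts from the intranet over SSH only.
    Rule("intranet", "dmz", "allow", proto="tcp", dports=frozenset({22})),
    # Internal users may browse out (in practice through a proxy in the DMZ).
    Rule("intranet", "internet", "allow", proto="tcp", dports=frozenset({80, 443})),
    # A compromised DMZ host must not be able to pivot inward. The default
    # deny would catch this anyway; stating it makes the intent auditable.
    Rule("dmz", "intranet", "deny"),
]

# A weaker rule set that is easy to end up with: the web server is exposed
# correctly, but DMZ hosts may open connections into the intranet freely.
FLAT_POLICY = [
    Rule("internet", "dmz", "allow", proto="tcp", dports=frozenset({80, 443})),
    Rule("dmz", "intranet", "allow"),
]

# Constructed connection attempts used to exercise the two policies.
SAMPLE_TRAFFIC = {
    "client_to_web":      Packet("198.51.100.7", WEB, "tcp", 443),
    "client_to_ssh":      Packet("198.51.100.7", WEB, "tcp", 22),
    "client_to_intranet": Packet("198.51.100.7", "10.1.2.3", "tcp", 445),
    "dmz_pivot_rdp":      Packet(WEB, "10.1.2.3", "tcp", 3389),
    "admin_to_dmz_ssh":   Packet("10.1.2.3", WEB, "tcp", 22),
    "user_to_internet":   Packet("10.1.2.3", "203.0.113.5", "tcp", 443),
}


def decisions(policy: List[Rule]) -> dict:
    """Verdict for every sample flow under the given policy."""
    return {name: evaluate(policy, pkt) for name, pkt in SAMPLE_TRAFFIC.items()}


if __name__ == "__main__":
    for name, policy in (("DMZ_POLICY", DMZ_POLICY), ("FLAT_POLICY", FLAT_POLICY)):
        print(name)
        for flow, verdict in decisions(policy).items():
            print(f"  {flow:20} {verdict}")
```

Running it shows the difference that matters: under DMZ_POLICY the Internet reaches only port 80/443 on the published host and the dmz_pivot_rdp attempt from the web server into the intranet is denied, whereas FLAT_POLICY allows that pivot. The same model with only two zones, "internet" and "intranet", and the single allow rule you actually need is exactly what a dual-homed bastion host enforces.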
An extranet is a specially constructed network that is shared between a private organization and its partners, vendors, or customers. It holds the data assets that those external users, such as business partners, need to access, and nothing else from the internal network. It is typically physically and logically separated from the internal network and is often protected by its own security devices, such as firewalls. It may be reachable only over a specific secure connection, such as a dedicated VPN. Because its users are outside the organization's direct control, an extranet typically requires stronger authentication and encryption than the intranet to protect its data from unauthorized access.
Published on Thu 29 March 2012 by Daisy Batty in Networking with tag(s): network architecture