Weaving a Secure Web Around Education: A Guide to Technology Standards and Security

Contact: Ghedam Bairu, (202) 502-7304

Appendix G: Follow That Packet: Deep Down Security

This appendix follows a "packet" from the Internet into a securely configured local area network and describes the checks applied at each device along the way. It is intended for individuals within the education agency who already have a basic understanding of computer and network technology.

The Internet Service Provider (ISP) routes a packet addressed to the agency from the Internet to the agency's border router. The border router typically runs a routing protocol such as BGP, EIGRP, OSPF, or RIP. The ISP should install access control lists on this device so that its management interfaces accept connections only from the ISP's Network Operations Center (NOC) servers and hosts. The border router should also refuse to route packets whose source or destination falls in the RFC 1918 private address space, which is never routed on the public Internet and therefore can only reach the border as a spoofed or misconfigured packet: 10.0.0.0 to 10.255.255.255 (the 10/8 prefix), 172.16.0.0 to 172.31.255.255 (172.16/12), and 192.168.0.0 to 192.168.255.255 (192.168/16).

From the border router, the packet arrives at the agency's edge router. Security processes to be addressed at the edge router are similar to those addressed at the ISP's border router. The difference is that the agency controls the configuration of the edge router. Processes to consider for edge router configuration include the following:

  • ingress and egress filtering (to prevent IP spoofing);
  • black hole routing (null routes) for address ranges the agency decides to drop after reviewing the logs of its intrusion detection system (addressed later);
  • access control lists that restrict Telnet or secure shell (SSH) access to the router to authorized management hosts (SSH is preferred, since Telnet sends credentials in the clear);
  • username/password validation against the local user database or an Authentication, Authorization, and Accounting (AAA) server (TACACS+ or RADIUS), so that only authorized individuals can log in to the edge router;
  • configuration passwords stored as hashes where the platform supports it, since reversible "encryption" of passwords in a configuration file only hides them from casual viewing;
  • firewall feature configuration as part of the router configuration (e.g., port and protocol blocking);
  • proper Network Address Translation (NAT), Port Address Translation (PAT), and static addressing configuration if not handled on a separate firewall;
  • disabling of built-in HTTP server (web management) services should they exist;
  • disabling of proprietary "neighbor" discovery protocols (e.g., Cisco Discovery Protocol), which advertise the device's model, software version, and addresses to adjacent devices; and
  • disabling of all protocols and services not necessary for business operations.
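The RFC 1918 check at the border router and the ingress/egress filtering and black-hole routing asked of the edge router above come down to a handful of address tests. The following is an added example, not code from the guide, that makes those tests explicit and runs them over constructed packets. The agency's public block (198.51.100.0/24) and the black-holed range (192.0.2.0/24) are assumptions chosen for the illustration; 203.0.113.0/24 stands in for arbitrary Internet hosts.

```python
"""Added example (not part of the guide): the ingress/egress anti-spoofing
and RFC 1918 checks an edge router's access lists should make.  The agency's
public block, the black-holed range and the sample packets are assumptions
chosen for the illustration."""
import ipaddress

# RFC 1918 space: must never arrive from the Internet as source or destination.
RFC1918 = [ipaddress.ip_network(n) for n in
           ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Assumed public block assigned to the agency by its ISP.
AGENCY_PUBLIC = ipaddress.ip_network("198.51.100.0/24")
# Assumed black-hole list, built by hand from IDS logs (see the text);
# anything to or from these ranges is dropped regardless of direction.
BLACKHOLE = [ipaddress.ip_network("192.0.2.0/24")]


def _in_any(addr, nets):
    return any(addr in net for net in nets)


def edge_verdict(direction, src, dst):
    """Decide a packet seen on the Internet-facing interface.

    direction is "in" (arriving from the ISP) or "out" (leaving to the ISP).
    Returns (action, reason) with action "permit" or "deny".
    """
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    if _in_any(s, BLACKHOLE) or _in_any(d, BLACKHOLE):
        return "deny", "black-holed range"
    if direction == "in":
        # Ingress filter: what the Internet may not claim to be.
        if _in_any(s, RFC1918):
            return "deny", "RFC1918 source from the Internet (spoofed or leaked)"
        if s in AGENCY_PUBLIC:
            return "deny", "our own address as source from outside (spoofed)"
        if _in_any(d, RFC1918):
            return "deny", "RFC1918 destination is not routable here"
        if d not in AGENCY_PUBLIC:
            return "deny", "destination is not ours (we are not a transit network)"
        return "permit", "Internet host to agency public block"
    if direction == "out":
        # Egress filter: only our own addresses may leave, so a compromised
        # internal host cannot source spoofed (e.g., DoS) traffic at others.
        if s not in AGENCY_PUBLIC:
            return "deny", "source outside agency block (spoofed or NAT leak)"
        if _in_any(d, RFC1918):
            return "deny", "RFC1918 destination leaking to the Internet"
        return "permit", "agency host to Internet"
    raise ValueError(f"unknown direction {direction!r}")


if __name__ == "__main__":
    # Constructed sample packets: (direction, src, dst).
    samples = [
        ("in", "203.0.113.5", "198.51.100.10"),
        ("in", "10.1.2.3", "198.51.100.10"),
        ("in", "198.51.100.7", "198.51.100.10"),
        ("in", "192.0.2.200", "198.51.100.10"),
        ("out", "198.51.100.10", "203.0.113.5"),
        ("out", "192.168.1.5", "203.0.113.5"),
    ]
    for pkt in samples:
        print(pkt, "->", edge_verdict(*pkt))
```

The outbound checks assume the packet has already passed through NAT, so a legitimate packet carries a public source address; an RFC 1918 source leaving the edge is therefore either spoofed or a NAT misconfiguration, and both should be dropped and logged.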
From the edge router the packet travels to the outside switch. The switch is positioned here to provide the flexibility to attach outside hosts and to provide port monitoring (a mirror or SPAN port that receives a copy of the traffic) for devices such as Content Filtering Servers (CFS) or Intrusion Detection Systems (IDS). The following items should be included in the configuration of the outside switch:
  • access control lists limiting Telnet or SSH access to the individual network management hosts authorized to make changes to the switch;
  • username/password validation against the local user database or an AAA server (TACACS+ or RADIUS) to allow only authorized individuals to access the outside switch;
  • disabling of proprietary "neighbor" discovery protocols;
  • enabling of port monitoring for IDS monitor, if installed;
  • enabling of port monitoring for Internet CFS, if installed; and
  • hard code port speed and duplex, if necessary.
It is highly recommended that an IDS monitor be attached to the outside switch. This device watches packets arriving at the network door, which in a properly secured system is the only entryway into the network. Because it sits in front of the firewall, it also sees the attempts the firewall will go on to block. The IDS monitor can detect attempts to gain access to the agency's network, to map the network (through port scans of one host and sweeps of one port across many hosts), or to initiate denial of service (DoS) attacks against the network. The agency should review the IDS results and adjust the edge router and firewall configurations as needed.
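The mapping attempts the IDS is meant to catch show up as one source touching many ports or many hosts in a short time. The following is an added example, not code from the guide or from any IDS product, of that detection logic run over constructed deny-log lines. The log format, the addresses (documentation prefixes) and the thresholds are assumptions chosen for the illustration.

```python
"""Added example (not part of the guide): simple port-scan and host-sweep
detection of the kind an IDS on the outside switch's monitoring port
performs, run over constructed deny-log lines.  Log format, addresses and
thresholds are assumptions chosen for the illustration."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: "<ISO timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    e = m.groupdict()
    e["ts"] = datetime.fromisoformat(e["ts"])
    e["dport"] = int(e["dport"])
    return e


def detect_scans(lines, port_threshold=10, host_threshold=5, window_s=60):
    """Flag sources that, within window_s seconds, touch at least
    port_threshold distinct ports on one host (vertical port scan) or the
    same port on at least host_threshold distinct hosts (horizontal sweep,
    i.e., network mapping).  One alert per (source, kind, target)."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)
    alerts = []
    for src, evs in by_src.items():
        reported = set()
        start = 0
        for end in range(len(evs)):
            # Slide the window so it spans at most window_s seconds.
            while (evs[end]["ts"] - evs[start]["ts"]).total_seconds() > window_s:
                start += 1
            ports_on_host = defaultdict(set)
            hosts_on_port = defaultdict(set)
            for e in evs[start:end + 1]:
                ports_on_host[e["dst"]].add(e["dport"])
                hosts_on_port[e["dport"]].add(e["dst"])
            for dst, ports in ports_on_host.items():
                if len(ports) >= port_threshold and ("port scan", dst) not in reported:
                    reported.add(("port scan", dst))
                    alerts.append({"kind": "port scan", "src": src,
                                   "target": dst, "count": len(ports)})
            for port, hosts in hosts_on_port.items():
                if len(hosts) >= host_threshold and ("host sweep", port) not in reported:
                    reported.add(("host sweep", port))
                    alerts.append({"kind": "host sweep", "src": src,
                                   "target": f"port {port}", "count": len(hosts)})
    return alerts


def _line(sec, src, dst, dport):
    """Build one constructed log line sec seconds after 10:00:00."""
    return (f"2003-06-12T10:{sec // 60:02d}:{sec % 60:02d} DENY TCP "
            f"{src}:{40000 + sec} -> {dst}:{dport}")


# Constructed sample log: a port scanner, a host sweeper, a normal web
# client, a slow scanner that stays under the time window, and one bad line.
SAMPLE_LOG = (
    [_line(i, "203.0.113.9", "198.51.100.10", 20 + i) for i in range(12)]
    + [_line(30 + i, "203.0.113.77", f"198.51.100.{10 + i}", 445) for i in range(6)]
    + [_line(5 * i, "203.0.113.5", "198.51.100.10", 80) for i in range(3)]
    + [_line(120 * i, "203.0.113.33", "198.51.100.10", 1000 + i) for i in range(10)]
    + ["garbage line that does not parse"]
)

if __name__ == "__main__":
    for a in detect_scans(SAMPLE_LOG):
        print(a)
```

The slow scanner in the sample is the usual evasion: spreading probes over minutes keeps each window below the threshold, so the window length and thresholds are a trade-off between catching patient scanners and paging staff for every stray connection; the sources that do trip the detector are candidates for the edge router's black-hole list.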

If there are other gateways into and out of the network, the edge router at each of them should be configured according to the recommendations above. Each gateway should have its own firewall and should be monitored by an IDS, in addition to monitoring the router's audit logs.

In addition to the IDS, some Internet CFS products can be installed at the network edge (typically on a monitored port of the outside switch, as above). In a manner similar to the IDS, the CFS looks at every request bound for the Internet and identifies improper requests by matching them against a defined list of improper sites. The improper request is denied by sending a Transmission Control Protocol (TCP) reset to both ends so that the connection is torn down. With this type of content filter, the CFS can also redirect an "inappropriate" user request to an internal (intranet) web server, which returns a page, including the Acceptable Use Policy, to the person who made the original request.

From the switch, the packet travels to the outside interface of the firewall. This is the last defense point. The network firewall should be configured to deny all inbound requests to the agency's internal network. The only accepted communication should be those packets bound for public servers (e.g., web, mail, etc.) residing on the Demilitarized Zone (DMZ) segment of the Local Area Network (LAN). Acceptable communication should be limited to IP address ranges, protocols, and ports suitable for the individual application on the individual server. All other inbound access should be denied. Other areas for consideration include the following:

  • deny all inbound requests to the agency's internal network with exceptions noted below;
  • allow only those addresses, protocols, and ports required to meet the needs of the application and allow them only on the DMZ segment;
  • configure NAT, PAT, and static addressing as appropriate to suit the agency's needs;
  • use access control lists to limit Telnet or SSH access to the firewall to those individual network management hosts authorized to make changes to it;
  • use username/password validation against the local user database or an AAA server (TACACS+ or RADIUS) to allow only authorized individuals to manage the firewall, and never accept management sessions on the outside interface;
  • use RFC1918 (unroutable) address spaces, logically arranged, inside the firewall;
  • place all internal hosts and servers on the most secure (inside) segment of the firewall;
  • place all publicly accessible servers on the DMZ segment of the firewall;
  • permit only specific IP addresses, protocols, and ports from publicly accessible DMZ servers to specific servers on the internal network (e.g., the database port used by a web application's Open Database Connectivity [ODBC] connection), so that a compromised DMZ host cannot reach the rest of the inside network;
  • configure communication to Internet content filtering, if required; and
  • configure fail-over services, if enabled.
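The firewall rules above amount to a deny-by-default policy between three zones, with a short list of exceptions toward the DMZ and a single, narrow exception from the DMZ toward the inside. The following is an added example, not code from the guide or from any firewall product, that writes that policy down and evaluates constructed packets against it. The addresses, the database port (1433, assumed here for an ODBC-connected database server), the inside-originated rules and the anti-spoofing check on the arrival interface are assumptions for the illustration; rules are written in post-NAT (inside) addresses.

```python
"""Added example (not part of the guide): a zone-based, deny-by-default
firewall policy of the shape the text describes, evaluated over constructed
packets.  Addresses, the database port and the rule set are assumptions."""
from dataclasses import dataclass
from typing import Optional
import ipaddress

OUTSIDE, DMZ, INSIDE = "outside", "dmz", "inside"

# Assumed RFC 1918 addressing behind the firewall.
ZONE_NETS = {
    DMZ: ipaddress.ip_network("192.168.10.0/24"),
    INSIDE: ipaddress.ip_network("10.0.0.0/16"),
}
WEB_SERVER = "192.168.10.10"   # public web server on the DMZ
MAIL_SERVER = "192.168.10.25"  # public mail server on the DMZ
DB_SERVER = "10.0.5.20"        # internal database the web application uses


@dataclass(frozen=True)
class Packet:
    ingress: str   # interface the packet arrived on: OUTSIDE, DMZ or INSIDE
    src: str
    dst: str
    proto: str     # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    src_zone: str
    src: str               # "any", a host address or a CIDR block
    dst_zone: str
    dst: str
    proto: str
    dport: Optional[int]   # None = any port
    action: str            # "permit" or "deny"


def zone_of(addr):
    a = ipaddress.ip_address(addr)
    for zone, net in ZONE_NETS.items():
        if a in net:
            return zone
    return OUTSIDE  # anything that is not ours belongs to the Internet


def _addr_match(spec, addr):
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


# First match wins; anything unmatched falls to the implicit deny at the end.
RULES = [
    # Public services: only the specific server, protocol and port.
    Rule(OUTSIDE, "any", DMZ, WEB_SERVER, "tcp", 80, "permit"),
    Rule(OUTSIDE, "any", DMZ, WEB_SERVER, "tcp", 443, "permit"),
    Rule(OUTSIDE, "any", DMZ, MAIL_SERVER, "tcp", 25, "permit"),
    # DMZ to inside: exactly one server pair, one protocol, one port.
    Rule(DMZ, WEB_SERVER, INSIDE, DB_SERVER, "tcp", 1433, "permit"),
    # Assumed: internal hosts may reach the DMZ servers and the Internet.
    Rule(INSIDE, "any", DMZ, "any", "tcp", None, "permit"),
    Rule(INSIDE, "any", OUTSIDE, "any", "tcp", None, "permit"),
    Rule(INSIDE, "any", OUTSIDE, "any", "udp", None, "permit"),
]


def evaluate(pkt):
    """Return (action, reason) for a packet under RULES."""
    src_zone, dst_zone = zone_of(pkt.src), zone_of(pkt.dst)
    # A packet whose source belongs to a different zone than the interface it
    # arrived on is spoofed; drop it before consulting the rule base.
    if src_zone != pkt.ingress:
        return "deny", f"anti-spoof: {pkt.src} arrived on {pkt.ingress}"
    for i, r in enumerate(RULES):
        if (r.src_zone == src_zone and r.dst_zone == dst_zone
                and r.proto == pkt.proto
                and (r.dport is None or r.dport == pkt.dport)
                and _addr_match(r.src, pkt.src) and _addr_match(r.dst, pkt.dst)):
            return r.action, f"rule {i}"
    return "deny", "implicit deny"


if __name__ == "__main__":
    # Constructed sample packets, including a DMZ host trying to pivot inside.
    for p in [Packet(OUTSIDE, "203.0.113.5", WEB_SERVER, "tcp", 80),
              Packet(OUTSIDE, "203.0.113.5", WEB_SERVER, "tcp", 22),
              Packet(OUTSIDE, "203.0.113.5", DB_SERVER, "tcp", 1433),
              Packet(DMZ, WEB_SERVER, DB_SERVER, "tcp", 1433),
              Packet(DMZ, WEB_SERVER, "10.0.0.7", "tcp", 445),
              Packet(OUTSIDE, "10.0.1.5", DB_SERVER, "tcp", 1433)]:
        print(p, "->", evaluate(p))
```

The evaluator is stateless, so return traffic for a permitted connection would need matching rules in the reverse direction; a real firewall keeps a connection table and allows replies to established sessions, which is what makes "deny all inbound" workable for the inside segment.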
Instructional functions and student research hosts should reside on the DMZ segment of the network, separated from administrative systems. Publicly accessible hosts, such as web servers, File Transfer Protocol (FTP) servers, and e-mail servers, should be installed on this segment or on a lower-security segment (e.g., DMZ1, DMZ2). Administrative hosts should not be installed on the DMZ segment. Student segments can be further separated from the publicly accessible servers in the same manner, by giving each its own firewall segment.

Administrative hosts and servers hosting administrative applications, databases, file servers, print servers, and data should reside on the inside segment of the LAN.

On both the DMZ segment and the inside segment of the LAN, network monitoring tools, packet sniffers, and similar tools should be used to analyze network performance and to ensure that the network maintains adequate bandwidth and services. These tools may be handheld devices, client software installed on a monitoring station, or web-based. Because such tools can capture traffic and, in the case of Simple Network Management Protocol (SNMP), reconfigure devices, caution should be exercised: SNMP versions 1 and 2c send their community strings in the clear, so default community strings should be changed, SNMP should be restricted to read-only access from designated management hosts and never exposed on the outside interface, and SNMPv3 with authentication and encryption should be used where the devices support it.

Additionally, appropriate network monitoring and notification tools should be installed to alert assigned personnel to important events, such as device failures and intrusion incidents.