Security has become something like French fries in a fast food restaurant: it comes with just about anything else you order—whether you want it or not. That’s not necessarily a bad thing, but with every device on your network having some form of security setting, eventually things become confusing. Disparate security settings can conflict, causing unpredictable and often unexpected results.

Managing security settings in a heterogeneous environment can be challenging. In this Daily Feature, I’ll give you some pointers that can help you deal with such an environment.


Author’s Note

Unfortunately, there are so many different network devices with so many different security settings that there’s no way to provide a hard and fast rule that will deal with all of the situations and conflicts you’ll face. However, for the purposes of this Daily Feature, I’ll give you a concrete example along with general theories that you can then take and apply to your specific situation.


Who needs defense in depth? I have a firewall!
Properly configured, the security settings of the various devices on your network together form a defense in depth. This means that an attacker faces a series of independent barriers, each of which must be breached before reaching your important data, so a single misconfiguration or unpatched hole does not hand over the whole network. Network administrators don’t often think in terms of multiple lines of defense when building security, but they should.

I once had a coworker who hated firewalls. His theory was that firewalls lulled administrators into a false sense of network security. Administrators employing firewalls sometimes become complacent about network security because they view the firewall as both the first and the last line in security. My coworker insisted on tightened security on each individual server as well as each individual service in order to prevent attacks. It was very likely one of the most secure environments that I worked in.

Now, I’m not suggesting that if you properly secure all of the various devices on your network that you’re safe without a firewall. My point is that the mere existence of the firewall shouldn’t give you a reason to forsake security on the rest of your network.

True network security consists of more than point solutions. It consists of a well-designed plan encompassing all aspects of the enterprise. When completely thought out and implemented, the heterogeneous security plan helps to protect the entire network from various types of attacks in a coordinated fashion.

A theoretical scenario
Like snowflakes, no two networks are identical. Therefore, in one Daily Feature, I can’t detail the specifics of how to implement security in an environment identical to yours. For the remainder of this Daily Feature, I’ll show you how to build security in a generic network environment, as shown in Figure A. By learning how to secure this generic environment, you can then tailor the security to your own network.

Figure A
This is the “before” picture of an unprotected network.

In this generic network, I’m going to make the following assumptions:

  • The network featured doesn’t include a firewall.
  • All IP addressing on the network consists of public, routable addresses shown as (public.{ip address}).
  • The corporate Web server runs Windows 2000 and IIS 5.0.
  • The network includes Red Hat 7.3 Linux servers with the “no firewall” option.
  • Client PCs run several different operating systems including Red Hat Linux, Windows 2000 Professional, and Windows XP Professional—mostly Windows XP.

Locking it down
There are two ways to go about securing this environment: from the inside out or from the outside in. That is, you can start at the core of the network (the servers and clients) and work toward the edge, or start at the edge and work toward the core. For the purposes of this Daily Feature, I’ll be working from the outside in, which is my preferred way of securing heterogeneous environments.

The first order of business is to install a firewall between the router and the switch. Placing a dedicated firewall there gives more bang for the buck than replacing the router with a new one that has firewall capabilities, and it plugs the biggest hole right away: as things stand, nothing filters traffic between the Internet and the servers. For this solution, I will be using a Cisco PIX firewall, as shown in Figure B.

Figure B
Your first task is to increase security by installing a firewall.

You may notice that between the router and the firewall, I’ve placed a hub. The hub is useful for two things. First, you can hang a server running some type of intrusion detection system (IDS) off it. Second, it lets you capture and analyze all of the traffic coming in from and going out to the Internet. A hub repeats every frame to every port, so a sensor on any port sees everything; a switch forwards unicast frames only to the port that owns the destination MAC address, so a sensor plugged into an ordinary switch port sees little more than broadcasts and its own traffic. (Most managed switches can mirror traffic to a designated monitoring port, which is the alternative if you would rather not put a hub in the path.) Two caveats: the hub sits on the untrusted side of the firewall, so the sensor sees unfiltered Internet traffic and should itself be hardened, with no IP address bound to its sniffing interface; and a hub is a shared, half-duplex medium, which can become a bottleneck on a busy link.
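If you prefer a switch to the hub shown in Figure B, the following configuration, an added example rather than one from the original article, mirrors the router-facing port to the port where the IDS sensor is attached on a Catalyst switch running IOS, so the sensor still sees both directions of Internet traffic. The port numbers are assumptions: FastEthernet0/1 is the uplink toward the router, and FastEthernet0/24 is the sensor. Lines beginning with `!` are comments.

```cisco
! Added example, not from the original article.
! Assumed ports: Fa0/1 = uplink toward the router, Fa0/24 = IDS sensor.
!
! Copy every frame that enters or leaves Fa0/1 ("both" directions)
! to Fa0/24. The destination port stops forwarding normal traffic,
! which is fine for a sensor that only listens.
monitor session 1 source interface FastEthernet0/1 both
monitor session 1 destination interface FastEthernet0/24
```

Verify the session with `show monitor session 1` after applying it. Because the mirrored copy is still on the Internet side of the firewall, the sensor sees traffic the firewall will later drop; that is useful for spotting scans, but the sensor host needs the same hardening as it would on the hub.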

As you can also see in the diagram, rather than the public TCP/IP addresses found in the original network, I have assigned RFC 1918 private addresses from the 172.16.0.0/12 range to all of the devices behind the firewall. Because private addresses aren’t routable on the Internet, nothing outside can reach these devices directly: the firewall translates outbound connections to its public address, and an inside host such as the Web server is reachable from the outside only if you configure a static translation to a public address for it. Keep in mind that the translation only makes the host addressable; the firewall’s access rules still decide which ports outsiders may connect to, so pair every static translation with a rule that permits just the services you intend to expose.
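The following PIX configuration, an added example rather than one from the original article, shows the translation and filtering just described for the network in Figure B. It uses PIX 6.x syntax, and all addresses are assumptions: the 203.0.113.0/24 block (an RFC 5737 documentation range) stands in for the article’s public.{ip address} placeholders, 203.0.113.1 is the router, 172.16.1.0/24 is the inside subnet, and 172.16.1.10 is the Windows 2000/IIS Web server. Lines beginning with `:` are comments on the PIX.

```cisco
: Added example (PIX 6.x syntax), not from the original article.
: Assumed addresses: 203.0.113.0/24 = public block standing in for
: public.{ip address}, 203.0.113.1 = router, 172.16.1.0/24 = inside LAN,
: 172.16.1.10 = Windows 2000/IIS Web server.
nameif ethernet0 outside security0
nameif ethernet1 inside security100
ip address outside 203.0.113.2 255.255.255.0
ip address inside 172.16.1.1 255.255.255.0
route outside 0.0.0.0 0.0.0.0 203.0.113.1 1
:
: Outbound: every 172.16.0.0/12 host on the inside is translated to the
: firewall's own outside address (port address translation), so inside
: addresses never appear on the Internet.
nat (inside) 1 172.16.0.0 255.240.0.0 0 0
global (outside) 1 interface
:
: The Web server gets a fixed public address. This alone does NOT let
: anyone in: traffic from the lower-security outside interface to the
: higher-security inside interface is denied until an access list permits it.
static (inside,outside) 203.0.113.10 172.16.1.10 netmask 255.255.255.255 0 0
:
: Permit only HTTP to the Web server's public address and drop everything
: else arriving on the outside interface. Nothing permits traffic to the
: private addresses themselves, so the other servers stay unreachable.
access-list outside_in permit tcp any host 203.0.113.10 eq www
access-list outside_in deny ip any any
access-group outside_in in interface outside
```

After applying it, `show xlate` confirms the static entry exists and `show access-list` shows hit counts on each rule; a growing count on the final deny line is a quick way to see how much unsolicited traffic the firewall is absorbing.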

Securing key components
After you’ve added the firewall and made the other configuration changes to the network, you can configure security on the rest of your network. This is a methodical process, requiring that you visit the security settings on each device on the network. For the theoretical network in this Daily Feature, that means doing the following:

Summary
While security systems are often implemented as individual point solutions, the importance of looking at your organization’s security with the entire system in mind cannot be stressed enough. What has been presented in this article is just the tip of the iceberg. For example, AIDE, a host-based file-integrity checker, could be run on the Linux servers to detect tampering with system binaries and configuration files, and the Windows 2000 servers could have packet-filtering access control lists applied to their network interfaces to prevent unauthorized use. As you can see, there is much more that could be done to further enhance the security of the sample environment.