Securing Your Network: Identifying SMB Network Perimeters


Introduction

Every network has a perimeter: a gateway to the Internet. These perimeters help improve your business processes and manage Internet-based activities, but they must be carefully protected, because every perimeter is different and each is a strategic area open to manipulation. Your organization's dedicated connection to the Internet is an obvious demarcation point, but most networks have other perimeters that must be recognized, for example site-to-site VPN connections. The base definition of a perimeter device is any device that routes packets between two networks (for example, a firewall, router, or switch). A broader definition of a perimeter appliance is any device that could give access to the network (for example, USB drives, clients, and servers); these do not route packets between networks, but they extend the perimeter to more clients. Although these are mentioned within this document, they are not the same as network-based perimeter devices, but companies do need to be aware of them.

Security must be a primary concern when designing an optimum network. A single unrecognized perimeter network exposure, such as an unsecured perimeter device, could compromise your corporate network. A complete network security solution featuring formal authentication, authorization, confidentiality, availability, and integrity measures reduces the likelihood of an unauthorized intrusion. These measures typically include encryption, certification, directory, network, and other security components. Not protecting your network can lead to serious financial and legal repercussions.

Perimeter security is traditionally provided by a perimeter device, such as a firewall that inspects packets and sessions to determine if they should be transmitted to or from the protected network or instead dropped. In effect, firewalls have become a single point of network access where traffic can be analyzed and controlled using firewall scripts that define application, address, and user parameters. These scripts help protect the connectivity paths to external networks and data centers.

Identifying the possible devices that each network has or could have that provide access to the network can help improve your network's overall security. You can define the perimeter of the network by first defining all the types of hosts on the network, including static and dynamic (temporary) hosts. After identifying all the hosts on the network, you can then characterize each and determine if they could be considered perimeter devices. Consider each perimeter device definition as a part of the perimeter of the network. This document uses a typical small to medium business (SMB) network design to provide a template from which to inventory and characterize your perimeter devices.

You will need to determine all of the perimeter devices that are currently on your corporate network, as well as which devices could be dynamically added in the future, for example virtual private network (VPN) clients. After you have identified all of your company's perimeter devices, you can build a logical and physical diagram of the network to better define the perimeter of the network. The following sections will help you:

  • Identify and characterize the static and dynamic hosts.

  • List the hosts that are considered perimeter devices.

  • Define the perimeter of the network.

Before You Begin

Understanding a typical small-sized to medium-sized business (SMB) network and how that network relates to the Internet and any other third-party entity's network can help you better understand the network perimeter and how perimeter devices are identified. The following figure illustrates how a typical small-business and medium-business network looks, complete with examples of the devices and hosts within the company's physical perimeter. This diagram will be used as an example throughout the document when referring to the physical perimeter of a company.

SMB Network with Devices and Hosts Within the Company's Physical Perimeter


As you analyze the scenario presented in this document, it will become obvious that a firewall in front of the Internet is not the only perimeter device. There are many devices within a network that need to be defined and maintained and could possibly be perimeter devices, but that do not necessarily meet the base definition of a perimeter device as mentioned previously within this document. Users can connect to the Internet at multiple access points and receive dynamically assigned Internet Protocol (IP) addresses, not only inside the wired and wireless sections, but also when traveling. An IP address uniquely identifies a host (computer) that is connected to the Internet or to other Internet hosts. Mobile users can connect to the Internet using several types of service providers (SPs): Internet service providers (ISPs), cellular service providers, or public wireless access points (APs). The other perimeter devices outside of a company's physical environment are unknown and unmanageable to the typical SMB. What you can know and manage are the perimeter devices you own and the clients or possible clients of which you are aware.

The following figure illustrates how a typical small to medium business network looks in relation to other networks that it communicates with. It also shows examples of other possible connected devices that you should consider when identifying perimeter devices for a corporate network.

SMB Network in Relation to Other Networks


Identifying a Perimeter Device

Identifying what perimeter devices exist and what the perimeter of the network looks like is a challenge for many companies. A perimeter device is any device that routes packets between two networks (for example, a firewall, router, or switch). A broader definition of a perimeter appliance is any device that could give access to the network (for example, USB drives, clients, and servers); these do not route packets between networks, but they extend the perimeter to more clients. A host is any computer that provides information to another computer. A node is any piece of equipment that is directly attached to the network, such as a computer, router, firewall, or other network device. This document uses the term host when identifying any possible perimeter devices throughout each section. The following list outlines the possible perimeter devices and perimeter appliance devices and why they might be considered perimeter devices:

  • Network Hardware Devices. These devices can be considered perimeter devices depending on where they are placed within your network infrastructure. They include routers, firewalls, modems, switches, and wireless hubs. If any of these devices have access to both an external network and any part of the internal network, it is considered a perimeter device.

  • Servers. These devices may be considered perimeter devices depending on their connectivity to the Internet and intranet. For example, any server that communicates with both the Internet and intranet and is multihomed could be considered a perimeter device. This also includes remote location servers that connect to the internal network from external networks, because these servers have the potential to open a gateway to the network.

  • Clients. These devices can be considered perimeter devices depending on their connectivity to the Internet and intranet. For example, any client that communicates with both the Internet and intranet and is multihomed could be considered a perimeter device. This also includes remote location clients that connect to the internal network from external networks, because these clients may open doorways to the network with certain advanced configurations not mentioned within this document.

When you consider servers and clients as possible perimeter devices, you must consider what operating system, services, and applications are installed on the computers and how they are configured. These characteristics determine whether or not the system might expose the trusted internal network to external networks. For example, a computer whose operating system provides any type of Web, network, or authentication service to the Internet (for example, HTTP, HTTPS, FTP, SMTP, and so on) may be considered a perimeter device.

Identifying and Characterizing Static and Dynamic Hosts

Before you can identify the perimeter devices within your network, you must first take inventory of what exists within your network. Once you have completed an inventory of what exists you will need to characterize your findings. This task consists of identifying each static and dynamic host on your network and documenting each of their characteristics. A static host is permanently attached to the network; it also seldom changes in its network characteristics and overall system configuration. Examples of static hosts are firewalls, servers, and desktop computers. A dynamic host is a temporarily attached device that connects and disconnects as requested by a user or service. Examples of dynamic hosts are remote VPN clients, remote office database syncs, and wireless laptops. Once you have identified all the hosts within the physical perimeter, you can document and analyze all of their characteristics.

The following list outlines the information that you need to gather in order to identify the characteristics of each host:

  • Operating system (for example, Windows Server 2003 or Windows XP)

  • Type of host (for example, personal computer, network hardware, or portable device)

  • Host name (for example, XPmachine0 or ISAserver0)

  • Applications and Programs installed (for example, Exchange, SQL, Office)

  • Windows components installed (for example, IIS, ASP.NET, and POP3 Service)

Listing the Hosts that are Considered Perimeter Devices

Determining which hosts are perimeter devices is an important step when defining the perimeter of the network. However, you must also determine which hosts are static and which are dynamic.

Building a List of Static Hosts Within the Network

Obtaining information from the static hosts that exist within your network enables you to build a list of these hosts. A static host is a host or network device that does not detach from the network after being utilized. The size of your SMB will determine the method in which you choose to obtain the information from the static hosts. You can gather this information in a manual method, an automated method, or both. Most SMB companies choose to gather the information with a manual method because they lack the resources to use an automated application. Your results can be combined to confirm the validity of the list. The following list outlines some of the different methods:

  • Manual Method. You can access each static host locally or through terminal services, if available. Then you can gather the information within the user interface on the hosts. You will have to do this for most network devices, such as firewalls and routers, unless they are network devices running as services on a Windows host (for example, Internet Security and Acceleration (ISA) Server or Routing and Remote Access Server (RRAS)); in that case you can gather the information in the same way that you gather it from a regular Windows host.

  • Automated Method. There are numerous companies that provide host inventory applications and services that will automatically inventory all hosts that exist on a network. An example of this type of application and service is Microsoft SMS 2003. Some companies choose to write a logon script or a small piece of code to capture the required information at logon time and store it in a directory service. Most SMB companies do not have these types of scripting resources available to them, and defer to the manual method.

Organizing the Information You Have Gathered

The following table outlines what was identified within the example SMB network.

Table of Static Hosts and Characteristics

Host Name               | Operating System    | Type of Host                           | Applications and Programs                | Windows Components
------------------------|---------------------|----------------------------------------|------------------------------------------|-----------------------------------
Router01                | Cisco IOS           | Network router Cisco 2500              | No host-related Applications or Programs | No host-related Windows Components
ISAServer-01            | Windows Server 2000 | Computer-based firewall and VPN Server | ISA Server 2000                          | No host-related Windows Components
IISServer-01            | Windows Server 2003 | Computer-based Web Server              | No host-related Applications or Programs | IIS, ASP.NET, COM+
SQLServer-01            | Windows Server 2003 | Computer-based Database Server         | SQL Server 2000 Standard                 | No host-related Windows Components
Exchange-01             | Windows Server 2003 | Computer-based E-mail Server           | Exchange 2003                            | No host-related Windows Components
DC-01                   | Windows Server 2003 | Computer-based Domain Controller       | No host-related Applications or Programs | DHCP, DNS, and WINS
Wireless-01             | Linksys OS          | Network Wireless AP Hub                | No host-related Applications or Programs | DHCP
Numerous static clients | Windows XP Pro      | Desktop computer                       | Office 2003                              | No host-related Windows Components

After gathering the information, you need to decide which of these hosts can be considered perimeter devices. All of the previously listed hosts need to be addressed as possible perimeter devices within your network. All of these hosts have the software and hardware capabilities to provide services to the user community. The host services could be something as simple as a peer-to-peer network share. A security policy designed and implemented by your network administration staff will help protect these perimeter devices that constitute your perimeter. For each of these hosts, your system administrator should research the specific product security guides for what is installed on the hosts and apply the necessary security settings.
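The following script is an added example, not part of the original article. It takes the inventory gathered in the previous section and applies the article's own perimeter-device rules from "Identifying a Perimeter Device": a device whose interfaces span two networks routes packets between them, a multihomed server or client reaches both Internet and intranet, a wireless access point extends access into the intranet, and a dynamic host may bring new services each time it attaches. Host names follow the article's tables; the IP address blocks, the zone names, the per-host addresses and service lists are constructed sample data, and treating "vpn" as an Internet-facing service is an assumption.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Named networks of the sample SMB. The address blocks are constructed
# (documentation ranges), not taken from the article.
ZONES = {
    ip_network("203.0.113.0/24"): "internet",   # ISP-facing side of Router01
    ip_network("198.51.100.0/24"): "transit",   # link between Router01 and the firewall
    ip_network("192.168.1.0/24"): "intranet",   # the company's wired LAN
}

# Service types the article names as Internet-facing ("HTTP, HTTPS, FTP,
# SMTP, and so on"); "vpn" is added here as an assumption.
INTERNET_FACING = {"http", "https", "ftp", "smtp", "vpn"}

# Host types that forward packets between networks (the article's base definition).
ROUTING_KINDS = {"router", "firewall", "switch", "modem"}


@dataclass
class Host:
    name: str
    kind: str                 # router, firewall, wireless, server, client
    dynamic: bool = False     # True for hosts that attach and detach (VPN users, wireless laptops)
    addresses: List[str] = field(default_factory=list)
    services: List[str] = field(default_factory=list)


def zone_of(address: str) -> str:
    """Map an address to a named zone; anything not in ZONES is treated as external."""
    ip = ip_address(address)
    for net, name in ZONES.items():
        if ip in net:
            return name
    return "external"


def perimeter_reasons(host: Host) -> List[str]:
    """Return the reasons (possibly none) why this host counts as a perimeter device."""
    reasons: List[str] = []
    zones = sorted({zone_of(a) for a in host.addresses})
    if host.dynamic:
        reasons.append("dynamic host: attaches and detaches, may bring new services each time")
    if len(zones) >= 2:
        span = " and ".join(zones)
        if host.kind in ROUTING_KINDS:
            reasons.append(f"routes packets between {span}")
        else:
            reasons.append(f"multihomed host reachable from {span}")
    if host.kind == "wireless":
        reasons.append("broadcasts a wireless access point into the intranet")
    exposed = INTERNET_FACING & {s.lower() for s in host.services}
    # A service is only Internet-facing if the host has an interface outside the intranet.
    if exposed and any(z != "intranet" for z in zones):
        reasons.append("offers Internet-facing services: " + ", ".join(sorted(exposed)))
    return reasons


def classify(hosts: List[Host]) -> Dict[str, List[str]]:
    return {h.name: perimeter_reasons(h) for h in hosts}


def perimeter_devices(hosts: List[Host]) -> List[str]:
    return [name for name, reasons in classify(hosts).items() if reasons]


# Constructed inventory: host names follow the article's tables; addresses and
# service lists are sample values.
SAMPLE_HOSTS = [
    Host("Router01", "router", addresses=["203.0.113.2", "198.51.100.1"]),
    Host("ISAServer-01", "firewall", addresses=["198.51.100.2", "192.168.1.1"], services=["vpn"]),
    Host("IISServer-01", "server", addresses=["192.168.1.10"], services=["http", "https"]),
    Host("SQLServer-01", "server", addresses=["192.168.1.11"], services=["mssql"]),
    Host("Exchange-01", "server", addresses=["192.168.1.12"], services=["smtp", "pop3"]),
    Host("DC-01", "server", addresses=["192.168.1.5"], services=["dns", "dhcp", "wins"]),
    Host("Wireless-01", "wireless", addresses=["192.168.1.2"], services=["dhcp"]),
    Host("XPmachine0", "client", addresses=["192.168.1.50"]),
    Host("Remote user (VPN)", "client", dynamic=True, addresses=["100.64.0.9"]),
    Host("Wireless laptop", "client", dynamic=True, addresses=["192.168.1.120"]),
]

if __name__ == "__main__":
    for name, reasons in classify(SAMPLE_HOSTS).items():
        status = "PERIMETER" if reasons else "internal "
        print(f"{status}  {name:<18} {'; '.join(reasons) or '-'}")
```

With the constructed data the script flags Router01, ISAServer-01, Wireless-01 and both dynamic hosts, and leaves IISServer-01, Exchange-01, SQLServer-01 and DC-01 as internal hosts, which matches the article's "Hosts Considered Perimeter Devices" table; Exchange-01 runs SMTP but has no interface outside the intranet, so it is published through the firewall rather than being a perimeter device itself. Re-running the classification after each inventory pass is a cheap way to notice when a host has quietly gained a second interface or a new exposed service.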

Building a List of Dynamic Hosts Within the Network

A dynamic host is a host or network device that temporarily attaches then detaches from the network after being utilized. Examples of dynamic hosts are remote users and mobile laptops. A server that is regularly removed from a network (a "rogue" server) could also be considered a dynamic host. This would be a site-to-site scenario (for example, a branch office connection or home network connection). These hosts are often used by authorized personnel to obtain remote access to an intranet. Unfortunately, these dynamic hosts have a long history of providing unauthorized users with remote access. Gathering information about dynamic hosts is more difficult than gathering information about static hosts, because they are not permanently attached and their characteristics change more often. It is more important for you to be aware of what type of dynamic hosts can access your network than exactly which dynamic host accesses your network. However, it is still beneficial to know the possible dynamic hosts that might access your network. The following figure outlines the possible dynamic hosts that might affect the sample network.

SMB Network with all Static Hosts and Possible Dynamic Hosts


The following table lists the dynamic hosts that were identified for the sample SMB and explains how they gain access to the network.

Types of Dynamic Hosts

Host Type        | Operating System        | Access Method
-----------------|-------------------------|--------------------------------------------------------------------------------------
Roaming Computer | Windows, Other          | Direct wireline connection to a docking station and intranet within the SMB physical perimeter
Remote Users     | Windows, Other          | Direct VPN connection to an internal VPN Server
Wireless Clients | Laptop, PDA, Smartphone | Wireless connection to an internal wireless AP
Remote Offices   | Windows, Other          | Direct VPN connection to an internal VPN Server

Identifying Hosts That are Considered Perimeter Devices

The following table lists the hosts identified as perimeter devices and explains why each host is considered to be a perimeter device.

Hosts Considered Perimeter Devices

Host Name or Description | Description                                                                      | What Makes It a Perimeter Device?
-------------------------|----------------------------------------------------------------------------------|-------------------------------------------------------------------------------------
Router-01                | Network Router                                                                   | Major network access point from the Internet
Firewall-01              | Network Firewall/VPN Server                                                      | Major network access point from the Internet
Wireless01               | Wireless Access Point within the network physical perimeter                      | Broadcasts a wireless access point to the internal network
Mobile Computer          | Users who connect and disconnect laptops or PCs to the network when they want    | Might introduce new possible services and/or applications to the network each time they connect
Remote Users             | Any user who connects from home, hotel, or any other third-party location        | Might introduce new possible services and/or applications to the network each time they connect

Defining the Perimeter of the Network

After completing the analysis of your network hosts as outlined in the previous sections, you can map a logical diagram of the perimeter network. The perimeter of the network becomes the logical mapping of your host devices, as the following figure illustrates. Almost every component within the network has become a perimeter interest in one way or another. Performing a formal audit of your entire network on a regular basis can be an effective method to help track the perimeter of your network.

Logical View of the Perimeter Devices Within Our Sample SMB Network


For more information about security, see the following: