Architecture
As with so many of the areas we have studied,
planning can be the strongest control. In particular, when we build or modify
computer-based systems, we can give some thought to their overall architecture
and plan to "build in" security as one of the key constructs.
Similarly, the architecture or design of a network can have a significant
effect on its security.
Segmentation
Just as segmentation was a powerful security
control in operating systems, it can limit the potential for harm in a network
in two important ways: Segmentation reduces the number of threats, and it
limits the amount of damage a single vulnerability can allow.
Assume your network implements electronic
commerce for users of the Internet. The fundamental parts of your network may
be
·
a web server, to handle
users' HTTP sessions
·
application code, to
present your goods and services for purchase
·
a database of goods, and
perhaps an accompanying inventory to the count of stock on hand and being
requested from suppliers
·
a database of orders
taken
If all these activities were to run on one
machine, your network would be in trouble: Any compromise or failure of that
machine would destroy your entire commerce capability.
A more secure design uses multiple segments, as
shown in Figure 7-20. Suppose one piece of hardware is to be a web server box
exposed to access by the general public. To reduce the risk of attack from
outside the system, that box should not also have other, more sensitive,
functions on it, such as user authentication or access to a sensitive data
repository. Separate segments and servers—corresponding to the principles of
least privilege and encapsulation—reduce the potential harm should any
subsystem be compromised.
Separate access is another way to segment the
network. For example, suppose a network is being used for three purposes: using
the "live" production system, testing the next production version,
and developing subsequent systems. If the network is well segmented, external
users should be able to access only the live system, testers should access only
the test system, and developers should access only the development system.
Segmentation permits these three populations to coexist without risking that,
for instance, a developer will inadvertently change the production system.
Redundancy
Another key architectural control is redundancy:
allowing a function to be performed on more than one node, to avoid
"putting all the eggs in one basket." For example, the design of figure-1 has only one web server; lose it and all connectivity is lost. A
better design would have two servers, using what is called failover mode. In failover mode the servers communicate with each other periodically, each
determining if the other is still active. If one fails, the other takes over
processing for both of them. Although performance is cut approximately in half
when a failure occurs, at least some processing is being done.
Figure 1 Segmented Architecture.
Single Points of Failure
Ideally, the architecture should make the
network immune to failure. In fact, the architecture should at least make sure
that the system tolerates failure in an acceptable way (such as slowing down
but not stopping processing, or recovering and restarting incomplete
transactions). One way to evaluate the network architecture's tolerance of
failure is to look for single points of failure. That is, we should ask if there is a single
point in the network that, if it were to fail, could deny access to all or a
significant part of the network. So, for example, a single database in one
location is vulnerable to all the failures that could affect that location.
Good network design eliminates single points of failure. Distributing the
database—placing copies of it on different network segments, perhaps even in
different physical locations—can reduce the risk of serious harm from a failure
at any one point. There is often substantial overhead in implementing such a
design; for example, the independent databases must be synchronized. But
usually we can deal with the failure-tolerant features more easily than with
the harm caused by a failed single link.
Architecture plays a role in implementing many
other controls. We point out architectural features as we introduce other
controls throughout the remainder of this chapter.