Network Topology and Internet Security
by The Uni-Hacker on Oct.01, 2008, under Security
—————————————————————————-
There are several methods of providing Internet service to an interior
corporate LAN from a single Internet gateway machine. Some of these
provide stalwart protection; others invite disaster. Here are a few:
Physical Isolation:
Security level: Very high
The simplest and most secure method. A host is isolated from the
rest of the network. No Internet user can see the internal LAN, of
course, nor can any LAN user see the Internet. The server itself is
still open to attack, however. This method is therefore not very
extensible. Adding a few small workstations (or kiosks) onto the server
may increase usability somewhat, granting some corporate users
access to the Internet at large. This requires additional hardware and
cost, however.
Protocol Isolation:
Security level: High
If computers on the LAN need to see the Internet server, use
this, the next most secure method: protocol isolation. This method is
deceptively simple, based on the premise that "Netspeak" is TCP/IP. The
Internet server needs to be outfitted with two NICs, one for the Internet
proper, one for the internal LAN. The NIC connected to the Internet is bound
to TCP/IP, and the other NIC is bound to IPX, NetBEUI, or some network
protocol that is not TCP/IP. The key is that the Internet requires use
of IP. Since the corporate LAN is running a different protocol, it
cannot communicate with the Internet, and vice versa. This method is
useful for corporations that have FTP servers, and users who make data
available for dissemination. The resources on the server are available
from either direction, but traffic cannot be passed through. A standard firewall arrangement.
Third-party Router:
Security level: High
If you are running TCP/IP on a large corporate network with high
volume or multiple subnets, you will likely want to use a third-party
router connected to a leased line. Some routers allow for packet
filtering and tracing, as well as other features. If implemented
correctly, it is usually very secure.
Full Gateway Machine:
Security level: Low
An internal LAN running TCP/IP served by an unprotected Internet
gateway machine. Very little protection for the internal network is
provided here. A skilled hacker will easily penetrate this type of setup,
and an unskilled hacker will also likely be able to break in. This setup relies
on the host operating system to provide security through file permissions and
intrinsic security features. Not highly recommended.
2/19/95
—————————————————————————–