
Upload: sergey-boronin

Post on 25-Mar-2016



TRANSCRIPT

The Four Perimeters of Security

Sergei Boronin

It is commonly believed that local networks are much better protected from invasion than those directly accessible from the Internet, but is that true? What factors really determine security?

All information resources are divided into three zones: red, yellow and green.

Red Zone: hosts with real (public) IP addresses and the resources on them. They form the outer perimeter and are the first thing an attacker reaches.

Yellow Zone: servers with private IP addresses whose resources are available from both the Internet and the local network. Think of them as a demilitarized zone (DMZ): Internet users get very restricted access to these servers (only the published services), while users of the local area network (LAN) usually have full access to the resources in the DMZ.

Green Zone: LAN resources that do not provide any services beyond their borders, i.e., there is no direct access to them from the Internet or from the DMZ.

Zonal organization requires a network infrastructure with a layered defense system, in which each zone has its own layer of fortifications and the layers act as nested levels of the network's security.
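The zone model above, as an added example that is not part of the original article: a small Python policy check that classifies an address into the Red, Yellow or Green zone, decides whether a flow is permitted under the nested-perimeter rule (Internet reaches the DMZ only on published ports, the LAN reaches the DMZ fully, nothing outside the LAN reaches the Green Zone), and renders the same policy as an ordered iptables FORWARD chain for the gateway between the zones. The addressing plan (10.0.1.0/24 for the DMZ, 192.168.0.0/16 for the LAN), the sample hosts and the sample client addresses are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing plan for the example (an assumption, not from the article):
# the DMZ and LAN use RFC 1918 space; anything globally routable is Red / the Internet.
DMZ_NET = ipaddress.ip_network("10.0.1.0/24")
LAN_NET = ipaddress.ip_network("192.168.0.0/16")


@dataclass(frozen=True)
class Host:
    name: str
    ip: str
    published: frozenset = frozenset()  # TCP ports a DMZ host offers to the Internet


def zone_of(ip: str) -> str:
    """Map an address onto the article's zones: red = real (public) IP, yellow = DMZ, green = LAN."""
    addr = ipaddress.ip_address(ip)
    if addr.is_global:
        return "red"
    if addr in DMZ_NET:
        return "yellow"
    if addr in LAN_NET:
        return "green"
    return "unknown"  # loopback, link-local, unassigned private space: fail closed


def flow_allowed(src_ip: str, dst: Host, dport: int) -> bool:
    """Nested-perimeter rule: a zone is reachable only from the same or an inner zone,
    except that a DMZ host may publish a few service ports outward."""
    src, dst_zone = zone_of(src_ip), zone_of(dst.ip)
    if "unknown" in (src, dst_zone):
        return False
    if dst_zone == "red":
        return True  # outer perimeter: reachable from everywhere, protection is per host
    if dst_zone == "yellow":
        if src in ("green", "yellow"):
            return True  # LAN users have full access to the DMZ
        return dport in dst.published  # Internet: only the published services
    return src == "green"  # green: no direct access from the Internet or the DMZ


def forward_rules(dmz_hosts: list) -> list:
    """Render the policy as an ordered iptables FORWARD chain for the zone gateway.
    Red hosts sit outside the gateway, so they need no FORWARD rule here."""
    rules = [
        "iptables -P FORWARD DROP",  # default deny: anything not matched below is dropped
        "iptables -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT",
        f"iptables -A FORWARD -s {LAN_NET} -j ACCEPT",  # green may initiate to any zone
    ]
    for host in dmz_hosts:
        for port in sorted(host.published):  # Internet reaches the DMZ only on published ports
            rules.append(
                f"iptables -A FORWARD -d {host.ip} -p tcp --dport {port} "
                f"-m conntrack --ctstate NEW -j ACCEPT"
            )
    # DMZ may talk outward and among itself, never into the LAN (that falls to the DROP policy)
    rules.append(f"iptables -A FORWARD -s {DMZ_NET} ! -d {LAN_NET} -j ACCEPT")
    return rules


if __name__ == "__main__":
    web = Host("web", "10.0.1.10", frozenset({80, 443}))  # constructed DMZ web server
    fileserver = Host("fs", "192.168.1.20")                # constructed Green Zone host
    for src, dst, port in [("8.8.8.8", web, 443), ("8.8.8.8", web, 22),
                           ("192.168.5.7", web, 22), ("10.0.1.10", fileserver, 445),
                           ("8.8.8.8", fileserver, 445), ("192.168.1.5", fileserver, 445)]:
        verdict = "ALLOW" if flow_allowed(src, dst, port) else "DENY "
        print(f"{verdict} {src:>14} ({zone_of(src)}) -> {dst.name} ({zone_of(dst.ip)}) :{port}")
    print("\n".join(forward_rules([web])))
```

The rule list is order-sensitive: the LAN accept comes before the DMZ rules so Green Zone users keep full access to the DMZ, and the published-port accepts come before the DMZ catch-all so an unpublished port on a DMZ host is never reachable from the Internet. The sample client 8.8.8.8 is used only because it is globally routable; documentation ranges such as 203.0.113.0/24 are not reported as global by ipaddress and would fall into "unknown".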

Most people believe the Green Zone is relatively safe because it is denied access from the Internet. This illusion of security is reinforced in two ways: the use of an Active Directory domain, which creates a "circle of trust" through a centralized database of settings that control access to local network resources; and the use of a management server as the domain controller.

The security is an illusion because applications are the Achilles heel of Active Directory. Some applications require administrative privileges for full access to the directory service, so they run under accounts with domain-wide rights; compromising any one of these services therefore hands an attacker control of every computer in the domain.

The following steps reduce the risks associated with hacking network services within the local network:

To protect Windows-based servers
o Use non-privileged accounts to run network services
o Set restrictions using Group Policy
o Configure Windows Firewall
o Install anti-virus, anti-spam and anti-trojan software

To protect UNIX servers (Linux / FreeBSD)
o Use non-privileged accounts to run network services (daemons)
o Run services in a chroot
o Correctly configure firewalls
o Protect email servers with antivirus and antispam solutions

To protect Internet gateway servers
o Use proxy servers

Basic precautions work well, but there are additional actions you can take that are geared to specific operating systems to further minimize the possibility of your services being hacked.

It is important to remember that new versions of Windows-based platforms already ship with strong security policies; however, if you enable more than about 30% of those features you will break compatibility with previous versions. For that reason, it is recommended to use less than 30% of the available security policies. As with most of IT, advanced anti-hacking efforts are also operating-system specific.

To protect Windows Server 2008 R2:
o Increase security policies when compatibility with earlier versions of Windows is not a requirement
o Use server virtualization with Hyper-V technology
o Use application virtualization technology with App-V (formerly SoftGrid)
o Use RMS (AD RMS)
o Use the Encrypting File System (EFS) to protect against unauthorized physical access

To protect Windows 7 workstations:
o Apply new group policy for non-privileged accounts
o Use XP Mode to run vulnerable services
o Configure UAC virtualization
o Deploy the client side of RMS (AD RMS)
o Use EFS to protect against unauthorized physical access

To protect Windows file servers:
o Use antivirus protection that checks each file with two different antivirus programs, one on the server and the other on the client
o Use EFS on servers to protect against unauthorized physical access

The strategies that protect Linux also apply to workstations running Mac OS X, so they are not addressed separately. The main security-related drawback of Mac OS X is the incompatibility of Mandatory Access Control (MAC) with Apple's Carbon, which provides an API for applications.

To protect UNIX systems (Linux / FreeBSD):
o Use a superserver to limit access to services
o Integrate SELinux / AppArmor into Linux, MAC and FreeBSD
o Use OpenVZ / LXC on Linux and Jail on FreeBSD for server virtualization
o Combine strong security rules and application virtualization in a chroot environment

Linux workstations:
o Use SELinux / AppArmor
o Use a powerful firewall (netfilter), with Firestarter as a front-end for novices
o Use a superserver to limit access to services
o Use an encrypted file system to protect against unauthorized physical access
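The two UNIX recommendations that recur in the lists above, running daemons under a non-privileged account and running them in a chroot, as an added example that is not taken from the article: a Python daemon skeleton that opens its listening socket while still root, then confines a forked worker with chroot followed by an irreversible uid/gid drop, and verifies that root cannot be regained. The user name nobody, the port numbers and the empty temporary jail directory are assumptions for the demonstration.

```python
import os
import pwd
import socket
import tempfile
from typing import Callable, Optional


def running_as_root() -> bool:
    return os.geteuid() == 0


def drop_privileges(username: str, chroot_dir: Optional[str] = None) -> tuple:
    """Confine the current process: chroot (needs root) first, then shed supplementary
    groups, then gid, then uid, in that order. Returns the resulting (uid, gid)."""
    if not running_as_root():
        raise RuntimeError("must be root to chroot and change uid/gid")
    pw = pwd.getpwnam(username)      # look the account up BEFORE chroot: /etc/passwd is outside the jail
    if chroot_dir is not None:
        os.chroot(chroot_dir)
        os.chdir("/")                # otherwise the cwd still points outside the jail
    os.setgroups([])                 # root's supplementary groups would otherwise survive
    os.setgid(pw.pw_gid)
    os.setuid(pw.pw_uid)             # real+effective+saved uid: no way back after this
    os.umask(0o077)
    return os.getuid(), os.getgid()


def privileges_are_dropped() -> bool:
    """Verify the drop is irreversible: not root, and regaining uid 0 is refused."""
    if running_as_root():
        return False
    try:
        os.setuid(0)
    except PermissionError:
        return True
    return False                     # seteuid()-style drops leave this path open


def run_unprivileged(username: str, chroot_dir: Optional[str], task: Callable[[], bool]) -> int:
    """Privilege-separated worker: fork, confine the child, run task(). The parent keeps
    its privileges and sees only the exit status (0 = task ran and the drop was verified)."""
    pid = os.fork()
    if pid == 0:
        ok = False
        try:
            drop_privileges(username, chroot_dir)
            ok = privileges_are_dropped() and bool(task())
        finally:
            os._exit(0 if ok else 1)
    _, status = os.waitpid(pid, 0)
    return os.waitstatus_to_exitcode(status)


if __name__ == "__main__":
    # Bind while still root (a privileged port needs it), then hand the socket to the worker.
    port = 80 if running_as_root() else 8080
    listener = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    listener.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    listener.bind(("127.0.0.1", port))
    listener.listen(1)

    def serve_one() -> bool:
        conn, _ = listener.accept()  # inherited across fork; the jail needs no files at all
        conn.sendall(b"hello from uid %d\n" % os.getuid())
        conn.close()
        return True

    if running_as_root():
        jail = tempfile.mkdtemp(prefix="jail-")  # empty jail directory (assumption)
        print("worker exit code:", run_unprivileged("nobody", jail, serve_one))
    else:
        print("not root: start as root to see the chroot and the uid drop in action")
```

The order is the point: chroot() needs root and must precede setuid(); setgroups() and setgid() must precede setuid() because nothing can change groups afterwards; and the final check catches the common mistake of calling seteuid() instead of setuid(), which leaves the saved uid 0 and lets a compromised worker switch back. Started as root, the program answers one connection (for example nc 127.0.0.1 80) from inside the jail as nobody.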

None of this is rocket science, and the wise admin makes security a high-priority item.

Here is a short wrap-up to remind you. Ignoring security at the host level makes it much easier to gain access to the Green Zone and, in turn, to your entire network. You can greatly improve the security of the IT infrastructure as a whole by providing full protection for each host, whether it is a workstation in the Green Zone or a server in the Red Zone. Combining best practices with common sense provides strong perimeter security for external resources and for all zones (Red, Yellow, Green and finally the individual hosts, the fourth perimeter). Moreover, preventive measures, such as intrusion detection systems, solid organizational policies and comprehensive user training, greatly enhance your ability to avoid a serious breach.