Following his guide to physical security, David Barker discusses how best to manage the security of your data center network and suggests five basic questions everyone should ask a provider.
To a large extent your approach to network security and products/services will be defined by your company security policy. To keep unauthorized external users out, you will need a firewall system. To keep unauthorized employees away from sensitive company information, you will need a user access control system. Furthermore, if you have multiple locations and/or remote users, you will need encrypted remote access or VPN capability.
Within this broad specification, there are a lot of options available, but for this article I’ve focused on two areas:
- Border security on your own network—in this case, firewalls
- Potential dangers that should be considered when adopting the “cloud” in your network.
On your network a firewall keeps the outside world (Internet) out and the inside world in, but it allows for controlled exchange of data between these two.
In general there are three major categories of firewall available:
- Packet filters: basic firewalls used to keep ports and protocols closed on your network.
- Stateful inspection firewalls: advanced firewalls that offer the best protection, including intrusion prevention services, anti-DDoS and antivirus/anti-malware.
- Application layer gateways: proxy-based services that allow you to control the websites and services that your users can access.
Below is a brief summary of the first two (packet filters and stateful inspection firewalls), as they are the two main firewall types deployed at the edge of a network to provide security. Application-layer gateways and proxies are more commonly found in office and access networks where there is a requirement for restrictions on what can be accessed over a connection (e.g., a school network that wants to block access to “adult” websites).
Packet filters are very basic firewalls that block the passage of data from one side of the firewall to the other (i.e., from the Internet to the servers on the inside). The firewall accomplishes this by looking at the header information of every packet and matching it against a set of simple rules. For example, if a packet arrives from the Internet with a destination port of 80 (HTTP) in its header, the firewall checks its list of rules to see whether packets to port 80 may be passed through; if a rule allows it, the packet is passed straight to the internal network, otherwise the firewall drops the packet.
A packet filter is essentially a router with security features, and it can control data flow by protocol, port, source and destination. These filters, however, have little to no authentication, user access control or user management capability. Some devices may have VPN and encryption functions, but these functions are usually very basic when compared with higher-end and dedicated devices.
Packet-filter firewalls have a few distinct advantages. Hardware-based packet filters are generally the fastest of all security platforms, having little effect on your network performance.
Generally such filters are also the most stable firewalls. Although no security platform is “plug and play,” hardware packet filters do come pretty close to it. They can usually be deployed in under an hour and most of the configuration is performed through a web-based interface.
Unfortunately, even with all the benefits, packet filters are considered to be the least secure of the major firewalls. This is because they offer little protection against advanced attacks and have limited features for handling users, custom protocols, remote management and other options provided by more-advanced firewalls. Since packet-filtering firewalls only monitor the network layer, they are highly vulnerable to IP spoofing, denial-of-service attacks and SYN flood attacks.
In addition to hardware-based packet-filtering firewalls, you can also deploy software-based packet filtering at little or no cost by using any of the major operating systems. There’s a lot of firewall software for the UNIX-based operating systems (Linux, FreeBSD, etc.), such as IPChains, and I would recommend deploying a software-based packet filter on all your servers in addition to your main border firewalls.
Stateful Inspection Firewalls
I think that the most secure and the most versatile option is the stateful inspection firewall.
This firewall provides most of the functions of packet filters and application-layer gateways combined. But stateful inspection firewalls have an additional trick up their sleeves: they keep information about the network connections going through them in what is called a state table.
A properly designed stateful inspection firewall operates in an entirely different way from other types of firewall. A full technical specification can run to mini-novel length, but let me try to illustrate how the process works.
How It Works
Say that I enter a domain name (e.g., www.4d-dc.com) and load a website; the stateful inspection firewall records that my computer has requested a particular file from the web server. This information is stored in the state table until the web server responds; when this occurs the firewall looks at the table to see if the response matches a request already in the state table (in this case, it is because I tried to load the web page) and allows the data through to my computer.
For this approach to work with another type of firewall (e.g., a packet filter), you would need to create a rule that allows my computer to send out an HTTP request (port 80/tcp) and a second rule to allow the HTTP response back into my computer. By using the state table, the stateful inspection firewall knows that the response was requested and so allows it through; you don’t need to open an incoming port for the responses.
This may not seem like a big deal when dealing with just HTTP traffic, but if you were to do the same with a protocol such as SSH or telnet, it is very different. You don’t want to explicitly allow SSH into your network (it’s not very secure), but you do want it to work if a device within the firewall wants to talk SSH with a device outside the firewall without needing to make a configuration change every time.
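The two behaviours described above (a packet filter judging each packet only by its own header, and a stateful inspection firewall consulting a state table so that replies to an allowed outbound connection are let back in without an explicit inbound rule) can be shown side by side in a small simulation. This is an added example, not code from the original article or from 4D Data Centres; the packet fields, the rule format, the first-match/default-deny policy and the sample addresses and ports are all constructed for illustration.

```python
"""Stateless packet filtering vs stateful inspection, as a small simulation.

Constructed example: packets are plain header records, rules are matched
first-match-wins, and anything no rule allows is dropped (default deny).
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    proto: str        # "tcp" or "udp"
    direction: str    # "out" = inside -> Internet, "in" = Internet -> inside
    syn: bool = False  # TCP SYN flag: set on the first packet of a connection


@dataclass(frozen=True)
class Rule:
    direction: str
    proto: str
    src_port: Optional[int]  # None matches any port
    dst_port: Optional[int]  # None matches any port
    action: str              # "allow" or "drop"

    def matches(self, pkt: Packet) -> bool:
        return (self.direction == pkt.direction
                and self.proto == pkt.proto
                and (self.src_port is None or self.src_port == pkt.src_port)
                and (self.dst_port is None or self.dst_port == pkt.dst_port))


class PacketFilter:
    """Stateless: each packet is judged only by its own header fields."""

    def __init__(self, rules: List[Rule]):
        self.rules = list(rules)

    def decide(self, pkt: Packet) -> str:
        for rule in self.rules:
            if rule.matches(pkt):
                return rule.action
        return "drop"  # default deny: nothing matched


# A connection key is (inside_ip, inside_port, outside_ip, outside_port, proto).
ConnKey = Tuple[str, int, str, int, str]


class StatefulFirewall(PacketFilter):
    """Adds a state table: replies to an allowed outbound connection are let in."""

    def __init__(self, rules: List[Rule]):
        super().__init__(rules)
        self.state: Set[ConnKey] = set()

    def decide(self, pkt: Packet) -> str:
        if pkt.direction == "in":
            # Flip the tuple so an inbound reply lines up with the outbound entry.
            key: ConnKey = (pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port, pkt.proto)
            if key in self.state:
                return "allow"  # matches a request we already saw go out
        action = super().decide(pkt)
        if action == "allow" and pkt.direction == "out":
            # Record the outbound connection so its replies can come back.
            self.state.add((pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port, pkt.proto))
        return action


def run(fw: PacketFilter, packets: List[Packet]) -> List[str]:
    """Feed packets through a firewall in order and collect the decisions."""
    return [fw.decide(p) for p in packets]


def demo() -> dict:
    """Same rule set and packet sequence through both firewall types."""
    # Only rule: inside hosts may open TCP connections outward. No inbound rule.
    outbound_only = [Rule("out", "tcp", None, None, "allow")]
    # Constructed traffic: an inside host opens SSH to an outside server,
    # the server replies, and an unrelated outside host tries SSH inbound.
    packets = [
        Packet("10.0.0.5", 51000, "203.0.113.10", 22, "tcp", "out", syn=True),
        Packet("203.0.113.10", 22, "10.0.0.5", 51000, "tcp", "in"),
        Packet("198.51.100.7", 40000, "10.0.0.5", 22, "tcp", "in", syn=True),
    ]
    return {
        "stateless": run(PacketFilter(outbound_only), packets),
        "stateful": run(StatefulFirewall(outbound_only), packets),
    }


if __name__ == "__main__":
    for name, decisions in demo().items():
        print(f"{name:9s} {decisions}")
```

With only the outbound rule, the stateless filter drops the server's reply, so to make SSH work you would have to add an inbound allow rule for source port 22 to any destination port, which also admits unsolicited traffic that merely claims to come from port 22. The stateful firewall allows the reply because it matches the state-table entry created by the outbound request, while the unsolicited inbound SYN to port 22 is still dropped by both.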
2. What Dangers Does the Cloud Bring to Network Security?
Private and public clouds function in basically the same way: applications are hosted on a server and accessed over the Internet, or via a dedicated connection to the cloud provider. Whether you’re using a “Software as a Service” (SaaS) version of customer-relationship management (CRM) software, offsite backups of your company data or a scalable computing platform, or even if you’re setting up a social-media marketing page, you are trusting a third party with potentially sensitive data about your business and your clients.
Although cloud computing can offer cost-saving benefits such as pay-as-you-go access to software, or computing/storage resources running on powerful hardware that you haven’t had to purchase outright, the service does come with certain security risks.
So when evaluating a potential cloud provider, keep the following five questions in mind to ensure that whatever provider or service you pick, your data will be as secure as you can make it. This isn’t an exhaustive list, and no cloud provider will be as secure as running your own equipment where you have total control.
- Is data transfer secure? For most users of cloud computing, all traffic between yourselves, or your clients, and the provider will traverse the Internet. You need to ensure that while in transit, this data is secure from interception and corruption. If you are using a SaaS-type service, ensure that you are always connecting to the provider using Secure Sockets Layer (SSL), which can be identified by the URL starting with “HTTPS” (the ‘S’ denotes a secure connection). If you are using a cloud provider to replace back-end equipment, you should be connecting your local network to the provider’s network using a VPN tunnel with an encrypted protocol such as IPSec. A better solution is to use a provider who can also offer you a dedicated point-to-point connection from your office directly into the cloud platform, so that your traffic doesn’t have to touch the Internet at any stage.
- Are the software interfaces secure? The Cloud Security Alliance (CSA) recommends that you be aware of the software interfaces (usually called “application programming interfaces,” or APIs) that allow your software to communicate and exchange data with the cloud provider. The CSA’s report on the top threats to cloud computing says, “Reliance on a weak set of interfaces and APIs exposes organizations to a variety of security issues related to confidentiality, integrity, availability and accountability.” As part of your evaluation process, learn how your cloud provider integrates security throughout its services, from authentication of connections through to the monitoring of policies and how breaches or detected vulnerabilities are dealt with.
- Is data storage secure? This is especially relevant if you are using a cloud provider as a replacement for in-house storage, or as a place to store your regular backups. All data held on the provider’s equipment, and while it is in use by any services on the cloud platform, should be securely encrypted. This will ensure that if there is a breach and data is accessed by an unauthorized third party, it will be unusable. Ask potential cloud providers how they secure your data, not only when it’s in transit but also when it’s on their servers and accessed by the cloud-based applications. Also find out about data disposal: whether the data is wiped using a recognized overwrite standard, and whether the encryption keys are also destroyed so that any remaining encrypted data can’t be recovered.
- What user access controls and authentication exist? Any data stored on a cloud provider’s platform can potentially be accessed by an employee of that company, and you have none of the usual controls over their staff as you do over your own team. First, consider carefully the sensitivity of the data you’re allowing out into the cloud and whether it meets your own internal classifications on where that data can be stored. Ask providers for details of the people who manage your data, the background checks they perform on their staff and the level of access they have to it. You will never be in a situation where a provider’s staff has no access to your data. If this is a requirement, you need to be looking at running your own hardware (which could itself be virtualized into an internal cloud platform) over which you have direct control regarding who can physically access those machines and who has the details to log onto the systems.
- How is data segregated? All cloud-based services and clients share resources, namely space on the provider’s servers, storage and other parts of the provider’s infrastructure, such as the network. Hypervisor software (for example VMware or Hyper-V) creates virtual containers on the provider’s equipment for each of its clients that appear as separate machines. Although these appear separate, however, they all share the same physical hardware. Attacks have surfaced in recent years that target the shared technology inside cloud environments. Investigate how the provider handles the segregation of client data on all levels, from the hypervisors through the storage and network.
This is by no means a complete article on network security; whole series of books can be written on specifics such as firewalls, but hopefully it provides some insight into how to protect your network against intrusion and how to manage security given the rising popularity of cloud-based services.
About the Author
David Barker is technical director of 4D Data Centres. David (26) founded the company in 1999 at age 14. Since then, he’s masterminded 4D’s development into the full-fledged colocation and connectivity provider that it is today. As technical director, David is responsible for the ongoing strategic overview of 4D Data Centres’ IT and physical infrastructure. Working closely with the head of IT server administration and head of network infrastructure, David also leads any major technical change-management projects that the company undertakes.
4D Data Centres runs one of the few independently owned data center businesses in the U.K. This Tier 3 data center operator, based at its own flagship site in Surrey, also provides colocation and connectivity services in three other centres in The City, London Docklands and Kent. Other services include dedicated servers and managed services. The company provides customers with access 24/7 with around-the-clock support from its qualified and experienced technical engineers.