The idea of my Independent Study (IS) is to safeguard our private servers both from the public network and from the other internal private networks. I propose dedicated interfaces on the firewall, with these interfaces assigned to different zones termed DMZs. Creating a larger number of VLANs within a zone protects the servers from being compromised through another, already compromised, server. By distributing the servers over multiple subnets we get a significantly more secure architecture: the outermost subnets are proposed as DMZs, the middle subnets serve as transaction subnets where the system has to support the complex web applications placed in the DMZs, and the third or back-end subnet is the private network, that is, the trusted network.
Keywords:
ACL, VLANs, WAN, LAN, DMZ, CTL, ATM, SMS
INTRODUCTION
It is very important to understand the security needs of a financial corporation. The firewall plays an essential role in network security. Firewalls are deployed to guard the network and are usually located on the first and second lines of defense. By deploying a firewall in a network we can restrict the traffic entering the network and also the traffic traversing between different zones. All of this, however, depends on the proper design and placement of the firewall in the network.
A three-tier deployment architecture places multiple subnets between the private network and the internet, segregated by the firewall. Each successive subnet has more specific filtering rules, restricting traffic to trusted sources only.
In older designs firewalls were deployed in a two-tier architecture, in which the private network is protected from the public network by defining two different interfaces. Here I propose a firewall architecture in a multiple-tier manner.
Nowadays applications are built as modules that generally reside on different machines or servers and are organised, or housed, in different groups so as to secure them and maintain segregation.
If security is breached on one module it will not harm the others; in other words, if one server is compromised the others may still be safe.
The outermost subnets are proposed as DMZs. The middle subnets serve as transaction subnets, where the system has to support the complex web applications located in the DMZs, and the third or back-end subnet is the private network, that is, the trusted network.
This architecture is the most secure, but it is also the most sophisticated to design and implement. For example, the database server that contains customers' account details is far more sensitive and requires more protection than the web server used for the front end.
The idea of my Independent Study is to safeguard our private traffic from the public network. This can be done by creating different subnets and restricting them according to need. Creating different subnets requires different interfaces, physical or virtual, on the firewall device. Using physical interfaces limits us to the number of ports on the device, and we usually do not have as many physical interfaces as we require, so I propose creating virtual interfaces on the firewall. These interfaces are then assigned to different zones referred to as DMZs. The port limitation is thus overcome by creating virtual interfaces on the device and assigning them to the appropriate zones.
As more VLANs are created, more security can be achieved by assigning different servers to different VLANs.
Defining Firewall
The purpose of a firewall is to monitor, inspect and control network traffic to safeguard the network devices and systems that are crucial for a financial corporation. The firewall first looks up its policies for the traffic passing through it and drops the packets that do not match the policy statements.
A firewall filters unwanted or illegitimate traffic from the outside world as well as from the inside network.
Firewalls are designed to block illegal, unauthorized access; they allow only the traffic permitted by the defined policy.
Every packet is inspected first. The firewall holds a set of rules, and each rule carries an action, either permit or deny. Most firewalls evaluate the rules top to bottom and apply the first match, so rule order matters, and a packet that matches no rule is dropped by the implicit deny at the end of the rule base.
Firewalls are available in both hardware and software form. The essential purpose of a firewall is to protect our private network from the internet and from unauthorized access.
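To make the first-match and implicit-deny semantics concrete, here is an added example (not part of the original study) that evaluates a small rule base the way a firewall would and also detects shadowed rules, that is, rules that can never fire because an earlier rule already covers every packet they would match. All names, addresses and ports are constructed for the illustration: 203.0.113.0/24 stands for the DMZ, 172.16.30.0/24 for a database VLAN and 10.0.0.0/8 for an internal management network.

```python
"""First-match rule-base evaluation with an implicit deny.

Added example, not part of the original study.  The addresses, ports and
rule names are made up; 203.0.113.0/24 stands for the DMZ, 172.16.30.0/24
for the database VLAN and 10.0.0.0/8 for the internal management network.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    src: str              # source CIDR, "0.0.0.0/0" means any
    dst: str              # destination CIDR
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    action: str           # "permit" or "deny"

    def matches(self, src_ip: str, dst_ip: str, proto: str, dport: int) -> bool:
        """Does one packet (5-tuple minus source port) hit this rule?"""
        return (ip_address(src_ip) in ip_network(self.src)
                and ip_address(dst_ip) in ip_network(self.dst)
                and self.proto in ("any", proto)
                and (self.dport is None or self.dport == dport))

    def covers(self, other: "Rule") -> bool:
        """True if every packet matching `other` also matches this rule."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and (self.dport is None or self.dport == other.dport))


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             proto: str, dport: int) -> Tuple[str, str]:
    """Return (action, rule name) of the first matching rule.

    A packet that matches nothing is dropped: the implicit deny.
    """
    for rule in rules:
        if rule.matches(src_ip, dst_ip, proto, dport):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def shadowed_rules(rules: List[Rule]) -> List[str]:
    """Names of rules that can never fire because an earlier rule covers them.

    A shadowed deny is the dangerous case: the author believes the traffic
    is blocked, but the earlier, broader permit wins on every packet.
    """
    return [later.name
            for i, later in enumerate(rules)
            if any(earlier.covers(later) for earlier in rules[:i])]


# Constructed rule base with a classic ordering mistake: the broad management
# permit sits above the deny meant to keep management off the database port.
BROKEN_RULES = [
    Rule("web-https", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443, "permit"),
    Rule("mgmt-permit-all", "10.0.0.0/8", "0.0.0.0/0", "any", None, "permit"),
    Rule("deny-mgmt-to-db", "10.0.0.0/8", "172.16.30.0/24", "tcp", 3306, "deny"),
]

# Same rules with the specific deny moved above the broad permit.
FIXED_RULES = [BROKEN_RULES[0], BROKEN_RULES[2], BROKEN_RULES[1]]


if __name__ == "__main__":
    print(evaluate(BROKEN_RULES, "198.51.100.7", "203.0.113.10", "tcp", 443))  # ('permit', 'web-https')
    print(evaluate(BROKEN_RULES, "10.1.2.3", "172.16.30.5", "tcp", 3306))       # ('permit', 'mgmt-permit-all')
    print(shadowed_rules(BROKEN_RULES))                                         # ['deny-mgmt-to-db']
    print(evaluate(FIXED_RULES, "10.1.2.3", "172.16.30.5", "tcp", 3306))        # ('deny', 'deny-mgmt-to-db')
```

The shadowing check is the one a practitioner wants when reviewing the rule bases proposed later for each zone: a deny placed below a broad permit gives a false sense of security, and the fix is purely a matter of ordering, as `FIXED_RULES` shows.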
Two-Tier, Three-Tier or Multiple-Tier
The idea of this tier-based architecture is to secure a multi-tier software environment. There is no specific definition of a two-tier or three-tier firewall; the terms come from different ideas. In the first, the word tier refers to the number of interfaces (zones) available on the firewall.
A two-tier firewall has two interfaces, each assigned to a different zone:
Inside / private network / trusted
Outside / untrusted network
A three-tier firewall generally has three zones:
Inside / private network / trusted
Outside / untrusted network
A DMZ (demilitarized zone)
Use the DMZ zone to hold the servers that need to be accessed from the outside world. It plays a vital role for any organization where a lot of business services depend on the internet, such as e-commerce based services; many banks are also offering internet banking facilities to their customers these days, and by adopting such an architecture and its recommendations in our network we can improve both availability and security.
Email servers, web servers and DNS servers are some of the servers that must be reachable publicly from the external network, so they need extra security and protection.
Now let us look at the other use of the tier-based architecture. Here tier does not refer to the interfaces a firewall has but to the levels of firewalling you provide. In this kind of deployment a firewall is needed at each tier: one firewall for the outside public network, one for the DMZ and one for the private network.
Multi-Tier Applications Overview
Nowadays applications are built in multiple logical tiers; software engineers have segregated the major functional areas into logical groupings that can be designed, implemented and run independently of each other. Taking a web-based application as an example, the following tiers may be present:
Presentation
Middleware
Data
4.1 Presentation
This tier interacts directly with the users coming from the internet and is the tier closest to it. Such publicly reached services are usually implemented using web, DNS and email servers.
The purpose of these servers is to present the application to the user. This tier manages the interaction between users coming from the public network and the back-end components.
4.2 Middleware
This tier holds the components that perform the business logic of the application in response to the requests made by the servers hosted in the presentation tier on behalf of internet users.
4.3 Data
The data tier holds the core servers, such as database servers and directory servers, that contain the private data. This tier holds the most private data of the bank, such as account information of users and customer records.
The workflow of a web-based multi-tier request can be summarised as follows.
Users on the internet send a request to the web server via a web browser.
The request is processed by the web server and passed to the middleware tier.
The middleware component then interacts with the database servers for the requested query.
After the query completes, the result is returned to the web server, and the web server relays it to the internet user.
With this approach there is no direct communication between the public user and the core database servers.
Explaining Firewall Deployment Using a Single Subnet
Segregating the components into groups helps us analyse the risk and exposure of the devices to the public network, that is, how we restrict direct connections from internet users to critical servers. The acceptable level of risk for each server varies from case to case, and this is the reason for building different kinds of zones and VLANs, placing each server in the relevant zone and VLAN according to the security level it requires.
Take as an example an internet banking application that runs on different servers. The different kinds of servers play different roles in the overall workflow of the application. The server playing the role of front-end server does not require as strict a security policy as the server on which customer account information resides (the core database server).
In the single-subnet approach, however, all the servers are placed behind the firewall on one subnet and the same security level is applied to every server, whether it is a web server or the bank's database server. They are all equally protected from threats coming from internet users, but traffic between them never crosses the firewall, so nothing protects them from a locally compromised neighbour.
Explaining Single Firewall Deployment with Multiple Subnets
Here the firewall is deployed using both its physical and virtual interfaces to create different subnets. The network is segregated into the logical tiers, each given its own subnet, and each tier is filtered more strictly than is possible with a single subnet. In this kind of deployment the outermost tier (presentation tier) interacts only with the middle one (middleware tier), and the middleware tier interacts only with the innermost tier (data tier).
Proposed Solution for a Financial Organization
In the proposed design the internet-facing routers act as perimeter routers and form the first line of defense. The routers work in high-availability mode.
Behind them, two firewalls form the second line of defense for the servers; all the zones and VLANs are defined on these firewalls. The rules are created here, and application flow is controlled at this level.
Both firewalls run in high-availability mode, backing each other up. In case of a physical interface failure, a logical interface failure or complete device failure, the network keeps running.
These firewalls are then connected to Layer 2 switches using gigabit interfaces. Servers terminate on the same switches or, if needed, on other switches.
Layer 2 trunks are created between the switches as well, to cater for device or link failure.
Spanning tree is configured on the switches to avoid loops between them and to provide redundancy.
The basic theme is to create different zones according to the relevant security levels. The following zones should be created on the firewall.
Internet Access Zone
Public Access Zone
Trusted Server Zone
Business Access Zone
7.1 Internet Access Zone
The router on which the internet link terminates is assigned to this zone. A strict rule base / policies would be implemented here.
7.2 Public Access Zone
The VLANs that need to be accessed from the internet by any means are assigned to this zone. Different VLANs are created in this zone, for example:
Internet banking front-end servers, and email servers.
7.3 Trusted Server Zone
The VLANs of the core business application and other critical financial applications are assigned to this zone. These are critical servers and very strict rules are implemented for them. Only legitimate traffic is allowed between the zones and, within a zone, between the VLANs. The following are some examples of VLANs that would be created in this zone.
Core Business Application VLAN, Internet banking DB VLAN, ATM PHEONIX VLAN, CTL VLAN
7.4 Business Access Zone
These are the extranets, that is, the external connectivity between the bank and other corporate entities such as NADRA and UFONE.
This zone holds the servers for the following VLANs: NADRA VLAN, SWIFT VLAN, UFONE VLAN, SMS VLAN, 1-Link VLAN, Central Banking servers.
Explaining Traffic Flow Between Zones and Within Zones Between VLANs
The internet banking application is designed to work in a multi-tier architecture. Customers on the internet first hit the front-end servers, which are publicly available; this is why these servers are placed in the Public Access Zone.
Restricted rules are then implemented between the Public Access Zone and the Transition Server Zone; only these front-end servers may send requests to the Transition Server Zone's VLANs.
In turn, only the transition servers communicate with the Trusted Zone's VLANs.
That is, only these transition application servers communicate with the bank's core database servers.
This model helps the bank secure its critical servers: there is no direct communication between the outside network, such as internet users, and the core business servers.
Conclusion
For any financial organization security is an indispensable concern. Core business servers need to be protected not only from the outside public world but also from inside entities. For this a proper network design must be applied, in which the placement and role of the firewall is vital. The solution suggested in this independent study shows how applications working in multiple tiers can be secured properly: by segregating each type of application into a separate zone we limit untrusted traffic from the other zones, and by creating different VLANs within a zone we restrict unwanted intra-zone traffic as well. With this methodology traffic flow can be controlled much more tightly without having to create as many zones as there are VLANs.
This tightly controlled traffic flow restricts the connectivity between each tier; in short, the technique limits intra-zone as well as inter-zone traffic. Any traffic, intra-zone or inter-zone, is first looked up in the access control policy: if a matching permit exists the communication takes place, otherwise the packets are simply dropped.
The caveat of this technique is a possible bottleneck due to the traffic load between the zones and within the zones, since all traffic has to pass through the firewall first. To overcome this, deploy the firewalls and switches with gigabit interface trunks between them, estimate the inter-zone and intra-zone traffic with traffic analyzers, and if needed build link bundles between the firewalls and the switches. Proceeding in this manner protects our network without compromising on security. Finally, I would say that this independent study provides recommendations, a secure model and a cost-effective solution for multi-tier environments.