Internet Infrastructure Components: A 10,000-Foot View
In This Chapter
Understanding and Connecting to the Internet
Management of the Internet
What Makes the Internet (In)Secure?
Why Is the Internet Attractive to Businesses?
To connect to and utilize the Internet in a secure manner, the security practitioner must understand not just the "what" of the Internet, but also the "how." It is certainly possible to build a secure network by simply refusing to connect it to any others. Many very useful private networks such as this exist today; however, the users of these networks are cut off from all of the information resources and communication options that the Internet provides. It is fair to say that almost all commercial and federal organizations have decided that some form of connectivity to the Internet is worth having, from the "ma and pa" store with a single email account to large stock exchanges with redundant high-speed connections into hardened data centers. Even very sensitive government organizations such as the Central Intelligence Agency and the National Security Agency can be found utilizing the Internet.
Before plunging into the technical details of the Internet (packet-layer protocols, application-layer protocols, operating systems, applications, and security devices), let's take a 10,000-foot view of the most ubiquitous network on Earth. The Internet is the world's largest network based on the TCP/IP protocol; however, it is not merely a collection of routers and switches that move packets around the world at the speed of light (well, pretty fast, most of the time). This core set of transport and routing mechanisms is merely the glue that holds the rest of the Internet together. The "rest" is composed of the myriad of servers, such as Web, mail, file, DNS, application, and transaction servers, that serve up everything from transactional experiences to the latest music video.
The Internet and its predecessors have been around for quite a while now. Students, scientists, engineers, computer specialists, and others have been emailing, exchanging files, and even chatting for several decades. It was the development of the Hypertext Transfer Protocol (HTTP) and Web browsers such as Mosaic and Netscape that brought the Internet into the average person's life, spurring the real growth in Internet service providers and online companies such as America Online, as well as infrastructure companies such as Cisco Systems.
The Internet is really as much about applications and the personal computers that they run on as it is about routers and fiber-optic cable. This said, it's still vitally important to understand what makes the Internet work and how it functions to effectively secure the protocols and applications that utilize its services. To that end, this chapter provides a high-level overview of the major components of the Internet. When you've developed an understanding of how this online world is built and organized, you will be ready to proceed into the more explicit details needed to design and implement a secure Web infrastructure. Details of specific security components and secure network design will be addressed in forthcoming chapters of this book.
Understanding and Connecting to the Internet
What we now call the Internet began as a government-funded network called the ARPANET (named after ARPA, the Department of Defense's Advanced Research Project Agency, which is now known as DARPA). Actually, the government funded the original Internet "backbone," the core that connected all of the edge networks. The edge networks were owned and maintained by universities, research organizations, and government agencies, all interconnected by the ARPANET (and later the National Science Foundation-funded NSFnet) backbone. This internetworking of many IP networks through a core backbone gave rise to the popular term Internet. The modern Internet is built from a collection of privately built and operated backbone networks that are interconnected at major demarcation points around the world. The companies that own and provide access to these networks are called Internet service providers, or ISPs.
Internet Service Providers
ISPs come in many sizes. The "big names" in the industry (AT&T, MCI/UUNET, and others) operate global high-speed backbones. Smaller, regional-based ISPs might serve individual countries or states. Although they are less common than they were in the mid-1990s, many small ISPs also provide dial-up or specialized access to the Internet. This hierarchy of ISPs is illustrated in Figure 3.1.
Figure 3.1 Internet service provider hierarchy.
To get "on the Internet," the first thing you must do is contract with an ISP that provides physical access to the Internet. Nowadays, physical Internet access comes in many forms, with examples including these:
Dial-up modem: This access establishes low-speed connections (tens of kilobits per second, up to about 56Kbps) using an analog modem over a normal phone line.
ISDN: Integrated Services Digital Network, or ISDN, is a technology that never really caught on in the United States, although it had more success in some European countries. Narrowband ISDN provides two 64Kbps channels that can be used for voice, fax, or data. Some ISPs support ISDN and allow users to "strap" their two 64Kbps channels together to form a 128Kbps connection to the Internet.
DSL: Digital Subscriber Loop is an always-on "broadband" connection that also uses normal phone lines. The advanced technology allows the phone line to be used for both normal telephone conversations and full-time Internet access. High-speed data flows from the Internet to the end user, while a lower-speed connection is provided for outbound traffic. This type of "asymmetric" service works on the assumption that the typical consumer user spends a lot of time downloading information and actually sends very little data.
Cable modem: Cable television service providers have recently begun offering their own "broadband" Internet access. Like DSL, cable modems offer asymmetrical connections to the Internet, providing a high-speed download capability.
Satellite modem: Some satellite TV service providers offer "high-speed" downlink connections from the Internet. Like DSL and cable modem access, these connections are asymmetric and usually require that a dial-up modem be used for the client-to-provider uplink connection.
Frame Relay: In the commercial world, businesses often contract with ISPs that offer higher levels of service than consumer-grade Internet connections. Frame Relay is one technology that is used for permanent Internet connections ranging from several hundred kilobits to over a megabit per second of access.
T1/T3: The "T carriers" have been used within the telephone network for many years now and are convenient increments of bandwidth to sell to enterprise customers. A T1 runs at about 1.5Mbps, and a T3 runs at about 45Mbps.
OC3 and higher: High-speed fiber-optic links starting at 155Mbps are available to really serious users. Although some enterprise networks use these connections, this type of link more commonly is found within ISP backbones and in connections between ISPs.
Ethernet: Direct Ethernet connections, usually 100Mbps, are provided by ISPs that also provide server hosting. In these cases, a customer is provided physical "rack space" inside the provider's facilities in which to install things such as Web servers and database servers, and the ISP/hosting/colocation ("co-lo") company provides direct Ethernet connections into its backbone, along with high-availability power and a secure facility.
Regardless of the type of connection to the facility, an Internet connection provides a link into one of the ISP's local "points of presence" or POPs. For example, some dial-up providers have only a few POPs, all located within a small region to service a very local customer base. This means that you may "dial in" using only the local phone numbers that connect to the POPs in the local area. On the other hand, a larger ISP with national presence might have dial-up POPs in cities around the country or around the world. Because the POP ultimately connects to the ISP's backbone, it is possible for a customer to dial a local number wherever he travels to gain access to the ISP.
It also should be noted that many times the company that provides the physical connection to the network is not the same as the ISP. This is very common with DSL, in which one company (such as a phone carrier) provides the physical cable that runs into the facility, and another company provides the Internet connectivity. An example of this type of arrangement is illustrated in Figure 3.2. Similarly, most local cable companies partner with a national ISP to provide their cable modem service. The cable companies install the new equipment and fiber-optic lines in their system to handle the data connections to the end users, and the big ISP provides the high-speed IP backbone and connections to other backbones.
Figure 3.2 An example ISP.
What Does an ISP Provide?
The types of providers just described provide just a few simple things that are minimally required to "get on the Net":
Physical access to the Internet
An IP address (or set of addresses) that allows a device to send and receive packets
The IP address of one or more domain name servers, which act as a sort of telephone book for the Internet (more detail on this in a few pages)
Depending on the service contract given to the end-user customer, the ISP also might provide one or more of the following:
Email accounts (very common for consumer services)
Disk space for Web pages (also common for consumer services)
Security features, such as a firewall or intrusion monitoring
A home user is likely to want the email account and perhaps some space for a personal "vanity" Web page. On the other hand, an enterprise network might be more interested in getting highly reliable service with the intent of running its own mail and Web servers.
Security Implications of Choosing an ISP
The primary concerns for most people when they select an ISP are price and availability. The guaranteed "up time" of an Internet connection is of particular concern to many business customers, especially if they have a revenue stream that is derived from some online service. Security often comes up, but it is usually not a top priority. There is a good reason for this: Most ISPs provide little in the way of security services or guarantees. With most ISPs, you get a connection to the Internet, period. The exceptions to this statement usually are found in the server-hosting companies, which are geared toward providing a more complete Internet service solution. Clients of these providers often can choose a la carte security packages, such as firewalls or intrusion detection. We will describe both of these types of systems (and services) in subsequent chapters of this book.
ISPs often perform monitoring of their network, but that is usually to protect them from you, not to protect you from everyone else on the Internet. ISPs usually are quite concerned about whether their customers are living within the bounds of the acceptable use policy (AUP). For example, most ISPs geared toward home users do not allow for software such as Web, file, or news servers to be run on the user's systems. Basically, most consumer Internet connections are provided so that the customer can get information, not provide it, and the providers who cater to this market have engineered their infrastructures to support that. Note that this is similar to the way that telephone companies engineer their networks for residential and business phone lines differently, based on their experience on how these two different types of customers use the network. The ISP monitors the network to make sure that you are living up to your end of the contract. Sometimes it will actively probe systems to see if the customer is running an unauthorized server. If the ISP discovers that a customer is not living within the rules set out in the AUP, that customer usually will be asked to cease those activities or move up to a more expensive service package geared for commercial users.
Furthermore, an ISP's monitoring might provide insight into whether any of its client's systems are being used to hack others. The ISP might be capable of detecting unusually large volumes of traffic coming from a system, or the ISP might run a more sophisticated security monitor called an intrusion-detection system, or IDS. Sometimes the ISP simply might receive a call from another person, company, or ISP on the Internet complaining about attacks coming from a computer for which the ISP provides connectivity.
The fact to take out of the previous discussion is that most ISPs' security measures are geared toward protecting themselves and providing their core service reliably, not toward preventing their customers from getting hacked. Their responsiveness to your security problems will vary from offering a few suggestions, to actively trying to help, to simply shutting off your connection until "you get your house in order." For example, if a customer is under a sustained denial-of-service attack, the ISP (perhaps working with other ISPs) could be the only entity that can track down the attacker(s). It also might be capable of filtering the offensive inbound traffic to reduce the severity of the attack. On the other hand, if the ISP discovers that your computer or network is the source of an attack (whether you purposefully are carrying out an attack or someone else has taken over your computer remotely), you might get a reaction ranging from a firm warning to a loss of your connection.
It is common for people to think that the type of connection they have offers some form of protection from the threats on the Internet. Most people seem to understand that if they have a 24 x 7 connection to the Internet, they are at some risk, while many dial-up users believe that because they are connected only for a little bit at a time, they are somehow less susceptible to attack.
The Threat on a Dial-Up Connection
We recently worked with a friend who owns a small law firm in the mid-Atlantic. He has a handful of employees whose computers are all configured as a Microsoft Windows Workgroup. One of these computers is used to dial out to an ISP and is online for several hours during the day. After being hit with a virus in the office, he started to wonder just how secure his network really was. As an experiment, we suggested that he load a free "personal firewall" program on his computer and let it collect logs of blocked activity for about a month. After a month, we looked at the log file and discovered several hundred probes from all over the world. He was surprised to find out that these probes came from not just the United States, but also countries such as Argentina, Australia, Belgium, China, France, Japan, Korea, Malaysia, Mexico, the Netherlands, Romania, Taiwan, and Turkey. A little more analysis revealed that these probes were designed to discover things such as the file sharing associated with his Windows network, any network applications he might be running that might be vulnerable to remote attack, and previously installed Trojan horse programs, such as Sub7.
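The analysis step in the dial-up story above (a month of blocked-probe logs, sorted into file-sharing probes, probes of network applications, and probes for previously installed Trojan horses) is the kind of summary any owner of a personal firewall can produce. The script below is an added example and is not code from the chapter or from any particular firewall product. It assumes a constructed, simplified log format (timestamp, source address, destination port, protocol); real personal firewalls each use their own format, so the regular expression would need adjusting. The port-to-category table is also an assumption based on well-known port assignments (NetBIOS/SMB, FTP, Telnet, HTTP) and the default ports historically used by the Sub7 and NetBus Trojans; the sample log lines use documentation addresses and are constructed, not a real capture.

```python
"""Summarize blocked inbound probes recorded by a personal firewall.

Added example, not the chapter's code. The log format and the port
classification table below are assumptions; adapt both to the product
whose log you are actually reading.
"""
import re
from collections import Counter, defaultdict

# Constructed sample log (not a real capture). One junk line is included
# so the parser's handling of unparsable input is exercised.
SAMPLE_LOG = """\
2001-03-02 08:15:01 BLOCK src=203.0.113.7 dst_port=139 proto=TCP
2001-03-02 08:15:03 BLOCK src=203.0.113.7 dst_port=445 proto=TCP
2001-03-02 09:02:44 BLOCK src=198.51.100.23 dst_port=27374 proto=TCP
2001-03-02 11:40:10 BLOCK src=192.0.2.99 dst_port=21 proto=TCP
2001-03-03 02:11:59 BLOCK src=198.51.100.23 dst_port=139 proto=TCP
2001-03-03 02:12:01 BLOCK src=203.0.113.7 dst_port=137 proto=UDP
2001-03-03 14:00:00 BLOCK src=192.0.2.50 dst_port=80 proto=TCP
2001-03-04 19:30:30 BLOCK src=198.51.100.23 dst_port=12345 proto=TCP
not a log line
"""

# Assumed log line shape: "<date> <time> BLOCK src=<ip> dst_port=<n> proto=<name>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) BLOCK src=(?P<src>[\d.]+) dst_port=(?P<port>\d+) proto=(?P<proto>\w+)$"
)

# Assumed classification into the three kinds of probe the chapter describes.
# Ports 137-139/445 carry Windows file sharing; 21/23/80 are common network
# applications; 27374 and 12345 are the historical default ports of Sub7 and NetBus.
PORT_CLASSES = {
    137: ("Windows file sharing", "NetBIOS name service"),
    138: ("Windows file sharing", "NetBIOS datagram"),
    139: ("Windows file sharing", "NetBIOS session / SMB"),
    445: ("Windows file sharing", "SMB over TCP"),
    21: ("Network application", "FTP"),
    23: ("Network application", "Telnet"),
    80: ("Network application", "HTTP"),
    27374: ("Trojan backdoor", "Sub7 default port"),
    12345: ("Trojan backdoor", "NetBus default port"),
}


def parse_log(text):
    """Return one dict per parsable BLOCK line; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({"ts": m["ts"], "src": m["src"],
                       "port": int(m["port"]), "proto": m["proto"]})
    return events


def classify(port):
    """Map a destination port to (category, label); unknown ports are flagged, not dropped."""
    return PORT_CLASSES.get(port, ("Unclassified", f"port {port}"))


def summarize(events):
    """Aggregate blocked probes by category, by port, and by source address."""
    by_category = Counter()
    by_port = Counter()
    ports_by_source = defaultdict(set)
    for ev in events:
        category, _ = classify(ev["port"])
        by_category[category] += 1
        by_port[ev["port"]] += 1
        ports_by_source[ev["src"]].add(ev["port"])
    return {
        "total": len(events),
        "by_category": dict(by_category),
        "by_port": dict(by_port),
        "distinct_sources": len(ports_by_source),
        # A source that touched several ports looks like a scan rather than a stray packet.
        "multi_port_sources": sorted(s for s, p in ports_by_source.items() if len(p) > 1),
    }


def report(text):
    """Parse a log and return its summary in one call."""
    return summarize(parse_log(text))


if __name__ == "__main__":
    result = report(SAMPLE_LOG)
    print(f"{result['total']} blocked probes from {result['distinct_sources']} sources")
    for category, n in sorted(result["by_category"].items()):
        print(f"  {category}: {n}")
    for port, n in sorted(result["by_port"].items()):
        print(f"  port {port} ({classify(port)[1]}): {n}")
    print("sources probing more than one port:", ", ".join(result["multi_port_sources"]))
```

The per-source view is the part worth keeping in a real deployment: a single blocked packet on one port is noise, while one address walking several ports over a few days is the pattern the firm's owner was actually seeing, and it is the kind of evidence an ISP's abuse contact will want when you report it.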
To summarize, many factors go into selecting an ISP, including cost, reliability, and security. Commercial companies, in particular, should be sure to ask questions of their potential providers:
Do you perform any security monitoring that protects me?
If so, is it a standard feature or an option that costs more money?
Is there a security "hotline" that I can call if I am being attacked?
What services does the security staff provide?
Will you be actively probing my network for any reason?