Jul 30 2008

Four Steps to Build a DMZ Network at Your TIC Site

Creating a manageable enterprise DMZ can help make TIC work for your agency.

The mandate to use Trusted Internet Connections is pushing agencies to merge their Internet gateways at super “points of presence.”

This raises an obvious but somewhat scary question: How can you maximize manageability and security for systems that may not even be in your building? Here are four steps to help build a well-run DMZ network at your TIC site.

1. Wrap a protective layer around everything.

Just because you are inside a firewall with the U.S. Computer Emergency Readiness Team watching an intrusion detection system for you doesn’t mean you’re secure. Look to network infrastructure to firewall and control connections as close to your systems as possible. Managed switches from manufacturers such as Cisco Systems and Hewlett-Packard have security features you won’t find in low-end products, even from the same maker. Beware of web-managed switches. This new product category offers lower prices by stripping out security (and other)
features you may want and need.

If you can, focus on the port level so that every device has its own firewall. It may seem like overkill, but the first time an infection fails to spread, you’ll thank yourself. High-density firewalls are often expensive, but you can gain the same effect by combining a midrange firewall with virtual LAN support and a standard VLAN-capable switch. By creating an individual zone for each server using VLANs, you gain extremely precise control.

2. Use technology to extend your management reach.

When systems are not close at hand, you need tools to manage them from afar. Servers from manufacturers such as HP and IBM have lights-out management ports: separate Ethernet connections that can be used to control servers even if the operating system is dead. If you haven’t used one before, now is the time. Connect the lights-out port to a separate dedicated management network with its own firewall and virtual private network, and uplink to the Internet to gain a channel into each server. If you can afford it, a KVM-over-IP system — such as those available from ATEN, Avocent and Raritan — can provide another channel.

For firewalls, switches, routers and load balancers with serial ports, use a secure console server from a manufacturer such as Lantronix to gain an out-of-band management path. Every DMZ device should also have remote power control — on your management network — from makers such as BayTech and Black Box.

3. Monitor as much as you can.

Your applications may be running, but that doesn’t mean they’re available. Software tools such as Ipswitch’s WhatsUp Gold can constantly monitor apps, servers and services — from across the Internet — and issue an alert when something is down or slow. You’ll have to arrange for a place to put a monitoring system and have a separate notification path. Find a friendly agency that can trade space in its DMZ in a different data center as a cost-effective way to get what you need without having to set up your own separately.

Open a specific hole in your firewall to let the monitoring system “see” more apps and systems than is possible for a typical Internet-connected user. Open carefully to minimize the threat of exposure and maximize the value from monitoring.

4. Encrypt wherever possible.

Even if you’re offering up public information via web server, use Secure Sockets Layer encryption to provide a layer of privacy protection your users will appreciate. Certainly, any traffic between your agency and your DMZ must be encrypted via a VPN tunnel. Never rely on known IP addresses to grant broad network access.

Encrypt and control traffic using SSL VPNs, such as those from Juniper Systems and SonicWall, rather than older IP Security products. SSL VPNs offer maximum flexibility by combining IPsec’s network extension with tight access controls and additional access methods, such as via web browsers.

<p>Illustration: Elizabeth Hinshaw</p>