EXTRANETS

Deploying extranets?

David Morgan, senior security consultant, NGS Systems Ltd

Network Security, December 2004

More and more companies are using public networks to set up private trusted trading communities. Unless security is managed properly, that's like playing Russian Roulette with a machine gun.

Extranets are virtual networks that allow an organization to connect to partners, customers and suppliers using the technologies and architectures that best support their business needs. They are fast becoming common in the corporate world, where they take many forms. In the modern business environment, wherever there is a requirement to exchange information, the respective parties may benefit from the use of an extranet. An extranet is more open to the public than an intranet environment but more private than the Internet. Extranets remove the simplicity of the "them and us" boundary and so can rapidly become very complicated to secure. This article explores some of the different extranet designs in common use today and then discusses key design considerations.

Extranet characteristics

Due to the nature of extranets, most firms will use the common security technologies widely to provide the necessary protection. These include firewalls, encryption, intrusion detection and identity management; they are all vital. But the key component of an extranet is the communication channel itself. It is the defining element of the extranet and the options are numerous. However, the following three deployments are the most common:

Bilateral - point-to-point connections, typically leased lines that do not traverse the Internet

Overlay - using a public network such as the Internet, upon which secure tunnels are created between the respective extranet partners, typically through the use of IPSec or a similar VPN technology

Shared - the use of a third party to supply a private network between the extranet partners, where typically there is no transport level security between the extranet partners

It is common for organizations to deploy several of the options in conjunction with each other so as to provide the flexibility required by their partners and their respective unique needs.

Each of these three deployments will now be examined in more detail along with an overview of the cost/security trade-offs and key design considerations.

Bilateral

The defining characteristic of a bilateral extranet connection is that it is a point-to-point connection that does not traverse a public network. As such the communications channel itself can be considered to be secure, and the communication channels will probably not use transport level security such as IPSec.

Overlay

With overlay deployments, the underlying connections between all the parties in the extranet are via each party's respective Internet service provider (ISP). The trading partners will seldom use the same ISP; however this is inconsequential as the key requirement is that a viable route exists between the parties. The communication channels will implement transport level security such as an IPSec-based VPN.

Shared

The defining characteristic of a shared extranet connection is that it uses a private network in common with the other members of the extranet. As such the communications channel itself can be considered to be secure from entities not part of the extranet. However, it will be susceptible to malicious activity originating from the other extranet members. This makes it desirable to enforce network access control and IDS monitoring on shared networks.

Irrespective of which connection method is used, it is recommended that all extranet channels terminate on a dirty/non-trusted network. It is critical to appreciate this point, namely that extranet traffic is not internal traffic even though it may have considerable access to internal resources. The traffic should therefore be stopped from entering the main corporate network as the data cannot be trusted to be non-threatening. The layered security model based on degrees of trust with a hard outer shell is altered dramatically; this is shown in Figure 1.

So which one?

Having identified the need to set up an extranet, the two key considerations when deciding which of the three options to pick are cost and security. Cost is not usually a deciding issue if you are merely setting up a single extranet connection. However, as the number of connections rises, the ability to reuse existing infrastructure components becomes more and more desirable.

Cost

The cost characteristics of the various connections can be distilled as:

Bilateral - the most expensive of the three. Each communications channel requires the physical link itself and its respective routing infrastructure. As you add extranet links there is no chance to use the pre-existing infrastructure to implement redundancy; you are effectively building a physical private network using lines you own or lease.

Overlay - depending on the technologies deployed it is probable that the VPN and firewall devices used on the first connection will also be able to perform a similar role for each new extranet connection. To add a connection all you need do is update the network configuration. As the underlying communications channel is via the Internet, a single extra connection to the Internet will provide redundancy for all the extranet connections.

Shared - a similar cost to that of the overlay deployment. The communication channel will likely cost more than a standard Internet connection; however savings will accrue as encryption will seldom be needed (though, as noted under Security below, encryption may still be warranted where the other members of the shared network cannot be trusted). As with the overlay deployment, a second connection to the private network will provide redundancy for all extranet connections.

Because of the nature of the content of the network traffic, security is often the key requirement when deciding upon the connection type. Even so, cost is still a factor, and risk assessment and cost-benefit analysis provide a way to decide the balancing point for the trade-off.

Security

The key security aspects of the differing connection types are:

• Bilateral - this is the most secure connection as the traffic cannot be intercepted without physical access to the line or the carrier's equipment. This ensures data confidentiality and also prevents traffic analysis of the connection by a third party.

• Overlay - the data itself is protected in confidentiality and integrity by the encrypted and authenticated tunnel. However, as the encrypted data traverses a public network it is susceptible to traffic pattern analysis by a third party.

• Shared - the data is protected from compromise and traffic analysis by a malicious third party outside the private network; it is however best practice to assume that the other members of the private network are capable of analysing the data. As such, shared networks are not usually the first choice if some extranet members are also competitors.




The deployment of encrypted channels over public networks is the most common implementation of an extranet connection as it provides both extensive security and a comparatively cheap connection. However, this type of deployment often falls short of the other deployments in terms of the quality of service it provides. An ISP's service level agreement will often apply only to the access from the organization to the local point of presence of the ISP. Should the partners need guaranteed bandwidth, latency and up-time levels over all the links, it may be wiser to go with one of the other two options, where the network provider controls the entire communications link.

Figure 1: Traditional segregation versus extranet segregation. [Figure not reproduced. Left panel, "Traditional segregation", labels: Trusted source; Internet Apps Net; General App Net; Critical App Net; Internal Net. Right panel, "Extranet segregation", labels: Non-trusted networks (Extranets/Internet); Non-trusted source; Internet Apps Net; General App Net; Critical App Net; Internal Net.]

Further considerations

Once the nature of the extranet connection has been established, you still need to consider several other factors before they become serious issues.

Technology compatibility

Technology compatibility - this may be as simple as ensuring the physical link technology is consistent and the routing devices at each end are compatible. If the partners have agreed to use a secure tunnelling protocol, the technology has to be agreed upon: PPTP, L2TP or IPSec are some options. Note that L2TP on its own provides no encryption, and PPTP's encryption keys are derived from its password-based authentication, so for an extranet carrying sensitive data IPSec (or L2TP over IPSec) is the sensible choice. The partners will also have to decide which key exchange and encryption algorithms to use, and confirm that both ends support the same ones.

Routing control

Routing control - for the respective partners to communicate with each other it is necessary to implement routes between them. There are three main ways to configure routes; depending on the nature of the link not all may apply. The recommended (and most secure) method is to use static routing. While this may have a high initial overhead, there are no ownership issues and the potential for the "poisoning" of dynamic routes is removed. The use of an exterior gateway protocol such as BGP is next on the recommended list. Because it allows granular, per-neighbour administrative control (each partner's session can be filtered so that only the prefixes registered to that partner are accepted), it is commonly used for the overlay extranet deployment. The least recommended option is the use of an interior gateway routing protocol. Here it is difficult to establish the separation of ownership among the various extranet partners and the risk of dynamic route poisoning is high.
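The per-neighbour filtering that makes BGP acceptable for an extranet can be expressed as a small policy check. The following is an added example written to illustrate the point above; it is not code from the article or from any router vendor. The partner names, their registered prefixes, our own address space, the advertisements it evaluates and the /24 limit are all constructed assumptions.

```python
"""Inbound route filtering per extranet partner.

Added example, not code from the article. It models the per-neighbour prefix
filtering an operator would configure on the BGP session with each extranet
partner. Partner names, registered prefixes, our own address space and the
advertisements are constructed for illustration.
"""
from dataclasses import dataclass
from ipaddress import ip_network

# Address space we own (constructed). A partner must never advertise it to us.
OWN_PREFIXES = (ip_network("10.0.0.0/8"), ip_network("203.0.113.0/24"))

# Longest IPv4 prefix accepted from a partner (assumed local policy); blocks
# host-route leaks such as /32s that would attract traffic for single hosts.
MAX_PREFIX_LEN = 24


@dataclass(frozen=True)
class Partner:
    name: str
    registered: tuple  # prefixes the partner has registered with us


@dataclass(frozen=True)
class Decision:
    prefix: str
    accepted: bool
    reason: str


def _hits(net, prefixes):
    """True if net overlaps any prefix of the same IP version."""
    return any(p.version == net.version and net.overlaps(p) for p in prefixes)


def filter_advertisements(partner, advertised, all_partners):
    """Apply inbound policy to the prefixes a partner advertises.

    Returns one Decision per prefix. The rejection reasons mirror the article's
    concerns: a default route or another partner's prefix would make this
    partner an unintended transit path (route poisoning), and anything outside
    the partner's registered space has no business being accepted.
    """
    others = [p for p in all_partners if p.name != partner.name]
    foreign = [r for p in others for r in p.registered]
    decisions = []
    for raw in advertised:
        net = ip_network(raw, strict=False)
        if net.prefixlen == 0:
            decisions.append(Decision(raw, False, "default route"))
        elif net.prefixlen > MAX_PREFIX_LEN:
            decisions.append(Decision(raw, False, "more specific than /%d" % MAX_PREFIX_LEN))
        elif _hits(net, OWN_PREFIXES):
            decisions.append(Decision(raw, False, "overlaps our own address space"))
        elif _hits(net, foreign):
            decisions.append(Decision(raw, False, "registered to another partner"))
        elif not any(r.version == net.version and net.subnet_of(r) for r in partner.registered):
            decisions.append(Decision(raw, False, "not within partner's registered space"))
        else:
            decisions.append(Decision(raw, True, "within registered space"))
    return decisions


def accepted_prefixes(partner, advertised, all_partners):
    """Just the prefixes that would be installed in the routing table."""
    return [d.prefix for d in filter_advertisements(partner, advertised, all_partners)
            if d.accepted]


PARTNERS = (
    Partner("partner-a", (ip_network("198.51.100.0/24"),)),
    Partner("partner-b", (ip_network("192.0.2.0/24"),)),
)

# Constructed advertisement from partner-a: one legitimate prefix and five that
# a correctly filtered session must drop.
PARTNER_A_ADVERTISED = [
    "198.51.100.0/24",  # its own registered block: accept
    "198.51.100.0/25",  # more specific than policy allows: reject
    "0.0.0.0/0",        # default route: reject
    "192.0.2.0/24",     # partner-b's registered block: reject
    "10.1.0.0/16",      # our internal space: reject
    "172.16.0.0/12",    # never registered by anyone: reject
]

if __name__ == "__main__":
    for d in filter_advertisements(PARTNERS[0], PARTNER_A_ADVERTISED, PARTNERS):
        print("ACCEPT" if d.accepted else "REJECT", d.prefix, "-", d.reason)
```

In production the same policy lives in the router's inbound prefix-list or route-map for that neighbour, ideally with a maximum-prefix limit as well. The point of the check is that each partner's session is filtered against that partner's registered space only, so a route for another partner's network, for our own network or a default route is dropped before it can redirect traffic.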

Access control

Access control - access should be restricted to only those services and systems required for the successful completion of the business task(s). A route may be set up for an entire network, but this does not necessarily imply that access should be granted to all the assets on that network.


Network addressing

Network addressing - most organizations use reserved (RFC 1918 private) IP address ranges for their internal systems. As internal systems of one extranet partner are likely to connect to the internal systems of another, there is a high probability that there will be an addressing conflict. This means registered addresses should be used for systems hosting extranet services. The use of network address translation (NAT) is a common work-around for such situations, but depending on the number of partners it can be extremely complicated to set up and administer.
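The addressing conflict, and the NAT work-around, can at least be planned programmatically rather than by hand. The following is an added example, not code from the article: it finds partner prefixes that overlap our own space or another partner's space and allocates each a same-sized block from a translation pool. Our internal ranges, the partners' ranges, the partner names and the pool 198.18.0.0/20 are all constructed; the pool stands in for the registered or otherwise unique range the article recommends, and the 1:1 static network NAT shown is one of several translation schemes that could be used.

```python
"""Private-address conflicts between extranet partners, and a 1:1 NAT plan.

Added example, not code from the article. Our internal ranges, the partners'
internal ranges, the partner names and the translation pool are constructed;
the pool stands in for the registered or otherwise unique range that the
article recommends for extranet-facing systems.
"""
from ipaddress import ip_address, ip_network

OWN_INTERNAL = (ip_network("10.0.0.0/16"), ip_network("192.168.1.0/24"))

PARTNER_INTERNAL = {
    "partner-a": (ip_network("10.0.0.0/24"), ip_network("172.16.5.0/24")),
    "partner-b": (ip_network("192.168.1.0/24"),),
}

# Constructed pool from which extranet-facing (translated) blocks are carved.
NAT_POOL = ip_network("198.18.0.0/20")


def conflicting_prefixes(own, partners):
    """Partner prefixes that clash with our space or with another partner's.

    Returns {(partner, prefix): [(clashes_with, other_prefix), ...]}.
    """
    clashes = {}
    for name, prefixes in partners.items():
        peers = [("own", o) for o in own]
        peers += [(n, q) for n, qs in partners.items() if n != name for q in qs]
        for p in prefixes:
            hits = [(n, q) for n, q in peers
                    if q.version == p.version and p.overlaps(q)]
            if hits:
                clashes[(name, p)] = hits
    return clashes


def plan_nat(own, partners, pool):
    """Give every clashing partner prefix a same-sized block from the pool.

    This is static network NAT: each partner host keeps its offset within the
    prefix, so the mapping is 1:1 and reversible. Largest prefixes are placed
    first so every block stays naturally aligned inside the pool.
    """
    mapping = {}
    cursor = int(pool.network_address)
    end = int(pool.broadcast_address) + 1
    keys = sorted(conflicting_prefixes(own, partners),
                  key=lambda k: (k[1].prefixlen, k[0], str(k[1])))
    for name, p in keys:
        size = p.num_addresses
        cursor = -(-cursor // size) * size        # round up to block alignment
        if cursor + size > end:
            raise ValueError("NAT pool exhausted at %s %s" % (name, p))
        mapping[(name, p)] = ip_network((cursor, p.prefixlen))
        cursor += size
    return mapping


def translate(partner, addr, mapping):
    """Extranet-facing address for a partner's internal address.

    Addresses in a prefix that needed no translation pass through unchanged.
    """
    addr = ip_address(addr)
    for (name, p), translated in mapping.items():
        if name == partner and addr in p:
            return translated.network_address + (int(addr) - int(p.network_address))
    return addr


def nat_table(mapping):
    """Mapping as sorted (partner, internal prefix, extranet prefix) strings."""
    return sorted((name, str(p), str(t)) for (name, p), t in mapping.items())


if __name__ == "__main__":
    for (name, p), hits in conflicting_prefixes(OWN_INTERNAL, PARTNER_INTERNAL).items():
        print("conflict:", name, p, "clashes with", ", ".join("%s %s" % h for h in hits))
    plan = plan_nat(OWN_INTERNAL, PARTNER_INTERNAL, NAT_POOL)
    for row in nat_table(plan):
        print("nat: %s %s -> %s" % row)
    print("partner-a 10.0.0.7 appears to us as", translate("partner-a", "10.0.0.7", plan))
```

The mapping is keyed by partner as well as prefix because two partners can legitimately present the same private range; that is precisely the case a plain address-to-address table cannot express, and it is why the article warns that NAT grows hard to administer as partners are added. The plan is only the design step: the resulting static translations still have to be configured on the firewall, and the partner must agree to address our side through the translated block.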


Egress filtering

Egress filtering should be implemented, particularly so if any of the hosted services allows interactive log-ins. The potential for an extranet member to use the hosted service to launch an attack against another member is scarily real.

Transit situations

Transit situations - it is often possible, through incorrectly configured dynamic routing and the lack of effective filtering, to use an extranet environment as a path either to the Internet or to another extranet member. For some organizations the transit features may in fact be intentional and desirable; however it will require acceptance of some negative side effects such as:
• The ability to attack another member's networks via the intermediary extranet
• Disclosure of confidential information due to traversing an inappropriate network en route elsewhere. It would probably be possible to analyse traffic even if the packet data is encrypted
• Network performance degrades for all parties

Identity management

Identity management - the likely heavy use of NAT and network-wide routing often prohibits the use of effective granular network access control. In such scenarios, the use of effective user authentication and authorisation is essential. Multi-factor authentication, such as biometrics or one-time password tokens, is often used so that intercepted credentials cannot be reused and replay attacks fail.
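Access control, egress filtering and transit prevention all come down to what the firewall on the non-trusted extranet network allows. The following is an added example, not code from the article: it evaluates a first-match policy over constructed flows and then audits the policy itself for rules that would permit partner-to-partner transit or outbound connections from the hosted service to a partner. All networks, hosts, ports and rule names are constructed.

```python
"""Extranet firewall policy: access control, egress filtering, no transit.

Added example, not code from the article. A first-match policy evaluator is run
over constructed flows, and the policy itself is audited for rules that would
permit partner-to-partner transit or outbound connections from the hosted
service to a partner. All networks, hosts, ports and rule names are constructed.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Optional

ANY = ip_network("0.0.0.0/0")
PARTNER_A = ip_network("198.51.100.0/24")
PARTNER_B = ip_network("192.0.2.0/24")
PARTNERS = {"partner-a": PARTNER_A, "partner-b": PARTNER_B}
EXTRANET_DMZ = ip_network("203.0.113.0/24")  # non-trusted net where partner links end
PORTAL = ip_network("203.0.113.10/32")       # the hosted service partners may use
BACKEND_DB = ip_network("10.20.0.5/32")      # the one internal system the portal needs


@dataclass(frozen=True)
class Rule:
    name: str
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]  # None matches any destination port
    action: str           # "allow" or "deny"


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# First-match policy on the extranet firewall; anything unmatched is denied.
# Only the services the business task needs are opened, in either direction.
POLICY = (
    Rule("partner-a-to-portal", PARTNER_A, PORTAL, 443, "allow"),
    Rule("partner-b-to-portal", PARTNER_B, PORTAL, 443, "allow"),
    Rule("portal-to-backend-db", PORTAL, BACKEND_DB, 1433, "allow"),
)

# The same policy with two common mistakes added: a partner allowed "anywhere"
# and the DMZ allowed to initiate connections anywhere (no egress filtering).
LOOSE_POLICY = POLICY + (
    Rule("partner-a-any", PARTNER_A, ANY, None, "allow"),
    Rule("dmz-any-out", EXTRANET_DMZ, ANY, None, "allow"),
)


def evaluate(flow, policy=POLICY):
    """Return (action, rule name) for a new connection under first-match."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for r in policy:
        if src in r.src and dst in r.dst and r.dport in (None, flow.dport):
            return r.action, r.name
    return "deny", "default-deny"


def audit(flows, policy=POLICY):
    """Decision for each labelled sample flow."""
    return {label: evaluate(f, policy)[0] for label, f in flows.items()}


def transit_violations(policy):
    """Allow rules that let one partner's traffic reach another partner."""
    found = []
    for r in policy:
        if r.action != "allow":
            continue
        for a, net_a in PARTNERS.items():
            for b, net_b in PARTNERS.items():
                if a != b and r.src.overlaps(net_a) and r.dst.overlaps(net_b):
                    found.append((r.name, a, b))
    return found


def egress_violations(policy):
    """Allow rules that let DMZ hosts initiate connections towards a partner."""
    return [(r.name, name) for r in policy if r.action == "allow"
            for name, net in PARTNERS.items()
            if r.src.overlaps(EXTRANET_DMZ) and r.dst.overlaps(net)]


# Constructed sample connections (new connections only; return traffic is the
# stateful firewall's job).
SAMPLE_FLOWS = {
    "partner-a to portal https": Flow("198.51.100.20", "203.0.113.10", 443),
    "partner-a to portal ssh": Flow("198.51.100.20", "203.0.113.10", 22),
    "partner-a straight to backend db": Flow("198.51.100.20", "10.20.0.5", 1433),
    "partner-a to partner-b via extranet": Flow("198.51.100.20", "192.0.2.7", 443),
    "portal to backend db": Flow("203.0.113.10", "10.20.0.5", 1433),
    "portal to partner-b": Flow("203.0.113.10", "192.0.2.7", 443),
}

if __name__ == "__main__":
    for label, action in audit(SAMPLE_FLOWS).items():
        print("%-40s %s" % (label, action))
    print("transit paths in loose policy:", transit_violations(LOOSE_POLICY))
    print("egress paths in loose policy:", egress_violations(LOOSE_POLICY))
```

The deliberately loose second policy shows why the audit matters: a single "any" rule in either direction silently creates the transit path or the attack launch point described above, while the tight policy gives the partner exactly one service and the hosted service exactly one internal system. Real firewalls add state, logging and zones, but the two audits are the checks worth running against any exported extranet rule set.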

Conclusions

It should be apparent that the initial establishment and secure maintenance of an extranet connection and/or environment is rife with pitfalls. But it is the blurring of the security trust boundaries, rather than the use of any new technologies, that is the greatest hurdle to overcome when establishing or joining an extranet. Understanding just how to let a non-trusted source gain access to your company's critical information in a controlled and secure manner is the crux. The ever-increasing demand for extranet deployments has proved the catalyst for the upsurge in demand for security architects familiar with the necessary design and technology constraints. Never let it be said that business critical extranets are easy to deploy; however, their benefits far outweigh the initial deployment headaches.

About the author

David Morgan has over eight years' hands-on experience designing and managing secure high-availability network environments, and over four years' experience in providing cutting-edge security consultancy advice. At NGS he is responsible for the delivery of world-leading security consultancy services.
