Secure networks are crucial for IT systems and their proper operations as most applications work in the networking environment and closely depend on its performance, reliability, and security.
Improper network design can be very expensive for a company (i.e., loss of business continuity, security incidents, costs of network rebuilding, etc.). Essential to network design is the security architecture that describes the network segmentation (i.e., security zones) and security layers (i.
e., access control, intrusion prevention, content inspection, etc.). An appropriate design of the architecture provides many advantages (e.g., isolation of low trust systems, limitation of a security breach’s scope, costssavings).During network design in order to avoid errors and achieve project cost-effectiveness, recognized principles should be taken into account: compartmentalization, defense in depth, adequate protection, etc. However, there is not one standard network security architecture.
Different IT systems have specific and differing requirements that their individual architectures should fulfill. The article provides guidelines for designing the network security architectures and an overview of the architectures of IT systems with high security requirements such as e-commerce and data centers.An appropriate design of the network security architecture provides many advantages:• Isolation of low-trust network areas, which can be potentially used to launch attacks against strategic IT system resources• Limitation of the security breach scope to one system or network segment as well as limiting the incident spreading to other systems• Accurate network access control to IT system resources as well as monitoring and auditing resource usage and management• Quick identification of IT systems security incidents based on the events detected in the network areas, where these events should not occur• Cost optimization by an appropriate IT resource location and segmentation, and deployment of adequate safeguards for requirement compliance (e.g., IT resources requiring expensive safeguards according to PCI DSS, SOX, or other standards are located in separate security zone)In practical implementations, the security zone is a network segment connected to a physical interface or sub-interface (801.2q VLAN) of an access control device (e.g., network firewall) that separates it from the rest of the network.
The network communication between different zones is strictly controlled. The security layers are implemented on the network devices (i.e.
, dedicated safeguards, security modules on the routers and switches). In the design of network security architecture, the safeguards are named as security layers because the protection scope covers an entire zone (i.e., IT resources located in the network segments).The concept of security layers was adopted by approved guidelines and standards (e.g., ISO/IEC 18028-2:2006). The security layers identify where protection must be addressed in products and solutions by providing a sequential perspective of network security.
Mapping of the safeguards to security layers allows determining how the elements in one layer can rely on protection provided by other layers.E-commerce architectureE-commerce systems provide IT services in an open networking environment and should be ready to handle Internet threats (i.e., hackers, malicious code, DoS attacks). They deploy a multi-tier network security architecture consisting of Web, application, and database server zones and appropriate security layers. Today the Internet provides standard access for most e-commerce applications, e-banking, and data centers.
It is convenient and cost-effective because geographically distributed users do not need to install, configure, and upgrade any client application.Figure 1 shows e-commerce network security architecture. The zones construction is relevant to the functional elements of e-commerce systems, i.
e., the Web servers are responsible for interaction with the users, the application servers perform data processing, and the database servers provide data storage. The servers of the same type (e.g.
, Web servers) that provide different e-commerce services should be separated and located in different zones. A dedicated security zone is also created for the management systems.The security layers are divided into at least two groups – perimeter and internal. Perimeter security layers usually consist of edge routers providing the first line of DoS protection and dedicated security devices (i.e., network firewall, data encryption-VPN, intrusion prevention system-IPS, web application firewall-WAF) as well as server-acceleration devices (i.e.
, load balancing, SSL offload). For effective attack prevention, it is important to perform SSL offload before IPS and WAF inspection (i.e., HTTPS traffic should be decrypted).Internal security layers consist of the firewall and IPS devices that control internal zones and optionally the load balancers for the application and database servers.
Other securities and acceleration solutions are used if required.Security concerns in e-commerce systems place restrictions on network communication. Internet users should not have direct access to the application and database servers. The application servers are accessible only to the Web servers.
The database servers are accessible only to the application servers. In simple applications Web servers can directly access the database servers, however, it is not recommended. In a properly designed network, for the cybercriminal to gain full access to the e-commerce system, he must first hack the Web servers, then the application servers, and then launch an attack on the database servers.
The network security architecture of e-commerce systems is designed in a way to stop hacking attacks in Web server zone.