Network Topology Overview

The following diagram depicts a vastly simplified overview of a single site’s reference network topology architecture.

digraph {
    splines = true;
    overlap = prism;
    edge [color=gray50, fontname=Calibri, fontsize=11];
    node [style=filled, shape=record, fontname=Calibri, fontsize=11];
    "Outer Perimeter Firewalls" [href="../glossary.html#term-outer-perimeter-firewall", target="_top"];
    "Perimeter Networks 1..n" [href="../glossary.html#term-perimeter-network", target="_top"];
    "Inner Perimeter Firewalls" [href="../glossary.html#term-inner-perimeter-firewall", target="_top"];
    "Internal Firewalls" [href="../glossary.html#term-internal-firewall", target="_top"];
    "Load-Balancer (Internal)" [label="Load-Balancer", href="../glossary.html#term-load-balancer", target="_top"];
    "Internal Networks" [href="../glossary.html#term-internal-network", target="_top"];
    "Service Endpoint" [href="../glossary.html#term-service-endpoint", target="_top"];
    "Internet" -> "Outer Perimeter Firewalls" -> "Perimeter Networks 1..n" -> "Inner Perimeter Firewalls" -> "Internal Firewalls" -> "Load-Balancer (Internal)" -> "Internal Networks" -> "Service Endpoint";
}

Todo

This graphic only expresses inbound traffic. It isn’t structured properly. Outbound traffic should be taken into account. Discretionary, non-transparent proxies should be used for selected systems. Mandatory transparent proxies should be used for all nodes.

Firewalls

Without a differentiation between the function of the outer and inner perimeter firewalls, there is also no functional definition of a perimeter network.

General recommendations include:

  • Use physical hardware, not virtualized guests, for the outer and inner perimeter firewalls.
  • Use a physically different network interface for failover and redundancy traffic, on a completely separate and dedicated VLAN.
  • If switching is required for the external interfaces of the outer perimeter firewalls, use physically separate hardware to switch internet traffic, failover and redundancy traffic [1], and perimeter network traffic.
  • Use physically different network interfaces for each perimeter network, each of them on completely separate and dedicated VLANs.
  • Use different network interfaces on the perimeter networks’ nodes, each of them on completely separate and dedicated VLANs.
  • Set the default route for the perimeter networks’ nodes toward the outer perimeter gateway.
  • Provide each of the perimeter networks with its own DNS horizon, through Split DNS Horizon.
  • Provide each perimeter network with documented security assessments.
  • Use PAT, and let the perimeter networks use private IP spaces.
  • Implement Load-Balancing for Service Endpoints as late as possible.

With the outer and inner perimeter firewalls on physical hardware, but without the function of an internal firewall, there is no policy enforcement point for the nodes in any of the internal networks that sits on links as high-bandwidth as the ones available to the internal firewalls.

Perimeter Networks 1..n

Perimeter networks include:

External Hidden Master Internet-Authoritative DNS Servers

External Inbound Mail Exchangers

  • Should include only domain-level validation using a static, generated table, so that no recipient-level information is available. Hint: use relay_domains.
  • Should apply Anti-Virus.
  • Should apply Anti-Spam.
  • Relays on to Internal Mail Exchangers.
  • Is included with mynetworks on Internal Mail Exchangers.

External Outbound Mail Exchangers

  • Includes Internal Mail Exchangers in mynetworks.
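The Postfix settings that realise the inbound and outbound mail exchanger roles above (domain-level validation from a static relay_domains table, relaying to the Internal Mail Exchangers, and the mynetworks trust in both directions), as an added, constructed example that is not part of this reference documentation. Hostnames, the example.com/example.org domains, the 192.0.2.10 and 10.0.1.0/24 addresses, and the localhost:10024 content filter are all assumptions.

```ini
# ---- /etc/postfix/main.cf on the External Inbound Mail Exchanger (perimeter) ----
# Constructed example; hostnames and addresses are assumptions.
myhostname = mx-in.example.com
# Not a final destination: no local delivery, no local recipient data.
mydestination =
local_recipient_maps =
local_transport = error:local mail delivery is disabled
# Domain-level validation only, from a static, generated table.
relay_domains = hash:/etc/postfix/relay_domains
# Deliberately empty: no recipient-level information lives on the perimeter;
# unknown recipients are rejected by the Internal Mail Exchangers instead.
relay_recipient_maps =
# Hand accepted mail on to the Internal Mail Exchangers.
transport_maps = hash:/etc/postfix/transport
smtpd_recipient_restrictions =
    permit_mynetworks,
    reject_unauth_destination
# Anti-Virus / Anti-Spam: assumed filter on localhost:10024 that re-injects
# on port 10025 (the matching master.cf listener is not shown here).
content_filter = smtp:[127.0.0.1]:10024

# ---- /etc/postfix/relay_domains (static table; build with: postmap relay_domains) ----
example.com    OK
example.org    OK

# ---- /etc/postfix/transport (build with: postmap transport) ----
example.com    smtp:[mx-int.example.com]
example.org    smtp:[mx-int.example.com]

# ---- /etc/postfix/main.cf on the Internal Mail Exchanger ----
# The External Inbound Mail Exchanger (assumed 192.0.2.10) is trusted as a relay source.
mynetworks = 127.0.0.0/8, [::1]/128, 192.0.2.10/32

# ---- /etc/postfix/main.cf on the External Outbound Mail Exchanger ----
# Only the Internal Mail Exchangers (assumed 10.0.1.0/24) may relay outbound.
mynetworks = 127.0.0.0/8, [::1]/128, 10.0.1.0/24
```

Postfix main.cf does not allow comments after a value on the same line, which is why every comment above sits on its own line.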

External Submission Mail Exchangers

  • Used for submission of new messages by users located outside the perimeter.

Reverse IMAP Proxies

  • Intelligent reverse proxy for IMAP – Guam.

Reverse HTTP Proxies

  • Responsible for redirecting unencrypted web traffic to encrypted web traffic.
  • Responsible for filtering traffic using access control, OWASP, and mod_clamav.

Footnotes

[1] A separate cable, cross-over for interfaces not capable of auto-MDIX, or a regular cable for interfaces capable of auto-MDIX, may suffice.