Design Consideration

The Corprotect CDRFW™ product was designed with a strict principle in mind: keep it simple, fast, versatile, secure, upgradeable and maintainable. The term Corprotect has coined for this approach to security architecture is "simply complex". The CDRFW™ system has been developed in strict adherence to this simply complex concept. The concept breaks every facet of the operating system, the support applications and the required hardware down to its simplest level, and builds upon that simplicity from the ground up.


Cdrom Disk Drive / USB

There are several advantages to using a CDROM-based (diskless) system in security-related environments. The main system is designed around a ramdisk: a compressed file system image that is loaded into RAM at boot time. Any changes to the image in memory are temporary and are discarded when the CDRFW™ reboots. Furthermore, the ramdisk, kernel, binaries and other operating system components are stored on read-only media (CDROM). This means that if the security of a system running a CDRFW™ CDROM is ever compromised, the attacker can, at best, affect the system until the next reboot. Because of this there is no real need to go through the task of rebuilding and hardening the system if a successful attack is ever discovered. Removing all writable media from the system (hard disk, compact flash memory, floppies, etc.) prevents any would-be attacker from doing permanent damage to a CDRFW™ device. In addition, Corprotect has implemented a memory integrity check that monitors the ramdisk for rogue processes that may be executing on the processor. This check ensures that only Corprotect programs are running on a CDRFW™ system. Additional programs and configuration files that may be required are loaded at the request of the CDRFW™ system from a known Corprotect Registry Boot Server (CRBS). The CRBS may be located on your local LAN or in the 'Cloud'. The fact that a CDRFW™ combined with any Intel-style PC can provide an extremely secure, robust and versatile Firewall, Load Balancer, VPN Server, Network Traffic Controller and/or Router makes this design concept extremely versatile and able to resolve quickly any issues the system may have.

Example: if a hardware failure occurs with the existing system, simply swap the "box" out for a similar one and, using the same CDROM media, reboot the system. This should provide any user with an inexpensive solution to a hardware disaster in minutes. (See Corprotect CORPFOS redundancy.)
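An allowlist check of the kind the memory integrity check above describes, written here as an added example rather than Corprotect's own code. It assumes a manifest of permitted executable paths and their SHA-256 digests, built when the read-only image was mastered; the paths and digests below are constructed.

```python
# Added example, not Corprotect code: compare every running executable against
# a manifest built from the read-only image. A process is rogue if its binary
# is not in the manifest or no longer hashes to the mastered digest.
import hashlib
import os

MANIFEST = {                      # constructed: image path -> SHA-256 hex digest
    "/sbin/corprule": "11" * 32,
    "/sbin/corpvpn": "22" * 32,
}

def sha256_file(path, chunk=65536):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def classify(pid, exe, digest, manifest):
    """None if the process is permitted, otherwise the reason it is rogue."""
    expected = manifest.get(exe)
    if expected is None:
        return f"pid {pid}: {exe} is not in the image manifest"
    if digest != expected:
        return f"pid {pid}: {exe} digest mismatch (binary replaced or altered)"
    return None

def find_rogue(processes, manifest=MANIFEST):
    """processes: iterable of (pid, exe_path, sha256hex); returns findings."""
    findings = [classify(p, e, d, manifest) for p, e, d in processes]
    return [f for f in findings if f]

def scan_proc(manifest=MANIFEST):
    """Walk /proc on a live Linux host; entries without an exe link are skipped."""
    if not os.path.isdir("/proc"):
        return []
    seen = []
    for pid in filter(str.isdigit, os.listdir("/proc")):
        try:
            exe = os.readlink(f"/proc/{pid}/exe").replace(" (deleted)", "")
            seen.append((int(pid), exe, sha256_file(f"/proc/{pid}/exe")))
        except OSError:
            continue  # exited, kernel thread, or not readable from this uid
    return find_rogue(seen, manifest)

if __name__ == "__main__":
    for finding in scan_proc():
        print(finding)
```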


Quick Disaster Recovery Time

The CDRFW™ CDROM ISO image included with any site license can be modified and used to create another CDRFW™ system with new configuration information. This allows extremely fast network solutions to issues that may arise during the course of a standard day. You can replace a faulty router, or add a new edge or border Firewall, VPN server and/or Network load balancer within minutes. It is as easy as creating a new CDROM and creating the required configuration files on the Corprotect Registry Boot Server.

When constructing a network firewall, the first configuration decision that must be made is which of the two security models to follow. The two options are:

  • That which is not expressly permitted is prohibited
  • That which is not expressly prohibited is permitted

Firewall (CORPRULE)

When implementing a firewall following the first approach, one identifies the services that will be provided, addresses the security of those services, blocks all other services and traffic, and then enables the selected services only once they have been tested and are believed to be secure. In the second approach, one identifies all the services that are believed to present risks and disables or secures them. The first approach is more conservative, accepting that "what we don't know can hurt us," but tends to impose limits on the types and number of services that can be provided through the firewall. The second approach is more versatile, since more services are supported, but runs the risk of degenerating into an arms race between the administrator and system crackers.

Another important consideration is the size of the prospective user community on the protected network. As the protected network grows larger and becomes harder to monitor completely, it becomes increasingly difficult for an administrator to verify that members of the user community are not themselves providing services over the network that get around the security of the firewall. An example of such a problem would be a user who decides to provide FTP service on a port other than the standard FTP port (port 21) because the standard port is blocked by the firewall but the alternate port is not. Eventually the firewall will need to protect the network from attacks (intentional or accidental) from the inside as well as the outside.

The CDRFW™ Firewall is designed to support users who want to implement firewalls based on the "that which is not expressly permitted is denied" approach. Generally, when building such a firewall, it is important to have good tools to provide access control and secure service for the few services that are provided. The software components of the CDRFW™ Firewall implement security for the most commonly used network services.
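The two security models above, evaluated side by side over constructed traffic. This is an added example, not CDRFW code: the zones, rules and the FTP-on-an-alternate-port packet are constructed to reproduce the case the text describes.

```python
# Added example (not CDRFW code): the two security models from the text,
# evaluated over constructed traffic. A rule is (src_zone, dst_zone, proto,
# dport, action); the first matching rule wins, else the model default applies.
from typing import NamedTuple

class Packet(NamedTuple):
    src_zone: str   # "inside" or "outside"
    dst_zone: str
    proto: str
    dport: int

class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    proto: str
    dport: int
    action: str     # "permit" or "deny"

def evaluate(packet, rules, default):
    for r in rules:
        if r[:4] == tuple(packet):
            return r.action
    return default

# Model 1 (the approach CORPRULE follows): only tested, explicitly listed
# services are permitted; every other flow is dropped.
DENY_DEFAULT_RULES = [
    Rule("outside", "inside", "tcp", 25, "permit"),   # inbound mail
    Rule("outside", "inside", "tcp", 443, "permit"),  # HTTPS to the web front end
]

# Model 2: only services believed to present a risk are blocked.
PERMIT_DEFAULT_RULES = [
    Rule("outside", "inside", "tcp", 21, "deny"),     # standard FTP control port
    Rule("outside", "inside", "tcp", 23, "deny"),     # telnet
]

def decide_both(packet):
    """Return (deny-by-default verdict, permit-by-default verdict)."""
    return (evaluate(packet, DENY_DEFAULT_RULES, "deny"),
            evaluate(packet, PERMIT_DEFAULT_RULES, "permit"))

# Constructed samples, including the text's case of a user serving FTP on a
# non-standard port because port 21 is blocked but the alternate port is not.
SAMPLES = {
    "https":   Packet("outside", "inside", "tcp", 443),
    "ftp_std": Packet("outside", "inside", "tcp", 21),
    "ftp_alt": Packet("outside", "inside", "tcp", 2121),
}
```

Only the deny-by-default model stops the alternate-port FTP service; the permit-by-default model lets it through because no rule names port 2121.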

There are several archetypal firewall configurations that can be supported. (For a more in-depth look at various basic forms of firewalls, see [1].) The primary type of firewall supported by the CDRFW™ is the dual-homed gateway. In this firewall, the important factor is a host (known as a "bastion host") which acts as an application forwarder, traffic logger, and service provider. Maintaining security on the bastion host is of paramount importance, and this is where most of the effort of setting up the firewall is focused.

In the dual-homed gateway configuration, the CDRFW™ is booted on a host with two network interfaces. Since the bastion host is a security-critical network strong point, it is important that the configuration of the software on that system be as secure as possible.

Dual-homed gateways are an appealing firewall design, since they are simple to implement, require a minimum of hardware, and can be verified easily. By completely disabling routing, the administrator can have a high degree of confidence that any traffic between the protected network and the non-trusted network is passing through an application that is running on the firewall. Since no traffic is transferred directly between the internal network and the non-trusted network, it is not necessary to advertise any routes to the private network over the non-trusted network. This effectively renders the protected network "invisible" to any systems except the bastion host.


VPN (CORPVPN)

Corprotect's implementation of the VPN portion of the CDRFW™ uses Internet Protocol Security. Internet Protocol Security (IPsec) is a protocol suite for securing Internet Protocol (IP) communications by authenticating and encrypting each IP packet of a data stream. IPsec also includes protocols for establishing mutual authentication between agents at the beginning of the session and for negotiating the cryptographic keys to be used during the session. IPsec can be used to protect data flows between a pair of hosts (e.g. computer users or servers), between a pair of security gateways (e.g. routers or firewalls), or between a security gateway and a host.

IPsec is a dual mode, end-to-end, security scheme operating at the Internet Layer of the Internet Protocol Suite or OSI model Layer 3. Some other Internet security systems in widespread use, such as Secure Sockets Layer (SSL), Transport Layer Security (TLS) and Secure Shell (SSH), operate in the upper layers of these models. Hence, IPsec can be used for protecting any application traffic across the Internet. Applications need not be specifically designed to use IPsec. The use of TLS/SSL, on the other hand, must typically be incorporated into the design of applications.

IPsec is a successor of the ISO standard Network Layer Security Protocol (NLSP). NLSP was based on the SP3 protocol that was published by NIST, but designed by the Secure Data Network System project of the National Security Agency (NSA).

IPsec is officially specified by the Internet Engineering Task Force (IETF) in a series of Requests for Comment addressing various components and extensions, including the official capitalization style of the term.

The IPsec suite is a framework of open standards. IPsec uses the following protocols to perform various functions:

  • A security association (SA), set up by Internet Key Exchange (IKE and IKEv2) or Kerberized Internet Negotiation of Keys (KINK), which handles negotiation of protocols and algorithms and generates the encryption and authentication keys to be used by IPsec.
  • Authentication Header (AH) to provide connectionless integrity and data origin authentication for IP datagrams and to provide protection against replay attacks.
  • Encapsulating Security Payload (ESP) to provide confidentiality, data origin authentication, connectionless integrity, an anti-replay service (a form of partial sequence integrity), and limited traffic flow confidentiality.

SOFTWARE LOAD BALANCER (CORPSLB)

In computer networking, load balancing is a technique to distribute workload evenly across two or more computers, network links, CPUs, hard drives, or other resources, in order to get optimal resource utilization, maximize throughput, minimize response time, and avoid overload. Using multiple components with load balancing, instead of a single component, may also increase reliability through redundancy. The load balancing service is provided by the CORPSLB dedicated program and PC hardware device.

It is commonly used to mediate internal communications in computer clusters, especially high-availability clusters. If the load on one server becomes too high, a secondary server takes some of the load while the first is still processing requests.

Relationship with failover

Load balancing is often used to implement failover: the continuation of a service after the failure of one or more of its components. The components are monitored continually (e.g., web servers may be monitored by fetching known pages), and when one becomes non-responsive the load balancer is informed and no longer sends traffic to it. When a component comes back online, the load balancer begins to route traffic to it again. For this to work there must be at least one component in excess of the service's capacity. This is much less expensive and more flexible than failover approaches where a single "live" component is paired with a single "backup" component that takes over in the event of a failure. Some types of RAID systems can also use a hot spare for a similar effect.

Load balancer features

The CDRFW™ CDROM comes with a variety of special features used by the CORPSLB portion of the CDROM.

  • Asymmetric load: A ratio can be manually assigned to cause some backend servers to get a greater share of the workload than others. This provides a way to account for some servers being faster than others.
  • Priority activation: When the number of available servers drops below a certain number, or load gets too high, standby servers can be brought online.
  • SSL Offload and Acceleration: SSL applications can be a heavy burden on the resources of a Web Server, especially on the CPU and the end users may see a slow response (or at the very least the servers are spending a lot of cycles doing things they weren't designed to do). To resolve these kinds of issues, the CDRFW™ is capable of handling SSL Offloading. When Load Balancers are taking the SSL connections, the burden on the Web Servers is reduced and performance will not degrade for the end users.
  • Distributed Denial of Service (DDoS) attack protection: CORPSLB can provide features such as SYN cookies and delayed-binding (the back-end servers don't see the client until it finishes its TCP handshake) to mitigate SYN flood attacks and generally offload work from the servers to a more efficient platform.
  • TCP offload: Normally each HTTP request from each client is a different TCP connection. This feature utilizes HTTP/1.1 to consolidate multiple HTTP requests from multiple clients into a single TCP socket to the back-end servers.
  • Direct Server Return: CORPSLB provides an option for asymmetrical load distribution, where request and reply have different network paths.
  • Health checking: CORPSLB will poll servers for application layer health and remove failed servers from the pool.
  • Priority queuing: also known as rate shaping, the ability to give different priority to different traffic.
  • Content aware switching: CORPSLB can send requests to different servers based on the URL being requested.
  • Client authentication: authenticate users against a variety of authentication sources before allowing them access to a website.
  • Programmatic traffic manipulation: CORPSLB allows the use of a scripting language to allow custom load balancing methods, arbitrary traffic manipulations, and more.
  • Firewall: direct connections to backend servers are prevented, for network security reasons.
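A weighted backend pool with health checking and failover, covering the "Relationship with failover", "Asymmetric load" and "Health checking" points above. This is an added example and not CORPSLB's own code; backend names, weights and probe results are constructed, and a real deployment would probe a known page over HTTP instead of being fed results by hand.

```python
# Added example (not CORPSLB code): a weighted backend pool with health
# checking and failover as the text describes. Backend names, weights and the
# probe results are constructed; a real deployment would probe a known page.

class Backend:
    def __init__(self, name, weight, healthy=True):
        self.name, self.weight, self.healthy = name, weight, healthy
        self.failures = 0

class Pool:
    """Smooth weighted round-robin over the healthy backends only."""
    def __init__(self, backends, fail_threshold=3):
        self.backends = list(backends)
        self.fail_threshold = fail_threshold
        self.current = {b.name: 0 for b in self.backends}

    def probe(self, name, ok):
        """Record one health-check result: out after N failures, back on success."""
        b = next(x for x in self.backends if x.name == name)
        if ok:
            if not b.healthy:
                self.current[name] = 0     # rejoin without a stale credit
            b.failures, b.healthy = 0, True
        else:
            b.failures += 1
            if b.failures >= self.fail_threshold:
                b.healthy = False          # failover: send it no more traffic

    def pick(self):
        live = [b for b in self.backends if b.healthy]
        if not live:
            return None                    # nothing left to serve the request
        for b in live:
            self.current[b.name] += b.weight
        best = max(live, key=lambda b: self.current[b.name])
        self.current[best.name] -= sum(b.weight for b in live)
        return best.name

def distribute(pool, n):
    """Dispatch n requests and return how many each backend received."""
    counts = {}
    for _ in range(n):
        name = pool.pick()
        counts[name] = counts.get(name, 0) + 1
    return counts
```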

TRAFFIC CONTROL (CORPTC)

Traffic shaping (also known as "packet shaping" or ITMPs: Internet Traffic Management Practices) is the control of computer network traffic in order to optimize or guarantee performance, improve latency, and/or increase usable bandwidth by delaying packets that meet certain criteria. More specifically, traffic shaping is any action on a set of packets (often called a stream or a flow) which imposes additional delay on those packets such that they conform to some predetermined constraint (a contract or traffic profile). Traffic shaping provides a means to control the volume of traffic being sent into a network in a specified period (bandwidth throttling), the maximum rate at which the traffic is sent (rate limiting), or more complex criteria such as the GCRA (Generic Cell Rate Algorithm). This control can be accomplished in many ways and for many reasons; however, traffic shaping is always achieved by delaying packets. Traffic shaping is commonly applied at the network edges to control traffic entering the network, but can also be applied by the traffic source (for example, a computer or network card) or by an element in the network. Traffic policing is the distinct but related practice of packet dropping and packet marking.

A traffic shaper works by delaying metered traffic such that each packet complies with the relevant traffic contract. Metering may be implemented with, for example, the leaky bucket or token bucket algorithm (the former typically in ATM and the latter in IP networks). Metered packets or cells are then stored in a FIFO buffer for each separately shaped class until they can be transmitted in compliance with the prevailing traffic contract. This may occur immediately (if the traffic arriving at the shaper is already compliant), after some delay (waiting in the buffer until its scheduled release time) or never (in case of buffer overflow).

Intelligent shaping schemes can guarantee a particular Quality of Service (often measured in jitter, packet loss, and latency) for an application or a user while still allowing other traffic to use all remaining bandwidth.
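A token-bucket shaper with a bounded per-class FIFO, showing the three outcomes the section lists for a metered packet: sent at once, sent after a delay, or never sent because the buffer overflowed. This is an added example, not CORPTC code; the rate, burst depth, buffer size and packet burst are constructed.

```python
# Added example (not CORPTC code): token-bucket metering in front of a bounded
# FIFO. Each packet is either sent immediately, queued until enough tokens have
# accumulated and everything ahead of it has left, or dropped on overflow.
from collections import deque

class TokenBucketShaper:
    def __init__(self, rate_bps, burst_bytes, buffer_pkts):
        self.rate, self.burst, self.cap = rate_bps, burst_bytes, buffer_pkts
        self.tokens = float(burst_bytes)   # bucket starts full
        self.last = 0.0                    # time of the last token accounting
        self.last_release = 0.0            # FIFO order: nothing leaves earlier
        self.pending = deque()             # release times of queued packets

    def offer(self, arrival, size):
        """Return ('sent', 0.0), ('delayed', seconds) or ('dropped', None)."""
        while self.pending and self.pending[0] <= arrival:
            self.pending.popleft()         # those packets have already left
        if len(self.pending) >= self.cap:
            return ("dropped", None)       # buffer overflow: never transmitted
        earliest = max(arrival, self.last_release)
        self.tokens = min(self.burst, self.tokens + self.rate * (earliest - self.last))
        self.last = earliest
        if self.tokens >= size:
            release = earliest             # already compliant with the contract
        else:
            release = earliest + (size - self.tokens) / self.rate
            self.tokens = float(size)      # bucket has refilled exactly to size
            self.last = release
        self.tokens -= size
        self.last_release = release
        delay = release - arrival
        if delay > 0:
            self.pending.append(release)
            return ("delayed", round(delay, 6))
        return ("sent", 0.0)

def shape(shaper, packets):
    """Run (arrival_time, size_bytes) pairs through the shaper in order."""
    return [shaper.offer(t, size) for t, size in packets]

# Constructed burst: four 1000-byte packets at t=0, then a 500-byte packet at t=2.
SAMPLE = [(0.0, 1000), (0.0, 1000), (0.0, 1000), (0.0, 1000), (2.0, 500)]

if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, shape(TokenBucketShaper(1000, 1500, 2), SAMPLE)):
        print(pkt, verdict)
```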


SUPPORT TOOLS (CORPTOOLS)

 

Watchdog

Watchdog is a collection of programs, functions, services and utilities that monitor, check, alert on and report the current state of the systems under its control. Each of these Watchdog processes is called a MODULE. Each Watchdog module is designed to perform specific system-dependent checks and tests. All activity between Watchdog and the System Under Test is controlled via a SQL database local to the Watchdog system. (Hereafter the System Under Test will be referred to as the SUT.) A SUT under Watchdog's watchful eye must adhere to standardized functionality and may deviate from these standards ONLY in special cases where the standards do not apply. These standards are in place to assure accurate, simple and fast deployment of new SUT systems being added to Watchdog control.

 

Consulting

Security audits, Penetration testing, Ethical hacking, Social Engineering, Network design, Unix.



Corprotect