Notice: Copyright April 19, 1996 by Peter V. Radatti, All rights reserved.
This month's article continues from last month's. In it we examine the split network architecture that CyberSoft has implemented at its corporate headquarters and how you can adapt that design for added security.
You may remember that CyberSoft split its network into two separate networks: the Internet Enabled Network (IEN) and the Intranet Internal Network (IIN). Our IEN is currently only a few Sun SPARC systems in a rack. The Internet connection is a dedicated 56 Kbps Frame Relay connection from Net Access (Philadelphia's original and largest regional Internet service provider, phone: 215/576-8669). The frame relay connection is tied into a CSU/DSU and then directly into a router which sits on the rack's Internet backbone.

The primary system attached to the backbone is www.cyber.com, which serves web pages to the outside in addition to providing full Internet access to its users. The system is configured to be paranoid and will not allow outsiders to log in from the Internet via Telnet or FTP; outsiders can only see our web pages. In addition to www.cyber.com there are several other IP-only systems on the rack network. These systems cannot be seen from the Internet and are used by CyberSoft personnel to access the Internet.

There is no connection from the IEN to the IIN. If data has to move from the IIN to the IEN it is put on an 8mm tape and copied over. There is almost no movement from the IEN to the IIN, and what is copied is scanned for viruses and hostile attack algorithms using VFind before it is allowed onto the IIN.
An additional feature of the IEN is that email is split off the primary network onto a separate network. In fact, the email network (EN) is older than the IEN and physically sits next to the IEN rack. Even if someone broke into our IEN they would not have access to the EN. This proved useful earlier this week when our local Bell Operating Company physically broke the line connecting us to Net Access. We lost our Internet connection for four days, but our email continued without error, because our email system uses dialup access and UUCP to reach a separate Internet service provider. Our local Bell Operating Company would have to blow out an entire regional office to kill our email connection. If that ever happened, a major section of the Philadelphia area telephone service would disappear and hopefully someone would notice. (It is possible that no one outside of Philly would notice, but I hope not! :-) If anyone broke into our EN they would be trapped on a single computer with one modem: no way to dial out, since to reach the system they have to be using the only modem; no access to the Internet; and no access to the IIN. In fact the EN system is boring, boring, boring. Just the way we like it. It just sits there and does its job, day in and day out.
This leaves us with the problem of how traveling CyberSoft personnel can access the IEN without letting hackers on the network run up multimillion dollar phone bills by making outgoing calls on an attached modem. We solved this problem by installing a modem that dials using touch tone codes on a phone line that has no touch tone service. In fact the line has no long distance service, no regional long distance service, no touch tone service, and no smart services of any kind. Suppose a hacker broke into the system, gained root, disabled the getty that locks the modem port, used "tip" or "cu" to talk to the modem, and knew which modem registers to change to force pulse dialing. They still wouldn't get out, because of an experimental telephone trap that CyberSoft has designed. The trap is actually a miniature telephone firewall that sits between the dialer and the phone line. There is no direct connection between the two sides. The trap reads everything generated by the dialer and does not repeat anything that is a touch tone or a pulse dial to the phone company. There are still some problems with this device and we may elect never to sell it, but it does provide some additional assurance. If your phone line is hooked up to a PBX you may be able to use the PBX to provide the same functionality.
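The trap is described only in outline above, so what follows is an added illustration of the two checks such a device has to make. It is written for this page and is not CyberSoft's design (the column does not say how the trap is built): a Goertzel-based touch-tone (DTMF) detector for the audio the dialer produces, and a pulse-dial decoder over a loop-current trace, combined into a relay-or-block decision. Everything in it is an assumption: dialer audio sampled at 8 kHz in 205-sample frames, a loop-current sensor sampled at 1 kHz, the standard DTMF frequency table, and constructed test signals generated inside the block.

```python
import math

# Constructed parameters for this illustration (not taken from the article):
# dialer audio at 8 kHz in 205-sample frames (the usual DTMF detector block),
# loop-current sensor sampled at 1 kHz, standard DTMF keypad frequencies.
SAMPLE_RATE = 8000
FRAME = 205
LOOP_RATE = 1000
DTMF_LOW = (697, 770, 852, 941)
DTMF_HIGH = (1209, 1336, 1477, 1633)
DTMF_KEYS = ("123A", "456B", "789C", "*0#D")   # row = low tone, column = high tone


def goertzel(frame, freq, rate=SAMPLE_RATE):
    """Squared magnitude of the DFT bin nearest `freq` (Goertzel algorithm)."""
    n = len(frame)
    k = round(n * freq / rate)
    coeff = 2.0 * math.cos(2.0 * math.pi * k / n)
    s_prev = s_prev2 = 0.0
    for x in frame:
        s = x + coeff * s_prev - s_prev2
        s_prev2, s_prev = s_prev, s
    return s_prev ** 2 + s_prev2 ** 2 - coeff * s_prev * s_prev2


def detect_dtmf(frame, rate=SAMPLE_RATE):
    """Return the touch-tone key held during `frame`, or None if there is none."""
    n = len(frame)
    mean_square = sum(x * x for x in frame) / n
    if mean_square < 1e-6:                       # silence
        return None
    # Scale so that an in-bin sinusoid of amplitude A scores about A**2.
    low = [4.0 * goertzel(frame, f, rate) / n ** 2 for f in DTMF_LOW]
    high = [4.0 * goertzel(frame, f, rate) / n ** 2 for f in DTMF_HIGH]
    li = max(range(4), key=low.__getitem__)
    hi = max(range(4), key=high.__getitem__)
    # A key press is one low and one high tone carrying most of the frame's
    # energy: the mean square of two sinusoids is (A**2 + B**2) / 2.
    if low[li] + high[hi] < 0.6 * 2.0 * mean_square:
        return None                              # speech, noise or an off-grid tone
    if high[hi] == 0 or not (1 / 6 < low[li] / high[hi] < 6):
        return None                              # twist out of range: not a keypad
    return DTMF_KEYS[li][hi]


def detect_pulse_digits(loop_closed, rate=LOOP_RATE):
    """Decode rotary (pulse) dialling: loop_closed[i] is True while loop current
    flows, False during a dial-pulse break. Breaks of 40-80 ms count as pulses;
    200 ms or more of make ends the digit (ten pulses mean 0)."""
    digits, pulses, run_state, run_len = [], 0, None, 0
    for state in loop_closed + [None]:           # None flushes the final run
        if state == run_state:
            run_len += 1
            continue
        ms = run_len * 1000.0 / rate
        if run_state is False and 40 <= ms <= 80:
            pulses += 1
        elif run_state is True and ms >= 200 and pulses:
            digits.append(pulses % 10)
            pulses = 0
        run_state, run_len = state, 1
    if pulses:
        digits.append(pulses % 10)
    return digits


def trap_decision(audio_frames, loop_closed):
    """The trap's rule: relay to the telco only if nothing looks like dialling."""
    keys = "".join(k for k in map(detect_dtmf, audio_frames) if k)
    if keys:
        return False, "blocked touch tones " + keys
    digits = detect_pulse_digits(loop_closed)
    if digits:
        return False, "blocked pulse dial " + "".join(map(str, digits))
    return True, "no dialling seen, audio relayed"


# Constructed test signals standing in for what the dialer would emit.
def tone(freqs, n=FRAME, rate=SAMPLE_RATE, amplitude=0.5):
    """Sum of sinusoids, e.g. tone([770, 1336]) is keypad digit 5."""
    return [sum(amplitude * math.sin(2 * math.pi * f * i / rate) for f in freqs)
            for i in range(n)]


def pulse_dial(digits, rate=LOOP_RATE):
    """Loop-current trace for rotary dialling `digits` (60 ms break / 40 ms make)."""
    samples = [True] * int(0.3 * rate)           # off-hook, line idle
    for d in digits:
        for _ in range(10 if d == 0 else d):
            samples += [False] * int(0.06 * rate) + [True] * int(0.04 * rate)
        samples += [True] * int(0.7 * rate)      # inter-digit pause
    return samples
```

Calling trap_decision([tone([770, 1336])], [True] * 500) refuses to relay because digit 5 was keyed; trap_decision([tone([1000])], pulse_dial([2, 0])) refuses because two digits were pulsed; a lone 1000 Hz tone on a steady loop passes, as speech would. A real device would also have to handle a hook flash and tones that straddle frame boundaries, which this sketch ignores.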
Tune in next month, same magazine, same column, for the continuing story of how CyberSoft has split its network into an IIN, IEN and EN!
Pete Radatti is the founder and CEO of CyberSoft, Inc. CyberSoft manufactures VFind, the antivirus software product that runs under UNIX and simultaneously scans for UNIX, MS-DOS, Macintosh and Amiga destructive software while providing cryptographic integrity for your file system. You can reach Pete at radatti@cyber.com or 610/825-4748 (9:00 AM to 5:00 PM Eastern Time). These articles are dedicated to Chrissy.