Implementing a Demilitarized Zone Using Holistic Open Source Solution

Chafic Bousaba

Download Paper | Permalink

Conference: 2019 ASEE Annual Conference & Exposition
Location: Tampa, Florida
Publication Date: June 15, 2019
Start Date: June 15, 2019
End Date: June 19, 2019
Conference Session: Computing Research I
Tagged Division: Computing and Information Technology
Tagged Topic: Diversity
Page Count: 11
DOI: 10.18260/1-2--32940
Permanent URL: https://peer.asee.org/32940
Download Count: 1442

Request a correction

Paper Authors

biography

Chafic Bousaba Guilford College

visit author page

* Joined Guilford College in January 2008
* Serves as Assistant Professor in the Computing Technology and information Systems.
* Cybersecurity major coordinator

visit author page

Download Paper | Permalink

Abstract

Cybersecurity continues to be a growing priority for organizations of all sizes, sectors, and industries. The threat landscape continues to rapidly evolve producing disastrous cyber attacks that are crippling their targets and debilitating the economy. These attacks continue to increase in frequency, scale, sophistication, and severity of impact. New attack tools and vectors are persistently emerging and new exploit techniques are constantly gaining widespread adoption. Small businesses continue to experience lack of adequate solutions and resources to defend against and repel these attacks. We present a holistic open source software and hardware solution, that implements securing the network architecture by using the “defense-in-depth” approach that ensures the elimination of single or dual point of potential vulnerability within a network. The Protectli FW108120 firewall, referred to as “The Vault” is used as first line of defense. It is a low power, fanless, durable, customizable small form factor PC. It utilizes a Celeron J1900 processor, 8 GB of DDR3 memory, a 120 GB mSATA SSD, and 4 Gigabit Ethernet ports. The community version of pfSense firewall will be utilized to run on the firewall. pfSense is a free and open source firewall and router, based on FreeBSD, that also features unified threat management (UTM), load balancing, and multi zone setup. pfSense implements, maintains, and polices our multi-zone topology, which is formed of a DeMilitarized Zone (DMZ), a trusted zone, and an untrusted zone. The DMZ achieves defense in depth by adding an extra layer of security beyond that of a single perimeter, separating an external network from directly referencing an internal network, and isolating a particular machine within a network. Thought the DMZ concept is not new, implementing it using stacked single-board computers, offers an affordable and flexible, yet secure, network architecture specifically for startups, small businesses, an expansion office, or even home office. The selected single board computers are a combination of third generation Raspberry Pis and Rock64s. These boards provide a remarkable computational power, low energy consumption, light weight, a compact size secure solution, and resourceful community support. These boards will form the DMZ network servers and host services such as a Network Intrusion Detection System (NIDS) using Snort, a selection of honeypots for Secure Shell (SSH), web applications, packet sniffing, private web browsing capabilities via TOR (The Onion Router), LAMP (Linux, Apache, MySQL, PHP or Python or Perl) server, Virtual Private Network (VPN) server, and protected browsing via proxy service. The main goal of this educational project is to leverage the total holistic integration of open source hardware and software to provide an affordable and portable solution that could be promptly deployed in case of an emergency, as a part of an incident response plan (IRP), or in case it is needed for testing purposes. Implementing this project provides valuable hands-on security experience and best practices in network architecture and configuration. Additional security features, both in hardware and software, were added to the single-board computers to add additional hardened security layers.

Citation
Format

Bousaba, C. (2019, June), Implementing a Demilitarized Zone Using Holistic Open Source Solution Paper presented at 2019 ASEE Annual Conference & Exposition , Tampa, Florida. 10.18260/1-2--32940

TY - CPAPER
AB - Cybersecurity continues to be a growing priority for organizations of all sizes, sectors, and industries. The threat landscape continues to rapidly evolve producing disastrous cyber attacks that are crippling their targets and debilitating the economy. These attacks continue to increase in frequency, scale, sophistication, and severity of impact. New attack tools and vectors are persistently emerging and new exploit techniques are constantly gaining widespread adoption. Small businesses continue to experience lack of adequate solutions and resources to defend against and repel these attacks. We present a holistic open source software and hardware solution, that implements securing the network architecture by using the “defense-in-depth” approach that ensures the elimination of single or dual point of potential vulnerability within a network.
The Protectli FW108120 firewall, referred to as “The Vault” is used as first line of defense. It is a low power, fanless, durable, customizable small form factor PC. It utilizes a Celeron J1900 processor, 8 GB of DDR3 memory, a 120 GB mSATA SSD, and 4 Gigabit Ethernet ports. The community version of pfSense firewall will be utilized to run on the firewall. pfSense is a free and open source firewall and router, based on FreeBSD, that also features unified threat management (UTM), load balancing, and multi zone setup. pfSense implements, maintains, and polices our multi-zone topology, which is formed of a DeMilitarized Zone (DMZ), a trusted zone, and an untrusted zone. The DMZ achieves defense in depth by adding an extra layer of security beyond that of a single perimeter, separating an external network from directly referencing an internal network, and isolating a particular machine within a network.
Thought the DMZ concept is not new, implementing it using stacked single-board computers, offers an affordable and flexible, yet secure, network architecture specifically for startups, small businesses, an expansion office, or even home office. The selected single board computers are a combination of third generation Raspberry Pis and Rock64s. These boards provide a remarkable computational power, low energy consumption, light weight, a compact size secure solution, and resourceful community support. These boards will form the DMZ network servers and host services such as a Network Intrusion Detection System (NIDS) using Snort, a selection of honeypots for Secure Shell (SSH), web applications, packet sniffing, private web browsing capabilities via TOR (The Onion Router), LAMP (Linux, Apache, MySQL, PHP or Python or Perl) server, Virtual Private Network (VPN) server, and protected browsing via proxy service. The main goal of this educational project is to leverage the total holistic integration of open source hardware and software to provide an affordable and portable solution that could be promptly deployed in case of an emergency, as a part of an incident response plan (IRP), or in case it is needed for testing purposes. Implementing this project provides valuable hands-on security experience and best practices in network architecture and configuration. Additional security features, both in hardware and software, were added to the single-board computers to add additional hardened security layers.

AU - Chafic Bousaba
CY - Tampa, Florida
DA - 2019/06/15
PB - ASEE Conferences
TI - Implementing a Demilitarized Zone Using Holistic Open Source Solution
UR - https://peer.asee.org/32940
DO - 10.18260/1-2--32940
ER -