Security with the Use of Protocol Isolation

The protocol that forms the backbone of the Internet is TCP/IP.  TCP/IP is a suite of networking protocols developed specifically for use on the Internet.  The suite has proven very popular, and it is also used by most UNIX implementations as well as other platforms such as Windows 2000 and Windows NT.  The problem is that TCP/IP is a “routable” network protocol.  Without some security mechanism such as a firewall, nothing stops Internet users outside the local network from trying to connect to shared resources inside it.  This is a serious threat to small organizations and personal home networks, whose data can easily be obtained.

A fairly simple technique used to address this problem is called protocol isolation.  In short, protocol isolation works by configuring the local network so that it uses both TCP/IP and a non-TCP/IP protocol.  Internet access is available, but only via TCP/IP.  A separate, non-TCP/IP protocol is used for transferring shared data.  As a result, users outside the network cannot reach the shared resources, while internal users can access both the shared resources and Internet services.

Where added protection is wanted for one section of a network, instead of binding multiple protocols to the protected computers, the entire segment can be placed behind a router, gateway or bridge that provides only NetBEUI (or some other non-routable protocol’s network services) to that section of the network.

The network protocol originally used as the default for Microsoft Networks was NetBEUI.  This protocol is fast, efficient, adds only a small amount of overhead and is not routable.  By configuring the shared resources on the local network to use NetBEUI for file sharing, and by setting NetBEUI as the default protocol, local resources are not made available to remote, unwelcome users.  An alternative to NetBEUI is IPX/SPX, which Microsoft and Novell proxy servers support as standard.  Both can add “protocol isolation” to a network’s security scheme by allowing clients to use only IPX/SPX as their network protocol.

Protocol isolation is a very good method of securing data, but one has to remember that every machine on the network that runs TCP/IP remains fully exposed to attack from any computer in the world that has access to the Internet.  It is also important not to think of protocol isolation as any form of “firewall”, because it is not one.  Firewalls can block and filter incoming packets; protocol isolation simply relies on the fact that the protected computer shares no resources over TCP/IP and offers no TCP/IP services, so there is nothing for a hostile user to connect to.

Protocol isolation techniques use network devices that do not require TCP/IP as their primary means of network communication.  They use some other protocol, such as NetBEUI or IPX/SPX, to communicate on the local network.  When these systems need to access the Internet, which requires TCP/IP, they go through some type of application gateway, or the protected machines have multiple protocols bound to them.  Protocol isolation provides a great deal of protection because TCP/IP traffic cannot reach a system that does not run TCP/IP, but it should not be considered equivalent to a firewall, because the two are entirely different things.
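The protection described above rests on one configuration fact: on each machine, which protocols and services are bound to which network adapter.  The following PowerShell script is an added example, not code from the original article; it audits that binding table on a current Windows host, where NetBEUI is no longer shipped and the equivalent check is whether File and Printer Sharing is bound alongside TCP/IP on the adapter that faces the Internet.  It assumes the NetAdapter module (Windows 8 / Server 2012 and later), an elevated session for the optional remediation step, and uses the placeholder adapter name "External" for the Internet-facing interface.

```powershell
# Added example: report which protocols and sharing services are bound to
# each adapter, and flag adapters where shares are reachable over TCP/IP.
# Assumes the NetAdapter module; "External" is a placeholder adapter name.
function Get-ShareBindingReport {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$InternetFacingAdapter = 'External',   # placeholder, assumption
        [switch]$Remediate                             # unbind sharing on exposed adapter
    )

    # Windows component IDs for the bindings relevant to protocol isolation.
    $components = @{
        'ms_tcpip'    = 'TCP/IPv4'
        'ms_tcpip6'   = 'TCP/IPv6'
        'ms_server'   = 'File and Printer Sharing for Microsoft Networks'
        'ms_msclient' = 'Client for Microsoft Networks'
    }

    foreach ($adapter in Get-NetAdapter) {
        $bindings = Get-NetAdapterBinding -Name $adapter.Name -ErrorAction SilentlyContinue
        $state = @{}
        foreach ($id in $components.Keys) {
            $b = $bindings | Where-Object ComponentID -eq $id
            $state[$id] = [bool]($b -and $b.Enabled)
        }

        $tcpipBound = $state['ms_tcpip'] -or $state['ms_tcpip6']
        # Shares are exposed when the Internet-facing adapter carries both
        # a routable protocol and the file-sharing server binding.
        $exposed = ($adapter.Name -eq $InternetFacingAdapter) -and
                   $state['ms_server'] -and $tcpipBound

        [pscustomobject]@{
            Adapter       = $adapter.Name
            TcpIpBound    = $tcpipBound
            SharingBound  = $state['ms_server']
            ClientBound   = $state['ms_msclient']
            SharesExposed = $exposed
        }

        # Remediation: unbind the sharing server from the exposed adapter only.
        if ($exposed -and $Remediate -and
            $PSCmdlet.ShouldProcess($adapter.Name, 'Unbind File and Printer Sharing')) {
            Disable-NetAdapterBinding -Name $adapter.Name -ComponentID 'ms_server'
        }
    }
}

# Report only; add -Remediate -WhatIf to preview the unbinding, -Remediate to apply it.
Get-ShareBindingReport | Format-Table -AutoSize
```

Run the report first and read the SharesExposed column: a true value on the Internet-facing adapter is exactly the condition protocol isolation is meant to rule out.  Adapters on the internal segment may legitimately keep sharing bound, which is why the script only touches the adapter named in the parameter.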
