3.7 ELEMENTS OF NETWORK SECURITY

Network security is a broad domain that includes many key elements. Let us discuss these elements in brief:

a) Firewall

As we have discussed in our earlier discussion on the Internet and similar networks, connecting an organization to the Internet provides a two-way flow of traffic. This is clearly undesirable in many organizations, as proprietary information is often displayed freely within a corporate intranet (that is, a TCP/IP network, modeled after the Internet, that only works within the organization).

In order to provide some level of separation between an organization's intranet and the Internet, firewalls have been deployed. A firewall is simply a group of components that collectively form a barrier between two networks.

Firewall systems protect and facilitate your network at a number of levels. They allow e-mail and other applications, such as file transfer (FTP, the File Transfer Protocol, is used for copying files between computer systems; an FTP server uses the well-known port 21) and remote login, to take place as desired while otherwise limiting access to the internal network. Firewall systems provide an authorization mechanism that assures that only specified users or applications can gain access through the firewall.

Firewall systems can also be deployed within an enterprise network to compartmentalize different servers and networks, in effect controlling access within the network. For example, an enterprise may want to separate the accounting and payroll server from the rest of the network and only allow certain individuals to access the information. Unfortunately, all firewall systems have some performance degradation. As a system is busy checking or rerouting data communications packets, they do not flow through the system as efficiently as they would if the firewall system were not in place.

Type of Firewalls

There are three basic types of firewalls, and we’ll consider each of them.

Application Gateways

The first firewalls were application gateways, and are sometimes known as proxy gateways. These are made up of bastion hosts which run special software to act as a proxy server. This software runs at the Application Layer of our old friend the ISO/OSI Reference Model, hence the name. Clients behind the firewall must be proxitized (that is, must know how to use the proxy, and be configured to do so) in order to use Internet services. Traditionally, these have been the most secure because they don't allow anything to pass by default, but need to have the programme written and turned on in order to begin passing traffic.


These are also typically the slowest, because more processes need to be started in order to have a request serviced. Figure 3.1 shows an application gateway.

Packet Filtering

Packet filtering is a technique whereby routers have ACLs (Access Control Lists) turned on, as shown in Figure 3.2. By default, a router will pass all traffic sent through it, and will do so without any sort of restriction. Employing ACLs is a method of enforcing your security policy with regard to what sorts of access you allow the outside world to have to your internal network, and vice versa.


A few terms specific to firewalls and networking are used throughout this section, so let us define them together.

Router

A special-purpose computer for connecting networks together. Routers also handle certain functions, such as routing, or managing the traffic on the networks they connect.

Access Control List (ACL)

Many routers now have the ability to selectively perform their duties, based on a number of facts about each packet that arrives. These include the origination address, destination address, destination service port, and so on.

These can be employed to limit the sorts of packets that are allowed to come in and go out of a given network.
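To make the packet-filtering and ACL description concrete, here is a small simulation of how a router evaluates an access list against packets. This is an added example, not code from the original text: the rule syntax, the first-match-wins evaluation order, the addresses (10.1.1.10 as a payroll server, 10.1.1.20 as a mail server, 10.2.0.0/16 as the accounting subnet) and the sample packets are all constructed for illustration. It also shows the difference between the router's native "pass everything not explicitly denied" default and a default-deny policy.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


# Constructed packet description: the header fields a packet filter examines.
@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp" or "udp"
    dport: int    # destination service port


# One ACL entry. Fields left at their defaults match anything, as on most
# router ACL syntaxes.
@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    proto: str = "any"
    dport: Optional[int] = None

    def matches(self, pkt: Packet) -> bool:
        return (ip_address(pkt.src) in ip_network(self.src)
                and ip_address(pkt.dst) in ip_network(self.dst)
                and self.proto in ("any", pkt.proto)
                and (self.dport is None or self.dport == pkt.dport))


def evaluate(acl: List[Rule], pkt: Packet, default: str = "permit") -> str:
    """First matching rule wins; an unmatched packet gets the default action.

    'permit' mirrors the router behaviour described in the text (pass
    everything unless told otherwise); a hardened filter uses 'deny'.
    """
    for rule in acl:
        if rule.matches(pkt):
            return rule.action
    return default


# Constructed policy (assumed addresses): only the accounting subnet may reach
# the payroll server over HTTPS, the mail server accepts SMTP from anywhere,
# and everything else aimed at the payroll server is dropped.
ACL = [
    Rule("permit", dst="10.1.1.20/32", proto="tcp", dport=25),
    Rule("permit", src="10.2.0.0/16", dst="10.1.1.10/32", proto="tcp", dport=443),
    Rule("deny", dst="10.1.1.10/32"),
]

# Constructed sample traffic.
SAMPLES = [
    Packet("203.0.113.5", "10.1.1.20", "tcp", 25),    # outside mail delivery
    Packet("203.0.113.5", "10.1.1.10", "tcp", 443),   # outside host -> payroll
    Packet("10.2.5.7", "10.1.1.10", "tcp", 443),      # accounting -> payroll
    Packet("10.3.5.7", "10.1.1.10", "tcp", 443),      # other department -> payroll
    Packet("203.0.113.5", "10.1.1.30", "tcp", 22),    # outside host -> unlisted server
]


def decisions(default: str) -> List[str]:
    """Evaluate every sample packet under the given default action."""
    return [evaluate(ACL, p, default) for p in SAMPLES]


if __name__ == "__main__":
    for pkt, allow, deny in zip(SAMPLES, decisions("permit"), decisions("deny")):
        print(f"{pkt.src:>13} -> {pkt.dst}:{pkt.dport:<4} "
              f"default-permit={allow:<6} default-deny={deny}")
```

The last sample packet is the instructive one: with the router's default-permit behaviour a connection to a server nobody wrote a rule for sails through, whereas a default-deny policy only lets through what the ACL explicitly names.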

Proxy

This is the process of having one host act on behalf of another. A host that has the ability to fetch documents from the Internet might be configured as a proxy server, and hosts on the intranet might be configured as proxy clients. In this situation, when a host on the intranet wishes to fetch any web page, for example, the browser will make a connection to the proxy server and request the given URL (for example, <http://www.interhack.net/>). The proxy server will fetch the document and return the result to the client. In this way, all hosts on the intranet are able to access resources on the Internet without having the ability to talk directly to the Internet.

b) Password Mechanisms

Passwords are a way to identify and authenticate users as they access the computer system. Unfortunately, there are a number of ways in which a password can be compromised. For example, someone wanting to gain access can listen for a username and a password and then use them to gain access to the network.

Here are a few mechanisms to protect your password.

Password Aging and Policy Enforcement

Password aging is a feature that requires users to create new passwords every so often. Good password policy dictates that passwords must be a minimum number of characters and a mix of letters and numbers. Smart cards provide extremely secure password protection.

Good password procedures include the following:

  • Do not use your login name in any form (as is, reversed, capitalized, doubled, etc.).
  • Do not use your first, middle, or last name in any form, or use your spouse's or children's names.
  • Do not use other information easily obtained about you. This includes license plate numbers, telephone numbers, social security numbers, the make of your automobile, the name of the street you live on, etc.
  • Do not use a password of all digits or all the same letter.
  • Do not use a word contained in English or foreign-language dictionaries, spelling lists or other lists of words.
  • Do not use a password shorter than six characters.
  • Do use a password with mixed-case alphabetic characters.
  • Do use a password with non-alphabetic characters (digits or punctuation).
  • Do use a password that is easy to remember, so that you don't have to write it down.
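The procedure above is the kind of policy a system enforces at password-change time. The following added example (not from the original text) implements those rules as a checker that returns every rule a candidate password violates. The tiny word list is a constructed stand-in for a real dictionary, and the login name and personal names passed in are assumed inputs; a real deployment would load a system word list or a breached-password list in place of DICTIONARY.

```python
from typing import Iterable, List

# Constructed stand-in for a real dictionary / word list (assumption).
DICTIONARY = {"password", "welcome", "secret", "dragon", "monkey", "letmein"}


def login_name_forms(login: str) -> List[str]:
    """The variants of the login name the procedure forbids: as is,
    reversed and doubled. Capitalization is handled by lower-casing both
    sides before comparison."""
    name = login.lower()
    return [name, name[::-1], name * 2]


def check_password(password: str, login: str,
                   names: Iterable[str] = (),
                   dictionary: Iterable[str] = DICTIONARY) -> List[str]:
    """Return the list of rules the password violates (empty means it passes)."""
    problems: List[str] = []
    pw = password.lower()

    if len(password) < 6:
        problems.append("shorter than six characters")
    if password.isdigit():
        problems.append("all digits")
    if len(set(password)) == 1:
        problems.append("all the same character")
    # Substring match so that the login name embedded in a longer password
    # ("alice99", "99ecila") is caught as well.
    if any(form in pw for form in login_name_forms(login) if form):
        problems.append("contains the login name or a variant of it")
    for name in names:
        if name and name.lower() in pw:
            problems.append(f"contains the personal name '{name}'")
    if pw in set(dictionary):
        problems.append("is a dictionary word")
    if not (any(c.islower() for c in password)
            and any(c.isupper() for c in password)):
        problems.append("lacks mixed-case letters")
    if not any(not c.isalpha() for c in password):
        problems.append("lacks non-alphabetic characters")
    return problems


if __name__ == "__main__":
    # Constructed candidates for a user whose login is "alice".
    for candidate in ["alice", "Ecila!9x", "welcome", "111111", "Tr4in-Plum!"]:
        verdict = check_password(candidate, "alice", names=["Alice", "Robert"])
        print(f"{candidate!r:14} -> {verdict or 'acceptable'}")
```

The checker deliberately reports every violated rule rather than stopping at the first, which is what a user needs in order to fix a rejected password in one attempt.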

c) Elements of Networking Security: Encryption

As we discussed earlier, a firewall system is a hardware/software configuration that sits at the perimeter between a company's network and the Internet, controlling access into and out of the network. Encryption can be understood as a method of ensuring the privacy of data, so that only the intended users may view the information.

Authentication and Integrity

Authentication is simply making sure users are who they say they are. When using resources or sending messages in a large private network, not to mention the Internet, authentication is of the utmost importance. Integrity is knowing that the data sent has not been altered along the way. Of course, a message modified in any way would be highly suspect and should be completely discounted.

Message integrity is maintained with digital signatures. A digital signature is a block of data at the end of a message that attests to the authenticity of the file. If any change is made to the file, the signature will not verify. Digital signatures perform both an authentication and message integrity function.
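The "block of data at the end of a message that no longer verifies after any change" behaviour can be seen in a few lines. The following is an added example, not from the original text, and it uses HMAC-SHA256 from the Python standard library in place of a public-key digital signature (the standard library has no signature primitive). An HMAC is a keyed hash: it gives the same integrity guarantee and authenticates whoever holds the key, but because sender and verifier share the same key it does not provide the non-repudiation that a true digital signature does. The keys and message are constructed for the demonstration.

```python
import hashlib
import hmac
import secrets
from typing import Tuple

TAG_LEN = hashlib.sha256().digest_size   # 32 bytes


def sign(key: bytes, message: bytes) -> bytes:
    """Append an HMAC-SHA256 tag to the message, mirroring the block of
    data at the end of a message described in the text."""
    return message + hmac.new(key, message, hashlib.sha256).digest()


def verify(key: bytes, signed: bytes) -> Tuple[bool, bytes]:
    """Split off the trailing tag and recompute it; return (ok, message)."""
    if len(signed) < TAG_LEN:
        return False, b""
    message, tag = signed[:-TAG_LEN], signed[-TAG_LEN:]
    expected = hmac.new(key, message, hashlib.sha256).digest()
    # compare_digest runs in constant time, so a mismatch does not leak
    # how many leading bytes of the tag were correct.
    return hmac.compare_digest(expected, tag), message


def demo() -> Tuple[bool, bool, bool]:
    """Return (intact verifies, tampered verifies, wrong key verifies)."""
    # Constructed keys and message for the demonstration.
    key = secrets.token_bytes(32)
    wrong_key = secrets.token_bytes(32)
    signed = sign(key, b"Transfer 100 to account 42")

    ok_intact, _ = verify(key, signed)

    # Flip one bit in the message body ("100" becomes "000"): the tag no
    # longer matches, so the change is detected.
    tampered = bytearray(signed)
    tampered[9] ^= 0x01
    ok_tampered, _ = verify(key, bytes(tampered))

    # A party without the key cannot produce or check a valid tag either,
    # which is the authentication half of the guarantee.
    ok_wrong_key, _ = verify(wrong_key, signed)

    return ok_intact, ok_tampered, ok_wrong_key


if __name__ == "__main__":
    intact, tampered, wrong_key = demo()
    print(f"intact message verifies:   {intact}")
    print(f"tampered message verifies: {tampered}")
    print(f"wrong key verifies:        {wrong_key}")
```

Note that the tag is computed over the message only; a real protocol would also bind a sequence number or timestamp into the signed data, otherwise a valid message can be replayed intact.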

d) Developing a Site Security Policy

The goal in developing an official site policy on computer security is to define the organization's expectations for proper computer and network use and to define procedures to prevent and respond to security incidents. In order to do this, specific aspects of the organization must be considered and agreed upon by the policymaking group. For example, a military base may have very different security concerns from those of a university. Even departments within the same organization will have different requirements.

It is important to consider who will make the network site security policy. Policy creation must be a joint effort by a representative group of decision-makers, technical personnel, and day-to-day users from different levels within the organization. Decision-makers must have the power to enforce the policy; technical personnel will advise on the ramifications of the policy; and day-to-day users will have a say in how usable the policy is. A site security policy that is unusable, unimplementable, or unenforceable is worthless.

Developing a security policy comprises identifying the organizational assets, identifying the threats, assessing the risk, implementing the tools and technologies available to meet the risks, and developing a usage policy. In addition, an auditing procedure must be created that reviews network and server usage on a timely basis. A response should be in place before any violation or breakdown occurs as well. Finally, the policy should be communicated to everyone who ever uses the computer network, whether employee or contractor, and should be reviewed on a regular basis.
