Does your organization have access to expertise in all aspects of perimeter security, including networking, firewalls, intrusion detection systems (IDSs), intrusion prevention systems (IPSs), Virtual Private Networks (VPNs), UNIX security, and Windows security? In the pages ahead, we will show you how all these protective measures work together. Can you definitively say how secure or insecure your network is? Does everyone in your organization understand the policies related to information security and their implications? One hint that they do not is the famous expression, "But we have a firewall!" If you work in information security, you probably hear this phrase more often than you would like to, because it seems to express the opinion of many people, both technical and nontechnical.
One of the most challenging aspects of securing modern networks, even those that already have firewalls, is that they exhibit porous properties. Wireless connections, portable storage devices, mobile systems, and links to partner sites offer a multitude of ways in which data can get in and out of our networks, bypassing our border defenses. This is one of the reasons why a single security component cannot properly defend a network. However, many components working together can. Defense in depth, a major theme of this chapter and this book, is the process of layering these components to capitalize on their respective strengths. It is flexible, in that it allows us to select components based on technical, budgetary, and organizational constraints and combine them in a way that doesn't compromise the overall security or usability of the network.
We will begin this chapter by defining some common terms of the trade to ensure that we're all on the same page. Then we'll discuss core components of defense in depth, to illustrate how various aspects of the security perimeter can complement each other to form a balanced whole.
How to Cite this Page
"Secure Network Architecture." 123HelpMe.com. 03 Apr 2020
Terms of the Trade
We need a common frame of reference when it comes to terms used throughout the book, because one person's definitions might not be the same as someone else's. To that end, we'll define the perimeter, the border router, a firewall, an IDS, an IPS, a VPN, software architecture, as well as De-Militarized Zones (DMZs) and screened subnets.
What exactly is the perimeter? Some people, when they hear the term perimeter, may conjure up an image of a small squad of soldiers spread out on the ground in a circular formation. Others may come up with the circling-the-wagons image. Before we move on, ask yourself, "What is a perimeter?"
In the context of this book, a perimeter is the fortified boundary of the network that might include the following aspects (the same components listed above):
Border routers
Firewalls
IDSs
IPSs
VPN devices
Software architecture
DMZs and screened subnets
Let's take a look at these perimeter components in closer detail.
Border Routers
Routers are the traffic cops of networks. They direct traffic into, out of, and within our networks. The border router is the last router you control before an untrusted network such as the Internet. Because all of an organization's Internet traffic goes through this router, it often functions as a network's first and last line of defense through initial and final filtering.
Firewalls
A firewall is a chokepoint device that has a set of rules specifying what traffic it will allow or deny to pass through it. A firewall typically picks up where the border router leaves off and makes a much more thorough pass at filtering traffic. Firewalls come in several different types, including static packet filters, stateful firewalls, and proxies. You might use a static packet filter such as a Cisco router to block easily identifiable "noise" on the Internet, a stateful firewall such as a Check Point FireWall-1 to control allowed services, or a proxy firewall such as Secure Computing's Sidewinder to control content. Although firewalls aren't perfect, they do block what we tell them to block and allow what we tell them to allow.
Intrusion Detection Systems
An IDS is like a burglar alarm system for your network that is used to detect and alert on malicious events. The system might comprise many different IDS sensors placed at strategic points in your network. Two basic types of IDS exist: network-based (NIDS), such as Snort or Cisco Secure IDS, and host-based (HIDS), such as Tripwire or ISS BlackICE. NIDS sensors monitor network traffic for suspicious activity. NIDS sensors often reside on subnets that are directly connected to the firewall, as well as at critical points on the internal network. HIDS sensors reside on and monitor individual hosts.
In general, IDS sensors watch for predefined signatures of malicious events, and they might perform statistical and anomaly analysis. When IDS sensors detect suspicious events, they can alert in several different ways, including email, paging, or simply logging the occurrence. IDS sensors can usually report to a central database that correlates their information to view the network from multiple points.
Intrusion Prevention Systems
An IPS is a system that automatically detects and thwarts computer attacks against protected resources. In contrast to a traditional IDS, which focuses on notifying the administrator of anomalies, an IPS strives to automatically defend the target without the administrator's direct involvement. Such protection may involve using signature-based or behavioral techniques to identify an attack and then blocking the malicious traffic or system call before it causes harm. In this respect, an IPS combines the functionality of a firewall and IDS to offer a solution that automatically blocks offending actions as soon as it detects an attack.
As you will learn in Chapter 11, "Intrusion Prevention Systems," some IPS products exist as standalone systems, such as TippingPoint's UnityOne device. Additionally, leading firewall and IDS vendors are incorporating IPS functionality into their existing products.
Virtual Private Networks
A VPN is a protected network session formed across an unprotected channel such as the Internet. Frequently, we reference a VPN in terms of the device on the perimeter that enables the encrypted session, such as a Cisco VPN Concentrator. The intended use might be for business partners, road warriors, or telecommuters. A VPN allows an outside user to participate on the internal network as if connected directly to it. Many organizations have a false sense of security regarding their remote access just because they have a VPN. However, if an attacker compromises the machine of a legitimate user, a VPN can give that attacker an encrypted channel into your network. You might trust the security of your perimeter, but you have little control over your telecommuters' systems connecting from home, a hotel room, or an Internet café. Similar issues of trust and control arise with the security of nodes connected over a VPN from your business partner's network.
Software Architecture
Software architecture refers to applications that are hosted on the organization's network, and it defines how they are structured. For example, we might structure an e-commerce application by splitting it into three distinct tiers:
The web front end that is responsible for how the application is presented to the user
The application code that implements the business logic of the application
The back-end databases that store underlying data for the application
Software architecture plays a significant role in the discussion of a security infrastructure because the primary purpose of the network's perimeter is to protect the application's data and services. When securing the application, you should ensure that the architecture of the software and the network is harmonious.
De-Militarized Zones and Screened Subnets
We typically use the terms DMZ and screened subnet in reference to a small network containing public services that is connected directly to, and protected by, the firewall or other filtering device. A DMZ and a screened subnet are slightly different, even though many people use the terms interchangeably. The term DMZ originated during the Korean War, when a strip of land at the 38th parallel was off-limits militarily. A DMZ is an insecure area between secure areas. Just as the DMZ in Korea was in front of any defenses, the DMZ, when applied to networks, is located outside the firewall. A firewall or a comparable traffic-screening device protects a screened subnet that is directly connected to it. Remember this: A DMZ is in front of a firewall, whereas a screened subnet is behind a firewall. In the context of this book, we will adhere to these definitions. Note the difference in Figure 1.1.
A screened subnet is an isolated network that is connected to a dedicated interface of a firewall or another filtering device. The screened subnet is frequently used to segregate servers that need to be accessible from the Internet from systems that are used solely by the organization's internal users. The screened subnet typically hosts "public" services, including DNS, mail, and web. We would like to think these servers are bastion hosts. A bastion is a well-fortified position. When applied to hosts on a network, fortifying involves hardening the operating system and applications according to best practices. As attacks over time have shown, these servers are not always well fortified; in fact, they are sometimes vulnerable despite being protected by a firewall. We must take extra care fortifying these hosts because they are the target of the majority of attacks and can bring the attacker closer to accessing even more critical internal resources.
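The two firewall types described in the Firewalls section, applied to the screened-subnet layout above, as an added example that is not from the book: a toy model of a screening device with three zones (Internet, a screened subnet hosting mail, DNS and web, and the internal network). The zone names, addresses, ports and the policy itself are constructed assumptions; the point is that a static packet filter has no memory and can only recognise "replies" by their TCP flags, while a stateful firewall admits a reply only for a session it saw opened through the policy.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_zone: str    # "internet", "screened" or "internal" (constructed labels)
    src: str
    sport: int
    dst_zone: str
    dst: str
    dport: int
    syn: bool        # True only for the first packet of a TCP session

# Public services hosted on the screened subnet: mail, DNS and web.
PUBLIC_PORTS = {25, 53, 80}

def policy(p: Packet) -> bool:
    """Which new sessions the screening device permits (assumed policy)."""
    if p.src_zone == "internal":
        return True                  # internal users may open sessions anywhere
    if p.src_zone == "internet" and p.dst_zone == "screened":
        return p.dport in PUBLIC_PORTS
    return False                     # internet->internal and screened->internal: denied

class StaticPacketFilter:
    """Static filter: no memory, so replies are recognised only by their flags."""
    def decide(self, p: Packet) -> str:
        if policy(p) or not p.syn:   # 'established'-style rule: any non-SYN passes
            return "ALLOW"
        return "DENY"

class StatefulFirewall:
    """Stateful filter: replies are allowed only for sessions it saw open."""
    def __init__(self) -> None:
        self.sessions: set[tuple] = set()
    def decide(self, p: Packet) -> str:
        if (p.dst, p.dport, p.src, p.sport) in self.sessions:
            return "ALLOW"           # reply to a session opened through the policy
        if p.syn and policy(p):
            self.sessions.add((p.src, p.sport, p.dst, p.dport))
            return "ALLOW"
        return "DENY"

def run(fw, packets):
    return [fw.decide(p) for p in packets]

# Constructed sample traffic: one legitimate web session, one screened-host
# attempt to reach an internal database, and one reply-looking packet that
# belongs to no session at all.
WEB, DB, CLIENT = "203.0.113.10", "10.0.0.5", "198.51.100.7"
SAMPLE = [
    Packet("internet", CLIENT, 40000, "screened", WEB, 80, syn=True),   # new web session
    Packet("screened", WEB, 80, "internet", CLIENT, 40000, syn=False),  # its reply
    Packet("screened", WEB, 40001, "internal", DB, 3306, syn=True),     # screened -> internal
    Packet("internet", CLIENT, 40002, "internal", DB, 3306, syn=False), # no matching session
]
```

Running `run(StaticPacketFilter(), SAMPLE)` against `run(StatefulFirewall(), SAMPLE)` shows both devices enforce the screened-to-internal denial, but only the stateful one rejects the last packet, which is why the book describes stateful firewalls as the device used to control allowed services.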