Network Security
Contents
Introduction
Critical Elements of Network Security
Identity
Perimeter Security
Data Privacy
Security Monitoring
Policy Management
Firewall
Virtual Private Network (VPN)
IPSec
What is IPSec?
Types of Network Attacks
Passive Eavesdropping/Packet Sniffing
IP Address Spoofing
Port Scans
Denial of Service Attacks
Application Layer Attacks
Introduction
The Internet is rapidly changing the way we do business, but even the Internet's
rapid growth has been hampered by a lack of security. The Internet is subject to
many threats, including loss of privacy, loss of data integrity, identity
spoofing, and denial of service. The goal of AMA TechTel is to address all of
these threats in the network when developing a scalable solution to connect your
business to the Internet, your customers, partners and suppliers.
Doing business on the Internet, like all business practices, entails risk.
Without appropriate precautions, Internet connectivity could compromise the very
information assets that make companies profitable and enable them to serve
customers. Network security breaches can result in damaging losses, and concerns
about information security sometimes prevent enterprises from implementing the
Internet-based solutions they need to stay competitive. In today's dynamic
business environment, this reluctance can quickly reduce a company's growth
potential and erode its competitive position.
[Figure: Growth of Worldwide Internet Commerce on the Web]
Critical Elements of Network Security
Identity
Identity is the accurate and positive identification of network users, hosts,
applications, services, and resources. Standard technologies that enable
identification include authentication protocols such as RADIUS and TACACS+,
Kerberos, and one-time password tools. New technologies such as digital
certificates, smart cards, and directory services are beginning to play
increasingly important roles in identity solutions.
Perimeter Security
This element provides the means to control access to critical network
applications, data, and services so that only legitimate users and information
can pass through the network. Routers and switches with access control lists and
stateful firewalling, as well as dedicated firewall appliances, provide this
control. Complementary tools, including virus scanners and content filters, also
help control network perimeters.
Data Privacy
When information must be protected from eavesdropping or tampering, the ability
to provide authenticated, confidential communication on demand is crucial.
Sometimes, data separation using tunneling technologies, such as generic routing
encapsulation (GRE) or Layer 2 Tunneling Protocol (L2TP), provides effective
data privacy. Often, however, additional privacy requirements call for the use
of digital encryption technology and protocols such as IPSec. This added
protection is especially important when implementing VPNs.
Security Monitoring
To ensure that a network remains secure, it's important to regularly test and
monitor the state of security preparation. Network vulnerability scanners can
proactively identify areas of weakness, and intrusion detection systems can
monitor and reactively respond to security events as they occur. Using security
monitoring solutions, organizations can obtain unprecedented visibility into
both the network data stream and the security posture of the network.
Policy Management
As networks grow in size and complexity, the requirement for centralized policy
management tools that leverage directory services grows as well. Sophisticated
tools, ones that can define, distribute, enforce, and audit the state of
security policy through browser-based user interfaces, enhance the usability and
effectiveness of network security solutions.
Firewall
With the spectacular growth of the Internet and online access, companies that do
business on the Internet face greater security threats. How can a company
prevent users who access their public Web site from accessing other highly
sensitive private network resources? And what about internal employees who wish
to transmit highly sensitive data from the corporate intranet to the outside
world? These are only a few examples of ways in which a company's corporate
security can be threatened.
The concept behind firewalling has been around for at least ten years. Many of
the firewalls in use today run on a dual-homed UNIX host and are called proxy
servers. A proxy server is an application gateway or circuit-level gateway that
runs on top of a general-purpose operating system such as UNIX or NT. These
gateways operate at the upper layer of the OSI model, Layer 7, which allows them
to maintain session state and support user authentication for good security.
They connect a company's local network to an external network via workstations
running specialized firewalling applications.
But this type of security comes at a cost in performance. First, proxy servers
work at Layer 7 of the OSI model. Operating at this layer is process intensive
and, therefore, proxy servers consume many CPU cycles. This is why even a
powerful UNIX machine such as a SPARC 10 that supports a proxy server can handle
only a limited number of sessions at one time. Because this architecture doesn't
scale well, companies will not be able to fully utilize high-speed Internet
connectivity options.
AMA TechTel uses the Cisco PIX Firewall in all our firewall applications. We do
not use, nor do we recommend using a Proxy server to do the work of a dedicated
firewall. Cisco's PIX Firewall delivers dramatic performance advantages through
a new feature called cut-through proxy. Whereas UNIX-based and NT-based proxy
servers are able to provide user authentication and maintain "state"
(information about a packet's origin and destination) to offer good security,
their performance suffers because they process all packets at Layer 7 of the OSI
model. The PIX Firewall's cut-through proxy, on the other hand, challenges a
user initially at the application layer, like a proxy server. But once the user
is authenticated and policy is checked, the PIX Firewall shifts the session
flow, and all traffic thereafter flows directly and quickly between the two
parties while maintaining session state. This "cut-through" capability allows
the PIX Firewall to perform dramatically faster than proxy servers.
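The following is an added illustration, not code from AMA TechTel or Cisco, of the cut-through idea described above: a toy firewall that challenges the first packet of a flow at the application layer (credentials plus a policy check) and, once the flow is accepted, records its 5-tuple in a session table so later packets are matched there without re-running the application-layer check. The user database, policy and addresses are constructed for the example.

```python
# Added example (not AMA TechTel's or Cisco's code): a toy model of a
# "cut-through proxy". The first packet of a flow is challenged at the
# application layer (user authentication plus policy check); once accepted,
# the flow's 5-tuple goes into a session table and later packets take the
# fast path. Users, passwords, policy and addresses are all constructed.
import hashlib
import hmac
from typing import NamedTuple

_SALT = b"constructed-salt"
# Constructed user database: username -> salted SHA-256 of the password.
USERS = {
    "alice": hashlib.sha256(_SALT + b"correct horse").hexdigest(),
}
# Constructed policy: inside-to-outside destination ports that are permitted.
ALLOWED_DST_PORTS = {80, 443}


class Flow(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int
    proto: str


class CutThroughFirewall:
    def __init__(self):
        self.sessions = {}   # Flow -> authenticated user (the session "state")
        self.slow_path = 0   # packets that hit the application-layer check
        self.fast_path = 0   # packets matched directly in the session table

    def _authenticate(self, user, password):
        digest = hashlib.sha256(_SALT + password.encode()).hexdigest()
        expected = USERS.get(user)
        return expected is not None and hmac.compare_digest(digest, expected)

    def handle_packet(self, flow, credentials=None):
        """Return 'fast', 'accept' or 'drop' for one packet of `flow`.

        `credentials` is a (user, password) pair carried by the first packet
        of a new session (the application-layer challenge); packets of an
        established session need none.
        """
        if flow in self.sessions:
            self.fast_path += 1
            return "fast"
        self.slow_path += 1
        if credentials is None:
            return "drop"
        user, password = credentials
        if not self._authenticate(user, password):
            return "drop"
        if flow.dport not in ALLOWED_DST_PORTS:
            return "drop"
        self.sessions[flow] = user
        return "accept"

    def close(self, flow):
        """Remove a finished session so its 5-tuple cannot be reused silently."""
        self.sessions.pop(flow, None)


def demo():
    """Run a short constructed packet sequence through the firewall."""
    fw = CutThroughFirewall()
    web = Flow("10.0.0.5", 40001, "203.0.113.10", 443, "tcp")
    results = [fw.handle_packet(web, ("alice", "correct horse"))]
    results += [fw.handle_packet(web) for _ in range(3)]
    # A different destination port, even for the same user, is a new session
    # and must pass policy on its own; port 25 is not permitted here.
    smtp = Flow("10.0.0.5", 40002, "203.0.113.10", 25, "tcp")
    results.append(fw.handle_packet(smtp, ("alice", "correct horse")))
    # A wrong password never reaches the policy check.
    other = Flow("10.0.0.6", 40003, "203.0.113.10", 80, "tcp")
    results.append(fw.handle_packet(other, ("alice", "wrong")))
    return results, fw.slow_path, fw.fast_path


if __name__ == "__main__":
    print(demo())
```

The counters make the performance argument visible: only the first packet of each flow pays for the application-layer challenge, and every later packet is a dictionary lookup. Note that the session entry must be removed when the flow ends (the `close` method), otherwise a stale 5-tuple would keep matching the fast path.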
[Figure: Cisco's PIX Firewall]
Virtual Private Network (VPN)
Virtual Private Networks (VPN) are networks deployed on a public network
infrastructure that employ the same security, management, and quality of service
policies applied in a private network. Benefits of using VPNs include cost
savings and extending connectivity to telecommuters, mobile users and remote
offices as well as to new constituencies, such as customers, suppliers and
partners.
Our VPN solutions give you peace of mind by ensuring that all steps are taken to
ensure the integrity of your network, data and applications. Our VPNs employ the
IPSec encryption standard to ensure that your data is encrypted, identified,
authenticated, and safe from eavesdroppers. This gives you the ability to
transfer your most mission-critical data across a public network like the
Internet.
IPSec
The Internet holds unlimited promise for changing the way we do business, but
not without first addressing the security risks. IPSec provides a key piece of
the solution, because it allows security to be embedded at the network layer.
AMA TechTel utilizes IPSec in all of our remote networking and VPN solutions to
ensure your information is safe.
What is IPSec?
IPSec is a framework of open standards for ensuring secure private
communications over IP networks. Based on standards developed by the Internet
Engineering Task Force (IETF), IPSec ensures confidentiality, integrity, and
authenticity of data communications across a public IP network. IPSec provides a
necessary component of a standards-based, flexible solution for deploying a
network-wide security policy.
IPSec implements network layer encryption and authentication, providing an
end-to-end security solution in the network architecture itself. Thus the end
systems and applications do not need any changes to have the advantage of strong
security. Because the encrypted packets look like ordinary IP packets, they can
be easily routed through any IP network, such as the Internet, without any
changes to the intermediate networking equipment. The only devices that know
about the encryption are the end points. This feature greatly reduces both
implementation and management costs.
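To make the point about "ordinary IP packets" concrete, here is an added example (not from AMA TechTel, and not reference code from the IPsec standards) that wraps an inner IP packet in an ESP tunnel-mode packet: a real IPv4 outer header with protocol 50, an ESP header carrying SPI and sequence number, and a truncated HMAC-SHA256 integrity check value. It then shows what an intermediate router reads (only the outer header) against what the receiving endpoint verifies before accepting the payload. The cipher step is a constructed stand-in (an XOR keystream derived from SHA-256, not an approved IPsec cipher) so the example runs with the standard library only; keys, addresses and the inner packet are constructed.

```python
# Added example (not from the page or the IPsec RFCs): ESP tunnel-mode
# encapsulation, a router's view of the result, and endpoint verification.
# placeholder_encrypt is a constructed stand-in for the ESP cipher, used only
# so the example stays standard-library only. Keys and addresses are constructed.
import hashlib
import hmac
import socket
import struct

ESP_PROTO = 50
ICV_LEN = 16   # bytes of HMAC kept as the integrity check value


def ipv4_checksum(header: bytes) -> int:
    """One's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, proto: int, payload_len: int) -> bytes:
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000,
                      64, proto, 0, socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", ipv4_checksum(hdr)) + hdr[12:]


def placeholder_encrypt(data: bytes, key: bytes) -> bytes:
    """Constructed stand-in for the ESP cipher (NOT an approved cipher):
    XOR with a SHA-256 derived keystream. Symmetric, so it also decrypts."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hashlib.sha256(key + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def esp_encapsulate(inner_packet, outer_src, outer_dst, spi, seq, enc_key, auth_key):
    """Sending endpoint: ESP header + protected inner packet + ICV, behind an outer IPv4 header."""
    esp_header = struct.pack("!II", spi, seq)
    body = placeholder_encrypt(inner_packet, enc_key)
    icv = hmac.new(auth_key, esp_header + body, hashlib.sha256).digest()[:ICV_LEN]
    esp = esp_header + body + icv
    return build_ipv4_header(outer_src, outer_dst, ESP_PROTO, len(esp)) + esp


def router_view(packet):
    """Everything an intermediate router needs is in the ordinary outer IPv4 header."""
    ver_ihl, _, total_len, _, _, _ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", packet[:20])
    ok = ver_ihl == 0x45 and total_len == len(packet) and ipv4_checksum(packet[:20]) == 0
    return {"ok": ok, "proto": proto, "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst)}


def esp_decapsulate(packet, enc_key, auth_key, expected_spi):
    """Receiving endpoint: check SPI and ICV first, then recover the inner packet.
    Returns None on any failure so a forged or altered packet is discarded."""
    esp = packet[20:]
    spi, _seq = struct.unpack("!II", esp[:8])
    if spi != expected_spi:
        return None
    body, icv = esp[8:-ICV_LEN], esp[-ICV_LEN:]
    expected = hmac.new(auth_key, esp[:8] + body, hashlib.sha256).digest()[:ICV_LEN]
    if not hmac.compare_digest(icv, expected):
        return None
    return placeholder_encrypt(body, enc_key)


# Constructed inner packet (private addresses) and constructed keys.
INNER = build_ipv4_header("192.168.1.10", "192.168.2.20", 6, 12) + b"HELLO-INSIDE"
ENC_KEY, AUTH_KEY = b"constructed-enc-key", b"constructed-auth-key"

if __name__ == "__main__":
    pkt = esp_encapsulate(INNER, "198.51.100.1", "203.0.113.2", 0x1001, 1, ENC_KEY, AUTH_KEY)
    print(router_view(pkt))
    print(esp_decapsulate(pkt, ENC_KEY, AUTH_KEY, 0x1001) == INNER)
```

The router sees a valid IPv4 header with protocol 50 and the public gateway addresses, and nothing else; the inner addresses and payload are opaque to it. The endpoint verifies the ICV with a constant-time comparison before decrypting, so a packet altered in transit, or one authenticated under a different key, is rejected rather than delivered.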
Types of Network Attacks
Passive Eavesdropping/Packet Sniffing
An attacker uses a packet sniffer to glean sensitive information from data
streams between two sites or to steal username/password combinations, either on
a private carrier or a public network. Even if applications were to encrypt
traffic within their own streams, a sniffer could still detect sites using that
specific application. The attacker could then concentrate on transmissions
involving that application.
IP Address Spoofing
An attacker pretends to be a trusted computer by using an IP address that is
within the accepted range of IP addresses for an internal network.
Port Scans
An active method of determining which ports a firewall or other network device
is listening on. After attackers discover the holes in a firewall, they can
concentrate on finding an attack that exploits the applications that use those
ports.
Denial of Service Attacks
Differs from other types of attack because, instead of seeking access, the
attacker attempts to block valid users from accessing a resource or gateway.
This blockage can be achieved by SYN-flooding a network resource to exhaustion
with half-open sessions (TCP packets with the SYN bit set, sent from a forged
address), or by crafting packets that cause a resource to perform incorrectly
or crash.
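From the monitoring side, both the port scan and the SYN flood described above leave characteristic traces in connection logs. The added example below (not from AMA TechTel) runs simple detection logic over constructed log records: a port scan is flagged when one source touches many distinct destination ports within a short window, and a SYN flood when many half-open sessions (SYN seen, no completing ACK within the handshake timeout) accumulate against one destination port. The log format, the thresholds and the addresses are assumptions of this example.

```python
# Added example (not from the page): detection of port scans and SYN floods
# over constructed connection-log records. Record format, thresholds and all
# addresses are assumptions made for this example.
from collections import defaultdict

PORTSCAN_PORTS = 10       # distinct dst ports from one source within the window
PORTSCAN_WINDOW = 5.0     # seconds
SYNFLOOD_HALFOPEN = 20    # half-open sessions against one (dst, port)
HANDSHAKE_TIMEOUT = 3.0   # seconds allowed for the client's completing ACK


def build_log():
    """Constructed records: (time_s, src_ip, dst_ip, dst_port, flag)."""
    log = []
    # Normal traffic: two clients complete handshakes to the web server.
    for i, src in enumerate(["10.0.0.5", "10.0.0.6"]):
        log.append((i * 1.0, src, "203.0.113.10", 443, "SYN"))
        log.append((i * 1.0 + 0.05, src, "203.0.113.10", 443, "ACK"))
    # Port scan: one source probes ports 20..39 within two seconds, none completed.
    for p in range(20, 40):
        log.append((10.0 + (p - 20) * 0.1, "198.51.100.7", "203.0.113.10", p, "SYN"))
    # SYN flood: 25 forged sources send SYN to port 80 and never ACK.
    for i in range(25):
        log.append((20.0 + i * 0.01, "192.0.2.%d" % (i + 1), "203.0.113.10", 80, "SYN"))
    return sorted(log)


def detect_port_scans(log):
    """Sources that hit PORTSCAN_PORTS distinct ports inside any PORTSCAN_WINDOW."""
    by_src = defaultdict(list)
    for t, src, _dst, dport, flag in log:
        if flag == "SYN":
            by_src[src].append((t, dport))
    flagged = set()
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):          # sliding window over SYN times
            while events[end][0] - events[start][0] > PORTSCAN_WINDOW:
                start += 1
            if len({p for _, p in events[start:end + 1]}) >= PORTSCAN_PORTS:
                flagged.add(src)
                break
    return flagged


def detect_syn_floods(log, now):
    """(dst, port) pairs with at least SYNFLOOD_HALFOPEN sessions still half-open at `now`."""
    syn_time = {}        # (src, dst, dport) -> time of first SYN
    completed = set()    # sessions whose client ACK was seen
    for t, src, dst, dport, flag in log:
        key = (src, dst, dport)
        if flag == "SYN":
            syn_time.setdefault(key, t)
        elif flag == "ACK" and key in syn_time:
            completed.add(key)
    half_open = defaultdict(int)
    for (src, dst, dport), t in syn_time.items():
        if (src, dst, dport) not in completed and now - t >= HANDSHAKE_TIMEOUT:
            half_open[(dst, dport)] += 1
    return {target for target, n in half_open.items() if n >= SYNFLOOD_HALFOPEN}


if __name__ == "__main__":
    records = build_log()
    print("port scans:", detect_port_scans(records))
    print("syn floods:", detect_syn_floods(records, now=30.0))
```

The two detectors key on different dimensions on purpose: the scanning source also leaves twenty half-open sessions behind, but they are spread over twenty ports, so the flood detector (which counts per destination port) ignores it, while the scan detector (which counts distinct ports per source) catches it. Conversely the flood comes from many forged sources hitting one port, so it is invisible to the per-source scan detector and caught by the per-target count.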
Application Layer Attacks
These take many forms, exploiting weaknesses in server software to access hosts
by obtaining the permissions of the account that runs an application.