Another security risk for your network involves direct attack. Connecting your network to the Internet provides a nice wide conduit for folks who want to try to crack your network security and gain access to valuable network resources.
Direct network attacks can take different forms, and many of them are possible because of the way the TCP/IP protocol stack operates. Each protocol in the TCP/IP stack communicates on a particular channel, called a well-known port number (port numbers are discussed in Chapter 12, "TCP/IP Network Administration"). For example, HTTP operates on port 80, and FTP operates on port 21. There are, in fact, more than 1,000 well-known port numbers, and each of these ports is a potential path for an attack on your network. Firewalls provide a strategy for blocking these ports, and we will discuss firewalls later in the chapter.
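Before deciding which ports a firewall should block, it helps to know which well-known ports a host is actually listening on. The following is an added example, not taken from the book: it audits listening TCP sockets against an allowlist. The sample `ss -H -tln` output is constructed, and the allowlist of ports 22 and 80 is an assumed policy.

```python
import ipaddress

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
LISTEN 0 32 0.0.0.0:21 0.0.0.0:*
LISTEN 0 128 127.0.0.1:631 0.0.0.0:*
LISTEN 0 128 [::]:8080 [::]:*
LISTEN 0 128 [::1]:25 [::]:*
"""

WELL_KNOWN_MAX = 1023  # the well-known port range is 0-1023


def parse_listeners(ss_output):
    """Return (address, port) pairs for each LISTEN line."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition splits on the last colon, so IPv6 addresses stay intact.
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr.strip("[]"), int(port)))
    return listeners


def is_loopback(addr):
    try:
        return ipaddress.ip_address(addr).is_loopback
    except ValueError:
        return False  # "*" or an interface-scoped address: assume reachable


def audit(ss_output, allowed_ports):
    """Well-known ports reachable from other hosts that the policy does not allow."""
    findings = set()
    for addr, port in parse_listeners(ss_output):
        # Only the well-known range is in scope here; loopback-only
        # listeners cannot be reached from the network.
        if port <= WELL_KNOWN_MAX and not is_loopback(addr) and port not in allowed_ports:
            findings.add(port)
    return sorted(findings)


if __name__ == "__main__":
    # Assumed policy: only SSH (22) and HTTP (80) are meant to be exposed.
    for port in audit(SAMPLE_SS, allowed_ports={22, 80}):
        print(f"port {port}/tcp is listening but is not in the allowlist")
```

On the constructed sample, only the FTP listener on port 21 is reported: it is bound to all interfaces and is not part of the assumed policy.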
Direct attacks can also be engineered when a cracker discerns important information, such as login names and passwords, by using snooping software such as protocol sniffers, which are discussed in Chapter 19. A cracker can sit outside your network on the Internet and intercept data transmissions that can provide enough information for a direct attack on the internal network.
A number of different kinds of attacks can be made on an IP network. A brief description of each follows:
Network administrators use all sorts of strategies to prevent these types of attacks. Secure routers provide one way to protect the internal network, and so do firewalls (discussed in the next section). Another method involves implementing Internet Protocol Security (IPSec), which is a suite of cryptography-based protection services and security protocols that can be used to secure internal networks, networks that use WAN solutions for connectivity, and networks that take advantage of remote access solutions (such as Virtual Private Networking, which we discuss in Chapter 17).
Securing a network of any size will probably require more than one strategy. This means you need to create a security plan for your network. Once you have a plan, you can implement it with the appropriate hardware or software security tools. Network security is certainly a very hot topic and a very important aspect of any network administrator's job. Securing a network isn't easy, however. Even the big boys, such as Yahoo! and Microsoft, get hammered occasionally by network attacks. Let's end our discussion of network security on a high point with the discussion of a truly marvelous invention: the firewall.