Understanding Traditional Network Defenses


Traditional network security relies heavily on router access lists, firewalls, and intrusion detection to protect the network against attacks. These products provide a good baseline for network security; however, you can supplement them with other security products to increase network security. These traditional network security products are also typically configured by hand, often by different administrators and through different graphical user interfaces (GUIs), which makes a consistent policy across them hard to maintain.

The remainder of this chapter discusses traditional network defenses and provides an overview of a self-defending network. This chapter also describes how integrated, centralized management can help to increase network security. Figure 1-1 shows a network with traditional network defense components.

Figure 1-1. Traditional Network Defense


Traditional network defenses are composed of the following products, which you will learn more about in the next sections:

  • Router access lists

  • Firewalls

  • Intrusion Detection Systems (IDS)

  • Virtual Private Networks (VPNs)

  • Antivirus programs

Router Access Lists

The access list, or access control list (ACL), is the cornerstone of network security. Access lists permit or deny network traffic based on parameters including source IP address, destination IP address, and network service or port number. Router access lists are typically stateless, meaning that the router does not maintain TCP connection state for each connection: every packet is judged on its own header fields, so return traffic for connections that inside hosts initiated must be permitted explicitly (for example, by matching packets with the ACK or RST bit set, as the Cisco IOS established keyword does) rather than because the router remembers the outbound connection. Router access lists offer perimeter protection and a base defense because routers are typically both edge devices for perimeter networks and core devices for large networks. In addition to protecting edge and core networks, access lists are also often used to protect the network device itself, for example by restricting which addresses may reach its management ports.

Firewalls

Firewalls are prevalent in perimeter networks and data centers, and are often placed at the perimeter to protect remote sites or edge networks. Network firewalls take their name from the physical firewalls in trains and buildings that quarantine a fire, blocking it from spreading from one area to another.

Network firewalls follow a similar approach by protecting parts of the network from other parts of the network in the event of an attack. Stateful firewalls maintain state for each TCP connection that passes through them, so a packet is permitted only when it begins a connection the policy allows or belongs to a connection that was already allowed. Firewalls can prevent compromised web servers or zombies from attacking other parts of the network. Network firewalls can also implement demilitarized zone (DMZ) functionality: areas of the network are classified as outside (typically toward the Internet), inside (typically toward the users or servers), or DMZ. A DMZ provides a layer of protection between the untrusted outside and the trusted inside part of the network; publicly reachable servers are placed in the DMZ so that an attacker who compromises one of them is still separated from the inside network. Router access lists and firewalls together form the bedrock of traditional network security defenses.
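The difference between a stateless access list and a stateful firewall is easiest to see packet by packet. The following is an added example, not code from the book, that simulates both devices in Python over a few constructed packets: an inbound ACL that approximates "return traffic" with the ACK/RST bits, the way the Cisco IOS established keyword does, and a stateful firewall that tracks each allowed connection. The addresses, ports and policy are invented for the illustration.

```python
"""Added example (not from the book): a stateless router ACL beside a
stateful firewall, run over constructed packets in a small simulation."""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""  # TCP flag letters: S=SYN, A=ACK, R=RST, F=FIN


@dataclass(frozen=True)
class AclEntry:
    action: str                  # "permit" or "deny"
    src: str                     # CIDR; "0.0.0.0/0" means any
    dst: str
    dport: Optional[int] = None  # None matches any destination port
    established: bool = False    # only packets with ACK or RST set (IOS "established")


def in_net(addr: str, cidr: str) -> bool:
    return ipaddress.ip_address(addr) in ipaddress.ip_network(cidr, strict=False)


def acl_decide(acl: list[AclEntry], pkt: Packet) -> str:
    """Stateless evaluation: each packet is judged alone, first match wins,
    and an implicit deny sits at the end of the list."""
    for e in acl:
        if not (in_net(pkt.src, e.src) and in_net(pkt.dst, e.dst)):
            continue
        if e.dport is not None and pkt.dport != e.dport:
            continue
        if e.established and not ({"A", "R"} & set(pkt.flags)):
            continue
        return e.action
    return "deny"


class StatefulFirewall:
    """Permits new TCP connections that match policy and then tracks each one,
    so later packets are judged by whether they belong to an allowed connection."""

    def __init__(self, policy: list[tuple[str, str, int]]):
        self.policy = policy            # (src cidr, dst cidr, dport) allowed to initiate
        self.table: set[tuple] = set()  # connections seen and allowed, as 4-tuples

    def decide(self, pkt: Packet) -> str:
        fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if fwd in self.table or rev in self.table:
            return "permit"             # part of a connection already allowed
        if pkt.flags == "S":            # a new connection attempt
            for src, dst, dport in self.policy:
                if in_net(pkt.src, src) and in_net(pkt.dst, dst) and pkt.dport == dport:
                    self.table.add(fwd)
                    return "permit"
        return "deny"                   # out-of-state packet: no matching connection


INSIDE, ANY = "10.0.0.0/8", "0.0.0.0/0"

# Inbound ACL on the Internet-facing interface. Because the router keeps no
# state, replies to connections that inside hosts started can only be
# recognised by their ACK/RST bits.
INBOUND_ACL = [
    AclEntry("permit", ANY, INSIDE, established=True),
    AclEntry("deny", ANY, INSIDE),
]


def demo() -> dict[str, object]:
    """Run constructed packets through both devices; returns the decisions."""
    fw = StatefulFirewall(policy=[(INSIDE, ANY, 80)])
    results: dict[str, object] = {}
    # An inside host opens a web connection; the firewall records it.
    syn = Packet("10.1.1.5", "203.0.113.10", 40000, 80, "S")
    results["outbound_syn"] = fw.decide(syn)
    inbound = {
        # The genuine reply from the web server.
        "reply": Packet("203.0.113.10", "10.1.1.5", 80, 40000, "SA"),
        # A forged "reply" (ACK set, source port 80) to a host that never connected.
        "forged_ack": Packet("203.0.113.10", "10.1.1.7", 80, 40001, "A"),
        # An unsolicited SYN to an inside host.
        "inbound_syn": Packet("198.51.100.9", "10.1.1.7", 55555, 22, "S"),
    }
    for name, pkt in inbound.items():
        results[name] = (acl_decide(INBOUND_ACL, pkt), fw.decide(pkt))
    return results


if __name__ == "__main__":
    for name, decision in demo().items():
        print(f"{name:12s} ACL / firewall: {decision}")
```

Running it shows the practical consequence of statelessness: the genuine reply passes both devices, but the forged packet with the ACK bit set and source port 80 also passes the ACL, because the router has no way to know that no inside host ever connected, while the firewall denies it as out-of-state. The unsolicited SYN is denied by both.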

Intrusion Detection Systems

Router access lists and firewalls have been pervasive since the early 1990s, while intrusion detection systems (IDSs) started to become widely deployed toward the end of the 1990s. IDSs are passive devices that monitor a copy of network traffic, typically delivered from a switch monitoring (SPAN) port or a network tap, rather than sitting in the forwarding path. IDSs are often deployed in data centers near critical servers. As the name implies, an IDS detects a network attack based on signatures, that is, known patterns of data in the network traffic.

IDSs typically detect rather than prevent a network attack because they are not inline: they operate on a copy of the traffic, so by the time a signature matches, the offending packets have already been forwarded to their destination. IDSs are still highly valuable to network security defense because they provide an early warning that a network attack has been initiated, which lets an operator respond before the attacker gets further.
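To make the detect-rather-than-prevent point concrete, the following added example (not from the book) models an IDS sensor fed from a switch monitoring (SPAN) port. The signatures, the port-scan threshold and the traffic are all constructed for the illustration, and the rule format is a simplified stand-in for real IDS rule languages.

```python
"""Added example (not from the book): a passive, signature-based IDS fed a
copy of constructed traffic from a monitoring port."""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    flags: str = ""      # TCP flag letters, e.g. "S" for SYN
    payload: bytes = b""


@dataclass(frozen=True)
class Signature:
    name: str
    dport: Optional[int]  # None matches any destination port
    content: bytes        # byte pattern that must appear in the payload


# Constructed signatures in the spirit of content-matching IDS rules.
SIGNATURES = [
    Signature("HTTP directory traversal", 80, b"../../"),
    Signature("SMTP VRFY probe", 25, b"VRFY "),
]

SCAN_THRESHOLD = 5  # distinct ports SYN-probed from one source before alerting


class PassiveIDS:
    """Matches single-packet signatures and a multi-packet pattern (port scan).
    It can only raise alerts; it never changes what is forwarded."""

    def __init__(self, signatures: list[Signature], scan_threshold: int = SCAN_THRESHOLD):
        self.signatures = signatures
        self.scan_threshold = scan_threshold
        self.syn_ports: dict[str, set[int]] = defaultdict(set)  # src -> ports probed
        self.alerts: list[tuple[str, str, int, str]] = []

    def inspect(self, pkt: Packet) -> list[str]:
        """Inspect one copied packet and return the alert names it raised."""
        raised = []
        for sig in self.signatures:
            if (sig.dport is None or sig.dport == pkt.dport) and sig.content in pkt.payload:
                raised.append(sig.name)
        if pkt.flags == "S":
            ports = self.syn_ports[pkt.src]
            ports.add(pkt.dport)
            if len(ports) == self.scan_threshold:  # alert once, when the threshold is crossed
                raised.append(f"port scan from {pkt.src}")
        for name in raised:
            self.alerts.append((pkt.src, pkt.dst, pkt.dport, name))
        return raised


def forward_with_span(packets: list[Packet], ids: PassiveIDS) -> list[Packet]:
    """Model a switch SPAN port: the sensor sees a copy of every packet, while the
    original is delivered to its destination regardless of any alert."""
    delivered = []
    for pkt in packets:
        ids.inspect(pkt)        # copy to the sensor
        delivered.append(pkt)   # original keeps going
    return delivered


def demo() -> tuple[list[tuple[str, str, int, str]], int, int]:
    """Constructed traffic: one benign request, two attacks, and a SYN sweep."""
    traffic = [
        Packet("198.51.100.9", "10.1.1.20", 80, "A", b"GET /index.html HTTP/1.0\r\n"),
        Packet("198.51.100.9", "10.1.1.20", 80, "A", b"GET /../../etc/passwd HTTP/1.0\r\n"),
        Packet("198.51.100.9", "10.1.1.25", 25, "A", b"VRFY root\r\n"),
    ] + [Packet("203.0.113.7", "10.1.1.20", p, "S") for p in (21, 22, 23, 25, 80, 443)]
    ids = PassiveIDS(SIGNATURES)
    delivered = forward_with_span(traffic, ids)
    return ids.alerts, len(delivered), len(traffic)


if __name__ == "__main__":
    alerts, delivered, total = demo()
    print(f"{delivered}/{total} packets delivered (the IDS blocked nothing)")
    for src, dst, dport, name in alerts:
        print(f"ALERT {name}: {src} -> {dst}:{dport}")
```

Every packet is delivered, including the two that match signatures; the sensor's only output is the alert list. The port-scan rule shows that a "pattern" can span several packets, which is why a sensor keeps per-source state even though it sits off the forwarding path.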

Virtual Private Networks

VPNs are commonplace in most corporate networks. A VPN is essentially a security layer applied on top of a public or private network to make the connection secure; VPNs are also used as leased-line or ISDN replacements. VPNs use authentication mechanisms, including one-time passwords, and encryption such as 3DES (Triple DES, pronounced "dez") or the Advanced Encryption Standard (AES) to provide that secure layer; of the two, AES is the current choice, and 3DES is now considered legacy. Because VPNs often replace leased lines such as T1s or ISDN connections, they are often managed by the Network Operations (NetOps) group rather than the Security Operations (SecOps) group. VPNs are not a major focus of this book, because they are usually managed by NetOps as a site-to-site connection or a remote-access connection to the corporate data center.

Antivirus Programs

Many organizations have implemented an antivirus program to combat the frequent virus attacks against their networks. Antivirus programs often scan received e-mail to identify and remove known viruses. While antivirus scanning components are valuable additions to the security of a network, they are traditionally standalone and not integrated into the network fabric. Embedding antivirus functionality directly into the network lets the security components be integrated and centrally managed, which makes the network self-defending; it also gives the network a mechanism to be self-healing and to defend itself automatically against certain viruses or viral attacks.



Self-Defending Networks: The Next Generation of Network Security
ISBN: 1587052539