Defense In Depth - A Layered Approach to Network Security
By Leonard Loro
Contributing Writer
Article Date: 02.26.03
Giving partners and employees access to information from outside the network is an important
aspect of security design. Corporations need assurance that their critical
servers are safe from Internet threats. Because the Web is worldwide, there is no global
agreement on which traffic is inappropriate or how it should be regulated, so each
organization has to decide this for itself. A major problem IT departments
face is how to defend critical servers from hostile network traffic and hostile network
addresses. How do we add layers of security to protect our Internet-facing servers and
internal systems?
First Level Filters - Routers and Core Network Devices
Filtering IP addresses can be achieved using a simple router. An access list can be
created to deny access to ports on internal network servers. This solution is
useful for static lists and for blocking IP packets from reaching certain ports on
the network. Router filters of this kind are usually stateless: each packet is judged
on its own, with no knowledge of whether it belongs to a connection that was already
accepted. The disadvantage is that if network policies change frequently, maintaining
the list on a daily or weekly basis becomes a burden.
Use first-level filters for static access lists that are not likely to change
much, or to block services that should never be reachable from the Internet, such as
SQL Server (TCP port 1433).
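The following is an added example, not code from the original article. It models the behaviour a practitioner expects from a router access list: rules are checked top to bottom, the first match wins, and a packet that matches no rule is dropped (implicit deny). The networks, hosts, ports and rules are constructed for the example; 10.0.0.0/24 stands in for the server network and 192.168.5.0/24 for a partner network.

```python
"""Ordered access-list evaluator.

Added example, not code from the original article. Rules are checked top to
bottom, the first match wins, and a packet that matches nothing is denied.
All networks, hosts, ports and rules below are constructed for the example.
"""
from ipaddress import ip_address, ip_network

# A rule is (action, protocol, source network, destination network, destination port).
# A destination port of None matches any port.
ACL = [
    ("deny",   "tcp", "0.0.0.0/0",      "10.0.0.0/24",  1433),  # SQL Server, from anywhere
    ("deny",   "udp", "0.0.0.0/0",      "10.0.0.0/24",  1434),  # SQL Server resolution service
    ("permit", "tcp", "0.0.0.0/0",      "10.0.0.10/32", 80),    # public web server
    ("permit", "tcp", "0.0.0.0/0",      "10.0.0.10/32", 443),
    ("permit", "tcp", "192.168.5.0/24", "10.0.0.0/24",  None),  # partner network, any TCP port
]


def packet(proto, src, dst, dport):
    """Build the minimal packet description the evaluator needs."""
    return {"proto": proto, "src": src, "dst": dst, "dport": dport}


def matches(rule, pkt):
    """True if every field of the rule covers the packet."""
    _action, proto, src_net, dst_net, dst_port = rule
    if proto != pkt["proto"]:
        return False
    if ip_address(pkt["src"]) not in ip_network(src_net):
        return False
    if ip_address(pkt["dst"]) not in ip_network(dst_net):
        return False
    return dst_port is None or dst_port == pkt["dport"]


def evaluate(acl, pkt):
    """Return (action, index of the matching rule); the implicit deny reports index -1."""
    for index, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule[0], index
    return "deny", -1


if __name__ == "__main__":
    probes = [
        packet("tcp", "198.51.100.7", "10.0.0.10", 1433),  # Internet host to SQL Server port
        packet("tcp", "198.51.100.7", "10.0.0.10", 80),    # Internet host to web server
        packet("tcp", "192.168.5.9",  "10.0.0.20", 1433),  # partner host to SQL Server port
        packet("tcp", "192.168.5.9",  "10.0.0.20", 445),   # partner host to file sharing
        packet("tcp", "198.51.100.7", "10.0.0.20", 22),    # matches nothing: implicit deny
    ]
    for p in probes:
        print(p, "->", evaluate(ACL, p))
    # Moving the broad partner permit to the top lets partner hosts reach 1433,
    # because the deny that was meant to cover everyone is no longer consulted.
    reordered = ACL[4:] + ACL[:4]
    print("reordered, partner to 1433:", evaluate(reordered, probes[2]))
```

The reordering at the end is the classic maintenance mistake the text warns about: a broad permit inserted above a specific deny silently shadows it, which is why a static list should be re-checked against a few probe packets every time it is edited.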
Second Level Filters - Firewalls and Application Layer Devices
Firewalls are a good solution for adding security to your network and preventing
outsiders from accessing your internal servers. Most firewall vendors offer
tiered pricing for features such as VPN encryption, user authentication, web proxying
and dynamic (stateful) packet filtering, which tracks connections rather than judging
each packet in isolation.
Use second-level filters for requirements a static router filter cannot meet, such as
dynamic packet filtering and user authentication.
IP Forwarding and NAT
IP forwarding combined with NAT (Network Address Translation) allows one device to
present a single IP address to the Internet on behalf of all the devices on your network.
The device acts as the gateway for every device on the network at the IP layer and
hides your internal addresses from the outside world. Some NAT devices also include other
services such as static filtering or web proxy caching. Keep in mind that NAT hides
addresses rather than enforcing policy: any port you forward inbound to an internal host
is exposed exactly as if that host sat on the Internet, so NAT complements the filters
above rather than replacing them.
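The following is an added example, not code from the original article, showing what "hiding the network" means in practice for a port-translating NAT gateway. A flow leaving the network gets a translation entry and the gateway's public address, an inbound packet is delivered only if it matches such an entry or an explicitly published port, and everything else from outside is dropped. All addresses and flows are constructed; 203.0.113.5 is the gateway's outside address and 192.168.1.0/24 the hidden internal network.

```python
"""Port-translating NAT gateway.

Added example, not code from the original article. Addresses and flows are
constructed: 203.0.113.5 is the gateway's public address, 192.168.1.0/24 the
private network behind it, 198.51.100.0/24 stands in for the Internet.
"""

PUBLIC_IP = "203.0.113.5"


def packet(proto, src, sport, dst, dport):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


class NatGateway:
    def __init__(self, public_ip, first_port=40000):
        self.public_ip = public_ip
        self.next_port = first_port  # next free public port for a new outbound flow
        self.outbound_map = {}       # (proto, in_ip, in_port, remote_ip, remote_port) -> public port
        self.inbound_map = {}        # (proto, public port, remote_ip, remote_port) -> (in_ip, in_port)
        self.published = {}          # (proto, public port) -> (in_ip, in_port); static forwards

    def publish(self, proto, public_port, inside_ip, inside_port):
        """Static forward: deliberately expose one internal service on the public address."""
        self.published[(proto, public_port)] = (inside_ip, inside_port)

    def outbound(self, pkt):
        """Rewrite a packet leaving the private network, creating a mapping if the flow is new."""
        key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
        if key not in self.outbound_map:
            public_port = self.next_port
            self.next_port += 1
            self.outbound_map[key] = public_port
            self.inbound_map[(pkt["proto"], public_port, pkt["dst"], pkt["dport"])] = (pkt["src"], pkt["sport"])
        return dict(pkt, src=self.public_ip, sport=self.outbound_map[key])

    def inbound(self, pkt):
        """Rewrite a packet arriving from outside; return None when it must be dropped."""
        if pkt["dst"] != self.public_ip:
            return None
        inside = self.inbound_map.get((pkt["proto"], pkt["dport"], pkt["src"], pkt["sport"]))
        if inside is None:
            inside = self.published.get((pkt["proto"], pkt["dport"]))
        if inside is None:
            return None              # unsolicited and not published: dropped
        return dict(pkt, dst=inside[0], dport=inside[1])


def scenario():
    """One outbound flow, its reply, an unsolicited probe, and a published port."""
    nat = NatGateway(PUBLIC_IP)
    nat.publish("tcp", 80, "192.168.1.10", 80)  # the one service we choose to expose
    request = nat.outbound(packet("tcp", "192.168.1.20", 51000, "198.51.100.9", 80))
    reply = nat.inbound(packet("tcp", "198.51.100.9", 80, PUBLIC_IP, request["sport"]))
    probe = nat.inbound(packet("tcp", "198.51.100.77", 4444, PUBLIC_IP, 1433))  # nobody inside asked
    web = nat.inbound(packet("tcp", "198.51.100.77", 4444, PUBLIC_IP, 80))      # published, so delivered
    return {"request": request, "reply": reply, "probe": probe, "web": web}


if __name__ == "__main__":
    for name, pkt in scenario().items():
        print(f"{name:8s} {pkt}")
```

The probe to port 1433 is dropped only because nothing inside opened a flow to that host and nothing was published on that port; the published port 80 is reachable by anyone, which is the sense in which NAT hides hosts without filtering what you choose to expose.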
Third Level Filters - Web Proxies and Application Specific Security Software
A Web proxy cache lets users share one browser cache hosted on a server. When a
second user requests the same file you just spent 20 minutes downloading, the file is
served from the caching server and not fetched again from the Internet. Because clients
talk to the proxy rather than to the Internet directly, the proxy is also a natural
place to apply policy. Combined with third-party filtering software that receives ongoing
updates, it becomes a scalable solution with a single point of management and a
selection of filter categories to meet your needs.
Other Third-party Filtering Software
Filtering through software can involve a third-party developer who maintains and
updates a content database and continually provides the updated information to
its customers. Filtering software supports a wide range of platforms; you can
run it on a stand-alone workstation or as a server-based solution. A server-based
solution gives you a central point of control and is the most economical option in
terms of support staff.
Filtering Network Traffic with Windows 2000 Filtering
Windows 2000 TCP/IP filtering allows you to control which inbound requests and
transactions your server accepts. There are a variety of ways to filter access to
and from the Internet, but none of these methods will block 100% of attacks.
Figure 1. Enabling IP traffic filtering.
Most IT environments do not have the time or the qualified staff to monitor critical
server activity every minute. It is therefore necessary to implement a system
where servers can have Internet and network access without the direct supervision
of a staff member. The filtering function of Windows 2000 is geared toward network
administrators of large networked servers, such as Web servers, database servers
and mail servers. Windows 2000 filtering can protect the server from unsafe network data
sent by outsiders and control which network applications are reachable by system users.
Port filtering limits access requests to the information needed, controlling which ports
can and cannot be reached. Note that this filter is stateless and inspects inbound traffic
only: if you permit only the ports your server publishes, replies to connections the server
itself opens (which arrive on ephemeral ports) are also dropped, so a server that must act
as a client as well needs those gaps accounted for.
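The following is an added example, not code from the original article, and it serves both the "dynamic packet filtering" mentioned in the firewall section and the Windows 2000 port filtering described here. StatelessFilter models a "permit only" inbound port list, where each arriving packet is judged on its destination port alone; StatefulFilter adds the connection table a dynamic packet filter keeps, so replies to connections the server itself opened are recognised. Hosts, ports and packets are constructed; 10.0.0.10 is the web server.

```python
"""Stateless "permit only" port list versus connection tracking.

Added example, not code from the original article. Hosts, ports and traffic
are constructed: 10.0.0.10 is the server being protected, 198.51.100.0/24
stands in for the Internet.
"""

SERVER = "10.0.0.10"


def packet(proto, src, sport, dst, dport):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport}


class StatelessFilter:
    """Inbound-only allow-list per protocol. A list of None means "permit all";
    otherwise only the listed destination ports are accepted."""

    def __init__(self, tcp=None, udp=None):
        self.allowed = {"tcp": tcp, "udp": udp}

    def outbound(self, pkt):
        return True  # outgoing traffic is never inspected

    def inbound(self, pkt):
        ports = self.allowed.get(pkt["proto"])
        return ports is None or pkt["dport"] in ports


class StatefulFilter(StatelessFilter):
    """Same allow-list for new inbound connections, plus a table of flows the
    server initiated: a packet that is the exact reverse of a tracked flow is
    accepted even though its destination port (an ephemeral port) is not listed."""

    def __init__(self, tcp=None, udp=None):
        super().__init__(tcp, udp)
        self.flows = set()

    def outbound(self, pkt):
        self.flows.add((pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"]))
        return True

    def inbound(self, pkt):
        reverse = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        return reverse in self.flows or super().inbound(pkt)


def run(filt):
    """Drive one filter through the same traffic and report what it let in."""
    client_to_web = filt.inbound(packet("tcp", "198.51.100.7", 51000, SERVER, 80))
    client_to_sql = filt.inbound(packet("tcp", "198.51.100.7", 51001, SERVER, 1433))
    filt.outbound(packet("tcp", SERVER, 3321, "198.51.100.9", 80))  # server fetches an update
    update_reply = filt.inbound(packet("tcp", "198.51.100.9", 80, SERVER, 3321))
    # Same destination port, but from a host the server never contacted.
    forged_reply = filt.inbound(packet("tcp", "198.51.100.77", 80, SERVER, 3321))
    return {"client_to_web": client_to_web, "client_to_sql": client_to_sql,
            "update_reply": update_reply, "forged_reply": forged_reply}


if __name__ == "__main__":
    print("stateless:", run(StatelessFilter(tcp={80, 443})))
    print("stateful: ", run(StatefulFilter(tcp={80, 443})))
```

Both filters admit the web request and reject the SQL Server probe; the difference is the update reply, which the stateless list drops because port 3321 is not on it and the stateful version accepts because it matches a flow the server opened. The stateful check keys on the full five-tuple, so a packet that merely sets source port 80 is not mistaken for a reply. A production implementation also tracks TCP state and expires idle entries, which this model leaves out.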
About This Section...
Whether you want to learn what network security is, how firewalls work, or how
to write a program in C to manage Active Directory security, this section is
designed to provide useful and easy-to-understand articles for Information
Technology professionals at all levels. Rather than theoretical views and terminology of
security principles and systems, we will give you straightforward, real-life information
to apply at work. Some of the topics we will put in plain words in this section
will be: How to Build a Firewall with Internet Security and Acceleration (ISA)
Server, Analyzing and Monitoring Network Attacks with Windows 2000, and Using and
Creating Advanced Windows 2000 Security Tools and Utilities with Simple Programs.
Finally, we will focus on providing the depth necessary to pass any Microsoft-related
security exam.
Want a FREE network security evaluation? Please e-mail Leo Loro at leoloro@2000trainers.com,
or contact him at (310) 701-7385.
Article originally published at http://www.2000trainers.com/security/coursesandarticles/sec/sec-13-PF.html.
About the author:
Mr. Leo Loro works with business executives
and technology professionals to protect their computer systems, servers and vital
information from theft and fraud. He holds more than a dozen industry certifications
and has worked for companies like Microsoft and other world-class organizations.