Day 4: Security Applications

Besides antivirus, antispam and antispyware software you should make use of a firewall. This can come packaged as a standalone security appliance, a server-based firewall that installs on a network operating system (NOS), a module that can be installed or is integrated inside an existing router, or a personal firewall that installs on a network host. Firewalls are installed between two networks and can control traffic in the following ways:

• Filter traffic based on destination and source IP address or MAC address, block websites based on url or keywords, and filter traffic based on the type of application used for network transmission.
• Inspect incoming traffic and ensure that each incoming packet is a response to a legitimate outgoing request. This stateful packet inspection (SPI) can prevent DoS attacks.
• Firewalls can also provide network address translation (NAT) for additional security on an internal network.

A firewall can protect users on the intranet but some network devices may need greater access. Servers outside the internal network protected by another firewall are in the demilitarized zone (DMZ). This is typically an area more secure than a direct connection to the Internet lcoated between an internal and external firewall. When setting up a smaller network, you can create a subnet and configure a single integrated router/firewall to provide DMZ levels of security to only specific devices. A standard DMZ allows incoming requests on standard server ports like 80, 21 and 110 (POP3). I bet you know the other two :)
On larger networks you usually design firewall security in layers. Border routers filter packets and route traffic to the DMZ or an internal firewall. The internal firewall only allows outside traffic that was specifically requested by an internal device. Additional internal firewalls may seperate and protect sensitive areas. These can provide an extra layer of security in case an internal host is infected.

Short overview of two types of sensors available to detect and prevent network intrusions:

• Intrusion Detection Systems (IDS): monitors traffic on one port and notifies a management station. Can detect only the first malicious transmission but can reconfigure the router to block future attacks. Used on the network perimeter in front of a firewall to analyze attacks or behind a firewall to detect firewall configuration issues.
• Intrusion Prevention Systems (IPS): traffic passes through the IPS in one port and out another which filters suspicious traffic in real time. Can examine the entire data packet from L7 to L2. Usually placed behind a firewall to further examine packets destined for the internal network.

Both are implemented as software (Cisco IOS ISP), hardware and Adaptive Security Appliance (ASA).

Network security can also be improved by:

• Authentication requires users to verify their identity with a username and password using a RADIUS or TACACS server.
• Authorization limits access for users based on rights assigned to the user account by the administrator.
• Accounting tracks user network activity and application use.