Free Critical Thinking On Network Security
Network security is the specialised field within networking whose primary objective is to protect a computer network and its infrastructure. It is normally the responsibility of system administrators or, in other organisations, network administrators, whose role is to implement the network software, the security policies and the hardware needed to protect a particular network and all the resources that are sent, received or stored through it. They prevent unauthorised access while ensuring that the resources employees need to do their work remain readily available through the network. A network security system has layers of protection and consists of several components, including security software and network monitoring in addition to appliances and other hardware.
According to Beal (2013), network security threats are widespread, including on the Internet. Some of the most common are spyware and adware, hacker attacks, viruses, worms and Trojan horses, identity theft, denial of service, zero-hour (zero-day) attacks, and data interception and theft. Ideally, all the components of a network security system work together so that they improve security and minimise the maintenance of the network. Typical components include firewalls, which block unauthorised access to the network; virtual private networks (VPNs), which provide secure remote access; anti-virus and anti-spyware software; and intrusion prevention systems (IPS), which identify threats.
Threats originating from inside a network are more dangerous than external ones because insiders know the network and the resources available on it, and because they already have legitimate access to the system by the nature of their jobs. Traditional perimeter mechanisms such as firewalls and IPS are therefore rarely adequate against internally generated threats.
Managing Network Security
Intrusion Detection and Prevention Systems
An intrusion occurs when an attacker attempts to disrupt normal operations or to gain entry into an information system with the intention of causing harm. Intrusion prevention therefore consists of the activities aimed at deterring an intrusion from occurring. Intrusion detection consists of the policies, systems and procedures operated to detect system intrusions, and intrusion reaction consists of the actions an organisation undertakes when an intrusion event is detected. When an intrusion detection system (IDS) detects a violation of its configured rules, it automatically raises an alarm; many IDSs can be configured to notify administrators directly of trouble through e-mail or pagers.
Unified threat management
Unified threat management (UTM) is built on the premise that a powerful, customised processing architecture can handle, inspect and even block large amounts of network traffic. Typical UTM solutions therefore bundle numerous functions, including proxy services that hide the details of internal IP addressing and examine communications and data transfers at the application level. They may also use real-time packet decryption, which exploits special hardware to permit deep inspection at network wire speed. This lets organisations apply content-level controls to encrypted data, screening it for policy compliance and filtering malware.
Authenticating Access to Cisco Router CLI
A lot of research has been conducted on how to grant access to the command line interface (CLI) of a Cisco router without having to create separate user accounts on every device. RADIUS (Remote Authentication Dial-In User Service) is an old and broadly used protocol for centralised authentication services. With Cisco routers, RADIUS is heavily used to authenticate VPN users, SSH users and ASDM users. The procedure below describes how access to the Cisco router CLI is authenticated against Active Directory through a Microsoft NPS RADIUS server.
1. A Telnet/SSH connection is initiated to the Cisco router and the login credentials are entered.
2. The router authenticates the entered username and password against its local database.
3. If the credentials are valid, the operator is granted access to the CLI.
4. If the entered credentials are not found in the local database, the authentication request is passed to the RADIUS server.
5. The RADIUS server validates the username, password and group membership against the domain controller.
6. If the user belongs to the Network-Admins group, access to the CLI is granted; otherwise access to the router is denied.
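The router side of the procedure above, as an added example that is not from the original page. It is a Cisco IOS AAA configuration; the NPS address 10.0.0.10, the group name NPS-GROUP, the method-list name VTY-LOGIN and the use of Loopback0 as the management address are assumptions. The Network-Admins group check itself lives in the NPS network policy, which returns the Cisco-AV-Pair "shell:priv-lvl=15" only for members of that group.

```cisco
! Added example (not from the original page): Cisco IOS AAA for the
! local-then-RADIUS login flow. Assumed: NPS at 10.0.0.10, Loopback0 is the
! management address, server group NPS-GROUP, method list VTY-LOGIN.
hostname RTR-HQ
ip domain-name example.net
!
aaa new-model
!
! Break-glass local account. With "local" first in the method list, a username
! that does not exist locally falls through to RADIUS (step 4); a local username
! entered with a wrong password is rejected without RADIUS ever being asked.
username admin-local privilege 15 secret REPLACE-WITH-STRONG-SECRET
!
radius server NPS01
 address ipv4 10.0.0.10 auth-port 1812 acct-port 1813
 key REPLACE-WITH-SHARED-SECRET
!
aaa group server radius NPS-GROUP
 server name NPS01
!
! NPS identifies this RADIUS client by its source address, so pin it
ip radius source-interface Loopback0
!
! Steps 2-4: local database first, then the RADIUS group
aaa authentication login VTY-LOGIN local group NPS-GROUP
! Steps 5-6: the privilege level is returned by NPS (shell:priv-lvl=15) only
! when the Network-Admins condition in the network policy matches
aaa authorization exec VTY-LOGIN local group NPS-GROUP
aaa accounting exec VTY-LOGIN start-stop group NPS-GROUP
!
! SSH only: Telnet would carry the Active Directory password in clear text
ip ssh version 2
line vty 0 4
 transport input ssh
 login authentication VTY-LOGIN
 authorization exec VTY-LOGIN
 accounting exec VTY-LOGIN
 exec-timeout 10 0
line con 0
 login authentication VTY-LOGIN
```

Before SSH will accept connections an RSA key must be generated from exec mode (crypto key generate rsa modulus 2048). Test the fallback before relying on it: with the RADIUS server unreachable, the local account must still log in, and with it reachable a Network-Admins user should land at privilege 15 without typing "enable".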
Access Control List and Network Security
Access control lists (ACLs) provide filtering capability to a network by forwarding or blocking packets at a router interface. The router examines every packet and decides whether to forward or drop it based on the criteria specified in the access list. ACLs are commonly placed on external routers to filter traffic arriving from untrusted networks and known threats. To use ACLs in this way, a demilitarised zone (DMZ) is constructed between an external and an internal router, as described below.
The external router is less restrictive, providing access to all external network connections; even so, it protects the routing tables and the other resources that the network administrator wishes to shield. The internal router has more restrictive ACLs intended to protect the internal network from common threats. Here, the ACLs are written with explicit permit and deny statements for specific addresses and protocol services. A sample ACL granting such permissions is shown below.
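The two-router DMZ described above, as an added example rather than the page's own screenshot. The addressing is assumed and uses the RFC 5737 documentation ranges: the DMZ is 203.0.113.0/24 with a web server at 203.0.113.10, the inside network is 10.10.0.0/16 with a database at 10.10.5.20, and the interface names are assumed.

```cisco
! Added example (not from the original page). Assumed addressing:
!   DMZ 203.0.113.0/24 (web server 203.0.113.10), inside 10.10.0.0/16
!
! ---- External router: permissive, but drops what no legitimate packet looks like ----
ip access-list extended OUTSIDE-IN
 remark Anti-spoofing: nothing from the Internet may claim an internal or DMZ source
 deny   ip 10.0.0.0 0.255.255.255 any
 deny   ip 172.16.0.0 0.15.255.255 any
 deny   ip 192.168.0.0 0.0.255.255 any
 deny   ip 127.0.0.0 0.255.255.255 any
 deny   ip 203.0.113.0 0.0.0.255 any
 remark Public services offered from the DMZ
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
 remark Replies to sessions opened from the DMZ (stateless: only checks ACK/RST bits)
 permit tcp any 203.0.113.0 0.0.0.255 established
 remark ICMP needed for path-MTU discovery
 permit icmp any 203.0.113.0 0.0.0.255 packet-too-big
 remark Implicit deny made explicit so that drops are logged
 deny   ip any any log
!
interface GigabitEthernet0/0
 description Internet
 ip access-group OUTSIDE-IN in
!
! ---- Internal router: explicit allow/deny for exact hosts and services ----
ip access-list extended DMZ-TO-INSIDE
 remark Only the DMZ web server may reach the inside database, only on its port
 permit tcp host 203.0.113.10 host 10.10.5.20 eq 5432
 remark Replies to sessions that inside hosts opened towards the DMZ
 permit tcp 203.0.113.0 0.0.0.255 10.10.0.0 0.0.255.255 established
 deny   ip any any log
!
interface GigabitEthernet0/1
 description DMZ
 ip access-group DMZ-TO-INSIDE in
```

The established keyword only tests TCP flag bits, so a crafted packet with ACK set passes it; it is the classic stateless compromise. The zone-based firewall described in the next section replaces it with real connection tracking. Check the counters with show ip access-lists after generating test traffic: a rule that never increments is either unnecessary or shadowed by an earlier one.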
Zone-Based Firewall on a Cisco router
The zone-based firewall model transforms the classic interface-oriented stateful inspection model into a more flexible and more easily understood zone-oriented configuration. Instead of assigning access lists to interfaces, a zone-based firewall creates distinct zones. Under this model, router interfaces are assigned to security zones, and traffic passing between zones is inspected by a firewall inspection policy. The inter-zone security policy is such that an interface cannot forward traffic to interfaces in other security zones until a policy permitting that traffic has been configured. Interfaces are members of different zones, as shown in the figure below.
The figure shows three zones: LAN, WAN and DMZ. A security policy is applied to traffic between zones, so packets cannot pass from an interface to interfaces in other zones until a policy is configured to permit the desired traffic.
Each interface can belong to only one security zone, though a zone can contain several interfaces. By default, a zone-based firewall blocks all traffic between different zones; traffic between interfaces in the same zone is allowed, and traffic to or from the router itself belongs to the special self zone, which is permitted unless a policy is applied to it.
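The three-zone design from the figure, as an added example not taken from the page. Interface names, the DMZ web server address 203.0.113.10 and the permitted protocols are assumptions; the structure (zones, class maps, inspect policy maps, unidirectional zone pairs) is the standard Cisco IOS zone-based firewall model.

```cisco
! Added example (not from the original page): IOS zone-based firewall with the
! LAN, WAN and DMZ zones of the figure. Interface names and addresses assumed.
zone security LAN
zone security WAN
zone security DMZ
!
interface GigabitEthernet0/0
 description Internet
 zone-member security WAN
interface GigabitEthernet0/1
 description Corporate LAN
 zone-member security LAN
interface GigabitEthernet0/2
 description DMZ
 zone-member security DMZ
!
! What LAN users may start towards the Internet (NBAR protocol matching)
class-map type inspect match-any LAN-OUT-PROTOCOLS
 match protocol http
 match protocol https
 match protocol dns
 match protocol ssh
!
! What anyone may start towards the DMZ: the web server only, on two ports
ip access-list extended TO-DMZ-WEB
 permit tcp any host 203.0.113.10 eq 80
 permit tcp any host 203.0.113.10 eq 443
class-map type inspect match-all WEB-TO-DMZ
 match access-group name TO-DMZ-WEB
!
! "inspect" = stateful: replies are allowed back automatically, no reverse rule
policy-map type inspect LAN-TO-WAN
 class type inspect LAN-OUT-PROTOCOLS
  inspect
 class class-default
  drop log
!
policy-map type inspect ANY-TO-DMZ
 class type inspect WEB-TO-DMZ
  inspect
 class class-default
  drop log
!
! Zone pairs are one-directional. There is deliberately no WAN->LAN and no
! DMZ->LAN pair, so those directions fall under the default inter-zone deny:
! a compromised DMZ host cannot open connections into the LAN.
zone-pair security LAN-WAN source LAN destination WAN
 service-policy type inspect LAN-TO-WAN
zone-pair security LAN-DMZ source LAN destination DMZ
 service-policy type inspect ANY-TO-DMZ
zone-pair security WAN-DMZ source WAN destination DMZ
 service-policy type inspect ANY-TO-DMZ
```

Two caveats a practitioner checks: the self zone is not covered by these pairs, so management traffic to the router (SSH, routing protocols, IPsec) still works but is also unfiltered until a self-zone pair is added; and once an interface is placed in a zone, all traffic to interfaces in other zones is dropped immediately, so configure the zone pairs and policies before the zone-member lines on a production router. Verify with show policy-map type inspect zone-pair sessions.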
Network Security Monitoring
Every network security specialist dreams of being able to collect and handle every packet crossing his or her network. Such specialists can build robust servers with well-engineered network interfaces and fast hard drives. The basic principle of network security monitoring is to collect as much traffic as possible, without regard to the immediate ability to analyse it. Many high-end intrusions are detected and caught using batch analysis, which examines sessions, alerts and statistical data across the network in order to discover stealthy attackers. Batch analysis helps identify "low and slow" intruders who take advantage of time and diversity; real-time analysts find it very difficult to detect such attackers because they use many independent source addresses.
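The session data that batch analysis needs has to be collected first. Below is an added example, not from the original page, of a Cisco IOS Flexible NetFlow configuration that exports a record per session (5-tuple, byte and packet counts, first/last timestamps and TCP flags) to a collector; the collector address 10.0.0.50, port 2055 and interface names are assumptions. Flow records are what makes it feasible to keep months of history and ask, after the fact, which external addresses touched a given host.

```cisco
! Added example (not from the original page): Flexible NetFlow export of
! per-session records for offline (batch) analysis. Collector and interfaces assumed.
flow record NSM-RECORD
 description 5-tuple plus counters and timestamps, enough to rebuild sessions
 match ipv4 source address
 match ipv4 destination address
 match ipv4 protocol
 match transport source-port
 match transport destination-port
 collect counter bytes long
 collect counter packets long
 collect timestamp sys-uptime first
 collect timestamp sys-uptime last
 collect transport tcp flags
!
flow exporter NSM-EXPORT
 description Ship records to the NSM collector
 destination 10.0.0.50
 source Loopback0
 transport udp 2055
 export-protocol netflow-v9
!
flow monitor NSM-MONITOR
 record NSM-RECORD
 exporter NSM-EXPORT
 ! Long-lived sessions are reported every 60 s; idle ones flushed after 15 s,
 ! so a low-and-slow connection still shows up as a series of records
 cache timeout active 60
 cache timeout inactive 15
!
interface GigabitEthernet0/0
 description Internet
 ip flow monitor NSM-MONITOR input
 ip flow monitor NSM-MONITOR output
```

Flow records are metadata only; full packet capture needs a SPAN/mirror port on the switch feeding a sensor. Check that records arrive with show flow exporter statistics and show flow monitor NSM-MONITOR cache before trusting the collector's view.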
Design and install Site-to-Site IPsec VPN to secure connection between HQ and branch offices
A site-to-site IPsec VPN allows networks in various fixed locations, such as branch offices, to establish a secure connection with the head office data centre network over the Internet.
A typical corporate network secured with a VPN is designed in this section. In this case the network consists of the head office router and the branch office routers. The router in the head office serves as the VPN access concentrator: it is the router that accepts VPN connections from the branch office sites and from roaming laptop VPN clients.
The VPN access concentrator router in the headquarters will have:
An Internet connection.
A fixed Internet address, so that the branch offices and the roaming VPN clients have a common target.
VPN access from branch offices.
VPN access from roaming users.
The routers in the branch offices will provide:
An ADSL Internet connection.
An IPsec tunnel-mode VPN connection to the head office.
A fixed Internet address.
Although a number of site-to-site VPN solutions exist, every device needs the same basic inputs: the peer's public IP address, the pre-shared key, the subnets behind each device (which must be exempted from NAT so that they traverse the tunnel unchanged) and matching VPN parameters on both ends, so that encryption, integrity and other settings agree.
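The HQ and branch router configuration for the design above, as an added example that is not from the original page. It uses IKEv1 with a pre-shared key and crypto maps; the RFC 5737 addresses (HQ 198.51.100.1 with 10.10.0.0/16 behind it, branch 203.0.113.2 with 10.20.0.0/16 behind it), interface names and policy numbers are assumptions. Note how each of the four inputs listed above appears on both routers as a mirror image.

```cisco
! Added example (not from the original page): IKEv1/IPsec site-to-site tunnel.
! Assumed: HQ outside 198.51.100.1, inside 10.10.0.0/16
!          Branch outside 203.0.113.2, inside 10.20.0.0/16
!
! ---------------- HQ router (VPN access concentrator) ----------------
! Phase 1 parameters: must match the branch exactly
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 203.0.113.2
!
! Phase 2 parameters: also must match
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
!
! Traffic selector: the branch ACL must be the exact mirror of this one
ip access-list extended VPN-TO-BRANCH1
 permit ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
!
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 203.0.113.2
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TO-BRANCH1
!
! NAT exemption: branch-bound packets must keep their private source address,
! otherwise they are translated before the crypto ACL sees them and never match
ip access-list extended NAT-INSIDE
 deny   ip 10.10.0.0 0.0.255.255 10.20.0.0 0.0.255.255
 permit ip 10.10.0.0 0.0.255.255 any
ip nat inside source list NAT-INSIDE interface GigabitEthernet0/0 overload
!
interface GigabitEthernet0/0
 description Internet (fixed address)
 ip address 198.51.100.1 255.255.255.248
 ip nat outside
 crypto map VPN-MAP
interface GigabitEthernet0/1
 description HQ LAN
 ip address 10.10.0.1 255.255.0.0
 ip nat inside
!
! ---------------- Branch router (mirror image) ----------------
crypto isakmp policy 10
 encryption aes 256
 hash sha256
 authentication pre-share
 group 14
 lifetime 28800
crypto isakmp key REPLACE-WITH-LONG-RANDOM-PSK address 198.51.100.1
crypto ipsec transform-set TS-AES256-SHA256 esp-aes 256 esp-sha256-hmac
 mode tunnel
ip access-list extended VPN-TO-HQ
 permit ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
crypto map VPN-MAP 10 ipsec-isakmp
 set peer 198.51.100.1
 set transform-set TS-AES256-SHA256
 set pfs group14
 match address VPN-TO-HQ
ip access-list extended NAT-INSIDE
 deny   ip 10.20.0.0 0.0.255.255 10.10.0.0 0.0.255.255
 permit ip 10.20.0.0 0.0.255.255 any
ip nat inside source list NAT-INSIDE interface Dialer0 overload
interface Dialer0
 description ADSL Internet (fixed address)
 ip nat outside
 crypto map VPN-MAP
interface GigabitEthernet0/1
 description Branch LAN
 ip address 10.20.0.1 255.255.0.0
 ip nat inside
```

Use a different pre-shared key per branch, so that one compromised branch router cannot impersonate another. Bring the tunnel up with a ping from a LAN host (not from the router's outside address, which does not match the crypto ACL) and confirm with show crypto isakmp sa and show crypto ipsec sa; a Phase 1 SA that never reaches QM_IDLE almost always means a mismatch in the policy or key, while encrypt counters that stay at zero usually mean the NAT exemption is missing.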
Design and install remote IPsec VPN to secure connection mobile users and HQ
A remote-access VPN is a user-to-LAN connection, used mainly by companies whose employees need to connect to the private network from various remote locations. A company that wants to set up a large remote-access VPN relies on an Internet service provider to get its users online (historically by providing them with Internet dial-up accounts). For example, a company with a large number of salespeople in the field may need a remote-access VPN. Remote-access VPNs are secure because the connections between the company head office's private network and the remote users, who reach it through a third-party service provider, are encrypted.
Such a remote-access VPN must be threat-protected. For example, in the Cisco ASA series, the intrusion prevention, application-aware firewall, antivirus and VPN security capabilities minimise the risk that a security threat will use the VPN connection as an entry point.
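An added example of the ASA side of such a remote-access VPN (AnyConnect SSL VPN), not taken from the original page. The inside network 10.10.0.0/16, the client pool 10.99.0.0/24, the NPS RADIUS server 10.0.0.10 and the two internal services 10.10.5.30 and 10.10.5.53 are assumptions. The two settings that do the threat-protection work are the tunnel-all split-tunnel policy, which forces every packet from the client through the ASA's inspection, and the vpn-filter ACL, which limits what an authenticated client can reach at all.

```cisco
! Added example (not from the original page): Cisco ASA AnyConnect remote-access
! VPN with least-privilege filtering. Addresses and names assumed.
ip local pool RA-POOL 10.99.0.10-10.99.0.254 mask 255.255.255.0
!
! Users authenticate against the same NPS/Active Directory as the router CLI
aaa-server NPS-RADIUS protocol radius
aaa-server NPS-RADIUS (inside) host 10.0.0.10
 key REPLACE-WITH-SHARED-SECRET
 authentication-port 1812
 accounting-port 1813
!
! vpn-filter ACL: written with the VPN client as the source; the ASA applies
! it to both directions. Only the services field users actually need.
access-list RA-VPN-FILTER extended permit tcp 10.99.0.0 255.255.255.0 host 10.10.5.30 eq 443
access-list RA-VPN-FILTER extended permit udp 10.99.0.0 255.255.255.0 host 10.10.5.53 eq 53
access-list RA-VPN-FILTER extended deny ip any any log
!
! tunnelall: no split tunnelling, so the client cannot bridge the Internet and
! the corporate network, and all its traffic is inspected by the ASA
group-policy RA-POLICY internal
group-policy RA-POLICY attributes
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 vpn-filter value RA-VPN-FILTER
 vpn-idle-timeout 30
 vpn-simultaneous-logins 1
!
tunnel-group RA-TUNNEL type remote-access
tunnel-group RA-TUNNEL general-attributes
 address-pool RA-POOL
 authentication-server-group NPS-RADIUS
 default-group-policy RA-POLICY
tunnel-group RA-TUNNEL webvpn-attributes
 group-alias corp enable
!
! NAT exemption so inside hosts answer pool addresses through the tunnel
object network INSIDE-NET
 subnet 10.10.0.0 255.255.0.0
object network RA-NET
 subnet 10.99.0.0 255.255.255.0
nat (inside,outside) source static INSIDE-NET INSIDE-NET destination static RA-NET RA-NET no-proxy-arp route-lookup
!
webvpn
 enable outside
 anyconnect enable
 tunnel-group-list enable
```

The AnyConnect client package must also be uploaded to flash and referenced with an anyconnect image line under webvpn; the file name depends on the client version and is omitted here. With tunnel-all plus the filter's final deny, clients lose Internet access while connected; if that is not acceptable, add hairpinning (same-security-traffic permit intra-interface) and a NAT rule for the pool rather than weakening the filter. Check what a connected user is actually allowed with show vpn-sessiondb anyconnect and the hit counts on show access-list RA-VPN-FILTER.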
Networking, especially over wireless platforms, provides many opportunities to increase productivity and cut costs in any organisation. However, it alters the organisation's overall computer security risk profile.
It is not practically possible to eliminate all the risks associated with wireless networking, but a certain level of security is achievable by adopting a systematic approach to risk assessment and management. Various methods can therefore be used to reduce these risks to acceptably low levels.
Beal, V. (2013, May 14). Network security. Webopedia. Retrieved from http://www.webopedia.com/TERM/N/network_security.html
Cisco Networking Academy. (2010). Introduction to Basic Switching Concepts and Configuration. Cisco Press, 12-14.
Dittrich, D. (1996). Network monitoring/Intrusion Detection Systems (IDS). University of Washington.
Stoneburner, G., Goguen, A., & Feringa, A. (2002, July). Risk Management Guide for Information Technology Systems. NIST Special Publication 800-30, 20-35.
Vacca, J. R. (Ed.). (2009). Computer and Information Security Handbook. Morgan Kaufmann (Elsevier).
Tom's IT Pro. (2013, April 26). Preventing and Avoiding Network Security Threats and Vulnerabilities. Retrieved from http://www.tomsitpro.com/articles/threat_management-it_security-firewall-it_certification-network_security,2-477.html
Microsoft. (2013, November 14). Security Strategies. Microsoft Developer Network. Retrieved from https://msdn.microsoft.com/en-us/library/cc723506.aspx
Oppenheimer, P. (2010). Developing Network Security Strategies. In Top-Down Network Design (3rd ed.). Cisco Press.
Simmonds, A., Sandilands, P., & van Ekert, L. (2004). An Ontology for Network Security Attacks. Lecture Notes in Computer Science, vol. 3285.
Soupher, K. (2012). Best practices for system controls. Journal of Wireless Networking, 14-19.
Sue-lynn. (2014, May 2). Making Critical Connections. Cisco. Retrieved from http://www.cisco.com/
Tugor, W. (2006). Living in wireless denial. CIO Magazine, 69.
Mohd, S., & Ahmad, D. (2014). Survey on the Challenges Faced by the Lecturers in Using Packet Tracer Simulation in Computer Networking Course. Social and Behavioral Sciences, 131, 11-15.
Dennis, C., Kristen, E., John, T., & Mark, C. (2014). An extensible micro-world for learning in the data networking professions. Information Sciences, 264, 91-103.
Xiuquan, Q., Guoshun, N., Wei, T., Lei, G., Junliang, C., Wei, Q., & Yukai, T. (2014). CCNxTomcat: An extended web server for Content-Centric Networking. Computer Networks, 75(Part A), 276-296.
Jingcheng, G., Yang, X., Jing, L., & Wei, L. (2012). A survey of communication/networking in Smart Grids. Future Generation Computer Systems, 28(2), 391-404.
Masayoshi, K., Srini, S., Guru, P., Guido, A., & Joseph, L. (2014). Maturing of OpenFlow and Software-defined Networking through deployments. Computer Networks, 61, 151-175.
Scarfone, K., & Mell, P. (2007). Guide to Intrusion Detection and Prevention Systems (IDPS): Recommendations of the National Institute of Standards and Technology. NIST Special Publication 800-94. Retrieved from http://csrc.nist.gov/publications/nistpubs/800-94/SP800-94.pdf