Network Protection and Management
Network based security components and technologies

Appliance-based Firewalls
A firewall is a system or group of systems that enforces an access control policy between two or more networks. There are many dedicated hardware appliance-based firewalls available to secure a network. Appliance-based firewalls are typically custom-designed platforms without hard drives. This allows them to boot faster, inspect traffic at higher data rates, and be less prone to failure. Cisco solutions include an integrated IOS Firewall and a dedicated Private Internet Exchange (PIX) Security Appliance. The IOS Firewall feature set can be installed and configured on perimeter Cisco routers. It adds features such as stateful, application-based filtering, dynamic per-user authentication and authorization, defense against network attacks, Java blocking, and real-time alerts. The PIX Security Appliance is a dedicated hardware/software security appliance that provides packet filtering and proxy server technologies. Other appliance-based firewall vendors include Juniper, Nokia, Symantec, Watchguard, and Nortel Networks. For home networks, Linksys, D-Link, Netgear, and SonicWALL provide lower cost models with basic firewall capabilities.
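As an added illustration (not taken from this course or from Cisco documentation), the following router configuration shows how the IOS Firewall features named above are enabled with Context-Based Access Control (CBAC): a stateful inspection rule, application-layer HTTP inspection with Java blocking, half-open connection thresholds, and audit-trail alerts. The interface names, addresses, ACL numbers and the inspection-rule name PERIMETER are assumed for the example.

```cisco
! Assumed example: perimeter router running the IOS Firewall feature set.
! Interfaces, addresses, ACL numbers and the rule name are illustrative.
!
! Standard ACL 10 lists "friendly" web sites whose Java applets are
! allowed; applets from any other site are blocked by the HTTP inspector.
access-list 10 permit 192.0.2.0 0.0.0.255
!
! Inspection rule: track TCP and UDP sessions statefully and inspect
! HTTP at the application layer, blocking Java applets not on list 10.
ip inspect name PERIMETER tcp
ip inspect name PERIMETER udp
ip inspect name PERIMETER http java-list 10 timeout 3600
!
! Real-time alerts are on by default; the audit trail logs each session
! start/stop to the syslog host (assumed inside address).
ip inspect audit-trail
logging 10.0.0.50
!
! Defense against SYN-flood style attacks: thresholds for half-open
! sessions, after which CBAC starts deleting oldest half-open sessions.
ip inspect max-incomplete high 500
ip inspect max-incomplete low 400
ip inspect one-minute high 500
ip inspect one-minute low 400
ip inspect tcp max-incomplete host 50 block-time 1
!
! Extended ACL 101 on the outside interface denies all unsolicited
! inbound traffic; CBAC adds temporary openings only for return
! traffic of sessions that originated inside.
access-list 101 permit icmp any any echo-reply
access-list 101 permit icmp any any unreachable
access-list 101 deny ip any any log
!
interface Serial0/0
 description Link to ISP (outside)
 ip address 203.0.113.2 255.255.255.252
 ip access-group 101 in
 ip inspect PERIMETER out
```

The inbound ACL is what enforces the policy; the inspection rule applied outbound is what makes it stateful, so removing either one changes the router back to plain packet filtering.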

Server-based Firewalls
A server-based security solution runs on a network operating system (NOS) such as UNIX, NT or Win2K, or Novell. It is generally an all-in-one solution that combines a firewall, access control, and virtual private networking features into one package. Examples of a server-based security solution include Microsoft ISA Server, Linux, Novell BorderManager, and Check Point Firewall-1.

Remember that appliance-based firewalls are specialized computers as well, but they run only a single embedded firewall application or operating system, whereas server-based firewalls run on top of a general purpose OS. Server-based firewalls can be less secure than dedicated firewalls because of security weaknesses in the general purpose OS. Server-based firewalls typically do not perform as well in high bandwidth networks compared to dedicated firewalls. Furthermore, they are prone to higher failure rates since they use mechanical hard drives.

Network-based Intrusion Detection Systems
Just like host-based intrusion technology, a network-based intrusion detection system (NIDS) can be based on active or passive detection. The figure illustrates a typical network deployment of intrusion technology. Sensors are deployed at network entry points that protect critical network segments. The network segments have both internal and external corporate resources. Sensors capture and analyze the traffic as it traverses the network. Sensors are typically tuned for intrusion detection analysis: the underlying operating system is stripped of unnecessary network services, and the essential services are secured. The sensors report to a central Director server located inside the corporate firewall.

Virtual Private Networks
The broadest definition of a Virtual Private Network (VPN) is any network built upon a public network and partitioned for use by individual users. As a result, public Frame Relay, X.25, and ATM networks are considered VPNs. These types of VPNs are generically referred to as Layer 2 VPNs. The emerging form of VPNs consists of networks constructed across shared IP backbones, referred to as IP VPNs, which focus on Layer 3.

IP VPNs are not simply encrypted tunnels. IP VPNs encompass an entire spectrum of technologies and supporting products, including firewalls, encryption, authentication, intrusion detection, tunneling, QoS, and network management. There are fundamentally three different corporate or business uses of VPNs:

  • Remote-access VPNs
  • Site-to-site extranet and intranet VPNs
  • Campus VPNs

Trust and Identity
Identity refers to the accurate and positive identification of network users, hosts, applications, services, and resources. Standard technologies that enable identification include authentication protocols such as Remote Access Dial-In User Service (RADIUS) and Terminal Access Controller Access Control System Plus (TACACS+), Kerberos, and one-time password (OTP) tools. New technologies such as digital certificates, smart cards, and directory services are beginning to play increasingly important roles in identity solutions.

Throughout this course, authentication, authorization, and access control (AAA) are incorporated into the concept of identity. Although these concepts are distinct, they all pertain to each individual user of the network, be it a person or a device. Each person or device is a distinct entity that has separate abilities within the network and is allowed access to resources based on who they are.

