This article walks through four steps that reduce the exposure of your network: internal firewalls, encryption, network isolation, and packet monitoring. Together they are a set of methods for strengthening network protection.
Microsoft has recently been promoting the idea that a truly secure network requires attention to five distinct areas: perimeter protection, network protection, application protection, data protection, and host protection. This article covers network protection, the layer that helps you achieve defense in depth.
Microsoft's security philosophy treats these five areas as independent layers, each of which must be protected on its own terms. Addressing each area separately ensures that it is properly protected, and it also means that when one layer comes under attack the other four keep working and continue to protect the network. To learn more about the other areas, refer to the following articles:
Enhance host protection on your network
Use these policies to protect your network
Use these suggestions to protect your data
Strengthen application protection against Network Attacks
What is network protection?
At first glance the term network protection seems too broad and general. Yet nothing in this area is redundant or vague. Network protection deals with the links between systems, the connections that join everything into one network. It does not cover the external firewall or dial-up connections; those belong to perimeter security. Nor does it cover an individual server or workstation; that is host protection. What network protection does cover is the protocols and the routers that carry them.
Internal Firewall
Network protection excludes the external firewall, but that does not mean firewalls play no part in it. On the contrary, the first step I recommend is to use internal firewalls wherever possible. An internal firewall is technically the same thing as an external one; the difference is its purpose: it protects your machines from hostile traffic that originates inside the network. There are several reasons to deploy one.
First, imagine that an attacker or a worm somehow takes control of your external firewall. The attacker can then talk to the internal network with nothing in the way, which usually means the whole network is open to the outside world. With internal firewalls in place, malicious packets that get past the external firewall are still blocked at the hosts.
Another major reason for using an internal firewall is that many attacks are internal. You may have heard this before and think internal attacks are unlikely on your network, but I have seen internal attacks in the security department of every company I have worked for.
At two of the places I have worked, people in other departments were hackers, or had a passion for management, and thought it cool and worth showing off to probe the network for as much information as they could get. Neither of them had malicious intent (or so both claimed); they simply wanted to show their friends that they could break into the system. Whatever their motives, they harmed network security, and you must prevent such attacks on your network.
Elsewhere in my work I have seen people install unauthorized software that contained Trojans. Once a Trojan is on a system, it can broadcast your information out through specific ports. A firewall that only filters what comes in cannot stop these packets, because they are already inside the network and heading out.
These experiences point to an interesting pattern: most of the technicians I know have their external firewalls block most inbound packets, yet place no limit at all on outbound traffic. I recommend being just as careful with outbound traffic as with inbound, because you never know when a Trojan hiding on your network will start broadcasting information out of it.
An internal firewall can be deployed on any workstation or server. There are good personal firewall products on the market, such as Symantec Norton Personal Firewall 2003, but because Windows XP ships with a built-in personal firewall you do not need to buy a separate product for your workstations.
To enable the Windows XP firewall, right-click My Network Places and choose Properties to open the Network Connections window. Right-click the connection you want to protect and choose Properties, then select the Advanced tab and check the Internet Connection Firewall option. The Settings button lets you choose which ports to open. Although the Windows XP firewall is designed as an Internet firewall, it works just as well as an internal one. Note that it filters inbound connections only; the outbound restrictions recommended above need a firewall that supports egress rules.
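The egress filtering recommended above, as an added example that is not part of the original article. It uses the NetSecurity cmdlets of the built-in Windows Firewall on Windows 10/11 and Windows Server 2016 and later, since the XP-era Internet Connection Firewall has no outbound rules; the resolver, proxy and subnet addresses are assumptions chosen for illustration, and the block must be run from an elevated PowerShell session.

```powershell
# Added example, not from the original article: egress filtering with the
# built-in Windows Firewall (NetSecurity module, Windows 10/11 and Server 2016+).
# Addresses below are assumptions for illustration. Run from an elevated session.

$InternalDns = '10.0.0.53'   # assumed internal DNS resolver
$ProxyHost   = '10.0.0.8'    # assumed outbound web proxy
$InternalNet = '10.0.0.0/8'  # assumed internal address space

# Weak setting (the out-of-the-box default): every process may send anywhere,
# so a Trojan that has already landed can report home unhindered.
#   Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Allow

# Hardened setting: drop outbound traffic by default, then allow what is needed.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultOutboundAction Block

# DNS only to the internal resolver; a Trojan using its own resolver is blocked.
New-NetFirewallRule -DisplayName 'Egress: DNS to internal resolver' `
    -Direction Outbound -Action Allow -Protocol UDP -RemotePort 53 `
    -RemoteAddress $InternalDns

# Web traffic only through the corporate proxy, never straight to the Internet.
New-NetFirewallRule -DisplayName 'Egress: web via proxy' `
    -Direction Outbound -Action Allow -Protocol TCP -RemotePort 8080 `
    -RemoteAddress $ProxyHost

# Anything to the internal address space (Kerberos, LDAP, SMB) keeps working.
New-NetFirewallRule -DisplayName 'Egress: internal network' `
    -Direction Outbound -Action Allow -RemoteAddress $InternalNet

# Log what gets dropped so unexpected outbound attempts can be investigated.
Set-NetFirewallProfile -Profile Domain,Private,Public -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# Verify the policy now in force.
Get-NetFirewallProfile | Select-Object Name, DefaultInboundAction, DefaultOutboundAction
Get-NetFirewallRule -Direction Outbound -Enabled True -Action Allow |
    Select-Object DisplayName, Profile
```

Stage this on a test host first with the default outbound action left at Allow and `-LogAllowed True`, so the log shows which destinations the installed applications really need; a too-tight egress policy breaks updates and authentication long before it catches a Trojan.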
Encryption
The next step I recommend is to encrypt network traffic, using IPsec wherever possible. To do that well, you need to understand how IPsec security settings work.
When you configure a machine for IPsec, you choose between two modes: require security and request security. With require security, any machine that tries to connect is told that encryption is mandatory. If the peer is IPsec-capable, a secure channel is negotiated at the start of the connection. If the peer is not, the connection is refused because the required protection cannot be established.
Request security works slightly differently. When a machine opens a connection, it asks for encryption. If both machines support IPsec, a secure channel is set up and communication proceeds over it. If the peer does not support IPsec, communication still starts, but the data is sent in clear text.
With that in mind, here are my recommendations. First, place all of your site's servers on a dedicated, secure network, completely separate from the general network. Each server that must be reachable from the general network gets two NICs, one on the primary network and one on the private server network. The server network should contain only servers and should have its own hub or switch.
This gives you a dedicated backbone between the servers. All server-to-server traffic, such as RPC and replication, runs over this backbone. You protect that traffic and at the same time free up bandwidth on the main network.
Next, configure IPsec so that encryption is required on the server-only network. Only servers live there, so unless some of them run UNIX, Linux, Macintosh or another non-Microsoft platform that needs its own IPsec configuration, every participant supports IPsec and you can safely require it.
On the general network, where workstations and servers mix, have every machine request encryption rather than require it. That gives you the best balance between security and functionality.
Unfortunately, the IPsec policy on a multihomed Windows machine applies to the whole computer and cannot be bound to a single network adapter. Unless a server lives only on the server network, you will therefore have to use the request option for it; otherwise clients on the general network that cannot do IPsec would be unable to reach it.
Of course, IPsec is not the only encryption you can apply to network traffic. You must also consider how to protect traffic between your wired network and your wireless network.
Wireless encryption is still a difficult topic today because wireless devices are still evolving. Most administrators regard wireless networks as insecure because the packets travel through open space, and anyone with a laptop and a wireless NIC can intercept them.
Wireless networks do carry real risk, but in one respect a wireless network with link encryption enabled is better placed than a typical wired one: every frame on the air is encrypted, by WEP. WEP keys range from 40 bits to 152 bits or more, and the effective strength is set by the weakest participant: if your access point supports 128-bit WEP but a client only supports 64-bit, you get 64-bit encryption. Practically all current devices support at least 128 bits. Bear in mind, however, that WEP's design has since been shown to be weak regardless of key length, so treat it as a supplementary layer rather than a substitute for the encryption discussed above.
Many administrators do not realize that WEP is not the only encryption a wireless network can use. WEP encrypts everything that crosses the link and is indifferent to what the payload is. So if you already protect data with IPsec, WEP simply encrypts it a second time.
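The require-versus-request split described above, applied to the two-network server layout, as an added example that is not part of the original article. It uses the Windows IPsec connection security cmdlets of the NetSecurity module (Windows 8 / Server 2012 and later), whose `-InboundSecurity` and `-OutboundSecurity` values `Require` and `Request` correspond to the article's two options; unlike the per-machine policy the article describes, these rules can be scoped by address, which is how the example keeps "require" on the server backbone and "request" toward workstations on a server with two NICs. The subnets and rule names are assumptions, and the block must be run elevated on each server (or pushed by Group Policy).

```powershell
# Added example, not from the original article: Windows IPsec connection
# security rules (NetSecurity module, Windows 8 / Server 2012 and later).
# Subnets are assumptions:
#   10.1.0.0/24  the server-only backbone (second NIC on every server)
#   10.0.0.0/16  the general network where workstations live
# Run from an elevated session on each server, or deploy via Group Policy.

$ServerNet = '10.1.0.0/24'
$ClientNet = '10.0.0.0/16'

# Authenticate peers as domain computers with Kerberos, the simplest choice
# when every participant is a domain member.
$proposal = New-NetIPsecAuthProposal -Machine -Kerberos
$auth     = New-NetIPsecPhase1AuthSet -DisplayName 'Auth: computer Kerberos' `
                -Proposal $proposal

# Server backbone: REQUIRE. A peer that cannot negotiate IPsec is refused,
# which is safe here because only IPsec-capable servers sit on this subnet.
New-NetIPsecRule -DisplayName 'IPsec: server backbone (require)' `
    -LocalAddress $ServerNet -RemoteAddress $ServerNet `
    -InboundSecurity Require -OutboundSecurity Require `
    -Phase1AuthSet $auth.Name

# General network: REQUEST. Negotiate IPsec when the peer supports it, but
# fall back to clear text so workstations without IPsec can still connect.
New-NetIPsecRule -DisplayName 'IPsec: client network (request)' `
    -LocalAddress $ClientNet -RemoteAddress $ClientNet `
    -InboundSecurity Request -OutboundSecurity Request `
    -Phase1AuthSet $auth.Name

# Check which peers actually ended up with a protected association.
Get-NetIPsecMainModeSA  | Select-Object LocalEndpoint, RemoteEndpoint
Get-NetIPsecQuickModeSA | Select-Object LocalEndpoint, RemoteEndpoint
```

The two `Get-NetIPsec*SA` calls are the check that matters: a client-network peer that appears in neither list is talking in clear text under the request rule, which is acceptable for a workstation but should never be the case for an address on the backbone subnet.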
Network isolation
If your company is large, you may host its public website on your own web server. If that server does not need to reach back-end databases or other resources on your private network, there is no reason to put it on the private network. Since you can isolate it from your own network, why place it inside and give an attacker who compromises it a foothold on your private network?
If the web server does need the database or other private resources, I suggest placing an ISA Server between your firewall and the web server. Internet users talk to the ISA Server rather than to the web server directly, and the ISA Server proxies requests between the user and the web server. You can then use IPsec between the web server and the database server, and SSL between the web server and the ISA Server.
Packet listening
Once you have taken these steps to protect the traffic on your network, I recommend occasionally running a packet sniffer to monitor it. This is simply a precaution: it tells you exactly what kinds of traffic are on your network, and if you see unexpected packet types you can trace them to their source.
The biggest problem with a protocol analyzer is that it is just as powerful in an attacker's hands. Because of how packet sniffing works, I once thought it impossible to find out who is listening on my network. A sniffer only reads the traffic on the wire; it does not change the packets, so how could you ever know who is listening?
In practice, detecting a sniffer is easier than you might think. All you need is a decoy machine: a workstation whose existence is known to nobody but you. Give it an IP address but do not join it to the domain. Connect it to the network and have it generate some traffic. Anyone sniffing the network will see the packets from the decoy; they learn its IP address but not its host name, and a sniffer typically issues a DNS query to resolve the name. Since nobody but you knows the machine exists, nobody has a legitimate reason to look it up. If your DNS logs show a host querying for the decoy, you have good reason to suspect that host of sniffing the network.
Another step you can take against sniffing is to replace your hubs with switches, ideally VLAN-capable ones. A hub repeats every frame to every port, so every machine sees all traffic. A switch forwards a frame only to the port of its destination, so it no longer passes every machine on the segment. A listener on a switched network therefore has a much harder time collecting anything useful, though a switch alone does not stop an attacker who can poison ARP caches or overflow its MAC table.
This type of switch has other advantages as well. With a hub, all nodes share one collision domain, so a 100 Mbps hub divides its bandwidth among every node attached to it. A switch gives each port its own collision domain with full bandwidth, and a VLAN-capable switch additionally lets you split the ports into separate broadcast domains, each a virtual LAN carrying its own traffic. A 100 Mbps switch can therefore carry hundreds of Mbps in aggregate, with conversations on different ports and VLANs proceeding at the same time. VLAN switches thus improve both security and performance.
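The decoy check described above, turned into detection logic over DNS log lines, as an added example that is not part of the original article. The log format it parses is a constructed, simplified one (timestamp, client address, query type, queried name) rather than any real DNS server's format, and the addresses are assumptions; adapt the regular expression to your own server's query log.

```powershell
# Added example, not from the original article: spot hosts that reverse-resolve
# the decoy workstation's address. The log format parsed here is a constructed,
# simplified one (timestamp, client address, query type, queried name); adjust
# the regular expression to match your DNS server's real query log.

function Get-ReverseName {
    # 10.1.0.25 -> 25.0.1.10.in-addr.arpa, the name a PTR lookup asks for
    param([string]$IPv4)
    $octets = $IPv4.Split('.')
    [array]::Reverse($octets)
    return ($octets -join '.') + '.in-addr.arpa'
}

function Find-DecoyLookups {
    param(
        [string[]]$LogLines,   # DNS query log lines
        [string]$DecoyIP       # address of the decoy workstation
    )
    $ptrName  = Get-ReverseName $DecoyIP
    $suspects = @{}
    foreach ($line in $LogLines) {
        # constructed format: <timestamp> <client> <type> <name>
        if ($line -match '^\S+\s+(?<client>\S+)\s+(?<type>\S+)\s+(?<name>\S+)$') {
            $name = $Matches['name'].TrimEnd('.')
            if ($Matches['type'] -eq 'PTR' -and $name -eq $ptrName) {
                $suspects[$Matches['client']] = $true
            }
        }
    }
    return @($suspects.Keys | Sort-Object)
}

# Constructed sample log: 10.0.0.40 does ordinary lookups; 10.0.0.77 asks for
# the decoy's name after seeing its packets on the wire.
$sampleLog = @(
    '2024-05-01T09:00:01 10.0.0.40 A   fileserver.corp.example.'
    '2024-05-01T09:00:02 10.0.0.40 A   www.example.com.'
    '2024-05-01T09:00:05 10.0.0.77 PTR 25.0.1.10.in-addr.arpa.'
    '2024-05-01T09:00:09 10.0.0.40 PTR 53.0.0.10.in-addr.arpa.'
)
Find-DecoyLookups -LogLines $sampleLog -DecoyIP '10.1.0.25'
```

On the constructed sample the function returns only 10.0.0.77; the reverse query for 53.0.0.10 by 10.0.0.40 concerns an unrelated address and is ignored. A hit is grounds for suspicion, not proof, so follow it up by looking at what else that client has been resolving and whether its NIC is in promiscuous mode.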