Four steps to strengthen network protection

Source: Internet
Author: User
You can relieve some of the pressure of protecting your network by following four steps. This article describes four ways to strengthen your network defenses.
Microsoft has recently been promoting the idea that a truly secure network requires attention to five important areas: perimeter protection, network protection, application protection, data protection, and host protection. In this article I discuss network protection, one layer of a defense-in-depth strategy.

Microsoft's security philosophy is that you should treat these five areas separately, as if each had to be defended on its own. That way you can make sure every area is properly protected, and if one defense is compromised, the other four layers still stand and continue to protect your network. To learn more about the other areas, see the following articles:

What is network protection?

At first the concept of network protection may seem too broad and general, but nothing in this area is superfluous. Network protection deals with the connections between networks and with how all of those networks are tied together into a whole. It does not deal with the external firewall or dial-up connections; those belong to perimeter protection. Nor does it cover an individual server or workstation; that is host protection. Network protection covers things such as protocols and routers.

Internal firewall

Network protection does not include the external firewall, but that does not mean it has nothing to do with firewalls. In fact, the first step I propose for network protection is to use an internal firewall wherever possible. An internal firewall is just like an external firewall; the main difference is that its job is to protect your machines from traffic that originates inside the network. There are many reasons to use one.

First, imagine that a hacker or a virus somehow gets control of your external firewall. It can then communicate with the internal network with no firewall blocking it, which typically means your network is completely open to the outside world. If you have an internal firewall, however, it blocks the malicious packets that slip past the external firewall.

Another major reason for using an internal firewall is that many attacks are internal. You may have heard this before and think that internal attacks are unlikely on your network, but I have seen internal attacks in the security departments of every company I have worked with.

At two places I have worked, people in other departments were hackers or had a passion for administration. They thought it would be cool and impressive to explore the network and get as much information as they could. In both places they had no malicious intent (or at least claimed to be harmless); they just wanted to show off their ability to break into systems in front of their friends. Whatever their motives, they harmed network security. You must guard your network against attacks from such people.

In other places where I have worked, I have seen people install their own software without authorization, and that software has included Trojan horses. Once inside the system, such a Trojan can broadcast your information out through specific ports. An external firewall has a hard time stopping these packets, because they already originate inside the network.

These facts lead to an interesting observation: most of the technicians I know have their external firewall block most of the packets flowing into the network, but they do not restrict the packets flowing out. I recommend that you be as cautious about outgoing traffic as about incoming traffic, because you never know when a Trojan horse hiding in your network is broadcasting your information out of it.

An internal firewall can be placed on any workstation or any server. There are good personal firewall products on the market, such as Symantec Norton Personal Firewall 2003, but because Windows XP has a built-in personal firewall, you do not have to buy a separate one for your XP workstations.

To use the Windows XP firewall, right-click My Network Places and choose Properties from the shortcut menu to open the Network Connections window. Next, right-click the network connection you want to protect and select Properties. Now select the Advanced tab and check the Internet Connection Firewall option. The Settings button lets you choose which ports remain open. Although the Windows XP firewall is intended as an Internet firewall, it can also be used as an internal firewall.

Encryption

The next step I propose is to encrypt your network traffic, using IPSec wherever possible. To do that, you need to understand the IPSec security options.

If you configure a machine to use IPSec, you can do it in one of two ways: require encryption or request encryption. If you set IPSec to require encryption, any other machine that tries to connect to yours is told that it must encrypt. If the other machine supports IPSec encryption, a secure channel is established at the start of the communication. If it does not, the connection is rejected because the required encryption cannot be provided.

The request encryption option is slightly different. When a machine asks to connect, it is asked to encrypt as well. If both machines support IPSec encryption, a secure path is established between them and communication begins. If one of the machines does not support IPSec encryption, communication still proceeds, but the data is not encrypted.

With this in mind, I offer some suggestions. First, I recommend putting all the servers at a site on a separate, secure network that is completely isolated from the ordinary network. Each server that users need to access should have two network cards, one connected to the primary network and the other to the private server network. This server network should contain only servers and should have its own dedicated hub or switch.

In effect, you are building a dedicated backbone between the servers. All server-to-server traffic, such as RPC communication or replication, travels over this backbone. This protects that traffic and also frees up bandwidth on the primary network.

Next, I recommend using IPSec. On the server-only network, IPSec encryption should be required. After all, that network contains only servers, so unless you have UNIX, Linux, Macintosh, or other non-Microsoft servers, there is no reason for any of them not to support IPSec, and you can confidently require IPSec encryption.

For all workstations and servers connected to the primary network, you should have the machines require encryption. This gives you the best balance between security and functionality.

Unfortunately, IPSec policy cannot differentiate between the network adapters of a multi-homed computer. Therefore, for any server that is not located solely on the server network, you may need to use the request encryption option instead; otherwise clients will not be able to reach the server.
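The following added example (not from the original article) models the require/request outcomes described above for a constructed site: a backbone-only database server, a dual-homed file server, an IPSec-capable XP workstation and a legacy workstation that cannot do IPSec. It shows why the dual-homed server has to fall back to request; the host names, networks and capabilities are assumptions made up for the example.

```python
from dataclasses import dataclass

REQUIRE, REQUEST, NONE = "require", "request", "none"
MAIN, BACKBONE = "main", "server-backbone"   # constructed network names


@dataclass
class Host:
    name: str
    networks: frozenset      # networks the host's adapters are connected to
    ipsec_capable: bool      # can this host negotiate IPSec at all?
    policy: str              # one policy per host: IPSec policy is not per-adapter


def negotiate(client: Host, server: Host):
    """Predict (connected, encrypted) for a client -> server connection.

    require: refuse any peer that cannot encrypt.
    request: encrypt if the peer can, otherwise fall back to cleartext.
    none:    encrypts only if the peer asks for it and this host is capable.
    """
    if not client.networks & server.networks:
        return (False, False)            # no shared network: no connection at all
    both_capable = client.ipsec_capable and server.ipsec_capable
    if REQUIRE in (client.policy, server.policy):
        return (both_capable, both_capable)
    if both_capable and REQUEST in (client.policy, server.policy):
        return (True, True)
    return (True, False)                 # talks, but in the clear


def build_site(file_server_policy: str):
    """Constructed topology: the file server is dual-homed on MAIN and BACKBONE."""
    return {
        "db":     Host("db",     frozenset({BACKBONE}),       True,  REQUIRE),
        "files":  Host("files",  frozenset({MAIN, BACKBONE}), True,  file_server_policy),
        "xp-ws":  Host("xp-ws",  frozenset({MAIN}),           True,  REQUEST),
        "old-ws": Host("old-ws", frozenset({MAIN}),           False, NONE),
    }


def outcomes(file_server_policy: str):
    """Map (client, server) -> (connected, encrypted) for the interesting pairs."""
    site = build_site(file_server_policy)
    pairs = [("files", "db"), ("xp-ws", "files"), ("old-ws", "files"), ("old-ws", "db")]
    return {(c, s): negotiate(site[c], site[s]) for c, s in pairs}


if __name__ == "__main__":
    for policy in (REQUIRE, REQUEST):
        print(policy, outcomes(policy))
```

With the file server set to require, the legacy workstation is locked out; with request, it still connects (unencrypted) while the XP workstation and the backbone traffic stay encrypted.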

Of course, IPSec is not the only option for encrypting your network traffic. You also need to think about how to protect the traffic that travels across your wireless network.

Wireless encryption is still a difficult topic today, because wireless networking devices are still evolving. Most network administrators consider wireless networks unsafe because the traffic is broadcast through open space, and anyone with a laptop and a wireless NIC can intercept the packets.

While wireless networks do carry some risk, in some ways they are more secure than wired networks, because wireless communication has a built-in encryption mechanism: WEP. WEP keys range from 40 bits to 152 bits or more; the actual length is determined by the weakest participant in the communication. For example, if your access point supports 128-bit WEP but one of your wireless clients supports only 64-bit WEP, you get only 64-bit encryption. At the moment, however, almost all wireless devices support at least 128-bit encryption.

What many administrators do not realize is that WEP is not the only encryption a wireless network can use. WEP simply encrypts all traffic on the wireless link, regardless of what kind of data it is. So if you have already used IPSec to encrypt the data, WEP encrypts the already-encrypted data a second time.

Network isolation

If your company is large, you probably have a Web server hosting the company's Web site. If this Web server does not need access to a backend database or other resources in your private network, there is no reason to put it inside the private network. Since you can isolate this server from your own network, why put it inside and give hackers a path into your private network?

If your Web server does need access to a database or other resources in the private network, I recommend placing an ISA Server between your firewall and the Web server. Internet users then communicate with the ISA Server rather than directly with the Web server, and the ISA Server proxies requests between the user and the Web server. You can set up an IPSec connection between the Web server and the database server, and an SSL connection between the Web server and the ISA Server.

Packet monitoring

After you have taken all the necessary steps to protect the traffic passing through your network, I recommend that you occasionally use a packet sniffer to monitor network traffic. This is purely a precaution, because it helps you understand what kinds of traffic are present on your network. If you find an unexpected packet type, you can track down its source.

The biggest problem with protocol analyzers is that they can be exploited by hackers and become weapons in their hands. Because of the nature of packet sniffing, I used to think it was impossible to detect who was sniffing on my network. Packet sniffing simply monitors the traffic on the wire; since it does not alter the packets, how could you know who is listening?

It is actually easier to catch a sniffer than you might think. All you need is a decoy machine: a workstation whose existence is known to nobody but you. Give the decoy an IP address but do not join it to the domain. Connect it to the network and let it generate some traffic. If someone is sniffing the network, they will see the packets sent by the decoy. They will know the decoy's IP address but not its host name, so a sniffer will typically perform a DNS lookup to find the host name for that address. Because you are the only one who knows the machine exists, nobody has a legitimate reason to look it up. So if your DNS logs show a lookup for the decoy machine, you have good reason to suspect that the machine that issued the query is being used to sniff the network.
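The DNS-log check described above, as an added example that is not part of the original article: it scans BIND-style query log lines for reverse (PTR) lookups of the decoy's address (or lookups of its name) and reports which client issued them. The decoy address 10.0.5.200, the decoy name and the log lines are all constructed for this example.

```python
import re
from collections import Counter

DECOY_IP = "10.0.5.200"                 # constructed decoy address
DECOY_NAME = "decoy-ws.corp.example"    # constructed; nobody but the admin should know it

# BIND query-log style line (constructed format assumption):
# "client 10.0.5.31#53122: query: 200.5.0.10.in-addr.arpa IN PTR + (10.0.5.1)"
QUERY_RE = re.compile(
    r"client (?P<client>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def reverse_name(ip: str) -> str:
    """Build the PTR name a sniffer would look up: 10.0.5.200 -> 200.5.0.10.in-addr.arpa"""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def suspicious_clients(log_lines, decoy_ip=DECOY_IP, decoy_name=DECOY_NAME):
    """Return {client_ip: lookup_count} for clients that resolved the decoy by address or name."""
    targets = {reverse_name(decoy_ip).lower(), decoy_name.lower()}
    hits = Counter()
    for line in log_lines:
        m = QUERY_RE.search(line)
        if not m:
            continue
        qname = m.group("qname").rstrip(".").lower()   # tolerate a trailing dot
        if qname in targets:
            hits[m.group("client")] += 1
    return dict(hits)


# Constructed sample log: 10.0.5.77 looks up the decoy twice, the others do ordinary lookups.
SAMPLE_LOG = """\
client 10.0.5.31#53122: query: www.corp.example IN A + (10.0.5.1)
client 10.0.5.77#41002: query: 200.5.0.10.in-addr.arpa IN PTR + (10.0.5.1)
client 10.0.5.31#53123: query: 12.5.0.10.in-addr.arpa IN PTR + (10.0.5.1)
client 10.0.5.77#41003: query: 200.5.0.10.in-addr.arpa. IN PTR + (10.0.5.1)
client 10.0.5.90#60010: query: mail.corp.example IN MX + (10.0.5.1)
""".splitlines()

if __name__ == "__main__":
    for client, n in suspicious_clients(SAMPLE_LOG).items():
        print(f"{client} looked up the decoy {n} time(s): possible sniffer")
```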

Another step you can take to defeat sniffing is to replace all existing hubs with VLAN switches. These switches create a virtual connection between the sender and the recipient of a packet, so the packet no longer passes every machine on the network; it goes directly from the sender to the receiver. This means that a sniffer on your network has a hard time getting anything useful.

This type of switch has other advantages. With a standard hub, all nodes are in the same collision domain, which means that the hub's total bandwidth in Mbps is shared among all nodes. A VLAN switch is different: each virtual LAN has its own dedicated bandwidth and does not need to share. This means a single switch of the same Mbps rating can handle hundreds of Mbps of traffic at the same time, with each flow on a different virtual network. Using VLAN switches therefore improves security and efficiency at the same time.
