Network Protection Layer configuration and physical security

Source: Internet
Author: User

Among recorded malware events, most attacks are initiated over the network. Typically these attacks try to get malicious software onto host devices in the organization's IT infrastructure by exploiting weaknesses in the network's perimeter protection. The devices can be clients, servers, routers, or even firewalls. One of the hardest problems for antivirus protection at this layer is balancing the functional requirements of the IT system's users against the restrictions needed to create effective protection. For example, like many recent attacks, the MyDoom worm used email attachments to copy itself. From the IT infrastructure perspective, blocking all attachments from entering is the simplest and safest option, but the needs of the organization's email users may not permit that. A compromise is required that balances the organization's needs against an acceptable level of risk.

Many organizations have adopted a multi-layer approach to network design, using both an internal network and a perimeter (external) network. Microsoft recommends this approach because it fits the defense-in-depth security model.

Note: There is a growing trend toward dividing the internal network into multiple security zones, each with its own perimeter. Microsoft also recommends this approach because it helps reduce the overall risk of a malware attack gaining access to the internal network. However, this guide only describes protection for a single network. If you plan to use one perimeter network and multiple internal networks, you can apply this guidance to each network in turn.

An organization's first line of network protection is the perimeter network. These defenses are designed to prevent malicious software from entering the organization through external attacks. As described earlier in this chapter, typical malware attacks focus on copying files to the target computer. Your antivirus protection should therefore work with the organization's standard security measures to ensure that only authorized personnel can connect to organization data, and only securely (for example, through an encrypted virtual private network (VPN)).

Note: You should also treat any wireless LAN and any VPN as perimeter networks. If your organization has adopted these technologies, it is important to secure them. If they are not secured, attackers may gain direct access to your internal network, bypassing the standard perimeter protection, and launch attacks from there.

This guide assumes that the network security design provides the organization with the required identification, authorization, encryption and protection levels to prevent unauthorized attackers from intruding directly. Even so, antivirus protection is still incomplete at that point. The next step is to configure network-layer protection to detect and filter malware attacks that arrive over permitted network communication (such as email, Web browsing, and instant messaging).

Network Anti-Virus Configuration

There are many specialized configurations and technologies designed to provide network security for organizations. Although these are important parts of the organization's security design, this section describes only the areas directly related to antivirus protection. Your network security and design team should determine how to use each of the following methods in the organization.

Network Intrusion Detection System

Because the perimeter network is the most exposed part of the network, it is extremely important for your network management system to detect and report attacks as soon as possible. A Network Intrusion Detection (NID) system is designed to provide exactly this: rapid detection and reporting of external attacks. Although a NID system is part of the overall system security design rather than a specific antivirus tool, many of the initial signs of a system attack and of a malware attack are the same. For example, some malware uses IP scanning to find systems it can infect. For this reason, the NID system should be configured to work with the organization's network management system, and any alert about unusual network behavior should be passed directly to the organization's security staff.
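The IP-scanning pattern mentioned above is one of the simplest behaviors a NID system can flag: a single source contacting many distinct destinations in a short window. The following is an added example, not code from the guide or from any NID product; the log format (`timestamp src dst dport`), the addresses, the 60-second window and the threshold of 20 destinations are all constructed for illustration.

```python
"""Flag sources that contact many distinct hosts in a short window (IP scanning).
Added example; the log line format and thresholds are constructed, not any
real NID product's format or defaults."""
from collections import defaultdict, deque
from datetime import datetime, timedelta


def build_sample_log():
    """Constructed sample: one normal client plus one host sweeping 10.0.1.0/24 on TCP 445."""
    lines = [
        "2004-03-01T10:00:00 10.0.0.5 10.0.1.20 445",
        "2004-03-01T10:00:05 10.0.0.5 10.0.1.21 80",
        "2004-03-01T10:00:09 10.0.0.5 10.0.1.20 445",
    ]
    for i in range(1, 41):
        lines.append(f"2004-03-01T10:00:{i:02d} 10.0.0.9 10.0.1.{i} 445")
    return lines


def parse_line(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def detect_scans(lines, window=timedelta(seconds=60), threshold=20):
    """Return {src: (time_of_first_alert, distinct_destinations)} for every
    source that reached `threshold` distinct destinations inside `window`.
    Each source is reported once, at the moment it first crosses the threshold."""
    events = sorted(parse_line(l) for l in lines if l.strip())
    recent = defaultdict(deque)  # src -> (ts, dst) pairs still inside the window
    alerts = {}
    for ts, src, dst, _port in events:
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:  # drop events that fell out of the window
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = (ts, len(distinct))
    return alerts


def format_alerts(alerts):
    """Render alerts as lines suitable for handing to the security staff."""
    return [f"{ts.isoformat()} possible IP scan from {src}: {n} distinct hosts"
            for src, (ts, n) in sorted(alerts.items())]


if __name__ == "__main__":
    for line in format_alerts(detect_scans(build_sample_log())):
        print(line)
```

The detector keeps one sliding window per source rather than a global counter, so a busy but legitimate client (many connections to the same few servers) is not confused with a sweep across many hosts.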

A key point to understand is that for any NID implementation, the protection is only as good as the process that follows the detection of an intrusion. That process should be triggered to stop the attack, and the protection should be monitored continuously in real time; only then can a NID system be considered part of the protection policy. Otherwise the NID system is little more than a tool that provides an audit record after an attack has occurred.

There are many enterprise-level network intrusion detection systems available to network designers. They can be stand-alone devices or systems integrated into other network services (such as the organization's firewall service). For example, the Microsoft Internet Security and Acceleration (ISA) Server 2000 and 2004 products include NID system functionality alongside firewall and proxy services.

Application Layer Filtering

Organizations have realized that using Internet filtering technology to monitor and block illegal content (such as viruses) in network communication is not only useful but necessary. In the past, this filtering was performed using the packet-layer filtering provided by the firewall service, which can only filter network traffic by source or destination IP address or by a specific TCP or UDP port. Application layer filtering (ALF) works at the application layer of the OSI network model, so it allows you to inspect and filter data based on its content. Using ALF in addition to standard packet-layer filtering gives much higher security. For example, packet filtering may allow you to pass network traffic through port 80 of the organization's firewall only to the Web server; however, this alone may not provide sufficient security. By adding ALF to the solution, you can inspect all data uploaded to the Web server on port 80 to ensure that it is valid and does not contain any suspicious code.
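The port-80 example above can be shown in code: a packet filter sees only addresses and ports, while an application-layer filter parses the HTTP request that the packet filter already admitted. This is an added example, not ISA Server code; the Web server address, the permitted methods and upload types, and the suspicious-content patterns are constructed rules for illustration, and the sample requests are constructed.

```python
"""Packet-layer filtering versus application-layer filtering on TCP/80.
Added example with constructed rules; not ISA Server's implementation."""
import re

WEB_SERVER = "192.0.2.10"  # constructed address of the organization's Web server


def packet_filter(src, dst, dport, proto="tcp"):
    """Packet layer: only TCP/80 to the Web server is admitted from outside.
    Nothing about the request content is visible at this layer."""
    return proto == "tcp" and dst == WEB_SERVER and dport == 80


def parse_http_request(raw: bytes):
    """Minimal HTTP/1.x request parser: (method, target, headers, body).
    Raises ValueError on a malformed request line."""
    head, _, body = raw.partition(b"\r\n\r\n")
    request_line, *header_lines = head.decode("latin-1").split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body


ALLOWED_METHODS = {"GET", "HEAD", "POST"}
# Body types the Web application is expected to receive (constructed policy).
ALLOWED_UPLOAD_TYPES = {"application/x-www-form-urlencoded", "application/json"}
SUSPICIOUS_BODY = [
    re.compile(rb"^MZ"),            # Windows executable header at the start of the body
    re.compile(rb"<script", re.I),  # script markup posted in a form field
]


def application_filter(raw: bytes):
    """Application layer: inspect the request itself. Returns (allowed, reason)."""
    try:
        method, target, headers, body = parse_http_request(raw)
    except ValueError:
        return False, "malformed request line"
    if method not in ALLOWED_METHODS:
        return False, f"method {method} not permitted"
    if ".." in target:
        return False, "path traversal in request target"
    if body:
        ctype = headers.get("content-type", "").split(";")[0].strip()
        if ctype not in ALLOWED_UPLOAD_TYPES:
            return False, f"unexpected upload type {ctype or '(none)'}"
        for pat in SUSPICIOUS_BODY:
            if pat.search(body):
                return False, f"body matched {pat.pattern!r}"
    return True, "ok"


def inspect(src, dst, dport, raw):
    """Chain both layers the way a firewall with ALF does."""
    if not packet_filter(src, dst, dport):
        return False, "dropped by packet filter"
    return application_filter(raw)


# Constructed sample requests: both reach the Web server on port 80.
GOOD_REQUEST = b"GET /index.html HTTP/1.1\r\nHost: www.example.test\r\n\r\n"
EXE_UPLOAD = (b"POST /upload HTTP/1.1\r\nHost: www.example.test\r\n"
              b"Content-Type: application/octet-stream\r\nContent-Length: 4\r\n\r\nMZ\x90\x00")

if __name__ == "__main__":
    for req in (GOOD_REQUEST, EXE_UPLOAD):
        print(inspect("198.51.100.7", WEB_SERVER, 80, req))
```

Both sample requests pass the packet filter identically; only the application-layer check distinguishes the page fetch from the executable upload, which is the point the text makes.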

ISA Server can provide ALF for packets as they pass through the organization's firewall. It scans Web browsing and email traffic to ensure that the content specific to each does not contain suspicious data, such as spam or malware. The ALF feature in ISA Server enables deep content analysis, including the ability to detect, inspect, and validate traffic using any port or protocol.

Content Scanning

Content scanning is provided as a feature in more advanced firewall solutions, or as a component of a separate service (such as email). Content scanning inspects data as it enters or leaves the organization's network through a valid data channel. When content scanning is performed on email, it usually works with the email server to check the parts (such as attachments) of each message. This method can scan for and identify malware content in real time as data passes through the service. Many partners work with Microsoft to provide enhanced security features (such as real-time antivirus content scanning) for Microsoft Exchange Server and ISA Server.

URL filtering

Another option available to network administrators is URL filtering, which can be used to block problematic websites. For example, you might use URL filtering to block known hacker websites, download servers, and personal HTTP email services.

Note: The major HTTP email services (such as Hotmail and Yahoo) provide antivirus scanning, but many smaller sites provide no antivirus scanning at all. This is a serious problem for the organization's protection because such a service provides a route directly from the Internet to the client.

The network administrator can use two basic URL filtering methods:

• Blocked list. The firewall checks a predefined list of problematic sites before allowing a connection. Users are allowed to connect to any site not on the blocked list.

• Allowed list. This method only allows communication with websites entered in the organization's predefined list of approved websites.

The first method relies on identifying problematic websites and adding them to the list. Because of the size and changing nature of the Internet, this method requires either an automated solution or a large amount of management overhead. It is usually useful only for a small number of known problem websites and does not provide a comprehensive protection solution. The second method provides better protection because its restrictive nature lets you control the sites that system users can reach. However, this method may be too restrictive for many organizations unless a proper survey is carried out to identify all the sites users require.
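The trade-off between the two list types becomes concrete when a site the administrator has never seen appears: a blocked list lets it through, an allowed list does not. The following added example (not code from the guide or from any firewall product) implements both modes over the same host-matching logic; the list entries and URLs use reserved `.test` names and are constructed.

```python
"""URL filtering in blocked-list and allowed-list mode. Added example with
constructed list entries and URLs; not any product's filter implementation."""
from urllib.parse import urlsplit


class UrlFilter:
    def __init__(self, mode, sites):
        if mode not in ("blocklist", "allowlist"):
            raise ValueError("mode must be 'blocklist' or 'allowlist'")
        self.mode = mode
        # Normalize entries so 'Example.TEST' and '.example.test' both match example.test.
        self.sites = {s.lower().strip().lstrip(".") for s in sites}

    @staticmethod
    def _host(url):
        """Extract the host the client would actually connect to. Using a real URL
        parser matters: 'http://docs.example.test@evil.test/' connects to evil.test."""
        if "://" not in url:
            url = "http://" + url
        return (urlsplit(url).hostname or "").lower()

    def _listed(self, host):
        """True if the host or any of its parent domains is on the list,
        so an entry 'example.test' also covers 'www.example.test'."""
        labels = host.split(".")
        return any(".".join(labels[i:]) in self.sites for i in range(len(labels)))

    def allows(self, url):
        host = self._host(url)
        if not host:
            return False  # unparsable or empty host: fail closed
        listed = self._listed(host)
        return (not listed) if self.mode == "blocklist" else listed


def decide(filters, urls):
    """Apply several filters to the same URLs; returns {url: {mode: allowed}}."""
    return {u: {f.mode: f.allows(u) for f in filters} for u in urls}


if __name__ == "__main__":
    # Constructed lists and URLs for demonstration.
    blocked = UrlFilter("blocklist", ["hackersite.test", "freewebmail.test"])
    allowed = UrlFilter("allowlist", ["example.test", "partner.test"])
    for url, result in decide([blocked, allowed], [
            "http://www.example.test/",
            "http://mail.freewebmail.test/inbox",
            "http://brand-new-site.test/",            # unknown to both lists
            "http://docs.example.test@evil.test/"]).items():
        print(url, result)
```

The `brand-new-site.test` case is the management-overhead problem the text describes: the blocked list needs updating before it catches a new site, while the allowed list blocks it by default at the cost of having to survey every legitimate site in advance.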

Both methods provide protection only while the client is inside the organization's protection. A mobile client connected directly to the Internet outside the office does not receive this protection, which means your network may be exposed to attack. If mobile clients in the organization need a URL filtering solution, you should consider using a client-based protection system. However, this can bring considerable management overhead, especially in environments with many mobile clients.

Isolated Network

Another method that can be used to protect the network is to establish an isolated network for computers that do not meet the minimum security requirements of the Organization.

Note: This method should not be confused with the quarantine (isolation) feature in some antivirus applications, which moves infected files to a secure area on the computer until they can be cleaned.

The isolated network should limit (or even block) access to the organization's internal resources, but provide a level of connectivity (including to the Internet) that allows visitors' computers to work effectively without placing the internal network at risk. If a visitor's laptop is infected with malware when it connects to the network, the isolated network restricts its ability to infect other computers on the internal network.

Similar methods have been applied successfully to VPN-type remote connections for some time. While the system check runs, the VPN client is placed on a temporary isolated network. If the client passes the check (for example, because it has the required security updates and antivirus signature files), it is granted access to the organization's internal network. If the client does not meet these requirements, it is either disconnected or left with access only to the isolated network, from which it can obtain the updates needed to pass the check. Network designers are now building on this technology to help improve the security of internal networks.
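The VPN check described above is a small policy decision: compare what the client reports against the organization's requirements and place it on the internal network, on the isolated network, or drop it. The following is an added example, not code from the guide or from any VPN quarantine product; the update names, signature-age limit and the destinations reachable from the isolated network are constructed placeholders.

```python
"""Quarantine placement for a VPN client based on a posture check.
Added example; update identifiers, limits and reachable hosts are constructed."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum


class Placement(Enum):
    INTERNAL = "internal network"
    QUARANTINE = "isolated network"
    DISCONNECT = "disconnected"


@dataclass
class ClientReport:
    """What the client's agent reports at connection time (constructed fields)."""
    name: str
    installed_updates: set
    av_running: bool
    av_signature_date: date


@dataclass
class Policy:
    required_updates: set
    max_signature_age: timedelta
    # When False, failing clients are dropped instead of being quarantined.
    allow_remediation: bool = True
    # Hosts a quarantined client may still reach to fix itself (constructed names).
    remediation_hosts: set = field(default_factory=lambda: {
        "updates.example.internal", "av-signatures.example.internal"})


def evaluate(report, policy, today):
    """Return (placement, reasons). An empty reasons list means fully compliant."""
    reasons = []
    missing = policy.required_updates - report.installed_updates
    if missing:
        reasons.append(f"missing updates: {sorted(missing)}")
    if not report.av_running:
        reasons.append("antivirus not running")
    else:
        age = today - report.av_signature_date
        if age > policy.max_signature_age:
            reasons.append(f"antivirus signatures {age.days} days old")
    if not reasons:
        return Placement.INTERNAL, []
    placement = Placement.QUARANTINE if policy.allow_remediation else Placement.DISCONNECT
    return placement, reasons


def quarantine_permits(policy, placement, host):
    """Connectivity rule: internal clients reach everything, quarantined clients
    reach only the remediation hosts, disconnected clients reach nothing."""
    if placement is Placement.INTERNAL:
        return True
    if placement is Placement.QUARANTINE:
        return host in policy.remediation_hosts
    return False


if __name__ == "__main__":
    today = date(2004, 3, 1)
    policy = Policy(required_updates={"UPDATE-A", "UPDATE-B"}, max_signature_age=timedelta(days=7))
    stale = ClientReport("laptop-7", {"UPDATE-A"}, True, date(2004, 2, 1))
    placement, why = evaluate(stale, policy, today)
    print(stale.name, "->", placement.value, why)
    print("may reach file server:", quarantine_permits(policy, placement, "files.example.internal"))
    print("may reach update server:", quarantine_permits(policy, placement, "updates.example.internal"))
```

Keeping the reachability rule separate from the posture check mirrors the text: the check decides where the client lands, and the isolated network itself enforces what it can reach from there.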

ISA Server Feature Pack

If your organization uses ISA Server 2000, Microsoft also recommends using the additional features provided in ISA Server Feature Pack 1. This free add-on provides further security features that you can use to improve the security of communication across the firewall (including email) as part of network protection. You can use the following functions to improve antivirus network protection:

• Enhanced SMTP filter. This feature filters email with improved reliability and security. It can filter on attachment name, size, or extension, as well as on sender, domain, keywords, and any SMTP command and its length.

• Enhanced Exchange Remote Procedure Call (RPC) filter. This feature protects Outlook email communication with Exchange Server computers over untrusted networks without requiring you to set up a VPN. To this end, ISA Server Feature Pack 1 adds the following:

  • The administrator can enforce RPC encryption between Outlook and Exchange Server.

  • Outbound RPC communication can be passed securely through ISA Server, which allows Outlook clients behind the ISA Server computer to access an external Exchange Server computer.

• UrlScan 2.5. This tool helps block malicious Web requests at the ISA Server computer before they can enter the network and reach the Web server.

• Outlook Web Access (OWA) wizard. You can use this wizard to quickly and easily configure ISA Server to help protect an OWA deployment.
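The SMTP filter criteria listed above (attachment name, size and extension, sender domain, keywords) and the email content scanning described in the Content Scanning section differ in one important way: name-based rules trust what the attachment calls itself, while content scanning looks at the bytes. The following added example, not code from ISA Server, Exchange Server or the guide, applies both kinds of rule to a MIME message built with Python's standard `email` library; the blocked extensions, size limit, sender domains, keywords and sample messages are constructed.

```python
"""Name-based SMTP attachment filtering beside content-based scanning.
Added example; all rules, addresses and messages are constructed."""
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Constructed policy values.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}
MAX_ATTACHMENT_BYTES = 5 * 1024 * 1024
BLOCKED_SENDER_DOMAINS = {"spam-source.test"}
SUBJECT_KEYWORDS = {"free prize", "account suspended"}
EXT_PATTERN = re.compile(r"\.[a-z0-9]+")


def build_sample_message(filename, payload, sender="user@example.test", subject="report"):
    """Construct a message with one attachment and return it as raw SMTP bytes."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "staff@example.test"
    msg["Subject"] = subject
    msg.set_content("Please see the attached file.")
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=filename)
    return msg.as_bytes()


def check_message(raw):
    """Return (accepted, reasons) for a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    reasons = []

    # Envelope/header rules of the kind the SMTP filter bullet lists.
    sender_domain = str(msg["From"] or "").rpartition("@")[2].strip(">").lower()
    if sender_domain in BLOCKED_SENDER_DOMAINS:
        reasons.append(f"sender domain {sender_domain} is blocked")
    subject = str(msg["Subject"] or "").lower()
    for keyword in sorted(SUBJECT_KEYWORDS):
        if keyword in subject:
            reasons.append(f"subject contains keyword {keyword!r}")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        # Name-based rules: every extension is checked, so 'invoice.pdf.exe' is caught.
        if any(ext in BLOCKED_EXTENSIONS for ext in EXT_PATTERN.findall(name)):
            reasons.append(f"attachment {name}: blocked extension")
        if len(data) > MAX_ATTACHMENT_BYTES:
            reasons.append(f"attachment {name}: {len(data)} bytes exceeds limit")
        # Content-based rule: the bytes say it is a Windows executable, whatever the name.
        if data.startswith(b"MZ"):
            reasons.append(f"attachment {name}: executable content (MZ header)")
    return (not reasons), reasons


if __name__ == "__main__":
    samples = {
        "plain text":          build_sample_message("notes.txt", b"meeting notes"),
        "double extension":    build_sample_message("invoice.pdf.exe", b"MZ\x90\x00junk"),
        "renamed executable":  build_sample_message("invoice.pdf", b"MZ\x90\x00junk"),
        "blocked sender":      build_sample_message("notes.txt", b"hi", sender="x@spam-source.test"),
    }
    for label, raw in samples.items():
        print(label, check_message(raw))
```

The "renamed executable" case is the one a name-only SMTP filter misses and content scanning catches, which is why the text treats the two as complementary rather than interchangeable.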
