Network Security

Port Blocking / Filtering

A network layer firewall works as a packet filter, deciding which packets may pass according to rules defined by the administrator. Filtering rules can act on the basis of source and destination address and ports, in addition to whatever higher-level network protocols the packet contains. Network layer firewalls tend to operate very fast and transparently to users. They generally fall into two sub-categories, stateful and stateless. Stateful firewalls hold some information on the state of connections (for example: whether a connection is being initiated, in handshake, established and carrying data, or being torn down) as part of their rules (e.g. only hosts inside the firewall can establish connections on a certain port).

Stateless firewalls have packet-filtering capabilities but cannot make more complex decisions on what stage communications between hosts have reached. Stateless firewalls therefore offer less security. Stateless firewalls somewhat resemble a router in their ability to filter packets.

Any normal computer running an operating system which supports packet filtering and routing can function as a network layer firewall. Appropriate operating systems for such a configuration include Linux, Solaris, BSDs or Windows Server.
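The difference between the two sub-categories is easiest to see on concrete packets. The following toy packet filter is an added example for this page, not code from any real firewall: it applies the same administrator intent ("inside hosts may browse the web, and replies may come back") once as stateless rules that judge each packet on its own header, and once as a stateful filter that records connections an inside host actually opened. The addresses, ports and the "inside" prefix are constructed for the example (the outside addresses come from the RFC 5737 documentation ranges).

```python
"""Toy stateless vs stateful packet filter (constructed example, not real firewall code)."""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

INSIDE_PREFIX = "10.0.0."  # constructed: hosts behind the firewall


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # TCP SYN flag: connection initiation
    ack: bool = False  # TCP ACK flag: set on every packet after the first


def is_inside(ip: str) -> bool:
    return ip.startswith(INSIDE_PREFIX)


def stateless_filter(pkt: Packet) -> bool:
    """Each packet is judged on its own header; no memory of earlier packets.
    Rule 1: inside hosts may send to port 80 outside.
    Rule 2: traffic from port 80 with ACK set may come back in. The filter has
    no way to know whether a matching connection exists, so this rule also
    admits unsolicited packets that merely carry the right port and flag."""
    if is_inside(pkt.src) and not is_inside(pkt.dst) and pkt.dport == 80:
        return True
    if not is_inside(pkt.src) and is_inside(pkt.dst) and pkt.sport == 80 and pkt.ack:
        return True
    return False


class StatefulFilter:
    """Keeps a connection table keyed on the 4-tuple of sessions opened from inside."""

    def __init__(self) -> None:
        self.table: Set[Tuple[str, int, str, int]] = set()

    def allow(self, pkt: Packet) -> bool:
        if is_inside(pkt.src) and not is_inside(pkt.dst) and pkt.dport == 80:
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn and not pkt.ack:  # a new outbound connection: record it
                self.table.add(key)
                return True
            return key in self.table  # later outbound packets must belong to a session
        if not is_inside(pkt.src) and is_inside(pkt.dst):
            # inbound packets are allowed only as replies to a recorded session
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.table
        return False


def run_scenario() -> Dict[str, Tuple[bool, bool]]:
    """Constructed traffic: one legitimate web session plus one unsolicited inbound
    packet that happens to carry source port 80 and the ACK flag.
    Returns {name: (stateless decision, stateful decision)}."""
    inside_host, web_server, stranger = "10.0.0.5", "203.0.113.7", "198.51.100.9"
    stateful = StatefulFilter()
    results = {}
    syn = Packet(inside_host, 40000, web_server, 80, syn=True)
    results["syn_out"] = (stateless_filter(syn), stateful.allow(syn))
    reply = Packet(web_server, 80, inside_host, 40000, syn=True, ack=True)
    results["reply_in"] = (stateless_filter(reply), stateful.allow(reply))
    unsolicited = Packet(stranger, 80, inside_host, 40000, ack=True)
    results["unsolicited_in"] = (stateless_filter(unsolicited), stateful.allow(unsolicited))
    return results


if __name__ == "__main__":
    for name, (stateless, stateful) in run_scenario().items():
        print(f"{name:15s} stateless={stateless} stateful={stateful}")
```

Both filters pass the outbound SYN and the genuine reply; only the stateful filter rejects the unsolicited inbound packet, because nothing in its connection table matches it. That is the "less security" the text refers to: a stateless rule set has to open a hole wide enough for every possible reply.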

Authentication

The process of identifying an individual, usually based on a username and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be; it says nothing about the access rights of the individual.
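The two steps are easy to conflate in code, so here is an added example (not from this page) that keeps them apart: `authenticate()` only answers "is this really the named user?" by checking a salted, iterated password hash with a constant-time comparison, and `authorize()` only answers "may this user do that?" from a separate permission table. The user store, passwords and permission names are constructed for the example; PBKDF2 and `hmac.compare_digest` are the Python standard library.

```python
"""Authentication (who are you?) kept separate from authorization (what may you do?).
Constructed example; the users, passwords and permissions below are not real."""
import hashlib
import hmac
import os
from typing import Dict, Optional, Set, Tuple

ITERATIONS = 100_000  # PBKDF2 work factor; raise in production


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Derive a per-user key from the password with a random salt."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


# Constructed user store: username -> (salt, derived key). Plaintext is never stored.
USERS: Dict[str, Tuple[bytes, bytes]] = {
    "alice": hash_password("correct horse battery staple"),
    "bob": hash_password("hunter2-but-much-longer"),
}

# Constructed authorization table, deliberately separate from the credential store.
PERMISSIONS: Dict[str, Set[str]] = {
    "alice": {"reports:read"},
    "bob": {"reports:read", "reports:write"},
}

_DUMMY_SALT = b"\x00" * 16


def authenticate(username: str, password: str) -> bool:
    """True only if the password matches the stored hash for this username."""
    record = USERS.get(username)
    if record is None:
        hash_password(password, _DUMMY_SALT)  # same cost for unknown users (timing)
        return False
    salt, stored = record
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, stored)  # constant-time comparison


def authorize(username: str, permission: str) -> bool:
    """True only if the (already authenticated) user holds the permission."""
    return permission in PERMISSIONS.get(username, set())


def request(username: str, password: str, permission: str) -> str:
    """Gate an operation: identity first, rights second."""
    if not authenticate(username, password):
        return "denied: authentication failed"
    if not authorize(username, permission):
        return "denied: not authorized"
    return "granted"


if __name__ == "__main__":
    print(request("alice", "correct horse battery staple", "reports:read"))   # granted
    print(request("alice", "correct horse battery staple", "reports:write"))  # not authorized
    print(request("alice", "wrong password", "reports:read"))                 # authentication failed
```

Note that a successful login for alice says nothing about `reports:write`; that decision lives entirely in the authorization table.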

Encryption

Encryption is part of a larger process of encoding and decoding messages to keep information secure. This process, though commonly called encryption, is more correctly called cryptography: the use of mathematical transformations to protect data. Cryptography is primarily a software-based solution and, in most cases, should not involve significant hardware costs. It is a key tool in protecting privacy, as it allows only authorized parties to view the data. Encryption is also used to ensure data integrity, as it protects data from being modified or corrupted.
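In practice the integrity guarantee comes from pairing the cipher with a message authentication code, so the receiver can tell a modified or corrupted message from a genuine one. The following added example (not part of this page) shows that pairing in the encrypt-then-MAC form. The "cipher" is a deliberately toy keystream built from HMAC-SHA256 so the example runs with only the standard library; it stands in for a real cipher such as AES-GCM or ChaCha20-Poly1305 and is not meant for production use. Keys, nonce sizes and the sample message are constructed.

```python
"""Encrypt-then-MAC: confidentiality from the cipher, integrity from the tag.
Constructed example; the keystream below is a stand-in for a real cipher."""
import hashlib
import hmac
import os
from typing import Dict

NONCE_LEN = 12
TAG_LEN = 32  # HMAC-SHA256 output


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: HMAC-SHA256(key, nonce || counter) blocks. Demonstration only."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def xor_with_keystream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same XOR operation for a stream cipher."""
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))


def seal(enc_key: bytes, mac_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt, then authenticate nonce || ciphertext with a separate MAC key."""
    nonce = os.urandom(NONCE_LEN)
    ciphertext = xor_with_keystream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def open_sealed(enc_key: bytes, mac_key: bytes, message: bytes) -> bytes:
    """Verify the tag before decrypting; reject anything that was altered."""
    if len(message) < NONCE_LEN + TAG_LEN:
        raise ValueError("message too short")
    nonce, ciphertext, tag = message[:NONCE_LEN], message[NONCE_LEN:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was modified or corrupted")
    return xor_with_keystream(enc_key, nonce, ciphertext)


def demo() -> Dict[str, bool]:
    """Round-trip a message, then corrupt one ciphertext bit and compare what
    decryption without a tag check returns against what open_sealed() does."""
    enc_key, mac_key = os.urandom(32), os.urandom(32)  # constructed keys
    plaintext = b"transfer 100 to account 42"
    sealed = seal(enc_key, mac_key, plaintext)
    corrupted = bytearray(sealed)
    corrupted[NONCE_LEN] ^= 0x01  # simulate a single-bit error in transit
    corrupted = bytes(corrupted)
    # Decrypting alone cannot notice the change: it just yields a different plaintext.
    unchecked = xor_with_keystream(enc_key, corrupted[:NONCE_LEN], corrupted[NONCE_LEN:-TAG_LEN])
    try:
        open_sealed(enc_key, mac_key, corrupted)
        detected = False
    except ValueError:
        detected = True
    return {
        "roundtrip_ok": open_sealed(enc_key, mac_key, sealed) == plaintext,
        "unchecked_decrypt_matches": unchecked == plaintext,
        "corruption_detected": detected,
    }


if __name__ == "__main__":
    print(demo())  # roundtrip_ok True, unchecked_decrypt_matches False, corruption_detected True
```

The point the demo makes: the cipher alone turns a corrupted ciphertext into a corrupted plaintext without complaint; it is the tag check that turns "modified or corrupted" into a detected failure.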

VLANs (Virtual Local Area Networks)

A virtual LAN (VLAN) is a logical grouping of network devices in the same broadcast domain (subnet) that can span multiple physical segments. VLANs are good at logically separating traffic between different groups of users. VLANs contain and isolate broadcast traffic; a router is needed to move traffic between VLANs.

Logically speaking, VLANs are subnets. A subnet, or a network, is a contained broadcast domain. A broadcast that occurs in one subnet will not be forwarded, by default, to another subnet.

Routers, or layer 3 devices, provide this boundary function. Each of these subnets requires a unique network number. And to move from one network number to another, you need a router. In the case of broadcast domains and switches, each of these separate broadcast domains is a separate VLAN; therefore, you still need a routing function to move traffic between different VLANs.

Extranets

An extranet is a private network that uses Internet protocols and network connectivity to securely share part of an organization's information or operations with suppliers, vendors, partners, customers or other businesses. An extranet can be viewed as the part of a company's intranet that is extended to users outside the company, normally over the Internet. An extranet requires security and privacy measures. These can include firewalls, server management, the issuance and use of digital certificates or similar means of user authentication, encryption of messages, and the use of virtual private networks (VPNs) that tunnel through the public network.

Advantages

  • Extranets can improve organization productivity by automating processes that were previously done manually.
  • Extranets allow organization or project information to be viewed at times convenient for business partners, customers, employees, suppliers and other stake-holders.
  • Information on an extranet can be updated, edited and changed instantly. All authorised users therefore have immediate access to the most up-to-date information.

Disadvantages

  • Extranets can be expensive to implement and maintain within an organisation.
  • Security of extranets can be a big concern when dealing with valuable information.
  • Extranets can reduce personal contact (face-to-face meetings) with customers and business partners. This could cause a lack of connections made between people and a company.

Intranet

Intranets differ from extranets in that an intranet is generally restricted to employees of the organization, while an extranet can generally be accessed by customers, suppliers, or other approved parties. An intranet is a private computer network that uses Internet protocols and network connectivity to securely share part of an organization's information or operations with its employees. Sometimes the term refers only to the most visible service, the internal website. The same concepts and technologies as the Internet, such as clients and servers running on the Internet protocol suite, are used to build an intranet. HTTP and other Internet protocols are commonly used as well, especially FTP and e-mail.

Antivirus Software

Antivirus software consists of computer programs that attempt to identify, thwart and eliminate computer viruses and other malicious software. Antivirus software typically uses two different techniques to accomplish this:

  • Examining files to look for known viruses matching definitions in a virus dictionary
  • Identifying suspicious behavior from any computer program which might indicate infection. Such analysis may include data captures, port monitoring and other methods.

Most commercial antivirus software uses both of these approaches, with an emphasis on the virus dictionary approach.

Dictionary Approach:
When the antivirus software looks at a file, it refers to a dictionary of known viruses that the authors of the antivirus software have identified. If a piece of code in the file matches any virus identified in the dictionary, then the antivirus software can take one of the following actions:

  • attempt to repair the file by removing the virus itself from the file
  • quarantine the file
  • delete the infected file.

Suspicious Behavior Approach:
The suspicious behavior approach does not rely on a list of known viruses and therefore provides protection against brand-new viruses that do not yet exist in any virus dictionary. Most antivirus software does not make much use of this approach today. Using this approach, the antivirus software:

  • does not attempt to identify known viruses;
  • monitors the behavior of all programs;
  • flags suspicious behavior, for example a program trying to write data to an executable program;
  • alerts the user and asks what to do.

Analysis Approach:

  • Antivirus software could try to emulate the beginning of the code of each new executable that the system invokes before transferring control to that executable.
  • If the program seems to use self-modifying code or otherwise appears as a virus, one could assume that a virus has infected the executable. However, this method could result in a lot of false positives.
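The dictionary and suspicious-behavior approaches above can be shown side by side in a few dozen lines. The following is an added example written for this page, not code from any antivirus product: `scan_file()` is the dictionary approach (byte-pattern and whole-file-hash matching against a constructed dictionary), `quarantine()` is one of the three responses listed above, and `flag_suspicious()` is the behavior rule "a program writes into an executable" applied to a constructed list of file-system events. The signature strings, file names and events are all made up for the example; none are real malware indicators.

```python
"""Dictionary (signature) scanning and behavior flagging, constructed example.
The 'virus dictionary' below contains made-up marker strings, not real signatures."""
import hashlib
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List, Tuple

# Constructed dictionary: detection name -> byte pattern searched for in files.
SIGNATURES: Dict[str, bytes] = {
    "Demo.Marker.A": b"DEMO-MARKER-A",
    "Demo.Marker.B": b"DEMO-MARKER-B",
}
# Constructed dictionary of whole-file SHA-256 hashes -> detection name.
KNOWN_HASHES: Dict[str, str] = {}

# Suffixes the behavior monitor treats as executable program files.
EXECUTABLE_SUFFIXES = {".exe", ".dll", ".sys", ".com", ".so"}


def scan_file(path: Path) -> List[str]:
    """Dictionary approach: return the names of every signature or hash that matches."""
    data = path.read_bytes()
    hits = [name for name, pattern in SIGNATURES.items() if pattern in data]
    digest = hashlib.sha256(data).hexdigest()
    if digest in KNOWN_HASHES:
        hits.append(KNOWN_HASHES[digest])
    return hits


def quarantine(path: Path, qdir: Path) -> Path:
    """Move a detected file out of its location and make it read-only."""
    qdir.mkdir(parents=True, exist_ok=True)
    dest = qdir / (path.name + ".quarantined")
    shutil.move(str(path), str(dest))
    dest.chmod(0o400)
    return dest


def flag_suspicious(events: List[Tuple[str, str, str]]) -> List[Tuple[str, str]]:
    """Behavior approach: (process, operation, target) events; flag writes to executables."""
    return [
        (proc, target)
        for proc, op, target in events
        if op == "write" and Path(target).suffix.lower() in EXECUTABLE_SUFFIXES
    ]


def demo() -> Dict[str, object]:
    """Create constructed files in a temp dir, scan them, quarantine hits, flag events."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        clean = root / "notes.txt"
        clean.write_bytes(b"quarterly numbers look fine")
        marked = root / "tool.exe"
        marked.write_bytes(b"MZ\x90\x00" + b"DEMO-MARKER-A" + b"\x00" * 8)
        hashed = root / "dropper.bin"
        hashed.write_bytes(b"no marker string in here, only a known hash")
        KNOWN_HASHES[hashlib.sha256(hashed.read_bytes()).hexdigest()] = "Demo.Hash.C"

        files = (clean, marked, hashed)
        scan = {p.name: scan_file(p) for p in files}
        moved = [quarantine(p, root / "quarantine") for p in files if scan[p.name]]

        flagged = flag_suspicious([
            ("editor.exe", "write", "C:\\Users\\me\\report.docx"),
            ("updater.exe", "write", "C:\\Windows\\System32\\drivers\\demo.sys"),
            ("browser.exe", "read", "C:\\Program Files\\app\\app.exe"),
        ])
        return {
            "scan": scan,
            "quarantined": sorted(p.name for p in moved),
            "originals_removed": not marked.exists() and not hashed.exists(),
            "clean_untouched": clean.exists(),
            "flagged": flagged,
        }


if __name__ == "__main__":
    print(demo())
```

The hash entry shows why dictionaries carry both kinds of record: `dropper.bin` contains no marker string at all and is caught only by its whole-file hash, while a single changed byte would defeat that hash, which is exactly the gap the behavior rule is meant to cover.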

Fault Tolerance:

Fault tolerance is the ability of a system to continue functioning when part of the system fails. Normally, fault tolerance is used in describing disk subsystems, but it can also apply to other parts of the system or the entire system. Fully fault-tolerant systems use redundant disk controllers and power supplies as well as fault-tolerant disk subsystems. You can also use an uninterruptible power supply (UPS) to safeguard against local power failure. Although the data is always available in a fault-tolerant system, you still need to make backups that are stored offsite to protect the data against disasters such as a fire.

Network Redundancy

Service interruptions on a network are not always the result of a computer or drive failure. Sometimes the network itself is to blame. For this reason, many larger internetworks are designed with redundant components that enable traffic to reach a given destination in more than one way. If a network cable is cut or broken, or if a router or switch fails, redundant equipment enables data to take another path to its destination. There are several ways to provide redundant paths. Typically, you have at least two routers or switches connected to each network, so that the computers can use either one as a gateway to the other segments. Example, you can build a network with two backbones. Each workstation can use either of the routers on its local segment as a gateway. You can also use this arrangement to balance the traffic on the two backbones by configuring half of the computers on each local area network (LAN) to use one of the routers as its default gateway and the other half to use the other router.

Storage

A redundant array of independent disks (RAID) is an example of a fault-tolerant storage device that uses data redundancy.

RAID

Redundant Array of Inexpensive (or Independent) Disks. A RAID array is a collection of drives which collectively act as a single storage system, which can tolerate the failure of a drive without losing data, and which can operate independently of each other.

Level 0
Referred to as striping, is not redundant. Data is split across drives, resulting in higher data throughput. Since no redundant information is stored, performance is very good, but the failure of any disk in the array results in all data loss.

Level 1
Referred to as mirroring with 2 hard drives. It provides redundancy by duplicating all data from one drive on another drive. Performance is better than a single drive, and if either drive fails, no data is lost. This is a good entry-level redundant system, since only two drives are required.

Level 2
Which uses Hamming error correction codes, is intended for use with drives which do not have built-in error detection. All SCSI drives support built-in error detection, so this level is not needed if using SCSI drives.

Level 3
Stripes data at a byte level across several drives, with parity stored on one drive. It is otherwise similar to level 4. Byte-level striping requires hardware support for efficient use.

Level 4
Stripes data at a block level across several drives, with parity stored on one drive. The parity information allows recovery from the failure of any single drive. Performance is very good for reads. Writes, however, require that parity data be updated each time. This slows small random writes, in particular, though large writes or sequential writes are fairly fast.

Level 5
Striping with distributed parity. Similar to level 4, but distributes parity among the drives. No single disk is devoted to parity. This can speed small writes in multiprocessing systems. Because parity data must be distributed on each drive during reads, the performance for reads tends to be considerably lower than a level 4 array.

Disaster recovery

Fault Tolerance

Most people think about disaster recovery in terms of restoring the damaged network, but it’s actually less expensive to prevent a disaster than to recover from one.

Fault tolerance is another term for redundancy. You can have redundant components within a server, redundant servers, and even redundant networks, in the case of a hot site. A fault-tolerant system simply has a spare part that takes over if another part fails. Fault tolerance can work for the following:

Memory

Some servers support error-correcting memory with a spare memory module to use in case of memory failure.

Network interface cards (NICs).

NICs can be redundant in two ways. They can share the network traffic, or one of the NICs can wait until the first fails before it kicks in.

Redundant Array of Inexpensive Disks (RAID).
Data is mirrored, shared, or striped across multiple disks. Pay attention to these versions of RAID:

RAID 1:
Mirroring disks connected to a single hard disk controller, or duplexing disks connected to two different hard disk controllers.

RAID 5:
A group of three or more disks is combined into a volume with the disk striped across the disks, and parity is used to ensure that if any one of the disks fails, the remaining disks will still have all data available.

Power supplies.
One power supply takes over if the original fails.

Clusters.
Two or more servers are grouped to provide services as if the group were a single server. A cluster is transparent to end users. Usually, a server member of a cluster can take over for a failed partner with no impact on the network.

Backup / restore

Offsite storage
A remote backup service, online backup service or managed backup service is a service that provides users with an online system for backing up and storing computer files. Managed backup providers are companies that have the software and server space for storing files.

Hot and cold spares

  • A hot spare disk is running, ready to start working in the case of a failure.
  • A cold spare disk is not running.

A hot spare is used as a failover mechanism to provide reliability in system configurations. The hot spare is active and connected as part of a working system. When a key component fails, the hot spare is switched into operation. Examples of hot spares are components such as networked printers and hard disks. The equipment is powered on, or considered "hot", but not actively functioning in the system. In the case of a disk drive, data is being mirrored so when the hot spare takes over, the system continues to operate with minimal or no downtime.

Hot Spare Disk
is a disk or group of disks used to replace, automatically or manually, a failing or failed disk in a RAID configuration. The hot spare disk reduces the mean time to recovery (MTTR) for the RAID redundancy group, thus reducing the probability of a second disk failure and the resultant data loss that would occur in any singly redundant RAID (e.g., RAID-1, RAID-5, RAID-10).
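The parity mechanism behind RAID levels 4 and 5 (described in the RAID section above) and the rebuild onto a hot spare described here are the same XOR computation, so one worked example covers both. The following is an added example written for this page, not code from any RAID implementation: it stripes a constructed message across three data drives plus one parity drive, with the parity block either fixed on the last drive (level 4) or rotated across drives (level 5), serves reads while one drive is missing by reconstructing its blocks, rebuilds the lost drive onto a spare, and refuses when a second drive is lost, which is the window the MTTR argument above is about. Block size, drive count and the data are constructed; real arrays work on much larger blocks.

```python
"""RAID 4/5 parity, degraded reads and hot-spare rebuild (constructed example)."""
from typing import Dict, List, Optional

Drive = Optional[List[bytes]]  # a list of blocks, or None once the drive has failed


def xor_blocks(blocks: List[bytes]) -> bytes:
    """XOR equal-sized blocks together; this is all the parity math RAID 4/5 needs."""
    out = bytearray(len(blocks[0]))
    for blk in blocks:
        for i, byte in enumerate(blk):
            out[i] ^= byte
    return bytes(out)


def parity_position(stripe: int, n_drives: int, distributed: bool) -> int:
    """Level 4: parity always on the last drive. Level 5: rotates with the stripe number."""
    return (n_drives - 1 - stripe % n_drives) if distributed else n_drives - 1


def build_array(data: bytes, n_data: int, block: int = 4, distributed: bool = False) -> List[Drive]:
    """Stripe data over n_data drives and add one parity drive (n_data + 1 drives total)."""
    blocks = [data[i:i + block].ljust(block, b"\0") for i in range(0, len(data), block)]
    while len(blocks) % n_data:  # pad the final stripe
        blocks.append(b"\0" * block)
    n_drives = n_data + 1
    drives: List[List[bytes]] = [[] for _ in range(n_drives)]
    for s in range(len(blocks) // n_data):
        stripe = blocks[s * n_data:(s + 1) * n_data]
        p = parity_position(s, n_drives, distributed)
        data_blocks = iter(stripe)
        for d in range(n_drives):
            drives[d].append(xor_blocks(stripe) if d == p else next(data_blocks))
    return list(drives)


def fail_drive(drives: List[Drive], idx: int) -> List[Drive]:
    """Simulate losing one drive: its contents become unavailable."""
    damaged = list(drives)
    damaged[idx] = None
    return damaged


def block_at(drives: List[Drive], d: int, s: int) -> bytes:
    """Block s of drive d, reconstructed from the rest of the stripe if drive d is gone."""
    if drives[d] is not None:
        return drives[d][s]
    survivors = [drv[s] for i, drv in enumerate(drives) if i != d and drv is not None]
    if len(survivors) != len(drives) - 1:
        raise RuntimeError("two drives lost: a single-parity array cannot recover")
    return xor_blocks(survivors)  # data XOR parity of the others == the missing block


def read_back(drives: List[Drive], length: int, distributed: bool = False) -> bytes:
    """Read the original data, skipping parity blocks; works on a degraded array too."""
    n_drives = len(drives)
    n_stripes = len(next(d for d in drives if d is not None))
    out = b""
    for s in range(n_stripes):
        p = parity_position(s, n_drives, distributed)
        out += b"".join(block_at(drives, d, s) for d in range(n_drives) if d != p)
    return out[:length]


def rebuild_onto_spare(drives: List[Drive], failed: int) -> List[Drive]:
    """Hot-spare rebuild: recompute every block of the failed drive onto a fresh disk."""
    n_stripes = len(next(d for d in drives if d is not None))
    spare = [block_at(drives, failed, s) for s in range(n_stripes)]
    repaired = list(drives)
    repaired[failed] = spare
    return repaired


def demo(distributed: bool) -> Dict[str, bool]:
    data = b"The quick brown fox jumps over the lazy dog"  # constructed payload
    array = build_array(data, n_data=3, distributed=distributed)
    degraded = fail_drive(array, 1)
    repaired = rebuild_onto_spare(degraded, 1)
    return {
        "degraded_read_ok": read_back(degraded, len(data), distributed) == data,
        "spare_matches_lost_drive": repaired[1] == array[1],
        "repaired_read_ok": read_back(repaired, len(data), distributed) == data,
    }


if __name__ == "__main__":
    print("RAID 4:", demo(distributed=False))
    print("RAID 5:", demo(distributed=True))
```

Until the rebuild completes, every read of the lost drive's blocks costs a full-stripe XOR and a second failure is unrecoverable; a hot spare shortens that window by starting the rebuild immediately instead of waiting for an operator.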

Hot, warm and cold sites

A backup site is a location where a business can easily relocate following a disaster such as a fire or flood. There are three types of backup sites: cold sites, warm sites, and hot sites. The differences between the types are determined by the costs and effort required to implement each.

Hot Site is a duplicate of the original site of the business, with full computer systems as well as near-complete backups of user data. Following a disaster, the hot site exists so that the business can relocate with minimal losses to normal operations. Ideally, a hot site will be up and running within a matter of hours. This type of backup site is the most expensive to operate.

Warm Site is a location where the business can relocate to after the disaster that is already stocked with computer hardware similar to that of the original site, but does not contain backed up copies of data and information.

Cold Site is the most inexpensive type of backup site for a business to operate. It does not include backed up copies of data and information from its original location, nor does it include hardware already set up. The lack of hardware contributes to the minimal startup costs of the cold site, but requires additional time following the disaster to have the operation running at a capacity close to that prior to the disaster.