Network attacks might come from hostile nations, terrorists, criminals, hackers, disgruntled employees, and corporate competitors. An attacker's motivations might include intelligence gathering, the theft of intellectual property, denial of service (DoS), the embarrassment of the company or its clients, or simply the challenge of exploiting a notable target.
As enterprises open their networks to the public, they also expose those networks to attacks. The result is tighter security policies. Just imagine the damage done to an e-business company when a credit card information breach happens.
Organizations today are struggling with viruses and malicious attacks that are incredibly complex. These new blended threats package a combination of virus and worm technology into an extremely elusive attack vehicle.
Firewalls are designed to deny all traffic and only allow certain traffic by explicit exception. Basic firewalls perform static packet filtering, which examines a packet based on the information in its header. Protocol headers have accepted usage standards, which can be translated into rules for determining compliance that the firewall can enforce. The drawback to this approach is that most attacks actually adhere to protocol standards, rendering the firewall blind to their malicious intent.
More advanced firewalls perform stateful inspection, which tracks each connection traversing all interfaces of the firewall and makes sure it is valid. For example, a stateful firewall may examine not just the header information but also the contents of the packet up through the application layer in order to learn more about the packet than just its source and destination. As an added security measure against port scanning, stateful inspection firewalls close off ports until a connection to the specific port is requested.
Stateful packet inspection is limited: it can only block on ports. It cannot block malicious traffic based on the data payload at the application layer.
It is very common for stateful packet inspection to be followed by an intrusion prevention service/intrusion detection service (IPS/IDS) in the firewall traffic path. An IDS/IPS is a computer security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. An IDS/IPS can block attacks such as buffer overflow attacks, denial of service (DoS) attacks, sophisticated intrusions, and the small percentage of worms that fit within a single packet.
Anti-virus and anti-spyware services are often put into the firewall traffic pipeline. These services are capable of scanning streams for viruses, worms, trojans and spyware by looking them up in a virus and spyware signature database. Once a threat is found, the anti-virus and anti-spyware service cuts off the malware installation and delivery at the gateway and denies previously installed malware from communicating outbound.
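The following is an added Python example, not code from the original post, that models the layered gateway just described: stateful connection tracking, a default-deny static header filter, and a payload signature scan standing in for the IPS/anti-virus stage, with every decision written to a timestamped log as recommended later in the post. All addresses, ports and signature strings are constructed sample data; the `Gateway` class, `Packet` type and `SAMPLE_SIGNATURES` table are assumptions made for this illustration and do not correspond to any real product.

```python
"""Toy three-stage gateway: stateful tracking, static header rules, payload scan.
Constructed for illustration only; the packets and signatures are sample data."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False      # TCP SYN flag set
    ack: bool = False      # TCP ACK flag set
    payload: bytes = b""   # application-layer data carried by the packet


# Hypothetical signature strings (constructed, not real malware indicators).
SAMPLE_SIGNATURES = {
    b"SAMPLE-WORM-MARKER": "sample worm signature",
    b"SAMPLE-SPYWARE-BEACON": "sample spyware beacon",
}


class Gateway:
    def __init__(self, inside_prefix, published_ports, signatures):
        self.inside_prefix = inside_prefix          # e.g. "10.0.0." for the LAN
        self.published_ports = set(published_ports)  # inbound ports opened by policy
        self.signatures = signatures
        self.state = set()   # tracked connections as (client, cport, server, sport)
        self.log = []        # timestamped entries, one per blocked event

    def _log(self, msg):
        # Each entry carries the date/time and a brief description of the event.
        stamp = datetime.now(timezone.utc).isoformat(timespec="seconds")
        self.log.append(f"{stamp} {msg}")

    def _inside(self, ip):
        return ip.startswith(self.inside_prefix)

    def process(self, p):
        """Return "ALLOW" or "DROP:<stage>" for one packet, updating state and log."""
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        # Stage 1: stateful inspection. Packets of a tracked connection (either
        # direction) are accepted; anything else must be a fresh SYN, so stray
        # or unsolicited packets are dropped before any rule lookup.
        if fwd in self.state or rev in self.state:
            pass
        elif not (p.syn and not p.ack):
            self._log(f"DROP stateful: unsolicited packet "
                      f"{p.src}:{p.sport} -> {p.dst}:{p.dport}")
            return "DROP:stateful"
        # Stage 2: static header filter, default deny. An outbound SYN opens the
        # return path; an inbound SYN is accepted only to a published port.
        elif self._inside(p.src):
            self.state.add(fwd)
        elif p.dport in self.published_ports:
            self.state.add(fwd)
        else:
            self._log(f"DROP static: probe to closed port {p.dport} from {p.src}")
            return "DROP:static"
        # Stage 3: payload scan, the part that header-only inspection cannot do.
        for sig, name in self.signatures.items():
            if sig in p.payload:
                self._log(f"DROP payload: {name} from {p.src} to {p.dst}:{p.dport}")
                return "DROP:payload"
        return "ALLOW"


def demo():
    """Run a constructed packet sequence through the gateway; returns (verdicts, log)."""
    gw = Gateway("10.0.0.", published_ports={80, 443}, signatures=SAMPLE_SIGNATURES)
    packets = [
        # outbound SYN from a LAN client: opens state for the reply
        Packet("10.0.0.5", 40001, "203.0.113.9", 53, syn=True),
        # SYN/ACK reply to that tracked flow: allowed by state, not by a static rule
        Packet("203.0.113.9", 53, "10.0.0.5", 40001, syn=True, ack=True),
        # SYN/ACK from outside with no matching state: unsolicited, dropped
        Packet("198.51.100.7", 4444, "10.0.0.5", 40002, syn=True, ack=True),
        # inbound SYN to an unpublished port: a port probe, dropped by static rule
        Packet("198.51.100.7", 4444, "10.0.0.20", 22, syn=True),
        # inbound SYN to the published web port: allowed, state created
        Packet("198.51.100.7", 4445, "10.0.0.20", 80, syn=True),
        # protocol-compliant HTTP on the same flow carrying a signature hit
        Packet("198.51.100.7", 4445, "10.0.0.20", 80, ack=True,
               payload=b"GET /update HTTP/1.1\r\n\r\nSAMPLE-WORM-MARKER"),
    ]
    return [gw.process(p) for p in packets], gw.log


if __name__ == "__main__":
    verdicts, log = demo()
    for v in verdicts:
        print(v)
    print("\n".join(log))
```

The last packet is the case the post makes about static filtering: it is a valid HTTP request on a connection the firewall has already accepted, so the header and state stages pass it, and only the payload stage blocks it.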
The last line of defense is to secure all the endpoints on the network. Organizations usually automate the deployment of anti-virus and anti-spyware software, as well as signature updates, ensuring they are loaded onto each and every endpoint as soon as an update is available.
Last but not least, logging and alerting are very important for network security. The security appliance should keep comprehensive security logs and alert network administrators of important events, such as an attack on the security appliance itself. Each log entry should contain the date and time of the event and a brief message describing the event.
In summary, an organization must implement a comprehensive security policy to mitigate the threats at each point of vulnerability in a network. A multi-layered approach should provide protection at every level:
- Gateway: gateway anti-virus, IPS/IDS and anti-spyware provide real-time protection.
- Packets are scanned as they enter the network.
- Active threat protection is provided by monitoring files as they come into the network.
- At endpoints, up-to-date anti-virus and anti-spyware should be installed.
- Keep security logs and alert administrators.
- Have policies preventing users from downloading unauthorized programs from external storage devices and websites.
- An organization can apply access control to resources using authentication, authorization and auditing. The authentication methods can be username/password, certificates, smart cards, biometrics, etc.
The CCENT exam will ask you to explain today's increasing network security threats and the need to implement a comprehensive security policy to mitigate them.
Good luck with your CCENT and CCNA exams.