Network Security Overview
Tales from the trenches
Why security?
- increasingly hostile public network
- cost of downtime
- value of the information
Increasingly hostile public network
Increasingly hostile public network (2)
- intruders are prepared and organized
- Internet attacks are easy, low risk, and hard to trace
- intruder tools are
  - increasingly sophisticated
  - easy to use, especially by novice intruders
  - designed to support large-scale attacks
- source code is not required to find vulnerabilities
- the complexity of the Internet, protocols, and applications is increasing, along with our reliance on them
Increasingly hostile public network (3)
Cost of downtime
Value of the information
- Large stores of credit card information stored on DB servers
- Intellectual property valued in the millions
Basic Categories
- Policy
- Physical
- IP based
- Software/OS based
Holistic approach
Policy
- usage
- External services allowed
- Acceptable use
- User and resource architecture
- Virus response
IP based
- Routers
  - Packet filtering
- Firewalls
  - Packet inspection versus packet filter
  - Ability to build rulesets
- Switches/VLAN
  - Isolating IP segments using VLANs
Software
- Proxy servers
- Software firewalls vs. hardware
- OS security
- Unix/MS
- Patches and updates
Remote access
- security versus usability
  - P: drive access
- options for remote access
  - extranet
  - web access
  - VPN
  - Private dial up
Extranet
- Secure web site with access to specific data
- Requires login
- Can provide access to all information available “on site”
VPN
- Virtual private network
- Creates a secure tunnel between two points on a network
- All data traveling on the tunnel is encrypted
- Should use encryption for tunnel creation
Physical security
- Data center access
- Multi-homed
- Redundant utilities (power, HVAC)
- Fire suppression