Network security consists of the provisions made in an underlying computer network infrastructure, the policies adopted by the network administrator to protect the network and the network-accessible resources from unauthorized access, and the effectiveness (or lack of it) of these measures taken together.

Network security starts with authenticating any user. Once the user is authenticated, a firewall enforces access policies such as which services the network users are allowed to access. Though effective at preventing unauthorized access, this component fails to check potentially harmful content such as computer worms being transmitted over the network. An intrusion prevention system (IPS) helps detect and prevent such malware. An IPS also monitors network traffic for suspicious content, volume and anomalies to protect the network from attacks such as denial of service. Communication between two hosts using the network can be encrypted to maintain privacy. Individual events occurring on the network can be tracked for audit purposes and for later high-level analysis.

Honeypots, essentially decoy network-accessible resources, can be deployed in a network as surveillance and early-warning tools. Techniques used by attackers who attempt to compromise these decoy resources are studied during and after an attack to keep an eye on new exploitation techniques. Such analysis can be used to further tighten the security of the actual network being protected by the honeypot.

A firewall is an information technology (IT) security device configured to permit, deny or proxy data connections as set by the organization's security policy. Firewalls can be hardware-based, software-based, or both.

A firewall's basic task is to control traffic between computer networks with different zones of trust. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is (and should be) a zone with high trust. The ultimate goal is to provide controlled interfaces between zones of differing trust levels through the enforcement of a security policy and connectivity model based on the least-privilege principle and separation of duties.
A firewall is also called a Border Protection Device (BPD) in certain military contexts, where a firewall separates networks by creating perimeter networks in a demilitarized zone (DMZ). In a BSD context they are also known as a packet filter. A firewall's function is analogous to firewalls in building construction.
Proper configuration of firewalls demands skill from the firewall administrator. It requires considerable understanding of network protocols and of computer security. Small mistakes can render a firewall worthless as a security tool.
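The zone-of-trust model, the least-privilege default and the "small mistakes" warning above can be made concrete with a tiny packet filter. This is an added example, not code from the page or from any real firewall product; the zones, addresses, rules and the shadowed-rule check are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Constructed zones; any address in neither network is treated as "internet".
ZONES = {"dmz": ip_network("192.0.2.0/24"), "internal": ip_network("10.0.0.0/8")}

def zone_of(ip: str) -> str:
    addr = ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"          # the zone with no trust

@dataclass(frozen=True)
class Rule:
    src_zone: str              # "*" matches any zone
    dst_zone: str
    proto: str                 # "tcp", "udp" or "*"
    dport: Optional[int]       # None matches any destination port
    action: str                # "permit" or "deny"

    def matches(self, sz, dz, proto, dport) -> bool:
        return (self.src_zone in ("*", sz) and self.dst_zone in ("*", dz)
                and self.proto in ("*", proto) and self.dport in (None, dport))

    def covers(self, other) -> bool:
        """True if self is at least as broad as `other` in every field."""
        mine = (self.src_zone, self.dst_zone, self.proto, self.dport)
        theirs = (other.src_zone, other.dst_zone, other.proto, other.dport)
        return all(a in ("*", None, b) for a, b in zip(mine, theirs))

# Least-privilege policy: open only the paths the organisation needs.
POLICY = [
    Rule("internet", "dmz", "tcp", 443, "permit"),    # public web front end
    Rule("dmz", "internal", "tcp", 5432, "permit"),   # web tier to database
    Rule("internal", "*", "tcp", None, "permit"),     # outbound from trusted zone
]

def decide(policy, src_ip, dst_ip, proto, dport) -> str:
    """First matching rule wins; anything not explicitly permitted is denied."""
    sz, dz = zone_of(src_ip), zone_of(dst_ip)
    for rule in policy:
        if rule.matches(sz, dz, proto, dport):
            return rule.action
    return "deny"

def shadowed_rules(policy) -> list:
    """Indexes of rules that an earlier, broader rule makes unreachable."""
    return [j for j, r in enumerate(policy)
            if any(policy[i].covers(r) for i in range(j))]
```

Running `shadowed_rules` over a policy is the kind of sanity check that catches the classic mistake of a permit-any rule placed above the intended restrictions, which silently turns the default-deny posture into permit-all.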
An intrusion detection system (IDS) generally detects unwanted manipulations of computer systems, mainly through the Internet. The manipulations may take the form of attacks by skilled malicious hackers, or by script kiddies using automated tools.
An intrusion detection system is used to detect all types of malicious network traffic and computer usage that cannot be detected by a conventional firewall. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses, and worms).
An IDS is composed of several components: sensors, which generate security events; a console, to monitor events and alerts and to control the sensors; and a central engine, which records the events logged by the sensors in a database and uses a system of rules to generate alerts from the security events received. There are several ways to categorize an IDS depending on the type and location of the sensors and the methodology used by the engine to generate alerts. In many simple IDS implementations all three components are combined in a single device or appliance.
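The sensor/engine split described above, and the "contents, volume and anomalies" that the earlier paragraph says an IPS monitors, can be shown with a minimal rule engine. This is an added example, not code from the page or from any IDS product; the event format, the sensor feed, the thresholds and the "worm" signature string are all constructed.

```python
from collections import defaultdict, deque
from dataclasses import dataclass

@dataclass(frozen=True)
class Event:                # what a sensor reports to the engine
    ts: int                 # seconds
    sensor: str             # sensor that produced the event
    src: str                # source host
    kind: str               # "conn", "http" or "login_fail"
    detail: str = ""

class Engine:
    """Central engine: records every event, applies rules, emits alerts."""
    def __init__(self, signatures=("X-TEST-WORM-SIGNATURE",), conn_limit=20,
                 window=10, fail_limit=5):
        self.db = []                        # stands in for the event database
        self.sigs, self.conn_limit = signatures, conn_limit
        self.window, self.fail_limit = window, fail_limit
        self.conns = defaultdict(deque)     # src -> conn timestamps in window
        self.fails = defaultdict(int)       # src -> failed logins seen

    def ingest(self, ev):
        """Store one event and return alerts as (rule, src, ts) tuples."""
        self.db.append(ev)
        out = []
        # Content rule: payload carries a (constructed) worm signature.
        if any(s in ev.detail for s in self.sigs):
            out.append(("signature-match", ev.src, ev.ts))
        # Volume rule: too many connections from one source inside the window.
        if ev.kind == "conn":
            q = self.conns[ev.src]
            q.append(ev.ts)
            while ev.ts - q[0] > self.window:
                q.popleft()
            if len(q) == self.conn_limit:   # fires once, when the limit is hit
                out.append(("connection-flood", ev.src, ev.ts))
        # Host rule: repeated login failures reported by a host sensor.
        if ev.kind == "login_fail":
            self.fails[ev.src] += 1
            if self.fails[ev.src] == self.fail_limit:
                out.append(("repeated-login-failure", ev.src, ev.ts))
        return out

def run(events, **kw):
    eng = Engine(**kw)
    return [a for ev in events for a in eng.ingest(ev)]

def sample_events():
    """Constructed sensor feed: one signature hit, one flood, one brute force."""
    evs = [Event(90, "net-1", "203.0.113.9", "http", "GET /?q=X-TEST-WORM-SIGNATURE")]
    evs += [Event(100, "net-1", "203.0.113.9", "conn") for _ in range(30)]
    evs += [Event(100 + 3 * i, "net-1", "198.51.100.4", "conn") for i in range(5)]
    evs += [Event(110 + i, "host-5", "10.0.0.5", "login_fail", "user=admin") for i in range(6)]
    return evs
```

The slow, spread-out connections from the second source never trip the volume rule, which is the point of using a sliding window rather than a lifetime counter.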
A virtual private network (VPN) is a private communications network, often used by companies or organizations, to communicate confidentially over a public network. VPN traffic can be carried over a public networking infrastructure (e.g. the Internet) on top of standard protocols, or over a service provider's private network with a defined Service Level Agreement (SLA) between the VPN customer and the VPN service provider. A VPN can send data (e.g. voice, data or video, or a combination of these media) across secured and encrypted private channels between two points.
Using more than one factor is also called strong authentication; using just one factor, for example just a static password, is considered by some to be weak authentication. (Strong authentication also includes multi-factor schemes that do not include a physical factor such as a card or dongle; both factors can be online and still count as strong authentication.)
Common implementations of two-factor authentication use 'something you know' (a password) as one of the two factors, and use either 'something you have' (a physical device) or 'something you are' (a biometric such as a fingerprint) as the other factor. A common example of T-FA is a bank card (credit card, debit card); the card itself is the physical "something you have" item, and the personal identification number (PIN) is the "something you know" password that goes with it. See Chip and PIN for more information on this.