Network security consists of the provisions made in an underlying computer network infrastructure, the policies adopted by the network administrator to protect the network and its network-accessible resources from unauthorized access, and the effectiveness (or lack thereof) of these measures taken together.

Network security starts with authenticating users. Once a user is authenticated, a firewall enforces access policies, such as which services the network's users are allowed to access. Though effective at preventing unauthorized access, this component does not inspect potentially harmful content, such as computer worms, being transmitted over the network. An intrusion prevention system (IPS) helps detect and prevent such malware. An IPS also monitors network traffic for suspicious content, volume and anomalies, to protect the network from attacks such as denial of service. Communication between two hosts on the network can be encrypted to maintain privacy. Individual events occurring on the network can be logged for audit purposes and for later high-level analysis.
Honeypots, essentially decoy network-accessible resources, can be deployed in a network as surveillance and early-warning tools. The techniques used by attackers who attempt to compromise these decoy resources are studied during and after an attack in order to keep watch for new exploitation techniques. Such analysis can then be used to further tighten the security of the actual network the honeypot protects.
A firewall is an information technology (IT) security device configured to permit, deny or proxy data connections according to the organization's security policy. Firewalls can be hardware based, software based, or both.

A firewall's basic task is to control traffic between computer networks with different zones of trust. Typical examples are the Internet, which is a zone with no trust, and an internal network, which is (and should be) a zone with high trust. The ultimate goal is to provide controlled interfaces between zones of differing trust levels through the enforcement of a security policy and a connectivity model based on the principle of least privilege and separation of duties.
A firewall is also called a Border Protection Device (BPD) in certain military contexts, where a firewall separates networks by creating perimeter networks in a demilitarized zone (DMZ). In a BSD context they are also known as a packet filter. A firewall's function is analogous to that of firewalls in building construction.
Proper configuration of a firewall demands skill from the firewall administrator: it requires considerable understanding of network protocols and of computer security. Small mistakes can render a firewall worthless as a security tool.
An intrusion detection system (IDS) generally detects unwanted manipulation of computer systems, mainly arriving via the Internet. The manipulation may take the form of attacks by skilled malicious hackers or by script kiddies using automated tools.
An intrusion detection system is used to detect all types of malicious network traffic and computer usage that a conventional firewall cannot detect. This includes network attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, and malware (viruses, trojan horses and worms).
An IDS is composed of several components: sensors, which generate security events; a console, to monitor events and alerts and to control the sensors; and a central engine, which records the events logged by the sensors in a database and applies a system of rules to the security events it receives in order to generate alerts. There are several ways to categorize an IDS, depending on the type and location of the sensors and on the methodology the engine uses to generate alerts. In many simple IDS implementations all three components are combined in a single device or appliance.
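As an added example (not from the original text or any particular IDS product), the following Python sketches the sensor/engine split described above: sensors emit events, and a central engine records each one and runs a small rule set over it to raise alerts for the host-based cases the text lists (repeated failed logins, access to sensitive files, privilege escalation). The event trace, host names, sensor names and thresholds are all constructed for the example.

```python
from collections import defaultdict, deque
from dataclasses import dataclass, field
SENSITIVE_FILES = ("/etc/shadow", "/etc/sudoers")

@dataclass(frozen=True)
class Event:            # one security event as reported by a sensor
    ts: int             # seconds into the constructed trace
    sensor: str
    kind: str           # "auth_fail", "auth_ok", "file_access" or "priv_change"
    host: str
    actor: str          # source address or user name
    detail: str = ""

@dataclass
class Engine:           # records every event, runs each rule over it, emits alerts
    db: list = field(default_factory=list)
    alerts: list = field(default_factory=list)
    fails: dict = field(default_factory=lambda: defaultdict(deque))

    def ingest(self, ev):
        self.db.append(ev)
        for rule in (self.rule_brute_force, self.rule_sensitive_file, self.rule_escalation):
            alert = rule(ev)
            if alert:
                self.alerts.append(f"[{ev.sensor}] {alert}")
    def rule_brute_force(self, ev, limit=5, window=60):
        # Unauthorized-login rule: `limit` failures for one (host, source) within `window` s.
        if ev.kind != "auth_fail":
            return None
        q = self.fails[(ev.host, ev.actor)]
        q.append(ev.ts)
        while ev.ts - q[0] > window:      # forget failures that fell out of the window
            q.popleft()
        return f"{limit} failed logins on {ev.host} from {ev.actor}" if len(q) == limit else None
    def rule_sensitive_file(self, ev):
        if ev.kind == "file_access" and ev.detail in SENSITIVE_FILES:
            return f"{ev.actor} read {ev.detail} on {ev.host}"
    def rule_escalation(self, ev):
        if ev.kind == "priv_change" and ev.detail == "uid=0":
            return f"{ev.actor} gained root on {ev.host}"

def run_trace():
    # Constructed trace: five failed logins in 40 s, a benign login, then the web
    # server account reads /etc/shadow and becomes uid 0.
    events = [Event(t, "nids-1", "auth_fail", "web01", "198.51.100.7") for t in range(0, 50, 10)]
    events += [Event(55, "hids-web01", "auth_ok", "web01", "alice"),
               Event(70, "hids-web01", "file_access", "web01", "www-data", "/etc/shadow"),
               Event(71, "hids-web01", "priv_change", "web01", "www-data", "uid=0")]
    engine = Engine()
    for ev in events: engine.ingest(ev)
    return engine.alerts
```

The brute-force rule fires once when the threshold is reached and again only after enough old failures age out of the window, which keeps a noisy source from producing one alert per attempt.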
A virtual private network (VPN) is a private communications network, often used by companies or organizations, to communicate confidentially over a public network. VPN traffic can be carried over a public networking infrastructure (e.g. the Internet) on top of standard protocols, or over a service provider's private network with a defined Service Level Agreement (SLA) between the VPN customer and the VPN service provider. A VPN can carry voice, data or video, or a combination of these media, across secured and encrypted private channels between two points.
Using more than one factor is also called strong authentication; using just one factor, for example a single static password, is considered by some to be weak authentication. (Strong authentication also includes multi-factor schemes that do not involve a physical factor such as a card or dongle; both factors can be online and still count as strong authentication.)
Common implementations of two-factor authentication use 'something you know' (a password) as one of the two factors, and either 'something you have' (a physical device) or 'something you are' (a biometric such as a fingerprint) as the other. A common example of T-FA is a bank card (credit card, debit card): the card itself is the physical "something you have" item, and the personal identification number (PIN) is the "something you know" password that goes with it. See Chip and PIN for more information.