
Explain how to enhance security through network design and network security devices

Network Security Design

A network security design is a comprehensive list of strategies and methods implemented in a system to provide enhanced security. A step-by-step approach to designing network security helps address varied security issues at different levels of the system. An attack can emanate from multiple sources and affect different layers of the security. A well-designed network can prevent attacks directed at all layers of the network and protect all the network devices and, most importantly, the data. A security design can be broken down into the following categories.

Identify Network Assets: An organization must first identify the goals and requirements for network security. Depending on the requirements, the network assets around which the security is designed must be selected. Network assets can include network hosts (including the hosts' operating systems, applications, and data), internetworking devices such as routers and switches, and the network data that traverses the network.

Analyze Security Risks: Risks can range from hostile intruders to untrained users who download Internet applications that carry viruses. Hostile intruders can steal data, change data, and cause service to be denied to legitimate users. Malware attacks and denial-of-service (DoS) attacks have become increasingly common in the past few years. Generally, the risk associated with an organization can be attributed to the nature of its business; for example, government bodies, banks and financial organizations are prone to hostile attacks.

Develop a Security Plan and a Policy: A security plan is the formal first step in designing network security. A security plan is basically high-level documentation that details the steps to be taken to meet the security requirements. It specifies the time, people, and resources, both technical and non-technical, needed to develop and implement the security design framework. To be useful, a security plan needs the cooperation and support of management, end users, technical staff and so on.

A security policy is the combination of rules that the users of the network must abide by. The most common components of a security policy are an access policy, an authentication policy, an accountability policy and a privacy policy.

Maintaining Security: The last and most important part of security design is to maintain security and be on the lookout for developments in the security arena. There are several security measures that an organization can implement to enhance the design of the security. These include a demilitarized zone (DMZ), which resides outside the secure network and acts as a separate network; this allows intruders to access the demilitarized zone but not the secure network. Through subnetting, users are allowed to access only specific sub-networks; this is done through the use of routers. Similar to subnetting, VLANs are used to logically group users scattered around a building or a campus and allow them access to the secure network, with the added capability of isolating sensitive traffic.

Network Devices: The network hardware used in designing the network can provide a basic form of defense against threats. The built-in security features are generally useful for attaining minimal security against attackers. Some standard network devices include the following.

Hub: A hub is a standard network device that connects multiple Ethernet devices so that they perform as a single network segment. It is a multiport repeater that passes on whatever it receives. As it operates at the Physical Layer, it does not read the contents of the data or determine the source or destination. Because of this, it poses a severe security risk, which is why it is rarely used today.

Switches: A switch is similar to a hub, but differs in how it assesses the data it receives. It operates at the Data Link Layer. By analyzing the media access control (MAC) address of the frames that pass through it, a switch can determine the port for which a frame is intended and pass it on to the designated port. It improves security by separating frames based on their destination ports. Several attacks can be prevented by applying certain defense mechanisms in the switch. For example, MAC flooding can be prevented by using a switch that can close a port that has too many MAC addresses: whenever there is an overflow of MAC addresses, it automatically closes that port to prevent further flooding. By assigning only one port per MAC address, a switch can deny access to devices impersonating MAC addresses. Also, securing the switch in a locked room can prevent port mirroring, as the attacker will not have physical access to the switch to connect a device.

Routers: A router operates at the Network Layer. When it receives a packet of information, it reads the destination address and then, using the information in its routing table, sends the packet to the next network toward its destination. The security function a router can perform is to deny IP directed broadcasts or incoming packets that have invalid addresses.

Load Balancers: A load balancer basically distributes work evenly across a network. It reduces the overload on a single component, optimizes bandwidth and reduces network downtime. One of the major security advantages of using a load balancer is the detection and prevention of denial-of-service attacks and protocol attacks, each of which carries an enormous load and can cripple a server within a short time.

There are several network security devices that are specifically used for providing security on the network. These include the following.

Firewalls: A firewall is basically a packet filter that inspects each packet that reaches it and, based on predefined settings, either grants access or denies entry to the network. Hardware firewalls are generally the first line of defense against unauthorized packets. When a packet reaches a firewall, the firewall takes one of the following three actions based on the content, source and destination of the packet: allow, block, or prompt for user intervention. In stateless packet filtering, a packet will pass through if it is intended for a specific user or network. In stateful packet filtering, a user has to request a particular packet to be transmitted from an external server before it can pass through the firewall.

Proxies: A proxy server is a computer or an application program that intercepts a user request from the internal secure network and then processes that request on behalf of the user. Generally, when a client requests a service, it connects directly to the external server through a remote server. In the case of a proxy server, the client first connects to the proxy server, which checks its memory to see whether any previous request exists and whether it has already been met. If the request has not previously been met, the proxy connects to the external server using its own proxy IP address instead of the original client's IP address. This service as an intermediary serves as a security measure for the client. It prevents malware from attacking the internal system by intercepting it before it can reach the core network.

Honeypot: A honeypot is basically used to trick attackers into accessing a system stationed in the demilitarized zone that seems to hold all the authentic data. This serves several security purposes. It generally protects the core network by diverting attacks to a different location. It gives an early warning of any attacks that are brewing. It also allows the network administrator to examine the attack patterns and then take the necessary actions to protect the network itself.

Intrusion Detection and Prevention: Almost all the devices discussed above provide passive security for the network. An intrusion detection system (IDS) provides active security to the network, active in the sense that it can detect the threat as it occurs. It can perform statistical and anomaly analysis. An intrusion prevention system (IPS) can dynamically block traffic by adding rules to a firewall or by being configured to deny or allow traffic as it enters a firewall. So basically an IPS is a form of IDS that can prevent an attack in addition to detecting it. There are two types of IDS devices.

Host IDS: A host IDS resides on an individual host and monitors that host, so it is present in each system, such as a server or a desktop. It generally protects some common functions of a desktop system, such as system calls, file system access, system registry settings and host input/output. These are some of the security enhancements that help the desktop system stay protected against threats. Host IDSs are designed to be integrated with the existing antivirus, anti-spyware and firewall software installed on the local host computer.

Network IDS: A network IDS monitors all the network traffic it comes across and searches for predefined signatures of malicious events. A network IDS is often placed on a subnet that is directly connected to a firewall. This allows the IDS to monitor the traffic that has been allowed through and look for suspicious activity. Generally, an NIDS uses protocol stack verification, application protocol verification and logs to evaluate each packet. This helps in identifying zombie bots and the packets originating from them, which protects the system from denial-of-service and distributed denial-of-service attacks. It helps the network administrator take the necessary action as soon as possible, as the detection occurs in real time.
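The stateless-versus-stateful distinction from the firewall section and the placement of a network IDS behind the firewall, worked as one small Python simulation; this is example code added here, not part of the original text. The internal subnet 10.0.0.0/24, all addresses, ports and payloads, the single IDS signature, and the stateless rule (admit anything that looks like a web server reply) are constructed for illustration.

```python
"""Added example, not from the original text: a toy stateful packet filter that
hands the traffic it admits to a signature-matching network IDS. All data is constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

INSIDE = ip_network("10.0.0.0/24")            # assumed internal subnet behind the firewall
SIGNATURES = {b"cmd.exe": "cmd-in-payload"}   # constructed IDS signature

@dataclass(frozen=True)
class Packet:
    src: str; sport: int; dst: str; dport: int
    arrived_on: str          # "inside" or "outside" interface of the firewall
    payload: bytes = b""

def stateless_decide(pkt, _flows):
    """Static rule only (assumed policy): admit anything that looks like a web reply."""
    if pkt.arrived_on == "inside":
        return "allow"
    return "allow" if pkt.sport == 80 and pkt.dport >= 1024 else "block"

def stateful_decide(pkt, flows):
    """Record outbound flows; admit inbound only as a reply to one of them."""
    if pkt.arrived_on == "inside":
        flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
        return "allow"
    if ip_address(pkt.src) in INSIDE:                    # inside source arriving from outside: spoofed
        return "block"
    if ip_address(pkt.dst) == INSIDE.broadcast_address:  # IP directed broadcast
        return "block"
    if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in flows:
        return "allow"                                   # reply to a request an inside host made
    return "block"                                       # unsolicited inbound packet

def nids_alerts(pkt):
    """Signature check, run only on packets the firewall admitted."""
    return [name for sig, name in SIGNATURES.items() if sig in pkt.payload]

def run(packets, decide):
    flows = set()   # connection table shared across the packet sequence
    return [(v, nids_alerts(p) if v == "allow" else [])
            for p in packets for v in [decide(p, flows)]]

SAMPLE = [  # constructed traffic, in arrival order
    Packet("10.0.0.5", 40000, "203.0.113.9", 80, "inside", b"GET / HTTP/1.1"),
    Packet("203.0.113.9", 80, "10.0.0.5", 40000, "outside", b"HTTP/1.1 200 OK"),
    Packet("203.0.113.9", 80, "10.0.0.6", 40000, "outside", b"HTTP/1.1 200 OK"),  # unsolicited
    Packet("10.0.0.9", 5555, "10.0.0.5", 445, "outside", b""),                    # spoofed source
    Packet("198.51.100.4", 53, "10.0.0.255", 7, "outside", b"\x00" * 8),          # directed broadcast
    Packet("203.0.113.9", 80, "10.0.0.5", 40000, "outside", b"200 OK\r\n\r\ncmd.exe /c"),
]
```

Run over SAMPLE, the stateless filter admits the third packet, an unsolicited reply to a host that never sent a request, while the stateful filter blocks it; the last packet is admitted by both because it is a genuine reply, and only the IDS flags its payload.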

