Network Layout

The network layout has much influence over the security of the network. The placement of servers with respect to the firewall and various other computers can affect both network performance and security. There may even be areas of the network that are more secure than others. Some of these areas may be further protected with an additional firewall. A typical network is shown below.

Figure: General Network Layout with Firewall

In this network, the box labeled "IDS" is an intrusion detection system, which may be a computer or a dedicated device designed to log network activity and detect any suspicious activity. In this diagram it is shown outside the firewall, on the semi-private network, and protecting the servers on the private network. It may be a good idea to place an IDS just inside the firewall to protect the entire private network, since an attack may be launched first against a workstation before being launched against a server. The IDS protecting the servers could be moved to protect the entire private network, but depending on cost and requirements it is also good to protect your servers, especially the mail server.

The semi-private network is commonly called a "DMZ" (for DeMilitarized Zone) in many security circles. In this diagram the semi-private network contains a mail relay box to increase security, since the mail server is never accessed directly from the internet. The mail relay box routes mail between the internet and the mail server.

Other network equipment used includes:

  • Routers - Used to route traffic between physical networks. Many routers provide packet filtering using access control lists (ACLs). This can enhance network security when configured properly. Routers can be configured to drop packets for some services and also to drop packets depending on the source and/or destination address. Therefore routers can help raise the security between different segments of a network and also help isolate the spread of viruses.
  • Switches - A switch is used to regulate traffic at the data link layer of the OSI network model. This is the layer which uses the Media Access Control (MAC) address. It is used to connect several systems to the network and regulates network traffic to reduce traffic on the network media. This can reduce collisions.
  • Media - The physical cable that carries the signal for the network traffic.

Routers can be set up to perform packet filtering to enhance network security.

Network/User Functions

Considering how each computer system on the network is used is a very important part of computer and network security. These considerations can even be used to reduce costs where necessary.

Many times when security vulnerabilities are published, an older version of the software may no longer be supported by the manufacturer. This may require an operating system upgrade or an additional license to be purchased to upgrade specific software, which may be cost-prohibitive for many organizations. When dealing with these situations, it is important to consider your network layout and how it is used.

One consideration that should be kept in mind when dealing with network security is which users can perform which functions and which computers those users can use. For example, the following situation may exist in an organization:

  • Some users can send and receive both internal and external e-mail, while others can only send and receive internal e-mail.
  • The systems of users who can only send and receive internal e-mail are never used by users who can use external e-mail.

Considering this situation, the computers that can only receive internal e-mail are less of a security risk than those that can receive external e-mail. Many viruses spread through e-mail. If the computers that send and receive external e-mail do not get the virus, then it is not likely to spread to those computers that only deal with internal e-mail. Therefore it is more important to fix application vulnerabilities on computers that deal with external e-mail than on those that do not. In this way, a virtual perimeter of protection may be established in an organization. This may not be the most secure network configuration, but it is much more secure than not updating any computers at all.