To defend the internal network effectively, any security personnel charged with this responsibility should first consider the perimeter. The perimeter is the network boundary, the frontier where data flows in from (and out to) other network segments (Mosson, 2009). Segments of a network are joined by routers, switches, hubs, bridges and gateways (Cole, Krutz and Conley, 2005).
A number of general strategies are used to protect the internal network; they are evaluated below.
Firewall Implementation
Often, the first thing people think of in network perimeter defense is a firewall (Posey, 2003). In most common environments, firewalls are placed at the terminal ends of every network segment (Cole, Krutz and Conley, 2005). A firewall's basic job is to permit or stop packets from flowing into or out of a network. For perimeter security implementation, firewalls are available as software (installed inside a router) or as a stand-alone hardware appliance (Mosson, 2009).
No firewall implementation will protect the network if it is not configured properly. Thus, a strategy suggested by Troester (2004) is to use the "principle of least privilege", meaning denying all traffic by default and permitting only what is explicitly required.
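The difference between a default-permit and a default-deny rule base, shown as an added example that is not part of the original essay or of Troester's paper. The rule format, the addresses (documentation ranges) and the function names are assumptions made for illustration.

```python
import ipaddress

# Constructed rule sets; addresses are documentation ranges, not from the essay.
# Rule format (assumed): (action, source network, destination network, port or None for any)
DEFAULT_ALLOW = {
    "default": "permit",
    "rules": [("deny", "0.0.0.0/0", "192.0.2.0/24", 23)],
}
DEFAULT_DENY = {
    "default": "deny",
    "rules": [
        ("permit", "0.0.0.0/0", "192.0.2.10/32", 443),
        ("permit", "198.51.100.0/24", "192.0.2.20/32", 25),
    ],
}

def decide(policy, src, dst, port):
    """First matching rule wins; otherwise the policy default applies."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_port in policy["rules"]:
        if (s in ipaddress.ip_network(src_net)
                and d in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return policy["default"]

def audit(policy):
    """Return findings that contradict least privilege."""
    findings = []
    if policy["default"] != "deny":
        findings.append("default action is not deny")
    for i, (action, src_net, dst_net, rule_port) in enumerate(policy["rules"]):
        if action == "permit" and rule_port is None:
            findings.append(f"rule {i} permits every port")
        if action == "permit" and src_net == dst_net == "0.0.0.0/0":
            findings.append(f"rule {i} permits any source to any destination")
    return findings

if __name__ == "__main__":
    # Constructed traffic: a database port that nobody wrote a rule for.
    for name, policy in (("default-allow", DEFAULT_ALLOW), ("default-deny", DEFAULT_DENY)):
        print(name, decide(policy, "203.0.113.5", "192.0.2.30", 3306), audit(policy))
```

Under the default-permit policy the unanticipated database port is reachable because no one thought to block it; under default-deny it is dropped without needing a rule.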
In addition, Noonan (2004) argued that the firewall must be hardened. He suggested four (4) measures to achieve this:
1. Implementing authentication and authorization, allowing only authorized users to connect to and manage firewalls.
2. Hardening remote administration by turning off web-based Telnet and SSH services.
3. Hardening firewall services and protocols such as SNMP, NTP, syslog and TFTP.
4. Using redundancy to harden the firewall by obtaining identical hardware/software and configuring them accordingly.
A further defense strategy is to identify how well a firewall is functioning. Posey (2003) suggested that port scanning should be performed. A port scan is a technique by
References:
Cole, E., Krutz, R., Conley, J. (2005). Network Protocols. Retrieved from http://eccouncil.books24x7.com/viewer.asp?bookid=12199&chunkid=0466757851
Krebs, B. (2003). A Short History of Computer Viruses & Attacks. Retrieved from http://www.securityfocus.com/news/2445
Mosson, A. (2009). Securing Your Network Perimeter. Retrieved from http://www.focus.com/briefs/security-edge-locking-down-network-perimeter/#
Noonan, W. (2004). Hardening Network Infrastructure. California: McGraw-Hill/Osborne.
Posey, B. (2003). Defend Your Network's Perimeter with these strategies. Retrieved from http://www.techrepublic.com/article/defend-your-networks-perimeter-with-these-strategies/5031673
Troester, S. (2004). Implementing a Defense-in-depth Strategy in a non-profit organization. Retrieved from http://www.giac.org/paper/gslc/33/implementing-defense-in-depth-strategy-non-profit-organization/105867