Thursday, February 8, 2007

Network Security

Network security can be divided into two general classes:
1) Methods used to protect data as it transits a network
2) Methods which control which packets may transit the network

Both drastically affect the traffic going to and from a site, but their aims are quite different.
1) Transit Security:
The public network itself offers no protection for data in transit: whatever crosses it can be read or altered along the way. A number of methods are available to encrypt traffic between sites. The two general approaches are described below.

Virtual Private Networks:
A VPN constructs a private network by using an existing IP network to carry the lowest layers of a second IP stack. Ordinarily, IP traffic is sent in encapsulated form across various kinds of physical networks: each system attached to a physical network implements a standard for sending IP datagrams over that link (standards exist for many link types, Ethernet and point-to-point links being the most common), and once an IP packet has been received from the link it is handed to the higher layers of the TCP/IP stack for processing.

When a virtual private network is designed, the lowest layer of the second TCP/IP stack is built on top of an existing TCP/IP connection instead of a physical link, so each inner packet travels as the payload of an outer one. There are a variety of ways to achieve this, trading off abstraction against efficiency. Secure data transfer is then only a single step further away, because the VPN gives the network designer complete control over this virtual link layer: it is entirely within the designer's power to encrypt the connection there, and once that is done all traffic of any type over the VPN is encrypted, whether it originates at the application layer or at the lowest layers of the stack. The primary benefits of VPNs are that they offer private address space and that the packet encryption or translation overhead can be done on dedicated systems, reducing the load placed on production machines.

Packet Level Encryption:
The other way is to encrypt traffic at a higher layer of the TCP/IP stack. A number of methods exist for the secure authentication and encryption of telnet and rlogin sessions; these are examples of encryption at the highest level of the stack, the application layer. The benefits of encrypting traffic at a higher layer are that the processor overhead of running a VPN is avoided, existing applications and the network between the hosts are unaffected (only the two ends of the encrypted session need to change), and it is much easier to build a client program that supports application layer encryption than to build a VPN. The corresponding cost is that only that session is protected; every other protocol between the same hosts still crosses the network in the clear.
Both methods have performance impacts on the hosts that implement the protocols and on the networks that connect those hosts. Even the simplest encapsulation or conversion of a packet into a new form costs CPU time and adds header bytes that consume network capacity. Encryption is a CPU-intensive process, and encrypted packets may need to be padded to a uniform length, which some algorithms require and which also hides the true message sizes from an observer. Both methods also affect other areas that need to be considered before choosing which is best for a particular case.
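The encapsulation that a VPN's virtual link layer performs, and the header and padding overhead discussed above, as an added example that is not part of the original post: the code below builds IPv4 datagrams, wraps an inner datagram inside an outer one as IP-in-IP (protocol number 4, RFC 2003), pads the inner packet to a uniform length before encapsulation, and unwraps it at the far end while verifying both header checksums. Encryption of the inner packet is left out so that the framing itself can be seen; the tunnel endpoint addresses, the 64-byte padding granularity and the packet contents are constructed for the example.

```python
import socket
import struct

IPPROTO_IPIP = 4        # IP-in-IP encapsulation, RFC 2003
IPV4_HEADER_LEN = 20    # minimal header, no options
PAD_BLOCK = 64          # assumed padding granularity for the tunnel (illustrative choice)


def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement checksum over an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4(src: str, dst: str, proto: int, payload: bytes, ttl: int = 64) -> bytes:
    """Serialize a minimal IPv4 datagram with a correct header checksum."""
    total_len = IPV4_HEADER_LEN + len(payload)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    return hdr + payload


def parse_ipv4(pkt: bytes) -> dict:
    """Validate the header and return its fields plus the payload, trailing padding excluded."""
    if len(pkt) < IPV4_HEADER_LEN:
        raise ValueError("truncated header")
    ver_ihl, _tos, total_len, _ident, _frag, ttl, proto, _csum, src, dst = struct.unpack(
        "!BBHHHBBH4s4s", pkt[:IPV4_HEADER_LEN])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or ihl < IPV4_HEADER_LEN or total_len < ihl or total_len > len(pkt):
        raise ValueError("malformed header")
    # A header whose checksum field is correct sums to zero when checksummed again.
    if ip_checksum(pkt[:ihl]) != 0:
        raise ValueError("bad header checksum")
    return {
        "src": socket.inet_ntoa(src), "dst": socket.inet_ntoa(dst),
        "proto": proto, "ttl": ttl,
        "payload": pkt[ihl:total_len],   # total_len lets the receiver discard tunnel padding
        "raw": pkt[:total_len],
    }


def encapsulate(inner: bytes, tunnel_src: str, tunnel_dst: str) -> bytes:
    """Pad the inner datagram to a multiple of PAD_BLOCK and carry it inside an outer IPv4 datagram."""
    pad = (-len(inner)) % PAD_BLOCK
    return build_ipv4(tunnel_src, tunnel_dst, IPPROTO_IPIP, inner + b"\x00" * pad)


def decapsulate(outer: bytes) -> bytes:
    """Strip the outer header and padding, returning the original inner datagram."""
    outer_hdr = parse_ipv4(outer)
    if outer_hdr["proto"] != IPPROTO_IPIP:
        raise ValueError("not a tunnel packet")
    return parse_ipv4(outer_hdr["payload"])["raw"]


def tunnel_overhead(inner: bytes) -> int:
    """Bytes added on the wire by the outer header plus padding (constructed endpoint addresses)."""
    return len(encapsulate(inner, "198.51.100.1", "203.0.113.1")) - len(inner)


if __name__ == "__main__":
    # Constructed inner packet: a private-address datagram with a dummy 5-byte payload.
    inner = build_ipv4("10.0.0.5", "10.0.0.9", 17, b"hello")
    outer = encapsulate(inner, "198.51.100.1", "203.0.113.1")
    print(len(inner), len(outer), tunnel_overhead(inner))
    print(decapsulate(outer) == inner)
```

A 25-byte inner packet becomes an 84-byte outer packet here: 20 bytes of outer header plus 39 bytes of padding, which is the "additional network capacity" the paragraph refers to. A corrupted outer or inner header fails the checksum check and is rejected before anything is handed up the stack.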

2) Traffic Regulation
The most common form of network security on the Internet is traffic regulation. If packets that would do something malicious to a remote host never reach it, the remote host remains unaffected. Traffic regulation places a screen between hosts and remote sites. It happens in three basic places: routers, firewalls and hosts. Each offers a similar service at a different point in the network.

a) Router traffic regulation:
Any traffic regulation that takes place on a router or terminal server is based on packet characteristics such as addresses, protocol and port numbers. This does not include application gateways, but does include address translation.
b) Firewall traffic regulation:
Traffic regulation or filtering performed by application gateways, which understand the application protocol rather than just the packet headers.
c) Host traffic regulation:
Traffic regulation performed at the destination of the packet. With the advent of filtering routers and firewalls, hosts play a smaller role in traffic regulation, although host filtering remains the last line of defence when the perimeter is bypassed.

Filters and access lists
Regulating the flow of packets between two sites is a fairly simple concept on the surface. It isn't difficult for a router or firewall simply to refuse to forward packets from a particular site. A few basic techniques are:
i) Restricting access in but not out:
Every TCP or UDP packet is addressed to a destination port. Packets from remote hosts that want a service will try to reach one of the well-known ports, which are listened on by the applications that offer services such as mail transfer and delivery, Usenet news, time, the Domain Name Service and various login protocols. It is straightforward for modern routers or firewalls to permit only these kinds of packets, and only to the specific machine that offers a given service; attempts to send any other kind of packet inward are refused. This protects the internal hosts while still permitting all packets to get out.

ii) The problem of returning packets:
Suppose you do not allow remote users to log into your systems unless they use a secure login application such as S/Key (one-time passwords), but your own users connect to remote sites with telnet or ftp. You therefore want to restrict incoming connections to one type of packet while permitting any type of outgoing connection. The difficulty is that, due to the nature of interactive protocols, the two ends negotiate a unique port number to use once a connection is established, and the replies to your users' outgoing connections arrive from outside on those ports, where a static inbound filter would drop them.

Modern routers and firewalls support the ability to dynamically open a small window for these packets if packets have recently been sent from an internal host to the external host on the same pair of ports. This permits connections initiated internally to complete and denies external connection attempts unless they are explicitly desired. The window should be keyed on the full source and destination addresses and ports and closed again after a period of inactivity; otherwise it becomes a hole that any external host can use.

iii) Dynamic route filters:
A more recent technique is the ability to dynamically add an entire set of route filters for a remote site when a particular set of circumstances occurs. With it, routers can automatically detect suspicious activity and deny a machine or an entire site access for a short time. In many cases this will stop any sort of automated attack on a site. The caveat is that an attacker who forges source addresses can trigger the block against someone else's site, so the block time is best kept short and the trigger conservative.
Filters and access lists can be applied on all three types of systems, although they are most common on routers.
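The three filtering techniques above, as a single added example that is not part of the original post: a small stateful border filter in Python that (i) admits inbound packets only to the well-known ports of the hosts that actually offer those services, (ii) admits returning packets only when the mirror-image outbound packet was seen recently, and (iii) blocks a source for a fixed time once it accumulates enough denials within a short window. The address block, service table, thresholds and packet trace are all constructed for the example, and packets are modelled as 5-tuples rather than real datagrams.

```python
from collections import defaultdict, deque

INTERNAL_PREFIX = "192.0.2."   # constructed: the site's own address block

# (host, proto, port) for each service the site offers to the outside (constructed table)
SERVICES = {
    ("192.0.2.10", "tcp", 25),    # mail transfer on the MX
    ("192.0.2.10", "tcp", 53),    # DNS
    ("192.0.2.10", "udp", 53),
    ("192.0.2.20", "tcp", 119),   # Usenet news
}


def is_internal(ip: str) -> bool:
    return ip.startswith(INTERNAL_PREFIX)


class PacketFilter:
    def __init__(self, services, return_window=60, deny_threshold=5, deny_window=30, block_time=300):
        self.services = set(services)
        self.return_window = return_window    # seconds a reply window stays open without traffic
        self.deny_threshold = deny_threshold  # denials within deny_window that trigger a block
        self.deny_window = deny_window
        self.block_time = block_time          # seconds a dynamic block lasts
        self.flows = {}                       # outbound 5-tuple -> time last seen (unbounded here)
        self.denials = defaultdict(deque)     # external ip -> times of recent denied packets
        self.blocked = {}                     # external ip -> time its dynamic block expires

    def decide(self, pkt, now):
        """pkt is (src, sport, dst, dport, proto); returns (verdict, reason)."""
        src, sport, dst, dport, proto = pkt

        # Anything leaving the site is allowed; remember the flow so its replies can come back.
        if is_internal(src):
            self.flows[(src, sport, dst, dport, proto)] = now
            return ("permit", "outbound")

        # (iii) A source that tripped the denial threshold is dropped until its block expires.
        if src in self.blocked:
            if now < self.blocked[src]:
                return ("deny", "blocked")
            del self.blocked[src]

        # (ii) Returning packet: the mirror image of a recent outbound packet, full 5-tuple match.
        key = (dst, dport, src, sport, proto)
        last = self.flows.get(key)
        if last is not None and now - last <= self.return_window:
            self.flows[key] = now           # activity keeps the window open
            return ("permit", "established")

        # (i) Inbound to a well-known port, and only on the host that offers that service.
        if (dst, proto, dport) in self.services:
            return ("permit", "service")

        # Everything else is dropped; repeated denials from one source arm the dynamic block.
        recent = self.denials[src]
        recent.append(now)
        while recent and now - recent[0] > self.deny_window:
            recent.popleft()
        if len(recent) >= self.deny_threshold:
            self.blocked[src] = now + self.block_time
            recent.clear()
            return ("deny", "blocked")
        return ("deny", "no-rule")


# Constructed trace, in time order: (time, src, sport, dst, dport, proto)
TRACE = [
    (0, "198.51.100.7", 40000, "192.0.2.10", 25, "tcp"),    # mail delivery to the MX
    (1, "198.51.100.7", 40001, "192.0.2.10", 23, "tcp"),    # telnet to the MX: not offered
    (2, "192.0.2.30", 51000, "203.0.113.5", 80, "tcp"),     # internal user connects out
    (3, "203.0.113.5", 80, "192.0.2.30", 51000, "tcp"),     # the reply, within the window
    (4, "203.0.113.5", 80, "192.0.2.30", 51001, "tcp"),     # same server, port never contacted
    (10, "198.51.100.9", 33001, "192.0.2.10", 21, "tcp"),   # a scanner walks the MX's ports
    (11, "198.51.100.9", 33002, "192.0.2.10", 22, "tcp"),
    (12, "198.51.100.9", 33003, "192.0.2.10", 23, "tcp"),
    (13, "198.51.100.9", 33004, "192.0.2.10", 79, "tcp"),
    (14, "198.51.100.9", 33005, "192.0.2.10", 110, "tcp"),  # fifth denial arms the block
    (15, "198.51.100.9", 33010, "192.0.2.10", 25, "tcp"),   # real service, but source is blocked
    (100, "203.0.113.5", 80, "192.0.2.30", 51000, "tcp"),   # late reply after the window closed
    (314, "198.51.100.9", 33011, "192.0.2.10", 25, "tcp"),  # block expired, service reachable again
]


def run_trace(trace=TRACE):
    """Feed the trace through a fresh filter and return the verdict for each packet."""
    f = PacketFilter(SERVICES)
    return [f.decide(p[1:], p[0]) for p in trace]


if __name__ == "__main__":
    for p, verdict in zip(TRACE, run_trace()):
        print(p, "->", verdict)
```

The scanner in the trace is cut off after five denials within thirty seconds and cannot reach even the legitimate mail port until the block lapses at t=314. That is also the point of the spoofing caveat: a flood of forged packets bearing a partner site's address would arm the same block against that partner, which is why the block here is short and the trigger counts only packets that were already going to be denied.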

There are two types of network security, transit security and traffic regulation, which when combined can help guarantee that the right information is securely transported to the right place. It should be clear that there is also a requirement to ensure that the hosts receiving the information will process it properly, and this raises the whole spectre of host security: a wide area which varies tremendously from one system to the next. With the growth in business use of the Internet, network security is rapidly becoming vital to the Internet's development. Security will become an integral part of our day-to-day use of the Internet and other networks.