Network Security
Several components share responsibility for security within a computing infrastructure; taken together, they yield a system whose level of assurance is greater than the sum of its parts.
The firewall provides perimeter security and supports secure connections to a WAN (Wide Area Network) through encrypted VPN tunnels, for example with 3DES keys (150 Mbps 3DES throughput).
The IDS with active response can block attacks such as Denial of Service, as well as intrusion attempts that exploit the network services exposed by the server systems.
802.1Q VLAN tagging and Layer-2 VLAN bridging, together with the firewall's virtualization technology, allow traffic policies to be applied at a granular level.
In addition to the traditionally defined policy, the network infrastructure must protect against intrusions and attacks of various kinds through a series of advanced technologies:
- Generalized flood protection
- SYN Flood Protection
- Strict TCP Validation
- Rejection of invalid TCP flag combinations
- Initial Sequence Number (ISN) rewriting for weak TCP stack implementations
- Fragment flood protection with robust fragment reassembly
- Generalized IP Packet Validation
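The following is an added example, not code from the original document or from any firewall product it describes. It shows in Python what "strict TCP validation" and "SYN flood protection" from the list above amount to in practice: a parser for the fixed TCP header, a validator that rejects the flag combinations no legitimate stack emits (SYN+FIN, SYN+RST, NULL, XMAS) plus inconsistent header fields, and a sliding-window counter that flags a destination receiving too many bare SYNs. The sample segments, the threshold and the window length are constructed for the demonstration.

```python
import struct
from collections import defaultdict, deque

# TCP flag bits in the low byte of the data-offset/flags word (RFC 793, RFC 3168).
FIN, SYN, RST, PSH, ACK, URG, ECE, CWR = (1 << i for i in range(8))


def build_tcp_header(sport, dport, flags, seq=0, ack=0, urg_ptr=0, data_offset=20):
    """Build a bare 20-byte TCP header; used here only to construct sample segments."""
    off_flags = ((data_offset // 4) << 12) | (flags & 0x1FF)
    return struct.pack("!HHIIHHHH", sport, dport, seq, ack, off_flags, 65535, 0, urg_ptr)


def parse_tcp_header(segment: bytes) -> dict:
    """Parse the fixed part of a TCP header from a raw segment (IP header already stripped)."""
    if len(segment) < 20:
        raise ValueError("truncated TCP header")
    sport, dport, seq, ack, off_flags, window, _csum, urg_ptr = struct.unpack(
        "!HHIIHHHH", segment[:20])
    return {
        "sport": sport, "dport": dport, "seq": seq, "ack": ack,
        "data_offset": (off_flags >> 12) * 4,   # header length in bytes
        "flags": off_flags & 0xFF,
        "window": window, "urg_ptr": urg_ptr, "length": len(segment),
    }


def strict_tcp_validate(hdr: dict) -> list:
    """Strict TCP validation: return the violations found (empty list = segment passes)."""
    f = hdr["flags"]
    problems = []
    if f == 0:
        problems.append("no flags set (NULL probe)")
    if f & SYN and f & FIN:
        problems.append("SYN and FIN set together")
    if f & SYN and f & RST:
        problems.append("SYN and RST set together")
    if f & (FIN | PSH | URG) == (FIN | PSH | URG):
        problems.append("FIN+PSH+URG set together (XMAS probe)")
    elif f & FIN and not f & ACK:
        problems.append("FIN without ACK")
    if hdr["urg_ptr"] and not f & URG:
        problems.append("urgent pointer set without URG flag")
    if hdr["data_offset"] < 20 or hdr["data_offset"] > hdr["length"]:
        problems.append("data offset outside the segment")
    if hdr["sport"] == 0 or hdr["dport"] == 0:
        problems.append("port 0 is reserved")
    return problems


class SynFloodMonitor:
    """Count bare SYNs per destination port over a sliding window (constructed thresholds)."""

    def __init__(self, window_s: float = 1.0, threshold: int = 100):
        self.window_s = window_s
        self.threshold = threshold
        self._syns = defaultdict(deque)   # (dst_ip, dport) -> timestamps of bare SYNs

    def observe(self, ts: float, dst_ip: str, hdr: dict) -> bool:
        """Return True when this segment pushes the destination over the threshold."""
        if hdr["flags"] & (SYN | ACK) != SYN:
            return False   # only half-open attempts (SYN without ACK) are counted
        q = self._syns[(dst_ip, hdr["dport"])]
        q.append(ts)
        while q and ts - q[0] > self.window_s:
            q.popleft()
        return len(q) > self.threshold


if __name__ == "__main__":
    samples = {   # constructed segments
        "handshake SYN": build_tcp_header(40000, 443, SYN, seq=1000),
        "SYN+FIN": build_tcp_header(40000, 443, SYN | FIN),
        "NULL": build_tcp_header(40000, 443, 0),
        "XMAS": build_tcp_header(40000, 443, FIN | PSH | URG),
    }
    for name, seg in samples.items():
        print(f"{name:14} -> {strict_tcp_validate(parse_tcp_header(seg)) or 'OK'}")
    mon = SynFloodMonitor(window_s=1.0, threshold=50)
    hdr = parse_tcp_header(samples["handshake SYN"])
    flood = [mon.observe(i * 0.01, "192.0.2.10", hdr) for i in range(60)]
    print("SYN flood flagged at segment", flood.index(True) + 1)
```

The validator is deliberately conservative: a segment that fails any check is reported rather than repaired, which is the behaviour a perimeter device needs before ISN rewriting or reassembly is even attempted.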
The firewall limits the risk of damage and disruption to the corporate LAN systems (spread across several subnets) in the unlikely event of an intrusion on the front-end system or of unauthorized access from the external network.
Networking Logical Separation
The design of the infrastructure platform must logically separate three areas:
- Internal LAN: made up of several subnets or VLANs (Application, Database, Network Management), protected internally by the perimeter firewall. In particular, the Application VLAN is terminated directly on the firewall to provide a higher level of internal security by limiting the risk of intrusion. The LAN is also monitored and protected in all its subnets by the Intrusion Detection System, which checks for attacks on machines inside the network, including attacks originating from other internal LAN nodes.
- External network: the network segment facing the outside, protected by the perimeter firewall, which blocks unwanted access and provides VPN security.
- DMZ: the network segment used to host servers such as web servers, dedicated to serving both static and dynamic pages, and servers that provide standard Internet services (mail, news, DNS, etc.). For this segment the outer perimeter firewall blocks unwanted access, also relying on the functionality of an Intrusion Detection System.
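To make the three-zone separation concrete, here is an added example (not part of the original design) of a default-deny forwarding policy written in Python. The address ranges, interface names (`wan0`, `dmz0`, `lan0`) and the internal tier ports are assumptions chosen for the demonstration; the design only names the zones and their roles. The evaluator classifies each address into a zone by longest matching segment, rejects packets whose source zone cannot legitimately arrive on the ingress interface (anti-spoofing), and then permits only the flows explicitly listed, which is how the external network reaches the DMZ but never the internal LAN.

```python
import ipaddress

# Constructed addressing: the design names the segments but not their address ranges.
SEGMENTS = {
    "internal_app":  ipaddress.ip_network("10.10.1.0/24"),
    "internal_db":   ipaddress.ip_network("10.10.2.0/24"),
    "internal_mgmt": ipaddress.ip_network("10.10.3.0/24"),
    "dmz":           ipaddress.ip_network("192.0.2.0/24"),
}
# Zones that may legitimately source traffic on each firewall interface (anti-spoofing).
INGRESS = {
    "wan0": {"external"},
    "dmz0": {"dmz"},
    "lan0": {"internal_app", "internal_db", "internal_mgmt"},   # 802.1Q trunk
}
# Permitted flows (src_zone, dst_zone, proto, dport); anything not listed is dropped.
# The internal tier ports (8080, 5432, 22) are assumptions, not values from the design.
POLICY = [
    ("external", "dmz", "tcp", 80), ("external", "dmz", "tcp", 443),
    ("external", "dmz", "tcp", 25), ("external", "dmz", "udp", 53),
    ("dmz", "internal_app", "tcp", 8080),
    ("internal_app", "internal_db", "tcp", 5432),
    ("internal_mgmt", "*", "tcp", 22),
]


def zone_of(ip: str) -> str:
    """Classify an address by longest matching segment; unknown addresses are external."""
    addr = ipaddress.ip_address(ip)
    best = None
    for zone, net in SEGMENTS.items():
        if addr in net and (best is None or net.prefixlen > SEGMENTS[best].prefixlen):
            best = zone
    return best or "external"


def decide(iface: str, src: str, dst: str, proto: str, dport: int) -> tuple:
    """Return (verdict, reason) for a packet the firewall is asked to forward."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    # A source address from a zone that does not sit behind this interface is spoofed.
    if src_zone not in INGRESS.get(iface, set()):
        return "drop", f"spoofed source: {src} ({src_zone}) arrived on {iface}"
    for s, d, p, port in POLICY:
        if s == src_zone and d in (dst_zone, "*") and p == proto and port == dport:
            return "accept", f"{src_zone} -> {dst_zone} {proto}/{dport} permitted"
    return "drop", f"no rule permits {src_zone} -> {dst_zone} {proto}/{dport}"


if __name__ == "__main__":
    packets = [   # constructed: (ingress interface, src, dst, proto, dport)
        ("wan0", "203.0.113.7", "192.0.2.10", "tcp", 443),    # Internet -> DMZ web
        ("wan0", "203.0.113.7", "10.10.1.20", "tcp", 8080),   # Internet -> app tier
        ("wan0", "10.10.1.20", "10.10.2.20", "tcp", 5432),    # spoofed internal source
        ("dmz0", "192.0.2.10", "10.10.2.20", "tcp", 5432),    # DMZ straight to database
        ("lan0", "10.10.1.20", "10.10.2.20", "tcp", 5432),    # app tier -> database
        ("lan0", "10.10.3.5", "192.0.2.10", "tcp", 22),       # management -> DMZ host
    ]
    for pkt in packets:
        verdict, reason = decide(*pkt)
        print(f"{verdict:6} {pkt[1]:>12} -> {pkt[2]:<12} {pkt[3]}/{pkt[4]:<5} {reason}")
```

The spoofing check runs before the policy lookup on purpose: an allow rule for `internal_app -> internal_db` must never be reachable by a packet that merely claims an internal source address while arriving on the WAN interface.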
IDS Intrusion Detection Systems
The Intrusion Detection System with active response detects intrusions and attempted attacks and handles each incident by recording log information and reacting automatically with active responses, such as a TCP Reset on a hostile connection.
The main objective is to minimize the number of events classified as false positives or false negatives, using the following criteria:
- Multiple methods of inspection
- Fingerprinting with support for regular expressions
- Protocol validation
- Protocol anomaly checking with multiple instances
- Event correlation in time (sequence) and space (groups)
- Monitoring of IDS evasion techniques by examining not only the individual packets transmitted but also the connections they belong to
The introduction of an IDS with active response is recommended because of the number and sophistication of today's network attacks.
The filtering performed by firewalls is in fact no longer sufficient on its own to ensure effective protection: network architectures based on Internet protocols are subject to vulnerabilities and weaknesses that the protection provided by the firewall alone can no longer contain.
For example, the firewall must be configured to pass the HTTP protocol (used for web site traffic) transparently, but unfortunately bugs, special configurations or custom application development in the web server components of the server systems can be exploited by attackers to take control of those systems with administrator privileges, or to cause damage and malfunctions.
The technology introduced by intrusion detection systems can detect situations like the one just described.
These systems work through a detailed analysis of the communication messages on the IP network and accurate tracking of the corresponding sessions, comparing them against a list of sequences known in the literature as possible intrusions or attacks, and can thus identify the threats.
After the detection phase, the system has several methods of response, such as:
- Log
- Alert, with gradual escalation and rule-based
- Record Connection for forensic analysis
- IP Blacklist
- TCP Reset
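The following is an added example, not code from the original document or from any IDS product it describes. It ties together the detection criteria listed earlier (regular-expression fingerprinting, protocol validation, correlation in time and in space) with the response ladder above (log, alert, record connection, IP blacklist, TCP reset) in one small Python engine. The signatures, the HTTP method check, the score thresholds and the sample events are all constructed for the demonstration; a real sensor would drive its "tcp_reset" and "ip_blacklist" actions through the network stack, whereas here they are only recorded in the result.

```python
import re
from collections import defaultdict, deque
from dataclasses import dataclass


@dataclass
class Event:
    """One inspected message: timestamp, endpoints and the application payload."""
    ts: float
    src: str
    dst: str
    dport: int
    payload: bytes


# Constructed fingerprints: (name, regular expression over the payload, severity).
SIGNATURES = [
    ("http-path-traversal", re.compile(rb"(\.\./){2,}"), 2),
    ("http-null-byte-in-request", re.compile(rb"%00"), 2),
]
HTTP_METHODS = {b"GET", b"POST", b"HEAD", b"PUT", b"DELETE", b"OPTIONS"}


def protocol_anomalies(ev: Event) -> list:
    """Protocol validation: traffic to the web port must begin with an HTTP request line."""
    if ev.dport == 80 and ev.payload.split(b" ", 1)[0] not in HTTP_METHODS:
        return [("http-invalid-method", 1)]
    return []


class ActiveResponseIDS:
    """Signature and protocol inspection, time/space correlation, escalating responses."""

    def __init__(self, window_s: float = 60.0, record_score: int = 3,
                 blacklist_score: int = 5, scan_targets: int = 3):
        self.window_s = window_s              # correlation window (assumed value)
        self.record_score = record_score      # start recording the connection
        self.blacklist_score = blacklist_score  # blacklist the source and reset
        self.scan_targets = scan_targets      # distinct hosts that count as a sweep
        self.history = defaultdict(deque)     # src -> deque of (ts, severity, dst)
        self.blacklist = set()
        self.log = []

    def inspect(self, ev: Event) -> dict:
        if ev.src in self.blacklist:          # already blacklisted: reset without inspection
            result = {"src": ev.src, "hits": [], "score": None, "actions": ["tcp_reset"]}
            self.log.append(result)
            return result
        hits = [(name, sev) for name, rx, sev in SIGNATURES if rx.search(ev.payload)]
        hits += protocol_anomalies(ev)

        # Correlation in time: keep only this source's findings inside the window.
        hist = self.history[ev.src]
        hist.extend((ev.ts, sev, ev.dst) for _, sev in hits)
        while hist and ev.ts - hist[0][0] > self.window_s:
            hist.popleft()
        score = sum(sev for _, sev, _ in hist)
        # Correlation in space: distinct hosts this source has triggered findings against.
        targets = {dst for _, _, dst in hist}

        actions = ["log"]                     # every inspected event is logged
        if hits:
            actions.append("alert")
        if score >= self.record_score or len(targets) >= self.scan_targets:
            actions.append("record_connection")   # keep the session for forensics
        if score >= self.blacklist_score:
            actions += ["ip_blacklist", "tcp_reset"]
            self.blacklist.add(ev.src)
        result = {"src": ev.src, "hits": hits, "score": score, "actions": actions}
        self.log.append(result)
        return result


if __name__ == "__main__":
    ids = ActiveResponseIDS()
    web = "192.0.2.10"                        # constructed DMZ web server address
    traffic = [                               # constructed sample session from one client
        Event(0.0, "203.0.113.5", web, 80, b"GET /index.html HTTP/1.1\r\n"),
        Event(1.0, "203.0.113.5", web, 80, b"GET /../../../../config.txt HTTP/1.1\r\n"),
        Event(2.0, "203.0.113.5", web, 80, b"\x16\x03\x01 not http"),
        Event(3.0, "203.0.113.5", web, 80, b"GET /a?x=%00 HTTP/1.1\r\n"),
        Event(4.0, "203.0.113.5", web, 80, b"GET / HTTP/1.1\r\n"),
    ]
    for ev in traffic:
        r = ids.inspect(ev)
        print(f"t={ev.ts:4.1f} score={r['score']} hits={[h for h, _ in r['hits']]} -> {r['actions']}")
```

Escalation is cumulative and rule-based, as the list above requires: a single low-severity finding only raises an alert, repeated findings inside the window cause the connection to be recorded, and only a source that keeps going is blacklisted and reset, which keeps a one-off false positive from triggering the most disruptive response.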

