The network is the entry point to your application. It provides the first gatekeepers that control access to the various servers in your environment. Servers are protected with their own operating system gatekeepers, but it is important not to allow them to be deluged with attacks from the network layer. It is equally important to ensure that network gatekeepers cannot be replaced or reconfigured by imposters. In a nutshell, network security involves protecting network devices and the data that they forward.
The diagram below shows the basic components of a network that act as the front-line gatekeepers: the router, the firewall, and the switch.

The router is the very first line of defense. It provides packet routing, and it can also be configured to block or filter the forwarding of packet types that are known to be vulnerable or used maliciously, such as ICMP or Simple Network Management Protocol (SNMP).
If you don't have control of the router, there is little you can do to protect your network beyond asking your ISP what defense mechanisms they have in place on their routers.
The configuration categories for the router are:
- Patches and updates
- Protocols
- Administrative access
- Services
- Auditing and logging
- Intrusion detection
Patches and Updates
Subscribe to alert services provided by the manufacturer of your networking hardware so that you can stay current with both security issues and service patches. As vulnerabilities are found — and they inevitably will be found — good vendors make patches available quickly and announce these updates through e-mail or on their Web sites. Always test the updates before implementing them in a production environment.
Use Ingress and Egress Filtering
Spoofed packets are a sign of probes, attacks, and a knowledgeable attacker. Incoming packets carrying an internal source address can indicate an intrusion attempt or probe and should be denied entry to the perimeter network. Likewise, set up your router to forward outgoing packets only if they have a valid internal source IP address. Verifying outgoing packets does not protect you from a denial of service attack, but it does keep such attacks from originating from your network.
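The two rules above, plus the protocol blocking mentioned in the router section, can be expressed as a small perimeter filter. The following is an added example, not code from the original post: it assumes a made-up internal address space (10.0.0.0/8 and 192.168.0.0/16), a made-up inbound policy that blocks ICMP and SNMP (UDP 161/162), and a handful of constructed packets; the rule order and the packet records are illustrative only.

```python
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Assumed internal address space of the protected network (constructed for this example).
INTERNAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Assumed inbound policy: the post names ICMP and SNMP as protocols a router can
# block; SNMP runs on UDP ports 161 (queries) and 162 (traps). None = any port.
BLOCKED_INBOUND = {("icmp", None), ("udp", 161), ("udp", 162)}


@dataclass(frozen=True)
class Packet:
    direction: str            # "in" = arriving from the ISP, "out" = leaving toward the ISP
    src: str                  # source IP address
    dst: str                  # destination IP address
    proto: str                # "tcp", "udp" or "icmp"
    dport: Optional[int] = None


def is_internal(addr: str) -> bool:
    """True if the address belongs to one of the assumed internal ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def filter_packet(pkt: Packet) -> Tuple[str, str]:
    """Apply the perimeter rules in order and return (verdict, reason)."""
    src_internal = is_internal(pkt.src)
    if pkt.direction == "in":
        # Ingress filter: an internal source seen on the outside interface is spoofed.
        if src_internal:
            return "deny", "ingress: spoofed internal source address"
        # Protocol blocking for traffic from the outside.
        if (pkt.proto, pkt.dport) in BLOCKED_INBOUND or (pkt.proto, None) in BLOCKED_INBOUND:
            return "deny", f"ingress: {pkt.proto} blocked at the perimeter"
        return "permit", "ingress: ok"
    if pkt.direction == "out":
        # Egress filter: only packets with a valid internal source may leave.
        if not src_internal:
            return "deny", "egress: source address not in internal space"
        return "permit", "egress: ok"
    raise ValueError(f"unknown direction {pkt.direction!r}")


def summarize(packets: List[Packet]) -> Dict[str, int]:
    """Count permit/deny verdicts over a list of packets."""
    counts = {"permit": 0, "deny": 0}
    for p in packets:
        counts[filter_packet(p)[0]] += 1
    return counts


# Constructed sample traffic (not captured data).
SAMPLE = [
    Packet("in", "203.0.113.7", "10.0.0.5", "tcp", 443),    # legitimate inbound HTTPS
    Packet("in", "10.0.0.9", "10.0.0.5", "tcp", 22),        # internal source from outside: spoofed
    Packet("in", "198.51.100.4", "10.0.0.5", "icmp"),       # ICMP from the outside
    Packet("in", "198.51.100.4", "10.0.0.5", "udp", 161),   # SNMP query from the outside
    Packet("out", "10.0.0.5", "203.0.113.7", "tcp", 443),   # legitimate outbound
    Packet("out", "172.16.5.5", "203.0.113.7", "udp", 53),  # source not in the assumed internal ranges
]

if __name__ == "__main__":
    for p in SAMPLE:
        print(p.direction, p.src, "->", p.dst, p.proto, filter_packet(p))
    print(summarize(SAMPLE))
```

Running it prints one verdict per sample packet and the totals (2 permitted, 4 denied). The point to notice is that egress checking never stops an inbound flood; it only stops this network from being the source of spoofed traffic, exactly as the post says.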
Hi Luke,
How are you? I hope you are fine. How's your life? I believe I am not close to 100 words yet but that doesn't really matter. I will reach the awesumzzzzz achievement of a hundred words soon. Notice I typed 'hundred' instead of typing in numerals as that takes up a couple more characters. Wait, it's 100 words right? Not characters. But that doesn't matter, it does no harm or does it? I don't know what to write anyway so I am typing aimlessly here. Please allow some time for me to get my head straight. Ok it seems that I have discovered what to write. Words will be over 9000!!!!! soon. Ok, here goes nothing-
I found this post very informative (pretty standard remark you know?), and I have learnt a lot about perimeter router security from it (another trite remark but who cares). Anyway, I liked how you drew an analogy between a gatekeeper and a perimeter router. The perimeter router acts sort of like a gatekeeper, being the first line of defence, and helps protect the internal network from attacks. Or at least that's what I gathered from your post. But it seems I have reached 100 words and thus I shall end my comment here. Goodbye and have a nice day.
Julian