Four steps to strengthen network protection

xiaoxiao2021-03-05  24

By following these four steps you can ease the burden of protecting your network. Here are some ways to strengthen your network protection.

Microsoft has recently been promoting the idea that if you want a truly secure network, you must pay attention to five important areas: perimeter protection, network protection, application protection, data protection, and host protection. In this article I discuss network protection as a layer of defense in depth.

Author Tip

Microsoft's security philosophy is that you should treat these five areas as independent and protect each of them separately. That way you can be sure each area has been properly protected, and if one layer comes under attack, the other four layers still protect your network. If you want to learn more about the other areas, see these articles:

Strengthen the protection of hosts in your network

Use these strategies to protect your network perimeter

Use these recommendations to protect your data

Enhance application protection to prevent network attacks

What is network protection?

First, the concept of network protection is rather broad, but nothing in this area is vague or too general. Network protection addresses the links between networks and the joining of all of them into one whole. It does not cover matters such as the external firewall or dial-up connections; those belong to perimeter security. Nor does it cover an individual server or workstation; that is a host protection problem. Network protection covers problems involving protocols and routers.

Internal firewall

Network protection does not include the external firewall, but that does not mean it does not involve firewalls at all. On the contrary, the first step in network protection I suggest is to use internal firewalls wherever possible. Internal and external firewalls are both foundations of security. The main difference is that an internal firewall's main job is to protect your machines from internal traffic. There are many reasons for internal firewalls.

First, imagine that a hacker or a virus takes control of your external firewall. He can then communicate with the internal network with no firewall in the way. Usually this means your network is completely open to the outside world. If you have internal firewalls, however, they will stop malicious packets that have slipped past the external firewall.

Another major reason to use internal firewalls is that many attacks are internal. You may have heard this statement before and think internal attacks are unlikely on your network, but I have seen internal attacks in the security department of every company I have worked for.

In two places I have worked, people in other departments were hackers or wanted administrative rights. They thought the network was a cool thing to show off with. In both places they had no malicious intent (or so they all claimed); they just wanted to show their friends the systems they had attacked. Whatever their motivation, they harmed network security. You must protect your network against attacks by such people.

In other places I have worked, I saw people install software without authorization, and some of that software contained Trojan horses. These Trojans enter the system and broadcast your information through a specific port. An external firewall has a hard time stopping these malicious packets from entering the network, because the packets are already inside the network.

These facts lead to an interesting phenomenon: most technicians I know configure their external firewall to block most inbound traffic, but place no restrictions on outbound traffic. I recommend being as cautious about outbound traffic as about inbound traffic, because you never know when a Trojan hidden in your network will broadcast your information outwards. An internal firewall can be placed on any workstation or any server. There are some good personal firewall products, such as Symantec Norton Personal Firewall 2003, but since Windows XP includes a built-in personal firewall, you do not have to spend money on a separate personal firewall for your workstations.

To use the Windows XP firewall, right-click My Network Places and choose Properties from the shortcut menu to open the Network Connections window. Next, right-click the network connection you want to protect and choose Properties. Now select the Advanced tab and check the Internet Connection Firewall option. You can use the Settings button to choose which ports to open. Although the Windows XP firewall is an Internet firewall, it can also be used as an internal firewall.

Encryption

The next step I suggest is encrypting your network traffic. Use IPsec wherever possible. To do so, you need to understand IPsec security.

If you configure a machine to use IPsec, you have two options: require encryption or request encryption. If you make IPsec require encryption, then when other machines try to connect to your machine, encryption is mandatory. If the other machine supports IPsec encryption, a secure channel is created at the start of communication. If it does not, the connection is rejected because the required encryption cannot be established.

The request encryption option is slightly different. When a machine requests a connection, it also requests encryption. If both machines support IPsec encryption, a secure channel is established between them and communication begins. If one of the machines does not support IPsec encryption, communication still proceeds, but the data is not encrypted.

For this reason I offer some suggestions. First, I recommend putting all the servers at a site on a separate, secure network, completely separate from the ordinary network. Each server that users need to access should have two network cards, one connected to the main network and the other to the private server network. This server network should contain only servers and should have its own dedicated hub or switch.

By doing this, you establish a dedicated backbone between the servers. All server-to-server traffic, such as RPC traffic or the traffic used by replication, can run over this backbone. In this way you protect server traffic and also free up bandwidth on the main network.

Next, I recommend IPsec. For the server-only network, IPsec encryption should be required. After all, there are only servers on this network, so unless you have UNIX, Linux, Macintosh or other non-Microsoft servers, there is no reason your servers cannot support IPsec, and you can safely require IPsec encryption.

Now, for all workstations and servers connected to the main network, you should make the machines request encryption. This gives you an optimal balance between security and functionality.

Unfortunately, IPsec cannot distinguish between multiple network adapters in the same computer. Therefore, unless a server sits only on the server network, you may need to use the request encryption option, otherwise other clients cannot access the server. Of course IPsec is not the only encryption method you can choose for network traffic. You must also consider how to protect traffic that crosses your network and reaches your wireless network.
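The following is an added example, not code from the original article: a small model of the require and request outcomes described above, run over a constructed topology that mirrors the recommended design (a server backbone that requires encryption, a main network that requests it, and a dual-homed server that must carry a single policy on both links). Host names, network names and the legacy client are assumptions.

```python
"""Model of the 'require' and 'request' IPsec policies described above.
Added example, not code from the original article. Hosts and networks are
constructed to mirror the article's design. The policy is per host, not per
adapter (IPsec cannot tell one network card from another), so a dual-homed
server has one policy on both of its links."""
from itertools import combinations

NONE, REQUEST, REQUIRE = "none", "request", "require"   # NONE: no IPsec support


def negotiate(policy_a, policy_b):
    """Outcome of one connection between two hosts: encrypted, plaintext or rejected."""
    policies = {policy_a, policy_b}
    if REQUIRE in policies:
        # A side that requires encryption refuses any peer that cannot do IPsec.
        return "rejected" if NONE in policies else "encrypted"
    if REQUEST in policies:
        # A side that only requests encryption falls back to plaintext for such a peer.
        return "plaintext" if NONE in policies else "encrypted"
    return "plaintext"


def audit(hosts):
    """hosts maps name -> (policy, networks); returns {(a, b): outcome} for hosts sharing a network."""
    results = {}
    for (a, (pol_a, nets_a)), (b, (pol_b, nets_b)) in combinations(sorted(hosts.items()), 2):
        if nets_a & nets_b:
            results[(a, b)] = negotiate(pol_a, pol_b)
    return results


def risky_links(hosts, servers):
    """Links a defender cares about: server traffic in the clear, or a client locked out."""
    return sorted(pair for pair, outcome in audit(hosts).items()
                  if (outcome == "plaintext" and servers & set(pair)) or outcome == "rejected")


# Constructed topology: srv-db sits only on the server backbone, srv-web is dual-homed
# (backbone + main), ws-legacy is an old client with no IPsec support at all.
TOPOLOGY = {
    "srv-db":    (REQUIRE, {"backbone"}),
    "srv-web":   (REQUEST, {"backbone", "main"}),
    "ws-1":      (REQUEST, {"main"}),
    "ws-legacy": (NONE,    {"main"}),
}
SERVERS = {"srv-db", "srv-web"}

if __name__ == "__main__":
    print(audit(TOPOLOGY), risky_links(TOPOLOGY, SERVERS))
```

Switching srv-web to REQUIRE shows the trade-off the text describes: the backbone link stays encrypted, but the legacy client on the main network is rejected instead of served in plaintext.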

Wireless encryption is still hard to talk about today because wireless networking equipment is still developing. Most network administrators think wireless networks are insecure because the packets travel through open space, and anyone with a laptop and a wireless NIC can capture them.

Although wireless networks do carry some risks, from one point of view a wireless network is even more secure than a wired one. This is because the main encryption mechanism for wireless traffic is WEP encryption, which ranges from 40 to 152 bits. The actual key length depends on the weakest participant in the communication. For example, if your access point supports 128-bit WEP but your NIC only supports 64-bit WEP, you only get 64-bit encryption. But all current wireless devices support at least 128-bit encryption.

Many administrators do not realize that although wireless networks can use WEP encryption, it is not the only encryption they can use. WEP simply encrypts all traffic crossing the wireless network; it does not care what type of data it is encrypting. So if you have already used IPsec to encrypt the data, WEP encrypts the already encrypted data a second time.

Network isolation

If your company is large, you probably have a web server hosting the company website. If this web server does not need access to a back-end database or other resources on your private network, there is no reason to put it on your private network. Since you can isolate this server from your own network, why put it inside the private network and give a hacker an opportunity to get in?

If your web server does need access to a database or other resources on the private network, I suggest placing an ISA server between your firewall and the web server. Internet users communicate with the ISA server rather than directly with the web server; the ISA server proxies between the users and the web server. You can establish an IPsec connection between the web server and the database server, and an SSL connection between the web server and the ISA server.

Packet monitor

After you have taken all the necessary steps to protect the traffic on your network, I suggest using a packet monitor to watch network traffic. This is just a precaution: it helps you understand which types of traffic occur on your network. If you find an unexpected type of packet, you can trace the source of those packets.

The biggest problem with a protocol analyzer is that hackers can use it too, turning it into a weapon. Because of the nature of packet sniffing, I used to think it was impossible to detect who was sniffing my network. A packet monitor merely listens to the traffic on the wire. Since it does not modify any packets, how could anyone know it is there?

In fact, detecting a packet monitor is much easier than you might think. All you need is a decoy machine. The decoy should be a workstation that nobody but you knows exists. Make sure the decoy has an IP address but is not a member of the domain. Now connect the decoy to the network and let it generate some traffic. If someone is sniffing the network, they will see the packets from the decoy. The problem for the sniffer is that it learns the decoy's IP address but not its host name. Typically the sniffer will perform a DNS lookup to try to find the machine's host name. Since you are the only person who knows about this machine, nobody else has any reason to look it up in DNS. So if you find someone in the DNS logs looking up your decoy machine, you have reason to suspect that person's machine is being used to sniff the network.
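The DNS-log check described above, as an added example that is not part of the original article: it scans query-log lines for any client that resolves the decoy's name (A) or its address (PTR), skipping the decoy itself and the administrator's own machine. The log line format, the decoy name and address, and the allow-list are all constructed assumptions; a real deployment would adapt parse_line() to its DNS server's own query-log format.

```python
"""Find hosts that looked up a decoy machine in DNS query logs.
Added example, not code from the original article. The log format, decoy name,
addresses and the allow-list are constructed for illustration. Because nobody
but the administrator knows the decoy exists, any other client asking DNS for
its name (A) or its address (PTR) is a sniffing suspect."""
import re
from collections import defaultdict

DECOY_NAME = "decoy-ws01.corp.example"      # constructed
DECOY_IP = "10.0.5.77"                      # constructed
ALLOWED = {"10.0.5.77", "10.0.1.10"}        # the decoy itself and the admin's own machine

# Constructed line shape: "<date> <time> client <ip> query <type> <name>"
LINE_RE = re.compile(r"^(?P<ts>\S+ \S+) client (?P<client>[\d.]+) query (?P<qtype>[A-Z]+) (?P<qname>\S+)$")


def reverse_name(ip):
    """The in-addr.arpa name a PTR lookup of ip would ask for."""
    return ".".join(reversed(ip.split("."))) + ".in-addr.arpa"


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspects(lines, decoy_name=DECOY_NAME, decoy_ip=DECOY_IP, allowed=ALLOWED):
    """Return {client_ip: [queries]} for clients that looked up the decoy's name or address."""
    targets = {decoy_name.lower().rstrip("."), reverse_name(decoy_ip)}
    suspects = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if not rec or rec["client"] in allowed:
            continue
        if rec["qname"].lower().rstrip(".") in targets:       # tolerate a trailing dot
            suspects[rec["client"]].append(f'{rec["ts"]} {rec["qtype"]} {rec["qname"]}')
    return dict(suspects)


# Constructed sample log: ordinary lookups, the admin resolving the decoy, and one
# workstation doing the reverse lookup (then a forward lookup) of the decoy.
SAMPLE_LOG = """\
2024-03-05 10:14:02 client 10.0.2.31 query A fileserver.corp.example
2024-03-05 10:14:09 client 10.0.1.10 query A decoy-ws01.corp.example
2024-03-05 10:15:40 client 10.0.2.58 query PTR 77.5.0.10.in-addr.arpa
2024-03-05 10:15:41 client 10.0.2.58 query A decoy-ws01.corp.example.
2024-03-05 10:16:00 client 10.0.2.31 query PTR 1.1.0.10.in-addr.arpa
""".splitlines()

if __name__ == "__main__":
    for client, queries in find_suspects(SAMPLE_LOG).items():
        print(client, "looked up the decoy:", *queries, sep="\n  ")
```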

Another step you can take to prevent sniffing is to replace all existing hubs with VLAN switches. These switches create a virtual network between the sender and the receiver of a packet. The packet no longer passes every machine on the network; it goes directly from the sender to the receiver. This means that if someone is sniffing your network, it is hard for them to get useful information. This type of switch has other advantages. With a standard hub, all nodes are in the same collision domain, which means that if you have 100 Mbps of total bandwidth, that bandwidth is shared among all the nodes. With a VLAN switch this is not the case: each virtual LAN has its own bandwidth, which does not have to be shared. This means a 100 Mbps switch can handle several hundred Mbps of traffic at the same time, as long as the traffic is on different virtual networks. VLAN switches improve security and efficiency at the same time.

Please credit the original source when reposting: https://www.9cbs.com/read-36985.html
