Network Security and Design
A computer network is a simple interlinking of computer through wires or wireless devices. Networks are the most efficient, simple and fastest way to communicate, share documents and information a group of people, community or company employees.
As networks are growing broader and larger, there is a need to establish a system to protect and secure the information on the net.
Importance of Networks in iTekx Company:
Networks are formed to share information, communicate, share single hardware devices like printers, scanners, etc. Businesses and organizations exchange their work, information, with online payments systems. Internet offers all businesses, social, and commercial operations in a fast shortest possible time at much reduced cost. iTekx company has now realized that network of worldwide users has changed the way businesses our done today. It has increased profitability and reduced time period in which businesses, commerce and trade are accomplished. This is due to the tremendous exposure of businesses iTekx is facing on the net with worldwide users. In this way to compete today’s market and to fully access growing advantages, organizations and companies need to implement network (intranet & internet) in their core technology.
Designs of Network
Networks are designed in many different ways in order to comply with the requirements of users. Different topological designs apply to different situations. The most important factor is to guard security against threats that can do vast range of damage to the connected computers.
The most commonly terms used in internetnetworking is TCP/IP and UDP. TCP/IP stands for Transport Control Protocol/Internet Protocol. “ TCP/IP is the “language” of the Internet. Anything that can learn to “speak TCP/IP” can play on the Internet. This is functionality that occurs at the Network (IP) and Transport (TCP) layers in the ISO/OSI Reference Model. Consequently, a host that has TCP/IP functionality (such as Unix, OS/2, MacOS, or Windows NT) can easily support applications (such as Netscape’s Navigator) that uses the network.” (Curtin, 1997)
“UDP (User Datagram Protocol) is a simple transport-layer protocol. It does not provide the same features as TCP, and is thus considered “unreliable.” Again, although this is unsuitable for some applications, it does have much more applicability in other applications than the more reliable and robust TCP.” (Curtin, 1997)
There are different types of network designs. Each design has a different scope and task to cover. Different kind of topologies covers different areas.
CAN – Campus Area Network, “a network spanning multiple LANs but smaller than a MAN, such as on a university or local business campus.” (Mitchell) It is also called “Controller Area Network and Cluster Area Network” (Mitchell)
DAN – Desk Area Network (confined to limited number of desk)
LAN – Local Area Network (Covered only locally in specified area)
MAN – Metropolitan Area Network (cover a particular city or town) “a network spanning a physical area larger than a LAN but smaller than a WAN, such as a city. A MAN is typically owned an operated by a single entity such as a government body or large corporation.” (Mitchell)
PAN – Personal Area Network (between personal computers and home offices)
SAN – “Storage Area Network, System Area Network, Server Area Network, or sometimes Small Area Network.” “Storage area connects servers to data storage devices through a technology like Fibre Channel.” And System area “links high-performance computers with high-speed connections in a cluster configuration. Also known as Cluster Area Network.” (Mitchell)
WAN – Wide Area Network (Cover a broader range of area as compared to local and metropolitan). It can cover different countries.
WLAN – Wireless Local Area Network (Wireless network covering local area) “a LAN based on WiFi wireless network technology” (Mitchell)
LAN and WAN are the most popular and initial forms of network used. However many others new kind of networks has emerged according to growing need of networks. In addition to the these network types there are other topologies like ring topology (formed in rings), star topology (star shaped) and bus topology.
iTekx Company can employ any of the following designs
LAN – Local Area Network
Local Area network is used in area in local regions where distance between the networking computers is very short. LAN is very useful in industries and offices spread over small location. Offices and homes can be linked with these networks. iTekx can use LAN for local offices.
CAN – Campus Area Network
It can use CAN for its first and ground floor.
WAN – Wide Area Network
iTekx company can use WAN to connect to world wide users. WAN are the Networks needed to cover larger distances is called WAN. The most common day example is use of Internet that connects the computers to the World Wide Web. WAN is created by interlinking LANS dispersed over different geographical locations. Different LANs from various locations are connected via router to form wider area networks. Router retains the LAN and WAN addresses.
There are different kinds of technologies used to implement each network for the distance they cover. iTekx company can use following technologies while implementing WAN are
WAN is not owned by any company or country but it is managed by the assigned group of experts.
Home network users are usually provided with LAN. Internet Service providers (ISP) provide them with this service via broadband modem. They connect to the WAN (Internet) using an ISP service. Internet Service providers allot a private IP address to the home network users. It is called dedicated IP address. An IP address is also allotted to the modem that is used by various interlinking home users.
Another kind of network iTekx company can use is UCCP (Unix-to-Unix CoPy). It is relatively unpopular as compared to Internet and its usage has decline over the years. “UUCP was originally developed to connect Unix (surprise!) hosts together. UUCP has since been ported to many different architectures, including PCs, Macs, Amigas, Apple IIs, VMS hosts, everything else you can name, and even some things you can’t. Additionally, a number of systems have been developed around the same principles as UUCP.” (Curtin, 1997)
Significance of Secure Networks in iTekx Company
As with so much opportunity on the Internet one cannot deny great benefits it provides to its users. However, there are certain security risks, which are inherent to the Internet. But one cannot remain isolate or keep their business away from this big opportunity due to the threats on the networks. There is a need to secure networks to protect it from being in the hands of illegitimate users or even legitimate users who are not allowed to assess private information. Network security will protect loss of any private, secret information exchanged between authorized users from unauthorized users. Information may include any type of data saved on hard disks of interconnected computers, on web servers, transmission over the Internet like email messaging, financial and business information.
Security also implies to the protection of systems on which data is saved. This includes protecting computers, networking elements, services and applications.
Protecting networks is important for keeping the information confidential, to maintain the integrity of information, authentication of legalize users, and availability of data.
Possible threats and dangers to the Networks in iTekx Company
A threat to the secure data on computers comes from both inside and outside users. It may be intended or it may be unintentional and accidental. There are also passive and active threats. Passive threats are those where only secure information is released without affecting the system (Computer Security, 1998). In case of active threats, information and system both are affected (Computer Security, 1998) and this is mostly intentional.
Threats could be from hackers who masquerade for accessing secure data or spreading virus. Insider attacks could come from the loss of confidential secure data by authorized users where as outsider attacks are intentional site invasion or data access by illegitimate users. Creation of trap doors that allow unauthorized person to access information. Virus attacks that may damage important data, files and hardware. Exhaustion attacks to access passwords or any other encrypt data. Other accidental failures including hazards to equipment and systems. For e.g., power failures, rain/snow/air storm, earthquakes etc.
Protection from outside threat
Protection from external threats include implications of following measures:
Encryption is to encode the information into an unreadable format using specific mathematical key. In this way message cannot be read in the hands of unauthorized persons. Only authorized person having the same matching key can decrypt and read the message.
There are different encryption models for encrypting/decrypting files. These models in turn have variable keys, coming in various size and numbers. The smaller the key, the easier is to crack the message. Therefore, for very secure and confidential information, larger and tougher keys should be used to encode and decode the messages.
Two types of keys are important for encryption system i.e., single key and public/private key. In case of single key there is only one key which is exchanged by the companies privately and which is not known by any third party or unauthorized users. Where as public/private key is a pair of public and private key. Public key is known to public and anyone can use that key to send encrypted messages to the company. While private key is only known by the company to send encrypted messages and to verify digital signatures.
There is a system called Public key infrastructure operated by certifying authorities to provide key management. It is a secure management of encryption key to give access to only those users who are authorized and should be available to them only when it is needed.
In addition there are Data Encryption Standard (DES) and Advanced Encryption Standard (AES) which are widely used for data encryption. These encryption methods use private key, which could have trillions or quadrillions possible keys. For sending and reviewing the message same key should be applied on both sides.
Checking for any new viruses and worms is mandatory like Trojan horse. Companies should have technical staff and virus scanners updated to prevent any new virus intervene into the network.
All users should be limited to access only those areas of network where they have their job to be done. Shared accounts should be avoided. Monitoring of account activity is also necessary. Implementation of authentic system into such remote areas is mandatory. There should be proper log off and log on systems using passwords. All users should be abiding by user agreement.
Implementation of passwords
Passwords are very useful in restricting access to any type of data. Implementation of passwords to the system should be properly done by technical and well-trained staff.
Installation of firewalls
Firewalls are the most important way of controlling flow of information on Internet and providing sound security. This security mechanism is called metaphorically as firewall as its work is same as physical firewall. It stands as a barrier and protects the network and access to the information from malicious attacks (fire). Firewall may be software or hardware that filters the incoming messages and keeps away dangerous messages like messages containing viruses or decryption codes (Tyson). Any information flowing from Internet to private network is controlled. Its installation needs expert assistance. If large numbers of computers are connected together with one or more connection lines to the Internet without the placement of the firewalls any computer will have access to the data on any other computer on the net through FTP, telnet etc. However, if a firewall is installed correctly at each Internet connection it will permit and block traffic only to limited number of computers. By setting up rules for Web servers, Telnet and FTP servers the company can control employees access to the websites, local networks, information retrieval and loss.
There are different methods of using firewalls; they may be Network level firewalls (also called packet filtering), application level firewall (proxy service) and stateful inspection/filtering method for securing inflow and outflow of traffic from network. In case of packet filtering (network level firewalls) routers form connections at various levels of network. It involves filtering of packets, which are small pieces of data, and then sending it to the requesting system. However, routers cannot perform complex functions. In case of proxy server (application level firewalls) information retrieved from and sent to the Internet is checked. It provides high level of security. Stateful inspection is the method in which individual packets are analyzed for sensitive data within the packet, which is then compared with other reliable database rules and information. In addition, characteristics of out-flowing and in-flowing information are also compared to be permitted through the network or rejected.
The function of circuit gateway is to control the flow of packets b/w client and server. It validates the session before establishing a circuit b/w client and server. Once the connection is complete, data of similar matching information is allowed to pass.
Isolating secure data from public data
Data for public use must be isolated from private firewalls. Web servers of the company that intend to provide information for public use must not be mingled with private firewall locations. Instead, public information should be located in a separate place other than private information.
Protection from inside threat
Insider threats include those of unintentional or accidental access to confidential information by legitimate users. These threats may from intentional break-ins.
Staff employed for technical problems and networking maintenance should be well trained and trustworthy. Though, most network security threats would be accidental due to common human mistakes. This unintentional access to secure data due to some networking problems even mistakenly is risk worthy. Therefore, personnel employed in an organization should be honest to comply with security policies.
Protecting information in transmission:
Secure Sockets Layers (SSL) servers are responsible for transmission of financial, payment and billing transactions through a web browser. In this case a web browser generates an encrypted message with a random key that should be matched with hosts public key for accessing the data (Introduction, chap 9).
Messages could be authenticated using digital signatures, time stamps, sequence numbers, digital certificates and encryption. Digital signatures protect the message in a way that if messages are somehow altered during transmission it could be instantaneously detected. If the signature is not change during transmission it validates that the message is not changed (Introduction, chap 9). Another way to authenticate message is to embed time stamps, sequence numbers or random numbers within the message. The precise sequence of these identifies the originality of the message. Any change in the message will change the sequence, which can alert the users that the message has been read and intervened. In case of digital certificates the person receiving the message should first authenticate his identity to read the message. The services of digital certificates are provided by third-party agents. These are authorized certificate providers to verify the authorized users. Information sent over the Internet is extremely vulnerable due to high level of exposure on worldwide network. Encryption of messages is the best method to counteract the acts of assault in sent message.
Backups are also important part of recovery process to access lost or corrupt data.
Whatever opportunities and threats today’s technology offers, one has to be very sensible in using benefits and imposing safeguards against dangers. However, there is no such perfection attained by any company in this case iTekx Company to implement security measures. Every Internet or Intranet network is vulnerable, to some extent, to any malicious types of attacks from outside or unintentional release of insider’s confidentiality.
iTekx Company should have a security policy and rules to define the security system within their network system. These policies and rules should only define protection against threats but also detection of cause of attacks and recovery in case of malicious attacks (Computer Security, 1998). Such policies are based on cost and risk analysis of the company’s network. Every user of the network must be abide by company’s policy. This could only be effective if they read, understand, and practically implicate it.
Security policy should include measures for physical security for e.g., providing locks to protect from theft of valuable information, protecting from natural disasters, desktop security, LAN/WAN security. Technical security measures include protection of email messaging, encryption, protection from viruses like Trojan horse, ftp and web security, monitoring secure networks, and safe distribution of software.
However, whatever security is implemented in the company’s network should be upgraded, monitored, audited according to new threats and assaults weekly, monthly or quarterly.
iTekx Company on one side should provide their employees with reasonable source of information on the net whereas, simultaneously preventing any unauthorized access by legitimate or illegitimate users. Encouraging the users to use valuable information and simultaneously ensuring complete protection of sensitive data is a great challenge for security system on the network. There is a constant need for upgrading the security system with modern applications preventing every new threat.
Computer Security Framework and Principles. (1998) Mon 10, 2003 from World Wide Web: http://wssg.berkeley.edu/public/projects/SecurityInfrastructure/reports/framework.html
Curtin, Matt (1997) . Introduction to Network Security. Retireved from World Wide Web: http://www.interhack.net/pubs/network-security/
Introduction to Network Security.(chapter 9). Mon 10, 2003 from World Wide Web: http://nces.ed.gov/pubs98/safetech/chapter9.html
Mitchell, Bradley. Introduction to Network Types. Retrieved from http://compnetworking.about.com/
Network Security and the Internet. Mon 10, 2003 from World Wide Web: http://www.swc.com/news/articles/netsecurity_internet.htm
Tyson, Jeff. How Firewalls work? Mon 10, 2003 from world wide web: http://www.howstuffworks.com