Network Security Options

It is possible to divide network security into two general classes: methods used to protect data as it transits a network, and methods which control which packets may transit the network. While both drastically affect the traffic going to and from a site, their aims are quite different.

1. Transit Security
There are no systems in use which keep data secure as it transits a public network. There are a number of methods available to encrypt traffic between sites. Two general approaches are as follows:

Virtual Private Networks
It constructs a private network by using TCP/IP to support the lower levels of a second TCP/IP stack. In a encapsulate form, IP traffic is sent across various forms of physical networks. Each system that attaches to the physical network implements a standard for sending IP messages over that link. Standards for IP packet transmission across various types of links exist, and the most common are Ethernet and Point-to-Point links. Once an IP packet is received it is given to higher layers of the TCP/IP stack for processing.

When a virtual private network is designed, the lowest levels of the TCP/IP protocol are developed using an existing TCP/IP connection. There are a variety of ways to achieve this which trade-off between abstraction and efficiency. This provides a benefit in terms of secure data transfer, as a VPN allows complete control over the physical layer. It is completely within the network designer’s power to encrypt the connection at the physical layer. By allowing this, all traffic over the VPN will be encrypted whether it is at the application layer or at the lowest layers of the stack. The primary benefits of VPNs are that they offer private address space, and also provide packet encryption or translation overhead to be done on dedicated systems, reducing the load placed on production machines.

Packet Level Encryption
Another way is to encrypt traffic at a higher layer in the TCP/IP stack. Many methods are present for the secure authentication and encryption of Telnet and rlogin sessions, which are examples of encryption at the highest level of the stack (the application layer). The benefits of encrypting traffic at the higher layer are that the processor overhead of dealing with a VPN is reduced, compatibility with current applications is not affected, and it is much easier to compile a client program that supports application layer encryption, than to build a VPN.

The above methods have a performance impact on hosts that implement the protocols, and on the networks that connect to those hosts. The easiest way of encapsulating or converting a packet into a new form requires CPU-time and uses additional network capacity. Encryption is a CPU-intensive process, and encrypted packets need to be padded to uniform length to warranty the robustness of some algorithms. Further, both methods have impacts on other areas that require to be considered before any choice is made as to which is best for a particular case.

2. Traffic Regulation
The most common form of network security on the Internet is traffic regulation. If packets which do something malicious to a remote host never get there, the remote host will remain unaffected. Traffic regulation offers a screen between hosts and remote sites. This happens at three basic areas: routers, firewalls, and hosts. Each offers similar service at different points in the network.

a. Router Traffic Regulation
Any traffic regulation that takes place on a router or terminal server is based on packet characteristics. This does not contain application gateways but does contain address translation.

b. Firewall Traffic Regulation
By applying gateways, traffic regulation or filtering is performed.

c. Host Traffic Regulation
Traffic regulation is performed at the destination of a packet. In traffic regulation, hosts are playing a smaller role with the advent of filtering routers and firewalls.

Filters and Access Lists
Regulating packet flow between two sites is a fairly simple concept on the surface. For any router or firewall, it isn’t difficult to decide simply not to forward all packets from a particular site. A few basic techniques are:

i. Restricting Access In but Not Out
All packets are sent to destination UDP or TCP sockets. From remote hosts, packets will attempt to reach one of the well-known ports. These ports are observed by applications which offer services, such as Mail Transfer, Delivery, Usenet News, time, Domain Name Service, and various login protocols. It is unimportant for modern routers or firewalls only to permit these types of packets through to the specific machine that offers a given service. Attempts to send any other type of packet will not be allowed. This protects the internal hosts but still permits all packets to get out.

ii. The Problem of Returning Packets
Unless remote users use a secure, encrypting application such as S/Key they cannot log into your system. Using Telnet or FTP, users can connect to remote sites. Restrict remote connections to one type of packet, and permit any type of outgoing connection. Due to the nature of interactive protocols, they must consult a unique port number to use once a connection is established.

Modern routers and firewalls support the ability to dynamically open a small window for these packets to pass through, if packets have been recently transmitted from an internal host to the external host on the same port. This permits connections that are initiated internally to connect and denies external connection attempts unless they are desired.

iii. Dynamic Route Filters
When a particular set of circumstances occur, a new recent technique offers the ability to dynamically add entire sets of route filters for a remote site. Using these techniques, it is possible that routers automatically detect suspicious activity and deny a machine or entire site access for a short time. In many cases, this will prevent any sort of automated attack on a site.

Filters and access lists took place on all three types of systems, although they are most common on routers.

There are two types of network security: transit security and traffic regulation, which when combined can help warranty that the right information is securely transported to the right place. It should be clear that there is a requirement for ensuring that the hosts that receive the information will properly process it, this lifts up the entire specter of host security: a wide area which varies tremendously for each system. With the growth in the business use of the Internet, network security is rapidly becoming vital to the development of the Internet. Security will become integral part of our day-to-day use of the Internet and other networks.