
Network Security and the Demilitarized Zone - Coursework Example


Extract of sample "Network Security and the Demilitarized Zone"

The Demilitarized Zone (DMZ)

The demilitarized zone operates as part of a firewall configuration in order to secure local area networks. If a DMZ is configured on the whole network or on specific workstations, they are said to be in a DMZ. The zone also allows workstations configured behind the firewall to initiate requests, which are treated as outbound traffic, to the DMZ. The functionality of a DMZ is similar to that of a proxy server, as the workstations configured in the DMZ interact with the public networks. The most significant advantage of a DMZ is that it protects the local area network domains by segregating the network layer (RE: [FW1] DMZ advantages). The disadvantages associated with a DMZ are not significant, but one issue can be highlighted: the segregation may create a hassle for network administration, because a DMZ requires frequent updates and maintenance. Moreover, the hardware cost is high, and dedicated hardware is required in order to implement a DMZ within the network. Deployment includes a switch, a separate firewall, an IDS, etc.

Intranet / Extranet

The most significant advantage shared by both of these technologies is communication. An intranet provides limited communication compared to an extranet, but it is still effective. In order to implement an intranet, a local area network and a host are required. The network must adhere to the requirements of the intranet application. Moreover, the application will be deployed on a separate workstation called a host or server. The star topology is recommended for intranet-based networks, as the network administrator can manage and administer intranet issues in a centralized environment. Furthermore, the presence of an intranet will enable new trends in communication, for example paperless communication between employees, chat, e-mail and blogs. Disadvantages include maintenance and security issues.
Hardware requirements for an extranet are similar, except that an extranet provides wider coverage for employees who want to work from home or communicate while travelling. However, in order to provide or publish content on the Internet, certain advanced protocols are required. For instance, VPN is a secure choice. Accordingly, due to its broad functionality, its security issues are also greater than those of the intranet.

Network Address Translation (NAT)

Network address translation is defined as “An Internet protocol that allows individual sites to support more IP hosts than the number of IP addresses assigned to it. This is done using special Internet addresses that have been reserved for this purpose. These special addresses are invalid in the Internet itself. The hosts using these addresses may communicate among themselves, but they cannot access the Internet directly” (Campus infrastructure guidelines). NAT translates private IP addresses into global IP addresses, which makes things simple for the network administrator, as incremental changes are required without modifying hosts and routers. The disadvantage of NAT is that it is slow, because each packet is processed before the decision is made whether or not to translate it. ‘IP traceability’ also becomes difficult, as data packets are difficult to trace.

Tunneling

Tunneling is also called port forwarding. Port forwarding is configured for a secure channel within the medium or corporate networks. One way of implementing a tunneling protocol is to configure a DSL modem by defining the port number that is allocated to a specific service. For instance, in order to access remote desktop via port forwarding, port number 3389 and the RDP service are defined in the router against the IP address of the workstation on which the service needs to be executed. A popular tunneling protocol developed by Microsoft is known as the Point-to-Point Tunneling Protocol (PPTP).
This protocol provides a secure data communication channel for users to access Virtual Private Networks (VPN). However, port forwarding does not ensure data security, as there is no encryption during data transmission. Moreover, a tunnel needs to be defined for each service and route, creating redundancy and complex configurations.

Access Control List

Access Control Lists are defined in routers, firewalls, multi-layer switches, etc. Considering the scenario of a router, when a data packet tries to pass through a router, it is subject to the security rules and policies. Similarly, in an operating system environment, the ACL informs the operating system of the user rights on files and directories. The attributes for assigning privileges to files and folders are read, write and execute. Therefore, ACLs provide security for system files and folders and for network data transmission.

Sub Netting

Sub netting is defined in “document RFC 950, originally referred to the subdivision of a class-based network into sub networks, but now refers more generally to the subdivision of a CIDR block into smaller CIDR blocks” (Subnetting). A single subnet in IPv4 only contains 254 assignable IP addresses. These IP addresses need to be managed efficiently, as broadcast issues are always triggered, producing network congestion and disruption of services. In order to overcome these issues, IP addresses are broken down into smaller class C networks for effective network management and security. Moreover, global IP addresses are limited; in order to operate a corporate network, sub netting is required to allocate private IP addresses to the inbound network, while the global IP addresses will only be configured on the WAN devices.

Virtual Local Area Network (VLAN)

To provide a security mechanism for internal data communication, virtual local area networks (VLANs) are recommended. The VLAN separates the domains of the departments within the organization.
VLAN uses encryption techniques for transmitting data over the network. An access policy list is also configured in the VLAN for defining the routes. Moreover, a VLAN is considered a broadcast domain. This means that a broadcast generated by one computer can only be received by the destination that is defined by some criteria in the broadcast domain. The advantages of VLAN implementation include an efficient way of utilizing bandwidth and protecting the network from possible broadcast storms, which result in denial of service. Furthermore, by implementing VLANs, the capacity of switching technology is utilized to its full potential. VLAN also supports the ‘VLAN trunking protocol’, which will significantly reduce administration for the switched network.

Suspicious File Types

‘Exe files’, ‘Com files’, ‘Bat files’, ‘SCR files’, ‘MP3’ and other executable files

Exe files are executable files for the Microsoft Windows environment. These files are used to initialize a program. Hackers disguise these executable virus files as a commonly used item. For instance, a virus executable file can take the form of a folder, so that the user clicks it and the executable virus program installs itself on the computer to take full control of resources and data. Com files take their extension from ‘Command’, which is used as a command prompt in the Microsoft Windows environment. Viruses can be executed by clicking such a file in the form of an old ‘DOS’-based game (Understand common virus attacks before they strike your apps).
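To make the Sub Netting, Access Control List and DMZ sections above concrete, the following added example (not part of the original coursework) splits one private block into LAN and DMZ subnets and evaluates an ordered rule list between the zones. The address block, zone names, first-match/default-deny semantics and the sample flows are all assumptions made for illustration.

```python
import ipaddress

# Assumed site block from the private range; zone names are hypothetical.
SITE = ipaddress.ip_network("10.20.0.0/22")
LAN, DMZ, *_spare = SITE.subnets(new_prefix=24)  # one /22 -> four /24 blocks
ZONES = {"lan": LAN, "dmz": DMZ}

def assignable(net):
    """Host addresses left after the network and broadcast addresses."""
    return net.num_addresses - 2

def zone_of(addr):
    """Map an address to its zone; anything outside LAN/DMZ counts as internet."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

# Assumed policy: ordered rules, first match wins, unmatched traffic is denied.
# Stateless sketch: each tuple is (source zone, destination zone, port, action),
# with port None meaning any port. Return traffic is not modelled.
ACL = [
    ("internet", "dmz", 443, "permit"),  # public clients reach the DMZ web host
    ("lan", "dmz", None, "permit"),      # internal hosts open sessions to the DMZ
    ("lan", "internet", 443, "permit"),
    ("dmz", "lan", None, "deny"),        # DMZ hosts never initiate into the LAN
    ("internet", "lan", None, "deny"),
]

def decide(src, dst, port):
    """Return 'permit' or 'deny' for a new connection from src to dst:port."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule_src, rule_dst, rule_port, action in ACL:
        if (rule_src, rule_dst) == (src_zone, dst_zone) and rule_port in (None, port):
            return action
    return "deny"  # implicit default deny

# Constructed sample flows; 203.0.113.7 is a documentation address.
SAMPLES = [
    ("203.0.113.7", "10.20.1.10", 443),   # public request to the DMZ server
    ("203.0.113.7", "10.20.0.15", 3389),  # inbound RDP aimed at a LAN workstation
    ("10.20.0.15", "10.20.1.10", 22),     # LAN admin session to the DMZ server
    ("10.20.1.10", "10.20.0.15", 445),    # DMZ host reaching back into the LAN
]

if __name__ == "__main__":
    print(f"{SITE} private={SITE.is_private}, {assignable(LAN)} hosts per /24")
    for src, dst, port in SAMPLES:
        print(f"{src:>12} -> {dst}:{port:<5} {decide(src, dst, port)}")
```

Each /24 yields the 254 assignable addresses mentioned in the Sub Netting section, and the explicit DMZ-to-LAN deny is the rule that keeps a DMZ host from opening connections into the internal network.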
References

RE: [FW1] DMZ advantages. Retrieved 4/14/2011, from http://www.mail-archive.com/fw-1-mailinglist@beethoven.us.checkpoint.com/msg02113.html

Campus infrastructure guidelines. Retrieved 4/14/2011, from http://system.vccs.edu/its/guidelines/Campus_Infrastructure_Guidelines2.htm

Subnetting. Retrieved 4/14/2011, from http://www.lincoln.edu/math/rmyrick/ComputerNetworks/InetReference/24.htm

Understand common virus attacks before they strike your apps. Retrieved 4/14/2011, from http://msdn.microsoft.com/en-us/magazine/cc164146.aspx