Network Security

Network security comprises the growing science of protecting data stored and transmitted across information networks. Security of data (and voice) transmissions has become an increasingly important issue as the Internet has expanded, and once-private corporate networks conduct a great deal of business in public cyberspace over the Internet and wide area networks. The danger of information being intercepted, corrupted, or misappropriated has escalated, as has the fear of hackers breaking into servers and altering source code published on Web sites or conducting Denial-of-Service attacks. As a result, computer and network security procedures, practices, and technologies have developed into a science of their own. Today computer and network security take many forms and offer varying levels of protection, ranging from physical measures such as data-drive locks to access codes, user identification passwords, authentication devices, firewalls, data encryption, router access-control lists (ACLs), virtual LANs (VLANs), and Virtual Private Networks (VPNs). Methodologies to increase security are also proliferating and range from layering defenses to engaging in intrusion detection to using a demilitarized zone (DMZ) for unprotected communications.

Physical measures to ensure network security include such precautions as confining network wiring to locked closets, restricting access to data and network operation centers (NOCs), installing electronic locks on doors, requiring visitor registration and badges, and installing security guard stations at key access points. These measures, long evident at all telephone companies and carrier headquarters--such as MCI WorldCom, Sprint, Qwest, and AT&T--are increasing in use at many companies using networks. Physical measures extend to using keyboard locks, data-drive locks, or desk locks, which become especially useful in places where workstations offer network access to wiring hubs, LAN servers, and bridge-routers.

Authentication measures also offer a fairly standard means of network security. Basic authentication occurs on a network's dial-up ports when users dial in with a modem and first transmit a user ID and password. If this data corresponds with data stored on access control lists, then the user is permitted access to the network. Limits on access attempts also prevent unauthorized users from breaking in. Log-on security can be applied on any network, local or remote, and can be fine-tuned to identify users by workgroup or department. Newer and more complex measures include the use of multilevel passwords and biometric measures such as hand prints, voice patterns, or retinal prints.
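The log-on check and the limit on access attempts described above can be sketched as follows. This is an added example, not part of the original article; the class name `LoginGate`, the limit of three attempts, and the PBKDF2 work factor are assumptions made for illustration.

```python
import hashlib
import hmac
import os

MAX_ATTEMPTS = 3      # assumed limit; the article does not give a number
ITERATIONS = 100_000  # assumed PBKDF2 work factor for this example


def _derive(password: str, salt: bytes) -> bytes:
    # Store a salted, slow hash rather than the password itself.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


class LoginGate:
    """Hypothetical log-on check: stored credential list plus attempt limit."""

    def __init__(self) -> None:
        self._users = {}     # user id -> (salt, derived key)
        self._failures = {}  # user id -> consecutive failed attempts

    def enroll(self, user_id: str, password: str) -> None:
        salt = os.urandom(16)
        self._users[user_id] = (salt, _derive(password, salt))

    def attempt(self, user_id: str, password: str) -> str:
        # Once the limit is reached, even the correct password is refused.
        if self._failures.get(user_id, 0) >= MAX_ATTEMPTS:
            return "locked"
        known = user_id in self._users
        salt, stored = self._users.get(user_id, (b"\x00" * 16, b""))
        candidate = _derive(password, salt)  # same work for unknown ids
        if known and hmac.compare_digest(candidate, stored):
            self._failures.pop(user_id, None)  # success resets the counter
            return "granted"
        self._failures[user_id] = self._failures.get(user_id, 0) + 1
        return "denied"
```

The lockout here is permanent until an administrator clears the counter; a deployment would normally add a timed reset so the limit cannot be used to lock legitimate users out indefinitely.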

Access levels offer another means of securing networks. Network administrators can delineate access levels for users as public, private, or shared. Public access would allow users to read but not alter data. Private access would allow read-write access, meaning users can both read and alter data. Shared access would allow all users to read and write to all files.

Data encryption is another means of ensuring privacy over networks. This has evolved in many ways over the last two decades and comprises an almost essential feature of data transmission these days on major networks. Encryption is the conversion of data into a form unreadable by anyone without a secret decryption key. Its purpose is to ensure privacy by keeping the data hidden from all unintended recipients, even those who can see the encrypted data. On networks, this measure requires that data and voice be scrambled first with an encryption algorithm before traversing the network. Pretty Good Privacy (PGP) is an example of a highly effective encryption algorithm that uses a public key to protect e-mail and computer data. Public-key cryptography means that all recipients are supplied a public key with the message, while a corresponding private key resides already on the recipient's computer. The private key is then used to decode the message. Data encryption is often accompanied by digital authentication through a digital signature, which ensures that the receiver can be confident of the identity of the sender or the integrity of the message. Authentication protocols can be based on either conventional secret-key cryptosystems or on public-key systems; authentication in public-key systems uses digital signatures. The signature is an unforgeable piece of data asserting that a named person wrote or otherwise consented to the document to which the signature is attached.

Firewalls offer a means of protecting a network from other, untrusted networks. A firewall can be thought of as a shield that blocks untrustworthy communications while simultaneously allowing reliable communications to enter and go through. Firewalls can take many forms, and like everything else on the Internet, are constantly evolving. Some firewalls specialize in blocking unsafe traffic while others emphasize permitting safe traffic. Firewalls can be set up around whole networks or on specific routers or servers. Packet filtering offers one kind of firewall protection; here, data packets received by a network are first screened through a firewall device. The screening limits access based on the packet's source or originating machine or site, time of day, date, or even day of week, number of sessions permitted, or other such specification.
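The screening criteria listed above (source, time of day, day of week, number of sessions permitted) can be expressed as an ordered rule list with a default-deny fallback. This is an added example, not part of the original article; the `Rule` and `PacketFilter` names, the first-match policy, and the rule set built from documentation-only address ranges are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, time
from ipaddress import ip_address, ip_network
from typing import Optional

WEEKDAYS = frozenset(range(5))   # Monday=0 .. Friday=4
ANY_DAY = frozenset(range(7))


@dataclass
class Rule:
    source: str                          # CIDR block the rule matches
    action: str                          # "allow" or "deny"
    days: frozenset = ANY_DAY
    start: time = time(0, 0)
    end: time = time.max
    max_sessions: Optional[int] = None   # per-source cap, allow rules only


class PacketFilter:
    def __init__(self, rules):
        self.rules = rules
        self.sessions = {}               # source address -> sessions admitted

    def screen(self, src: str, when: datetime) -> str:
        addr = ip_address(src)
        for rule in self.rules:          # first matching rule decides
            if addr not in ip_network(rule.source):
                continue
            if when.weekday() not in rule.days:
                continue
            if not rule.start <= when.time() <= rule.end:
                continue
            if rule.action == "allow" and rule.max_sessions is not None:
                if self.sessions.get(src, 0) >= rule.max_sessions:
                    return "deny"
                self.sessions[src] = self.sessions.get(src, 0) + 1
            return rule.action
        return "deny"                    # nothing matched: default deny


def build_filter() -> PacketFilter:
    # Constructed rule set using documentation-only address ranges.
    return PacketFilter([
        Rule("203.0.113.0/24", "deny"),
        Rule("198.51.100.0/24", "allow", WEEKDAYS, time(8), time(18), 2),
    ])
```

Because no rule matches outside the allowed window, a weekend or late-night packet from the permitted range falls through to the default deny rather than needing an explicit block rule.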

Transparent proxies are often used with firewalls to secure communications. In this case, firewalls act as deflectors, creating dynamic, transparent proxy routers to deflect and forward data. When packets looking for a router hit the firewall (set up as the default router), the firewall software immediately sets up a proxy that does not route the packets but connects to an intermediate host, which then forwards the data. Proxies are often used instead of routers as a means of traffic control, in order to ensure that traffic does not pass directly between trusted and untrusted networks. Proxies can implement protocol-specific security as well, since they necessarily understand application protocols. This means that they can be used, for instance, to allow outgoing FTPs and block incoming FTPs.

Virtual LANs (VLANs) offer another means of internal security. Virtual networking refers to the ability of switches and routers to configure logical topologies on top of the physical network infrastructure, allowing variable network elements to be configured to appear as a single LAN. Virtual LANs function by logically segmenting a network into different broadcast domains so that packets are only switched between ports designated for the same VLAN. Data traffic, whether internal or external, is then confined to a specific area within the company network, and can be further controlled internally by the network. This technology promotes highly targeted and secure communications and preserves bandwidth.

For both public communications over the Internet and for private corporate traffic, Virtual Private Networks (VPNs) are increasing in usage. VPNs allow companies to use public networks or the open, distributed infrastructure of the Internet, to privately transmit data between corporate sites. Companies using an Internet VPN would connect to their Internet service provider (ISP) and use their ISP's VPN to transmit data. Over the VPN, data is encrypted to increase security, since the Internet is a public network. VPNs can be used at corporate sites, branch offices, and by mobile workers. Because all workers can connect to their company's VPN by dialing into the local POP (Point of Presence) of their ISP, this greatly cuts down on long-distance charges and capital outlays while ensuring private and secure communications.

IPSEC, short for IP Security, is a set of protocols developed by the Internet Engineering Task Force (IETF) to support secure exchange of packets at the IP layer, and it has been deployed widely to implement VPNs. IPSEC requires that the sending and receiving devices share a public key, and accomplishes this through a protocol that allows the receiver to obtain a public key and authenticate the sender using digital certificates.

SSL, short for Secure Sockets Layer, is another protocol that allows the transmission of private documents via the Internet. SSL uses a public key to encrypt data and is supported by both major browsers, Netscape Navigator and Internet Explorer. Many web sites use SSL to obtain confidential user information such as credit card numbers and bank account information. Web pages carrying confidential data over an SSL connection start with https: instead of http:. Secure HTTP (S-HTTP) is a very similar secure transmission protocol. The difference between the two is that SSL allows any number of communiqués to be exchanged over a secure connection established between a client and a server, while S-HTTP is designed to transmit individual messages securely. SSL and S-HTTP, therefore, are complementary rather than competing technologies and have both been approved by the IETF as a standard.

Copyrights
Network Security from World of Computer Science. ©2005-2006 Thomson Gale, a part of the Thomson Corporation. All rights reserved.
