
12 November 2009

Protecting Enterprise Catenets: a big eye view

  • A 'white hat' is a person who uncovers a vulnerability and exploits it with authorization;
  • A 'black hat' is one who uncovers a vulnerability and illegally exploits it and/or tells others how to;
  • A 'gray hat' is one who uncovers a vulnerability, does not illegally exploit it or tell others how to do it, but works with the vendor;

I disagree and prefer's definitions, where:
  • 'white hats' find vulnerabilities and tell vendors without providing public exploit code;
  • 'black hats' find vulnerabilities, code exploits, and maliciously attack victims;
  • 'gray hats' find vulnerabilities, publish exploits, but do not illegally use them.

Protecting Enterprise Catenets

There are as many unique data catenets as there are enterprises that build and operate them. Each organization has:
  • different users
  • different objectives
  • different topologies and
  • different equipment
Moreover, they have different numbers of users with different skill levels that work with different applications. In addition, they are likely to have mixtures of equipment that reflect their historical evolution. Some still operate with a base of 10 Mbps shared medium Ethernets. Others will have 100 Mbps repeatered and switched hubs supporting desktop operations fed by 1,000-Mbps servers. Yet others will have Ethernets, Token Rings, and FDDI networks operating at various speeds.

Transport will be by twisted pairs, optical fiber, or radio at speeds from 28.8 kbit/s to 622.08 Mbps. Because of the multitude of possibilities, no two catenets are exactly alike.

Operating Environment
Consider the environment in which enterprise catenets operate.
  • If we define a catenet as several individual networks linked together to facilitate the execution of distributed data operations, and
  • we define a network as a (complex) tool that facilitates the execution of distributed data applications
we have a description that does not depend on the business purpose for which the owning enterprise exists. Furthermore, we can generalize the nature of the data traffic that flows in the network:
  • File transfers
  • application sharing
  • e-mail and
  • printer sharing
produce the majority of the traffic. These activities manifest as bursts of data separated by periods of silence.

Enterprise Catenet
Figure 6.1 shows an enterprise catenet. It is a hierarchical network with four levels. They are designated as follows.
  • Desktop: Several interconnected clients, servers, and printer stations, perhaps on a single floor. Consists of individual stations connected by a LAN (mostly Ethernet or rarely Token Ring) that employs a common bus or a repeatered or switched hub. Each hub port may support a single user or a small number of end users. A desktop network is the lowest level of the catenet hierarchy.
  • Workgroup: Interconnected desktop networks (LANs) that may be situated in several areas (floors, bays, and so forth). Consists of two or more desktop networks bridged together. Provides intercommunication among desktop networks in the workgroup.
  • Campus: Interconnects workgroup networks within a single location. Consists of one or more workgroup networks bridged together and finally connected to an edge switch or edge router. Provides communication among workgroup bridges on a campus and facilitates communication to other campus networks.
  • Backbone: Interconnects campus networks. The connection may be distributed or collapsed:
    Distributed backbone: A (wide area) network (e.g., frame relay or ATM network) that interconnects campus networks to create an enterprise catenet. It provides moderate to high bandwidth over moderate to long distances.
    Collapsed backbone: A single core switch or router that interconnects all campus networks in the enterprise catenet. It can provide very large aggregate bandwidth.
In Figure 6.1, both styles of backbone are shown.
  • The distributed backbone is represented as a set of nodes in a frame relay or ATM network. It might be suited to a larger corporation with worldwide operations.
  • The collapsed backbone is a single switch that can give faster service to a smaller network.
They are shown in the same diagram for comparison purposes. It is unlikely they would be used in tandem.

In Figure 6.1, the campus networks are likely to be owned (or leased) by the enterprise. The links, bridges, hubs, and desktop stations are focused on producing the value-added services the enterprise provides. In linking the campus networks together, the enterprise owner may use:
  • Private facilities owned or leased exclusively by the enterprise. This arrangement prevents the acquisition of company data by external operators and preserves its confidentiality for the enterprise. The combination of campus networks and collapsed backbone shown in Figure 6.1 could be an example of a catenet formed from private facilities. All the campus edge routers/switches are connected by a single core router/switch (Collapsed backbone). The entire network has one purpose—to further the internal communications of the enterprise.
  • Leased facilities, such as permanent virtual circuits from a frame relay network provider or virtual circuits from an ATM provider. This arrangement preserves confidentiality with respect to most external operators. It is probably no impediment for a determined hacker. The combination of campus networks and distributed backbone shown in Figure 6.1 could be an example of an enterprise catenet using some leased facilities. The edge switches are connected to core switches in a frame relay or ATM network. In the frame relay network, the enterprise owner has use of specific permanent virtual circuits that interconnect the campus networks. In the ATM network, the enterprise owner has use of certain virtual circuits in defined paths that link the campus networks. As long as the connection tables limit the use of the virtual circuits to frames addressed to terminations in the catenet, the owner will have a catenet that is focused on facilitating the objectives of the enterprise.
  • Internet facilities, the arrangement of which links the campus networks to the world. As soon as a public connection is added to a private network, it becomes vulnerable to unauthorized access by the curious, the mischievous, and the criminally motivated. Special techniques must be employed to restore privacy yet retain the ability to use the Internet to the advantage of the enterprise. With the maturing of the Internet, enterprise catenets need no longer be limited to accepting frames from and delivering them to stations within the enterprise. Now it is possible for communications to span the globe and connect to distant resources. Figure 6.2 shows the campus networks’ end routers connected to Internet service providers (ISPs) that give access to the Internet. The Internet can be used for interconnecting campus network to campus network, connecting campus networks to sources of public information, and connecting between stations inside and outside the catenet. It is a distributed backbone of immense proportions.
    The extension of the catenet to global distances provides the opportunity for enterprise stations to address the stations (clients or servers) in the catenet or stations anywhere within the millions of users in the Internet community. In addition, it gives the opportunity for competitors and others to read (and perhaps sabotage) the data communications of the enterprise.

Connecting a private network to the Internet has certain advantages. Among other things, doing so facilitates:
  • the acquisition of public information
  • the exchange of e-mail between enterprise members and persons in other organizations, and
  • the supply of information on enterprise products to persons in other organizations or to members of the public.

In addition, connecting a private network to the Internet has certain disadvantages. Doing so permits:
  • enterprise employees to browse the Internet for personal reasons
  • outsiders to access the enterprise network for illegal purposes
  • virus attacks
  • denial of service, and other nuisances.
The following techniques have been developed to restore integrity to a catenet that employs the Internet (or another public network):

Combating Loss of Privacy
Loss of privacy can be countered by:
  • simple rules attached to internal addresses
  • more complex rules known as proxies that entail evaluating relationships between frames, and
  • creating secure connections between specific stations in the Internet and stations in the private network.

Network Address Translation
Private IP address spaces have been created for use by organizations. Specifically, they are:
  • to
  • to
  • to
These addresses do not appear in Internet tables. When access to the Internet is required, network address translation (NAT) must be performed. It creates an Internet-readable address that is used to return data. The principle is shown in Figure 6.3.

Suppose a station with an IP address p.p.p.p in the private network wishes to communicate with a station with an IP address r.r.r.r in the Internet. The IP address field in the frame sent from the sending station to the edge router will be p.p.p.p|r.r.r.r→, where p.p.p.p is the sending address, and r.r.r.r is the destination address. Because p.p.p.p is not recognized in the Internet, it must be changed at the edge router to a valid Internet address. Suppose this is s.s.s.s. On entering the Internet, the frame will have a destination address of r.r.r.r and a sending address of s.s.s.s. When information is returned, the address field will read ← s.s.s.s|r.r.r.r in the Internet, and ← p.p.p.p|r.r.r.r in the private network. Because the private addresses do not appear in the public network, they are unknown to the public stations. Thus, knowledge of the topology of the private network is denied to public stations and the task of predators becomes a little more difficult.
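The edge-router translation just described, worked as an added example (this is illustration code, not the book's). Addresses are constructed: p.p.p.p is 10.1.2.3 (a private address from the 10.0.0.0/8 space), s.s.s.s is the router's public address 203.0.113.5, and r.r.r.r is 198.51.100.7. It goes one step beyond the text by also rewriting the source port, so that several private stations can share the single public address and returning data can still be matched to the right station.

```python
"""Source NAT at the edge router: p.p.p.p|r.r.r.r -> s.s.s.s|r.r.r.r outbound,
and the reverse mapping for returning data. Added example, not the book's code."""
import ipaddress
from dataclasses import dataclass, replace

# Private address spaces (RFC 1918); these never appear in Internet tables.
PRIVATE_RANGES = [ipaddress.ip_network(n)
                  for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


@dataclass(frozen=True)
class Datagram:
    src: str        # sending IP address
    dst: str        # destination IP address
    sport: int      # sending transport port
    dport: int      # destination transport port
    payload: bytes


def is_private(addr):
    a = ipaddress.ip_address(addr)
    return any(a in net for net in PRIVATE_RANGES)


class EdgeRouter:
    """Keeps the translation table so that replies can be routed back."""

    def __init__(self, public_addr, first_port=40000):
        self.public_addr = public_addr      # s.s.s.s
        self.next_port = first_port
        self.outbound = {}   # (priv src, priv sport, dst, dport) -> public sport
        self.inbound = {}    # (public sport, dst, dport) -> (priv src, priv sport)

    def to_internet(self, d):
        """Rewrite the private sending address before the frame enters the Internet."""
        if not is_private(d.src):
            return d                        # already routable; nothing to translate
        key = (d.src, d.sport, d.dst, d.dport)
        pub_port = self.outbound.get(key)
        if pub_port is None:                # first frame of this conversation
            pub_port = self.next_port
            self.next_port += 1
            self.outbound[key] = pub_port
            self.inbound[(pub_port, d.dst, d.dport)] = (d.src, d.sport)
        return replace(d, src=self.public_addr, sport=pub_port)

    def from_internet(self, d):
        """Map returning data back to p.p.p.p; drop (return None) if no state exists.
        Public stations only ever see s.s.s.s, so the private topology stays hidden."""
        if d.dst != self.public_addr:
            return None
        entry = self.inbound.get((d.dport, d.src, d.sport))
        if entry is None:
            return None                     # unsolicited inbound frame: dropped
        priv_src, priv_sport = entry
        return replace(d, dst=priv_src, dport=priv_sport)


if __name__ == "__main__":
    r = EdgeRouter("203.0.113.5")
    out = r.to_internet(Datagram("10.1.2.3", "198.51.100.7", 51515, 80, b"GET /"))
    print("on the Internet:", out.src, out.sport, "->", out.dst, out.dport)
    back = r.from_internet(Datagram("198.51.100.7", "203.0.113.5", 80, out.sport, b"200 OK"))
    print("in the private network:", back.src, "->", back.dst, back.dport)
```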

In the network world, a proxy is a package of software or hardware that performs a function defined by the proxy giver. A proxy is a rule that is applied to traffic within its purview. Thus, a list and supporting logic for denied destinations of frames from users with certain privileges are a proxy. Situated between the private catenet and the edge router, a proxy server can filter frames using lists of sites that are specifically permitted or denied to users with different levels of privilege. Particular sites can be blocked outright, and others can be controlled based on
  • the identity of the user
  • the service requested
  • the port or
  • the IP domain.
A proxy server can implement the address translation function (NAT). Further, it may provide domain name system (DNS) service, Dynamic Host Configuration Protocol (DHCP) service, and other functions.

A proxy server can be used at other locations in the private network to restrict or prevent traffic between sections of the catenet. In this application, address translation is not required.

The complexity of the proxies employed depends on the value the network owner places on protecting the products in the private network. In addition, the complexity of the proxies depends on the imagination of the network administrator. Three levels of proxies are:
  • Frame filtering: After checking the address fields and contents of the frame for keywords, passage of the frame to its destination is permitted or denied. Working from lists, frame filtering is relatively easy to design and relatively fast to execute. It is also relatively crude.
  • Circuit-level filtering: By observing the grouping of frames, a connection between client and server is detected. Using rules to determine whether the source and destination are compatible (i.e., are likely to have legitimate business to transact), the passage of information is permitted or denied. Circuit-level filtering requires more reference information, may not be that difficult to design, but takes longer to execute because of the number of frame evaluations that have to be made.
  • Application-level filtering: By testing the data contained in frames that constitute a communication by the characteristics of the destination, the acceptability of the communication is determined and the passage of information is permitted or denied. Application-level filtering can be the most complex strategy. It requires evaluation of the data being passed. Therefore, it must be custom designed for each application. Because it requires the observation of several frames, execution is likely to be slow. If the owner values the data highly enough, the simultaneous application of two or three strategies can be considered.
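The first two levels contrasted in working code, as an added example (not the book's). The policy tables, addresses and frames are constructed sample values. Frame filtering judges each frame alone from permit/deny lists and keywords; circuit-level filtering watches the grouping of frames, admits a client/server connection only when an inside client opened it and the compatibility rule passed, and then passes the rest of that circuit without looking at contents (which is what the slower application-level strategy would add).

```python
"""Frame-level versus circuit-level filtering in a proxy. Added example, not the book's code."""
from collections import namedtuple

Frame = namedtuple("Frame", "src sport dst dport flags payload")

# Constructed policy tables (sample values).
DENIED_SITES = {"203.0.113.9"}                  # blocked outright for every user
LOW_PRIV_ALLOWED = {"198.51.100.7"}             # the only site 'low' users may reach
USER_PRIV = {"10.1.2.3": "high", "10.1.2.4": "low"}
DENY_KEYWORDS = (b"CONFIDENTIAL",)


def frame_filter(f):
    """Frame filtering: permit or deny one frame from lists and keywords alone."""
    if f.dst in DENIED_SITES:
        return False
    if USER_PRIV.get(f.src, "low") == "low" and f.dst not in LOW_PRIV_ALLOWED:
        return False
    return not any(k in f.payload for k in DENY_KEYWORDS)


class CircuitFilter:
    """Circuit-level filtering: detect connections from the grouping of frames.
    A circuit is admitted when the inside client opens it (SYN) and the
    source/destination compatibility rule passes; the server's SYN/ACK completes
    it; frames that belong to no known circuit (unsolicited traffic) are denied."""

    def __init__(self, inside_prefix="10."):
        self.inside = inside_prefix
        self.half_open = set()       # client SYN seen, awaiting server SYN/ACK
        self.established = set()     # handshake completed

    def admit(self, f):
        outbound = f.src.startswith(self.inside)
        # Canonical circuit id: (client, client port, server, server port)
        key = (f.src, f.sport, f.dst, f.dport) if outbound else (f.dst, f.dport, f.src, f.sport)
        if key in self.established:
            return True                           # contents are not inspected here
        if outbound and f.flags == "SYN":
            if not frame_filter(f):               # compatibility rule on the opening frame
                return False
            self.half_open.add(key)
            return True
        if not outbound and f.flags == "SYN/ACK" and key in self.half_open:
            self.half_open.discard(key)
            self.established.add(key)
            return True
        return False


if __name__ == "__main__":
    cf = CircuitFilter()
    for fr in (Frame("10.1.2.3", 51515, "198.51.100.7", 80, "SYN", b""),
               Frame("198.51.100.7", 80, "10.1.2.3", 51515, "SYN/ACK", b""),
               Frame("198.51.100.8", 80, "10.1.2.3", 51515, "SYN/ACK", b"")):
        print(fr.src, "->", fr.dst, fr.flags, "admitted" if cf.admit(fr) else "denied")
```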

In Figure 6.2, the campus networks are connected into the enterprise catenet by a distributed backbone formed from Internet circuits. The data they carry is vulnerable to eavesdropping and alteration by wrongdoers. To prevent these acts, the enterprise owner can construct a tunnel between each pair of campus networks.
A tunnel is a secure temporary connection between two points in an insecure public network.
Because users within each campus network may attempt to eavesdrop and alter messages, tunneling may be extended to the users' interfaces. Figure 6.4 shows a tunnel that connects a secure client in one campus network to a secure server in another campus network. Connections between campus networks are not the only application for this technique. No matter where they are situated, tunneling can be applied between stations that communicate over a public network to create a temporary private connection.

The techniques of encapsulation and encryption are used to create tunnels.
Tunneling is the action of encapsulating an encrypted datagram inside another datagram so that it can be forwarded between two points over an insecure temporary connection without revealing its contents.

Figure 6.5 illustrates the concept of tunneling. Data to be sent in a secure way is assembled in an IP datagram by the sending station. It contains the IP network addresses of the sending station and the receiving station. I will call this datagram D(1). D(1) is encapsulated by a network interface header and trailer, and sent to the router facing the Internet (R1). Here, the header and trailer are stripped from D(1), it is encrypted, and wrapped (encapsulated) in a second IP datagram. I will call this datagram D[D(1)]2 to symbolize an encrypted IP datagram [D(1)] encapsulated by a second datagram D(2). D(2) contains the IP address of the router R(2) serving the destination campus network and the IP address of the sending router R(1). At R(2), D[D(1)]2 is decrypted and unwrapped (decapsulated) to give D(1). D(1) is encapsulated with network interface header and trailer information and sent on to the destination address it contains.
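The R(1) to R(2) tunnel just described, as an added example (illustration code, not the book's). D(1) is encrypted and wrapped in D(2), whose addresses are the tunnel ends, and R(2) checks integrity, decrypts and unwraps. The cipher is a constructed keystream built from HMAC-SHA-256 in counter mode, standing in for a real cipher such as AES; the tunnel key is assumed to have been shared between the two routers beforehand, and all addresses are constructed documentation values.

```python
"""Encapsulate an encrypted D(1) inside D(2) and reverse it at the far router.
Added example, not the book's code."""
import hashlib
import hmac
import json

TUNNEL_KEY = b"constructed-shared-key"   # assumption: pre-shared between R1 and R2
R1, R2 = "203.0.113.5", "198.51.100.7"    # tunnel ends (public addresses)


def keystream_xor(key, data, nonce):
    """Toy stream cipher (stand-in for AES): XOR data with HMAC(key, nonce||counter) blocks."""
    out = bytearray()
    block = b""
    for i, b in enumerate(data):
        if i % 32 == 0:
            block = hmac.new(key, nonce + (i // 32).to_bytes(4, "big"), hashlib.sha256).digest()
        out.append(b ^ block[i % 32])
    return bytes(out)


def encapsulate(d1, seq):
    """At R(1): encrypt D(1) and wrap it in D(2) addressed R1 -> R2.
    seq doubles as the cipher nonce, so it must never repeat under one key."""
    inner = json.dumps(d1, sort_keys=True).encode()
    nonce = seq.to_bytes(8, "big")
    cipher = keystream_xor(TUNNEL_KEY, inner, nonce)
    tag = hmac.new(TUNNEL_KEY, nonce + cipher, hashlib.sha256).digest()
    return {"src": R1, "dst": R2, "seq": seq, "payload": cipher, "icv": tag}


def decapsulate(d2):
    """At R(2): verify, decrypt and unwrap to recover D(1) for the campus network."""
    nonce = d2["seq"].to_bytes(8, "big")
    expected = hmac.new(TUNNEL_KEY, nonce + d2["payload"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, d2["icv"]):
        raise ValueError("tunnel datagram failed authentication")
    return json.loads(keystream_xor(TUNNEL_KEY, d2["payload"], nonce))


def eavesdropper_sees(d2):
    """All a public-network station can read: the tunnel ends, not D(1)'s addresses."""
    return {"src": d2["src"], "dst": d2["dst"]}


def tamper_detected(d2):
    """Flip one payload bit in transit and report whether R(2) rejects it."""
    bad = dict(d2, payload=bytes([d2["payload"][0] ^ 1]) + d2["payload"][1:])
    try:
        decapsulate(bad)
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    d1 = {"src": "10.1.2.3", "dst": "10.2.9.9", "data": "payroll"}   # constructed D(1)
    d2 = encapsulate(d1, seq=1)
    print("eavesdropper sees:", eavesdropper_sees(d2))
    print("R(2) recovers:", decapsulate(d2))
```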

Remote users who must use a telephone connection can use this technique. After establishing a normal dial-up networking (DUN) connection to a local ISP, the remote user generates an IP datagram addressed to an enterprise destination. This datagram is encapsulated in a PPP frame and may be encrypted. It becomes the user's data in a second IP datagram addressed to the intranet tunnel router serving the home station. The encapsulated datagram travels from tunnel server to tunnel server on the basis of the network addresses contained in the encapsulating datagram. Thus, an eavesdropper is denied the knowledge of the true origin and destination of the original datagram. At the tunnel server, the original IP datagram is unwrapped and forwarded to its destination. In effect, the action of tunneling has created a private connection out of public facilities.

If it is important that the message information be protected throughout its journey, the sender can encrypt it before forming the original frame. Decryption at the receiving station can serve to confirm (authenticate) that the message originated from the expected source (see the following).

Encryption, Decryption, and Authentication
Encryption is the action of turning readable (clear-text) data frames into not-readable (cipher-text) data frames through the application of one or more rules. The rules for encryption are chosen so that the application of the same rules, or a set of rules based on them, will restore the not-readable frame to readability.
Decryption is the reverse of encryption. Through the application of one or more rules based on those employed to encrypt a packet, an encrypted frame is restored to its original meaning.
These two sets of rules are known as keys. Common encryption systems use a single key or two keys.
  • Single-key cryptography: Also known as secret-key cryptography, employs the same key for encryption and decryption. Keys are bit patterns of any convenient length (40, 64, and 128, 256 are common values). The longer the key, the harder the code is to break. To be effective, the key must be kept secret from everyone except the users. Because of the need to keep the single key secret even though both encrypter and decrypter are using it, the management of single-key systems is more difficult than two-key systems. For this reason, most encryption systems use two-key cryptography.
  • Two-key cryptography: Also known as public-key cryptography, employs two keys. One key is available to the public (public key); the other key is known only to its owner (private key). Either key can be used to create encrypted messages. They are decrypted by the other key.
Two-key systems provide other advantages. By applying the keys in a specific order, the sender can make the message achieve both:
  • privacy and
  • authentication
Suppose there are two stations.
  • Station 1 knows its own private (S1) and public (P1) keys, and can obtain the public key of Station 2 (P2).
  • In similar fashion, Station 2 knows its own private (S2) and public (P2) keys, and the public key of Station 1 (P1).
  1. If Station 1 wishes to send a private message to Station 2, it encrypts the message (M) with Station 2’s public key to produce P2⊗M, where ⊗ stands for the action of encrypting or decrypting.
  2. Upon receiving P2⊗M, Station 2 uses its private key to decrypt the frame. This produces S2⊗{P2⊗M} = M.
  3. Because Station 1 used Station 2’s public key to encrypt the message, only Station 2 can decrypt it using its private key. Privacy is assured, but Station 2 cannot be sure of the origin of the message.
  1. If Station 1 wishes to send a message to Station 2 and have Station 2 know with certainty that it came from Station 1, Station 1 encrypts it with its private key. This produces S1⊗M.
  2. Station 2 decrypts S1⊗M with Station 1’s public key. This produces P1⊗{S1⊗M} = M.
  3. Because Station 1 used its private key to encrypt the message, the frame can only have come from Station 1. However, any station with Station 1's public key can decrypt it. Authentication is assured, but privacy is not.
  1. If Station 1 wishes to send a private message to Station 2 and have Station 2 know with certainty that it came from Station 1, Station 1 encrypts the message with Station 1’s private key and then with Station 2’s public key. This produces P2⊗S1⊗M.
  2. Station 2 decrypts P2⊗S1⊗M with its private key and then with Station 1’s public key. This produces S2⊗P1⊗{P2⊗S1⊗M} = M.
  3. Privacy is obtained by encryption with P2 and decryption with S2. Authentication is obtained by encryption with S1 and decryption with P1.
Cryptography is an important ingredient in national security. For this reason, the U.S. Government is ever vigilant to ensure that commercial cryptography does not compromise national cryptography. In addition, law-enforcement agencies are anxious to limit the effectiveness of commercial cryptography so that codes used by criminals can be broken.

IP Security

A set of protocols known as IPsec (IP security) has been developed by the IETF to provide authentication and privacy services for IPv4 and IPv6.
Authentication provides the receiver with the ability to check that the immutable fields in the received frame are identical to those in the frame that was sent. (Immutable fields are those that do not change during transport.) The immutable fields are:
  • the message
  • the transport header and
  • parts of the network header
Items such as time-to-live (TTL) and network checksum vary with the number of nodes the frame passes through. They are mutable and are carried as 0s when calculating the hash information.
Operating at the Internet layer, the services allow the stations to select a level of security that matches their security requirements. The parameters for each security service are collected and stored by the receiver. They are called a security association (SA). As a minimum, an SA includes:
  • an identification number (security parameters index);
  • a cryptographic algorithm;
  • a key or keys that implement the algorithm;
  • the lifetime of the key(s); and
  • a list of sending stations that can use the security association.
Each destination creates its own SAs. In addition, it stores a number of mandatory algorithms. To identify a specific SA requires both the security parameters index and the destination address.

In IPv4, authentication information is carried in an authentication header inserted between the Internet layer header and the transport layer header in the IP datagram.

In IPv6, the IP datagram consists of a base header, extension headers, transport layer header, and message. The authentication header is one of the extension headers.

Figure 6.6 shows IPv4 and IPv6 datagrams that include authentication headers. The authentication header provides data integrity through the use of keyed hashing. Hash functions represent a variable-length message by a fixed-length data string. The hashing algorithm is negotiated during SA setup. It provides address and payload integrity by hashing those entries in the IP header that do not change and the entire payload.
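The keyed hashing over immutable fields, together with the SA lookup by security parameters index and destination address described above, as an added example (not the book's code and not the real AH wire layout). HMAC-SHA-256 plays the negotiated hash; the field layout, SA table, key and addresses are constructed. TTL and checksum are hashed as zeros, so a router may rewrite them in transit without breaking verification, while any change to an immutable field or to the payload, or a sender not listed in the SA, fails.

```python
"""Authentication-header style integrity check with an SA table. Added example, not the book's code."""
import hmac
from dataclasses import dataclass, replace

MUTABLE_FIELDS = ("ttl", "checksum")    # rewritten hop by hop; hashed as 0


@dataclass
class Datagram:
    src: str
    dst: str
    proto: int
    ttl: int
    checksum: int
    spi: int            # security parameters index, carried in the AH
    payload: bytes      # transport header plus message
    icv: bytes = b""    # integrity check value carried in the AH


# Receiver's SA store, looked up by (SPI, destination address) as the text requires.
SA_TABLE = {
    (0x1001, "198.51.100.7"): {"alg": "sha256", "key": b"constructed-key-1",
                               "senders": {"203.0.113.5"}},
}


def hash_input(d):
    """Bytes covered by the keyed hash: immutable fields and payload, with the
    mutable fields zeroed and the ICV field itself left blank."""
    fields = dict(d.__dict__, icv=b"")
    for name in MUTABLE_FIELDS:
        fields[name] = 0
    return repr(sorted(fields.items())).encode()


def protect(d, sa):
    """Sender side: fill in the ICV using the SA's algorithm and key."""
    return replace(d, icv=hmac.new(sa["key"], hash_input(d), sa["alg"]).digest())


def verify(d):
    """Receiver side: find the SA, check the sender may use it, recompute the hash."""
    sa = SA_TABLE.get((d.spi, d.dst))
    if sa is None or d.src not in sa["senders"]:
        return False
    expected = hmac.new(sa["key"], hash_input(d), sa["alg"]).digest()
    return hmac.compare_digest(expected, d.icv)


def forward_hop(d):
    """What an intermediate router does: decrement TTL and recompute the checksum."""
    return replace(d, ttl=d.ttl - 1, checksum=(d.checksum + 1) & 0xFFFF)


def tamper_payload(d):
    """A wrongdoer alters the message in transit."""
    return replace(d, payload=d.payload + b"!")


if __name__ == "__main__":
    sa = SA_TABLE[(0x1001, "198.51.100.7")]
    d = protect(Datagram("203.0.113.5", "198.51.100.7", 6, 64, 0xABCD, 0x1001, b"GET /"), sa)
    print("after two hops:", verify(forward_hop(forward_hop(d))))
    print("after tampering:", verify(tamper_payload(d)))
```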

To provide additional security, IPsec can create new keys after a set amount of data has been transferred or a certain time has elapsed. When authentication and privacy are required, IPsec employs an encapsulating security payload (ESP). ESP has three sections:
  1. an ESP header that is positioned between the Internet header and the transport header
  2. an ESP trailer that follows the message, and
  3. an ESP authentication that follows the ESP trailer.
Neither the authentication protocol nor ESP fits the definition of tunneling given earlier in this section. True, they provide authentication and/or encryption, but they do not wrap an encrypted datagram inside another datagram so that it can be forwarded between two points over an insecure temporary connection without revealing its contents.

IPsec defines tunneled versions of the authentication header and the encapsulating security payload. They are shown in Figure 6.7. Each contains the original IP datagram encapsulated by a second Internet header that contains the IP addresses of the tunnel ends. In addition, an authentication header or an ESP header is positioned next to the original datagram. An ESP trailer and ESP authentication field follow the original datagram in the ESP tunneling datagram.

Other Tunneling Protocols
Industry groups have developed other tunneling protocols. Of note are:
  • Point-to-Point Tunneling Protocol (PPTP): A data link sublayer (Layer 2) protocol that encapsulates PPP frames in IP datagrams for transmission over an IP network. PPTP supports a single tunnel between client and server.
  • Layer 2 Tunneling Protocol (L2TP): A data link sublayer (Layer 2) protocol that encapsulates PPP frames for transmission over IP, X.25, frame relay, or ATM. L2TP supports multiple tunnels. L2TP combines the best features of PPTP and L2F, an early product from Cisco Systems Corporation. When used in an IP network, L2TP uses UDP for tunnel creation and transmission. Both tunneled data and control frames share the same UDP stream. L2TP uses IPsec for cryptographic services. Figure 6.8 shows an L2TP datagram encapsulated by PPP and encrypted by IPsec. The original datagram is wrapped in a PPP frame. The PPP frame is then incorporated in a new IP datagram with a UDP header and an L2TP header. Adding an IPsec encapsulating security payload header and trailer and an IPsec authentication trailer provides message integrity and authentication. Finally, an IP header is attached that contains the network addresses of the beginning and ending of the tunnel.

In a catenet that has Internet connections, preventing eavesdropping, hacking, or theft of information and controlling the amount and nature of internal traffic forwarded to the Internet is a formidable task. Most schemes rely on establishing and maintaining an electronic firewall:
which is a software/hardware device that denies unauthorized callers access to a private network, and controls calls from the private network to destinations reached over the public network.
Situated between an intranet and the Internet, a firewall consists of
  • screening routers
  • dedicated servers and
  • computer logic that implement rules to determine which connections are allowed and which are not.
As noted earlier:
  • the rules are called proxies. They restrict the number of services available to outside connections and prevent the manipulation of services to provide unauthorized levels of access.
  • In addition, a firewall can be used to limit the flow of specific information to callers from within the intranet and serve as the termination of tunnels through the Internet.
Figure 6.9 generalizes the relationship between a firewall, a private network, and the Internet.

Conceptually, the firewall prevents the free exchange of data frames between the private and public networks. If a data frame compares favorably with one or more databases managed by servers and meets other tests (if applicable), it will be passed around the wall. The internal router passes it on to the appropriate subnetwork. For a catenet with several campus networks connected by the Internet, a firewall is used to isolate each campus network from the Internet.

Functions Performed in the Firewall
In Figure 6.9, a representative sampling is shown of the database and testing capabilities in the firewall servers and associated devices.
  • For small networks, some can be combined, and not all of them may be necessary.
  • In large networks, they may all be individual units, and more may be necessary to handle special situations.
When a private network is connected to the Internet, it is usual for management to be concerned about the time wasted by employees surfing the Web for personal reasons. This concern leads to a request for a policy that only authorized users may access the Internet. To implement this policy requires the manual entry of each authorized user in a database. For a large user community, this can be a lot of work, particularly if there is significant turnover.

If dynamic IP addressing is in use (i.e., each station receives an address at the start of a session and is entitled to its use for a fixed time called a lease), the procedure will be complicated by changes in station addresses.
If the station operator is changed frequently, the procedure may be complicated by changes in usernames and passwords. If banning all http:// traffic is impossible, perhaps the best approach is to maintain activity logs and question excessive use or the use of specific addresses. Briefly, the functions that may be implemented at the firewall can be described as follows:
  • Authentication: Knowing that the incoming message has not been changed on its journey through the public network and that the sender is correctly identified is important for incoming traffic. Knowing the correct identity of those that make outgoing calls to use Internet services or contact persons is equally important. Proxy and/or Remote Authentication Dial-In Service (RADIUS) servers make appropriate tests on the data frames. They work with username and password information and may challenge originating or terminating entities to confirm information.
  • Simple mail transport service (SMTP), domain name service (DNS), File Transfer Protocol (FTP), and World Wide Web (WWW): Standard Internet services may require individual handling. Some users will have more privileges than others, and some may have none. All traffic should be recorded in segregated logs for review and troubleshooting.
  • Network address translation: By using special addresses that are not recognized by Internet devices, a private network may be hidden from Internet stations. For traffic to be accepted from the Internet, the incoming addresses must be translated from Internet IP addresses to private network IP addresses.
  • Cryptography: The firewall can serve as the origin and termination of tunnels across the Internet to other campus networks, employees on the road, and authorized customers and suppliers. The firewall must know what certificate authorities (CAs) to use, which cryptographic algorithms are authorized, and what kind of key management is expected. A certificate authority is a trusted third-party organization or company that issues digital keys (certificates) used to create digital signatures and public/private cryptographic keys. For IPsec, the encryption scheme is defined by the firewall. Other encryption schemes are determined by the destination IP address.
  • Electronic commerce: Tunnel calls between enterprise employees and customers or suppliers are set up in accordance with agreed proxies. Both customers and suppliers are likely to be permitted only a limited group of internal contacts.
Altogether, the capability of the devices in the firewall is sufficient to create a secure network out of the combination of campus networks and Internet. They permit enterprises to have confidence in their data communication facilities, while taking advantage of the flexibility and pervasiveness of the Internet. Perhaps it is too much to hope that there will be a neat set of standardized devices in the future.

Virtual Private Networks
A virtual private network (VPN) is a data network composed of private and public sections that permits sending confidential data over unprotected public connections without the risk of compromise by eavesdroppers, thieves, or those who would sabotage information. To the users, a VPN appears as a private network.
The success of the Internet has inspired companies and organizations to distribute an increasing amount of information over circuits using Internet protocols. In a format made easy to read by incorporating the graphical interfaces and hypertext techniques of the Web, companies and organizations are able to provide proprietary information to employees and product information to the public. To serve them, companies and organizations use the public Internet.
To serve their internal needs, companies and organizations use private internets called intranets.
At first, users from inside and outside the enterprise were pleased to communicate with one another and do business together. However, once the user community had suffered a few episodes of eavesdropping, hacking, or thefts of information, they sought to achieve privacy without sacrificing the flexibility acquired from using the public Internet. To do this, they created a VPN.
However, it would be wrong to imagine that VPNs can be created solely from public Internet facilities. They use the full-range of communication facilities including leased telephone circuits, frame relay or ATM links, communication satellite hops, ISDN, and POTS.

Types of VPNs
VPNs can be divided in several ways. One set of configurations is:
  • Intranet VPN: A VPN in which several enterprise campus networks are interconnected by tunnels over Internet connections (distributed backbone).
  • Extranet VPN: An intranet VPN used by customers, suppliers, and vendors. Tunnels are established over Internet connections to a secure enterprise server.
  • Remote access VPN: A VPN in which enterprise employees on the move can establish a dial-up connection to a remote ISP and create tunnels to enterprise campus networks.
  • Intracompany VPN: A single campus network or an intranet VPN, in which encrypted communications are used to protect against security breaches within the enterprise.
Using any of these arrangements ensures the owner has a significant level of control over who can read information (i.e., read only), work with information (i.e., download), and contribute or change information (i.e., author or edit). Furthermore, they can restrict electronic mail and other traffic to within the company. In addition, the network uses a popular set of protocols that are familiar to many persons. Moreover, campus networks (intranets) can be connected over a distributed backbone supplied by the Internet.

Basic Connections
There are as many kinds of data networks as there are enterprises using them. It is unlikely that any fall neatly in the categories listed earlier. Privacy in the commercial world is difficult to implement and almost impossible to guarantee. It is even harder when some of the communication facilities are used by the public, and company loyalty is not what it used to be. Nevertheless, the lure of a pervasive network that is significantly cheaper than leasing private lines is hard to refuse. For clients operating within company facilities, the keys to success are
  • user authentication (e.g., passwords)
  • address management (e.g., network address translation) and
  • proxies (e.g., content filtering).
For clients operating in the public domain, overriding importance must be given to
  • encryption and
  • tunneling.
In addition, they are the keys to private connections between campus networks over the Internet. Figure 6.10 illustrates some basic connections between the facilities that I have described. At the top of the diagram a straightforward connection to the Internet is made through the campus firewall that will include many of the individual protections shown in Figure 6.9. Unauthorized communications by persons on campus and off campus can be prevented while providing access for legitimate purposes.

The middle diagram shows a campus-to-campus connection. Because the information exchanged is important, an encrypted tunnel is employed. At the bottom is an arrangement that a remote client can employ. The client makes use of a third party’s facilities by calling an 800 number. The POP connects the call through a server and a secure connection to the campus firewall. A level of security is provided by IPsec.

Enterprises have recognized that the Internet is an affordable, worldwide medium that can be used to interconnect private networks and carry sensitive data. Their demand has created an opportunity for ISPs to offer value-added services that emphasize scalability and network management. That they can provide worldwide transport is a non-issue. Of course, they can! But can they provide worldwide security? Irrespective of their promises, security must remain the responsibility of whoever wants to preserve confidentiality. Prudent managers understand this and will institute their security measures at their firewalls.


A professional’s guide to data communication in a TCP/IP world by E. Bryan Carne.
ISBN 1-58053-909-2
