In this world, everything is connected with networks. In the digital world, every device is connected through networks. If our network remains insecure or vulnerable, then we become vulnerable. In this article, we will describe best practices to secure networks.
But before we dive into the practices of securing a network, we have to understand a few basics of networking.
Understand the OSI Model
OSI model stands for Open Systems Interconnect model. The International Standard Organization(ISO) built the OSI model in 1981. The OSI model has seven layers that provide the basis of communication over the network between computers. if anyone wants to build a strong network connection he has to understand the OSI model. The OSI model:
|Layer||Functions||Protocols or Standards|
|Layer 1: Physical||Physically interfaces with transmission medium and sends data over the network||EIA RS-232, EIA RS-449, IEEE, 802|
|Layer 2: Data link||Provides error checking and transfer of message frames||Ethernet, Token Ring, 802.11|
|Layer 3: Network||Performs packet routing||IP, OSPF, ICMP, RIP, ARP, RARP|
|Layer 4: Transport||Supports end-to-end delivery of data||TCP, UDP, SPX|
|Layer 5: Session||Negotiates and establishes a connection with another computer||SQL, X- Window, ASP, DNA, SCP, NFS, RPC|
|Layer 6: Presentation||Provides tools type services encryption, code conversion, and data formatting||MPEG, JPEG, TIFF|
|Layer 7: Application||Provides online services such as e-mail, file transfers, and file servers||HTTP, FTP, TFTP, DNS, SMTP, SFTP, SNMP, RLogin, BootP, MIME|
Understand Network Devices
To build a strong network and protect it, you need to understand the devices that comprise it. Here are the main types of network devices:
- Hubs connect different kinds of local area network (LAN) devices together. A hub also acts as a repeater that amplifies signals that are degraded after traveling long distances on connecting cables. The hub does not perform packet filtering or addressing functions. Hubs operate at the physical level.
- Switches play a significantly more sophisticated role than networking hubs. They serve as critical connectors for local area networks (LANs), efficiently managing the interconnection of multiple network segments. Operating primarily at the data link layer switches intelligently analyze packet headers and perform appropriate processing actions. One of their key capabilities is extracting hardware addresses from incoming packets, enabling precise transmission to the intended destination.
- Routers help route packets to their destinations by charting a path through a sea of interconnected network devices. They carefully extract packets from incoming frames, analyze their contents individually, and assign them unique IP addresses. Routers typically operate at the network layer of the OSI model.
- Bridges are used to connect hosts or network segments together. The basic role of bridges in network architecture is to store and forward frames between different parts of the bridge. They use hardware Media Access Control (MAC) addresses to transfer frames. Bridges operate only at the Layer 1 and Layer 2 layers of the OSI model.
- Gateways typically operate at the transport and session layers of the OSI model. At the transport layer and above, there are numerous protocols and standards from different vendors; Gateway is used to deal with them.
Understand Network Defenses
A firewall is the most important defense mechanism for a network. Firewalls can either be standalone systems or incorporated into other devices such as routers or servers. There are both hardware and software firewall solutions.
Intrusion detection system (IDS)
An IDS enhances cybersecurity by identifying a hacker or malicious software on a network so you can remove it immediately to prevent breaches or other problems, and use logged data about events to better protect against similar intrusion incidents in the future.
Intrusion prevention system (IPS)
An Intrusion Prevention System (IPS) serves as a powerful network security measure, capable not only of identifying potential intruders but also thwarting their attempts to carry out known attacks. By amalgamating the strengths of firewalls and intrusion detection systems, IPS provides comprehensive protection. Nevertheless, deploying an IPS on a significant scale can incur considerable expenses, necessitating businesses to evaluate their IT risks prudently before committing to such an investment. Additionally, it is worth noting that certain intrusion prevention systems may not match the swift and robust performance exhibited by certain firewalls and intrusion detection systems, making them less ideal for situations where speed is of utmost importance.
Network access control (NAC)
Network Access Control (NAC) is an important process that enables you to control network resource accessibility to endpoint devices based on adherence to your established security policies. Some NAC solutions have the ability to automatically correct any non-compliant devices, confirming their security posture before granting access. NAC proves particularly advantageous in environments characterized by a relatively stable user landscape that can be tightly managed, such as enterprises and government agencies. However, in dynamic settings where users and devices are constantly evolving, such as in the education and healthcare sectors, NAC may face practical limitations.
Web filters act as solutions that prevent users’ browsers from accessing certain pages on certain websites. These filters serve a variety of purposes including individual, family, institutional and enterprise use.
Proxy servers act as intermediaries that facilitate communication between client software and other servers. When a client wants to access a particular resource, such as a website, it connects to the proxy server and submits its request. The proxy server then evaluates the request and decides to grant or deny access. These servers are typically deployed in organizations to improve performance and control traffic by filtering data.
Anti-DDOS devices have the ability to quickly detect the onset of a distributed denial of service (DDOS) attack, effectively mitigate incoming traffic surges, and efficiently identify the source of malicious attacks.
Load balancers act as hardware devices that efficiently distribute the workload across multiple servers within a network. Their primary function involves intelligently routing computers to individual servers based on various factors, including server processor usage, connection count, and overall server performance. Strategic implementation of load balancers by organizations aims to reduce the risk of server overload and maximize bandwidth allocation for each computer within the network.
Email spam filters are specialized tools that efficiently detect and block unwanted emails, protecting users from their intrusion. These filters work using predefined principles or predefined patterns, carefully developed by companies or vendors. To increase accuracy, advanced filters use a heuristic approach, carefully examining suspicious sound patterns and frequencies to identify and flag potential spam messages.
Network segments can be classified into the following categories:
Public networks like the Internet are designed to provide limited accessibility to users. However, this openness also means that public networks often contain considerable amounts of both inconsistent and vulnerable data. Unfortunately, the security measures implemented on these networks are often inadequate.
A semi-private network strikes a balance between public networks and private networks, occupying a unique position in terms of security. It has the power to transmit confidential information, albeit subject to certain regulations and guidelines.
Private networks include organizational networks responsible for maintaining data privacy and ensuring data availability. Each organization has the ability to own one or more private networks. In situations where an organization operates across a wide geographic area, private networks in different locations can be interconnected using the Internet or other public networks.
A demilitarized zone (DMZ) serves as a secure zone on the outskirts of a private network protected by a firewall. It is typically employed by organizations to host public servers that need access by potentially untrusted individuals By isolating a server within a DMZ, its ability to reach other parts of the network is hidden or excluded. Although internal network users can still connect to the server, external parties are prevented from accessing additional network resources.
Software-defined networking (SDN) has emerged as a contemporary approach that holds significant potential for deploying security devices and effectively segmenting networks. By virtualizing the entire network infrastructure, SDN simplifies the process of network segmentation, empowering administrators to conveniently position virtual security devices at their discretion.
Here is the second part of the article —> Part 2