Honeypots, Essentially Decoy Network-Accessible Resources, Could Be Deployed in A

Network security consists of provisions to protect networks from unauthorized access through authentication, firewalls, intrusion prevention systems, encryption, and audit tracking. Honeypots are decoy network resources that study attacker techniques to tighten actual network security. Common network threats include denial-of-service attacks, unauthorized access, illicit command execution, confidentiality breaches, and destructive behavior like data manipulation or deletion. Firewalls use application gateways, packet filtering, or hybrid systems to control network access.

Uploaded by Vu Xuan Phong
© Attribution Non-Commercial (BY-NC)

Network security consists of the provisions made in an underlying computer network
infrastructure, the policies adopted by the network administrator to protect the network and
the network-accessible resources from unauthorized access, and the effectiveness (or lack
of it) of these measures combined together.

Network security starts with authenticating any user. Once a user is authenticated, a firewall
enforces access policies such as which services the network users are allowed to reach.
Though effective at preventing unauthorized access, this component does not check
potentially harmful content, such as computer worms, being transmitted over the network.
An intrusion prevention system (IPS)[1] helps detect and prevent such malware. An IPS also
monitors network traffic for suspicious content, volume and anomalies, to protect the
network from attacks such as denial of service. Communication between two hosts using
the network can be encrypted to maintain privacy. Individual events occurring on the
network can be logged for audit purposes and for later higher-level analysis.

Honeypots, essentially decoy network-accessible resources, could be deployed in a
network as surveillance and early-warning tools. Techniques used by the attackers that
attempt to compromise these decoy resources are studied during and after an attack to
keep an eye on new exploitation techniques. Such analysis could be used to further
tighten security of the actual network being protected by the honeypot.[2]
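The decoy idea above, as an added example that is not part of the original document: a minimal TCP honeypot that listens on an unused address and port, hands out a fake service banner, records everything each connecting host sends, and treats every connection as an alert, since nothing legitimate should ever talk to a decoy. The bind address, the ESMTP banner and the probe payloads are assumptions chosen for the demonstration.

```python
"""Minimal TCP honeypot: a decoy service that accepts connections, sends a
fake banner, and records what each connecting host sends. Nothing should
legitimately talk to a decoy, so every recorded event is an early-warning
alert rather than ordinary traffic."""
import socket
import socketserver
import threading
from datetime import datetime, timezone


class DecoyHandler(socketserver.BaseRequestHandler):
    """Handle one connection: send a banner, capture the first input, log it."""

    def handle(self):
        self.request.settimeout(2.0)
        # The banner is an assumption for this example; choose one that matches
        # the service the decoy is meant to imitate.
        self.request.sendall(b"220 mail.example.internal ESMTP ready\r\n")
        try:
            data = self.request.recv(1024)
        except (socket.timeout, ConnectionError):
            data = b""
        self.server.record(self.client_address[0], data)


class Honeypot(socketserver.ThreadingTCPServer):
    allow_reuse_address = True
    daemon_threads = True

    def __init__(self, bind=("127.0.0.1", 0)):   # port 0: let the OS pick one
        super().__init__(bind, DecoyHandler)
        self.events = []                         # one dict per connection
        self._lock = threading.Lock()
        self._got_event = threading.Condition(self._lock)

    @property
    def port(self):
        return self.server_address[1]

    def record(self, src_ip, data):
        """Called from handler threads; append an event and wake any waiter."""
        with self._got_event:
            self.events.append({
                "time": datetime.now(timezone.utc).isoformat(),
                "src": src_ip,
                "data": data.decode("utf-8", "replace").strip(),
            })
            self._got_event.notify_all()

    def wait_for_events(self, count, timeout=5.0):
        """Block until at least `count` connections have been recorded."""
        with self._got_event:
            return self._got_event.wait_for(lambda: len(self.events) >= count, timeout)

    def alerts(self):
        """Every connection is suspicious; group captured input by source."""
        by_src = {}
        for e in self.events:
            by_src.setdefault(e["src"], []).append(e["data"])
        return by_src

    def start(self):
        threading.Thread(target=self.serve_forever, daemon=True).start()
        return self


def probe(port, payload, host="127.0.0.1"):
    """Play the attacker: connect to the decoy, read the banner, send a probe."""
    with socket.create_connection((host, port), timeout=2.0) as s:
        banner = s.recv(1024)
        s.sendall(payload)
    return banner


if __name__ == "__main__":
    hp = Honeypot().start()
    print("decoy listening on 127.0.0.1:%d" % hp.port)
    probe(hp.port, b"EHLO scanner\r\n")      # constructed attacker input
    probe(hp.port, b"AUTH LOGIN\r\n")        # constructed attacker input
    hp.wait_for_events(2)
    for src, inputs in hp.alerts().items():
        print("ALERT from %s: %r" % (src, inputs))
    hp.shutdown()
    hp.server_close()
```

A real deployment would place the decoy on an address that is not advertised anywhere, so that the only way to find it is by scanning, and would ship the recorded events to the same place as the rest of the network's logs.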

Research:
http://www.interhack.net/pubs/network-security/

Types and Sources of Network Threats

Denial-of-Service

DoS (Denial-of-Service) attacks are probably the nastiest, and the most difficult to address:
they are very easy to launch, difficult (sometimes impossible) to trace back to their source,
and it isn't easy to refuse the attacker's requests without also refusing legitimate requests
for service.

The premise of a DoS attack is simple: send more requests to the machine than it can
handle. There are toolkits available in the underground community that make this a
simple matter of running a program and telling it which host to blast with requests. The
attacker's program simply opens a connection on some service port, perhaps forging the
header information that says where the packet came from, and then drops the
connection. If the host is able to answer 20 requests per second, and the attacker is
sending 50 per second, obviously the host will be unable to service all of the attacker's
requests, much less any legitimate requests (hits on the web site running there, for
example). Forging the source address matters twice over: it hides the attacker, and it
means the victim cannot simply block the address the packets appear to come from.

Such attacks were fairly common in late 1996 and early 1997. They have not gone away;
the usual form today is the distributed variant (DDoS), in which the requests come from
many compromised hosts at once, which makes them harder still to filter.

Some things that can be done to reduce the risk of being stung by a denial of service
attack include

• Not running your visible-to-the-world servers at a level too close to capacity.

• Using packet filtering to prevent obviously forged packets from entering your
network address space. Obviously forged packets include those that claim to come
from your own hosts, from addresses reserved for private networks as defined in
RFC 1918 [4], and from the loopback network (127.0.0.0/8). Applying the mirror
image of this filter to outbound traffic (egress filtering) keeps your own hosts from
being used to send forged packets at someone else.

• Keeping up-to-date on security-related patches for your hosts' operating systems.
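The second item above, as an added example that is not part of the original document: an ingress filter that classifies a packet's source address as plausible or obviously forged, with the same logic turned around for egress. It goes slightly beyond the text by also rejecting a few other ranges that can never be a valid source on the Internet (the 0.0.0.0/8 and link-local ranges, multicast, and the reserved block). The address space 203.0.113.0/24 and the sample packets are assumptions constructed for the demonstration.

```python
"""Anti-spoofing filter for the Internet-facing edge of a network.

Inbound (from the Internet): drop packets whose source is a reserved range or
one of our own addresses.  Outbound (leaving us): drop packets whose source is
not ours, so our hosts cannot be used to spoof someone else."""
import ipaddress

# Our own address space: an assumption for this example.
OUR_NETWORKS = [ipaddress.ip_network("203.0.113.0/24")]

# Source addresses that can never legitimately arrive from the Internet.
BOGON_NETWORKS = [
    ipaddress.ip_network("10.0.0.0/8"),       # RFC 1918 private
    ipaddress.ip_network("172.16.0.0/12"),    # RFC 1918 private
    ipaddress.ip_network("192.168.0.0/16"),   # RFC 1918 private
    ipaddress.ip_network("127.0.0.0/8"),      # loopback
    ipaddress.ip_network("0.0.0.0/8"),        # "this" network
    ipaddress.ip_network("169.254.0.0/16"),   # link-local
    ipaddress.ip_network("224.0.0.0/4"),      # multicast is never a source
    ipaddress.ip_network("240.0.0.0/4"),      # reserved, incl. 255.255.255.255
]


def classify_source(src, direction="inbound"):
    """Return (verdict, reason) for a packet with source address `src`.

    direction: "inbound"  = arriving from the Internet on the outside interface
               "outbound" = leaving our network on the same interface
    """
    ip = ipaddress.ip_address(src)
    for net in BOGON_NETWORKS:
        if ip in net:
            return "drop", "source %s is in reserved range %s" % (src, net)
    ours = any(ip in net for net in OUR_NETWORKS)
    if direction == "inbound" and ours:
        return "drop", "source %s claims to be one of our own hosts" % src
    if direction == "outbound" and not ours:
        return "drop", "source %s is not ours; outbound packet is forged" % src
    return "accept", "source plausible for direction %s" % direction


def filter_packets(packets, direction="inbound"):
    """Split packets into (accepted, dropped) lists of (packet, reason)."""
    accepted, dropped = [], []
    for p in packets:
        verdict, reason = classify_source(p["src"], direction)
        (accepted if verdict == "accept" else dropped).append((p, reason))
    return accepted, dropped


# Constructed sample traffic arriving on the outside interface.
SAMPLE_INBOUND = [
    {"src": "198.51.100.7", "dst": "203.0.113.10", "dport": 80},  # ordinary client
    {"src": "10.1.2.3",     "dst": "203.0.113.10", "dport": 80},  # RFC 1918 forgery
    {"src": "127.0.0.1",    "dst": "203.0.113.10", "dport": 22},  # loopback forgery
    {"src": "203.0.113.5",  "dst": "203.0.113.10", "dport": 25},  # claims to be us
]

if __name__ == "__main__":
    accepted, dropped = filter_packets(SAMPLE_INBOUND, "inbound")
    for p, reason in accepted:
        print("ACCEPT", p["src"], "->", p["dst"], reason)
    for p, reason in dropped:
        print("DROP  ", p["src"], "->", p["dst"], reason)
```

The filter cannot tell a forged 198.51.100.7 from a real one; it only removes the forgeries that are provably impossible, which is exactly the limit the packet filtering section below describes.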

Unauthorized Access

``Unauthorized access'' is a very high-level term that can refer to a number of different
sorts of attacks. The goal of these attacks is to access some resource that your machine
should not provide the attacker. For example, a host might be a web server, and should
provide anyone with requested web pages. However, that host should not provide
command shell access without being sure that the person making such a request is
someone who should get it, such as a local administrator.

Executing Commands Illicitly


It's obviously undesirable for an unknown and untrusted person to be able to execute
commands on your server machines. There are two main classifications of the severity of
this problem: normal user access, and administrator access. A normal user can do a
number of things on a system (such as read files, mail them to other people, etc.) that an
attacker should not be able to do. This might, then, be all the access that an attacker
needs. On the other hand, an attacker might wish to make configuration changes to a host
(perhaps changing its IP address, putting a start-up script in place to cause the machine to
shut down every time it's started, or something similar). In this case, the attacker will
need to gain administrator privileges on the host.

Confidentiality Breaches
We need to examine the threat model: what is it that you're trying to protect yourself
against? There is certain information that could be quite damaging if it fell into the hands
of a competitor, an enemy, or the public. In these cases, it's possible that compromise of a
normal user's account on the machine can be enough to cause damage (perhaps in the
form of PR, or obtaining information that can be used against the company, etc.)

While many of the perpetrators of these sorts of break-ins are merely thrill-seekers
interested in nothing more than to see a shell prompt for your computer on their screen,
there are those who are more malicious, as we'll consider next. (Additionally, keep in
mind that it's possible that someone who is normally interested in nothing more than the
thrill could be persuaded to do more: perhaps an unscrupulous competitor is willing to
hire such a person to hurt you.)

Destructive Behavior
Among the destructive sorts of break-ins and attacks, there are two major categories.

Data Diddling.
The data diddler is likely the worst sort, since the fact of a break-in might not be
immediately obvious. Perhaps he's toying with the numbers in your spreadsheets, or
changing the dates in your projections and plans. Maybe he's changing the account
numbers for the auto-deposit of certain paychecks. In any case, rare is the case when
you'll come in to work one day, and simply know that something is wrong. An
accounting procedure might turn up a discrepancy in the books three or four months after
the fact. Trying to track the problem down will certainly be difficult, and once that
problem is discovered, how can any of your numbers from that time period be trusted?
How far back do you have to go before you think that your data is safe?

Data Destruction.
Some of those who perpetrate attacks are simply twisted jerks who like to delete things. In
these cases, the impact on your computing capability -- and consequently your business --
can be nothing less than if a fire or other disaster had destroyed your computing equipment
completely.

Firewall

A firewall is simply a group of components that collectively form a barrier between two
networks.

Three basic types of firewalls

Application Gateways
The first firewalls were application gateways, and are sometimes known as proxy
gateways. These are made up of bastion hosts that run special software to act as a proxy
server. This software runs at the Application Layer of our old friend the ISO/OSI
Reference Model, hence the name. Clients behind the firewall must be "proxitized" (that is,
must know how to use the proxy, and be configured to do so) in order to use Internet
services. Traditionally, these have been the most secure, because they don't allow
anything to pass by default: a proxy has to be written and turned on for each protocol
before any traffic of that kind can pass, and because the proxy understands the protocol it
can check the content of a request, not just its addresses.

These are also typically the slowest, because more processes need to be started in order to
have a request serviced. Figure 5 shows an application gateway.

Figure 5: A sample application gateway

Packet Filtering
Packet filtering is a technique whereby routers have ACLs (Access Control Lists) turned
on. By default, a router will pass all traffic sent to it, without any sort of restriction.
Employing ACLs is a method for enforcing your security policy with regard to what sorts
of access you allow the outside world to have to your internal network, and vice versa.
Each packet is compared with the list in order and the first matching entry decides
whether it is passed or dropped, so a list should end with an explicit deny-everything
entry rather than relying on the router's permissive default.

There is less overhead in packet filtering than with an application gateway, because the
access control decision is made at a lower ISO/OSI layer (the network and transport
layers: source and destination addresses, protocol, and port numbers). Due to the lower
overhead and the fact that packet filtering is done with routers, which are specialized
computers optimized for tasks related to networking, a packet filtering gateway is often
much faster than its application layer cousins. Figure 6 shows a packet filtering gateway.

Figure 6: A sample packet filtering gateway

Because we're working at a lower level, supporting new applications either comes
automatically, or is a simple matter of allowing a specific packet type to pass through the
gateway. (Not that the possibility of something automatically makes it a good idea;
opening things up this way might very well lower your level of security below what your
policy allows.)

There are problems with this method, though. Remember, TCP/IP has absolutely no
means of guaranteeing that the source address is really what it claims to be. As a result,
we have to use layers of packet filters in order to localize the traffic. We can't get all the
way down to the actual host, but with two layers of packet filters, we can differentiate
between a packet that came from the Internet and one that came from our internal
network. We can identify which network the packet came from with certainty, because we
know which interface it arrived on, but we can't get more specific than that.

Hybrid Systems
In an attempt to marry the security of the application layer gateways with the flexibility
and speed of packet filtering, some vendors have created systems that use the principles
of both.

In some of these systems, new connections must be authenticated and approved at the
application layer. Once this has been done, the remainder of the connection is passed
down to the session layer, where packet filters watch the connection to ensure that only
packets that are part of an ongoing (already authenticated and approved) conversation are
being passed.

Other possibilities include using both packet filtering and application layer proxies. The
benefits here include a measure of protection for the machines that provide services to
the Internet (such as a public web server), as well as the security of an application layer
gateway for the internal network. Additionally, with this arrangement an attacker who
wants to reach services on the internal network has to break through the access router,
the bastion host, and the choke router in turn.
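The packet filtering and hybrid designs above, as one added example that is not part of the original document: a first-match ACL in the style of a router access list, wrapped in a hybrid filter that admits a new TCP connection only if the ACL permits it and an application-layer step approves it, and afterwards passes only packets that belong to a tracked conversation. The `app_layer_approve` function stands in for the bastion host's proxy or login step; the bastion address 203.0.113.10, the policy, the "already authenticated" source 192.0.2.44 and the packet sequence are all assumptions constructed for the demonstration.

```python
"""Stateless ACL (first match wins) plus a hybrid filter with a connection
table: new connections need an ACL permit and application-layer approval,
and only packets of approved, ongoing conversations pass afterwards."""
from dataclasses import dataclass
from typing import Callable, Optional
import ipaddress


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str            # "tcp" or "udp"
    sport: int
    dport: int
    syn: bool = False     # TCP SYN: a request to open a new connection
    fin: bool = False     # TCP FIN: the conversation is ending


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "any"
    src: str                      # CIDR
    dst: str                      # CIDR
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ipaddress.ip_address(p.src) in ipaddress.ip_network(self.src)
                and ipaddress.ip_address(p.dst) in ipaddress.ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))


# Hypothetical policy on the access router in front of 203.0.113.0/24.
BASTION = "203.0.113.10/32"
ACL = [
    Rule("permit", "tcp", "0.0.0.0/0", BASTION, 80),
    Rule("permit", "tcp", "0.0.0.0/0", BASTION, 443),
    Rule("permit", "tcp", "0.0.0.0/0", BASTION, 22),
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0"),   # explicit default deny
]


def acl_decide(p: Packet, acl=ACL) -> str:
    """Stateless packet filter: the first matching entry decides."""
    for rule in acl:
        if rule.matches(p):
            return rule.action
    return "deny"


class HybridFilter:
    def __init__(self, acl, approve: Callable[[Packet], bool]):
        self.acl = acl
        self.approve = approve     # the application-layer step
        self.conntrack = set()     # approved flows, direction-independent

    @staticmethod
    def _flow(p: Packet):
        # Both directions of one conversation map to the same key.
        return frozenset({(p.src, p.sport), (p.dst, p.dport)}), p.proto

    def process(self, p: Packet):
        flow = self._flow(p)
        if flow in self.conntrack:
            if p.fin:
                self.conntrack.discard(flow)
            return "pass", "part of an approved, ongoing conversation"
        if acl_decide(p, self.acl) != "permit":
            return "drop", "denied by ACL"
        if p.proto != "tcp" or not p.syn:
            return "drop", "not a new-connection request and not tracked"
        if not self.approve(p):
            return "drop", "rejected at the application layer"
        self.conntrack.add(flow)
        return "pass", "new connection approved and now tracked"


# Stand-in for the application layer: web ports are public, SSH only for a
# source that has already authenticated to the bastion (assumed set).
AUTHENTICATED_SOURCES = {"192.0.2.44"}

def app_layer_approve(p: Packet) -> bool:
    if p.dport in (80, 443):
        return True
    return p.dport == 22 and p.src in AUTHENTICATED_SOURCES


# Constructed packet sequence exercising each decision branch.
DEMO_PACKETS = [
    Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 80, syn=True),   # open web
    Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 80),             # data
    Packet("203.0.113.10", "198.51.100.7", "tcp", 80, 40000),             # reply
    Packet("198.51.100.7", "203.0.113.10", "tcp", 40001, 80),             # ACK, no SYN
    Packet("198.51.100.7", "203.0.113.10", "tcp", 40002, 22, syn=True),   # SSH, no auth
    Packet("198.51.100.7", "203.0.113.10", "udp", 40003, 53),             # not in ACL
    Packet("192.0.2.44", "203.0.113.10", "tcp", 5000, 22, syn=True),      # SSH, authed
    Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 80, fin=True),   # close web
    Packet("198.51.100.7", "203.0.113.10", "tcp", 40000, 80),             # after close
]

def run_demo(packets=DEMO_PACKETS):
    """Return the verdict for each packet, processed in order."""
    fw = HybridFilter(ACL, app_layer_approve)
    return [fw.process(p)[0] for p in packets]

if __name__ == "__main__":
    fw = HybridFilter(ACL, app_layer_approve)
    for p in DEMO_PACKETS:
        verdict, reason = fw.process(p)
        print("%-4s %s:%d -> %s:%d  (%s)" % (verdict, p.src, p.sport, p.dst, p.dport, reason))
```

Packet 4 is the case the stateless ACL alone gets wrong: it is addressed to a permitted port, so the ACL would pass it, but it is not a SYN and belongs to no approved conversation, so the hybrid filter drops it.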

Secure Network Devices

It's important to remember that the firewall is only one entry point to your network.
Modems, if you allow them to answer incoming calls, can provide an easy means for an
attacker to sneak around (rather than through) your front door (or, firewall). The same
goes for any other path that bypasses the firewall, such as wireless access points, VPN
endpoints and links to partner or cloud networks. Just as castles weren't built with moats
only in the front, your network needs to be protected at all of its entry points.
