Thursday, September 19, 2024

Defense In Depth – A Layered Approach to Network Security

Giving partners and employees access to information from outside the network is a central concern in security design. Corporations need assurance that their critical servers are safe from internet-borne threats. Additionally, because the Web is worldwide, it is impossible to reach a global agreement on which traffic is inappropriate and how that traffic should be regulated. A major problem IT departments face is how to defend critical servers from hostile network traffic and hostile network addresses. How do we add layers of security to protect our internet servers and internal systems?

First Level Filters – Routers and Core Network Devices
Filtering by IP address can be achieved with a simple router. A filter can be created to deny access to the ports of internal network servers. This solution works well for static lists and for blocking IP packets from reaching certain ports on the network. The disadvantage is that if network policies change frequently, maintaining the list on a daily or weekly basis becomes a nightmare.

Use first level filters for static access lists that are not likely to change much, or to block unwanted services outright, such as exposing SQL Server to the internet.

Second Level Filters – Firewalls and Application Layer Devices
Firewalls are a good solution for adding security to your network and preventing outsiders from accessing your internal servers. Most firewall vendors offer tiered pricing for special features such as encryption, user authentication, web proxying and dynamic (stateful) packet filtering.

Use second level filters for special security requirements such as dynamic packet filtering and user authentication.

IP Forwarding
IP forwarding, or NAT (Network Address Translation), allows one device to present a single IP address on behalf of all the devices on your network. The device provides a gateway service for every device on the network at the IP layer and hides your network from the outside world. Some NAT devices also include other services such as static filtering or web proxy caching.
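The following model, added here as an illustration and not taken from the original article, shows the mechanism behind "hides your network": a port-translating NAT rewrites outbound packets so they carry the single public address, remembers which inside host created each mapping, and delivers an inbound packet only when it answers that mapping. The public address 203.0.113.5 and the private and remote addresses are constructed from the RFC 5737 documentation ranges; the `Packet` and `Nat` names are this example's own.

```python
"""Port-translating NAT model: one public address fronts a private
network; inbound packets are delivered only when they answer a mapping
created by an inside host. Added example, not from the original article;
all addresses are constructed from the RFC 5737 documentation ranges."""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


Endpoint = Tuple[str, int]


class Nat:
    def __init__(self, public_ip: str = "203.0.113.5", first_port: int = 50000):
        self.public_ip = public_ip
        self.next_port = first_port
        # (inside endpoint, remote endpoint) -> public port used on the outside
        self.outbound_map: Dict[Tuple[Endpoint, Endpoint], int] = {}
        # public port -> (inside endpoint, remote endpoint) it was allocated for
        self.inbound_map: Dict[int, Tuple[Endpoint, Endpoint]] = {}

    def translate_outbound(self, pkt: Packet) -> Packet:
        """Rewrite an inside host's packet so it leaves with the public address.
        A new public port is allocated the first time an (inside, remote) pair
        is seen; later packets of the same flow reuse it."""
        inside = (pkt.src_ip, pkt.src_port)
        remote = (pkt.dst_ip, pkt.dst_port)
        key = (inside, remote)
        if key not in self.outbound_map:
            self.outbound_map[key] = self.next_port
            self.inbound_map[self.next_port] = key
            self.next_port += 1
        return Packet(self.public_ip, self.outbound_map[key], pkt.dst_ip, pkt.dst_port)

    def translate_inbound(self, pkt: Packet) -> Optional[Packet]:
        """Deliver an inbound packet to the inside host that created the mapping.
        Returns None (the packet is dropped) when nothing on the inside asked
        for it, which is why internal hosts are unreachable from outside."""
        if pkt.dst_ip != self.public_ip:
            return None
        entry = self.inbound_map.get(pkt.dst_port)
        if entry is None:
            return None          # no mapping: nobody inside opened this flow
        inside, remote = entry
        if (pkt.src_ip, pkt.src_port) != remote:
            return None          # a different peer is trying to use the mapping
        return Packet(pkt.src_ip, pkt.src_port, inside[0], inside[1])


if __name__ == "__main__":
    nat = Nat()
    out = nat.translate_outbound(Packet("192.168.1.10", 40000, "198.51.100.7", 80))
    print("outbound rewritten to", out)
    reply = nat.translate_inbound(Packet("198.51.100.7", 80, "203.0.113.5", out.src_port))
    print("reply delivered to", reply)
    print("unsolicited inbound:", nat.translate_inbound(Packet("198.51.100.9", 80, "203.0.113.5", 1433)))
```

The mapping is keyed on the remote endpoint as well as the inside one, so a packet from a different peer that happens to target an allocated public port is dropped; a NAT that only checks the public port would forward it. Either way, a packet to a port with no mapping at all never reaches the inside network.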

Third Level Filters – Web Proxies and Application Specific Security Software
A Web proxy cache allows users to pool their Web browser cache on one server. With this tool, when a second user downloads the same file you just spent 20 minutes downloading, the file is retrieved from the Web-caching server and not the Internet. This method, integrated with third-party software that provides ongoing updates, is a complete and scalable solution. It allows a single point of management and provides a selection of filter categories to meet your needs.

Other Third-party Filtering Software
Filtering through software can involve a third-party developer who maintains and updates a content database and continually provides the updated information to its customers. Filtering software supports a wide range of platforms. You can run it on a stand-alone workstation or as a server-based solution. A server-based solution gives you a central point of control and is the most economical option in terms of support staff.

Filtering Network Traffic with Windows 2000 Filtering
Windows 2000 Filtering allows you to control what type of requests and transactions your server accepts. There are a variety of ways to securely filter access to and from the Internet, but none of these methods will block 100% of the attacks.


Figure 1. Enabling filtering IP traffic.

Most IT environments do not have the time or qualified staff to monitor critical server activity every minute. Therefore, it is necessary to implement a system in which servers can have Internet and network access without the direct supervision of a staff member. The filtering function of Windows 2000 is geared toward administrators of large networked servers, such as Web servers, database servers and mail servers. Windows 2000 filtering can protect the server from unsafe network data sent by outsiders and control which network applications are accessible to system users. Port-level access control protects the server by limiting requests to the information that is needed and by controlling which ports can and cannot be reached.
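To make the layering concrete, here is an added example (not code from the original article) that runs an inbound packet through the three levels described above in order: a static router access list, a stateful firewall that performs dynamic packet filtering, and a stateless permit-only port list on the server itself, modelled on the kind of host-level TCP/IP filtering the section discusses. The web server address 198.51.100.10, the block list 192.0.2.0/24, the rule sets and the class names are all constructed for the example. The host list is deliberately tighter than the firewall's published services, which shows why a second, independent layer still matters when an outer one is misconfigured.

```python
"""Three filtering layers applied in order to inbound packets: a static
router ACL, a stateful firewall, and a stateless host port filter modelled
on a "permit only" port list. Added example, not from the original article;
all addresses, ports and rules are constructed."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Set, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False   # TCP segment that opens a new connection


def flow_key(pkt: Packet) -> tuple:
    return (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)


class RouterAcl:
    """First level: static source-address / destination-port list.
    First matching rule wins; the list ends with an implicit deny."""

    def __init__(self, rules):
        # rules: (action, source network, destination port or None for any)
        self.rules = [(a, ipaddress.ip_network(n), p) for a, n, p in rules]

    def check(self, pkt: Packet) -> bool:
        src = ipaddress.ip_address(pkt.src_ip)
        for action, net, port in self.rules:
            if src in net and (port is None or port == pkt.dst_port):
                return action == "permit"
        return False


class StatefulFirewall:
    """Second level: dynamic packet filtering. A new inbound connection is
    accepted only for a published service; any other inbound packet is
    accepted only if it belongs to a flow already in the connection table."""

    def __init__(self, published: Set[Tuple[str, str, int]]):
        self.published = published        # (proto, server ip, port)
        self.table: Set[tuple] = set()    # flows seen so far

    def record_outbound(self, pkt: Packet) -> None:
        self.table.add(flow_key(pkt))     # connection opened from the inside

    def check_inbound(self, pkt: Packet) -> bool:
        reply_to = (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port)
        if flow_key(pkt) in self.table or reply_to in self.table:
            return True                   # part of a tracked flow
        service = (pkt.proto, pkt.dst_ip, pkt.dst_port)
        if service in self.published and (pkt.syn or pkt.proto == "udp"):
            self.table.add(flow_key(pkt)) # remember the new connection
            return True
        return False                      # unsolicited or mid-stream packet


class HostPortFilter:
    """Third level, on the server itself: stateless permit-only port lists.
    None means "permit all" for that protocol."""

    def __init__(self, tcp_ports: Optional[Set[int]], udp_ports: Optional[Set[int]]):
        self.allowed = {"tcp": tcp_ports, "udp": udp_ports}

    def check(self, pkt: Packet) -> bool:
        permitted = self.allowed.get(pkt.proto)
        return permitted is None or pkt.dst_port in permitted


def inbound_verdict(pkt: Packet, router: RouterAcl,
                    firewall: StatefulFirewall, host: HostPortFilter) -> str:
    """Return the name of the layer that dropped the packet, or 'accepted'."""
    if not router.check(pkt):
        return "router"
    if not firewall.check_inbound(pkt):
        return "firewall"
    if not host.check(pkt):
        return "host"
    return "accepted"


WEB = "198.51.100.10"   # constructed address of the published web server


def build_layers():
    router = RouterAcl([
        ("deny", "0.0.0.0/0", 1433),      # never expose SQL Server to the internet
        ("deny", "192.0.2.0/24", None),   # constructed block list of hostile addresses
        ("permit", "0.0.0.0/0", None),
    ])
    firewall = StatefulFirewall({("tcp", WEB, 80), ("tcp", WEB, 443)})
    # Host list tighter than the firewall: only TCP 80; UDP left unconstrained
    # because a stateless host filter would otherwise drop replies to the
    # server's own UDP lookups, which arrive on ephemeral ports.
    host = HostPortFilter(tcp_ports={80}, udp_ports=None)
    return router, firewall, host


if __name__ == "__main__":
    layers = build_layers()
    for p in (Packet("tcp", "203.0.113.7", 51000, WEB, 80, syn=True),
              Packet("tcp", "203.0.113.7", 51001, WEB, 1433, syn=True),
              Packet("tcp", "203.0.113.7", 51002, WEB, 443, syn=True)):
        print(p.dst_port, "->", inbound_verdict(p, *layers))
```

Note the difference between the static and the dynamic layer: the router passes any packet to port 80, while the firewall rejects a TCP packet to port 80 that is neither a connection-opening segment nor part of a connection it has already seen.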

About This Section…
Whether you want to learn what network security is, how firewalls work, or how to script a program in C to manage Active Directory security, this section is designed to provide useful, easy-to-understand articles for Information Technology professionals at all levels. Rather than offering theoretical views and terminology about security principles and systems, we will give you straightforward, real-life information to apply at work. Some of the topics we will put in plain words in this section are: How to Build a Firewall with Internet Security and Acceleration (ISA) Server, Analyzing and Monitoring Network Attacks with Windows 2000, and Using and Creating Advanced Windows 2000 Security Tools and Utilities with Simple Programs. Finally, we will focus on providing the depth necessary to pass any Microsoft-related security exam.

Want a FREE network security evaluation? Please e-mail Leo Loro at leoloro@2000traines.com, or contact him at (310) 701-7385.

Article originally published at http://www.2000trainers.com/security/coursesandarticles/sec/sec-13-PF.html.

Leonard Loro, MCSE, MCSD, ISS, MCT, CCNA, is a recognized e-Business specialist. His experience includes engaging, managing and implementing large consulting projects for government agencies and for companies such as Microsoft and Nissan, as well as other Fortune 500 companies. Leonard can be reached at Leonardo.loro@enresource.com.
