Defense In Depth - A Layered Approach to Network Security
Giving partners and employees access to information from outside the network is
an important aspect of security design. Corporations need assurance that their
critical servers are safe from the many threats on the Internet. Additionally,
because the Web is worldwide, there is no global agreement on what traffic is
inappropriate or how that traffic should be regulated. A major problem IT
departments face is how to defend critical servers from hostile network traffic
and hostile network addresses. How do we add layers of security to protect our
Internet servers and internal systems?
First Level Filters - Routers and Core Network Devices
Filtering by IP address can be done with a simple router. An access list can be
created to deny outside access to the ports of internal network servers. This
solution is useful for static lists and for blocking IP packets from reaching
certain ports on the network. The disadvantage is that if network policies
change frequently, maintaining such a list on a daily or weekly basis becomes a
nightmare.
Use first level filters for static access lists that are not likely to change
much, or to block unwanted services, such as SQL Server access to the Internet.
Second Level Filters - Firewalls and Application Layer Devices
Firewalls are a good way to add security to your network and prevent outsiders
from reaching your internal servers. Most firewall vendors offer tiered pricing
for special features such as encryption, user authentication, web proxying and
dynamic packet filtering.
Use second level filters for special security requirements such as dynamic
packet filtering and user authentication.
IP Forwarding
IP forwarding, or NAT (Network Address Translation), allows one device to present
a single IP address on behalf of all the devices on your network. The device
provides a gateway service for every device on the network at the IP layer and
hides your internal addresses from the outside world. Some NAT devices also
include other services such as static filtering or web proxy caching.
Third Level Filters - Web Proxies and Application Specific Security Software
A Web proxy cache lets users pool their Web browser caches on one server. With
this tool, when a second user requests the same file you just spent 20 minutes
downloading, the file is served from the Web-caching server rather than fetched
again from the Internet. This method, integrated with third-party software that
provides ongoing updates, is a complete and scalable solution: it offers a single
point of management and a selection of filter categories to meet your needs.
Other Third-party Filtering Software
Filtering through software can involve a third-party developer who maintains and
updates a content database and continually provides the updated information to
its customers. Filtering software supports a wide range of platforms. You can run
it on a stand-alone workstation or as a server-based solution. A server-based
solution gives you a central point of control and is the most economical in
terms of support staff.
Filtering Network Traffic with Windows 2000 Filtering
Windows 2000 Filtering allows you to control what type of requests and
transactions your server accepts. There are a variety of ways to securely filter
access to and from the Internet, but none of these methods will block 100% of
the attacks.

Figure 1. Enabling IP traffic filtering.
Most IT environments do not have the time or the qualified staff to monitor
critical server activity every minute. It is therefore necessary to implement a
system in which servers can have Internet and network access without the direct
supervision of a staff member. The filtering function of Windows 2000 is geared
toward administrators of large networked servers, such as Web servers, database
servers and mail servers. Windows 2000 filtering can protect the server from
unsafe network data sent by outsiders and control which network applications are
accessible to system users. Port access is used to protect and control the
server, limiting access requests to the information needed and controlling which
ports can and cannot be accessed.
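As an added illustration of the layered model described above (this is example code, not part of the original article): a small Python simulation in which an inbound packet must pass a static router access list (first level filter), a NAT gateway that only maps published services (IP forwarding), and a per-server port allow-list of the kind Windows 2000 TCP/IP filtering provides. The addresses, the port mappings and the rule blocking SQL Server's default port 1433 are constructed assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str = "tcp"
# Layer 1: static router access list (first level filter). First match wins;
# anything unmatched passes, since the router only blocks a few fixed services.
ROUTER_ACL = [
    ("tcp", 1433, "deny"),  # SQL Server default port, never from the Internet
]
# Layer 2: NAT gateway (IP forwarding). Only published services get a static
# mapping from the single public address to an internal host.
PUBLIC_IP = "203.0.113.10"  # constructed TEST-NET-3 address
NAT_STATIC = {
    ("tcp", 80): ("10.0.0.20", 80),      # web server
    ("tcp", 25): ("10.0.0.30", 25),      # mail server
    ("tcp", 8080): ("10.0.0.20", 8080),  # stale mapping nobody removed
}
# Layer 3: per-host port allow-list, as with Windows 2000 TCP/IP filtering.
# A port missing here is dropped by the server itself even if NAT forwards it.
HOST_ALLOWED_TCP = {"10.0.0.20": {80, 443}, "10.0.0.30": {25}}

def router_filter(pkt):
    for proto, port, action in ROUTER_ACL:
        if pkt.proto == proto and pkt.dst_port == port:
            return action == "permit"
    return True

def nat_translate(pkt):
    target = NAT_STATIC.get((pkt.proto, pkt.dst_port))
    if pkt.dst_ip != PUBLIC_IP or target is None:
        return None
    return Packet(pkt.src_ip, target[0], target[1], pkt.proto)

def host_filter(pkt):
    allowed = HOST_ALLOWED_TCP.get(pkt.dst_ip, set())
    return pkt.proto == "tcp" and pkt.dst_port in allowed

def inspect(pkt):
    """Walk an inbound packet through the layers and report where it stops."""
    if not router_filter(pkt):
        return "dropped: router ACL"
    inner = nat_translate(pkt)
    if inner is None:
        return "dropped: no NAT mapping"
    if not host_filter(inner):
        return "dropped: host port filter"
    return f"delivered to {inner.dst_ip}:{inner.dst_port}"
```

The stale 8080 mapping shows the point of layering: a mistake at the NAT layer is still caught by the host's own port filter.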
About This Section...
Whether you want to learn what network security is, how firewalls work, or how
to write a C program to manage Active Directory security, this section is
designed to provide useful, easy-to-understand articles for Information
Technology professionals at all levels. Rather than theoretical views and the
terminology of security principles and systems, we will give you
straightforward, real-life information to apply at work. Some of the topics we
will put in plain words in this section are: How to Build a Firewall with
Internet Security and Acceleration (ISA) Server, Analyzing and Monitoring
Network Attacks with Windows 2000, and Using and Creating Advanced Windows 2000
Security Tools and Utilities with Simple Programs. Finally, we will focus on
providing the depth necessary to pass any Microsoft-related security exam.
Want a FREE network security evaluation? Please e-mail Leo Loro at leoloro@2000traines.com,
or contact him at (310) 701-7385.
About the Author:
Leonard Loro, MCSE, MCSD, ISS, MCT, CCNA, is a recognized e-Business specialist.
His experience includes engaging, managing and implementing large consulting
projects for government agencies and for companies such as Microsoft and Nissan,
as well as other Fortune 500 companies. Leonard can be reached at
Leonardo.loro@enresource.com.