CISSP Secure Network Components – Bk1D4T2

Society has benefited from the Internet. All of the interconnections, the communication capabilities, the digital transformations, and the speed of sharing information have changed and, in some cases, saved lives. Almost every industry has advanced by exploiting Internet capabilities; healthcare, retail, banking, industrial control, military, government, and telecommunications are all more efficient and effective, to the benefit of the stakeholders of their services and products.

However, with all of the positives, there is a counterbalance of negatives. The Internet also provides a lucrative target for malicious people who have illegal and unethical motives. Assets such as sensitive personal and financial information are accessed by cyber criminals and stolen for resale, for identity theft, or to steal money from a person’s bank or credit accounts. In the case of critical infrastructure, as in government, healthcare, or industrial control organizations, the objective of the criminal may be to disrupt or deny service to the organization. For security professionals, the impact of a DDoS attack on information availability is just as concerning as the confidentiality and integrity concerns that come from unauthorized data access or information theft. The discussion of how security professionals must balance these pros and cons covers the various architectures, network designs, and networking devices required to protect assets and access to information.

That discussion begins with the typical practice of dividing a single network, such as an intranet or extranet, into several interconnecting components or subnetworks (subnets), referred to as segments. Segmentation strategies offer numerous advantages:

  • Performance: Systems that communicate frequently are grouped together, while systems that communicate less frequently are placed in separate segments.
  • Reduced communication problems: Rather than broadcasting traffic across an entire network and causing congestion, segmentation confines broadcast traffic to its own segment and limits delivery to the minimum set of destination systems required.
  • Security: An unsegmented network is considered flat, meaning that every network device is reachable from every other device. Segmentation makes it possible to isolate traffic and enforce access controls at a granular level; a layered approach is achieved using a combination of switch-based VLANs, routers, and firewalls.

Tip  A private LAN or intranet, a DMZ, and an extranet are all types of network segments.
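The following is an added example, not code from the CISSP text, that models the security benefit of segmentation described above: a flat network where every device can reach every other, beside a segmented network (a user LAN, a DMZ, an internal server segment, and the Internet as the untrusted segment) where traffic inside a segment flows freely but anything crossing a segment boundary must match an explicit allowlist and is otherwise denied. The segment address ranges, the rules, and the sample flows are all constructed for illustration and are assumptions, not a recommended design.

```python
"""Inter-segment access control on a segmented network (added example).

Segments, rules and sample flows are constructed for illustration; the
address ranges and ports are assumptions, not a recommended design.
"""
from ipaddress import ip_address, ip_network

# Constructed segments. 0.0.0.0/0 stands for the untrusted Internet and
# matches anything not covered by a more specific internal segment.
SEGMENTS = {
    "lan":      ip_network("10.10.0.0/24"),   # user workstations
    "dmz":      ip_network("192.0.2.0/24"),   # public-facing web tier
    "servers":  ip_network("10.20.0.0/24"),   # internal database servers
    "internet": ip_network("0.0.0.0/0"),
}

# Allowlist enforced at segment boundaries (router ACL / firewall):
# (src_segment, dst_segment, proto, dst_port). Anything not listed is denied.
INTER_SEGMENT_RULES = {
    ("internet", "dmz",     "tcp", 443),   # public users reach the web tier
    ("lan",      "dmz",     "tcp", 443),   # internal users reach it too
    ("dmz",      "servers", "tcp", 5432),  # web tier -> database only
    ("lan",      "servers", "tcp", 22),    # admin SSH from the user LAN
}


def segment_of(ip: str) -> str:
    """Return the most specific segment containing ip (longest prefix wins)."""
    addr = ip_address(ip)
    matches = [name for name, net in SEGMENTS.items() if addr in net]
    if not matches:
        raise ValueError(f"{ip} belongs to no defined segment")
    return max(matches, key=lambda name: SEGMENTS[name].prefixlen)


def flow_allowed(src_ip: str, dst_ip: str, proto: str, dst_port: int,
                 segmented: bool = True) -> bool:
    """Decide whether a flow is permitted.

    segmented=False models a flat network: every device is reachable from
    every other, so every flow is allowed.
    segmented=True allows traffic that stays inside one segment (same VLAN
    or broadcast domain, no boundary device in the path) and otherwise
    consults the explicit inter-segment allowlist, denying by default.
    """
    if not segmented:
        return True
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    if src_seg == dst_seg:
        return True
    return (src_seg, dst_seg, proto, dst_port) in INTER_SEGMENT_RULES


# Constructed sample flows: (src, dst, proto, dst_port, description).
SAMPLE_FLOWS = [
    ("198.51.100.7", "192.0.2.10", "tcp", 443,  "Internet user -> DMZ web"),
    ("198.51.100.7", "10.20.0.5",  "tcp", 5432, "Internet -> database directly"),
    ("192.0.2.10",   "10.20.0.5",  "tcp", 5432, "DMZ web -> database"),
    ("192.0.2.10",   "10.20.0.5",  "tcp", 22,   "compromised DMZ host -> SSH on DB"),
    ("10.10.0.5",    "10.10.0.9",  "tcp", 445,  "LAN host -> LAN host (same segment)"),
    ("10.10.0.5",    "10.20.0.5",  "tcp", 22,   "admin -> server SSH"),
]


def evaluate(flows, segmented: bool = True) -> dict:
    """Map each flow description to its allow/deny decision."""
    return {desc: flow_allowed(s, d, p, port, segmented)
            for s, d, p, port, desc in flows}


if __name__ == "__main__":
    for segmented in (False, True):
        print("segmented network:" if segmented else "flat network:")
        for desc, ok in evaluate(SAMPLE_FLOWS, segmented).items():
            print(f"  {'ALLOW' if ok else 'DENY':5} {desc}")
```

On the flat network every sample flow is allowed, including the Internet reaching the database directly. On the segmented network the same flows show the layered effect: the DMZ web tier may still reach the database on its service port, but a compromised DMZ host cannot SSH to it, and the Internet cannot reach the server segment at all, because nothing crossing a boundary is permitted unless a rule says so.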

The tools used to accomplish network segmentation include a number of security device categories. These devices are found in all types of networks. You do not need all of the following devices in every network, but one or more types are commonly present.

In fact, following a defense in depth approach, it is usually more advantageous to have a full complement of these devices working together at different OSI layers and performing different services. A single device will almost never satisfy every security requirement.

That said, security devices that are improperly used, incorrectly configured, or unmanaged, or that are deployed in excess, can result in security failure too. You need to analyze requirements and provide tailored, risk-based solutions.

A range of network components exists across the spectrum of hardware, software, and services. Using the right ones and making sure they are configured or employed in ways that will increase security is essential. The sections that follow will examine the security considerations of such network components as firewalls, NAT, intrusion detection systems (IDSs), security information and event management (SIEM), hardware devices, transmission media, endpoints, and content distribution networks (CDNs).