APLawrence.com -  Resources for Unix and Linux Systems, Bloggers and the self-employed

Hardening your perimeter

© November 2006 Michael Desrosiers

2006/11/01 Michael Desrosiers


Happy Halloween to All!

This month's topic is the techniques available to harden or secure your network perimeter.

We are all aware of how today's Internet-based threats can affect our day-to-day lives. They can arrive and you have no defense for them. Fortunately, there are some basic, common sense steps you can take to harden your network and provide layers of security. You may not know exactly what the threat is, but you can certainly deploy some proactive steps like these that might stop such a problem right in its tracks.

Network Access Control

One of the easiest ways for malicious software or Internet users to access your network is not through holes in your firewall, brute-force password attacks or anything else that might occur on your network. It is through your remote, mobile users when they try to connect to your business network while on the road or through kiosks. Neither of these categories of machines is subject to your stringent security policies, and that is a major problem.

Internet Protocol Security (IPsec)

IPsec encapsulates communications in a layer of encryption that is difficult to break, but it also allows you to restrict communications to and from certain machines based on whether their machine certificates are signed and valid. With this in place, even if an exploit were introduced into your network, the machines restricted by IPsec would simply ignore it. Using IPsec in this way also forms the basis for using network access control.

Virtual LANs (VLANs)

VLANs are essentially multiple logical boundaries created within one physical network. VLANs are an easy way to divide critical areas of your network from others. For instance, you could have one VLAN for servers and another for client machines, or you could segregate machines based on department, or any other scheme you choose. Creating a VLAN in and of itself doesn't necessarily create a layer of protection, but it forms the basis for any number of other hardening techniques, and it provides a way to limit the scope of security procedures to only the most critical areas of a network.

Intrusion Detection/Prevention system (IDS/IPS)

Intrusion detection/prevention systems often use heuristics that can detect malicious activity on your network before an actual definition is created by anti-virus and anti-malware vendors. IDS/IPS systems also provide a solid foundation for forensic analysis in case you care to examine how an exploit entered your network or penetrated your network defenses.

Wireless Access Point Encryption

Simply using media access control (MAC) filtering and not broadcasting your service set identifier (SSID) are methods that just do not cut it anymore in a corporate setting. WEP has been cracked numerous times and even the ankle biters will have no trouble gaining access to your wireless network protected only by WEP. Look into WPA2 to really filter out the bad guys.

Stateful Firewall & Perimeter Defense

This almost goes without saying (which is why I put it at the end of my list), but perimeter defense is the first, best and most effective way to protect against zero-day exploits in a variety of forms. To help prevent your network from being a vector of delivery for a nasty vulnerability, deploy a firewall immediately. Better yet, deploy a security appliance and perform regular audits of that firewall if you aren't doing audits already.
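
One way to run the kind of regular firewall audit recommended above, as an added example that is not part of the original newsletter: a short Python check over an `iptables-save` dump. The sample ruleset, the list of sensitive ports and the function names are assumptions made for illustration.

```python
import shlex
# Constructed sample in iptables-save format; not taken from a real host.
SAMPLE = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 192.0.2.0/24 -p tcp -m tcp --dport 443 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 23 -j ACCEPT
-A FORWARD -j ACCEPT
COMMIT
"""
# Assumed audit policy: management ports that must not accept any source.
SENSITIVE = {"22": "ssh", "23": "telnet", "3389": "rdp"}

def opt(tok, *names):
    """Value following the first of `names` present in the rule, else None."""
    return next((tok[tok.index(n) + 1] for n in names if n in tok[:-1]), None)

def audit(dump):
    """Return findings for the INPUT/FORWARD chains of the filter table."""
    findings, stateful, table = [], False, None
    for n, line in enumerate(dump.splitlines(), 1):
        tok = shlex.split(line, comments=True)
        if tok and tok[0].startswith("*"):
            table = tok[0][1:]                      # "*filter", "*nat", ...
        elif table != "filter" or len(tok) < 2:
            continue                                # other tables, COMMIT, blanks
        elif tok[0] in (":INPUT", ":FORWARD") and tok[1] != "DROP":
            findings.append(f"line {n}: {tok[0][1:]} default policy is {tok[1]}")
        elif tok[0] == "-A" and tok[1] in ("INPUT", "FORWARD"):
            if opt(tok, "-j") != "ACCEPT" or opt(tok, "-i") == "lo":
                continue                            # only ACCEPT rules widen access
            any_src = opt(tok, "-s") in (None, "0.0.0.0/0")
            port = opt(tok, "--dport")
            if "ESTABLISHED" in (opt(tok, "--ctstate", "--state") or ""):
                stateful = True                     # connection tracking is in use
            elif any_src and port is None and opt(tok, "-p") is None:
                findings.append(f"line {n}: {tok[1]} accepts all traffic")
            elif any_src and port in SENSITIVE:
                findings.append(f"line {n}: {SENSITIVE[port]} open to any source")
    if not stateful:
        findings.append("no ESTABLISHED,RELATED rule: filtering is not stateful")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The check does not interpret negated (`!`) matches or user-defined chains, so an empty result is a starting point for review, not proof that the ruleset is sound.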

There you have it. To better protect your electronic assets, you must approach this from a layered perspective or a principle-of-least-privilege model.

To respond to this or previous newsletters or to inquire about an on-site presentation, please feel free to call us at 508-995-4933 or email us at mdesrosiers@m3ipinc.com.


Michael Desrosiers
m3ip, Inc.
We Manage Risk, So You Can Manage Your Business
