Wizertech Informatics Pvt Ltd is An ISO 9001:2008 and ISO 14001:2004 certified IT Infrastructure Consultancy & System Integration company having presence all across India.


Data Security(Perimeter & End Point)

Why a Layered Security Approach?

It’s becoming increasingly clear that the current model for network security — defend the perimeter and patch, patch, patch — has some serious shortcomings.

First, relying on signature files and patches doesn’t provide the absolute protection that some vendors promise. Even if your perimeter systems are fully up to date, new attacks that signature files don’t recognize will still get through. That was the case in January 2003 when the Slammer worm struck, spreading so quickly around the world that it slipped right past signature-based defenses and reached most vulnerable hosts within 18 minutes.

Fast worms such as Slammer and new blended attacks that combine worms and viruses will likely become more common this year. Because only their authors know what forms these attacks will take, IT teams have no way of blocking them with signature files. For all the investment being made in perimeter defenses, enterprise networks remain vulnerable.

Second, this maintenance-heavy approach to network security is expensive — too expensive. A recent study by The Yankee Group found that the largest area of enterprise IT spending, 25%, is allocated to staffing costs. Why are IT organizations spending so much on staffing? In part, because today’s security model is so labor-intensive. IT organizations need staffers for a growing list of low-level security tasks, such as reading the latest pile of security bulletins, tracking down patches, reprogramming firewalls and so on. When you consider that all this security work still leaves networks vulnerable to fast worms and blended attacks, perhaps it’s time to put down the patch CDs, sit back and rethink our approach to network security.

For enterprises today, the network is where business takes place. Every department in an organization relies on the network for applications and for a growing share of communications, not only e-mail and instant messaging, but soon telephony as well. The mission of network security is to ensure that applications can do their jobs and that applications have the network bandwidth and the availability needed to support the operations of the company.

There’s also a broader perspective on network requirements. It’s a holistic view that encompasses security as well as availability, bandwidth and control. We call it network integrity. This is the real goal behind securing a network. When the network is functioning properly, providing applications with the bandwidth and availability they need, then the network has integrity, and security is doing its job, even when the network is under attack.

Along with their investment at the perimeter, network managers would do well to adopt this broader approach: recognizing the unique vulnerabilities and requirements of each area of the network, and deploying a layered security architecture designed to coordinate network operations overall and achieve network integrity.

Threat Categories

There are four general categories of security threats to the network:

  1. Unstructured threats – generated by amateurs. Unstructured threats, which are technically unskilled or unsophisticated, can be external or internal. In an external threat, an individual outside the organization may commit intrusions; in an internal threat, an individual inside the organization may exploit the system.
  2. Structured threats – generated by professionals. Organized efforts to attack a specific target.
  3. External threats – viruses, worms, hacking, etc. A threat originating outside a company, government agency, or institution. In contrast, an internal threat is one originating inside the organization, typically by an employee or “insider.”
  4. Internal threats – data theft, unwanted data tampering, etc. A threat originating inside a company, government agency, or institution, typically an exploit by a disgruntled employee denied promotion or informed of employment termination. Such exploits can also be launched by an attacker who has sought temporary employment with a target and uses social engineering skills to get on the inside.


All of the following can be used to compromise your system:

  1. Reconnaissance attacks – unstructured threats. Reconnaissance, ‘a preliminary survey to gain information’, cannot be entirely prevented, but measures can be taken. There are two main types of reconnaissance mitigation:

    a) ICMP echo request/reply disabled on edge routers to stop ping sweeps.

    b) IDS (NIDS/HIDS) to identify when an attack is underway.

  2. Access attacks – structured threats. Attacks launched to gain access to the network architecture.
  3. Denial of service attacks – external attacks. A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to carry out, motives for, and targets of a DoS attack may vary, it generally consists of the concerted efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely. Perpetrators of DoS attacks typically target sites or services hosted on high-profile web servers such as banks, credit card payment gateways, and even root name servers.
  4. Worms, viruses, and Trojan horses – internal and external. Malicious code or activity that creates security holes in the network system and exploits the vulnerabilities inside the network and OS.


3-Tier Security Model

Perimeter Security – Layer 1

PERIMETER – STATEFUL FIREWALL (In computing, a stateful firewall, i.e. any firewall that performs stateful packet inspection (SPI) or stateful inspection, is a firewall that keeps track of the state of network connections (such as TCP streams and UDP communication) traveling across it. The firewall is programmed to distinguish legitimate packets for different types of connections. Only packets matching a known connection state will be allowed by the firewall; others will be rejected.

Early attempts at producing firewalls operated at the application level of the seven-layer OSI model, but this required too much CPU speed. Packet filters operate at the network layer (layer 3) and function more efficiently because they only look at the header part of a packet. However, pure packet filters have no concept of state, as defined in computer science by the term finite state machine, and are subject to spoofing attacks and other exploits.)
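To make the difference between a header-only packet filter and a stateful firewall concrete, here is an added example (not code from the Wizertech page or any product it describes): a minimal TCP connection-tracking filter beside a stateless "allow established" rule, run over constructed packets. The trusted 10.0.0.0/8 side, the `Packet` tuple and the flag letters are assumptions of the example.

```python
import ipaddress
from collections import namedtuple

# Constructed example: the trusted side is a hypothetical 10.0.0.0/8.
INSIDE = ipaddress.ip_network("10.0.0.0/8")
# flags: TCP flag letters, S=SYN, A=ACK, F=FIN, R=RST (e.g. "SA" is SYN-ACK)
Packet = namedtuple("Packet", "src sport dst dport flags")

def stateless_filter(p):
    # Header-only rule with no memory: inside may start anything; from outside
    # only packets carrying ACK ("established") pass. It cannot tell a reply from a forgery.
    if ipaddress.ip_address(p.src) in INSIDE:
        return "ALLOW"
    return "ALLOW" if "A" in p.flags else "DROP"

class StatefulFirewall:
    # Connection table keyed by the initiator's (src, sport, dst, dport).
    def __init__(self):
        self.table = {}

    def inspect(self, p):
        fwd = (p.src, p.sport, p.dst, p.dport)
        rev = (p.dst, p.dport, p.src, p.sport)
        if fwd not in self.table and rev not in self.table:
            # Unknown flow: only an inside host may open one, and only with a SYN.
            if ipaddress.ip_address(p.src) in INSIDE and p.flags == "S":
                self.table[fwd] = "SYN_SENT"
                return "ALLOW"
            return "DROP"  # unsolicited from outside, or a mid-stream packet with no state
        key = fwd if fwd in self.table else rev
        if self.table[key] == "SYN_SENT":
            if key == rev and p.flags == "SA":  # the server's SYN-ACK answers our SYN
                self.table[key] = "ESTABLISHED"
                return "ALLOW"
            return "ALLOW" if key == fwd and p.flags == "S" else "DROP"  # SYN retransmit only
        # ESTABLISHED: both directions pass; FIN or RST removes the entry.
        if "F" in p.flags or "R" in p.flags:
            del self.table[key]
        return "ALLOW"

def demo():
    # Legitimate outbound HTTPS handshake, then an unsolicited ACK from outside.
    fw = StatefulFirewall()
    handshake = [Packet("10.1.1.5", 40000, "203.0.113.9", 443, "S"),
                 Packet("203.0.113.9", 443, "10.1.1.5", 40000, "SA"),
                 Packet("10.1.1.5", 40000, "203.0.113.9", 443, "A")]
    stray_ack = Packet("198.51.100.7", 5555, "10.1.1.5", 40001, "A")
    return ([fw.inspect(p) for p in handshake],
            fw.inspect(stray_ack), stateless_filter(stray_ack))
```

`demo()` shows the handshake passing both filters, while the stray ACK that belongs to no tracked connection is dropped by the stateful firewall but admitted by the stateless rule.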

+ CONTENT SECURITY (Provides security against viruses, worms, adware, malware, spyware, etc.)

+ URL FILTERING (Policy-based restriction or granting of web site access)

+ CONTENT FILTERING (Policy-based control over the contents to be transferred over the Internet)

+ NETWORK INTRUSION PREVENTION SYSTEM (An Intrusion Prevention System is a network security device that monitors network and/or system activities for malicious or unwanted behavior and can react, in real time, to block or prevent those activities. A network-based IPS, for example, operates in-line to monitor all network traffic for malicious code or attacks. When an attack is detected, it can drop the offending packets while still allowing all other traffic to pass. Intrusion prevention technology is considered by some to be an extension of intrusion detection (IDS) technology. The term “Intrusion Prevention System” was coined by Andrew Plato, who was a technical writer and consultant for Network ICE.)

Server Farm Security Layer – 2

SERVER FARM – STATEFUL FIREWALL + NETWORK INTRUSION PREVENTION SYSTEM (as described under Layer 1).

End Point Security Layer – 3

SERVERS – HOST INTRUSION PREVENTION SYSTEM (A host-based IPS (HIPS) is one where the intrusion-prevention application is resident on that specific IP address, usually on a single computer. HIPS complements traditional fingerprint-based and heuristic antivirus detection methods, since it does not need continuous updates to stay ahead of new malware. As ill-intended code needs to modify the system or other software residing on the machine to achieve its aims, a truly comprehensive HIPS will notice some of the resulting changes and prevent the action by default or notify the user for permission.) + SIGNATURE-BASED ANTI-VIRUS SOLUTION.

DESKTOPS – HOST INTRUSION PREVENTION SYSTEM (as described for servers above) + SIGNATURE-BASED ANTI-VIRUS SOLUTION.

A three-layer security solution is proposed; based on monitoring and periodic testing, the security policies can be revised and future security devices can be considered.

Security best practice is to have a regular health check of the security architecture, with regular monitoring and periodic testing of the architecture by a professional.

On this technology road map, we at Wizertech understand all possible aspects of end-to-end data security needs and the solutions associated with them, and have a wide range of product and service lines. Wizertech has globally certified engineers in data security solution implementation who are technically qualified to understand and implement any kind of data security requirement.