Layer on your security.
Denial-of-service (DoS) and distributed denial-of-service (DDoS) attacks are the most common type of enterprise security breach. These attacks can originate from anywhere in the world and are launched from compromised computers, which either run defective software (many users forget to download the recommended patches) or have remotely controllable software loaded on them.
Specific Web sites are the most common targets of DoS and DDoS attacks, but because these attacks are often self-perpetuating and difficult to stop once they start, they can also quickly reach the servers of an enterprise. The result of a DoS or DDoS attack is network paralysis: the server becomes overwhelmed and cannot process requests, so legitimate business often slips through the cracks. To prevent DoS and DDoS attacks, enterprises should take a layered approach to security.
The first line of defense is a CPE-based, Layer 3 stateful packet inspection firewall. CPE-based firewalls are housed on the customer's premises and protect the in-building LAN. Companies can configure the firewall to accept traffic only from specific people and businesses, thereby blocking unauthorized packets from entering the company's network.
CPE-based firewalls depend on good information from the on-site IT staff and/or the service provider managing the service. If a dangerous source is mistakenly approved, the enterprise becomes vulnerable. Companies should constantly monitor the flow of traffic, looking for anomalies and warning signals, so that new threats can be quickly assessed and the firewall adjusted accordingly.
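As an added illustration (not from the article or from Time Warner Telecom), a small Python model of the two pieces described above: a Layer 3 stateful filter that admits inbound packets only when they belong to a session the LAN opened or come from an approved source, and a monitor that flags an approved source whose rate of new connection attempts looks anomalous. The addresses, the partner/stranger roles and the threshold are constructed for the example.

```python
from collections import defaultdict

# Constructed sample addresses (RFC 5737 documentation ranges), not real hosts.
LAN_HOST = "10.0.0.5"
WEB_SERVER = "198.51.100.7"     # a site the LAN host browses
PARTNER = "192.0.2.10"          # a business the firewall has been told to trust
STRANGER = "203.0.113.9"        # never approved


class StatefulFirewall:
    """Layer-3 stateful filter with a source allowlist plus a new-connection-rate
    monitor (a stand-in for the anomaly watching the article recommends)."""

    def __init__(self, allowed_sources, syn_threshold=20):
        self.allowed = set(allowed_sources)
        self.sessions = set()               # (lan_ip, remote_ip) opened from inside
        self.syn_threshold = syn_threshold
        self.syn_counts = defaultdict(int)  # inbound connection attempts per source
        self.alerts = []                    # sources that exceeded the threshold

    def handle(self, src, dst, direction, syn=False):
        """Return 'accept' or 'drop' for one packet.
        direction is 'out' (LAN -> Internet) or 'in' (Internet -> LAN)."""
        if direction == "out":
            self.sessions.add((src, dst))   # remember the session the LAN opened
            return "accept"
        if (dst, src) in self.sessions:     # reply to a LAN-initiated session
            return "accept"
        if src not in self.allowed:         # unsolicited and not approved
            return "drop"
        if syn:                             # approved source opening connections
            self.syn_counts[src] += 1
            if self.syn_counts[src] == self.syn_threshold:
                self.alerts.append(src)     # flag it so staff can revisit the rule
        return "accept"


def run_sample():
    """Feed constructed traffic through the firewall; returns decisions and alerts."""
    fw = StatefulFirewall(allowed_sources=[PARTNER], syn_threshold=20)
    decisions = {
        "lan_out": fw.handle(LAN_HOST, WEB_SERVER, "out", syn=True),
        "reply_in": fw.handle(WEB_SERVER, LAN_HOST, "in"),
        "stranger_in": fw.handle(STRANGER, LAN_HOST, "in", syn=True),
        "partner_in": fw.handle(PARTNER, LAN_HOST, "in", syn=True),
    }
    # An approved source that floods connection attempts still passes the allowlist,
    # which is exactly why the traffic flow has to be monitored as well.
    for _ in range(25):
        fw.handle(PARTNER, LAN_HOST, "in", syn=True)
    return decisions, list(fw.alerts)
```

The approved partner's packets are never dropped by the allowlist; only the rate monitor surfaces the flood, which is the gap the text warns about when a source is approved by mistake.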
The next layer is a network-based firewall. Because the device sits within the service provider's network, it can push protection into the ISP cloud, allowing DoS and DDoS detection, alerting and mitigation before the attack traffic reaches the enterprise's own firewall.
A network-based firewall also lets the ISP customize settings for each enterprise, implementing in the network the same policies the customer has on its premises. This type of security is particularly attractive to small and medium-sized companies that may not have an IT person on staff to constantly monitor the flow of traffic.
Some enterprises implement an IP virtual private network (VPN) service in tandem with the on-premises firewall, the network-based firewall or both. An IP VPN service lets an enterprise create its own virtual network and send information within the company without fear of attack or breach of confidentiality. Because of the way the IP VPN is configured, only authenticated participants in a communication hold the "key" to decode the encrypted message. Normally, a communications provider configures and manages this service, taking data from end users, encrypting it and sending it to its destination.
This type of premises-to-premises data encryption may be required of businesses in industries with mandated privacy acts, such as healthcare under the Health Insurance Portability and Accountability Act and financial services under the Gramm-Leach-Bliley Act.
This multilayered approach to security is best for companies that rely on mission-critical data to manage their business, host Web sites or maintain e-mail servers, communicate between multiple locations or transmit valuable data over their networks.
For more information from Time Warner Telecom:
This article was provided by Mike Rouleau, a senior vice president at Time Warner Telecom, Littleton, Colo.
Title Annotation: Network Security
Date: Mar 1, 2005