Computer Network Security

This post summarizes some aspects of information security on computer networks.

Network Security Controls

Security Gateway

Security gateway is a broad term for any security device deployed at the edge of a network, where traffic enters or leaves it.

Firewall

A firewall is a preventive control that filters traffic between network zones according to a ruleset. Proxy servers (application-level gateways) are one type of firewall. You can read more about it on this post.

Intrusion Detection System (IDS)

Intrusion Detection System (IDS) is a device or software application that monitors a network or systems for malicious activity or policy violations.

Host-based Intrusion Detection System (HIDS) is an IDS that runs on the host it protects, inspecting its logs, file integrity, processes and local network activity.

Network Intrusion Detection System (NIDS) is an IDS that monitors the traffic of a network segment, typically from a SPAN port or tap, without running on the endpoints.

You can find a list of IDS on this post.

Intrusion Prevention System (IPS) is an IDS that applies preventive controls in addition to detective ones: it sits inline on the traffic path and can drop or reset offending traffic rather than only alerting on it.
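The difference between detecting and preventing, in code. The following is an added example, not code from the original post or from any real IDS engine: it parses a simplified, Snort-like rule syntax invented here, matches constructed packet records against the rules, and shows the same rules run as a passive IDS (every packet forwarded, alerts raised) and as an inline IPS (packets hitting a drop rule withheld). The rule grammar, the sample traffic and all names are assumptions of this example.

```python
"""Minimal signature-based NIDS/IPS over constructed packet records.
Added illustration: the rule syntax is a simplified, Snort-like form
invented for this example, not any real engine's grammar."""
from dataclasses import dataclass
from typing import Optional
import ipaddress
import re


@dataclass
class Packet:
    src: str
    dst: str
    proto: str       # "tcp" or "udp"
    sport: int
    dport: int
    payload: bytes


@dataclass
class Rule:
    action: str      # "alert" (detect only) or "drop" (detect and prevent)
    proto: str
    src_net: ipaddress.IPv4Network
    dst_net: ipaddress.IPv4Network
    dport: Optional[int]      # None matches any destination port
    content: Optional[bytes]  # byte substring the payload must contain
    msg: str


# action proto src -> dst dport (msg:"..."; [content:"...";])
RULE_RE = re.compile(
    r'^(alert|drop)\s+(tcp|udp)\s+(\S+)\s+->\s+(\S+)\s+(any|\d+)\s+'
    r'\(msg:"([^"]*)";(?:\s*content:"([^"]*)";)?\)$')


def parse_rule(text: str) -> Rule:
    m = RULE_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad rule: {text!r}")
    action, proto, src, dst, dport, msg, content = m.groups()

    def net(s):
        return ipaddress.ip_network("0.0.0.0/0" if s == "any" else s)

    return Rule(action, proto, net(src), net(dst),
                None if dport == "any" else int(dport),
                content.encode() if content is not None else None, msg)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (rule.proto == pkt.proto
            and ipaddress.ip_address(pkt.src) in rule.src_net
            and ipaddress.ip_address(pkt.dst) in rule.dst_net
            and (rule.dport is None or rule.dport == pkt.dport)
            and (rule.content is None or rule.content in pkt.payload))


def inspect(rules, packets, prevent=False):
    """Return (alerts, forwarded). As an IDS (prevent=False) every packet is
    forwarded and only alerts are raised; as an inline IPS (prevent=True)
    packets that hit a 'drop' rule are withheld."""
    alerts, forwarded = [], []
    for pkt in packets:
        hits = [r for r in rules if matches(r, pkt)]
        alerts.extend((r.msg, pkt.src, pkt.dst) for r in hits)
        if prevent and any(r.action == "drop" for r in hits):
            continue
        forwarded.append(pkt)
    return alerts, forwarded


RULES = [parse_rule(r) for r in (
    'alert tcp any -> 10.0.0.0/8 22 (msg:"SSH to internal host";)',
    'drop tcp any -> 10.0.0.0/8 80 '
    '(msg:"Path traversal in HTTP request"; content:"../";)',
)]

SAMPLE = [  # constructed traffic, not a capture
    Packet("203.0.113.5", "10.1.1.10", "tcp", 40000, 80,
           b"GET /../../etc/passwd HTTP/1.1\r\n"),
    Packet("203.0.113.5", "10.1.1.10", "tcp", 40001, 80,
           b"GET /index.html HTTP/1.1\r\n"),
    Packet("198.51.100.7", "10.1.1.20", "tcp", 50000, 22,
           b"SSH-2.0-OpenSSH_9.6\r\n"),
]

if __name__ == "__main__":
    for mode in (False, True):
        alerts, forwarded = inspect(RULES, SAMPLE, prevent=mode)
        print("IPS" if mode else "IDS", "alerts:", alerts,
              "forwarded:", len(forwarded))
```

Both modes raise the same two alerts; only the IPS run withholds the traversal request. The caveat this makes visible is the cost of inline prevention: a false positive in a drop rule blocks legitimate traffic, which is why drop rules are usually tuned on a passive sensor before being promoted to inline.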

Application Gateway

An application gateway typically refers to a device or software component that provides application-layer services, such as protocol translation, TLS (often still called SSL) termination, load balancing, and sometimes limited security functionality.

Application gateways often act as intermediaries between clients and servers, handling communication between different types of applications or protocols.

In the context of networking, application gateways are often used to enable secure access to specific applications or services, such as web servers, email servers, or database servers.

Secure Web Gateway

Secure Web Gateway (SWG) is an on-premises or cloud-delivered network security service. Sitting between users and the Internet, a secure web gateway inspects outbound web requests against company policy so that malicious or disallowed applications and websites are blocked and inaccessible.

Network Address Translation (NAT)

Network Address Translation (NAT) substitutes the IPv4 address of an internal device with another IPv4 address. In its basic (static) form the translation is 1 to 1: each internal address maps to its own external address and ports are left untouched.

Port Address Translation (PAT), also called overloaded NAT, network and port address translation (NPAT) or network address and port translation (NAPT), allows a 1 to many translation: many internal devices share a single public IPv4 address, and the translator tells their flows apart by rewriting the source port and keeping a per-flow state table.
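The two forms of translation as state tables. This is an added example, not code from the original post or from any real NAT implementation: a static 1:1 NAT needs only an address map, whereas PAT must allocate a public port per flow and keep reverse state so replies can be routed back. The class names, addresses and port allocation scheme are assumptions of this example.

```python
"""Static 1:1 NAT versus overloaded NAT (PAT/NAPT) modelled as translation
tables. Added illustration; not a real NAT implementation."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Flow:
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class StaticNat:
    """1:1 NAT: one public address per internal address; ports untouched."""

    def __init__(self, mapping: dict):
        self.out = dict(mapping)                        # internal -> public
        self.back = {v: k for k, v in mapping.items()}  # public -> internal

    def outbound(self, f: Flow) -> Flow:
        return Flow(self.out[f.src_ip], f.src_port, f.dst_ip, f.dst_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        # Replies arrive addressed to the public address; no ports involved.
        internal = self.back.get(f.dst_ip)
        if internal is None:
            return None
        return Flow(f.src_ip, f.src_port, internal, f.dst_port)


class Pat:
    """Overloaded NAT: many internal (ip, port) pairs share one public address
    and are told apart by the public port allocated to each flow."""

    def __init__(self, public_ip: str, first_port: int = 1024):
        self.public_ip = public_ip
        self.next_port = first_port
        # (int_ip, int_port, dst_ip, dst_port) -> public port
        self.table = {}
        # (public_port, dst_ip, dst_port) -> (int_ip, int_port)
        self.reverse = {}

    def outbound(self, f: Flow) -> Flow:
        key = (f.src_ip, f.src_port, f.dst_ip, f.dst_port)
        if key not in self.table:
            port = self.next_port          # allocate a fresh public port
            self.next_port += 1
            self.table[key] = port
            self.reverse[(port, f.dst_ip, f.dst_port)] = (f.src_ip, f.src_port)
        return Flow(self.public_ip, self.table[key], f.dst_ip, f.dst_port)

    def inbound(self, f: Flow) -> Optional[Flow]:
        """Translate a reply back to the internal host. Returns None when no
        flow state exists: unsolicited inbound packets have nowhere to go."""
        entry = self.reverse.get((f.dst_port, f.src_ip, f.src_port))
        if entry is None:
            return None
        int_ip, int_port = entry
        return Flow(f.src_ip, f.src_port, int_ip, int_port)


if __name__ == "__main__":
    pat = Pat("198.51.100.1")
    # Two internal hosts happen to pick the same source port (constructed case).
    a = pat.outbound(Flow("10.0.0.5", 51000, "93.184.216.34", 443))
    b = pat.outbound(Flow("10.0.0.6", 51000, "93.184.216.34", 443))
    print(a, b, sep="\n")
    print(pat.inbound(Flow("93.184.216.34", 443, "198.51.100.1", b.src_port)))
    print(pat.inbound(Flow("93.184.216.34", 443, "198.51.100.1", 9999)))
```

Two internal hosts using the same source port would collide behind a single public address without the port rewrite, which is why PAT must allocate ports rather than copy them. The `None` returned for a reply with no matching state is the origin of the common claim that NAT "acts as a firewall": unsolicited inbound traffic is dropped for lack of state, not because any policy was written, and it should not be relied on in place of one.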

Honeypots

You can read more about honeypots on this post.

Bastion Host

A bastion host is a hardened server, exposed to an external network, that mediates access from that network to an internal or private network.

Jumpbox

A jump server, jump host or jumpbox is a hardened host that serves as the single controlled entry point for administrative access between security zones, so that administrators connect to it first and from there into the more restricted zone.

Identity and Access Management

Identity and Access Management (IAM) includes internal network AAA, web-based IAM and directory services. You can find more about this on this post.

Network Log Management

NetFlow is a network protocol developed by Cisco for exporting summarized IP traffic information (flow records: who talked to whom, on which ports and protocol, how many packets and bytes) from routers and switches to a collector. IPFIX is the IETF standard derived from it. Flow data carries no payload, so it is cheap to retain at scale and is widely used for monitoring and for detecting patterns such as scans, lateral movement and data exfiltration.
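What a flow export actually contains, and what can be detected from it without any payload. The following is an added example, not code from the original post or from Cisco: it decodes the NetFlow v5 wire format (24-byte header plus 48-byte records, big-endian, as documented by Cisco) and runs a port-scan heuristic over the decoded flows. The sample datagram is constructed inline by `build_v5`, not captured from a device; the threshold and the helper names are assumptions of this example.

```python
"""Decode a NetFlow v5 export datagram and run a simple port-scan heuristic
over the flows. Added illustration; the datagram is constructed by build_v5
below rather than captured from a router."""
import socket
import struct
from collections import defaultdict

# NetFlow v5 on the wire: a 24-byte header followed by `count` 48-byte
# records, all fields big-endian.
HEADER = struct.Struct("!HHIIIIBBH")
#        version, count, sys_uptime, unix_secs, unix_nsecs, flow_sequence,
#        engine_type, engine_id, sampling_interval
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")
#        srcaddr, dstaddr, nexthop, input, output, dPkts, dOctets, first,
#        last, srcport, dstport, pad1, tcp_flags, prot, tos, src_as, dst_as,
#        src_mask, dst_mask, pad2


def parse_v5(datagram: bytes):
    """Return (header dict, list of flow dicts); reject malformed input."""
    if len(datagram) < HEADER.size:
        raise ValueError("datagram shorter than a v5 header")
    version, count, _uptime, secs, _nsecs, seq, *_ = HEADER.unpack_from(datagram)
    if version != 5:
        raise ValueError(f"unsupported NetFlow version {version}")
    if len(datagram) != HEADER.size + count * RECORD.size:
        raise ValueError("record count does not match datagram length")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(datagram, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "packets": r[5], "bytes": r[6],
                      "sport": r[9], "dport": r[10],
                      "tcp_flags": r[12], "proto": r[13]})
    return {"version": version, "count": count, "unix_secs": secs,
            "sequence": seq}, flows


def build_v5(flows, unix_secs=1700000000, seq=1) -> bytes:
    """Encode flow dicts as a v5 datagram (used here only to build sample input)."""
    body = b"".join(RECORD.pack(
        socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), b"\0\0\0\0",
        1, 2, f["packets"], f["bytes"], 0, 0, f["sport"], f["dport"],
        0, f.get("tcp_flags", 0x02), f.get("proto", 6), 0, 0, 0, 0, 0, 0)
        for f in flows)
    return HEADER.pack(5, len(flows), 0, unix_secs, 0, seq, 0, 0, 0) + body


def port_scanners(flows, min_ports=10):
    """(src, dst) pairs where one source touched at least `min_ports` distinct
    TCP ports on one host with tiny flows: the shape of a SYN scan in flow
    data, visible without any payload."""
    touched = defaultdict(set)
    for f in flows:
        if f["proto"] == 6 and f["packets"] <= 2:
            touched[(f["src"], f["dst"])].add(f["dport"])
    return sorted(pair for pair, ports in touched.items()
                  if len(ports) >= min_ports)


SAMPLE_FLOWS = (  # constructed: twelve one-packet probes plus one HTTPS session
    [{"src": "203.0.113.9", "dst": "10.0.0.20", "sport": 40000 + p, "dport": p,
      "packets": 1, "bytes": 60} for p in range(20, 32)]
    + [{"src": "10.0.0.20", "dst": "93.184.216.34", "sport": 52000, "dport": 443,
        "packets": 40, "bytes": 31000, "tcp_flags": 0x1b}]
)
SAMPLE_DATAGRAM = build_v5(SAMPLE_FLOWS)

if __name__ == "__main__":
    header, flows = parse_v5(SAMPLE_DATAGRAM)
    print(header, "flows:", len(flows), "scanners:", port_scanners(flows))
```

The length check against `count` matters in practice: a collector that trusts the record count from an untrusted UDP datagram without checking the buffer length is reading past the end of the data. The scan heuristic is deliberately crude (a fixed distinct-port threshold); a real detection would also window by time and whitelist vulnerability scanners.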

Network Segmentation

Networks are subdivided into smaller organizational units called segments.

Segments can be created with the following individual or combined elements:

  • Airgaps
  • Switch-based VLANs
  • Routers
  • Subnet divisions
  • Firewalls, like internal segmentation firewalls (ISFW)

Advantages of network segmentation:

  • Network performance
  • Reduction of communication issues
  • Security enhancement

An out-of-band pathway is a separate and distinct network structure for traffic that would otherwise interfere with the production network or that may itself be put at risk if placed on the production network.

Examples of uses of secondary or additional network paths are data storage traffic (such as with SANs), VoIP, backup data, patch distribution, and management operations.

Microsegmentation divides the network into much smaller zones, down to individual hosts or workloads, so that lateral movement inside a segment is controlled as well as traffic between segments. VLANs are one building block for it, alongside software-defined networking and host-based firewalls or agents that enforce policy on each workload.
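Segmentation as a policy, and the gap microsegmentation closes. The following is an added example, not code from the original post or from the cited study guide: it models segments as subnets, a default-deny allow list enforced by an internal segmentation firewall between them, and per-host rules that also apply to traffic inside a segment, which the firewall never sees. The zones, addresses, rules and function names are all constructed for this example.

```python
"""Zone-based segmentation policy (default deny between segments) plus a
host-level allow list standing in for microsegmentation. Added illustration;
every zone, address and rule below is constructed."""
import ipaddress
from typing import Optional, Tuple

ZONES = {  # segment name -> subnet
    "users": ipaddress.ip_network("10.10.0.0/16"),
    "web":   ipaddress.ip_network("10.20.0.0/24"),
    "db":    ipaddress.ip_network("10.30.0.0/24"),
    "mgmt":  ipaddress.ip_network("10.99.0.0/24"),
}

# Zone-to-zone allow list enforced by the internal segmentation firewall (ISFW):
# (from_zone, to_zone, proto, dport). Anything not listed is denied.
ZONE_RULES = {
    ("users", "web", "tcp", 443),
    ("web", "db", "tcp", 5432),
    ("mgmt", "web", "tcp", 22),
    ("mgmt", "db", "tcp", 22),
}

# Microsegmentation: per-host allow lists enforced on the destination host
# itself, so they also cover traffic that never crosses the ISFW.
# destination host -> {(source host, proto, dport)}
HOST_RULES = {
    "10.30.0.10": {("10.20.0.5", "tcp", 5432),
                   ("10.20.0.6", "tcp", 5432),
                   ("10.99.0.2", "tcp", 22)},
}


def zone_of(ip: str) -> Optional[str]:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def is_allowed(src: str, dst: str, proto: str, dport: int) -> Tuple[bool, str]:
    """Decide a flow and say which control decided it."""
    sz, dz = zone_of(src), zone_of(dst)
    if sz is None or dz is None:
        return False, "address outside any defined segment"
    if sz != dz and (sz, dz, proto, dport) not in ZONE_RULES:
        return False, f"ISFW default deny {sz}->{dz} {proto}/{dport}"
    host_rules = HOST_RULES.get(dst)
    if host_rules is not None and (src, proto, dport) not in host_rules:
        return False, f"host policy on {dst} denies {src} {proto}/{dport}"
    if sz == dz and host_rules is None:
        # The ISFW never sees intra-zone traffic; without a host policy
        # there is nothing to stop lateral movement inside the segment.
        return True, f"intra-zone {sz}, no control applied"
    return True, "allowed by ISFW and host policy"


def lateral_exposure(zone: str):
    """Hosts in `zone` that would accept any intra-zone flow: those with no
    host-level policy at all (only hosts named somewhere in the rules are
    known to this model)."""
    known = {h for h in HOST_RULES} | {s for rules in HOST_RULES.values()
                                        for s, _, _ in rules}
    return sorted(h for h in known if zone_of(h) == zone and h not in HOST_RULES)


if __name__ == "__main__":
    for flow in [("10.10.4.7", "10.20.0.5", "tcp", 443),
                 ("10.10.4.7", "10.30.0.10", "tcp", 5432),
                 ("10.20.0.7", "10.30.0.10", "tcp", 5432),
                 ("10.30.0.11", "10.30.0.10", "tcp", 5432),
                 ("10.30.0.11", "10.30.0.12", "tcp", 22)]:
        print(flow, is_allowed(*flow))
```

The interesting cases are the last two: a compromised database host probing a neighbour in the same segment is stopped only where that neighbour carries its own policy. Segmentation with an ISFW controls the boundaries; microsegmentation is what controls the inside.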


External References

  • Microsegmentation
    • M. Chapple, J. M. Stewart and D. Gibson, "CISSP Official Study Guide, 9th Edition", Section "Microsegmentation", pp. 526-527; Wiley, 2021
