The network layout has much influence over the security of the network. The placement of servers with respect to the firewall and various other computers can affect both network performance and security. There may even be areas of the network that are more secure than others. Some of these areas may be further protected with an additional firewall. A typical network is shown below.
In this network, the box labeled "IDS" is an intrusion detection system which may be a computer or deviced designed to log network activity and detect any suspicious activity. In this diagram it is shown outside the firewall, on the semi-private network and protecting the servers on the private network. It may be a good idea to place an IDS just inside the firewall to protect the entire private network since an attack may be first launched against a workstation before being launched against a server. The IDS protecting the servers could be moved to protect the entire private network, but depending on cost and requirements it is also good to protect your servers, especially the mail server.
The semi-private network is commonly called a "DMZ" (for DeMilitarized Zone) in many security circles. In this diagram the semi-private network contains a mail relay box to increase security since the mail server is not directly accessed. The mail relay box routes mail between the internet and the mail server.
Other network equipment used includes:
- Routers - Used to route traffic between physical networks. Many routers provide packet filtering using access control lists (ACLs). This can enhance network security when configured properly. Routers can be configured to drop packets for some services and also drop packets depending on the source and/or destination address. Therefore routers can help raise the security between different segments on a network and also help isolate the spread of viruses.
- Switches - A switch is used to regulate traffic at the data link layer of the OSI network model. This is the layer which uses the Media Sccess Control (MAC) address. It is used to connect several systems to the network and regulates network traffic to reduce traffic on the network media. This can reduce collisions.
- Media - The physical cable that carries the signal for the network traffic.
Routers can be set up to perform packet filtering to enhance network security.
The consideration of how each computer system on the network is used is a very important part of computer and network security. These considerations can even be used to enhance cost savings where neccessary.
Many times when security vulnerabilities are published, an older version of software may not be supported by the manufacturer. This may require an operating system upgrade or an additional license to be purchased to upgrade specific software. This may be very cost prohibitive to many organizations. When dealing with these situations, it is important to consider your network layout and how it is used.
One consideration that should be kept in mind when dealing with network security is what users can perform what functions and what computers these users can use. For example the following situation may exist in an organization: