ZDNet UK



Network management Toolkit

Strengthen your network defences

Brien M Posey

Published: 30 Apr 2003 15:45 BST


Encryption
The next step I recommend is to encrypt your network traffic. Begin by implementing IPSec wherever possible. Here are a few things that you need to know about implementing IPSec security.

When you configure a machine to use IPSec, you can configure it either to require encryption or to request encryption. If you configure IPSec to require encryption, any machine it attempts to connect to is informed that encryption is required. If the other machine is capable of IPSec encryption, a secure channel is established and the communications session begins. If the other machine is incapable of IPSec encryption, the communications session is denied because the required encryption can't occur.

The request encryption option works a little differently. When a machine requests a connection, it also requests encryption. If both machines support IPSec encryption, a secure channel is established and communications begin. If one of the machines doesn't support IPSec encryption, the communications session is established anyway, but the data isn't encrypted.

There are a couple of things I suggest doing. First, I recommend placing all of the servers within a site on a secure network. This network should be completely isolated from the normal network. Each server that users require access to should have two network cards, one for connecting to the main network and the other for connecting to the private server network. The server network should consist only of servers and should have a dedicated hub or switch.

By implementing such a configuration, you create a dedicated backbone between the servers. All server-based traffic, such as RPC traffic and traffic used for replication, can flow across this dedicated backbone. This will help secure the server-based traffic and increase the amount of available bandwidth on the main network.

Second, for the server-only network, I recommend that you configure IPSec to require encryption. After all, this network consists of nothing but servers, so unless you have UNIX, Linux, Macintosh, or some other non-Microsoft server, there's no reason why all of your servers shouldn't support IPSec. Therefore, you're perfectly safe requiring encryption. For all of the workstations and the server connections on the primary network, you should configure the machines to request encryption. By doing so, you've achieved the optimal balance between security and functionality.

Unfortunately, IPSec can't distinguish between network adapters on multihomed computers. Therefore, unless a server is attached exclusively to the server network, you'll want to use the request encryption option; otherwise, clients may not be able to access the server.
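The require/request rules and the multihomed caveat above, modelled as an added example (not code from the article). The host names, segment labels and the `none` policy value for machines without IPSec support are constructed for illustration.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Host:
    name: str
    policy: str           # "require", "request", or "none" (no IPSec support)
    networks: frozenset   # segments the host is attached to

def negotiate(a, b):
    """Session outcome between two hosts under the require/request rules."""
    if a.policy != "none" and b.policy != "none":
        return "encrypted"   # both sides support IPSec: secure channel
    if "require" in (a.policy, b.policy):
        return "denied"      # required encryption cannot occur
    return "cleartext"       # a request falls back to an unencrypted session

def audit(hosts):
    """Evaluate every host pair that shares a segment.

    The policy belongs to the machine, not the adapter, so a multihomed
    server applies the same policy on every segment it touches.
    """
    findings = []
    for a, b in combinations(hosts, 2):
        for net in sorted(a.networks & b.networks):
            findings.append((net, a.name, b.name, negotiate(a, b)))
    return findings

def unprotected(findings):
    """Pairs that are refused or that silently run without encryption."""
    return [f for f in findings if f[3] != "encrypted"]

# Constructed inventory: file1 is multihomed but set to "require",
# which is the misconfiguration the article warns about.
INVENTORY = [
    Host("db1", "require", frozenset({"server"})),
    Host("file1", "require", frozenset({"server", "main"})),
    Host("mail1", "request", frozenset({"server", "main"})),
    Host("ws1", "request", frozenset({"main"})),
    Host("legacy1", "none", frozenset({"main"})),
]

if __name__ == "__main__":
    for net, a, b, outcome in unprotected(audit(INVENTORY)):
        print(f"{net:7} {a:8} {b:8} {outcome}")
```

The cleartext rows show the cost of the request option: sessions with machines that lack IPSec succeed, but nothing on them is encrypted.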

Of course, IPSec isn't the only type of encryption available for your network traffic. You must also consider how you'll secure traffic that flows through your perimeter and traffic that flows across your wireless networks.

Wireless encryption tends to be a touchy subject because wireless networking devices are still evolving. Many administrators view wireless networks as inherently insecure since network packets are flying through the air and anyone with a laptop and a wireless NIC can intercept them.

Although there are certainly risks associated with wireless networks, in some ways, wireless networks are more secure than wired networks. The reason is that the primary mechanism for encrypting wireless traffic is WEP encryption. WEP encryption ranges in strength from 40-bit on up to 152-bit or even higher. The actual strength depends on the lowest common denominator. For example, if your access point supports 128-bit WEP encryption, but one of your wireless clients supports only 64-bit WEP encryption, you'll be limited to using 64-bit encryption. These days, however, just about all wireless devices support at least 128-bit WEP encryption.

What many administrators fail to realise is that although wireless networks use WEP encryption, WEP isn't the only encryption type they can use. WEP encryption simply encrypts whatever traffic is flowing across the network, regardless of the type of traffic. Therefore, if you are already encrypting data with IPSec, as you should be, then WEP will simply provide a second level of encryption to the already encrypted data.
