Technically Secure
Juniper Employee
‎09-23-2008 03:21 PM

As a long-distance runner, I found completing a marathon a formidable task. Assigning a time target for the 26.2 mile race seemed almost impossible. The strategy that has worked for me is to break the race into 5 parts of 5 miles each (the last one being 6.2 miles) and assign time targets that collectively get me to my overall goal. A similar approach can work for securing the network – divide and conquer.


In security parlance this is referred to as layered defense, where each part is a layer targeting specific threats. The first and most important layer is the network edge protection – deployed at the perimeter or in a data center.


I believe the essential technologies that form the network edge and protect your networks include firewall (FW), VPN, DoS protection and protocol/content validation.


  • Firewall – Flexible access control all the way from Layer 2 (data link layer) to Layer 7 (application layer) is very important. Access control based on users and roles rather than IP addresses is becoming more relevant these days with the huge number of mobility options out there. On this front, integration with a Network Access Control (NAC) framework is necessary, and the good news is there is a standardization effort in this space. You can read more about this in my colleague Steve Hanna’s blog: Got the NAC
  • Virtual Private Networks (VPN) – The perimeter security solution should provide options for secure tunneling of data (VPN) between sites and for telecommuting clients connecting from the Internet.
  • Denial of Service (DoS) Protection – DoS and DDoS (Distributed Denial of Service) attacks continue to be a vector against publicly hosted services, with botnets as the most common source. You need a solution that can signal into the cloud to filter the attack traffic at the ISP network edge or earlier, thereby freeing the final hop for the clean traffic. Check out the additional standardization effort at Dissemination of flow specification rules
  • Protocol/Content validation – The capability to inspect application data for protocol anomalies and attacks is necessary, as software vulnerabilities are constantly popping up and it is difficult to keep all systems patched and up to date. The solution must be dynamically updated with the latest protection pack without requiring any downtime in order to keep your network secure.
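
To make the "signal into the cloud" idea in the DoS bullet concrete, here is an added example (not from the original post and not Juniper code) that encodes a flow specification rule in the wire format of RFC 5575, Dissemination of Flow Specification Rules; it assumes IPv4 and uses only the destination prefix, IP protocol and destination port components, which is enough to describe "drop UDP/53 aimed at this host" for an upstream to apply.

```python
# Added example: encode a BGP flow specification NLRI as laid out in RFC 5575
# section 4. The edge advertises such a rule to its ISP, which then discards
# matching attack traffic before it reaches the customer's final hop.
import ipaddress
import struct

# Component types (RFC 5575 section 4) and numeric operator bits (section 4.2).
DEST_PREFIX, IP_PROTO, DEST_PORT = 1, 3, 5
OP_END, OP_LEN2, OP_EQ = 0x80, 0x10, 0x01   # end-of-list, 2-byte value, "=="


def _prefix_component(ctype, prefix):
    """Type 1/2: prefix length in bits followed by the minimal prefix bytes."""
    net = ipaddress.IPv4Network(prefix)                 # assumption: IPv4 only
    nbytes = (net.prefixlen + 7) // 8
    return bytes([ctype, net.prefixlen]) + net.network_address.packed[:nbytes]


def _numeric_component(ctype, values):
    """Types 3..12: (operator, value) pairs; values listed here are OR-ed."""
    out = bytearray([ctype])
    for i, value in enumerate(values):
        op = OP_EQ | (OP_END if i == len(values) - 1 else 0)
        if value > 0xFF:                                # ports above 255
            out += bytes([op | OP_LEN2]) + struct.pack("!H", value)
        else:
            out += bytes([op, value])
    return bytes(out)


def encode_flowspec(dst_prefix, ip_proto, dst_ports):
    """NLRI bytes for: dst in prefix AND protocol == ip_proto AND port in ports.

    Components must appear in ascending type order; the length prefix is one
    byte below 240 and two bytes (0xFnnn) otherwise, per RFC 5575 section 4.
    """
    body = (_prefix_component(DEST_PREFIX, dst_prefix)
            + _numeric_component(IP_PROTO, [ip_proto])
            + _numeric_component(DEST_PORT, dst_ports))
    if len(body) >= 240:
        return struct.pack("!H", 0xF000 | len(body)) + body
    return bytes([len(body)]) + body


if __name__ == "__main__":
    # Constructed sample: a UDP/53 flood at 192.0.2.1 (documentation address).
    print(encode_flowspec("192.0.2.1/32", 17, [53]).hex())
```

The action (discard or rate-limit) travels separately as an extended community on the same BGP update, so the NLRI above only identifies the traffic.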


Let me know if you have any additional thoughts and/or questions about securing the network edge!