Network security refers to all measures undertaken to ensure proper authentication, authorization, integrity, confidentiality or privacy, and availability of shared resources in a network. Servers, being the devices that share an enormous amount of data, are prone to attacks. This calls not only for common ways of enhancing security but also for creative and innovative ways to stay ahead of criminals and prevent possible attacks. This paper provides advanced mechanisms for ensuring data security as data flows from the end users to the servers and vice versa. It also delves into how various applications, devices, and protocols have been improved to provide additional security features at various levels. Using the defense in depth approach, the model provides strategies that can be applied at every level so that a security threat at one level can be mitigated at another level. Figure 1 below shows how various security measures are implemented at various levels.
Figure 1: Network diagram showing various security measures in Defense in Depth approach.
Designed by use of Edraw Max software.
The structure presented above has seven levels, explained below:
1. Hosts and Application Security
The most important security measure at this point is user authentication. It is done to verify the source of the information being channeled to the server. It is imperative to always authenticate the users of network resources so that a sense of responsibility is created in case data security is breached. Usually, these operations use unique IDs and passwords, which are combined to identify the users of the resources. However, just talking about these authentication mechanisms is not enough. The model also takes into consideration password lengths and complexities to ensure a strict account policy.
These passwords and other unique identifiers are always changed to reduce the chances of passwords being compromised. In the scenario presented in the diagram above, if an employee who usually uses node 4 decides to get to the server using the user name of the person who usually uses node 3, tracking resource usage by specific users becomes a hard task. Without authentication, users can also decide to tamper with resources knowing that they can't be traced. Looking at this, it is clear that user authentication and identification is a way of ensuring server security. Adequate application security plans, such as using advanced anti-virus software and properly setting up firewall filters, are put in place during server installation. This ensures that applications can be prevented from getting directly to the server, depending on the risk they pose to it.
2. Data encryption.
Data encryption is always done at the presentation layer in the OSI model. At the destination node, which in this case is the server, a decryption algorithm is used to unscramble the packet contents. This ensures that the information shared between specific nodes can only be seen by the correct server which has a decrypting code. The algorithm used is very sophisticated. More complex algorithms make access to data harder.
3. Maintaining sessions and use of Secure Socket Layers (SSL)
When a node sends a message to the server requesting that a connection be established, the server must undertake a series of measures to provide a secure, authenticated connection with the node for the entire period of communication. Some details will be required from the node and from the application or software that the user is currently using. The question here is how to ensure that the perceived user is still the one accessing the server, and how to ensure that some files cannot be accessed directly through a link that bypasses the authentication home page, for instance in web systems. These fears can be quashed by use of Secure Socket Layers (SSL).
The SSL technology can provide further forms of security enforcement in a network. SSL is one of the most effective security tools, especially when dealing with payment information on the Internet. Authentication can be done both on the client side and on the server side. On the server side, authentication can be done by the Certificate Authority (CA) by use of public key cryptography. The SSL Handshake Protocol provides a platform by which an authenticated client and server can communicate.
4. Securing data and information in transit
An IP address is used to locate a system on the internet. An intruder will need only an IP address and a port number to intercept communication. A computer system has 65535 ports (Anagha, 2013). Ports can be classified into three categories, namely: Known, registered and dynamic. This is where transport level security is applied. TCP and UDP ports are commonly used. FTP uses TCP port 21. It is recommended that network administrators always change the default port number and divulge the new port number to authorized users only (Anagha, 2013). Using private ports in place of common ports will confuse and prevent potential intruders. Trojans usually target specific TCP and UDP ports. A port that is infected by this virus will require antivirus software. A secure form of TCP can also be used to improve port security.
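As an added example (not from the original paper), the check below audits a server's listening TCP ports against an approved list and labels each with the port category discussed above. The `ss -tln` output is a constructed sample, and the allowlist and function names are assumptions.

```python
# Constructed sample of `ss -tln` output (not captured from a real host).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       32            0.0.0.0:21          0.0.0.0:*
LISTEN  0       128           0.0.0.0:2121        0.0.0.0:*
LISTEN  0       128         127.0.0.1:5432        0.0.0.0:*
LISTEN  0       128              [::]:50022          [::]:*
"""

APPROVED = {2121, 5432}  # hypothetical allowlist: relocated FTP and a local database

def port_category(port):
    """Classify a port number using the IANA ranges."""
    if not 0 <= port <= 65535:
        raise ValueError("port out of range: %d" % port)
    if port <= 1023:
        return "well-known"
    if port <= 49151:
        return "registered"
    return "dynamic"

def parse_listeners(ss_output):
    """Return (address, port) for every LISTEN line, skipping the header."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # rpartition copes with IPv6 colons
        listeners.append((addr.strip("[]"), int(port)))
    return listeners

def audit_listeners(ss_output, approved):
    """Report listening ports that are not on the approved list."""
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port in approved:
            continue
        loopback = addr.startswith("127.") or addr == "::1"
        findings.append({"port": port, "address": addr,
                         "category": port_category(port),
                         "reachable_from_network": not loopback})
    return findings

if __name__ == "__main__":
    for finding in audit_listeners(SAMPLE_SS, APPROVED):
        print(finding)
```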
5. Proper and secure mechanisms for providing IP addresses and routing
Every node has a unique number (IP address) which is used to identify it in a network. The router uses this IP address to identify the destination of the data packets. This also helps to find the most effective path to the destination. Data packets will simply be lost without any trace of their position if the IP address is missing. IP addresses also make it quite easy to manage networks and are an integral part of this process. The security issue here arises from the assignment of these addresses and how securely they can be maintained. Dynamic Host Configuration Protocol (DHCP) is always used to assign IP addresses.
DHCP is commonly used due to its ease of use, minimal chances of human error and flexibility. However, it is easy for any user to hack into DHCP. When this happens, they falsely get an IP address and participate in communications. To solve this problem, static IP addresses can be used instead of DHCP.
6. Data Security As It Crosses Various Networks (Switching)
At this level, a switch plays a major role in determining which network a data frame is destined for. This is because every device in the network has a MAC address which tells which segment of a network it operates in. By using the MAC address attached to the frames, a switch is able to forward them to the right network segment. In our model above, Switch 1 checks whether packets are destined for the home network or network C. This means that if you are not aware of the exact MAC address of a network, there is no way through which you can connect to this network. Protecting ports in a switch from unnecessary plugging is one of the main security strategies at this level.
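The static addressing in level 5 and the MAC-based forwarding in level 6 can be checked together. This added example (not from the original paper) compares a host's neighbour table with a static IP-to-MAC plan; the `ip neigh` output, the addresses and the plan are constructed, and the function names are assumptions.

```python
# Constructed `ip neigh` output; 192.0.2.0/24 is a documentation range.
SAMPLE_NEIGH = """\
192.0.2.13 dev eth0 lladdr 52:54:00:00:00:13 REACHABLE
192.0.2.14 dev eth0 lladdr 52:54:00:00:00:99 STALE
192.0.2.50 dev eth0 lladdr 52:54:00:00:00:50 REACHABLE
192.0.2.51 dev eth0 lladdr 52:54:00:00:00:50 REACHABLE
192.0.2.77 dev eth0 FAILED
"""

# Hypothetical static plan: the MAC address each assigned IP is expected to use.
STATIC_PLAN = {
    "192.0.2.13": "52:54:00:00:00:13",
    "192.0.2.14": "52:54:00:00:00:14",
}

def parse_neighbours(text):
    """Return (ip, mac) pairs; entries with no resolved MAC are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split()
        if "lladdr" not in fields:
            continue
        mac = fields[fields.index("lladdr") + 1].lower()
        entries.append((fields[0], mac))
    return entries

def check_assignments(text, plan):
    """Flag addresses outside the plan, MAC mismatches and one MAC on several IPs."""
    findings = []
    first_ip_for_mac = {}
    for ip, mac in parse_neighbours(text):
        expected = plan.get(ip)
        if expected is None:
            findings.append((ip, mac, "address not in static plan"))
        elif expected.lower() != mac:
            findings.append((ip, mac, "MAC differs from static plan"))
        earlier = first_ip_for_mac.setdefault(mac, ip)
        if earlier != ip:
            findings.append((ip, mac, "MAC also seen on " + earlier))
    return findings

if __name__ == "__main__":
    for finding in check_assignments(SAMPLE_NEIGH, STATIC_PLAN):
        print(finding)
```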
7. Physical Protection of Servers and Other Devices.
Many times, the ostensibly trivial yet key aspects of security in our systems are taken for granted. These are the physical protection mechanisms, from securing the transmission channels to protecting the data centers from unauthorized persons. Beginning with data transit through the physical layer, there is a need to ensure that the cables used are not susceptible to spoofing by man-in-the-middle attacks. Some of the information transmitted over these channels can be identified by studying the electromagnetic radiation from the cable. This exposes the data to spoofing. An additional security measure here is to use a thick cable which is not prone to electromagnetic radiation.
The other aspect of physical security is preventing unauthorized access to data centers. These are places where servers are stored. Access to these machines is left to authorized personnel only. A security breach will occur here if an employee entrusted with using the servers gives permission to other employees who are not authorized. Some employees may also simply decide to cause a lot of destruction. This is minimized by employing security guards specifically for server rooms who can be held responsible for any harm to the servers.
Lastly, another threat to servers is natural disasters. These may include earthquakes, landslides, hurricanes, tornadoes, volcanic eruptions, etc. Because no one knows when and where these natural calamities may strike, it is important to have other servers at a remote place offering the same services as the primary ones. This will act as a backup plan.
In conclusion, it is clear that no single security measure can in itself eradicate all security threats. It is through the combination of all possible measures that threats can be quashed. Relying only on the available technologies is not enough to protect servers. It calls for additional ingenious mechanisms from server administrators to improve server security, measures that can fill the gap as presented in this paper. By following good security practices, risks can be reduced, isolated or even brought to an acceptable level.