[Figure 2.2: Conceptual drawing of defense-in-depth. Layers shown, outermost to innermost: Physical, Network, Operating System, Applications and Databases, Information.]
but also blocks the traffic from entering a network, thereby protecting it. Several firewalls today
come equipped with IPS capabilities. These were some controls for the perimeter.
We have deployed technologies to protect against malicious traffic from the Internet, but how
does the organization protect a sensitive internal network zone from the rest of the internal network,
which does not need to have access to the sensitive network zone? Additional controls like
network segmentation using devices like firewalls or Layer 3* switches with virtual LANs may be
implemented to segment the network into different zones. The sensitive network zone may be in one
zone, another zone could be the servers of the organization, and the other segment may be the rest
of the organization's network, which does not have access to the sensitive network zone.
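The three-zone layout described above can be checked against the inter-VLAN access list before it is deployed. The following is an added example, not from the book: the zone address ranges, VLAN numbers, and ACL entries are constructed assumptions; the evaluator models a first-match ACL with an implicit deny, as applied on a firewall or Layer 3 switch between VLANs, and verifies that the general user segment cannot reach the sensitive zone.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed zone layout matching the three segments in the text
# (addresses and VLAN numbers are assumptions, not from the book).
ZONES = {
    "sensitive": ipaddress.ip_network("10.10.0.0/24"),  # VLAN 10
    "servers":   ipaddress.ip_network("10.20.0.0/24"),  # VLAN 20
    "users":     ipaddress.ip_network("10.30.0.0/22"),  # VLAN 30, rest of the org
}

@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]   # None matches any port
    action: str               # "permit" or "deny"

# First-match ACL between VLANs; anything unmatched hits the implicit deny.
ACL = [
    Rule("servers", "sensitive", 1433, "permit"),  # app servers reach the sensitive DB
    Rule("users", "servers", 443, "permit"),       # users reach internal web apps
    Rule("sensitive", "servers", None, "deny"),    # sensitive zone does not initiate outbound
]

def zone_of(ip: str) -> Optional[str]:
    """Map an address to its zone, or None if it is outside all known ranges."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None

def evaluate(src_ip: str, dst_ip: str, dst_port: int) -> str:
    """Return 'permit' or 'deny' for a flow; unknown zones and no match deny."""
    src, dst = zone_of(src_ip), zone_of(dst_ip)
    if src is None or dst is None:
        return "deny"           # address space outside the plan is never trusted
    if src == dst:
        return "permit"         # intra-VLAN traffic is switched, not filtered here
    for rule in ACL:
        if (rule.src_zone == src and rule.dst_zone == dst
                and rule.dst_port in (None, dst_port)):
            return rule.action
    return "deny"               # implicit deny at the end of the ACL

def segmentation_holds() -> bool:
    """The property the text asks for: users cannot reach the sensitive zone."""
    return all(evaluate("10.30.1.5", "10.10.0.10", p) == "deny"
               for p in (22, 80, 443, 1433, 3389))
```

Adding a broad permit for the users zone (for example to the servers zone on any port) is caught by re-running `segmentation_holds()` only if the rule also touches the sensitive zone, so keep the property checks aligned with the zones that matter most.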
2.2.3.2 Host Security
The users of the organization use the Internet for their work. They use emails, and some mobile
users also use laptops for their work. How do we protect against that? Content filtering for users
having access to the Internet may be one of the solutions. Equipping all desktops and laptops with
antivirus and antispyware software is another solution. This protects against viruses and worms
that propagate through the Internet and emails. But will an antivirus solution that is not updated
be of any use? Processes must be in place to update the antivirus, antispyware, and malware signatures
on a daily basis. All the desktops and laptops in the organization must be scanned for viruses
and other malware regularly, and action must be taken in case of a virus outbreak.
* A Layer 3 switch is a high-performance device for network routing. It is different from an ordinary network
switch (Layer 2 switch) in that it works on the third layer of the OSI Model, which is the network layer. This
provides the Layer 3 switch all the functionality of the router, including some packet filtering and network segmentation
capability.
Virtual LANs have been designed to provide segmentation services generally provided by routers in a LAN
environment. Multiple subnets and networks may be configured on the routers or the Layer 3 switch to provide
network segmentation as if it were on physically separate LANs.