Security Laboratory

Sec Lab: Network Security Essentials by Dr. Eric Cole

This series of essays provides a comprehensive look at computer networks.

Types of Networks


Eric Cole

A key tenet of network security is "know thy system". You cannot secure something if you do not understand how it works. To be proficient in network security, you have to understand the different types of networks, since each network type poses different challenges, issues and risks.

Local Area Network
A Local Area Network (LAN) is a relatively small network that is confined to a small geographic area, such as a single office or a building. Laptops, desktops, servers, printers, and other networked devices that make up a LAN are located relatively close to each other. A key characteristic is that all of the equipment that makes up a LAN is owned by a single entity. [1]

From a security context, LANs are the point at which trusted users typically access your network and server resources. Often, enterprises extend too much trust to users in LANs who have otherwise unrestricted access to information resources. Consider the plight of an organization that fires an employee, but permits the employee to return to their computer under the guise of removing personal data. With unrestricted access to network resources, the disgruntled employee has the ability to delete or tamper with information that is critical to the organization. Even happy, trustworthy employees can be a critical threat to information security. An employee who is tricked into installing malicious software or accidentally introduces a computer virus or worm to an organization can cause immeasurable damage if he is granted access to critical systems.

Threat Posed to a Local Area Network
For example, an employee of a large corporation logged into their computer and set off a logic bomb that deleted all the programs that ran the company's engineering operations. The logic bomb had been planted by a former system administrator, a disgruntled employee who had been fired from the company shortly before implementing his attack. The result: the company lost $12 million in revenue and had to lay off 80 employees. [2]

It is easy to identify employees as the potential inside threat, with all others in the external threat category. The problem with this classification method is that LAN users are not always employees. Contractors, business partners, vendors, and students are all examples of people who might use a company LAN but are not trusted with limitless access to information resources. It is important to consider all access to LAN resources - not just traditional users - when evaluating the internal threat to an organization.
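An added example (not part of the original essay) of the kind of review this section calls for: it checks LAN login records against an account roster and flags logins after termination, non-employee accounts on critical hosts, and accounts that are not on the roster at all. The roster fields, host names, account names and log format are assumptions made for the example, and all data is constructed.

```python
from datetime import datetime

# Constructed roster of LAN accounts (hypothetical names and fields).
ROSTER = {
    "asmith":  {"kind": "employee",   "terminated": None},
    "bjones":  {"kind": "employee",   "terminated": datetime(2024, 3, 1, 17, 0)},
    "c-acme":  {"kind": "contractor", "terminated": None},
    "v-print": {"kind": "vendor",     "terminated": None},
}

# Hosts treated as critical for this example (assumption).
CRITICAL_HOSTS = {"eng-build01", "hr-db01"}

# Constructed log lines: "<ISO timestamp> <user> <host> <result>"
SAMPLE_LOG = """\
2024-03-01T09:12:44 asmith eng-build01 success
2024-03-01T18:05:10 bjones eng-build01 success
2024-03-02T08:30:00 c-acme hr-db01 success
2024-03-02T08:31:12 v-print print01 success
2024-03-02T09:00:00 ghost eng-build01 failure
"""

def review_lan_access(log_text, roster=ROSTER, critical=CRITICAL_HOSTS):
    """Return (timestamp, user, host, reason) findings for the LAN log."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts_raw, user, host, result = parts
        ts = datetime.fromisoformat(ts_raw)
        account = roster.get(user)
        if account is None:
            # Reported even on failure: the account is not on the roster.
            findings.append((ts_raw, user, host, "unknown-account"))
            continue
        if result != "success":
            continue
        if account["terminated"] and ts >= account["terminated"]:
            findings.append((ts_raw, user, host, "login-after-termination"))
        elif account["kind"] != "employee" and host in critical:
            findings.append((ts_raw, user, host, "non-employee-on-critical-host"))
    return findings

if __name__ == "__main__":
    for finding in review_lan_access(SAMPLE_LOG):
        print(*finding)
```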

Metropolitan Area Network
The term Metropolitan Area Network (MAN) is typically used to describe a network that spans a citywide area or a town. MANs are larger than traditional LANs and predominantly use high-speed media, such as fiber optic cable, for their backbones. MANs are common in organizations that need to connect several smaller facilities together for information sharing. This is often the case for hospitals that need to connect treatment facilities, outpatient facilities, doctor's offices, labs, and research offices for access to centralized patient and treatment information. MANs share many of the same security threats as LANs, but on a larger scale. The plight of an administrator in a central location granting access to countless offices that are scattered within a city is a difficult one that demands strict access control mechanisms to protect against unauthorized information access.

One example is the Healthlink Miami Valley project in Montgomery Valley, Ohio (U.S.A.). Tasked with building a community-wide information network to deliver universal care to uninsured and marginally insured patients, the Healthlink team developed a MAN that connects partner hospitals, clinics, and doctors' offices so they can provide coordinated care to patients through a centralized information system, while remaining in compliance with federal regulations regarding confidentiality of patient information. [3]

Wide Area Network
A Wide Area Network (WAN) covers a significantly larger geographic area than LANs or MANs. A WAN uses public networks, telephone lines, and leased lines to tie together smaller networks such as LANs and MANs over a geographically dispersed area. Because they connect devices in different geographic areas for information sharing, WANs are an important piece of enterprise networks. For example, consider the VisaNet global network used by Visa International. The VisaNet network connects locations throughout 150 countries to validate and debit credit-card transactions at over 24 million locations. By providing security and simplicity over a standards-based WAN architecture, Visa International relies on its network infrastructure to provide reliable access to merchants who accept Visa credit cards for transactions. [4]

The Internet
The Internet is an example of a network that connects many WANs, MANs, and LANs into the world's largest global network. Internet Service Providers (ISPs), such as UUNet and Qwest, connect the networks. These providers are responsible for maintaining the integrity of the Internet while providing connectivity between WANs, MANs, and LANs throughout the world. ISPs provide customers with access to the Internet through the use of points-of-presence (POP), also called network access points (NAP), in cities throughout the world. Customers are provisioned access to POPs from their own WANs, MANs, and LANs to provide Internet access to their users.

In addition to providing customer access to the Internet, ISPs also provide connectivity between each other at "peering points." Large peering points are called metropolitan area exchanges (MAE, pronounced "may"), where ISPs are able to exchange traffic originating in one ISP that is to be delivered to a different ISP. Three major peering points exist in the United States; they are MAE-East in Washington D.C., MAE-Central in Dallas, Texas, and MAE-West in San Jose, California. Qwest maintains a map that shows the connection of these peering points. [5]

Personal Area Network
A more recent term used to describe a type of network is a Personal Area Network (PAN). PAN networks are usually wireless, established in an on-demand or ad-hoc fashion when needed to communicate between two or more devices. PAN networks can be used between devices owned by two different parties, or between two devices owned by one person, such as a PDA and a laptop or mobile phone. These networks are usually characterized as short-range, often limited to 10 meters or less in range.

An example of a PAN technology is Bluetooth wireless networking. Bluetooth is designed as a cable-replacement technology, allowing users to discard the serial and USB cables used by many of today's peripheral devices and rely on a Bluetooth PAN for communication. Bluetooth PANs support up to 7 devices in a single network and can be used for proprietary protocols (such as PDA synchronization) or standards-based protocols, including Internet access over IP and the Bluetooth Network Encapsulation Protocol (BNEP).

Summary

It is critical to understand what type of network you are dealing with since each has its own unique set of challenges and risks that need to be dealt with. Too often organizations try to implement security when they do not understand the foundational items of the networks they are trying to secure.


References
[1] http://comm.ncifcrf.gov/networking/whatislan.html
[2] http://www.secretservice.gov/ntac_its.shtml
[3] http://www.med.wright.edu/healthlink/
[4] http://www.corporate.visa.com/mc/facts/corporate/visanet.shtml
[5] http://www.qwest.com/largebusiness/hosting/QwestCyberCenters/QwestIPNetwork050701.jpg