Chapter 11: Securing Your Network
Consider placing a web server intended for people outside the company
outside your firewall (in other words, between the firewall and the router that
connects you to the Internet; this area is called a demilitarized zone). This way,
even if crackers are able to break into the web server, they won't have an easy
time getting to the rest of your network.

Safely guard your e-mail traffic. E-mail is one of the most commonly used
means to get viruses or Trojan horse programs into a company. Make sure you
run virus-scanning software suitable for your e-mail server, and that the virus
signatures are updated at least daily.
DoS Threats
Denial-of-service (DoS) attacks deny legitimate users access to a network resource.
They are often targeted at e-mail servers and web servers, but they can affect an
entire network. DoS attacks usually take one of two forms: they either deny service by
flooding the network with useless traffic, or they take advantage of bugs in network
software that can be used to crash servers. DoS attacks against an e-mail server usually
flood the server with mail until it either denies service to legitimate users or
crashes under the load placed on it.
Here are a few ways to help prevent DoS attacks:

Make sure to keep your various network software current.

Use settings on your firewall to block Internet Control Message Protocol
(ICMP) traffic (the protocol that carries ping requests) from entering the network.

Deny access to servers from outside the LAN that do not need to be accessed
from outside the LAN. For example, the company's accounting system server
probably does not need to be accessed from outside the LAN. In such a case,
you would configure the firewall or packet-filtering router to deny all outside
traffic to or from that server's IP address.
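
The two firewall settings in the list above, written out as an added example (not from the original text) for a Linux packet-filtering router using iptables. The interface name eth0, the address 10.0.5.20, the ACCEPT policy and the function names are assumptions; the script only prints the ruleset. It is slightly narrower than a blanket ICMP block: ICMP error messages tied to tracked connections are still let in.

```sh
#!/bin/sh
# Added example: print an iptables-restore ruleset for a Linux router that
# forwards between the Internet and the LAN. Nothing is applied by this script.

# is_ipv4 ADDR: true only for a dotted quad with octets 0-255, so a typo
# cannot end up as a malformed or overly broad rule.
is_ipv4() {
    case "$1" in
        *[!0-9.]*|*..*|.*|*.) return 1 ;;
    esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ "$#" -eq 4 ] || return 1
    for octet in "$@"; do
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
    done
}

# emit_ruleset WAN_IF SERVER_IP: WAN_IF is the Internet-facing interface,
# SERVER_IP the internal server that must never talk to the outside.
emit_ruleset() {
    wan_if=$1; server_ip=$2
    case "$wan_if" in
        ''|*[!A-Za-z0-9._-]*) echo "bad interface: $wan_if" >&2; return 2 ;;
    esac
    is_ipv4 "$server_ip" || { echo "bad address: $server_ip" >&2; return 2; }
    cat <<EOF
*filter
# Policy ACCEPT is an assumption so that only the two blocks are shown.
:FORWARD ACCEPT [0:0]
# Internal-only server: drop everything crossing the WAN side, both ways.
-A FORWARD -i $wan_if -d $server_ip -j DROP
-A FORWARD -o $wan_if -s $server_ip -j DROP
# Narrower than a blanket ICMP block: keep ICMP errors that belong to
# tracked connections (path MTU discovery depends on them).
-A FORWARD -i $wan_if -p icmp -m conntrack --ctstate RELATED -j ACCEPT
# All other ICMP arriving from the Internet, ping requests included.
-A FORWARD -i $wan_if -p icmp -j DROP
COMMIT
EOF
}

# Constructed values: eth0 faces the Internet, 10.0.5.20 is the accounting server.
emit_ruleset eth0 10.0.5.20
```

The server rules come first so that no later rule can let that server's traffic through. Deleting the RELATED line gives the blanket ICMP block described in the list.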
DEFINE-IT! Demilitarized Zone
When you place computers between your firewall (on the other side of the
firewall from your network) and your connection to an external network, such
as the Internet, the area between those two devices is called the demilitarized zone,
or DMZ for short. Usually, an organization will place its public web server in the
DMZ, and that computer will not have any sort of confidential information on
it. This way, if the security of that computer is broken, the attacker hasn't gained
entry to the network itself.