Autor: Alexander Eichhorn

Networking Security

None of the publicly available networking technologies provides sufficient security measures for critical business operations or private use.

Security has in fact never been a primary design target in architecting the core Internet protocols (IP, TCP and UDP). If security is required, it is the responsibility of the end points to establish a secure connection end-to-end. This is reasonable because it leaves more flexibility, choice and room for innovation for the type of security properties a particular application needs. It also allows us to fix vulnerabilities faster (or at all), because you cannot just update the entire Internet when a new vulnerability becomes public.

Communication Security

There is up to four important things you may want to protect when communicating over a public networks like the Internet:

  • Confidentiality: which is the property of information to remain secret.
  • Integrity: which is the property of information to remain unaltered, or at least the ability to detect manipulation.
  • Authenticity: which is the ability to verify the original source of information.
  • Availability: which is the property of information or a service to be accessible within a reasonable time-frame.

All four properties are challenged in public networks because a third party can read, modify, inject and delete messages without the legit communication parties knowing about that fact. TLS to the rescue! Transport layer security can protect the first three properties above. It's more complex, however, to guarantee availability.

TLS transport encryption

Transport Layer Security (TLS) is the major protocol for establishing secure communication channels over the public Internet. (Sometimes people call it wrongly SSL, which is in fact the name of its insecure predecessor.) TLS is an end-to-end protocol that works on top of TCP. TLS securely negotiates encryption methods and keys, it encrypts, decrypts and verifies traffic on both sides and it optionally authenticates communication partners based on certificates and public-keys.

Almost every popular application protocol has a secure version that is based on TLS, such as HTTPS for securing web traffic, SMTPS and IMAPS for secure email delivery, FTPS for secure file transfer, etc. There is different TLS versions v1.0, v1.1, v1.2 and sometimes you still see the now deprecated and insecure SSLv3. Security is a fast moving field, so the higher the version of your security software the better. Apply security updates on a regular basis and take very old servers or very old client software out of service.

TLS uses certificates to establish trust in remote communication parties. TLS enabled servers present their certificate and a cryptographic proof of ownership to a client as the first thing when a new connection starts. Web browsers validate and display such information next to the URL. To be valid, a certificate needs to be signed by a commonly trusted 3rd party, which in this case is called certification authority (CA). Web browsers, mobile phones and every desktop operating system comes with a list of trusted CA's pre-loaded. You can add new CAs to this list, but this should not be necessary practically. Always be suspicious when a certificate check fails and ask for a second opinion when in doubt about how to proceed.

Network firewalls

A firewall is a network security device that monitors and controls all incoming and outgoing network traffic. Firewalls inspect network packets and determine based on pre-defined rules which packets are allowed to pass. In that sense they act as a gatekeeper in front of your network. They can block undesired and malicious traffic from entering your organisation's internal network and they can prevent internal data from leaking outside. A firewall can improve availability by early discarding packet floods (denial of service attacks, DoS) before they hit your servers. To be effective the firewall must control every possible network path between your internal network and the outside. They are useless if you allow employees to bring their own devices to work or if you use mobile (LTE) connections in combination with your wired and firewalled infrastructure.

Mobile security

Working remotely means your equipment is outside the premises of your organisation and also outside the perimeter of your corporate firewall. You are much more vulnerable to attack and even your own corporate firewall sees you as a regular outsider and won't grant you access to internal services.

Now there is two types of software you can use to improve the level of security for mobile remote workers: personal firewalls and virtual private networks.

Personal firewalls

A personal firewall is a special firewall software that protects personal laptop or desktop computers. The firewall learns which applications you regularly use and whom they talk to on the Internet, but the important thing is that it warns you when an unknown application wants to send data to the outside and even when trusted applications want to send data to unkown destinations. Personal firewalls are a very poweful way to protect your mobile computer, but they require some knowlegde about DNS names, IP addresses, TCP/UDP ports and the way your applications interact with the network.

Virtual private networks

A virtual private network (VPN) is an encrypted overlay network that connects a single computer or an entire LAN with a remote private LAN across the Internet. Thanks to encryption the internal network traffic is not publicly exposed. Technically a VPN uses a so called tunnel that carries link-layer packets over the Internet. This effectively creates the illusion of an extended local network making all internal services remotely available. The only observable difference may be an increased latency and limited throughput when using them from remote.

Related Articles: