2.7 Network Security

The first step most companies take for their physical security is simple: locked doors to keep out potential intruders. Network security plays a similar role in computer security, by keeping unauthorized personnel away from your sensitive data. Network security also needs to address the times when data must be transmitted outside of your company's secure network, and it should address the possibility of your network's outer security being compromised. I'll discuss two kinds of network security in this book: boundary security, which protects your network from outside attack and intrusion, and data encryption, which protects data that travels outside your network and also provides data protection within your secure network.

2.7.1 Boundary Security

Network security, like physical security, starts with strong walls. Typically, those walls are provided by firewalls, which prevent unauthorized data from traveling to and from your network. Windows Server 2003 doesn't provide the functionality required of a firewall, although it does provide an excellent platform for firewall products, such as Microsoft's Internet Security and Acceleration Server.

There are a wide variety of firewall products on the market, including some that are built into or run on various Microsoft operating systems. Other firewalls are implemented as standalone devices. All networks should have one or more firewalls, period. Exactly which firewall product you should use, where you should place it, and how you should configure it, is beyond the scope of this book. However, you'll find dedicated books available for most major firewall products that can help you make those decisions.

Windows Server 2003 does provide one feature that firewalls can take advantage of: port blocking. Port blocking allows Windows Server 2003 to accept or reject specific types of data sent to or from specific IP addresses or ports. Firewalls use this capability to prevent unauthorized data from entering or leaving your network. Firewalls usually expand on this capability by analyzing data and allowing only authorized users to send or receive data outside your network. You can read more about Windows Server 2003's basic port blocking capabilities in Chapter 14.

Another feature provided by Windows Server 2003 that can effectively block some communications is IP Security (IPSec). IPSec is normally used to secure or digitally sign TCP/IP traffic. However, it can very effectively block network traffic as well. IPSec is covered in depth in Chapter 8.
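As an added example (not from the book), here is how an IPSec policy can be used purely as a blocking filter on Windows Server 2003, using the netsh ipsec static context that ships with the operating system. The policy, filter list, and filter action names are constructed for this illustration, and the rule blocks inbound Telnet (TCP port 23) to the local computer from any source; replace the port with whichever service you need to shut off.

```batch
@echo off
rem Added example: block inbound TCP/23 with an IPSec "block" filter action.
rem Names such as "Block Telnet" are constructed for this illustration.

rem 1. Create an (unassigned) IPSec policy to hold the blocking rule.
netsh ipsec static add policy name="Block Telnet" description="Drop inbound Telnet to this host"

rem 2. Create a filter list and one mirrored filter: any source -> this computer, TCP dst port 23.
rem    mirrored=yes also matches the reverse direction, so replies from port 23 are covered too.
netsh ipsec static add filterlist name="Inbound Telnet" description="TCP 23 to local host"
netsh ipsec static add filter filterlist="Inbound Telnet" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=23 mirrored=yes

rem 3. A filter action of "block" drops matching traffic instead of negotiating security for it.
netsh ipsec static add filteraction name="Drop" action=block

rem 4. Tie policy, filter list, and filter action together in a rule.
netsh ipsec static add rule name="Drop Telnet" policy="Block Telnet" filterlist="Inbound Telnet" filteraction="Drop"

rem 5. Nothing takes effect until the policy is assigned; only one IPSec policy can be assigned at a time.
netsh ipsec static set policy name="Block Telnet" assign=y

rem 6. Verify what is now in force.
netsh ipsec static show policy name="Block Telnet" level=verbose
```

Because only one local IPSec policy can be assigned at a time, add further filter lists and rules to this same policy rather than creating a second one; in a domain, a Group Policy-assigned IPSec policy overrides the local assignment.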

Windows Server 2003 has a firewall feature, called the Internet Connection Firewall (ICF), that's designed to provide basic protection for computers on the Internet. You may be familiar with ICF from Windows XP Professional and Windows XP Home. However, don't mistake ICF for a dedicated firewall product. ICF doesn't contain the broad features, scalability, or functionality of a dedicated firewall solution, and you shouldn't rely on ICF alone to protect a corporate network from Internet-based attacks. Because I don't consider ICF an appropriate solution for network administrators, I won't cover it in detail. If you'd like to learn more about ICF for use on a home network, check out the Windows Help and Support Center.

It is worth noting that many of today's attacks come from inside the network. Certainly a huge number of attackers are trying to gain access to your network through your firewalls, web servers, and so forth. But an increasing number of attacks are coming from trusted users, vendors, and guests who already have direct access to your network. In these cases, boundary security that consists of a single boundary between your network and the Internet is useless. Only layered security will help mitigate these attacks. Layering security is discussed throughout this book.

2.7.2 Data Encryption

When data must leave your network, it should be protected from electronic eavesdropping. Data encryption can provide that protection. Windows Server 2003 supports IP Security, or IPSec, which includes built-in data encryption capabilities. Windows Server 2003 also supports the use of Virtual Private Networks, which provide an easy means for encrypting data transmitted between two points. You'll learn about IPSec in Chapter 8, and Virtual Private Networks are covered in Chapter 14. IPSec is most useful within your network, while Virtual Private Networks are designed for data traveling between networks over the Internet. IPSec, in fact, provides the encryption technology for one type of Virtual Private Network, as you'll learn in Chapter 14.

Even if your network has powerful firewalls to keep intruders out, you must plan for the possibility that those firewalls will fail or that an intruder will find a way around them. The example of the Trojan horse from classical mythology teaches us that intruders can sneak inside your perimeter, and if you don't provide security at an internal layer, your enterprise (or Troy) will be compromised. By routinely encrypting sensitive data on your network and taking the other important security measures I'll discuss throughout this book, you'll protect your network even if intruders manage to break through your "outer walls." Data encryption is also useful for those who need to access sensitive corporate data from across the public Internet.