Many organisations segregate network traffic depending on business rules and hence different levels of access. Network traffic can be categorised in two forms namely external and internal traffic. External or non-trusted traffic is all traffic activity that originates from outside your network. Internal traffic is what happens inside your network boundary. Perimeter firewalls segregate and control these two types of traffic. This protects your network from online hackers who target your systems to access your information. Internal traffic can be further subdivided into various categories. For instance servers hosting services such as web or email accessible from the internet are located in a demilitarised zone normally abbreviated to DMZ. Your internal servers running databases and storing user documents are located in dedicated segments away from end user networks or subnets connected to wireless access points setup to give temporary guest access. Firewalls also serve as a means of controlling this internal traffic through access policies with organisational access requirements.

Think of firewalls as systems which control which door is left open or closed. On their own, firewalls do not control what passes through that door once it is open. An intrusion prevention system works in conjunction with a firewall so that it validates whether traffic is legitimate or malicious.  Intrusion detection appliances make use of highly specialised hardware to ensure the right protection during packet inspection without impacting network performance with unnecessary latency. These appliances are more commonly referred to as network-based IPS (NIPS).  Other types of IPS exist; host based IPS (HIPS) whereby the intrusion prevention application runs on server or client hosts.

It is very common for organisations to interconnect different branches and to give access to internal resources and information to remote users.  This is done using what are known as virtual private networks, abbreviated to VPNs.  These are networks that allow remote locations to connect using insecure communications mediums such as the Internet.  Apart from connectivity, VPNs must allow for confidentiality of data during transport to ensure that data cannot be read if captured during transit, integrity to ensure that information is not changed while being transmitted and also authentication to ensure remote parties communicate with who they intend to.  Remote branches use the Internet Protocol Security (IPsec) protocol for VPN connectivity.  Connecting remote users to your network can be done in various ways.  One method is to install what is known as a VPN client on the user’s host.  These clients are usually configured with IPsec combined with server certificates to give the required network connectivity.  Another method that is becoming increasingly popular is using Secure Sockets Layer (SSL) VPNs.  This method is especially useful when specialised client software cannot be installed and hence access to internal information is provided using applications that are commonly found on the end-users’ system, such as the web browser.  Today, it is becoming increasingly popular to ensure that before remote clients are given access to an internal resource, the client is first checked to ensure that it is free from any malware content.  Failure to comply with a number of predefined security measures, such as latest updates for malware protection software, operating system updates or personal firewall activation, would deny any access unless these measures are adhered to.

SIEM deployments are driven by two main requirements – the need for added security monitoring capabilities plus address regulatory compliance issues.  SIEM solutions collect logs from network and server systems to provide log archiving and reporting, plus real-time analysis and correlation of collected data.  This allows for visibility of activity within the whole IT infrastructure, originating from both internal and external network access.

Access to any IT system, whether a server operating system, network appliance or firewall, is controlled by privileged accounts.  These accounts are traditionally managed using strong passwords and manual activation and deactivation.  Shared Account Password Managements (SAPM) solutions address the security limitations and threats posed by such methods by allowing IT administrators to automate privileged account policies and apply these to their IT systems.  These policies allow for strong passwords to be regularly changed and stored in secure password vaults, provide unique identities to each individual administrator, centralise and limit host access based on the strict requirement access levels, plus provide measures of identifying who used privileged accounts.

The use of multifactor authentication is widely used especially in highly sensitive environments – it adds an extra level of security by not limiting this to a simple username and password combination.  An undetected keylogger installed on the remote host would record the authentication credentials of the remote user and hence enabling the opportunity for unauthorised access.  Multifactor authentication methods include the use of USB or soft tokens, authentication tokens that display a new code either on demand or every few seconds, using an authentication matrix for use during a challenge response authentication process, using host fingerprinting that allows for authentication to be performed only from specified hosts, or SMS authentication whereby access codes are sent directly to your mobile phone.