The latest statistics on the Internet indicate that it consists of over 30,000 networks with a total of over 2.5 million hosts. With so many network users on the Internet, there is, unfortunately, a small segment of users who are malicious hackers. This situation is similar to moving to a large city that has its share of criminals. In this case, it is wise to protect your abode using locked doors. Prudence on your part also demands that if someone knocks on your door, you should have the ability to examine the person before allowing them entrance into your abode. Persons who appear to be harmful or look dangerous (high-security risks) should not be allowed entrance. In a similar manner, the screening router examines incoming packets to determine which of them could be potentially harmful.
The enterprise network's boundary is called the security perimeter. Because malicious hackers abound on the Internet, it is useful to define a zone of risk. The zone of risk includes all TCP/IP-capable networks that are directly accessible through the Internet. TCP/IP-capable means that the host supports the TCP/IP protocol and its support protocols. Directly accessible would mean that there are no strong security measures (no ‘locked doors') between the Internet and hosts on your enterprise network.
From your point of view, the Internet's regional, national, and backbone networks represent a zone of risk. Hosts within the zone of risk are vulnerable to attacks. Placing your networks and hosts outside the zone of risk is highly desirable. However, without a device that can block attacks made against your network, the zone of risk will extend to your network. The screening router is one such device that can reduce the zone of risk so that it does not penetrate your network's security perimeter.
Not all hosts in your enterprise network may be TCP/IP-capable. Even so, these non-TCP/IP hosts can become vulnerable despite the fact that they are not technically part of the zone of risk. It can occur if the non-TCP/IP host is connected to the TCP/IP host. The intruder can use a protocol common to both the TCP/IP host and the non-TCP/IP host to access the non-TCP/IP host from the TCP/IP host. If the hosts are on the same Ethernet segment, for example, an intruder can reach the non-TCP/IP host through the Ethernet protocol.
The enterprise network's boundary is called the security perimeter. Because malicious hackers abound on the Internet, it is useful to define a zone of risk. The zone of risk includes all TCP/IP-capable networks that are directly accessible through the Internet. TCP/IP-capable means that the host supports the TCP/IP protocol and its support protocols. Directly accessible would mean that there are no strong security measures (no ‘locked doors') between the Internet and hosts on your enterprise network.
From your point of view, the Internet's regional, national, and backbone networks represent a zone of risk. Hosts within the zone of risk are vulnerable to attacks. Placing your networks and hosts outside the zone of risk is highly desirable. However, without a device that can block attacks made against your network, the zone of risk will extend to your network. The screening router is one such device that can reduce the zone of risk so that it does not penetrate your network's security perimeter.
Not all hosts in your enterprise network may be TCP/IP-capable. Even so, these non-TCP/IP hosts can become vulnerable despite the fact that they are not technically part of the zone of risk. It can occur if the non-TCP/IP host is connected to the TCP/IP host. The intruder can use a protocol common to both the TCP/IP host and the non-TCP/IP host to access the non-TCP/IP host from the TCP/IP host. If the hosts are on the same Ethernet segment, for example, an intruder can reach the non-TCP/IP host through the Ethernet protocol.
0 comments:
Post a Comment