Network Security
Written by Chris Gountanis   

Abstract
There are two basic types of network security, transit security and traffic regulation, which when combined can help guarantee that the right information is securely delivered to the right place. The Open Systems Interconnection Basic Reference Model (OSI Reference Model or OSI Model for short) is a layered, abstract description for communications and computer network protocol design. The primary advantages of VPNs are: they allow private address space (you can have more machines on a network), and they allow the packet encryption/translation overhead to be done on dedicated systems, decreasing the load placed on production machines. One way to protect data is through encryption. Encryption mathematically converts your data into a form that is not directly readable. Remote Authentication Dial In User Service (RADIUS) is a networking protocol that uses access servers to provide centralized management of access to large networks.

Network Security
There are two basic types of network security, transit security and traffic regulation, which when combined can help guarantee that the right information is securely delivered to the right place. It should be apparent that there is also a need for ensuring that the hosts that receive the information will properly process it; this raises the entire specter of host security, a wide area that varies tremendously from one type of system to another. With the growth in business use of the Internet, network security is rapidly becoming crucial to the development of the Internet.

OSI Model
The Open Systems Interconnection Basic Reference Model (OSI Reference Model or OSI Model for short) is a layered, abstract description for communications and computer network protocol design. It describes how information from a software application in one computer moves through a network medium to a software application in another computer. The United States Department of Defense (DOD) developed a separate model that served as the basis for its own protocol suite, known as the Internet protocol suite. The OSI model provides a conceptual framework for communication between computers, but the model itself is not a method of communication. Encapsulation is the process of inserting the information of an upper layer into the data field of a lower layer. Flow control is the process of adjusting the flow of data packets to ensure the reliability of data delivery and data integrity. The OSI model defines a networking framework for implementing protocols in seven layers. Control is passed from one layer to the next, starting at the application layer in one station, proceeding down to the bottom layer, over the channel to the next station, and back up the hierarchy. Each of the seven layers has clearly defined characteristics.
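To make encapsulation and its reverse concrete, here is an added Python example (not from the original article) that wraps application data in a UDP header, then an IPv4 header with its RFC 1071 checksum, then an Ethernet frame, and peels the layers back off while validating each header before trusting the next. The MAC addresses and the 192.0.2.0/24 addresses are constructed sample values.

```python
import struct

# Constructed sample values for the demonstration (not from the article).
SRC_MAC = bytes.fromhex("02000000aa01")          # locally administered MAC
DST_MAC = bytes.fromhex("02000000aa02")
SRC_IP, DST_IP = "192.0.2.10", "192.0.2.20"      # RFC 5737 documentation range
ETHERTYPE_IPV4, PROTO_UDP = 0x0800, 17

def ip_checksum(header: bytes) -> int:
    """RFC 1071 one's-complement sum over the 16-bit words of an IPv4 header."""
    if len(header) % 2:
        header += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(header) // 2), header))
    while total >> 16:                            # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def encapsulate(payload: bytes, sport: int, dport: int) -> bytes:
    """Application data -> UDP segment -> IPv4 packet -> Ethernet frame."""
    # Layer 4: UDP header; checksum 0 means "not computed", which IPv4 permits
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    # Layer 3: IPv4 header, checksum computed with the checksum field zeroed
    src = bytes(map(int, SRC_IP.split(".")))
    dst = bytes(map(int, DST_IP.split(".")))
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0x1234, 0,
                      64, PROTO_UDP, 0, src, dst)
    hdr = hdr[:10] + struct.pack("!H", ip_checksum(hdr)) + hdr[12:]
    # Layer 2: Ethernet II frame carrying the IPv4 packet
    return DST_MAC + SRC_MAC + struct.pack("!H", ETHERTYPE_IPV4) + hdr + udp

def decapsulate(frame: bytes) -> dict:
    """Peel the layers off again, validating each header before using the next."""
    if struct.unpack("!H", frame[12:14])[0] != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4
    if ip_checksum(ip[:ihl]) != 0:                # a valid header checksums to zero
        raise ValueError("bad IPv4 header checksum")
    if ip[9] != PROTO_UDP:
        raise ValueError("not a UDP packet")
    udp = ip[ihl:]
    sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
    return {"src": ".".join(map(str, ip[12:16])), "dst": ".".join(map(str, ip[16:20])),
            "sport": sport, "dport": dport, "data": udp[8:ulen]}
```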

Firewalls
Since firewalls are so commonly used it is worth exploring them in greater depth. Corporations often set up rules for managing their Web connections using firewalls. A firewall enables a company to designate how all end users can use their network and decide what information is passed through Web servers and other servers.

There are several methods a firewall uses to control traffic that comes into and goes out of the network. One of them is packet filtering: the firewall analyzes each small packet of information against pre-designated filters. All data is sent through the filters as small packets of information; packets judged safe are passed through and unsafe ones are generally dropped.

Another way firewalls regulate traffic is through a proxy service: the firewall retrieves information from the Web on behalf of the requesting computer and then sends it on. Still another method of traffic control used by firewalls is stateful inspection. This technique allows the firewall to compare certain parts of a data packet with information gathered from trusted sources. Information going to the firewall from the Internet is monitored to determine whether it contains key characteristics that suggest it is safe rather than harmful. Information designated as safe passes through freely; everything else is blocked.

The methods a company selects will depend on a number of factors, including personal preference. Regardless of the method a firewall uses, however, a company or network administrator can customize the firewall to filter information based on a pre-established set of criteria.
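As an added example (not from the original article), the following Python sketch combines two of the mechanisms described above: a first-match packet filter over a rule set, plus a connection table that admits return traffic for flows already allowed, which is the essence of stateful inspection. The addresses and the policy are constructed for the demonstration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Set, Tuple

@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # TCP SYN without ACK, i.e. a new connection attempt

@dataclass
class Rule:
    action: str                 # "allow" or "deny"
    proto: str = "any"
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        return (self.proto in ("any", p.proto)
                and ip_address(p.src) in ip_network(self.src)
                and ip_address(p.dst) in ip_network(self.dst)
                and (self.dport is None or self.dport == p.dport))

class StatefulFilter:
    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.flows: Set[Tuple] = set()      # admitted flows, keyed by 5-tuple

    def decide(self, p: Packet) -> str:
        flow = (p.proto, p.src, p.sport, p.dst, p.dport)
        reverse = (p.proto, p.dst, p.dport, p.src, p.sport)
        # Stateful inspection: replies to an admitted flow pass without re-consulting rules.
        if flow in self.flows or reverse in self.flows:
            return "allow"
        # A TCP packet that is neither a SYN nor part of a known flow is a stray and is dropped.
        if p.proto == "tcp" and not p.syn:
            return "deny"
        for rule in self.rules:             # static packet filtering, first match wins
            if rule.matches(p):
                if rule.action == "allow":
                    self.flows.add(flow)
                return rule.action
        return "deny"                       # default deny when nothing matches

# Constructed policy: inside hosts (10.0.0.0/8) may reach HTTPS and DNS anywhere;
# the outside may only reach the mail relay at 203.0.113.25 on port 25.
POLICY = [
    Rule("allow", "tcp", src="10.0.0.0/8", dport=443),
    Rule("allow", "udp", src="10.0.0.0/8", dport=53),
    Rule("allow", "tcp", dst="203.0.113.25/32", dport=25),
]
```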

Virtual Private Networks
This is the concept of creating a private network by using TCP/IP to provide the lower levels of a second TCP/IP stack. This can be a confusing concept, and is best understood by comparing it to the way TCP/IP is normally implemented. In a nutshell, IP traffic is sent across various forms of physical networks. Each system that connects to the physical network implements a standard for sending IP messages across that link. Standards for IP transmission across various types of links exist; the most common are for Ethernet and point-to-point links (PPP and SLIP). Once an IP packet is received, it is passed up to the higher layers of the TCP/IP stack as appropriate (UDP, TCP and eventually the application). When a virtual private network is implemented, the lowest levels of the TCP/IP protocol are implemented using an existing TCP/IP connection. There are a number of ways to accomplish this, which trade off abstraction against efficiency. The advantage this gives you in terms of secure data transfer is only a single step further away. Because a VPN gives you complete control over the physical layer, it is entirely within the network designer's power to encrypt the connection at the physical (virtual) layer. By doing this, all traffic of any sort over the VPN will be encrypted, whether it originates at the application layer (such as Mail or News) or at the lowest layers of the stack (IP, ICMP). The primary advantages of VPNs are that they allow private address space (you can have more machines on a network), and that they allow the packet encryption/translation overhead to be done on dedicated systems, decreasing the load placed on production machines.

Packet Level Encryption
Another approach is to encrypt traffic at a higher layer in the TCP/IP stack. Several methods exist for the secure authentication and encryption of telnet and rlogin sessions (Kerberos, S/Key and DESlogin); these are examples of encryption at the highest level of the stack, the application layer. The advantages of encrypting traffic at a higher layer are that the processor overhead of dealing with a VPN is eliminated, interoperability with current applications is not affected, and it is much easier to compile a client program that supports application layer encryption than to build a VPN. It is possible to encrypt traffic at essentially any of the layers in the IP stack. Particularly promising is encryption done at the TCP level, which provides fairly transparent encryption to most network applications.

It is important to note that both of these methods can have performance impacts on the hosts that implement the protocols and on the networks which connect those hosts. The relatively simple act of encapsulating or converting a packet into a new form requires CPU time and uses additional network capacity. Encryption can be a very CPU-intensive process, and encrypted packets may need to be padded to a uniform length to guarantee the robustness of some algorithms. Further, both methods have impacts on other areas (security related and otherwise, such as address allocation, fault tolerance and load balancing) that need to be considered before any choice is made as to which is best for a particular case.

Encryption
One way to protect data is through encryption. Encryption mathematically converts your data into a form that is not directly readable. The conversion between readable and encrypted data is generally controlled by a password or "shared secret" (sometimes generated automatically). Only a person (or program) that knows the password (or the method to generate the shared secret) can read the encrypted data. Encryption can be useful for files stored on your local computer as well as files that you are transmitting over the network.
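An added Python example, not from the original article, of password-controlled encryption using only the standard library: the password is stretched with PBKDF2 into separate encryption and MAC keys, HMAC-SHA256 run in counter mode supplies the keystream, and an HMAC tag lets the receiver detect a wrong password or altered data before decrypting anything. The HMAC-counter construction is chosen here to avoid third-party dependencies; production code would use a vetted AEAD such as AES-GCM from a cryptography library.

```python
import hashlib, hmac, os, struct

def derive_keys(password: str, salt: bytes) -> tuple:
    """Stretch the password into an encryption key and a MAC key (PBKDF2-HMAC-SHA256)."""
    km = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000, dklen=64)
    return km[:32], km[32:]

def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode used as a pseudorandom keystream generator."""
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(key, nonce + struct.pack("!Q", counter), "sha256").digest())
        counter += 1
    return b"".join(blocks)[:length]

def encrypt(password: str, plaintext: bytes) -> bytes:
    """Returns salt || nonce || ciphertext || tag, with a fresh salt and nonce per call."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(password, salt)
    ks = keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()   # encrypt-then-MAC
    return salt + nonce + ciphertext + tag

def decrypt(password: str, blob: bytes) -> bytes:
    """Verifies the tag before touching the ciphertext; a wrong password or tampering raises."""
    if len(blob) < 64:
        raise ValueError("blob too short")
    salt, nonce, ciphertext, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = derive_keys(password, salt)
    expected = hmac.new(mac_key, salt + nonce + ciphertext, "sha256").digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong password or modified data")
    ks = keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, ks))
```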

Secure Protocols

  • Kerberos is an authentication system originally developed at MIT. It encrypts your communications on the network like the other protocols described here. But Kerberos also adds a secure authentication system that provides a way for computers to verify the identity of users and other computers from a central database, handling your password only on the local computer and never sending it, even in encrypted form, over the network.

  • SSH is an open-source software system that is used to create encrypted network connections between programs running on different computers. Unlike Kerberos, it does not use a central authentication database such as your SUNet ID. Instead, if the program on the server computer needs to authenticate you, it must prompt for your username and password. Your password is encrypted by SSH before it is sent over the network. But this is slightly less secure than Kerberos, which never sends your password over the network.

  • The SSL protocol (originally developed by Netscape, but now an Internet standard) is a general purpose protocol for authenticating and encrypting data on the network, but it is primarily used to create secure web sites. It relies upon "certificates" created by a trusted authority (such as Verisign) to prove that you are connecting to the correct computer. If you've ever bought something online, for example, you've probably been told that you were using a secure web site and noticed that the address uses the protocol type https rather than simple http.

Antivirus Software
Antivirus software is a computer program that attempts to identify, neutralize or eliminate malicious software. Antivirus is so named because the earliest examples were designed exclusively to combat computer viruses; however, most modern antivirus software is now designed to combat a wide range of threats, including worms, phishing attacks, rootkits, trojan horses and other malware. Antivirus software typically uses two different approaches to accomplish this:

  • Examining (scanning) files to look for known viruses matching definitions in a virus dictionary.
  • Identifying suspicious behavior from any computer program which might indicate infection. This second approach is called heuristic analysis, and may include data captures, port monitoring and other methods.

Most commercial antivirus software uses both of these approaches, with an emphasis on the virus dictionary approach.

Worm
A computer worm is a program which copies itself across a network. A computer worm differs from a computer virus in that a computer worm can run itself. A virus needs a host program to run, and the virus code runs as part of the host program. A computer worm can spread without a host program, although some modern computer worms also use files to hide inside.

Buffer Overflows
In computer security and programming, a buffer overflow, or buffer overrun, is an anomalous condition where a process attempts to store data beyond the boundaries of a fixed-length buffer. The result is that the extra data overwrites adjacent memory locations. The overwritten data may include other buffers, variables and program flow data, and may result in erratic program behavior, a memory access exception, program termination (a crash), incorrect results or, especially if deliberately caused by a malicious user, a possible breach of system security. Buffer overflows can be triggered by inputs specifically designed to execute malicious code or to make the program operate in an unintended way. As such, buffer overflows cause many software vulnerabilities and form the basis of many exploits. Sufficient bounds checking by the programmer, the compiler or the runtime can prevent buffer overflows.

DoS (Denial of Service)
A denial-of-service attack (DoS attack) or distributed denial-of-service attack (DDoS attack) is an attempt to make a computer resource unavailable to its intended users. Although the means to, motives for, and targets of a DoS attack may vary, it generally consists of the concerted, malevolent efforts of a person or persons to prevent an Internet site or service from functioning efficiently or at all, temporarily or indefinitely.

Spoofing
In the context of computer security, a spoofing attack is a situation in which one person or program successfully masquerades as another by falsifying data and thereby gaining an illegitimate advantage. Another kind of spoofing is "webpage spoofing," also known as phishing. In this attack, a legitimate web page such as a bank's site is reproduced in "look and feel" on another server under control of the attacker. The intent is to fool the users into thinking that they are connected to a trusted site, for instance to harvest user names and passwords.

Email Spam Protection
E-mail spam, also known as "bulk e-mail" or "junk e-mail," is a subset of spam that involves nearly identical messages sent to numerous recipients by e-mail. A common synonym for spam is unsolicited bulk e-mail (UBE). Definitions of spam usually include the aspects that email is unsolicited and sent in bulk. "UCE" refers specifically to "unsolicited commercial e-mail."

By filtering inbound email messaging at the Internet gateway with an integrated set of defenses, email security products provide the most effective method to make your email stream secure and reliable, while minimizing administration costs. The email security solution improves employee productivity and reduces your risks and liabilities by adding a vital layer of antispam, anti-phishing, antivirus, and connection management security to existing firewalls and VPNs, without requiring changes to your enterprise applications, protocols, or end-user procedures. It scales readily and provides centralized management and reporting. And since this solution works at the Internet gateway, it conserves bandwidth by blocking viruses, spam, and other unwanted email content before they enter the corporate network.

Wireless Security
Wireless security is the prevention of unauthorized access or damage to computers using wireless networks. Wireless networks are very common, both for organizations and individuals. Many laptop computers have wireless cards pre-installed. The ability to enter a network while mobile has great benefits. However, wireless networking has many security issues. Crackers have found wireless networks relatively easy to break into, and even use wireless technology to crack into wired networks. The recommended solution is to allow only approved wireless devices, all with proper encryption methods enabled.

RADIUS
Remote Authentication Dial In User Service (RADIUS) is a networking protocol that uses access servers to provide centralized management of access to large networks. RADIUS is commonly used by ISPs and corporations managing access to the internet or internal networks employing a variety of networking technologies, including modems, DSL, wireless and VPNs.

The RADIUS server checks that the credentials presented in an access request are correct using authentication schemes like PAP, CHAP or EAP. The user's proof of identification is verified, along with, optionally, other information related to the request, such as the user's network address or phone number, account status and specific network service access privileges. Historically, RADIUS servers checked the user's information against a locally stored flat-file database.
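The PAP check described above, as an added Python example that is not part of the original article: the client builds an Access-Request whose User-Password attribute is hidden the way RFC 2865 specifies (each 16-byte block XORed with MD5 of the shared secret and the previous block, seeded by the Request Authenticator), the server recovers the password, looks it up in a flat-file style table and answers with an Access-Accept or Access-Reject carrying a Response Authenticator, and the client accepts the verdict only if that authenticator verifies. The user table, shared secret and packet identifier are constructed sample values.

```python
import hashlib, hmac, os, struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD = 1, 2               # attribute types from RFC 2865

def password_xor(data: bytes, secret: bytes, req_auth: bytes, hiding: bool) -> bytes:
    """RFC 2865 5.2 User-Password hiding: null-pad to 16-byte blocks, XOR each block with
    MD5(secret + previous ciphertext block), seeded by the Request Authenticator."""
    data = data + b"\x00" * (-len(data) % 16)
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = data[i:i + 16]
        mask = hashlib.md5(secret + prev).digest()
        res = bytes(a ^ b for a, b in zip(block, mask))
        out += res
        prev = res if hiding else block       # always chain on the ciphertext block
    return out if hiding else out.rstrip(b"\x00")

def packet(code: int, ident: int, auth: bytes, attrs) -> bytes:
    body = b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)
    return struct.pack("!BBH", code, ident, 20 + len(body)) + auth + body

def parse(pkt: bytes):
    code, ident, length = struct.unpack("!BBH", pkt[:4])
    attrs, i = {}, 20
    while i < length:
        if pkt[i + 1] < 2:
            raise ValueError("malformed attribute")
        attrs[pkt[i]] = pkt[i + 2:i + pkt[i + 1]]
        i += pkt[i + 1]
    return code, ident, length, pkt[4:20], attrs

def response_auth(code, ident, length, req_auth, body, secret) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, length) + req_auth + body + secret).digest()

def access_request(user: bytes, password: bytes, secret: bytes, ident: int = 7) -> bytes:
    req_auth = os.urandom(16)                 # fresh Request Authenticator per request
    hidden = password_xor(password, secret, req_auth, hiding=True)
    return packet(ACCESS_REQUEST, ident, req_auth, [(USER_NAME, user), (USER_PASSWORD, hidden)])

def server_handle(pkt: bytes, secret: bytes, users: dict) -> bytes:
    """Server side: recover the password, check it against a flat-file style table, reply."""
    _, ident, _, req_auth, attrs = parse(pkt)
    pw = password_xor(attrs[USER_PASSWORD], secret, req_auth, hiding=False)
    ok = hmac.compare_digest(users.get(attrs[USER_NAME], b"\x00"), pw)
    code = ACCESS_ACCEPT if ok else ACCESS_REJECT
    return packet(code, ident, response_auth(code, ident, 20, req_auth, b"", secret), [])

def client_accepts(resp: bytes, request: bytes, secret: bytes) -> bool:
    """Client side: trust the verdict only if the Response Authenticator verifies."""
    code, ident, length, resp_auth, _ = parse(resp)
    expected = response_auth(code, ident, length, request[4:20], resp[20:length], secret)
    return hmac.compare_digest(expected, resp_auth) and code == ACCESS_ACCEPT
```

The password hiding is reversible by anyone holding the shared secret, so the secret and the path between access server and RADIUS server need protecting as much as the user database does.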

Last Updated on Tuesday, 03 June 2008 11:36