Managing isolated systems is already a complicated task. Network connectivity from outside the Local Area Network (LAN) introduces new complexities that must be taken into account when designing an information security plan. The most significant concern when connecting a LAN to the Internet is protecting internal information from external attackers. Connecting geographically distinct branches together creates another set of challenges.
When considering the complexities of protecting internal information from external attackers, information security professionals must consider the wide variety of network-based attacks and the range of systems available to protect internal systems. Some attacks seek to exploit known defects in software available via the network to install malicious code on internal systems. Once executed, the malicious code could damage the operating system, corrupt or steal company information, or install a backdoor program that allows the attacker to gain access to the system at a later time. Other attacks seek to gain access to systems by impersonating trusted users. These attacks generally seek to gain entry to the system by attempting to guess a user's password. Finally, another category of network-based attack does not try to gain access to the system at all. In fact, this category exploits defects in software in order to prevent other users from accessing the services provided by the system. These denial-of-service (DoS) attacks may not result in data loss, but they can impact productivity (Whitman & Mattord, 2009).
Understanding the wide variety of network-based attacks can help an information security professional decide how best to protect the company's systems. A firewall creates a buffer between the untrusted, public network and the trusted, private network. The first big hurdle in implementing a corporate firewall is deciding which architecture is most appropriate for the existing systems. Firewall devices cover a range of options. Packet filtering firewalls use address and port information alone to determine whether a packet should be allowed to pass to the trusted network. At the other end of the spectrum are stateful inspection firewalls, which maintain information about sessions passing through the firewall. This allows the firewall to make decisions based on session state rather than on each packet in isolation. Choosing a device type, however, is simple compared with choosing among the various firewall architectures (Whitman & Mattord, 2009).
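The difference between the two device types can be seen in a small simulation. This is an added example, not code from the original text or from Whitman and Mattord; the trusted network prefix, the published ports and the three packets are constructed values. The stateless filter has to open every ephemeral port so that replies to outbound connections can return, which also admits an unsolicited packet aimed at a high port on a workstation; the stateful filter admits that reply because it matches a tracked session, and rejects the unsolicited packet.

```python
"""Stateless packet filter vs. stateful inspection, as a small simulation."""
from dataclasses import dataclass

TRUSTED_PREFIX = "10.0.0."     # constructed: the trusted LAN
PUBLISHED_PORTS = {80, 443}    # constructed: services exposed to the Internet


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int


def from_trusted(pkt):
    return pkt.src.startswith(TRUSTED_PREFIX)


class PacketFilter:
    """Judges each packet on addresses and ports alone. To let replies to
    outbound connections back in, it has to open every ephemeral port."""
    def allow(self, pkt):
        if from_trusted(pkt):
            return True
        return pkt.dport in PUBLISHED_PORTS or pkt.dport > 1023


class StatefulFilter:
    """Remembers outbound sessions; admits only their replies plus new
    connections to published services."""
    def __init__(self):
        self.sessions = set()

    def allow(self, pkt):
        if from_trusted(pkt):
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return True  # reply to a tracked session
        return pkt.dport in PUBLISHED_PORTS


def run(fw):
    """Constructed traffic: an outbound HTTPS request, its reply, then an
    unsolicited packet aimed at a high port on a workstation."""
    traffic = [Packet("10.0.0.5", 40000, "203.0.113.10", 443),
               Packet("203.0.113.10", 443, "10.0.0.5", 40000),
               Packet("198.51.100.7", 5555, "10.0.0.5", 8080)]
    return [fw.allow(p) for p in traffic]
```

`run(PacketFilter())` returns `[True, True, True]`, while `run(StatefulFilter())` returns `[True, True, False]`: only the stateful device distinguishes a reply from an unsolicited packet.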
A firewall system is a combination of devices. Screened host, dual-homed host, and screened subnet firewalls are different architectures that provide various levels of security and complexity. A screened host firewall uses a packet filtering firewall and proxy server to protect internal systems. A dual-homed host firewall is similar, but the proxy server has two network connections. All packets destined for the internal network must come into the untrusted side of the proxy server and out the trusted side. Finally, screened subnet firewalls use multiple servers to provide proxy access to secure data inside the trusted network. This provides the highest level of security and scalability (Whitman & Mattord, 2009).
The final complexity related to firewalls involves the implementation and maintenance of the systems. During the initial deployment of the firewall system, a great deal of work may be required, depending on the complexity of the internal systems and on what information is being made available externally. Unfortunately, the work is not over when the system is deployed. As information systems mature and technology changes, the firewall system will need to be updated frequently to reflect those changes, including whenever services are added or retired. Maintenance of these systems requires dedicated professionals with a specialized skill set (Whitman & Mattord, 2009).
When companies have geographically distinct facilities, it is common for these facilities to communicate. Securing this communication is a significant concern for information security professionals. Communication between facilities is most frequently accomplished with Virtual Private Networks (VPNs). There are different kinds of VPNs. Originally, facilities were connected using circuits leased from telephone companies. The security of these networks relied on the telephone companies' ability to secure the devices and physical facilities that made up the circuit. Modern VPNs use secure, encrypted tunnels to create networks across the Internet. Like firewall systems, the deployment and maintenance of VPNs requires dedicated professionals with specialized skills (Whitman & Mattord, 2009).
Whitman, M. E. & Mattord, H. J. (2009). Principles of information security (3rd ed.). Boston: Thomson Course Technology.