Connecting with Confidence
By John Stewart
LANs that provide Web, mail, and FTP services generally manage security at three points: the entry onto that LAN (usually a router interface), the LAN medium itself (usually a switch), and the computers connected to that LAN (the servers). Such a design ensures that the network doesn't fall victim to the "hard crunchy outside, soft mushy middle" problem. Companies with this configuration rely on firewalls to protect their servers but never account for the fact that the servers must be able to protect themselves from attack. Conversely, the three-point design also ensures that the network doesn't have a "hard crunchy middle, soft mushy outside" configuration, in which the servers must handle and make decisions about dangerous traffic.
Component Features
Each component (router, switch, and server) typically has a common set of capabilities when it comes to protecting the network topology. This month I'll outline some of the feature sets that should be a part of each component you select.
Routers
The router is the best example of an intelligent network device that can protect a computer (besides the computer itself). When designing your external network topology, look for routers that have access control lists (ACLs). ACLs are rulesets that, when applied to a network interface, control the type of traffic that can pass beyond the router to machines on the other side. For instance, email typically is sent on network port 25.
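The ACL behaviour described above, as an added example that is not part of the article: a small Python model of an interface ACL that checks rules in order, lets the first matching rule decide, and drops anything that matches no rule (the implicit deny most routers apply). The DMZ addresses (the 192.0.2.0/24 documentation range), the spoof-check rule and the rest of the rule set are constructed assumptions, not a configuration from the article.

```python
# Added example (not from the article): a minimal model of how a router
# evaluates an access control list (ACL) applied to an interface.
# Rules are checked top to bottom; the first match decides; no match = deny.
import ipaddress
from dataclasses import dataclass
from typing import Optional, List, Tuple


@dataclass(frozen=True)
class Rule:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp", "icmp" or "any"
    src: str                  # source network in CIDR notation
    dst: str                  # destination network in CIDR notation
    dst_port: Optional[int]   # destination port, None means any port


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dst_port: Optional[int] = None


def matches(rule: Rule, pkt: Packet) -> bool:
    """True if every field of the rule covers the packet."""
    if rule.proto != "any" and rule.proto != pkt.proto:
        return False
    if ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(rule.src):
        return False
    if ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(rule.dst):
        return False
    if rule.dst_port is not None and rule.dst_port != pkt.dst_port:
        return False
    return True


def evaluate(acl: List[Rule], pkt: Packet) -> Tuple[str, Optional[int]]:
    """Return (decision, index of the rule that fired).

    A packet that matches no rule is denied with index None, which is the
    implicit deny at the end of every router ACL.
    """
    for i, rule in enumerate(acl):
        if matches(rule, pkt):
            return rule.action, i
    return "deny", None


# Constructed sample: an inbound ACL for the external interface in front of a
# DMZ (192.0.2.0/24, an RFC 5737 documentation range) hosting a mail server,
# a web server and an FTP server. Addresses and hosts are assumptions.
INBOUND_ACL = [
    # Anti-spoofing: traffic arriving from outside must not claim a DMZ source.
    Rule("deny", "any", "192.0.2.0/24", "0.0.0.0/0", None),
    # Only the services each host actually offers are reachable from outside.
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.25/32", 25),   # SMTP to mail server
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.80/32", 80),   # HTTP to web server
    Rule("permit", "tcp", "0.0.0.0/0", "192.0.2.21/32", 21),   # FTP control channel
    # Explicit catch-all so the drop is visible in the rule hit counters/logs.
    Rule("deny", "any", "0.0.0.0/0", "0.0.0.0/0", None),
]


if __name__ == "__main__":
    samples = [
        Packet("tcp", "203.0.113.7", "192.0.2.25", 25),   # mail delivery: permitted
        Packet("tcp", "203.0.113.7", "192.0.2.25", 23),   # telnet to mail host: denied
        Packet("udp", "203.0.113.7", "192.0.2.80", 80),   # wrong protocol: denied
        Packet("tcp", "192.0.2.9", "192.0.2.25", 25),     # spoofed DMZ source: denied
    ]
    for p in samples:
        print(p, "->", evaluate(INBOUND_ACL, p))
```

Because rule order decides, the anti-spoofing deny sits first and the catch-all deny last; a real router without the explicit catch-all still drops unmatched traffic, which `evaluate` models by returning `("deny", None)` when the list is exhausted.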