Chapter 9: Network Requirements and Preparation Planning and Installation Guide
ShoreTel 11.1 129
encryption is used, and the second is whether a consistent throughput can be maintained
when encryption is enabled. Typically, the trade-off between performance and price is
debated from a software-based versus hardware-based encryption perspective.
9.10.4 Integrated Security Appliances
A number of major vendors provide integrated broadband security appliances to eliminate
security concerns. These devices use custom ASICs to deliver wire-speed firewall, Triple
DES IPSec VPN, and traffic shaping in an easy-to-deploy, cost-effective solution. Installing
a security appliance, such as a NetScreen-5, eliminates the need to deal with complex PC
software installations and allows IT to centrally manage the security policies of these
remote offices and teleworkers. The firewall protection secures sensitive data at the remote
site and can prevent both U-turn attacks and the launching of denial-of-service attacks
from these computers. By combining broadband access technologies with an integrated
security appliance, enterprises and service providers can safely and securely capitalize on
all of the benefits of the broadband Internet.
9.11 Firewalls
A firewall is the first major purchase and the foundation of network security
(Figure 9-2). It prevents unauthorized access to the network or web site by examining both
incoming and outgoing traffic. Based on the predefined security policies, each individual
packet is inspected and processed. Any type of traffic that is deemed to be “illegal” (based
on rules that specify protocol type, source or destination IP address, and so on) is not
allowed through the firewall. Using this tool, administrators can achieve tight control over
the activities they allow into and out of their corporate network or e-business site. In a
corporate network, a firewall prevents intruders from accessing corporate resources while
allowing employees Internet access. In an e-business site, it allows outside access to the
web server while preventing unauthorized access or attacks.
Often, a typical network access point, called a DMZ (demilitarized zone), is implemented
to offer an “outside” presence for e-commerce clients, e-business partners, and web surfers.
The DMZ acts as the gateway through which all Internet communications with the
company or site transpire. It allows for controlled access to front-end web servers while
protecting mission-critical resources (databases, routers, servers, and so on). Thus, the
DMZ needs to be flexible, reliable, and available.
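The rule-based inspection described above, with a DMZ in front of an internal database, as an added example that is not part of the ShoreTel guide. It is a minimal stateless packet filter in Python: an ordered rule list keyed on protocol, source, destination and port, first match wins, and an explicit final deny. The network plan, addresses, ports and sample packet lines are constructed assumptions for illustration.

```python
"""Added example, not from the ShoreTel guide: a minimal stateless packet
filter that applies an ordered rule list to packets the way the firewall and
DMZ discussion describes (protocol, source, destination, port). The network
plan, addresses and rules are constructed for illustration."""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                   # "allow" or "deny"
    proto: str                    # "tcp", "udp", "icmp" or "any"
    src: str                      # source CIDR; "0.0.0.0/0" is anywhere
    dst: str                      # destination CIDR
    dport: Optional[int] = None   # destination port, None matches any

    def matches(self, pkt: dict) -> bool:
        if self.proto != "any" and self.proto != pkt["proto"]:
            return False
        if ipaddress.ip_address(pkt["src"]) not in ipaddress.ip_network(self.src):
            return False
        if ipaddress.ip_address(pkt["dst"]) not in ipaddress.ip_network(self.dst):
            return False
        return self.dport is None or pkt.get("dport") == self.dport


# Constructed plan (assumption): Internet -> DMZ web server -> internal database.
ANY = "0.0.0.0/0"
INTERNAL = "10.0.0.0/8"
WEB = "192.0.2.10/32"       # front-end web server in the DMZ
DB = "10.1.1.20/32"         # the one internal host the web server may reach

# First match wins. The last rule makes the default explicit: deny everything
# that no earlier rule allows.
POLICY = [
    Rule("allow", "tcp", ANY, WEB, 80),
    Rule("allow", "tcp", ANY, WEB, 443),
    Rule("allow", "tcp", WEB, DB, 5432),
    Rule("allow", "any", INTERNAL, ANY),
    Rule("deny", "any", ANY, ANY),
]


def evaluate(pkt, policy=POLICY):
    """Return the action of the first rule matching pkt ('deny' if none)."""
    for rule in policy:
        if rule.matches(pkt):
            return rule.action
    return "deny"


def parse_packet(line):
    """Constructed packet line: '<proto> <src> <dst> [<dport>]'."""
    parts = line.split()
    pkt = {"proto": parts[0], "src": parts[1], "dst": parts[2]}
    if len(parts) > 3:
        pkt["dport"] = int(parts[3])
    return pkt


def filter_lines(lines, policy=POLICY):
    """Evaluate each constructed packet line; returns a list of (line, action)."""
    return [(line, evaluate(parse_packet(line), policy)) for line in lines]


# Constructed sample traffic.
SAMPLE = [
    "tcp 198.51.100.7 192.0.2.10 443",    # web surfer to the DMZ web server
    "tcp 198.51.100.7 10.1.1.20 5432",    # outsider aiming straight at the database
    "tcp 192.0.2.10 10.1.1.20 5432",      # web server to its database
    "tcp 192.0.2.10 10.1.1.21 22",        # web server to some other internal host
    "tcp 10.5.5.5 203.0.113.9 80",        # employee browsing out
    "icmp 198.51.100.7 192.0.2.10",       # ping from outside: no rule allows it
]

if __name__ == "__main__":
    for line, action in filter_lines(SAMPLE):
        print(f"{action:5} {line}")
```

Two points the listing makes that the prose does not: rule order is the policy (moving the final deny to the top would block everything), and a purely stateless filter like this one has no rule for the web server's replies back to Internet clients. Real firewalls solve that with connection tracking, so replies to an allowed connection pass without an explicit return-path rule.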
The firewall is often the first line of defense in this environment. Always vigilant, this
device must look into all traffic for the site. As part of its duty, the firewall recognizes and
deals with denial-of-service attacks, such as TCP SYN flood and Ping of Death. In each of
these attacks, the hackers are simply attempting to overwhelm the devices that provide an
Internet presence for the company.
With a TCP SYN flood, a stream of TCP SYN packets is sent to the receiving device (often
the firewall). The finite memory and size of the TCP entry tables can be overrun by
spurious SYN packets, preventing any real users from making a TCP connection required
for HTTP communications.
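The table-exhaustion effect described in the SYN flood paragraph, as an added example that is not part of the ShoreTel guide. The Python below replays a constructed packet log against a half-open connection table of fixed capacity, expires entries whose handshake never completes, records which sources pile up half-open entries, and shows the legitimate client's SYN being refused once the table is full. The record format, the capacity, the timeout and the detection threshold are all constructed assumptions.

```python
"""Added example, not from the ShoreTel guide: simulating the finite TCP
connection table the text describes and flagging the sources that fill it
with half-open (SYN sent, never completed) connections. Record format,
capacity, timeout and threshold are constructed assumptions."""
from collections import defaultdict

# Constructed record format: "<t_seconds> <src_ip>:<sport> <dst_ip>:<dport> <flag>"
# with flag one of SYN (client), SYN-ACK (server), ACK (client completes), RST.


def parse(line):
    t, src, dst, flag = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return float(t), src_ip, int(sport), dst_ip, int(dport), flag


def analyze(lines, capacity=16, syn_timeout=30.0, threshold=10):
    """Replay the records against a table holding at most `capacity` half-open
    connections. Returns (flagged, peak_occupancy, dropped): flagged maps each
    source whose half-open count ever exceeded `threshold` to its peak count,
    and dropped lists (time, src_ip) of SYNs refused because the table was full."""
    table = {}                    # 4-tuple -> (src_ip, time the SYN arrived)
    per_src = defaultdict(int)    # current half-open entries per source
    per_src_peak = defaultdict(int)
    peak = 0
    dropped = []
    for t, src_ip, sport, dst_ip, dport, flag in sorted(parse(l) for l in lines):
        # Expire entries whose handshake never completed within syn_timeout.
        for stale in [k for k, (_, t0) in table.items() if t - t0 > syn_timeout]:
            per_src[table.pop(stale)[0]] -= 1
        key = (src_ip, sport, dst_ip, dport)
        if flag == "SYN":
            if len(table) >= capacity:   # table exhausted: this is the damage
                dropped.append((t, src_ip))
                continue
            table[key] = (src_ip, t)
            per_src[src_ip] += 1
            per_src_peak[src_ip] = max(per_src_peak[src_ip], per_src[src_ip])
            peak = max(peak, len(table))
        elif flag in ("ACK", "RST") and key in table:
            # Handshake completed (or aborted): the entry stops tying up the table.
            per_src[table.pop(key)[0]] -= 1
    flagged = {s: n for s, n in per_src_peak.items() if n > threshold}
    return flagged, peak, dropped


def constructed_records():
    """Forty never-completed SYNs from one source, interleaved with a legitimate
    client that connects once early and is refused when it tries again later."""
    rec = [f"{i * 0.1:.2f} 203.0.113.5:{40000 + i} 192.0.2.10:80 SYN" for i in range(40)]
    rec += ["0.55 198.51.100.7:51000 192.0.2.10:80 SYN",
            "0.65 198.51.100.7:51000 192.0.2.10:80 ACK",
            "5.00 198.51.100.7:51001 192.0.2.10:80 SYN"]
    return rec


if __name__ == "__main__":
    flagged, peak, dropped = analyze(constructed_records())
    print("sources over threshold:", flagged)
    print("peak table occupancy:", peak)
    print("refused SYNs:", len(dropped), "last refused from", dropped[-1][1])
```

With the constructed input the single flooding source reaches 16 half-open entries, the table sits at capacity, and the legitimate client's second SYN at t=5.0 is refused along with the rest of the flood. The per-source peak is the detection signal a firewall would act on; the usual mitigations (SYN cookies or proxying the handshake at the firewall) avoid committing a table entry until the third packet arrives, which is why they hold up where the plain table here does not.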
An ICMP flood attack likewise overwhelms a device by streaming ICMP echo packets at a
recipient destination. This flood of packets requires the device to process and respond to these pings,
burning precious resources and preventing other traffic from being serviced. By examining
the site’s traffic patterns, advanced firewalls can apply logical rules that prevent the device
1. Note that Internet VPNs, though useful for data, may not offer sufficient protection against latency and
packet loss for VoIP.