Methods and technologies for computer networks protection (network, transport and application layers)

Abstract

Standard solutions that are supported by manufacturers of equipment for computer networks (switches the 2nd and 3rd levels, routers), implemented in the operating systems and protocols, and can be used for the development and implementation of integrated corporate network protection systems are considered in this article. The article is the second of a series of articles devoted to the analysis of methods and technologies of protection. The typical threats to computer network at the network (substitution the IP addresses of the nodes, imposing the wrong route, intercepting the IP address range and receiving information about the logical structure of the network, DDoS attacks on external channels), transport (Interception of information and connection to open ports of transport layer protocols) and application  (Information interception, viruses and spyware) layers of OSI model are given and the features of methods and technologies to protect at are analyzed. Technology of Network Address Translation and Access Control Lists are analyzed to prevent threats to the network level. Features of using the “Blackhole” BGP function for protection against DDoS attacks on external channels are considered. The features of the protocol Secure Socket Layer / Transport Layer Security to protect against threats to the transport layer are analyzed. Approaches of “Statefull” Inspection and content filtering that allow implementing control of connection, data control between specific applications and performing filtering unwanted information are considered at the application level. Also, features of network security providing in heterogeneous virtual computing environments such as GRID-systems and cloud computing are noted. The approaches to protection which ware considered in work allow to effectively counter acting, first of all, external violation of information security. In the previous article of the cycle the methods and technologies of the physical and channel levels that were aimed at protecting against internal attacks on computer networks were considered. Analysis of methods and protection technologies at various levels of the OSI model which was conducted in work allows making informed decisions about choosing methods to protect networks for different purposes and with different requirements regarding data protection. Configuring the proper functionality on the network equipment allows carrying out the monitoring of compliance with network security policies and implement protection as close to possible sources of violations. Ref. 16, tabl. 1.