Nat addresses concerns over the dwindling ipv4 address space by

PART ONE

Foundations of Network Security

Fundamentals of Network Security 2

Firewall Fundamentals 41

VPN Fundamentals 74

Network Security Threats and Issues 103

Fundamentals of Network Security

COMPUTER NETWORK SECURITY is very complex. New threats from inside and outside networks appear constantly. Just as constantly, the security community is developing new products and procedures to defend against threats of the past and unknowns of the future.

As companies merge, people lose their jobs, new equipment comes online, and business tasks change, people do not always do what you expect. Network security configurations that worked well yesterday might not work quite as well tomorrow. In an ever-changing business climate, whom should you trust? Has your trust been violated? How would you even know? Who is attempting to harm your network this time? And why?

Because of these complex issues, you need to understand the essentials of network security. This chapter will introduce you to the basic elements of network security. Once you have a firm grasp of these fundamentals, you will be well equipped to put effective security measures into practice on your organization’s network.

1 CHAPTER

2

Chapter 1 Topics

This chapter covers the following topics and concepts:

• What network security is

• What you are trying to protect within the seven domains of a typical IT infrastructure

• What the goals of network security are

• How you can assess the success of your network security implementation

• Why written network security policies are important

• Who is responsible for network security

• What some examples of network infrastructures and related security concerns are

• Which controls can enhance the security of wired vs. wireless local area network (LAN) infrastructures

• What some examples of internal and external network issues are

• Which common network security components are used to mitigate threats throughout the IT infrastructure

Chapter 1 Goals

When you complete this chapter, you will be able to:

• Describe the key concepts and terms associated with network security

• Describe the importance of a written security policy and explain how policies help mitigate risk exposure and threats to a network infrastructure

• Define network security roles and responsibilities and who within an IT organization is accountable for these security implementations

• Identify examples of network security concerns or threats that require enhanced security countermeasures to properly mitigate risk exposure and threats

• Describe the security requirements needed for wired versus wireless LAN infrastructures in order to provide an enhanced level of security

• Compare and contrast common network security components and devices and their use throughout the IT infrastructure

3

1 Fundam

entals of N

etw ork Security

What Is Network Security?

Network security is the control of unwanted intrusion into, use of, or damage to commu- nications on your organization’s computer network. This includes monitoring for abuses, looking for protocol errors, blocking non-approved transmissions, and responding to problems promptly. Network security is also about supporting essential communication necessary to the organization’s mission and goals, avoiding the unapproved use of resources, and ensuring the integrity of the information traversing the network.

Network security includes elements that prevent unwanted activities while supporting desirable activities. This is hard to do efficiently, cost effectively, and transparently. Efficient network security provides quick and easy access to resources for users. Cost-effective network security controls user access to resources and services without excessive expense. Transparent network security supports the mission and goals of the organization through enforcement of the organization’s network security policies, without getting in the way of valid users performing valid tasks.

Computer networking technology is changing and improving faster today than ever before. Wireless connectivity is now a realistic option for most companies and individuals. Malicious hackers are becoming more adept at stealing identities and money using every means available.

Today, many companies spend more time, money, and effort protecting their assets than they do on the initial installation of the network. And little wonder. Threats, both internal and external, can cause a catastrophic system failure or compromise. Such security breaches can even result in a company going out of business. Without network security, many businesses and even individuals would not be able to work productively.

Network security must support workers in doing their jobs while protecting against compromise, maintaining high performance, and keeping costs to a minimum. This can be an incredibly challenging job, but it is one that many organizations have success- fully tackled.

Network security has to start somewhere. It has to start with trust.

What Is Trust? Trust is confidence in your expectation that others will act in your best interest. With computers and networks, trust is the confidence that other users will act in accordance with your organization’s security rules. You trust that they will not attempt to violate the stability, privacy, or integrity of the network and its resources. Trust is the belief that others are trustworthy.

Unfortunately, sometimes people violate your trust. Sometimes they do this by accident, oversight, or ignorance that the expectation even existed. In other situations, they violate trust deliberately. Because these people can be either internal personnel or external hackers, it’s difficult to know whom to trust.

So how can you answer the question, “Who is trustworthy?” You begin by realizing that trust is based on past experiences and behaviors. Trust is usually possible between

4 PART 1 | Foundations of Network Security

people who already know each other. It’s neither easy nor desirable to trust strangers. However, once you’ve defined a set of rules and everyone agrees to abide by those rules, you have established a conditional trust. Over time, as people demonstrate that they are willing to abide by the rules and meet expectations of conduct, then you can consider them trustworthy.

Trust can also come from using a third-party method. If a trustworthy third party knows you and me, and that third party states that you and I are both trustworthy people, then you and I can assume that we can conditionally trust each other. Over time, someone’s behavior shows whether the initial conditional trust was merited or not.

A common example of a third-party trust system is the use of digital certificates that a public certificate authority issues. As shown in Figure 1-1, a user communicates with a Web e-commerce server. The user does not initially know whether a Web server is what it claims to be or if someone is “spoofing” its identity. Once the user examines the digital certificate issued to the Web server from the same certificate authority that issued the user’s digital certificate, the user can then trust that the identity of the Web site is valid. This occurs because both the user and the Web site have a common, trustworthy third party that they both know.

Ultimately, network security is based on trust. Companies assume that their employees are trustworthy and that all of the computers and network devices are trustworthy. But not all trust is necessarily the same. You can (and probably should) operate with different levels or layers of trust. Those with a higher level of trust can be assigned greater permissions and privileges. If someone or something violates your trust, then you remove

FIGURE 1-1

An example of a third- party trust system.

Example of a Third-party Trust System

Certi�cate issued to User

Certi�cate issued to Web site

Initial unknown trust relationship

Web E-commerce Server Web User

Certi�cate Authority

CHAPTER 1 | Fundamentals of Network Security 5

1 Fundam

entals of N

etw ork Security

the violator’s access to the secure environment. For example, companies terminate an untrustworthy employee or replace a defective operating system.

Who—or What—Is Trustworthy? Determining who or what is trustworthy is an ongoing activity of every organization, both global corporations and a family’s home network. In both cases, you offer trust to others on a conditional basis. This conditional trust changes over time based on adherence to or violation of desired and prescribed behaviors.

If a program causes problems, it loses your trust and you remove it from the system. If a user violates security, that person loses your trust and might have access privileges revoked. If a worker abides by the rules, your trust grows and privileges increase. If an Internet site does not cause harm, you deem it trustworthy and allow access to that site.

To review, trust is subjective, tentative, and changes over time. You can offer trust based on the reputation of a third party. You withhold trust when others violate the rules. Trust stems from actions in the past and can grow based on future behaviors.

In network security, trust is complex. Extending trust to others without proper background investigation can be devastating. A network is only as secure as its weakest link. You need to vet every aspect of a network, including software, hardware, configu- ration, communication patterns, content, and users, to maintain network security. Otherwise, you will not be able to accomplish the security objectives of your organiza- tion’s network.

What Are Security Objectives? Security objectives are goals an organization strives to achieve through its security efforts. Typically, organizations recognize three primary security objectives:

• Confidentiality/privacy • Integrity/nonrepudiation • Availability/uptime

Confidentiality is the protection against unauthorized access, while providing authorized users access to resources without obstruction. Confidentiality ensures that data is not intentionally or unintentionally disclosed to anyone without a valid need to know. A job description defines the person’s need to know. If a task does not require access to a specific resource, then that person does not have a need to know that resource.

Integrity is the protection against unauthorized changes, while allowing for authorized changes performed by authorized users. Integrity ensures that data remain consistent, both internally and externally. Consistent data do not change over time and remain in sync with the real world. Integrity also protects against accidents and hacker modification by malicious code, or software written with malicious intent.

Availability is the protection against downtime, loss of data, and blocked access, while providing consistent uptime, protecting data, and supporting authorized access to resources. Availability ensures that users can get their work done in a timely manner with access to the proper resources.

6 PART 1 | Foundations of Network Security

Authentication is the proof or verification of a user’s identity before granting access to a secured area. This can occur both on a network as well as in the physical, real world. While the most common form of authentication is a password, password access is also the least secure method of authentication. Multifactor authentication is the method most network administrators prefer for secure logon.

Authorization is controlling what users are allowed and not allowed to do. Authorization is dictated by the organization’s security structure, which may focus on discretionary access control (DAC), mandatory access control (MAC), or role-based access control (RBAC). Authorization restricts access based on need to know and users’ job descriptions. Authorization is also known as access control.

Nonrepudiation is the security service that prevents a user from being able to deny having performed an action. For example, nonrepudiation prevents a sender from denying having sent a message. Auditing and public-key cryptography commonly provide nonrepudiation services.

Privacy protects the confidentiality, integrity, and availability of personally identifiable or sensitive data. Private data often includes financial records and medical information. Privacy prevents the unauthorized watching and monitoring of users and employees.

Maintaining and protecting these security objectives can be a challenge. As with most difficult tasks, breaking security down into simpler or smaller components will help you to understand and ultimately accomplish this objective. To support security objectives, you need to know clearly what you are trying to protect.

What Are You Trying to Protect?

In terms of security, the things you want to protect are known as assets. An asset is anything used to conduct business. Any object, computer, program, piece of data, or other logical or physical component employees need to accomplish a task is an asset.

Assets do not have to be expensive, complicated, or large. In fact, many assets are relatively inexpensive, commonplace, and variable in size. But no matter the character- istics, an asset needs protection. When assets are unavailable for whatever reason, people can’t get their work done.

For most organizations, including SOHO (small office, home office) environments, the assets of most concern include business and personal data. If this information is lost, damaged, or stolen, serious complications result. Businesses can fail. Individuals can lose money. Identities can be stolen. Even lives can be ruined.

What causes these problems? What violates network security? The answer includes accidents, ignorance, oversight, and hackers. Accidents happen, including hardware failures and natural disasters. Poor training equals ignorance. Workers with the best of intentions damage systems if they don’t know proper procedures or lack necessary skills. Overworked and rushed personnel overlook issues that can result in asset compromise or loss. Malicious hackers can launch attacks and exploits against the network, seeking to gain access or just to cause damage.

CHAPTER 1 | Fundamentals of Network Security 7

1 Fundam

entals of N

etw ork Security

Hacking originally meant tinkering or modifying systems to learn and explore. However, the term has come to refer to malicious and possibly criminal intrusion into and manipulation of computers. In either case, a malicious or criminal hacker is a serious threat. Every network administrator should be concerned about hacking.

Some important aspects of security stem from understanding the techniques, methods, and motivations of hackers. Once you learn to think like a hacker, you may be able to anticipate future attacks. This enables you to devise new defenses before a hacker can successfully breach your organization’s network.

So how do hackers think? Hackers think along the lines of manipulation or change. They look into the rules to create new ways of bending, breaking, or changing them. Many successful security breaches have been little more than slight variations or viola- tions of network communication rules.

Hackers look for easy targets or overlooked vulnerabilities. Hackers seek out targets that provide them the most gain, often financial rewards. Hackers turn things over, inside out, and in the wrong direction. Hackers attempt to perform tasks in different orders, with incorrect values, outside the boundaries, and with a purpose to cause a reaction. Hackers learn from and exploit mistakes, especially mistakes of the network security professionals who fail to properly protect an organization’s assets.7-Domains of a Typical IT Infrastructure

User Domain

Workstation Domain

Computer

LAN Domain

Hub

Server

LAN-to-WAN Domain

Firewall

Router Firewall

Mainframe Application & Web Servers

Remote Access Domain

System/Application Domain

Computer

FIGURE 1-2

The seven domains of a typical IT infrastructure.

8 PART 1 | Foundations of Network Security

Why is thinking like a hacker critically important? A sixth century Chinese military strategist and philosopher, Sun Tzu, in his famous military text The Art of War, stated: “If you know the enemy and know yourself you need not fear the results of a hundred battles.” Once you understand how hackers think, the tools they use, their exploits, and the attack techniques they employ, you can create effective defenses to protect against them.

You’ve often heard that “the best defense is a good offense.” While this statement may have merit elsewhere, most network security administrators do not have the luxury— or legal right—to attack hackers. Instead, you need to turn this strategic phrase around: The best offense is a good defense. While network security administrators cannot legally or ethically attack hackers, they are fully empowered to defend networks and assets against hacker onslaughts.

Seven Domains of a Typical IT Infrastructure Hackers look for any and every opportunity to exploit a target. No aspect of an IT infra- structure is without risk, nor is it immune to the scrutiny of a hacker. When thinking like a hacker, analyze every one of the seven domains of a typical IT infrastructure (Figure 1-2) for potential vulnerabilities and weaknesses. Be thorough. A hacker needs only one crack in the protections to begin chipping away at the defenses. You need to find every possible breach point to secure it and harden the network.

The seven domains of a typical IT infrastructure are:

• User Domain—This domain refers to actual users, whether they are employees, consultants, contractors, or other third-party users. Any user who accesses and uses the organization’s IT infrastructure must review and sign an acceptable use policy (AUP) prior to being granted access to the organization’s IT resources and infrastructure.

• Workstation Domain—This domain refers to the end user’s desktop devices such as a desktop computer, laptop, VoIP telephone, or other endpoint device. Workstation devices typically require security countermeasures such as antivirus, anti-spyware, and vulnerability software patch management to maintain the integrity of the device.

• LAN Domain—This domain refers to the physical and logical local area network (LAN) technologies (i.e., 100Mbps/1000Mbps switched Ethernet, 802.11 family of wireless LAN technologies) used to support workstation connectivity to the organization’s network infrastructure.

• LAN-to-WAN Domain—This domain refers to the organization’s internetworking and interconnectivity point between the LAN and the WAN network infrastructures. Routers, firewalls, demilitarized zones (DMZ), and intrusion detection systems (IDS) and intrusion prevention systems (IPS) are commonly used as security monitoring devices in this domain.

CHAPTER 1 | Fundamentals of Network Security 9

1 Fundam

entals of N

etw ork Security

• Remote Access Domain—This domain refers to the authorized and authenticated remote access procedures for users to remotely access the organization’s IT infra- structure, systems, and data. Remote access solutions typically involve SSL-128 bit encrypted remote browser access or encrypted VPN tunnels for secure remote communications.

• WAN Domain—Organizations with remote locations require a wide area network (WAN) to interconnect them. Organizations typically outsource WAN connectivity from service providers for end-to-end connectivity and bandwidth. This domain typically includes routers, circuits, switches, firewalls, and equivalent gear at remote locations, sometimes under a managed service offering by the service provider.

• System/Application Domain—This domain refers to the hardware, operating system software, database software, client/server applications, and data that is typically housed in the organization’s data center and/or computer rooms.

The first step is recognizing that the potential for compromise exists throughout an organization. The next step is to comprehend the goals of network security.

Goals of Network Security

Network security goals vary from organization to organization. Often, however, they include a few common mandates:

• Ensure the confidentiality of resources • Protect the integrity of data • Maintain availability of the IT infrastructure • Ensure the privacy of personally identifiable data • Enforce access control • Monitor the IT environment for violations of policy • Support business tasks and the overall mission of the organization

Whatever your organization’s security goals are, to accomplish them, you need to write down those goals and develop a thorough plan to execute them. Without a written plan, security will be haphazard at best and will likely fail to protect your assets. With a written plan, network security is on the path to success. Once you define your security goals, these goals will become your organization’s roadmap for securing the entire IT infrastructure.

How Can You Measure the Success of Network Security?

An organization measures the security of its network by how well its stated security goals are accomplished and its security standards maintained. In essence, this becomes the organization’s baseline definition for information systems security. For example, if private information on the network does not leak to outsiders, then your efforts to maintain confi- dentiality were successful. Or, if employees are able to complete their work on time and on budget, then your efforts to provide system integrity protection were successful.

10 PART 1 | Foundations of Network Security

If violations take place that compromise your assets or prevent the accomplishment of a security goal, however, then network security was less than successful. But let’s face it, security is never perfect. In fact, even with well-designed and executed security, accidents, mistakes, and even intentional harmful exploits will dog your best efforts. The perfect security components do not exist. All of them have weaknesses, limitations, backdoors, work-arounds, programming bugs, or some other exploitable element.

Fortunately, though, successful security doesn’t rely on the installation of just a single defensive component. Instead, good network security relies on an interweaving of multiple effective security components. You don’t have just one lock on your house. By combining multiple protections, defenses, and detection systems, you can rebuff many common, easy hacker exploits.

Network security success is not about preventing all possible attacks or compromises. Instead, you work to continually improve the state of security so that in the future, the network is better protected than it was in the past. As hackers create new exploits, security professionals learn about them, adapt their methods and systems, and establish new defenses. Successful network security is all about constant vigilance, not creating an end product. Security is an ongoing effort that constantly changes to meet the challenge of new threats.

Why Are Written Network Security Policies Important?

A clearly written security policy establishes tangible goals. Without solid and defined goals, your security efforts would be chaotic and hard to manage. Written plans and procedures focus security efforts and resources on the most important tasks to support your organization’s overall security objectives.

A written security policy is a road map. With this map, you can determine whether your efforts are on track or going in the wrong direction. The plan provides a common reference against which security tasks are compared. It serves as a measuring tool to judge whether security efforts are helping rather than hurting the accomplishment of your organization’s security objectives.

With a written security policy, all security professionals strive to accomplish the same end: a successful, secure work environment. By following the written plan, you can track progress so that you install and configure all the necessary components. A written plan validates what you do, defines what you still need to do, and guides you on how to repair the infrastructure when necessary.

Without a written security policy, you cannot trust that your network is secure. Without a written security policy, workers won’t have a reliable guide on what to do, and judging security success will be impossible. Without a written policy, you have no security.

Planning for the Worst Things invariably go wrong. Users make mistakes. Malicious code finds its way into your network. Hackers discover vulnerabilities and exploit them. In anticipating problems that threaten security, you must plan for the worst.

CHAPTER 1 | Fundamentals of Network Security 11

1 Fundam

entals of N

etw ork Security

This type of planning has many names, including contingency planning, worst-case scenario planning, business continuity planning, disaster recovery planning, and contin- uation of operations planning. The name is not important. What’s crucial is that you do the planning itself.

When problems occur, shift into response gear: respond, contain, and repair. Respond to all failures or security breaches to minimize damage, cost, and downtime. Contain threats to prevent them from spreading or affecting other areas of the infra- structure. Repair damage promptly to return systems to normal status quickly and efficiently. Remember, the goals of security are confidentiality, integrity, and availability. Keep these foremost in mind as you plan for the worst.

The key purpose of planning for problems is to be properly prepared to protect your infrastructure. With a little luck, a major catastrophe won’t occur. But better to prepare and not need the response plan than to allow problems to cause your business to fail.

Who Is Responsible for Network Security?

Network security is the responsibility of everyone who uses the network. Within an organization, no one has the luxury of ignoring security rules. This applies to global corporations as well as home networks. Every person is responsible for understanding his or her role in supporting and maintaining network security. The weakest link rule applies here: If only one person fails to fulfill this responsibility, security for all will suffer.

Senior management has the ultimate and final responsibility for security. This is for good reason—senior management is the most concerned about the protection of the organization’s assets. Without the approval and support of senior management, no security effort can succeed. Senior management must ensure the creation of a written security policy that all personnel understand and follow.

Senior management also assigns the responsibility for designing, writing, and executing the security plan to the IT staff. Ideally, the result of these efforts is a secure network infrastructure. The security staff, in turn, must thoroughly manage all assets, system vulnerabilities, imminent threats, and pertinent defenses. Their task is to design, execute, and maintain security throughout the organization.

In their role as overseers of groups of personnel, managers and supervisors must ensure that employees have all the tools and resources to accomplish their work. Managers must also ensure that workers are properly trained in skills, procedures, policies, boundaries, and restrictions. Employees can mount a legitimate legal case against an organization that requires them to perform work for which they are not properly trained.

Network administrators manage all the organization’s computer resources. Resources include file servers, network access, databases, printer pools, and applications. The network administrator’s job is to ensure that resources are functional and available for users while enforcing confidentiality and network integrity.

An organization’s workers are the network users and operators. They ultimately do the work the business needs to accomplish. Users create products, provide services,

12 PART 1 | Foundations of Network Security

perform tasks, input data, respond to queries, and much more. Job descriptions may apply to a single user or a group of users. Each job description defines a user’s tasks. Users must perform these tasks within the limitations of network security.

Auditors watch for problems and violations. Auditors investigate the network, looking for anything not in compliance with the written security policy. Auditors watch the activity of systems and users to look for violations, trends toward bottlenecks, and attempts to perform violations. The information uncovered by auditors can help improve the security policy, adjust security configurations, or guide investigators toward appre- hending security violators.

All of these roles exist within every organization. Sometimes different individuals perform these roles. In other situations, a single person performs all of these roles. In either case, these roles are essential to the creation, maintenance, and improvement of security.

Examples of Network Infrastructures and Related Security Concerns

As you design a network, you need to evaluate every aspect in light of its security consequences. With limited budgets, personnel, and time, you must also minimize risk and maximize protection. Consider how each of the following network security aspects affects security for large corporations, small companies, and even home-based businesses.

Workgroups A workgroup is a form of networking in which each computer is a peer or equal. Peers are equal in how much power or controlling authority any one system has over the other members of the same workgroup. All workgroup members are able to manage their own local resources and assets, but not those of any other workgroup member.

Workgroups are an excellent network design for very small environments, such as home family networks or very small companies. In most cases, a workgroup comprises fewer than 10 computers and rarely contains more than 20 computers. No single rule dictates the size of a workgroup. Instead, the administrative overhead of larger workgroups encourages network managers to move to a client/server configuration.

Figure 1-3 shows a typical workgroup configuration. In this example, a switch inter- connects the four desktop workgroup members as well as an Internet connection device and a wireless access point. Additional clients can connect wirelessly via the access point or wired via a cable connecting to the switch.

Workgroups do not have a central authority that controls or restricts network activity or resource access. Instead, each individual workgroup member makes the rules and restrictions over resources and assets. The security defined for one member does not apply to nor affect any other computer in the workgroup.

CHAPTER 1 | Fundamentals of Network Security 13

1 Fundam

entals of N

etw ork Security

Due to system-by-system–based security, a worker or a workgroup member needs to have a user account defined on each of the other workgroup members to access resources on those systems. Each of these accounts is technically a unique user account, even if it is created by using the same characters for the username and password.

This results in either several unique user accounts with different names and different passwords or several unique user accounts with the same name and same password. In either case, security is poor. In the former case, the user must remember several sets of credentials. This often results in the user writing down the credentials. In the later case, an intruder need compromise only one set of credentials.

This lack of central authority is both a strength and weakness of workgroups. This characteristic is a strength in that each user of each computer can make his or her own choices about sharing resources with others. However, this is at the same time a weakness because of the inconsistent levels of access.

Workgroups are easy to create. Often, the default network configuration of operating systems is to be a member of a workgroup. A new workgroup is created by just defining a unique name on a computer. Once one computer names the workgroup, it now exists. Other computers become members of the new workgroup just by using the same name.

Seven Domains of a Typical IT Infrastructure

Cable Modem

L2 Switch

Workstation

WorkstationWorkstation

Workstation

Printer Wireless Router

LaptopLaptop

FIGURE 1-3

An example of a typical workgroup.

14 PART 1 | Foundations of Network Security

Since workgroups lack a central authority, anyone can join or leave a workgroup at any time. This includes unauthorized systems owned by rogue employees or external parties.

Most workgroups use only basic resource-share protections, fail to use encrypted protocols, and are lax on monitoring intrusions. While imposing some security on workgroups is possible, usually each workgroup member is configured individually. Fortunately, since workgroups are small, this does not represent a significant amount of effort.

SOHO Networks SOHO stands for small office, home office. SOHO is a popular term that describes smaller networks commonly found in small businesses, often deployed in someone’s home, garage, portable building, or leased office space. A SOHO environment can be a workgroup or a client/server network. Usually a SOHO network implies purposeful design with business and security in mind.

SOHO networks generally are more secure than a typical workgroup, usually because a manager or owner enforces network security. Security settings defined on each work- group member are more likely to be consistent when the workgroup has a security administrator. Additionally, SOHO networks are more likely to employ security tools such as antivirus software, firewalls, and auditing.

Client/Server Networks A client/server network is a form of network where you designate some computers as servers and others as clients. Servers host resources shared with the network. Clients access resources and perform tasks. Users work from a client computer to interact with resources hosted by servers. In a client/server network, access is managed centrally from the servers. Thus, consistent security is easily imposed across all network members.

Figure 1-4 shows a possible basic layout of a client/server network. In this example, three servers host the resources, such as printers, Internet connectivity, and file storage shared with the network. Both wired and wireless clients are possible. Switches interconnect all nodes. Client/server networks are more likely to use hardware or appliance firewalls.

Client/server networks also employ single sign-on (SSO). SSO allows for a single but stronger set of credentials per user. With SSO, each user must perform authentication to gain access to the client and the network. Once the user has logged on, access control manages resource use. In other words, client/server authentication with SSO is often more complex than workgroup authentication—but it’s more secure. Users only need to log on once, not every time they contact a resource host server.

Because of their complexity, client/server networks are invariably more secure than SOHO and workgroup networks. But complexity alone is not security. Instead, because they are more complex, client/server networks require more thorough design and planning. Security is an important aspect of infrastructure planning and thus becomes integrated into the network’s design.

CHAPTER 1 | Fundamentals of Network Security 15

1 Fundam

entals of N

etw ork Security

Client/server networks are not necessarily secure because you can deploy a client/ server network without any thought toward security. But most organizations understand that if they overlook network security, they are ensuring their ultimate technological downfall. Security is rarely excluded from the deployment process. And some networks are by nature more secure than others.

LAN Versus WAN LAN stands for local area network. A LAN is a network within a limited geographic area. This means that a LAN network is located in a single physical location rather than spread across multiple locations. Some LANs are quite large, while others are very small. A more distinguishing characteristic of a LAN is that all of the segments or links of a LAN are owned and controlled by one organization. A LAN does not contain or use any leased or externally owned connections.