CITS3002 Computer Networks  
prev
next CITS3002 help3002 CITS3002 schedule  

Security at Network Boundaries

Whereas many forms of network-based attacks can come from within our own LANs, the greatest opportunity is provided to an attacker who connects to the LAN from the wider Internet.

Attacks from the Internet can, of course, attempt to bypass the user- or system-level security of a single machine, or possibly undertake a denial-of-service attack on the LAN itself.

In general, we wish to develop security practices at the boundary between a LAN and the wider Internet, to constrain the types of network traffic that may cross the boundary.

Specifically, we would like to:

  • control network traffic based on both senders' and receivers' network (IP) address,
  • control network traffic based on requested services (IP ports),
  • not expose our LAN topology to the wider-Internet, hiding hostnames, addresses, and available services,
  • constrain some network traffic based on its content,
  • only permit internal access from remote users and services, based on their verified identities and (possibly) location, and
  • log all Internet connections, attempts, and (suspect?) traffic.

We may have political and administrative control of 'both ends' of a permitted connection, but require that connection's traffic to cross the 'unfriendly' Internet.

CITS3002 Computer Networks, Lecture 11, Security of TCP/IP, p15, 15th May 2024.