Author Archives: Admin

Server Virtualization

Server virtualization takes advantage of idle resources to reduce the number of servers required to provide services to users.

A special program called the hypervisor manages the physical resources and the VMs that share them. It allocates hardware such as CPUs, memory, disk controllers, and NICs among the VMs and mediates every access to it; each VM runs a complete, separate operating system. Because the hypervisor sits beneath every guest, it is the trust boundary between them: a guest that can break out of the hypervisor can reach every other VM on the host, so patching and hardening the hypervisor matters as much as patching the guests.

With virtualization, enterprises can consolidate servers. For example, it is not uncommon for 100 physical servers to be consolidated into virtual machines on 10 physical hosts running hypervisors. In the figure, the previous eight dedicated servers have been consolidated onto two hosts, each hypervisor supporting multiple virtual instances of the operating systems.

The figure displays the hypervisor structure on two servers. The hardware component is at the lowest level with the hypervisor on top of the hardware. Connected to the hypervisor are four instances of the operating system. For server 1 there are four instances of the Windows OS. On server 1, above the four instances of the Windows OS are services for Web Server, Email Server, SQL server and File server. For server 2 there are two instances of the Windows OS and two instances of a Linux OS. On server 2, above the two instances of the Windows OS are services for DHCP server and AD server. On server 2, above the two instances of the Linux OS are services Radius server and NMS server.

Client-Side Virtualization

Many organizations use server virtualization to optimize network resources and reduce equipment and maintenance costs. Organizations are also using client-side virtualization to enable users with specific needs to run VMs on their local computer.

Client-side virtualization is useful for IT staff, support technicians, software developers and testers, and for education. It gives users a way to try new operating systems and software, or to run older software that the host OS no longer supports. It can also be used as a sandbox: an isolated environment in which a suspicious file can be opened or run without touching the host. That isolation is only as strong as the VM's configuration, so a sandbox VM should have shared folders, shared clipboard, and network access disabled and should be reverted to a clean snapshot after each use.

Some terms that are used when discussing client-side virtualization include:

  • Host computer – This is the physical computer controlled by a user. VMs use the system resources of the host machine to boot and run an OS.
  • Host operating system (host OS) – This is the operating system of the host computer. A hypervisor such as VirtualBox runs on the host OS to create and manage VMs.
  • Guest operating system (guest OS) – This is the operating system that is running in the VM. Guest drivers or additions (for example, VirtualBox Guest Additions or Hyper-V integration services) are usually installed in the guest so that it can use the virtual hardware efficiently.

The guest OS is independent of the host OS. For example, the host OS could be Windows 10 while the VM has Windows 7 installed; Windows 7 is then the guest OS. In this example, the guest OS (Windows 7) does not interfere with the host OS (Windows 10) on the host computer.

Host and guest operating systems do not need to be of the same family. For example, the host OS could be Windows 10, while the guest OS is Linux. This is of benefit for users that need to increase the functionality of their host computer by running multiple operating systems at the same time.

The figure displays a logical virtual machine diagram. The bottom gray box represents the physical computer with its host OS (e.g., Windows 10). Hyper-V, Virtual PC, and VirtualBox are examples of virtualization software (hypervisors) that could be used to create and manage the three VMs shown at the top of the figure.

The figure on this page is a diagram that represents a logical virtual machine. Three boxes aligned horizontally are each labeled as, ‘Virtual Machine’. Each of the virtual machines contains two smaller boxes stacked vertically and labeled as, ‘Applications on Guest OS’ and ‘Guest OS’. Below the three virtual machines is a larger box the width of the three virtual machines. This box is labeled as, ‘Physical Machine’. The physical machine contains two smaller boxes, also the width of the three virtual machines, stacked vertically and labeled as, ‘Virtualization Software (Hyper-V, Virtual PC, VirtualBox, etc.)’ and ‘Host OS’. Below this is a label of physical machine.
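The sandbox use described above is only as good as the VM's configuration. The following script, added here as an example and not taken from the original page or from Microsoft's documentation, builds a throwaway Hyper-V VM for opening a suspicious file on a Windows 10/11 Pro host. It assumes Hyper-V is enabled, an elevated PowerShell session, and an existing base image at C:\VMs\base-win10.vhdx (a placeholder path); the VM name is arbitrary.

```powershell
# Added example (not part of the original page): a throwaway Hyper-V VM for
# detonating a suspicious file, with the host/guest channels that usually leak
# out of a sandbox turned off and a clean checkpoint to roll back to.
# Assumes Windows 10/11 Pro with Hyper-V enabled, an elevated session, and an
# existing installed image at C:\VMs\base-win10.vhdx (placeholder path).
#Requires -RunAsAdministrator
$name = 'Sandbox-Suspicious'
$base = 'C:\VMs\base-win10.vhdx'
$disk = "C:\VMs\$name.vhdx"

# Differencing disk: the VM writes to $disk, the base image is never modified
New-VHD -Path $disk -ParentPath $base -Differencing | Out-Null

# No -SwitchName: the VM's NIC is not connected to any virtual switch
New-VM -Name $name -Generation 2 -MemoryStartupBytes 4GB -VHDPath $disk | Out-Null
# Remove the adapter entirely so nobody can attach it to a switch later
Remove-VMNetworkAdapter -VMName $name
Set-VM -Name $name -AutomaticCheckpointsEnabled $false -CheckpointType Standard

# Cut the integration channels that let the guest push files/data to the host
'Guest Service Interface', 'Key-Value Pair Exchange' |
    ForEach-Object { Disable-VMIntegrationService -VMName $name -Name $_ }
# Enhanced Session Mode (clipboard and drive sharing over RDP) is a host-wide setting
Set-VMHost -EnableEnhancedSessionMode $false

# Clean baseline to return to after every sample
Checkpoint-VM -Name $name -SnapshotName 'clean'

function Reset-Sandbox {
    # Power off hard (no guest shutdown) and discard everything the sample did
    param([string] $VMName)
    Stop-VM -Name $VMName -TurnOff -Force
    Restore-VMCheckpoint -VMName $VMName -Name 'clean' -Confirm:$false
}

Start-VM -Name $name
# Transfer the sample in on an ISO rather than through a shared folder or clipboard:
#   Add-VMDvdDrive -VMName $name -Path 'C:\VMs\sample.iso'
# ... open or run the file inside the VM, observe, then:
# Reset-Sandbox -VMName $name
```

The integration services disabled here (file copy into the guest, key-value exchange) are the channels through which a compromised guest could interact with the host; the hypervisor itself remains a shared component, so keep the host patched. After detonation, Reset-Sandbox restores the clean checkpoint, or Remove-VM plus deleting the differencing disk discards the VM altogether.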

Cloud Computing and Virtualization

The terms “virtualization” and “cloud computing” are often used interchangeably although they mean different things.

Virtualization enables a single computer to host multiple independent virtual computers that share the host computer hardware. Virtualization software separates the actual physical hardware from the virtual machine (VM) instances. VMs have their own operating systems and connect to hardware resources through software running on the host computer. An image of a VM can be saved as a file and then be re-started when required.

It is important to remember that all the VMs share the resources of the host computer. Therefore, the limiting factor on the number of VMs that can run at the same time is directly related to the amount of processing power, memory, and storage.

Cloud computing separates the applications from the hardware. It provides organizations with on-demand delivery of computing services over the network. Service providers such as Amazon Web Services (AWS) own and manage the cloud infrastructure that includes the networking devices, servers, and storage devices and is usually housed in a data center.

Virtualization is the foundation which supports cloud computing. Providers such as AWS offer cloud services using powerful servers that can dynamically provision virtual servers as required.

Without virtualization, cloud computing, as it is most-widely implemented, would not be possible.

Traditional Server Deployment

To fully appreciate virtualization, it is first necessary to understand how servers are used in an organization.

Traditionally, organizations delivered applications and services to their users using powerful dedicated servers as shown in the figure. These Windows and Linux servers are high-end computers with large amounts of RAM, powerful processors, and multiple large storage devices. New servers are added if more users or new services are required.

Problems with the traditional server deployment approach include:

  • Wasted resources – This occurs when dedicated servers sit idle for long periods waiting until they are needed to deliver their specific service. Meanwhile, these servers waste energy.
  • Single point of failure – This occurs when a dedicated server fails or goes offline. There is no backup server to take over the service.
  • Server sprawl – This occurs when an organization does not have adequate space to physically house underutilized servers. The servers take up more space than is warranted by the services that they provide.

Virtualizing servers to use resources more efficiently addresses these problems.

The figure displays a traditional deployment with eight dedicated servers: a web server, email server, SQL server, LAN server, DHCP server, Active Directory server, AAA RADIUS server, and a network management server. The first six servers are Windows servers and the last two are Linux servers.

Hard Drive Recycling and Destruction

Companies with sensitive data should always establish clear policies for storage media disposal. There are two choices available when a storage media is no longer needed.

The media can either be:

  • Recycled – Hard drives that have been wiped can be reused in other computers. The drive can be reformatted and a new operating system installed. Two types of formatting can be performed, as described in the figure. Note that neither type of format is a substitute for wiping: a standard format rewrites the file system structures but leaves most of the old data on the platters, so wipe the drive (see Data Wiping Magnetic Media) before it leaves your control.
  • Destroyed – Destroying the hard drive fully ensures that data cannot be recovered from it. Specifically designed devices such as hard drive crushers, shredders, and incinerators can be used for large volumes of drives. Otherwise, physically damaging the drive with a hammer is effective, provided the platters themselves are bent or broken; for an SSD the flash chips must be destroyed, since damaging the board around them leaves the data intact.

A company may choose an outside contractor to destroy their storage media. These contractors are typically bonded and follow strict governmental regulations. They may also offer a certificate of destruction to provide evidence that the media has been completely destroyed.

The image describes the two types of formatting used when recycling a hard drive:
  • Low-level format – The surface of the disk is marked with sector markers identifying the tracks where data will be physically stored. Most often performed at the factory after the hard drive is assembled.
  • Standard format – Also called high-level formatting. The process creates a boot sector and a file system. A standard format can only be performed after a low-level format has been completed.

Securing a Computer

Computers and workstations should be secured from theft. Standard practice in a company is to keep servers and unattended computers in locked rooms.

To prevent unauthorized users from stealing or accessing local computers and network resources, lock your workstation, laptop, or server when you are not present. This includes physical security as well as password security.

If you must leave a computer in an open public area, cable locks should be used to deter theft.

Data displayed on your computer screen should also be protected. This is especially true when using a laptop in a public location such as an airport, coffee house, or customer site. Use a privacy screen to protect the information displayed on your laptop screen from prying eyes. A privacy screen is a clear plastic panel attached to the computer screen that only permits the user in front of the screen to see the information displayed.

Access to your computer must also be protected. There are three levels of password protection that can be used on a computer as described in the figure.

The image describes three types of password protection:
  • BIOS password – Prevents the computer from booting or the BIOS/UEFI settings from being changed without the password. It does not protect the data on the drive itself: a drive that is removed and attached to another computer can still be read unless it is encrypted.
  • Login password – Prevents unauthorized access to the local computer.
  • Network password – Prevents unauthorized personnel from accessing network resources.

Data Wiping Magnetic Media

Protecting data also includes removing files from storage devices when they are no longer needed. Simply deleting files or reformatting the drive may not be enough to ensure your privacy.

For example, deleting files from a magnetic hard disk drive does not remove them completely. The operating system removes the file's entry from the file system's index (the file allocation table on FAT, the master file table on NTFS) and marks its clusters as free, but the actual data remains on the drive. The deleted data is only overwritten when the drive stores new data in the same location.

Software tools can be used to recover folders, files, and even entire partitions. This could be a blessing if the erasure was accidental. But it could also be disastrous if the data is recovered by a malicious user.

For this reason, storage media should be fully erased using one or more of the methods listed in the figure.

Note: Data wiping and degaussing are irreversible; once done, the data cannot be recovered. Degaussing also destroys the servo tracks written at the factory, so a degaussed hard drive cannot be reused. Wiping software only protects you if it reaches every sector, including areas hidden by a host protected area (HPA) or device configuration overlay (DCO), so prefer tools that report what they wrote and verify afterwards.

The image describes three ways to wipe data from a hard disk drive:
  • Data wiping software – Also known as secure erase. Software tools specifically designed to overwrite existing data, often multiple times, rendering the data unreadable.
  • Degaussing wand – A wand with very powerful magnets that is held over exposed hard drive platters to disrupt or eliminate the magnetic field on the drive. The platters must be exposed to the wand for approximately 2 minutes.
  • Electromagnetic degaussing device – Useful for erasing multiple drives. Consists of a magnet with an electrical current applied to it to create a very strong magnetic field that disrupts or eliminates the magnetic field on a hard drive. Very expensive but fast (erases a drive in seconds).

Data Wiping Other Media

SSDs are built from flash memory instead of magnetic platters. Degaussing has no effect on flash, and overwriting is unreliable because the drive's wear levelling and over-provisioned spare area keep copies of blocks that the operating system cannot address. To ensure that data cannot be recovered from an SSD or hybrid drive, use the drive's own secure erase command (ATA Secure Erase or NVMe Sanitize, usually through the manufacturer's utility), or encrypt the drive from the start so that destroying the key (crypto-erase) is enough.

Other storage media (e.g., optical disks, eMMC, USB sticks) and paper documents must also be destroyed when they are no longer needed. Use a shredding machine or incinerator designed for documents and for each type of media. Sensitive documents that must be kept, such as those containing classified information or passwords, should always be locked in a secure location.

When thinking about what devices must be wiped or destroyed, remember that devices besides computers and mobile devices store data. Printers and multifunction devices may also contain a hard drive that caches printed or scanned documents. This caching feature can be turned off in some instances, or the device needs to be wiped on a regular basis to ensure data privacy. It is a good security practice to set up user authentication on the device, if possible, to prevent an unauthorized person from changing any settings that concern privacy.
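Overwriting is what the "data wiping software" entry in the figure does. As an added example that is not from the original page, the function below overwrites a single file in place on a magnetic drive and then deletes it, and the final command wipes the free space of the whole volume with cipher.exe, which ships with Windows. It assumes Windows 10/11 with PowerShell 5.1 or later; the path D:\Finance\old-ledger.xlsx and the drive letter D: are placeholders.

```powershell
# Added example (not part of the original page): overwrite a file in place
# before deleting it, then wipe the volume's free space so previously deleted
# files cannot be recovered either. Assumes Windows 10/11 with PowerShell 5.1+
# and a magnetic drive; D:\Finance\old-ledger.xlsx and D: are placeholders.
function Invoke-SecureFileDelete {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [int] $Passes = 3
    )
    $file   = Get-Item -LiteralPath $Path -ErrorAction Stop
    $length = $file.Length
    $rng    = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $buffer = New-Object byte[] (1MB)

    for ($pass = 1; $pass -le $Passes; $pass++) {
        # FileMode.Open (not Create/Truncate) so the writes land on the file's existing clusters
        $stream = [System.IO.FileStream]::new($file.FullName,
            [System.IO.FileMode]::Open, [System.IO.FileAccess]::Write, [System.IO.FileShare]::None)
        try {
            $remaining = $length
            while ($remaining -gt 0) {
                $chunk = [int][Math]::Min([long]$buffer.Length, $remaining)
                if ($pass -eq $Passes) { [Array]::Clear($buffer, 0, $chunk) }  # final pass: zeros
                else                   { $rng.GetBytes($buffer) }               # earlier passes: random
                $stream.Write($buffer, 0, $chunk)
                $remaining -= $chunk
            }
            $stream.Flush($true)   # flushToDisk: push the data through the OS cache to the device
        }
        finally { $stream.Dispose() }
    }
    # Overwrite the name in the directory index too, then remove the entry
    $newName = [System.IO.Path]::GetRandomFileName()
    Rename-Item -LiteralPath $file.FullName -NewName $newName
    Remove-Item -LiteralPath (Join-Path $file.DirectoryName $newName) -Force
}

Invoke-SecureFileDelete -Path 'D:\Finance\old-ledger.xlsx'

# Files deleted the ordinary way are still sitting in free space;
# cipher.exe /W overwrites all free space on the volume (0x00, 0xFF, then random).
cipher.exe '/W:D:\'
```

Two limits worth knowing: NTFS stores very small files (a few hundred bytes) inside the MFT record itself, where this overwrite does not reach, and copies can also survive in shadow copies, the page file, or hibernation files, so a whole-drive wipe before disposal is still required; and on an SSD the controller may write the new bytes to a different physical block, which is why the previous paragraphs point to the drive's own secure erase command instead.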

File and Folder Encryption

Encryption is often used to protect data. Encryption transforms data with an algorithm and a secret key so that it is unreadable to anyone without the key; the key (or, for public-key schemes, the matching private key) is needed to turn the unreadable ciphertext back into readable data. Software programs are used to encrypt files, folders, and even entire drives.

Encrypting File System (EFS) is a Windows feature that encrypts individual files and folders on NTFS volumes. EFS is tied to a specific user account: the file encryption key is protected with a certificate in that user's profile, so normally only the user who encrypted the data (plus any user they explicitly share the file with, or a data recovery agent the organization has configured) can read it afterwards. Two caveats: EFS is not available in Home editions, and an EFS file is silently decrypted when it is copied to a non-NTFS volume such as a FAT32 USB stick or attached to an email, so the protection applies only while the file sits on the NTFS volume. Back up the EFS certificate and private key; if the profile is lost or an administrator resets the password, the files become unreadable. To encrypt data using EFS, follow these steps:

Step 1. Select one or more files or folders.

Step 2. Right-click the selected data >Properties.

Step 3. Click Advanced…

Step 4. Select the Encrypt contents to secure data check box and click OK. Windows will display an informational message stating that it is applying attributes.

Step 5. Files and folders that have been encrypted with EFS are displayed in green, as shown in the figure.

The image shows a Windows File Explorer window with encrypted files and folders that have been encrypted with EFS are displayed in green.
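The same encryption can be applied from the command line, which is easier to script and to audit than the Properties dialog. The following is an added example, not from the original page; it uses cipher.exe, the EFS command-line tool included with Windows, assumes a Pro/Enterprise edition on an NTFS volume, and the paths under C:\Users\alice are placeholders.

```powershell
# Added example (not part of the original page): encrypt a folder with EFS from
# the command line, confirm the Encrypted attribute (the same thing Explorer
# shows in green), and back up the certificate and private key that EFS ties
# to the account. Assumes a Pro/Enterprise edition of Windows and an NTFS
# volume; the paths under C:\Users\alice are placeholders.
$target = 'C:\Users\alice\Secret'
New-Item -ItemType Directory -Path $target -Force | Out-Null
'quarterly numbers' | Set-Content -LiteralPath "$target\notes.txt"

# cipher.exe is the command-line front end for EFS: /E encrypts, /S:<dir> recurses
cipher.exe /E "/S:$target" | Out-Null

# Check the Encrypted attribute on every file under the folder
Get-ChildItem -LiteralPath $target -Recurse -File | ForEach-Object {
    $enc = ($_.Attributes -band [System.IO.FileAttributes]::Encrypted) -ne 0
    '{0,-45} encrypted={1}' -f $_.FullName, $enc
}

# /C lists which certificates (users and recovery agents) can decrypt a file
cipher.exe /C "$target\notes.txt"

# Export the EFS certificate and private key to a password-protected PFX.
# cipher prompts for the PFX password interactively; keep the file off this machine.
cipher.exe /X 'C:\Users\alice\efs-backup'
```

The exported .pfx is the only way to read the files again after a profile loss or an administrative password reset when no recovery agent was configured, so store it on separate media, not on the encrypted volume.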

Windows BitLocker and BitLocker To Go

You can also choose to encrypt an entire hard drive using a feature called BitLocker. To use BitLocker, at least two volumes must be present on a hard disk. A system volume is left unencrypted and must be at least 100 MB. This volume holds the files required by Windows to boot.

Note: BitLocker is built into the Windows Enterprise editions, Windows 7 Ultimate, Windows 8 Pro, and Windows 10 Professional.

Before using BitLocker, the Trusted Platform Module (TPM) must be enabled in BIOS. The TPM is a specialized chip installed on the motherboard. It stores information specific to the host computer, such as encryption keys, digital certificates, and passwords, and it records measurements of the boot components in its registers. Applications like BitLocker can use the TPM: BitLocker seals the volume key to those boot measurements, so the key is released only when the firmware, boot loader, and boot configuration have not been changed. (BitLocker can also be used on a computer without a TPM if Group Policy allows it, with a USB startup key or a password at boot instead.) Figure 1 lists the steps to enable TPM on a Lenovo laptop.

To turn on BitLocker full disk encryption in all versions of Windows, follow the steps listed in Figure 2.

Once the steps are completed, the Encryption in Progress status bar is displayed. After the computer reboots, you can verify BitLocker is active as shown in Figure 3. You can click TPM Administration to view the TPM details, as shown in Figure 4.

BitLocker encryption can also be used with removable drives by using BitLocker To Go. BitLocker To Go does not use a TPM chip, but still encrypts the data and requires a password (or a smart card) to unlock the drive.

The page has four figures.
Figure 1 lists the five steps to enabling the TPM:
  • Step 1. Start the computer and enter the BIOS configuration.
  • Step 2. Look for the TPM option within the BIOS configuration screens. Consult the manual for your motherboard to locate the correct screen.
  • Step 3. Choose Enable or Activate the security chip.
  • Step 4. Save the changes to the BIOS configuration.
  • Step 5. Reboot the computer.
Figure 2 lists the steps to enabling BitLocker:
  • Step 1. Click Control Panel > BitLocker Drive Encryption.
  • Step 2. On the BitLocker Drive Encryption page, click Turn On BitLocker on the operating system volume. (If the TPM is not initialized, follow the instructions provided by the wizard to initialize it.)
  • Step 3. The Save the recovery password page lets you save the password to a USB drive, to a network drive or other location, or print it. After saving the recovery password, click Next.
  • Step 4. On the Encrypt the selected disk volume page, select the Run BitLocker System Check check box and click Continue.
  • Step 5. Click Restart Now.
Figure 3 shows the BitLocker Drive Encryption window verifying that BitLocker is on. The window can be reached from the System and Security category view in the Control Panel.
Figure 4 shows that from the BitLocker Drive Encryption window you can click TPM Administration to view the TPM details.
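The same steps as Figure 2, driven from PowerShell with the BitLocker module that ships with Pro and Enterprise editions. This is an added example, not code from the original page: it assumes an elevated session, C: as the operating system volume, E: as a removable drive for BitLocker To Go, and D:\ as separate media for the recovery password; those drive letters and paths are placeholders.

```powershell
# Added example (not part of the original page): the Figure 2 procedure from an
# elevated PowerShell session. Assumes a Pro/Enterprise edition with the
# BitLocker module, C: as the OS volume, E: as a removable drive, and D:\ as
# separate media for the recovery password (all placeholders).
#Requires -RunAsAdministrator
Import-Module BitLocker

# 1. Confirm the TPM is present and ready before relying on it (Figure 1's result)
$tpm = Get-Tpm
if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
    throw 'TPM is not present or not ready: enable it in firmware setup, or use a startup key instead.'
}

# 2. Create the recovery password first and save it off the machine (Figure 2, Step 3)
$vol      = Add-BitLockerKeyProtector -MountPoint 'C:' -RecoveryPasswordProtector
$recovery = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
$recovery.RecoveryPassword | Out-File -FilePath 'D:\bitlocker-recovery-C.txt'
# In a domain, escrow it centrally instead of to a file:
#   Backup-BitLockerKeyProtector -MountPoint 'C:' -KeyProtectorId $recovery.KeyProtectorId

# 3. Turn on encryption with the TPM as the unlock mechanism (Steps 2, 4 and 5).
#    -SkipHardwareTest skips the reboot-and-verify the wizard performs.
#    Add -UsedSpaceOnly on a fresh install; omit it for a drive that has already held data.
Enable-BitLocker -MountPoint 'C:' -EncryptionMethod XtsAes256 -TpmProtector -SkipHardwareTest

# 4. Verify (Figure 3): ProtectionStatus becomes On once encryption completes
Get-BitLockerVolume -MountPoint 'C:' |
    Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus, KeyProtector

# 5. BitLocker To Go: a password-protected removable drive, no TPM involved
$pw = Read-Host -AsSecureString -Prompt 'Password for the removable drive'
Enable-BitLocker -MountPoint 'E:' -EncryptionMethod XtsAes256 -PasswordProtector -Password $pw
Add-BitLockerKeyProtector -MountPoint 'E:' -RecoveryPasswordProtector | Out-Null
```

The recovery password is created before encryption starts and written to separate media, matching Step 3 of the figure; on the first machine of a new hardware model, omit -SkipHardwareTest so the system check confirms that the TPM releases the key correctly at boot before the drive is fully encrypted.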

Data Backups

Backing up data is one of the most effective ways of protecting against data loss. A data backup stores a copy of the information on a computer to removable backup media that can be kept in a safe place. If the computer hardware fails, the data can be restored from the backup to functional hardware.

Data backups should be performed on a regular basis as identified in the security policy. Backups are usually stored offsite to protect the backup media if anything happens to the main facility. Windows includes a backup and restore utility that users can use to back up their data to another drive or to a cloud-based storage provider; macOS includes the Time Machine utility for backup and restore.

The image describes four data backup considerations:
  • Frequency – Perform backups on a regular basis as identified in the security policy. Full backups can be time-consuming, so perform monthly or weekly full backups with frequent partial backups of changed files.
  • Storage – Transport backups to an approved offsite storage location on a daily, weekly, or monthly rotation, as required by the security policy. Keep at least one copy offline or otherwise write-protected so that malware on the host (ransomware in particular) cannot encrypt or delete the backups along with the originals.
  • Security – Protect backups with strong passwords and encryption; the password is required to restore data.
  • Validation – Always validate backups to ensure the integrity of the data, and test the file restoration procedure; a backup that has never been restored is an untested assumption.
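A backup that has not been verified may not restore. The script below is an added example, not part of the original page; it mirrors a folder to backup media with robocopy (included with Windows), records a SHA-256 manifest, and checks the copy against it, which is the validation step from the figure. It assumes Windows PowerShell 5.1 or later; C:\Users\alice\Documents and E:\Backup are placeholder paths, with E: as the removable backup drive.

```powershell
# Added example (not part of the original page): mirror a user's data to backup
# media, write a SHA-256 manifest, and validate the backup against it.
# Assumes Windows with robocopy.exe; C:\Users\alice\Documents and E:\Backup are
# placeholder paths.
$source   = 'C:\Users\alice\Documents'
$backup   = 'E:\Backup\Documents'
$manifest = 'E:\Backup\Documents.sha256'

function New-BackupManifest {
    param([string] $Root, [string] $ManifestPath)
    # One line per file: <sha256><TAB><path relative to $Root>
    Get-ChildItem -LiteralPath $Root -Recurse -File | ForEach-Object {
        $hash = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        $rel  = $_.FullName.Substring($Root.Length).TrimStart('\')
        "$hash`t$rel"
    } | Set-Content -LiteralPath $ManifestPath -Encoding UTF8
}

function Test-BackupManifest {
    param([string] $Root, [string] $ManifestPath)
    $failures = @()
    foreach ($line in Get-Content -LiteralPath $ManifestPath) {
        $expected, $rel = $line -split "`t", 2
        $path = Join-Path $Root $rel
        if (-not (Test-Path -LiteralPath $path)) { $failures += "MISSING  $rel"; continue }
        $actual = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        if ($actual -ne $expected) { $failures += "MODIFIED $rel" }
    }
    return ,$failures   # empty array: every file present and byte-for-byte identical
}

# /MIR mirrors the tree (deletions included), /FFT tolerates FAT timestamp granularity,
# /R:2 /W:5 limits retries on locked files; robocopy exit codes of 8 or more mean failures
robocopy $source $backup /MIR /FFT /R:2 /W:5 /NP '/LOG:E:\Backup\robocopy.log' | Out-Null
if ($LASTEXITCODE -ge 8) { throw "robocopy reported failures (exit code $LASTEXITCODE); see the log" }

# Hash the source after the copy; files that changed in between show up as MODIFIED
New-BackupManifest -Root $source -ManifestPath $manifest

$problems = Test-BackupManifest -Root $backup -ManifestPath $manifest
if ($problems.Count -eq 0) { "Backup of $source validated against $manifest" }
else { $problems | ForEach-Object { Write-Warning $_ } }
```

Keep the manifest with the backup set; re-running Test-BackupManifest against the media months later is a cheap way to detect silent corruption before a restore is needed, and running it against a test restore location exercises the restoration procedure itself.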

File and Folder Permissions

Permissions are rules you configure to limit folder or file access for an individual or for a group of users. The figure lists the permissions that are available for files and folders.

To configure file- or folder-level permissions in all versions of Windows, right-click the file or folder and select Properties > Security > Edit…

Users should be limited to only the resources they need in a computer or on a network. For example, they should not be able to access all files on a server if they only need access to a single folder. It may be easier to provide users access to the entire drive, but it is more secure to limit access to only the folder that is needed to perform their job. This is known as the principle of least privilege. Limiting access to resources also prevents malicious programs from accessing those resources if the user’s computer becomes infected.

Folder redirection allows a user with administrative privileges to redirect the path of a local folder to a folder on a network share. This makes the folder’s data available to the user when they log into any computer on the network where the network share is located. With user data redirected from local to network storage, administrators can back up the user data when the network data folders are backed up.

File and network share permissions can be granted to individuals or through membership in a group. Share permissions are different from NTFS file and folder permissions: share permissions apply only to access over the network, while NTFS permissions apply both locally and over the network, and a user's effective access to a shared folder is the more restrictive of the two. If an individual or a group is denied permission to a network share, that denial overrides any other permission the user has been given; the user cannot access the share even if the user is an administrator or a member of the Administrators group. The local security policy must outline which resources each user and group may access and the type of access allowed.

When the permissions of a folder are changed, you are given the option to apply the same permissions to all sub-folders. This is known as permission propagation. Permission propagation is an easy way to apply permissions to many files and folders quickly. After parent folder permissions have been set, folders and files that are created inside the parent folder inherit the permissions of the parent folder.

Also, the location of the data and the action performed on the data determine how the permissions are propagated:

  • Data is moved to the same volume – It will keep the original permissions
  • Data is copied to the same volume – It will inherit new permissions
  • Data is moved to a different volume – It will inherit new permissions
  • Data is copied to a different volume – It will inherit new permissions

The image lists the NTFS file and folder permissions and what they allow:
  • Full Control – See the contents of a file or folder; change and delete existing files and folders; create new files and folders; run programs in a folder; and, unlike the permissions below, change permissions and take ownership.
  • Modify – Read, change, and delete existing files and folders, create new files and folders, and run programs. Modify includes Read & Execute and Write; what it lacks compared with Full Control is the ability to change permissions or take ownership.
  • Read and Execute – See the contents of existing files or folders and run programs in a folder.
  • Read – See the contents of a folder and open files and folders.
  • Write – Create new files and folders and make changes to existing files and folders.
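The permissions in the figure and the propagation rules above, as an added example rather than code from the original page: the script uses Get-Acl and Set-Acl to give a single group Modify (not Full Control) on one folder with inheritance from the parent cut off, then moves one file and copies another into that folder so the difference in inherited permissions can be seen. It assumes an elevated session, an NTFS volume D:, an existing group CORP\Payroll-Users, and the placeholder folders D:\Shares\Payroll and D:\Shares\Archive.

```powershell
# Added example (not part of the original page): least-privilege NTFS permissions
# on a folder, then a check of how moved and copied files pick up permissions.
# Assumes an NTFS volume D:, an existing group CORP\Payroll-Users, and the
# placeholder folders D:\Shares\Payroll and D:\Shares\Archive; run elevated.
#Requires -RunAsAdministrator
$folder  = 'D:\Shares\Payroll'
$archive = 'D:\Shares\Archive'
New-Item -ItemType Directory -Path $folder, $archive -Force | Out-Null

$acl = Get-Acl -LiteralPath $folder
# Stop inheriting from D:\Shares and discard the inherited entries
# ($true = protect from inheritance, $false = do not keep copies of the inherited rules)
$acl.SetAccessRuleProtection($true, $false)
foreach ($rule in $acl.Access) { $null = $acl.RemoveAccessRule($rule) }

$flags = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$none  = [System.Security.AccessControl.PropagationFlags]::None
$grants = @(
    @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
    @{ Id = 'CORP\Payroll-Users';     Rights = 'Modify' }   # edit files, but cannot change the ACL or owner
)
foreach ($g in $grants) {
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
        -ArgumentList $g.Id, $g.Rights, $flags, $none, 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -LiteralPath $folder -AclObject $acl

# The resulting explicit entries (IsInherited is False for all of them)
(Get-Acl -LiteralPath $folder).Access |
    Format-Table IdentityReference, FileSystemRights, IsInherited -AutoSize

# Propagation check: per the rules above, a file moved within the same volume keeps
# the ACL it had in Archive, while a copied file inherits Payroll's ACL.
'x' | Set-Content -LiteralPath "$archive\moved.txt"
'x' | Set-Content -LiteralPath "$archive\copied.txt"
Move-Item -LiteralPath "$archive\moved.txt"  -Destination "$folder\moved.txt"
Copy-Item -LiteralPath "$archive\copied.txt" -Destination "$folder\copied.txt"
foreach ($name in 'moved.txt', 'copied.txt') {
    $ids = (Get-Acl -LiteralPath "$folder\$name").Access.IdentityReference.Value -join ', '
    '{0,-12} {1}' -f $name, $ids
}
```

Granting Modify rather than Full Control is the practical form of least privilege on a share: users can do their work but cannot widen access for others. The moved file still carries Archive's inherited entries until its ACL is next edited, which is why a security review of a share should look at files, not just folders.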

Securing Computers and Network Hardware

Organizations must protect their computing and network infrastructure. This includes cabling, telecommunication equipment, and network devices.

There are several methods of physically protecting computer and networking equipment as listed in the figure.

Network equipment should only be installed in secured areas. All cabling should also be enclosed within conduits or routed inside walls to prevent unauthorized access or tampering. Conduit is a casing that protects the infrastructure media from damage and unauthorized access.

Access to physical switch ports and switch hardware should be restricted to authorized personnel by using a secure server room and locking hardware cabinets. To prevent rogue or unauthorized client devices from being attached, unused switch ports should be administratively shut down through the switch management software, and ports that must stay active can be restricted with port security (limiting the MAC addresses allowed) or 802.1X port-based authentication.

Factors that determine the most effective security equipment to use to secure equipment and data include:

  • How the equipment is used
  • Where the computer equipment is located
  • What type of user access to data is required

For instance, a computer in a busy public place, such as a library, requires additional protection from theft and vandalism. In a busy call center, a server may need to be secured in a locked equipment room. Server locks can provide physical chassis security by preventing access to power switches, removable drives, and USB ports. Where it is necessary to use a laptop computer in a public place, a security dongle and key fob ensure that the computer locks if the user and laptop are separated. Another tool for physical security is the USB lock which is locked into place in a USB port and requires a key to be removed.

Security policies can be applied to mobile devices in a corporate network through Mobile Device Management software. MDM software can manage corporate-owned devices and Bring Your Own Device (BYOD). The software logs use of devices on the network and determines if it should be allowed to connect, known as onboarding, or not based on administrative policies.

The image shows a door with a security keypad entrance. Below the image is a list of best practices for securing the computing and network infrastructure:
  • Use webcams with motion-detection and surveillance software.
  • Install physical alarms triggered by motion-detection sensors.
  • Label and install RFID sensors on equipment.
  • Use locking cabinets or security cages around equipment.
  • Fit equipment with security screws.
  • Keep telecommunication rooms locked.
  • Use cable locks with equipment.

Data – Your Greatest Asset

Data is likely to be an organization's most valuable asset. Organizational data can include research and development data, sales data, financial data, human resource and legal data, employee data, contractor data, and customer data.

Data can be lost or damaged in circumstances such as theft, equipment failure, or a disaster. Data loss describes data that is lost, stolen, or leaked, whether intentionally or not; data exfiltration specifically describes data being deliberately transferred out of the organization, typically by an attacker or a malicious insider.

Data Loss

Data loss can negatively affect an organization in multiple ways as listed in Figure 1. Losing data regardless of circumstances can be detrimental or even catastrophic to an organization.

Data can be protected from data loss using the methods listed in Figure 2.

Data loss prevention (DLP) aims to prevent data loss or leakage. DLP software uses a dictionary of sensitive terms, pattern matching (for example, for card or account numbers), or document fingerprinting to identify confidential data, and blocks the transfer of that data to removable media or email when the transfer does not conform to the predefined policy.

The page has two figures. Figure 1 lists what data loss can result in:
  • Brand damage / loss of reputation
  • Loss of competitive advantage
  • Loss of customers
  • Loss of revenue
  • Legal action resulting in fines and civil penalties
  • Significant cost and effort to notify affected parties
  • Significant cost and effort to recover from the breach
Figure 2 (Mitigating Data Loss) is a Venn diagram in which Protecting Data is the intersection of Data Backups, File and Folder Permissions, and File and Folder Encryption.
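To make the "dictionary database or algorithm" concrete, the following added example (not taken from the original page or from any DLP product) implements a small outbound content check: a keyword dictionary, a pattern match for card numbers validated with the Luhn checksum so that random digit strings are not flagged, a US SSN pattern, and a policy that blocks matches only when the recipient is outside the corp.example domain (a placeholder). The sample messages are constructed for the example.

```powershell
# Added example (not part of the original page): a minimal content inspection
# check of the kind DLP software runs before allowing a file or email out.
# The dictionary, the corp.example domain and the sample messages are all
# constructed for this example.
function Test-LuhnChecksum {
    # Standard Luhn mod-10 check used by payment card numbers
    param([string] $Digits)
    $sum = 0; $double = $false
    for ($i = $Digits.Length - 1; $i -ge 0; $i--) {
        $d = [int][string]$Digits[$i]
        if ($double) { $d *= 2; if ($d -gt 9) { $d -= 9 } }
        $sum += $d; $double = -not $double
    }
    return ($sum % 10) -eq 0
}

function Find-SensitiveContent {
    param([string] $Text)
    $findings = @()
    # Dictionary of classification markers; in a real product this comes from policy
    $dictionary = 'CONFIDENTIAL', 'INTERNAL ONLY', 'PAYROLL', 'SSN'
    foreach ($term in $dictionary) {
        if ($Text -match [regex]::Escape($term)) { $findings += "keyword:$term" }   # -match is case-insensitive
    }
    # 13-19 digit runs with optional spaces/dashes, confirmed with the Luhn check
    foreach ($m in [regex]::Matches($Text, '\b(?:\d[ -]?){12,18}\d\b')) {
        $digits = $m.Value -replace '[ -]', ''
        if (Test-LuhnChecksum $digits) { $findings += 'card:' + $digits.Substring(0, 6) + '******' }
    }
    # US SSN shape; only the last four digits are kept in the finding
    foreach ($m in [regex]::Matches($Text, '\b\d{3}-\d{2}-\d{4}\b')) {
        $findings += 'ssn:***-**-' + $m.Value.Substring(7)
    }
    return ,$findings
}

function Test-OutboundAllowed {
    # Policy: sensitive content may go to internal recipients; external transfer is blocked
    param([string] $Text, [string] $Destination)
    $hits     = @(Find-SensitiveContent $Text)
    $external = $Destination -notlike '*@corp.example'
    [pscustomobject]@{
        Destination = $Destination
        Findings    = $hits
        Blocked     = ($external -and $hits.Count -gt 0)
    }
}

# Constructed sample messages
$ok   = 'Lunch is at noon on Friday. Ref 1234 5678 9012 3456.'                      # fails Luhn: no card hit
$leak = 'CONFIDENTIAL payroll export attached. Card 4111 1111 1111 1111 on file.'  # keyword x2 + valid card
Test-OutboundAllowed $ok   'bob@partner.example'   # Blocked = False, no findings
Test-OutboundAllowed $leak 'bob@partner.example'   # Blocked = True
Test-OutboundAllowed $leak 'hr@corp.example'       # internal recipient: allowed, findings still reported
```

The Luhn check is what keeps the false-positive rate tolerable: the 16-digit reference number in the first message fails it and is ignored, while 4111 1111 1111 1111 passes. Real products add document fingerprinting and exact-data matching on top of this, but the block-or-allow decision has the same shape.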

Securing Devices and Data

The goal of the security policy is to ensure a safe network environment and to protect assets. As shown in the figure, an organization’s assets include their data, employees, and physical devices such as computers and network equipment.

The security policy should identify hardware and equipment that can be used to prevent theft, vandalism, and data loss.

The image depicts a pie chart divided into 3 equal parts: Data, Employees, and Equipment (Hardware)

Physical Security

Physical security is as important as data security. For example, if a computer is taken from an organization, the data on it is stolen along with it or, worse, lost for good.

Physical security involves securing:

  • Access to an organization’s premises
  • Access to restricted areas
  • The computing and network infrastructure

The level of physical security implemented depends on the organization as some have higher physical security requirements than others.

For example, consider how data centers, airports, or even military installations are secured. These organizations use perimeter security including fences, gates, and checkpoints posted with security guards.

Entrance to a building's premises and to restricted areas is secured using one or more locking mechanisms. Building doors typically use self-closing and self-locking mechanisms. The type of locking mechanism required varies with the level of security required.

A visitor accessing a secure building may have to pass through a security checkpoint staffed by security guards. They may scan you and your belongings, and have you sign an entry control roster when you enter the building and sign out when you leave.

Higher security organizations have all employees wear identification badges with photographs. These badges could be smart cards containing the user information and security clearance to access restricted areas. For additional security requirements, RFID badges can also be used with proximity badge readers to monitor the location of an individual.

The image shows a man holding up a security smart card RFID badge to a proximity badge reader to enter the door’s security entrance.


In high-security environments, mantraps are often used to limit access to restricted areas and to prevent tailgating. A mantrap is a small room with two doors, one of which must be closed before the other can be opened.

Typically, a person enters the mantrap by unlocking one door. Once inside the mantrap, the first door closes and then the user must unlock the second door to enter the restricted area.

The figure illustrates how a mantrap is used to secure access to a restricted area.


The image is of a Mantrap Floorplan which consists of an insecure (public) area, there is a locked door with a smart card scanner to enter the mantrap, inside there is a locked door with a biometric scanner to a secure internal area. The user must enter the building using a smart card to open the locked door to the mantrap. Once the user successfully enters the mantrap, the first door locks and they must now unlock the next door using the biometric reader. The user must have their thumbprint scanned to unlock the locked door to the secure internal area.

Social Engineering

To secure networks and hosts, organizations often deploy the network security solutions and latest anti-malware solutions for their hosts. However, they still have not addressed the weakest link … the users.

Social engineering is likely the single most serious threat to a well-configured and well-secured network.

Cybercriminals use social engineering techniques to deceive unsuspecting targets into revealing confidential information or violating security procedures. Social engineering is an access attack that attempts to manipulate individuals into performing actions or divulging confidential information.

Social engineers prey on people’s weaknesses and often rely on human nature and people’s willingness to be helpful.

Note: Social engineering is often used in conjunction with other network attacks.

The image depicts a pointing finger highlighting a button on a digital screen titled Social Engineering.

Social Engineering Techniques

There are many different ways to use social engineering techniques. Some social engineering techniques are used in-person while others may use the telephone or Internet.

For example, a hacker could call an authorized employee with an urgent problem that requires immediate network access. The hacker could appeal to the employee’s vanity, invoke authority using name-dropping techniques, or appeal to the employee’s greed.

Protecting Against Social Engineering

Enterprises must train and educate their users about the risks of social engineering, and develop strategies to validate identities over the phone, via email, or in person.

The figure lists recommended practices that should be followed by all users.

The image is a circle of text bubbles surrounding the main concept: Protecting against social engineering attacks. Never give your username / password credentials to anyone. Never leave your username / password credentials where they can easily be found. Never open emails from untrusted sources. Never release work related information on social media sites. Never re-use work related passwords. Always lock or sign out of your computer when unattended. Always report suspicious individuals. Always destroy confidential information according to the organization policy.


The following two terms are commonly used to describe when a threat is detected:

  • Zero-day – Sometimes also referred to as a zero-day attack, zero-day threat, or zero-day exploit. A zero-day vulnerability is one the vendor has had zero days to fix: day zero is the day the vendor first learns of it, which may be the same day it is already being exploited. The term refers to the amount of time the vendor has had to address the vulnerability.
  • Zero-hour – The moment at which the exploit is discovered.

A network remains vulnerable between the zero-day and the time it takes a vendor to develop a solution.


In the example in the figure, a software vendor has learned of a new vulnerability. The software can be exploited until a patch that addresses the vulnerability is made available. Notice that in the example, it took several days and a few software patch updates to mitigate the threat.

How can networks be protected against all of the threats and zero-day attacks?

The image is a timeline of the response to a zero-day attack. The timeline starts with a vendor software vulnerability being discovered which starts the timeline at the zero day and zero hour. Day 16, the first patch is released and a security advisory is issued by the vendor. Day 17, the second patch is released and the vendor software is patched. Day 18 the third patch is released.

Protecting Against Network Attacks

Many network attacks are fast moving, therefore, network security professionals must adopt a more sophisticated view of the network architecture. There is no one solution to protect against all TCP/IP or zero-day attacks.

One solution is to use a defense-in-depth approach also known as a layered approach to security. This requires a combination of networking devices and services working together in tandem.

Consider the network in the figure. There are several security devices and services implemented to protect its users and assets against TCP/IP threats.

All network devices including the router and switches are also hardened as indicated by the combination locks on their respective icons. This indicates that they have been secured to prevent attackers from tampering with the devices.

The image is a topology diagram of a campus area network showing a defense-in-depth approach to network security. The diagram has five interactive buttons giving more information about the important security devices in the network:
  • VPN edge router – Provides secure VPN services to other corporate sites and remote-access support for remote users over encrypted tunnels.
  • ASA firewall – A dedicated appliance providing stateful firewall services. It ensures that internal hosts can initiate connections outward and receive the replies, but external hosts cannot initiate connections to inside hosts.
  • Intrusion prevention system (IPS) – Monitors incoming and outgoing traffic for malware, network attack signatures, and more. If it recognizes a threat, it can stop it immediately.
  • Email security appliance (ESA) and web security appliance (WSA) – The ESA filters spam and suspicious emails; the WSA blocks known and suspicious malware sites on the internet.
  • Authentication, Authorization, and Accounting (AAA) server – Holds a secure database of who is authorized to access and manage network devices. Network devices authenticate administrative users against the AAA server and its database.