Ask the Experts

Ask the Experts

Enterprise network security

• Remote access audit: Assessing remote desktop access software

  Is your remote desktop access software really secure? Randall Gamby offers advice for conducting a remote access audit to validate security.  Continue Reading

• Network perimeter security: How to audit remote access services

  Matt Pascucci discusses the best tools to audit Internet-facing remote access services and boost network perimeter security.  Continue Reading

• Secure remote access best practices: Guidelines for the enterprise

  Remote access threats are on the rise. Use expert Randall Gamby's secure remote access best practices to help users make good security decisions.  Continue Reading

• Network topology mapping: How to automate network documentation

  Network topology mapping to boost security can be time-consuming. Learn how to automate network documentation with network management tools.  Continue Reading

• UTM devices: Efficient security or a firewall failure risk?

  UTM devices provide more protection than a simple firewall, but do they increase the risk of an enterprise firewall failure?  Continue Reading

• The switch to HTTPS: Understanding the benefits and limitations

  Expert Mike Cobb explains the value and limitations of HTTPS, and why making the switch to HTTPS may be easier than it seems.  Continue Reading

• Use Telnet alternative SSH to thwart Telnet security risks

  The inherently insecure Telnet protocol shouldn’t be used on modern networks. Learn why and what to use in its place.  Continue Reading

• Is it possible to prevent DDoS attacks?

  A distributed denial-of-service (DDoS) attack can consume all your network bandwidth. Learn how to prevent a DDoS attack in this expert response.  Continue Reading

• BIOS management best practices: BIOS patches and BIOS updates

  Amid growing concern over BIOS threats, expert Mike Cobb discusses how organizations should manage BIOS patches and BIOS updates.  Continue Reading

• Firewall network security: Thwarting sophisticated attacks

  Firewall network security is still a critical part of securing an enterprise. Learn what sophisticated attacks a firewall can effectively prevent.  Continue Reading

• How to bolster BIOS security to prevent BIOS attacks

  BIOS attacks can be thwarted by implementing NIST guidelines for BIOS security.  Continue Reading

• How DHCP works and the security implications of high DHCP churn

  Learn about the potential problems with high DHCP churn and whether it should be a concern to your organization.  Continue Reading

• How secure is a VPN? Exploring the most secure remote access methods

  Virtual private networks are a common means of providing remote access, but expert Mike Chapple addresses whether it is the most secure option available.  Continue Reading

• Network security metrics: Basic network security controls assessment

  Get advice on how to devise appropriate network security metrics for your enterprise from expert Mike Chapple.  Continue Reading

• PCI Requirement 12.8.2: When is client compliance necessary?

  Find out whether the PCI 12.8.2 requirement forces an organization working with a payment card merchant to become compliant.  Continue Reading

• Is laptop remote wipe needed for effective laptop data protection?

  Expert Michael Cobb explains how laptop remote wipe technology can ease data loss fears, but shouldn’t be solely relied upon.  Continue Reading

• How MAC and HMAC use hash function encryption for authentication

  Hash function encryption is the key for MAC and HMAC message authentication. See how this differs from other message authentication tools from expert Michael Cobb.  Continue Reading

• How to set up SFTP automation for FTP/DMZ transfer

  Transferring files from a DMZ to an internal FTP server can be risky. In this expert response, Anand Sastry explains how to use SFTP automation to lock it down.  Continue Reading

• Locate IP address location: How to confirm the origin of a cyberattack

  What's the best way to determine the origin of a cyberattack? Expert Nick Lewis weighs in.  Continue Reading

• How to set up a site-to-site VPN to coexist with a DMZ

  When setting up a site-to-site VPN, where should the VPN endpoint be in the DMZ? Learn more in this expert response.  Continue Reading

• How to find a real IP address using proxy server logs

  While using proxy server logs to identify the real IP address of an attacker using a proxy server is technically easy, there are other difficulties along the way. Expert Mike Chapple explains.  Continue Reading

• Guidance on dual-homed server security

  Learn more about how a dual-homed server operates, and what security restrictions it entails in this expert response from Anand Sastry.  Continue Reading

• How to monitor network traffic: Appliance placement and choke points

  Monitoring network traffic is crucial, but where's the best place to put network monitoring tools? Expert Anand Sastry gives advice.  Continue Reading

• Managing remote workers: Musts for setting up a secure home network

  Is it the enterprise's responsibility to ensure that remote workers' home networks are secure? And, if so, how should they do it? Get expert advice from Nick Lewis.  Continue Reading

• How to use Wget commands and PHP cURL options for URL retrieval

  When TCP or HTTP connections aren't behaving as expected, free tools like Wget and cURL can help with URL retrieval. Learn more in this expert response from Anand Sastry.  Continue Reading

• What to include in a remote access audit

  When conducting a remote access audit, there are specific questions you should be sure to ask to make sure everything is secure. In this expert response, Randall Gamby describes what to look for.  Continue Reading

• Will biometric authentication devices integrate with in-house software?

  Biometric devices may provide an added level of security, but how much effort is required to integrate them with existing software and systems, particularly those systems custom made for an organization? Learn more in this expert response from ...  Continue Reading

• Secure OpenVPN config with PAM

  Network security expert Anand Sastry explains the relationship between OpenVPN and TLS, and points out where to learn about using OpenVPN and PAM.  Continue Reading

• Secure DMZ Web server setup advice

  Network security expert Anand Sastry describes how to ensure a secure DMZ Web server setup involving network attached storage (NAS).  Continue Reading

• Biometric security technology: The safest types of biometric devices

  Expert Randall Gamby explains which biometrics devices are most secure, and which could work best in your enterprise.  Continue Reading

• How to defend against a sync flood attack

  Nick Lewis explains how to protect your organization from sync flood attacks.  Continue Reading

• Proxy server security: Defending against DoS and other attacks

  In this expert response, find out how to boost proxy server security in the enterprise.  Continue Reading

• Is an SMTP TLS certificate the same as an FTP SSL certificate?

  Are all security transportation-level certificates (TLSes) the same, or are there different certificates for different protocols? In this expert response, Randall Gamby discusses SMTP and FTP certificates.  Continue Reading

• Can secure FTP services protect sensitive data from hackers?

  Does secure FTP services protect against hackers and attacks? In this expert response, Michael Cobb explains why using a secure FTP service is vital for handling sensitive data transfers.  Continue Reading

• How to set up a split-tunnel VPN in Windows Vista

  Setting up a split-tunnel VPN in Vista can help quicken network flow in the enterprise. In this expert response, Mike Chapple explains the steps to create a split-tunnel VPN.  Continue Reading

• What is the difference between static and dynamic network validation?

  Network data analysis is essential to understanding the security configuration of your network. But what is the difference between static data validation and dynamic data validation? Find out in this expert response.  Continue Reading

• Securing the intranet with remote access VPN security

  Connecting remote offices with the main branch can be done many ways, but for those companies looking at tightly securing their intranet, they may need to consider remote access with VPN security. Learn more in this expert response.  Continue Reading

• How to manage network bandwidth with distributed ISP bandwidth

  As enterprises grow, demand for bandwidth can increase exponentially. In this expert answer, Mike Chapple explains different techniques for managing network bandwidth with ISP distribution.  Continue Reading

• How to securely connect a LAN POS to a remote point-of-sale device

  Looking to connect your LAN POS securely to your remote point-of-sale device? Mike Chapple, network security expert, explains how to use encryption and a VPN to lock down this connection.  Continue Reading

• A short enterprise VPN deployment guide

  When deploying a VPN in your enterprise, first check out this guide for some basic best practices, including how to define authentication requirements for the VPN and create a written user access policy.  Continue Reading

• What is the difference between a VPN and remote control?

  Mike Chapple reviews VPNs, remote controls, and how the two security technologies can be used in tandem.  Continue Reading

• What are the disadvantages of proxy-based firewalls?

  Network security expert Mike Chapple explains why he strongly recommends the use of proxy-based firewalls.  Continue Reading

• Should enterprises be running multiple firewalls?

  While there may be scenarios where a single firewall is an appropriate architecture for an organization, it's equally true that many environments may benefit from the use of more than one network device  Continue Reading

• What are best practices for fiber optic cable security?

  Mike Chapple compares the security of fiber optic cables to copper ones.  Continue Reading

• Creating an SSL connection between servers

  Learn the most secure way to create and SSL connection between servers with this advice from network security expert Mike Chapple.  Continue Reading

• Comparing an application proxy firewall and a gateway server firewall

  There are many types of firewalls in use in today's enterprises, so it's easy to get confused about the functions of each. In this expert response, learn the difference between a proxy server firewall and a gateway server firewall.  Continue Reading

• How to set up a DMZ

  Looking to set up a DMZ? Look no further. In this expert response, Mike Chapple explains the steps to creating a demilitarized zone.  Continue Reading

• How to implement PCI network segmentation

  When trying to comply with PCI DSS, network segmentation can be a tricky subject. In this expert response, Mike Chapple explains how to separate payment system's credit card processing functionality from the rest of an enterprise network.  Continue Reading

• Can S/MIME, XML and IPsec operate in one protocol layer?

  It is possible to build security systems that reside within a single layer of the OSI model, but why limit yourself?  Continue Reading

• How to configure firewall ports for webmail system implementation

  Network security expert Mike Chapple explains why he always recommends placing any server accessible from the Internet into the DMZ.  Continue Reading

• How to create a secure network through a shared Internet connection

  When setting up a corporate network through a shared Internet connection, security is of paramount importance. Learn best practices for creating this kind of network from expert Mike Chapple.  Continue Reading

• What security software should be installed on Internet café computers?

  The security provided by many Internet cafes and other similar public access points has greatly improved over the last few years. But that's no substitute for due diligence on the part of users, says expert Michael Cobb.  Continue Reading

• How to secure SSL following new man-in-the-middle SSL attacks

  Man-in-the-middle SSL attacks at Black Hat D.C. exposed a flaw in the https structure, so how can you avoid such an attack at your enterprise? Find out in Mike Chapple's expert response.  Continue Reading

• What is the best operating system for an FTP server implementation?

  When it comes to recommending an operating system for a task such as hosting an FTP server, expert Michael Cobb says it depends on what in-house expertise you have.  Continue Reading

• When should a database application be placed in a DMZ?

  Mike Chapple explains the best network location for an important database application. Chapple also reveals the appropriate level of access to grant remote users.  Continue Reading

• Comparing FTP vs. TFTP

  There are some differences between FTP and TFTP, but here's the catch: both are inherently insecure protocols.  Continue Reading

• Front-end/back-end firewalls vs. chassis-based firewalls

  Network security expert Mike Chapple explores the different characteristics of devices using a front-end/back-end topology and chassis-based firewalls.  Continue Reading

• How to configure a firewall to communicate with an upstream router

  When incorprating a new firewall product, configuration problems can occur between the network device and the router. Mike Chapple reviews some common implementation problems.  Continue Reading

• What firewall controls should be placed on the VPN?

  The level of control you place on VPN traffic should be at least as strong as the level of control you place on traffic from similar users on your corporate network. Network expert Mike Chapple explains which firewall controls are necessary.  Continue Reading

• What OSI Layer 4 protocol does FTP use to guarantee data delivery?

  What OSI Layer 4 protocol does FTP use to guarantee data delivery?  Continue Reading

• What are 'phlashing' attacks?

  Phlashing attacks target network devices and other hardware systems that rely upon firmware to contain their operating systems. Network security expert Mike Chapple explains why the threat is more than theoretical.  Continue Reading

• What firewall features will best protect a LAN from Internet hack attacks and malware?

  In the case of a small network, the necessary firewall doesn't need to be anything complicated. Network security expert Mike Chapple reviews the key features of the network device.  Continue Reading

• The top LAN security issues in a client-server network environment

  In this SearchSecurity.com Q&A, network security expert Mike Chapple lays out four of the biggest LAN security threats.  Continue Reading

• How will many firewalls serving as the default gateway affect the DMZ?

  If you attempt to have multiple firewalls connected to the same network segment, all serving as the default gateway, routing problems will ensue. Network security expert Mike Chapple explains.  Continue Reading

• Comparing access control mechanisms and identity management techniques

  In the IAM world, what's the difference between access control and identity management. This IAM expert response explains how the two relate as well as some best practices for both access control mechanisams and identity management.  Continue Reading

• Can software tools automate the server hardening process?

  Michael Cobb explores the Windows Server 2003 Hardening Guide and how you can tighten the security on your servers.  Continue Reading

• Could someone place a rootkit on an internal network through a router?

  If a hacker gains control of a router and then uploads a new configuration opening ports up for communication, it may be possible to place a rootkit on the internal network. In this IAM expert response, learn how this attack might happen, and how to...  Continue Reading

• Allowing select access to IP addresses using Windows Server 2003

  Switching from Zone Alarm 2000 to Windows Server 2003, a SearchSecurity.com reader asks expert Mike Chapple how to limit inbound connections.  Continue Reading

• Should iPhone email be sent without SSL encryption?

  SSL encrypts all of the communication between your iPhone and your mail server. Network security expert Mike Chapple explains how important that feature really is.  Continue Reading

• Which is a more secure data access technology: SPAN or TAP?

  When monitoring traffic on a network, which is the best tool to use? Network security expert Mike Chapple gives advice.  Continue Reading

• Which operating system can best secure an FTP site?

  In this expert Q&A, platform security expert Michael Cobb explains how a secure FTP protocol can improve websites and Web services.  Continue Reading

• Should a domain controller be placed within the DMZ?

  When creating an Active Directory network, is it necessary to place domain controllers in the DMZ? Network security expert Mike Chapple explains.  Continue Reading

• What ports should be opened and closed when IPsec filters are used?

  In this SearchSecurity.com Q&A, application security expert Michael Cobb explains how to set up separate branch IPsec filters that connect with a head office.  Continue Reading

• If one server in a DMZ network gets attacked from outside, will the other servers be corrupted?

  An attack to a DMZ server is a big security risk. But does it necessarily mean that other servers are infected? Network security expert Mike Chapple weighs in.  Continue Reading

• How to secure an FTP connection

  Network security expert Mike Chapple offers three tips that enable an FTP connection without opening up an enterprise to security risks.  Continue Reading

• DMVPN configuration: Should a firewall be between router and Internet?

  Cisco's Dynamic Multipoint VPN (DMVPN) product allows the configuration of site-to-site VPNs across WAN connections. Security expert Mike Chapple explains how a firewall fits into this particular network setup.  Continue Reading

• How to protect DNS servers

  The DNS database is the world's largest distributed database, but unfortunately, DNS was not designed with security in mind. Application security expert Michael Cobb explains how to keep a DNS server from being hijacked.  Continue Reading

• How should the ipseccmd.exe tool be used in Windows Vista?

  Ipseccmd is a command-line tool for displaying and managing IPsec policy and filtering rules. Expert Michael Cobb explains how to get the scripting utility to work with Vista.  Continue Reading

• Can Trojans and other malware exploit split-tunnel VPNs?

  The beauty of split tunneling is that an enterprise doesn't need to provide the general Internet access point for a VPN user. Mike Chapple, however, also explains why split-tunnel VPNs provide a false sense of security.  Continue Reading

• What are the risks of connecting a Web service to an external system via SSL?

  Security pro Joel Dubin discusses the risks associated with SSL connections, and offers advice on how to avoid them.  Continue Reading

• Open source vs. commercial network access control (NAC) products

  There are now a number of free and open source network access control (NAC) products, but how do they stack up against the commercial options? Network professional Mike Chapple reviews the free alternatives, but also warns readers that a "stepping ...  Continue Reading

• A security checklist: How to build a solid DMZ

  As part of his monthly response to readers, Mike Chapple provides a list of security add-ons that no DMZ should be without.  Continue Reading

• What to consider before opening a port

  Recently, a reader asked network expert Mike Chapple, "What would be the security implications of opening six ports through a firewall?" Chapple reviews what questions need to be addressed before an organization exposes any network ports.  Continue Reading

• Does Teredo present security risks to the enterprise?

  Teredo allows internal networks to transition to IPv6, interconnecting them through their NAT devices and across the IPv4 Internet. Ed Skoudis explains why this function isn't as innocent as it seems.  Continue Reading

• How to prevent hackers from accessing your router security password

  In this Q&A, Joel Dubin unveils the best practices for protecting a router security password from compromise.  Continue Reading

• Comparing proxy servers and packet-filtering firewalls

  In the world of security, judging proxy servers and packet-filtering firewalls together is like comparing apples and oranges. But that won't stop network security expert Mike Chapple from giving such comparisons a try.  Continue Reading

• Will FTP ever be a secure way to transfer files?

  A SearchSecurity.com member asks our network security expert Mike Chapple: Is the File Transfer Protocol a secure way to transfer files? As one of his many monthly responses to readers, Chapple reveals a better alternative to FTP.  Continue Reading

• Is it possible to identify a fake wireless access point?

  A network's identity is easy to fake. If you're looking for proof of a valid access point, Mike Chapple reveals some secure wireless options.  Continue Reading

• Why does Skype connect to so many servers?

  Skype is a peer-to-peer service that uses a distributed network of "supernodes" to facilitate communication throughout the world. But is it safe to have so many "volunteer" connections? Mike Chapple explains.  Continue Reading

• What are the dangers of Web-based remote access systems?

  Identity management and access control expert Joel Dubin discusses the security risk associated with using Web-based remote access systems, such as LogMeIn and GoToMyPC.  Continue Reading

• How expensive are IPsec VPN setup costs?

  Although IPsec VPN tunnels tend to be fairly low maintenance, their setup and maintenance costs can quickly mount, depending on an enterprise's equipment. In this expert Q&A, Mike Chapple reveals how much enterprises can expect to pay on a new ...  Continue Reading

• What is the relationship between open port range and overall risk?

  Exposing a large number of well-known ports could be a substantial risk, depending upon their nature. In this expert Q&A, Mike Chapple explains why it may be best to narrow down a port range.  Continue Reading

• Will iptables screen UDP traffic?

  UDP is a connectionless protocol that can't be screened using strict stateful inspection. However, most modern firewalls, including iptables, treat UDP in the same manner as a connection-oriented protocol. Mike Chapple explains the process in this ...  Continue Reading

• Will deploying VoIP on an 802.1x network create security problems?

  Voice over IP telephony is beginning to replace traditional PBX in the enterprise. In this expert Q&A, Mike Chapple explains how the popular VoIP technology has its own unique security implications.  Continue Reading

• Should a router be placed between the firewall and DMZ?

  Modern firewalls have the ability to serve as a router, negating the need of another device on a network. There are exceptions to this router rule, however. Network security expert Mike Chapple explains.  Continue Reading

• How does SSL 'sit' between the network layer and application layer?

  SSL is neither a network layer protocol nor an application layer protocol. In this SearchSecurity.com Q&A, Michael Cobb explains how SSL "sits" between both layers.  Continue Reading

• Will log-in form data posted to an SSL page always be encrypted?

  If a Web page login form is not SSL-protected, but the login data is posted to an SSL page, is the information encrypted and safe? Not at all, says Michael Cobb in this SearchSecurity.com Q&A.  Continue Reading

• Is it safe to use remote access tools to grant system access?

  In this SearchSecurity.com Q&A, security expert Joel Dubin discusses remote access tools and examines whether or not these products can have negative effects.  Continue Reading

• What evaluation criteria should be used when buying a firewall?

  Choosing a firewall for the enterprise isn't always easy. In this expert Q&A, Mike Chapple provides three important points to consider before deciding on a product.  Continue Reading

• Creating a personal digital certificate

  In this SearchSecurity.com expert Q&A, identity management and access control pro Joel Dubin discusses the pros and cons associated with creating a personal digital certificate.  Continue Reading