Community of interest (computer security)

Last updated November 10, 2024

Community of interest (COI or CoI) is a means in which network assets and or network users are segregated by some technological means for some established purpose. COIs are a strategy that fall under the realm of computer security which itself is a subset of security engineering. Typically, COIs are set up to protect a network infrastructure from a group or groups of users who are performing some esoteric functions. COIs are also designed to protect their user community from the rest of the enclave user population. Not only does this refer to the simplicity of the network, but it also includes a group of people that come together on different social networks to share data. There are multiple examples such as Wikipedia, Facebook, Blogs, YouTube, and many more where people come together as a community of interest to work together towards a common goal, learn from each other, critique, and share ideas. These users and group of people are separated into categories and segregated into logical groups. There can be professional groups, health groups that include people interested in specific diets, business groups, self-start up groups, and so many other countless categories. A COI is a group of professionals and advisors that share business insights, technical expertise, challenges, and perspectives.^[1]

Definition

A COI can be defined as a logical or physical grouping of network devices or users with access to information that should not be made available to the general user population on a LAN or WAN infrastructure. A COI can be used to provide multiple levels of protection for a LAN or WAN infrastructure from the activities within a COI. A COI can consist of a logical perimeter around the community (or enclave). It can allow for separate security management and operational direction. COI's generally do not dictate separate internal security policies (e.g., password policies, etc.) because they fall under the jurisdiction and management of the LAN or WAN owners. However, they can and often do have a laxed subset of the overall Network security policy. The terms "Segregation Mechanism" and "Security Mechanism" for the purposes of this article are interchangeable. The COI segregates in order to achieve security.

A distinction between the CoP's and the CoI's

A CoP may operate with any of the following attributes:

Some sponsorship
A vision and/or mission statement
Goals and/or objectives
A core team and/or general membership
Expected outcomes and/or impacts
Measures of success
Description of operating processes
Assumptions and/or dependencies
Review and/or reflection

Often CoIs span similar organizations (e.g., DoD, particularly when there is a common interest in an outcome).

Individual members may be expected to:

Support the CoP through participation and review/validation of products
Attempt to wear the "one hat" associated with the CoP while maintaining the integrity and autonomy of their individual organizations.
Participate voluntarily with the blessing of their organizations that determine their level of participation and investment.^[2]

COI Types and Mechanisms
Segregation Mechanism	Cost	Description
MS Active Directory	Low	Provides logical separation in the form of group formations utilizing MS Active Directory controls.
VLAN	Medium	Provides logical separation and network layer 2 separation (see the OSI model for more information). Virtual Local Area Networks are usually constructed on the network switches which connect devices together.
Router	High	Provides physical device separation, while maintaining a desired level of communication with the rest of the LAN or WAN infrastructure.
Firewall	High	Provides physical device separation much like the router separation but adds the added security benefits of firewall components like ACLs, proxies, SPI.
VPN	High	Provides physical device separation and support for multiple sites, which have no communication with the LAN or WAN infrastructure. A VPN device adds the ability to encrypt all data from the COI to others sites thus providing another layer of protection.
Complete Physical Separation	Very High	Provides highest level of separation through complete physical separation of COIs. Very high cost because network resources cannot be leveraged against.

Security mechanisms

COI security requirements can range in sophistication from simple network file shares to an interconnection of physically separate sites that are connected via dedicated communication circuits. COI security mechanisms and the respective basic characteristics are identified in the Table. These security mechanisms may be utilized individually and in combinations to provide the requisite security for each COI. COI architecture can overlay the existing LAN or WAN architecture in order to maximize the use of existing resources and to provide the required COI separation in the most efficient manner.^[3]

COIs that require additional dedicated physical resources (e.g., dedicated router, VPN and firewalls devices) are usually more complex in nature and expensive to operate because of the added network devices and the personnel to operate and manage them. They also add the benefit of more security utilizing the defense in depth approach. A COI does not necessarily imply a physical separation of the infrastructure, but can do so.

Construction

A standard approach to COI segregation can be through the use of group policies if the LAN or WAN infrastructure utilizes the Microsoft Windows operating system utilizing the Active Directory service. Additional dedicated COI boundary security components such as a router, VPN, firewall, and IDS can be provided depending upon the requirement needs of a COI. COIs can be designed and deployed by employing the security mechanisms that are listed in the Table. Typically each individual COI may have unique characteristics and requirements. The security mechanisms listed above are the basic building blocks in the construction of all COIs.

Related Research Articles

Frame Relay is a standardized wide area network (WAN) technology that specifies the physical and data link layers of digital telecommunications channels using a packet switching methodology. Originally designed for transport across Integrated Services Digital Network (ISDN) infrastructure, it may be used today in the context of many other network interfaces.

Virtual private network (VPN) is a network architecture for virtually extending a private network across one or multiple other networks which are either untrusted or need to be isolated.

In computer security, a DMZ or demilitarized zone is a physical or logical subnetwork that contains and exposes an organization's external-facing services to an untrusted, usually larger, network such as the Internet. The purpose of a DMZ is to add an additional layer of security to an organization's local area network (LAN): an external network node can access only what is exposed in the DMZ, while the rest of the organization's network is protected behind a firewall. The DMZ functions as a small, isolated network positioned between the Internet and the private network.

Internet security is a branch of computer security. It encompasses the Internet, browser security, web site security, and network security as it applies to other applications or operating systems as a whole. Its objective is to establish rules and measures to use against attacks over the Internet. The Internet is an inherently insecure channel for information exchange, with high risk of intrusion or fraud, such as phishing, online viruses, trojans, ransomware and worms.

A Windows domain is a form of a computer network in which all user accounts, computers, printers and other security principals, are registered with a central database located on one or more clusters of central computers known as domain controllers. Authentication takes place on domain controllers. Each person who uses computers within a domain receives a unique user account that can then be assigned access to resources within the domain. Starting with Windows Server 2000, Active Directory is the Windows component in charge of maintaining that central database. The concept of Windows domain is in contrast with that of a workgroup in which each computer maintains its own database of security principals.

An overlay network is a computer network that is layered on top of another network. The concept of overlay networking is distinct from the traditional model of OSI layered networks, and almost always assumes that the underlay network is an IP network of some kind.

<span class="mw-page-title-main">LogMeIn Hamachi</span> Virtual private network application

LogMeIn Hamachi is a virtual private network (VPN) application developed and released in 2004 by Alex Pankratov. It is capable of establishing direct links between computers that are behind network address translation (NAT) firewalls without requiring reconfiguration. Like other VPNs, it establishes a connection over the Internet that emulates the connection that would exist if the computers were connected over a local area network (LAN).

strongSwan is a multiplatform IPsec implementation. The focus of the project is on authentication mechanisms using X.509 public key certificates and optional storage of private keys and certificates on smartcards through a PKCS#11 interface and on TPM 2.0.

Wireless security is the prevention of unauthorized access or damage to computers or data using wireless networks, which include Wi-Fi networks. The term may also refer to the protection of the wireless network itself from adversaries seeking to damage the confidentiality, integrity, or availability of the network. The most common type is Wi-Fi security, which includes Wired Equivalent Privacy (WEP) and Wi-Fi Protected Access (WPA). WEP is an old IEEE 802.11 standard from 1997. It is a notoriously weak security standard: the password it uses can often be cracked in a few minutes with a basic laptop computer and widely available software tools. WEP was superseded in 2003 by WPA, a quick alternative at the time to improve security over WEP. The current standard is WPA2; some hardware cannot support WPA2 without firmware upgrade or replacement. WPA2 uses an encryption device that encrypts the network with a 256-bit key; the longer key length improves security over WEP. Enterprises often enforce security using a certificate-based system to authenticate the connecting device, following the standard 802.11X.

A home network or home area network (HAN) is a type of computer network that facilitates communication among devices within the close vicinity of a home. Devices capable of participating in this network, for example, smart devices such as network printers and handheld mobile computers, often gain enhanced emergent capabilities through their ability to interact. These additional capabilities can be used to increase the quality of life inside the home in a variety of ways, such as automation of repetitive tasks, increased personal productivity, enhanced home security, and easier access to entertainment.

A computer network is a set of computers sharing resources located on or provided by network nodes. Computers use common communication protocols over digital interconnections to communicate with each other. These interconnections are made up of telecommunication network technologies based on physically wired, optical, and wireless radio-frequency methods that may be arranged in a variety of network topologies.

Split tunneling is a computer networking concept which allows a user to access dissimilar security domains like a public network and a local area network or wide area network at the same time, using the same or different network connections. This connection state is usually facilitated through the simultaneous use of a LAN network interface controller (NIC), radio NIC, Wireless LAN (WLAN) NIC, and VPN client software application without the benefit of an access control.

CyberCIEGE is a serious game designed to teach network security concepts. Its development was sponsored by the U.S. Navy, and it is used as a training tool by agencies of the U.S. government, universities and community colleges.

In computing, a firewall is a network security system that monitors and controls incoming and outgoing network traffic based on predetermined security rules. A firewall typically establishes a barrier between a trusted network and an untrusted network, such as the Internet.

Software-defined networking (SDN) is an approach to network management that uses abstraction to enable dynamic and programmatically efficient network configuration to create grouping and segmentation while improving network performance and monitoring in a manner more akin to cloud computing than to traditional network management. SDN is meant to improve the static architecture of traditional networks and may be employed to centralize network intelligence in one network component by disassociating the forwarding process of network packets from the routing process. The control plane consists of one or more controllers, which are considered the brains of the SDN network, where the whole intelligence is incorporated. However, centralization has certain drawbacks related to security, scalability and elasticity.

SoftEther VPN is free open-source, cross-platform, multi-protocol VPN client and VPN server software, developed as part of Daiyuu Nobori's master's thesis research at the University of Tsukuba. VPN protocols such as SSL VPN, L2TP/IPsec, OpenVPN, and Microsoft Secure Socket Tunneling Protocol are provided in a single VPN server. It was released using the GPLv2 license on January 4, 2014. The license was switched to Apache License 2.0 on January 21, 2019.

<span class="mw-page-title-main">Endian Firewall</span> Linux distribution

Endian Firewall is an open-source router, firewall and gateway security Linux distribution developed by the South Tyrolean company Endian. The product is available as either free software, commercial software with guaranteed support services, or as a hardware appliance.

Endpoint security or endpoint protection is an approach to the protection of computer networks that are remotely bridged to client devices. The connection of endpoint devices such as laptops, tablets, mobile phones, and other wireless devices to corporate networks creates attack paths for security threats. Endpoint security attempts to ensure that such devices follow compliance to standards.

A secure access service edge (SASE) is technology used to deliver wide area network (WAN) and security controls as a cloud computing service directly to the source of connection rather than a data center. It uses cloud and edge computing technologies to reduce the latency that results from backhauling all WAN traffic over long distances to one or a few corporate data centers, due to the increased movement off-premises of dispersed users and their applications. This also helps organizations support dispersed users.

Computer network engineering is a tech discipline within engineering that deals with the design, implementation, and management of computer networks. These systems form the backbone of modern digital communication and consist of both physical components, such as routers, switches, and cables, and logical elements, such as protocols and network services. Computer network engineers ensure that data is transmitted efficiently, securely, and reliably over both local area networks (LANs) and wide area networks (WANs), as well as the broader Internet.

References

↑ "Join a Community of Interest | NCCoE". nccoe.nist.gov. Retrieved 2017-06-02.
↑ "Communities of Interest and/or Community of Practice". The MITRE Corporation. 2013-08-28.
↑ Russell, Deborah (1991). Computer Security Basics . O'Reilly Media, Inc. pp. 12. ISBN 9780937175712.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Join a Community of Interest | NCCoE". nccoe.nist.gov. Retrieved 2017-06-02.

[2] "Communities of Interest and/or Community of Practice". The MITRE Corporation. 2013-08-28.

[3] Russell, Deborah (1991). Computer Security Basics . O'Reilly Media, Inc. pp. 12. ISBN 9780937175712.

[1]

[2]

[3]