Community of interest (computer security)


A community of interest (COI or CoI) is a means by which network assets and/or network users are segregated by some technological means for some established purpose. COIs are a strategy that falls under the realm of computer security, which itself is a subset of security engineering. Typically, COIs are set up to protect a network infrastructure from a group or groups of users who are performing some esoteric functions. COIs are also designed to protect their user community from the rest of the enclave user population.

The term refers not only to the network itself; it also includes groups of people who come together on different social networks to share data. There are multiple examples, such as Wikipedia, Facebook, blogs, YouTube, and many more, where people come together as a community of interest to work towards a common goal, learn from each other, critique, and share ideas. These users and groups of people are separated into categories and segregated into logical groups. There can be professional groups, health groups that include people interested in specific diets, business groups, self-start-up groups, and countless other categories. A COI is a group of professionals and advisors that share business insights, technical expertise, challenges, and perspectives. [1]


Definition

A COI can be defined as a logical or physical grouping of network devices or users with access to information that should not be made available to the general user population on a LAN or WAN infrastructure. A COI can be used to provide multiple levels of protection for a LAN or WAN infrastructure from the activities within a COI. A COI can consist of a logical perimeter around the community (or enclave). It can allow for separate security management and operational direction. COIs generally do not dictate separate internal security policies (e.g., password policies) because they fall under the jurisdiction and management of the LAN or WAN owners. However, they can and often do have a more lax subset of the overall network security policy. The terms "segregation mechanism" and "security mechanism" are interchangeable for the purposes of this article: the COI segregates in order to achieve security.

A distinction between CoPs and CoIs

A CoP may operate with any of the following attributes:

Often CoIs span similar organizations (e.g., DoD, particularly when there is a common interest in an outcome).

Individual members may be expected to:

COI Types and Mechanisms

| Segregation Mechanism | Cost | Description |
|---|---|---|
| MS Active Directory | Low | Provides logical separation in the form of group formations utilizing MS Active Directory controls. |
| VLAN | Medium | Provides logical separation and network layer 2 separation (see the OSI model for more information). Virtual Local Area Networks are usually constructed on the network switches which connect devices together. |
| Router | High | Provides physical device separation, while maintaining a desired level of communication with the rest of the LAN or WAN infrastructure. |
| Firewall | High | Provides physical device separation much like the router separation but adds the security benefits of firewall components like ACLs, proxies, SPI. |
| VPN | High | Provides physical device separation and support for multiple sites, which have no communication with the LAN or WAN infrastructure. A VPN device adds the ability to encrypt all data from the COI to other sites, thus providing another layer of protection. |
| Complete Physical Separation | Very High | Provides the highest level of separation through complete physical separation of COIs. Very high cost because network resources cannot be leveraged. |

Security mechanisms

COI security requirements can range in sophistication from simple network file shares to an interconnection of physically separate sites that are connected via dedicated communication circuits. COI security mechanisms and their basic characteristics are identified in the Table. These security mechanisms may be used individually or in combination to provide the requisite security for each COI. A COI architecture can overlay the existing LAN or WAN architecture in order to maximize the use of existing resources and to provide the required COI separation in the most efficient manner. [3]

COIs that require additional dedicated physical resources (e.g., dedicated router, VPN and firewall devices) are usually more complex in nature and more expensive to operate because of the added network devices and the personnel needed to operate and manage them. They also bring the benefit of more security through the defense in depth approach. A COI does not necessarily imply a physical separation of the infrastructure, but it can.

Construction

A standard approach to COI segregation can be through the use of group policies if the LAN or WAN infrastructure runs the Microsoft Windows operating system with the Active Directory service. Additional dedicated COI boundary security components such as a router, VPN, firewall, and IDS can be provided depending upon the requirements of a COI. COIs can be designed and deployed by employing the security mechanisms that are listed in the Table. Typically, each individual COI may have unique characteristics and requirements. The security mechanisms listed above are the basic building blocks in the construction of all COIs.
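The logical perimeter described above can be checked against observed traffic. The following is an added example, not part of the original article: it models each COI as a set of subnets, treats any flow that crosses a COI boundary as denied unless a boundary rule allows it, and reports the flows that break that rule. The COI names, addresses, ports and rules are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network

# Constructed COI definitions: each community is a set of subnets (for example one VLAN each).
COIS = {
    "finance": [ip_network("10.10.20.0/24")],
    "research": [ip_network("10.10.30.0/24"), ip_network("10.10.31.0/24")],
}
ENCLAVE = "enclave"  # the rest of the LAN/WAN user population, outside every COI

# Constructed boundary rules: (source community, destination community, destination port).
# Anything that crosses a COI perimeter and is not listed here is treated as denied.
BOUNDARY_ALLOW = {
    ("enclave", "finance", 443),
    ("finance", "enclave", 53),
    ("research", "enclave", 53),
}

def community_of(addr):
    """Return the COI an address belongs to, or ENCLAVE if it is in none."""
    ip = ip_address(addr)
    for name, nets in COIS.items():
        if any(ip in net for net in nets):
            return name
    return ENCLAVE

def evaluate(src, dst, port):
    """Classify one flow as 'intra', 'allowed' or 'violation'."""
    s, d = community_of(src), community_of(dst)
    if s == d:
        return "intra"      # both ends in the same community: no perimeter crossed
    if (s, d, port) in BOUNDARY_ALLOW:
        return "allowed"    # perimeter crossed under an explicit boundary rule
    return "violation"      # perimeter crossed with no rule permitting it

def audit(flows):
    """Return the flows that cross a COI perimeter without a matching rule."""
    return [(src, dst, port, community_of(src), community_of(dst))
            for src, dst, port in flows
            if evaluate(src, dst, port) == "violation"]

# Constructed flow records: (source address, destination address, destination port).
SAMPLE_FLOWS = [
    ("10.10.20.5", "10.10.20.9", 445),   # finance to finance
    ("10.10.1.7", "10.10.20.9", 443),    # enclave to finance, permitted by rule
    ("10.10.1.7", "10.10.20.9", 445),    # enclave to finance file share, no rule
    ("10.10.30.4", "10.10.20.9", 443),   # research to finance, no rule
    ("10.10.31.8", "10.10.1.53", 53),    # research to enclave DNS, permitted by rule
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("cross-COI flow without boundary rule:", finding)
```
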


References

  1. "Join a Community of Interest | NCCoE". nccoe.nist.gov. Retrieved 2017-06-02.
  2. "Communities of Interest and/or Community of Practice". The MITRE Corporation. 2013-08-28.
  3. Russell, Deborah (1991). Computer Security Basics. O'Reilly Media, Inc. p. 12. ISBN 9780937175712.