Chapter 12
Network Security
Security Policy Life Cycle
A method for the development of a comprehensive network security policy is known as the security policy development life cycle (SPDLC).
Network Security
A successful network security implementation requires a marriage of technology and process. Roles and responsibilities and corporate standards for
business processes and acceptable network-related p p behavior must be clearly defined, effectively shared, universally understood, and vigorously enforced for implemented network security technology to be effective.
Security vs. Productivity Balance
The optimal balance point that is sought is the proper amount of implemented security implemented security process and technology that will adequately protect corporate information resources while optimizing user productivity.
Network Security Policy
Protective Measures
The major categories of potential
protective measures are:
Virus protection Virus protection Firewalls Authentication Encryption Intrusion detection
Threats and Protective Measures
Once policies have been developed, it is
up to everyone to support those policies
in their own way.
in their own way.
Having been included in the policy
Executive’s Responsibilities
Management's Responsibilities
User’s Responsibilities
Security Architecture
A representative
example of a security
architecture that clearly
maps business and
technical drivers through
security policy and
processes to
implemented security
technology.
Virus Protection
Virus protection is often the first area of
network security addressed by
individuals or corporations.
A comprehensive virus protection plan
must combine policy, people, processes,
and technology to be effective.
Too often, virus protection is thought to
be a technology-based quick fix.
Virus Infection
Virus Points of Attack
The typical points of attack for virus i f ti d infection and potential protective measures to the combat those attacks.Anti-virus Strategies
Firewalls
When a company links to the Internet, a two-way access point out of as well as into that company’s confidential information systems is
d created.
Firewall software usually runs on a dedicated server that is connected to, but outside of, the corporate network.
Firewalls
Firewalls provide a layer of isolation between the inside network and the outside network. The underlying assumption in such a design scenario is that all of the threats come from scenario is that all of the threats come from the outside network.
Incorrectly implemented firewalls can actually exacerbate the situation by creating new, and sometimes undetected, security holes. There are a number of Firewall types…
Packet Filter Firewall
Trusted Gateway
Dual-homed Gateway
Firewall – Behind DMZ
Firewall – in front of DMZ
Authentication and Access Control
The purpose of authentication is to ensure that users attempting to gain access to networks are really who they claim to be. Password protection was the traditional Password protection was the traditional
means to ensure authentication. Password protection by itself is no longer
sufficient to ensure authentication. A wide variety of technology has been
developed to ensure that users really are who they say they are.
Challenge-Response Authentication
Kerberos Architecture
Kerberos architecture consists of three consists of three key components: client software authentication server software application server softwareEncryption
Encryption involves the changing of data into an indecipherable form before transmission. If the transmitted data are somehow
intercepted they cannot be interpreted intercepted, they cannot be interpreted. The changed, unmeaningful data is known as
ciphertext.
Encryption must be accompanied by decryption, or changing the unreadable text back into its original form.
Private Key Encryption
Public Key Encryption
Security Design Strategies
Make sure that router operating system software has been patched
Identify those information assets that are most critical to the corporation and protect most critical to the corporation, and protect those servers first.
Implement physical security constraints to hinder physical access to critical resources such as servers.
Monitor system activity logs carefully
Security Design Strategies
Develop a simple, effective, and enforceable security policy and monitor its implementatio. Consider installing a proxy server or
applications layer firewall applications layer firewall.
Block incoming DNS queries and requests for zone transfers.
Don’t publish the corporation’s complete DNS map on DNS servers that are outside the firewall.
Disable all non essential TCP ports and services
RADIUS Architecture
RADIUS allows network managers to centrally manage remote access users, access methods, and logon restrictions.Tunneling Protocols and VPN
To provide VPN capabilities using the Internet as an enterprise network backbone, specialized tunneling protocols were developed that could establish private, secure channels between connected systems.
Government Impact
Government agencies play a major role in the area of network security.
The two primary functions of these various government agencies are:
government agencies are:
Standards-making organizations that set standards
for the design, implementation, and certification of security technology and systems.
Regulatory agencies that control the export of
security technology to a company’s international locations
Orange Book Certification
The primary focus of the Orange Book is to provide confidential protection of sensitive information based on these requirements:
Security policy Marking Identification Accountability Assurance Continuous protection:
