NETWORK SECURITY MANAGEMENT
Daniel COSTIN Politehnica University of Bucharest, Romania
ABSTRACT
Any organization that is pursuing ISO 27001 certification is likely to be a reasonably complex one, with one or more networks of computers, usually across a number of geographic locations. Effective network management is essential to the stability of its operations, and therefore this is a key area for control. ISO/IEC 27001:2005 standard for Information Security Management System (ISMS) requires the organization to implement a range of controls to achieve and maintain security in its networks, particularly in those that span organizational boundaries. This is also designed to protect the supporting infrastructure and to protect connected services from unauthorized access. Network security management is one of the most critical roles within the organization, and how it is to be carried out does depend very much on the type of network that is installed.
The ISO/IEC 27001:2005 standard provides direction on how to establish a management system that superimposes a discipline over how to select controls and how to establish good practices to apply the security controls, including when dealing with network security management.
Any organization that is pursuing ISO/IEC 27001:2005 certification is likely to be a reasonably complex one, with one or more networks of computers, usually across a number of geographic locations. Effective network management is essential to the stability of its operations, and therefore this is a key area for control.
Network security management objective is to ensure the protection of information in networks and the protection of the supporting infrastructure. The secure management of networks, which may span organizational boundaries, requires careful consideration to dataflow, legal implications, monitoring, and protection. Additional controls may also be required to protect sensitive information passing over public networks.
The control “Network controls” of ISO/IEC 27001:2005 standard requires the organization to implement a range of controls to achieve and maintain security in its networks, particularly in those that exceed organizational boundaries. This is also designed to protect the supporting infrastructure and to protect connected services from unauthorized access. Four controls are recommended for consideration by the standard:
1. Following the principle of segregation of duties, operational responsibility for networks should be separated from computer operations.
2. There should be clear responsibilities and procedures for the management of remote equipment, including in remote user areas.
3. Special controls are necessary to protect data passing over wireless and public networks. These could include cryptographic techniques, controls to protect the network from access and controls to maintain the availability of computers connected to the network.
4. Close coordination of management activity.
Network management is one of the most critical roles within the organization, and how it is carried out does depend very much on the type of network that is installed. The architecture of the network should reflect the organization’s needs and resources, and expert assistance may be required to design and implement it.
Figure 1. Network security management: security controls
Control “Security of network services” of the standard requires the organization to provide a clear description in its ISMS and in the network services agreement of the security attributes of all the network services that it uses. This is referring to the wide range of public or private network services available, which may have simple or complex security characteristics. A clear description of these characteristics should be provided so that appropriate risk assessments can be carried out. When security incidents involving these services take place, adequate information is available to deal with them.
The most common source of network service is the internet, and its security characteristics are non-existent. In addition, as organizations outsource technology these control requirements become more important. Internet service providers (ISPs), hosting services, etc. can all be critical to the security of the organization. It is therefore necessary to identify and document their security characteristics.
The characteristics in which the organization should be interested include:
- security technology, such as encryption, authentication and network connection controls;
- the technical parameters for connecting with the service provider securely;
- procedures for restricting access to the services, where necessary.
The objective “Network access control” of the standard is to control access to both internal and external networked services so that users who have access do not compromise the security of those services. This means that there need to be appropriate interfaces between the organization’s network and other networks, particularly the internet, that there are appropriate authentication mechanisms for users and equipment, and that user access to information services is controlled.
Control “Policy on use of network services” of the standard requires the organization to design and implement a policy, within its ISMS, that ensures that users have access only to the services that they have been specifically authorized to use.
The policy should identify:
- which networks and network services are allowed to be accessed;
- the authorization procedures necessary prior to any such access;
- the controls necessary to protect access to network connections and network services;
- how the means of accessing these networks are controlled.
Users should see on their desktops only icons for those services that they are authorized to access; no information should be provided about other services on the network, and attempts to access them should not be encouraged.
Control “User authentication for external connections” of the standard ISO/IEC 27001:2005 requires the organization to ensure that access to the network by remote users is subject to authentication.
Authentication of remote users can be achieved using, for example, a cryptographic based technique, hardware tokens, or a challenge/response protocol. Possible implementations of such techniques can be found in various virtual private network (VPN) solutions.
Node authentication can serve as an alternative means of authenticating groups of remote users where they are connected to a secure, shared computer facility. Cryptographic techniques, e.g. based on machine certificates, can be used for node authentication. This is part of several VPN based solutions.
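The challenge/response technique mentioned above for remote user authentication, written out as an added example (not code from the paper or from any VPN product). The server issues a fresh random nonce, the client answers with an HMAC over that nonce computed with a shared key, and the server checks the answer with a constant-time comparison. The user name, the shared key and the single-use bookkeeping are constructed assumptions for the illustration; the point shown is that the key never crosses the network and that a captured response cannot be replayed.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret for the illustration only; a real deployment holds
# one secret per user or device in a protected credential store.
SHARED_KEY = b"example-shared-secret-do-not-reuse"


class ChallengeServer:
    """Server side of a challenge/response login for remote users.

    Every challenge is a random nonce that may be answered once only, so a
    response captured on the wire is useless to a replaying attacker.
    """

    def __init__(self, keys):
        self._keys = keys        # user name -> shared key
        self._pending = {}       # user name -> outstanding nonce

    def issue_challenge(self, user):
        nonce = secrets.token_bytes(16)
        self._pending[user] = nonce
        return nonce

    def verify(self, user, response):
        # The nonce is consumed on the first verification attempt, good or bad.
        nonce = self._pending.pop(user, None)
        key = self._keys.get(user)
        if nonce is None or key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_respond(key, nonce):
    """Client side: prove possession of the key without transmitting it."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def run_exchange(server, user, key):
    """One full exchange: challenge, response, verdict."""
    nonce = server.issue_challenge(user)
    return server.verify(user, client_respond(key, nonce))


def demo():
    server = ChallengeServer({"alice": SHARED_KEY})
    ok = run_exchange(server, "alice", SHARED_KEY)
    wrong_key = run_exchange(server, "alice", b"wrong-key")
    unknown = run_exchange(server, "mallory", SHARED_KEY)
    # Replay attempt: a valid response presented a second time is rejected.
    nonce = server.issue_challenge("alice")
    response = client_respond(SHARED_KEY, nonce)
    first = server.verify("alice", response)
    replay = server.verify("alice", response)
    return {"ok": ok, "wrong_key": wrong_key, "unknown": unknown,
            "first": first, "replay": replay}


if __name__ == "__main__":
    print(demo())
```

The same pattern is what a hardware token does in its own hardware: the token holds the key and computes the response, so a compromised workstation learns only nonces and responses, never the secret.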
Additional authentication controls should be implemented to control access to wireless networks. In particular, special care is needed in the selection of controls for wireless networks due to the greater opportunities for undetected interception and insertion of network traffic.
Control “Equipment identification in the network” of the standard requires the organization to deploy automatic equipment identification to authenticate connections from specific locations and portable equipment. Automatic equipment identification is a technique that is used where the risk assessment has indicated that it will be important to ensure that a session can only be initiated from a particular location or computer workstation.
The “Remote diagnostic and configuration port protection” control requires the organization to securely control access to diagnostic and configuration ports.
Ports, services, and similar facilities installed on a computer or network facility that are not specifically required for business functionality should be disabled or removed. When the port is required, the ISMS procedure can allow the maintenance engineer, after appropriate authentication, to access the port for a specific period to carry out the agreed maintenance work. Use of diagnostic ports must be logged and monitored for suspicious activity.
The “Segregation in networks” control requires the organization to introduce controls into its networks to segregate groups of information services, users and information systems. As organizations extend their information services beyond the traditional boundaries of the fixed LAN or WAN, so they increasingly need to share information processing and networking facilities. These sorts of extensions increase the risk of an attacker finding a way of accessing facilities or information that is confidential, and therefore some components of networks need protection from other network users.
A full risk assessment and cost–benefit analysis should be carried out to ensure that the choice of technologies and architecture is appropriate to the organization’s needs. The existing organizational policies on access control, access requirements and information classification should be cross-referenced in segregating networks.
The creation of demilitarized zones (DMZs) or extranets reflects exactly these needs. Servers operating on the DMZ, outside the corporate firewall, should themselves be configured so that they do not help an attacker find a way past the firewall. DMZ servers should be precisely configured for their desired role, and no additional services should run.
Consideration should be given to the segregation of wireless networks from internal and private networks. As the perimeters of wireless networks are not well defined, a risk assessment should be carried out in such cases to identify controls (e.g. strong authentication, cryptographic methods, and frequency selection) to maintain network segregation.
Network architecture of larger, more complex networks might divide the network into a number of logical network domains, each protected by a defined logical security perimeter. Network perimeter security controls access to the network so that only authorized users can access applications, data and services running on the network. Firewalls are generally the first security product that organizations deploy to protect their network perimeters. A firewall provides a barrier to traffic seeking to cross the perimeter and permits only authorized traffic to pass, in line with a predetermined access policy. Firewalls will also usually provide some level of network address translation (NAT) services, denial-of-service (DoS) attack protection, IPSec VPN services and intrusion detection services. A perimeter firewall may also need to integrate with device-level firewalls on mobile laptops and PDAs. In addition, larger organizations should consider deploying intrusion detection systems (IDSs) that can monitor and reactively respond to intrusions as they occur, and network vulnerability scanners that proactively identify areas of weakness. These are important because while firewalls provide an enforced path control for external users, they do not actively analyse the traffic for attacks or search the network for vulnerabilities. In particular, firewalls do not address the threats posed by insiders.
A network intrusion detection system (NIDS) is hardware or software that automates the process of monitoring events in systems or networks to detect intrusions. An intrusion is an attempt to break into or misuse an information system, or bypass its security controls, in order to compromise the confidentiality, integrity and availability of information stored on it. A system integrity verifier (SIV) monitors system files to find when an intruder changes them so as to set up a back door. Log file monitors (LFM) monitor log files generated by network services. In a similar manner to a NIDS, these systems look for patterns in the log files that suggest that an intruder is attacking.
The “Network connection control” of the standard requires the organization to restrict the connection capability of users on shared networks in accordance with the access control policy. The firewalls segregating networks should filter traffic between the networks in accordance with predefined rules that are based on the access control policy and the risk assessment. Routers should be used to control specific transaction flows (e.g. e-mails, file transfers, application access). The firewall and router rules should be regularly reviewed and updated. The types of application to which these restrictions should apply include e-mail, all file transfers, interactive access and any other form of network access, and it might be useful to link access rights to specific times of day (or night) or days of the week, etc.
The “Network routing controls” should be implemented for networks to ensure that computer connections and information flows do not breach the access control policy of the business applications. Routing controls should be based on positive source and destination address checking mechanisms. Proxy and/or network address translation technologies can be used to secure gateways for the networks.
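The network connection control and network routing control paragraphs above describe a rule set derived from the access control policy, with restrictions per service and per time of day or day of week, plus positive source address checking. This added example (not code from the paper) models both as a default-deny policy evaluator: each rule names a source network, a destination, a service and a time window, and a separate check rejects packets whose source address does not belong to the network assigned to the interface they arrived on. The networks, services, interface assignments and business-hours window are constructed for the illustration.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass(frozen=True)
class Rule:
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    service: str            # e.g. "smtp", "sftp"; application-level flow
    days: frozenset         # permitted weekdays, Monday=0
    hours: tuple            # (start_hour, end_hour), end exclusive


def rule_matches(rule, src, dst, service, when):
    return (src in rule.src and dst in rule.dst and service == rule.service
            and when.weekday() in rule.days
            and rule.hours[0] <= when.hour < rule.hours[1])


def evaluate(rules, src, dst, service, when):
    """Connection control: allow only if some rule permits, otherwise deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    return any(rule_matches(r, src, dst, service, when) for r in rules)


# Constructed interface-to-network assignments for the positive address check.
INTERFACE_NETS = {
    "lan": ipaddress.ip_network("10.0.0.0/8"),
    "dmz": ipaddress.ip_network("192.0.2.0/24"),
}


def valid_source(interface, src):
    """Routing control: a packet arriving on an interface must carry a source
    address from that interface's own network; anything else is spoofed."""
    net = INTERFACE_NETS.get(interface)
    return net is not None and ipaddress.ip_address(src) in net


WEEKDAYS = frozenset(range(5))
# Constructed policy: any LAN host may reach the DMZ mail relay round the clock
# on weekdays; only one subnet may use the DMZ file-transfer host, and only
# during business hours.
POLICY = [
    Rule(ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.0.2.25/32"),
         "smtp", WEEKDAYS, (0, 24)),
    Rule(ipaddress.ip_network("10.1.0.0/16"), ipaddress.ip_network("192.0.2.22/32"),
         "sftp", WEEKDAYS, (8, 18)),
]


def demo():
    mon_10 = datetime(2024, 1, 8, 10, 0)    # Monday, 10:00
    mon_22 = datetime(2024, 1, 8, 22, 0)    # Monday, 22:00
    sat_10 = datetime(2024, 1, 13, 10, 0)   # Saturday, 10:00
    return {
        "smtp_weekday": evaluate(POLICY, "10.2.3.4", "192.0.2.25", "smtp", mon_10),
        "sftp_in_hours": evaluate(POLICY, "10.1.5.6", "192.0.2.22", "sftp", mon_10),
        "sftp_after_hours": evaluate(POLICY, "10.1.5.6", "192.0.2.22", "sftp", mon_22),
        "sftp_wrong_subnet": evaluate(POLICY, "10.2.5.6", "192.0.2.22", "sftp", mon_10),
        "smtp_weekend": evaluate(POLICY, "10.2.3.4", "192.0.2.25", "smtp", sat_10),
        "unlisted_service": evaluate(POLICY, "10.2.3.4", "192.0.2.25", "telnet", mon_10),
        "spoofed_source": valid_source("lan", "203.0.113.7"),
        "genuine_source": valid_source("lan", "10.9.9.9"),
    }


if __name__ == "__main__":
    for name, verdict in demo().items():
        print(f"{name:>18}: {'allow' if verdict else 'deny'}")
```

The rule list is the artefact the paper says should be reviewed regularly; keeping it as data rather than scattered conditions is what makes such a review possible, and the default-deny fall-through means a forgotten flow fails closed rather than open.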
Most security experts would agree with the view that perfect network security is impossible to achieve and that any single defense can always be overcome by an attacker with sufficient resources and motivation.
The basic idea behind the defense-in-depth strategy is to use multiple layers of defense wherever possible, even though each layer might be surmountable. More valuable assets are protected behind more layers of defense. The combination of multiple layers increases the cost for the attacker to be successful, and the cost is proportional to the value of the protected assets. Moreover, a combination of multiple layers will be more effective against unpredictable attacks than will a single defense optimized for a particular type of attack. The cost for the attacker could be in terms of additional time, effort, or equipment. For instance, by delaying an attacker, an organization would increase the chances of detecting and reacting to an attack in progress. A variety of technological measures can be used for layers of protection, including firewalls, IDS (intrusion detection systems), DMZ (demilitarized zones), routers, VPN (virtual private networks), antivirus software, access control, spam filters, packet filters, etc.
Bibliography
1. ISO/IEC 27001:2005: Information technology - Security techniques - Information security management systems - Requirements.
2. Coyne, Edward J.: Role Engineering for Enterprise Security Management. Artech House, Inc., 2008, ISBN 978-1-59693-218-0.
3. Gupta, Jatinder N. D.: Handbook of Research on Information Security and Assurance. Information Science Reference, Hershey, New York, 2009, ISBN 978-1-59904-855-0.
4. Khadraoui, Djamel; Herrmann, Francine: Advances in Enterprise Information Technology Security. Information Science Reference (IGI Global), New York, 2007, ISBN 978-1-59904-090-5.
5. Janczewski, Lech: Internet and Intranet Security Management: Risks and Solutions. Idea Group Publishing, 2000, ISBN 1-878289-71-3.
6. Tulloch, Mitch: Microsoft Encyclopedia of Security. Microsoft Press, Redmond, WA, 2003, ISBN 0-7356-1877-1.