2007 - CIS

grrrgrapeInternet and Web Development

Oct 31, 2013 (3 years and 7 months ago)

47 views

Chapter 12

Network Security


Security Policy Life Cycle


A method for the development of a
comprehensive network security policy is
known as the security policy development life
cycle (SPDLC).


Network Security


A successful network security implementation
requires a marriage of technology and process.


Roles and responsibilities and corporate standards for
business processes and acceptable network
-
related
behavior must be clearly defined, effectively shared,
universally understood, and vigorously enforced for
implemented network security technology to be
effective.


Process definition and setting of corporate security
standards must precede technology evaluation and
implementation.


Security vs. Productivity Balance


The optimal balance
point that is sought is
the proper amount of
implemented security
process and technology
that will adequately
protect corporate
information resources
while optimizing user
productivity.

Network Security Policy

Assets, Risks, Protection


multiple protective
measures may need
to be established
between given
threat/asset
combinations


Protective Measures


The major categories of potential
protective measures are:



Virus protection


Firewalls


Authentication


Encryption


Intrusion detection


Threats and Protective Measures


Once policies have been developed, it is
up to everyone to support those policies
in their own way.


Having been included in the policy
development process, users should also
be expected to actively support the
implemented acceptable use policies.


Executive’s Responsibilities

Management's Responsibilities

Acceptable Use Policy Development


User’s Responsibilities

Security Architecture


A representative
example of a security
architecture that clearly
maps business and
technical drivers through
security policy and
processes to
implemented security
technology.

CSF for Network Security Policy

Virus Protection


Virus protection is often the first area of
network security addressed by
individuals or corporations.


A comprehensive virus protection plan
must combine policy, people, processes,
and technology to be effective.


Too often, virus protection is thought to
be a technology
-
based quick fix.

Virus Infection

Virus Re
-
infection

Virus Points of Attack


The typical
points of attack
for virus
infection and
potential
protective
measures to
the combat
those attacks.


Anti
-
virus Strategies

Firewalls


When a company links to the Internet, a two
-
way access point out of as well as
into
that
company’s confidential information systems is
created.


Firewall software usually runs on a dedicated
server that is connected to, but outside of,
the corporate network.


All network packets entering the firewall are
filtered or examined

Firewalls


Firewalls provide a layer of isolation between
the inside network and the outside network.


The underlying assumption in such a design
scenario is that all of the threats come from
the outside network.


Incorrectly implemented firewalls can actually
exacerbate the situation by creating new, and
sometimes undetected, security holes.



There are a number of Firewall types…

Packet Filter Firewall

Application Gateway

Trusted Gateway

Dual
-
homed Gateway

Firewalls

Firewall


Behind DMZ

Firewall


in front of DMZ

Firewall


Multi
-
tiered

Authentication and Access Control



The purpose of
authentication
is to ensure
that users attempting to gain access to
networks are really who they claim to be.


Password protection was the traditional
means to ensure authentication.


Password protection by itself is no longer
sufficient to ensure authentication.


A wide variety of technology has been
developed to ensure that users really are who
they say they are.

Challenge
-
Response Authentication

Time
-
Synchronous Token Authentication


Kerberos Architecture


Kerberos
architecture
consists of three
key components:


client software


authentication
server software


application
server software


Encryption


Encryption involves the changing of data into
an indecipherable form before transmission.


If the transmitted data are somehow
intercepted, they cannot be interpreted.


The changed, unmeaningful data is known as
ciphertext.


Encryption must be accompanied by
decryption, or changing the unreadable text
back into its original form.


Encryption Standards

Private Key Encryption

Public Key Encryption

Digital Signature Encryption


Security Design Strategies


Make sure that router operating system
software has been patched


Identify those information assets that are
most critical to the corporation, and protect
those servers first.


Implement physical security constraints to
hinder physical access to critical resources
such as servers.


Monitor system activity logs carefully

Security Design Strategies


Develop a simple, effective, and enforceable
security policy and monitor its implementatio.


Consider installing a proxy server or
applications layer firewall.


Block incoming DNS queries and requests for
zone transfers.


Don’t publish the corporation’s complete DNS
map on DNS servers that are outside the
firewall.


Disable all non essential TCP ports and services


Security Design Strategies


Install only software and hardware that you
really need on the network.


Allow only essential traffic into and out of the
corporate network and elimi
nate all other
types by blocking with routers or firewalls.


Investigate the business case for outsourcing
Web
-
hosting services so that the corporate
Web server is not physically on the same
network as the rest of the corporate
information assets.


Use routers to filter traffic by IP address.

RADIUS Architecture


RADIUS allows
network
managers to
centrally
manage remote
access users,
access methods,
and logon
restrictions
.

Tunneling Protocols and VPN


To provide VPN capabilities using the Internet as an
enterprise network backbone, specialized tunneling
protocols

were developed that could establish
private, secure channels between connected
systems.

IP Packet and Security Headers

Government Impact


Government agencies play a major role in the
area of network security.


The two primary functions of these various
government agencies are:


Standards
-
making organizations that set standards
for the design, implementation, and certification of
security technology and systems.


Regulatory agencies that control the export of
security technology to a company’s international
locations


Orange Book Certification


The primary focus of the Orange Book is to
provide confidential protection of sensitive
information based on these requirements:




Security policy


Marking


Identification


Accountability


Assurance


Continuous protection
:

Orange Book Certification Criteria