Transcript 2003 - CIS

Chapter 12
Network Security
Security Policy Life Cycle

A method for the development of a
comprehensive network security policy is
known as the security policy development life
cycle (SPDLC).
Network Security



A successful network security implementation
requires a marriage of technology and process.
Roles and responsibilities and corporate standards for
business processes and acceptable network-related
behavior must be clearly defined, effectively shared,
universally understood, and vigorously enforced for
implemented network security technology to be
effective.
Process definition and setting of corporate security
standards must precede technology evaluation and
implementation.
Security vs. Productivity Balance

The optimal balance
point that is sought is
the proper amount of
implemented security
process and technology
that will adequately
protect corporate
information resources
while optimizing user
productivity.
Network Security Policy
Assets, Risks, Protection

Multiple protective measures may need to be established
between given threat/asset combinations.
Protective Measures

The major categories of potential
protective measures are:

Virus protection
Firewalls
Authentication
Encryption
Intrusion detection
Threats and Protective Measures


Once policies have been developed, it is
up to everyone to support those policies
in their own way.
Having been included in the policy
development process, users should also
be expected to actively support the
implemented acceptable use policies.
Executive’s Responsibilities
Management's Responsibilities
Acceptable Use Policy Development
User’s Responsibilities
Security Architecture

A representative
example of a security
architecture that clearly
maps business and
technical drivers through
security policy and
processes to
implemented security
technology.
CSF for Network Security Policy
Virus Protection



Virus protection is often the first area of
network security addressed by
individuals or corporations.
A comprehensive virus protection plan
must combine policy, people, processes,
and technology to be effective.
Too often, virus protection is thought to
be a technology-based quick fix.
Virus Infection
Virus Re-infection
Virus Points of Attack

The typical points of attack for virus infection
and potential protective measures to combat
those attacks.
Anti-virus Strategies
Firewalls



When a company links to the Internet, a two-way
access point out of as well as into that
company’s confidential information systems is
created.
Firewall software usually runs on a dedicated
server that is connected to, but outside of,
the corporate network.
All network packets entering the firewall are
filtered or examined.
Firewalls




Firewalls provide a layer of isolation between
the inside network and the outside network.
The underlying assumption in such a design
scenario is that all of the threats come from
the outside network.
Incorrectly implemented firewalls can actually
exacerbate the situation by creating new, and
sometimes undetected, security holes.
There are a number of Firewall types…
Packet Filter Firewall
Application Gateway
Trusted Gateway
Dual-homed Gateway
Firewalls
Firewall – Behind DMZ
Firewall – in front of DMZ
Firewall – Multi-tiered
Authentication and Access Control




The purpose of authentication is to ensure
that users attempting to gain access to
networks are really who they claim to be.
Password protection was the traditional
means to ensure authentication.
Password protection by itself is no longer
sufficient to ensure authentication.
A wide variety of technology has been
developed to ensure that users really are who
they say they are.
Challenge-Response Authentication
Time-Synchronous Token Authentication
Kerberos Architecture

Kerberos architecture consists of three
key components:

client software
authentication server software
application server software
Encryption




Encryption involves the changing of data into
an indecipherable form before transmission.
If the transmitted data are somehow
intercepted, they cannot be interpreted.
The changed, meaningless data are known as
ciphertext.
Encryption must be accompanied by
decryption, or changing the unreadable text
back into its original form.
Encryption Standards
Private Key Encryption
Public Key Encryption
Digital Signature Encryption
Security Design Strategies




Make sure that router operating system
software has been patched
Identify those information assets that are
most critical to the corporation, and protect
those servers first.
Implement physical security constraints to
hinder physical access to critical resources
such as servers.
Monitor system activity logs carefully
Security Design Strategies





Develop a simple, effective, and enforceable
security policy and monitor its implementation.
Consider installing a proxy server or
applications layer firewall.
Block incoming DNS queries and requests for
zone transfers.
Don’t publish the corporation’s complete DNS
map on DNS servers that are outside the
firewall.
Disable all nonessential TCP ports and services.
Security Design Strategies




Install only software and hardware that you
really need on the network.
Allow only essential traffic into and out of the
corporate network and eliminate all other
types by blocking with routers or firewalls.
Investigate the business case for outsourcing
Web-hosting services so that the corporate
Web server is not physically on the same
network as the rest of the corporate
information assets.
Use routers to filter traffic by IP address.
RADIUS Architecture

RADIUS allows
network
managers to
centrally
manage remote
access users,
access methods,
and logon
restrictions.
Tunneling Protocols and VPN

To provide VPN capabilities using the Internet as an
enterprise network backbone, specialized tunneling
protocols were developed that could establish
private, secure channels between connected
systems.
IP Packet and Security Headers
Government Impact


Government agencies play a major role in the
area of network security.
The two primary functions of these various
government agencies are:


Standards-making organizations that set standards
for the design, implementation, and certification of
security technology and systems.
Regulatory agencies that control the export of
security technology to a company’s international
locations
Orange Book Certification

The primary focus of the Orange Book is to
provide confidential protection of sensitive
information based on these requirements:

Security policy
Marking
Identification
Accountability
Assurance
Continuous protection
Orange Book Certification Criteria