“Copyright © 2001 John Wiley & Sons, Inc. All rights reserved. Reproduction or translation of this work beyond that permitted in Section 117 of the 1976 United States Copyright Act without the express written permission of the copyright owner is unlawful. Request for further information should be addressed to the Permissions Department, John Wiley & Sons, Inc. The purchaser may make back-up copies for his/her own use only and not for distribution or resale. The Publisher assumes no responsibility for errors, omissions, or damages caused by the use of these programs or from the use of the information contained herein”


Figure 13-1 The Security Policy Development Life Cycle

[Figure: a cycle of six stages]
1. Identify business related security issues
2. Analyze security risks, threats, and vulnerabilities
3. Design the security architecture and the associated processes
4. Implement security technology and processes
5. Audit impact of security technology and processes
6. Evaluate effectiveness of current architectures and policies

GOLDMAN & RAWLES: ADC3e FIG. 13-01


Figure 13-4 Security vs. Productivity Balance

[Figure: three balance-scale panels weighing SECURITY against PRODUCTIVITY]
Lack of Security: high risk, low cost, open access; no productivity loss occurs from access restrictions. Open access may lead to data loss or data integrity problems, which may lead to productivity loss; lack of security may ultimately have a negative impact on productivity.
Overly Restrictive Security: high cost, low risk, restrictive access, productivity loss. Security needs take priority over user access; overly restrictive security causes productivity decline and may lead to noncompliance with security processes, which may lead to loss of security.
Optimal Balance of Security and Productivity: balanced risk and costs; the restrictiveness of the security policy is balanced by people's acceptance of those policies. BALANCE: minimize negative impact on productivity, maximize security processes.

GOLDMAN & RAWLES: ADC3e FIG. 13-04


Figure 13-7 Assets, Threats, Vulnerabilities, Risks, and Protective Measures

[Figure: relationship diagram with the elements ASSET, THREAT, VULNERABILITY, RISK, and PROTECTIVE MEASURES]

GOLDMAN & RAWLES: ADC3e FIG. 13-07


Figure 13-13 Representative Security Architecture
GOLDMAN & RAWLES: ADC 3e FIG: 13-13

[Figure: layered architecture with the elements Security Mission; Security Management; Security Policies and Procedures; Secure Infrastructure; Computing Platforms and Networks; Security Technology. Business Drivers and Technical Drivers are the input assumptions for the secure infrastructure.]


Figure 13-18 Collaborative Software Infection/Reinfection Cycle

[Figure: two network panels, each with client PCs, a hub, a server, and a router]
INFECTION: an infected file is spread through database replication and/or by being attached to a multiclient conference.
RE-INFECTION: modification of an infected document on any client or server will cause replication and reinfection of other servers; inclusion of infected documents in a multiclient conference will reinfect all clients. The panel shows a disinfected client PC being re-infected from the client PC that still holds the original infected document.

GOLDMAN & RAWLES: ADC3e FIG. 13-18


Figure 13-19 Virus Infection Points of Attack and Protective Measures

[Figure: network with INTERNET, router, hub, client PC, server, and remote access users; each point of attack is annotated as follows]

Point of Attack: Client PC
  Vulnerabilities: infected diskettes; groupware conferences with infected documents
  Protective Measures: strict diskette scanning policy; autoscan at system start-up

Point of Attack: Internet Access
  Vulnerabilities: downloaded viruses; downloaded hostile agents
  Protective Measures: firewalls; user education about the dangers of downloading

Point of Attack: Server
  Vulnerabilities: infected documents stored by attached clients; infected documents replicated from other groupware servers
  Protective Measures: autoscan run at least once a day; consider active monitoring (virus checking before allowing programs to be loaded onto the server); rigorous backup in case of major outbreak; audit logs to track down sources

Point of Attack: Remote Access Users
  Vulnerabilities: frequent up/downloading of data and use of diskettes increase risk; linking to customer sites increases risk
  Protective Measures: strict diskette scanning policy; strict policy about connection to corporate networks after linking to other sites

GOLDMAN & RAWLES: ADC3e FIG. 13-19


Figure 13-20(a) Packet Filters and Application Gateways

[Figure: four panels, each placing a firewall or gateway between the INTERNET or nonsecure network and the Protected Network]
Packet Filter Firewall: a packet-filtering firewall (router). Incoming IP packets are examined; incoming IP source and destination addresses are compared to filter tables; outgoing packets have direct access to the Internet.
Trusted Gateway: a packet-filtering firewall (router) plus a single-homed application gateway running proxy application 1 and proxy application 2 (each with a client half and a server half). Trusted applications establish connections directly; information servers / WWW servers are shown on the protected side.
Application Gateway: one proxy application per service, e.g. proxy FTP client and proxy FTP server, proxy TELNET client and proxy TELNET server, and other proxy applications, each with a client half and a server half.
Dual-Homed Gateway: a packet-filtering firewall (router) plus a dual-homed application gateway running proxy application 1 and proxy application 2; all traffic goes through the application gateway. Labels: WWW request; Screened Subnet; information servers / WWW servers.

GOLDMAN & RAWLES: ADC3e FIG. 13-20


Figure 13-20(b) Proxies, Trusted Gateways, and Dual-Homed Gateways

[Figure: the same four panels as Figure 13-20(a): Packet Filter Firewall, Trusted Gateway, Application Gateway, and Dual-Homed Gateway, with identical labels]

GOLDMAN & RAWLES: ADC3e FIG. 13-20


Figure 13-21 Enterprise Firewall Architecture
GOLDMAN & RAWLES: ADC 3e FIG: 13-21

[Figure: three panels. In each, the Internet ("Bad Guys") is on one side and the Internal Private Network ("Good Guys") on the other, with a DMZ holding a Web Server and an E-Mail Server on a hub or switch.]
Dual or Multi-Tier Firewall: one firewall between the Internet and the DMZ, and a second firewall between the DMZ and the internal private network.
Single Firewall, In Front of DMZ: one firewall between the Internet and the DMZ; the internal private network sits behind the DMZ.
Single Firewall, Behind DMZ: a router faces the Internet, the DMZ sits between the router and the firewall, and the single firewall fronts the internal private network.


Figure 13-24 Challenge-Response vs. Time-Synchronous Token Authentication

[Figure: two panels; in each, a smart card, a client PC, modems, the PSTN, and an authentication server]
Time Synchronous:
1. The personal ID and the current number displayed on the smart card (e.g. 76731270) are entered into the client PC and transmitted over the PSTN to the authentication server.
2. The authentication server compares the received smart-card-generated number to the current time-synchronous server-generated number. If they match, the user is authenticated.
Challenge - Response:
1. The smart card ID is entered into the client PC; the user ID and personal smart card ID number (e.g. 76731270) are transmitted to the authentication server.
2. A challenge number is returned to the client (e.g. 65490873).
3. The returned challenge number is entered into the smart card keypad, and a response number is displayed on the smart card (e.g. 11266542).
4. The response number from the smart card display is entered into the client PC and transmitted to the authentication server.
5. The authentication server compares the received response number to the expected response number. If they match, the user is authenticated.

GOLDMAN & RAWLES: ADC3e FIG. 13-24
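Added example, not from the textbook: a Python model of both panels of Figure 13-24, in which the authentication server regenerates the card's number and compares it to what it received. The figure does not say how the card computes its number; the HMAC-based derivation, the shared secret, and the 60-second step are assumptions.

```python
import hashlib
import hmac
import secrets

# Constructed shared secret: provisioned into the smart card and the authentication server at enrollment.
TOKEN_SECRET = b"demo-shared-secret-provisioned-at-enrollment"
STEP_SECONDS = 60  # assumed interval after which a time-synchronous card shows a new number


def _card_number(secret: bytes, message: bytes, digits: int = 8) -> str:
    """Derive the 8-digit number the card displays from the secret and either a time slot or a challenge."""
    digest = hmac.new(secret, message, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:4], "big") % 10**digits).zfill(digits)


def time_sync_display(secret: bytes, now: float) -> str:
    """Card side (time-synchronous panel): the number shown at time 'now' (seconds since epoch)."""
    return _card_number(secret, int(now // STEP_SECONDS).to_bytes(8, "big"))


def time_sync_verify(secret: bytes, received: str, now: float, drift_slots: int = 1) -> bool:
    """Server side: regenerate the number for the current slot, plus neighbouring slots to absorb clock drift."""
    slot = int(now // STEP_SECONDS)
    for candidate in range(max(0, slot - drift_slots), slot + drift_slots + 1):
        if hmac.compare_digest(_card_number(secret, candidate.to_bytes(8, "big")), received):
            return True
    return False


def challenge_issue() -> str:
    """Server side (challenge-response panel): a fresh random challenge returned to the client PC."""
    return str(secrets.randbelow(10**8)).zfill(8)


def challenge_response(secret: bytes, challenge: str) -> str:
    """Card side: the user keys the challenge into the card, which displays the response number."""
    return _card_number(secret, challenge.encode())


def challenge_verify(secret: bytes, challenge: str, received: str) -> bool:
    """Server side: compute the expected response for the challenge it issued and compare in constant time."""
    return hmac.compare_digest(challenge_response(secret, challenge), received)
```

Because the server issues a different challenge for each login, a captured response is useless for a later session, at the cost of an extra round trip; the time-synchronous card needs no round trip but both clocks must stay within the drift window.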


Figure 13-25 Kerberos Architecture

[Figure: an Enterprise Network of four Kerberos Realms (A, B, C, D) joined by routers. Each realm contains personal computers running Kerberos client software, application servers with at least one running Kerberos server software, and a Kerberos server made up of an Authentication Server, a Ticket-Granting Server, and a Kerberos Database.]

GOLDMAN & RAWLES: ADC3e FIG. 13-25


Figure 13-26 Private Key Encryption, Public Key Encryption, and Digital Signature Encryption

[Figure: three panels, each showing a Company A client and a Company B client communicating across the INTERNET or a nonsecure network]
Private Key (Symmetric): the original document is encrypted with the private key and decrypted with the same private key. The private key must be distributed across the nonsecure network.
Public Key: each company holds a public/private key pair (A+, A-; B+, B-). Company B gets Company A's public key from Company A or from a certificate authority; Company A gets Company B's public key from Company B or from a certificate authority. Encryption uses a public key and decryption the matching private key.
Digital Signature: the digital signature is encrypted with Company A's private key and decrypted with Company A's public key. The locally regenerated digital signature is compared to the original transmitted digital signature (Regenerated = Original).

GOLDMAN & RAWLES: ADC3e FIG. 13-26


Figure 13-28 Remote Authentication Dial-In User Services (RADIUS) Architecture

[Figure: remote users (PC and modem) and INTERNET or nonsecure-network users dial in to remote access servers of BRAND A, BRAND B, and BRAND C and to a firewall fronting the secure network; all of these consult a central RADIUS server, which holds the user authentication database, exchanges accounting and authentication information with them, and is administered from a RADIUS management console.]
A wide variety of remote access servers and firewalls from numerous vendors can all be managed by RADIUS. Large numbers of remote access users, accessing the network from numerous different points and using different authentication techniques, can all be managed by RADIUS.

GOLDMAN & RAWLES: ADC3e FIG. 13-28


Figure 13-29 Tunneling Protocols Enable Virtual Private Networks

[Figure: a REMOTE CLIENT reaches CORPORATE HEADQUARTERS through a VIRTUAL PRIVATE NETWORK tunneled across the INTERNET]
The remote client connects over an ADSL, ISDN, or modem connection; the local Internet Service Provider creates a virtual private tunnel using a tunneling protocol (PPTP, L2F, or L2TP). The router at corporate headquarters strips off the tunneling protocol and forwards the transmission to the corporate LAN.

GOLDMAN & RAWLES: ADC3e FIG. 13-29


Figure 13-30 IP Packet Plus Authentication and Encryption Headers

[Figure: packet layout, left to right: new IP header (added if tunnel-mode ESP is chosen; this header contains an unencrypted destination address and routing information) | ESP header (only a portion of the ESP header is encrypted) | original IP header | authentication header | upper-level protocols encapsulated in a transport layer segment (TCP, UDP) | ESP trailer. Brackets label the original IP header through the transport segment as the Original IP Packet and mark the Encrypted portion.]
Authentication header fields, drawn 32 bits wide starting at bit 0: next header type; length of the authentication data field in 32-bit words; reserved; security parameters index; authentication data.

GOLDMAN & RAWLES: ADC3e FIG. 13-30
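Added example, not from the textbook: Python that builds, parses, and verifies an authentication header in the field order shown in Figure 13-30. Assumptions: the original (RFC 1826) field widths of 8-bit next header, 8-bit length, 16-bit reserved, and 32-bit SPI; HMAC-SHA-256 as the authentication algorithm with a constructed demo key; and a simplified MAC that covers the IP header as-is, whereas real AH zeros mutable fields such as TTL and checksum.

```python
import hashlib
import hmac
import struct

AH_KEY = b"demo-ah-integrity-key"  # constructed key for the security association named by the SPI
PROTO_AH, PROTO_TCP = 51, 6
ICV_WORDS = 8  # HMAC-SHA-256 = 32 bytes = 8 words; the length field counts authentication data in 32-bit words


def _icv(ip_header: bytes, ah_fixed: bytes, payload: bytes) -> bytes:
    """Authentication data: MAC over the packet with the authentication data field itself zeroed.
    Simplification (assumption): the IP header is covered unchanged; real AH zeros mutable fields such as TTL."""
    covered = ip_header + ah_fixed + b"\x00" * (ICV_WORDS * 4) + payload
    return hmac.new(AH_KEY, covered, hashlib.sha256).digest()


def build_ah_packet(src: bytes, dst: bytes, spi: int, segment: bytes) -> bytes:
    """Sender: original IP header (protocol = AH) | authentication header | transport segment."""
    total_len = 20 + 8 + ICV_WORDS * 4 + len(segment)
    ip_header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0x1234, 0, 64, PROTO_AH, 0, src, dst)
    ah_fixed = struct.pack("!BBHI", PROTO_TCP, ICV_WORDS, 0, spi)  # next header, length, reserved, SPI
    return ip_header + ah_fixed + _icv(ip_header, ah_fixed, segment) + segment


def parse_ah(packet: bytes):
    """Receiver: split the packet into IP header, AH fields, and payload using the figure's field order."""
    ihl = (packet[0] & 0x0F) * 4
    ip_header, rest = packet[:ihl], packet[ihl:]
    next_header, length, reserved, spi = struct.unpack("!BBHI", rest[:8])
    fields = {"next_header": next_header, "length": length, "reserved": reserved, "spi": spi,
              "auth_data": rest[8:8 + length * 4]}
    return ip_header, fields, rest[8 + length * 4:]


def verify_ah(packet: bytes) -> bool:
    """Receiver: recompute the authentication data and compare it in constant time."""
    ip_header, f, payload = parse_ah(packet)
    if ip_header[9] != PROTO_AH or f["length"] != ICV_WORDS or len(f["auth_data"]) != ICV_WORDS * 4:
        return False  # not an AH packet, unsupported ICV size, or truncated authentication data
    ah_fixed = struct.pack("!BBHI", f["next_header"], f["length"], f["reserved"], f["spi"])
    return hmac.compare_digest(_icv(ip_header, ah_fixed, payload), f["auth_data"])


# Constructed sample: a TCP segment (placeholder port bytes plus a request line) between two private hosts, SPI 0x1000.
SAMPLE_PACKET = build_ah_packet(bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]), 0x1000,
                                b"\x00\x50\x1f\x90" + b"GET / HTTP/1.0\r\n")
```

Any change to the addresses, the AH fields, or the payload after signing makes the regenerated authentication data differ, which is the integrity and origin check the header provides.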