
Implementing network security within an I.T network company

Developing Security Policies and Controls

A company's security plan consists of security policies. Security policies give specific guidelines for areas of responsibility, and consist of plans that provide steps to take and rules to follow to implement the policies.

Policies should define what you consider valuable, and should specify what steps should be taken to safeguard those assets. Policies can be drafted in many ways. One example is a general policy of only a few pages that covers most possibilities. Another example is a draft policy for different sets of assets, including e-mail policies, password policies, Internet access policies, and remote access policies.

Two common problems with organizational policies are:

1. The policy is a platitude rather than a decision or direction.
2. The policy is not really used by the organization. Instead it is a piece of paper to show to auditors, lawyers, other organizational components, or customers, but it does not affect behaviour.

A good risk assessment will determine whether good security policies and controls are implemented. Vulnerabilities and weaknesses exist in security policies because of poor security policies and the human factor, as shown in the following diagram. Security policies that are too stringent are often bypassed because people get tired of adhering to them (the human factor), which creates vulnerabilities for security breaches and attacks.

Types of Security Policies

Policies can be defined for any area of security. It is up to the security administrator and IT manager to classify what policies need to be defined and who should plan the policies. There could be policies for the whole company or policies for various sections within the company. The various types of policies that could be included are:

- Password policies
  - Administrative Responsibilities
  - User Responsibilities
- E-mail policies
- Internet policies
- Backup and restore policies

Password Policies

The security provided by a password system depends on the passwords being kept secret at all times. Thus, a password is vulnerable to compromise whenever it is used, stored, or even known. In a password-based authentication mechanism implemented on a system, passwords are vulnerable to compromise due to five essential aspects of the password system:

- A password must be initially assigned to a user when enrolled on the system.
- A user's password must be changed periodically.
- The system must maintain a "password database."
- Users must remember their passwords.
- Users must enter their passwords into the system at authentication time.
- Employees may not disclose their passwords to anyone. This includes administrators and IT managers.

Password policies can be set depending on the needs of the organization. For example, it is possible to specify minimum password length, no blank passwords, and maximum and minimum password age. It is also possible to prevent users from reusing passwords and ensure that users use specific characters in their passwords, making passwords more difficult to crack.
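The settings listed above (length, no blank passwords, minimum and maximum age, reuse prevention, required characters) can be enforced together at password-change time. The following is an added example, not part of the original document; the class and function names, the threshold values, and the use of PBKDF2 for the stored digests are assumptions made for illustration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

@dataclass
class Policy:  # all thresholds are assumed sample values, not from the page
    min_length: int = 12
    min_classes: int = 3                      # of lower / upper / digit / symbol
    min_age: timedelta = timedelta(days=1)
    max_age: timedelta = timedelta(days=90)
    history: int = 5                          # previous passwords that may not be reused

@dataclass
class Account:
    changed_at: Optional[datetime] = None
    old: list = field(default_factory=list)   # (salt, digest) pairs, newest last

def _digest(password, salt):
    # The "password database" keeps salted, stretched digests, never plaintext.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def violations(policy, account, password, now):
    if not password:
        return ["blank"]
    found = []
    if len(password) < policy.min_length:
        found.append("too_short")
    tests = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    if sum(any(t(c) for c in password) for t in tests) < policy.min_classes:
        found.append("too_few_character_classes")
    if account.changed_at and now - account.changed_at < policy.min_age:
        found.append("minimum_age_not_reached")
    if any(hmac.compare_digest(d, _digest(password, s)) for s, d in account.old):
        found.append("reused")
    return found

def change_password(policy, account, password, now):
    found = violations(policy, account, password, now)
    if not found:
        salt = os.urandom(16)
        account.old = (account.old + [(salt, _digest(password, salt))])[-policy.history:]
        account.changed_at = now
    return found

def expired(policy, account, now):
    return account.changed_at is None or now - account.changed_at > policy.max_age
```

The minimum age and the history list work as a pair: without a minimum age, a user could change the password several times in a row to push the old one out of the history and then reuse it.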

Administrative Responsibilities

Many systems come from the vendor with a few standard user logins already enrolled in the system. Change the passwords for all standard user logins before allowing the general user population to access the system. For example, change the administrator password when installing the system.

The administrator is responsible for generating and assigning the initial password for each user login. The user must then be informed of this password. In some areas, it may be necessary to prevent exposure of the password to the administrator. In other cases, the user can easily nullify this exposure. To prevent the exposure of a password, it is possible to use smart card encryption in conjunction with the user's username and password. Even if the administrator knows the password, he or she will be unable to use it without the smart card. When a user's initial password must be exposed to the administrator, this exposure may be nullified by having the user immediately change the password by the normal procedure.

Occasionally, a user will forget the password or the administrator may determine that a user's password may have been compromised. To be able to correct these problems, it is recommended that the administrator be permitted to change the password of any user by generating a new one. The administrator should not have to know the user's password in order to do this, but should follow the same rules for distributing the new password that apply to initial password assignment. Positive identification of the user by the administrator is required when a forgotten password must be replaced.

User Responsibilities

Users should understand their responsibility to keep passwords private and to report changes in their user status, suspected security violations, and so forth. To assure security awareness among the user population, we recommend that each user be required to sign a statement to acknowledge understanding these responsibilities.

The simplest way to recover from the compromise of a password is to change it. Therefore, passwords should be changed on a periodic basis to counter the possibility of undetected password compromise. They should be changed often enough so that there is an acceptably low probability of compromise during a password's lifetime. To avoid needless exposure of users' passwords to the administrator, users should be able to change their passwords without intervention by the administrator.


Technologies to Secure Network Connectivity

Businesses and other organizations use the Internet because it provides useful services. Organizations could choose to support or not support Internet-based services based on a business plan or an information technology strategic plan. In other words, organizations should analyze their business needs, identify potential methods of meeting the needs, and consider the security ramifications of the methods along with cost and other factors.

Most organizations use Internet-based services to provide enhanced communications between business units, or between the business and its customers, or to provide a cost-saving means of automating business processes. Security is a key consideration—a single security incident can wipe out any cost savings or revenue provided by Internet connectivity.

Some of the ways to protect the organization from outside intrusions include firewalls and virtual private networks (VPN).

Firewalls

Many organizations have connected or want to connect their private LANs to the Internet so that their users can have convenient access to Internet services. Since the Internet as a whole is not trustworthy, their private systems are vulnerable to misuse and attack. A firewall is a safeguard that one can use to control access between a trusted network and a less trusted one. A firewall is not a single component; it is a strategy for protecting an organization's Internet-reachable resources. A firewall serves as the gatekeeper between the untrustworthy Internet and the more trustworthy internal networks.

The main function of a firewall is to centralize access control. If outsiders or remote users can access the internal networks without going through the firewall, its effectiveness is diluted. For example, if a traveling manager has a modem connected to his office computer that he or she can dial into while traveling, and that computer is also on the protected internal network, an attacker who can dial into that computer has circumvented the firewall. If a user has a dial-up Internet account with a commercial ISP, and sometimes connects to the Internet from his or her office computer via modem, he or she is opening an unsecured connection to the Internet that circumvents the firewall.

Firewalls provide several types of protection:

- They can block unwanted traffic.
- They can direct incoming traffic to more trustworthy internal systems.
- They hide vulnerable systems that cannot easily be secured from the Internet.
- They can log traffic to and from the private network.
- They can hide information such as system names, network topology, network device types, and internal user IDs from the Internet.
- They can provide more robust authentication than standard applications might be able to do.

As with any safeguard, there are trade-offs between convenience and security. Transparency is the visibility of the firewall to both inside users and outsiders going through a firewall. A firewall is transparent to users if they do not notice or stop at the firewall in order to access a network. Firewalls are typically configured to be transparent to internal network users (while going outside the firewall); on the other hand, firewalls are configured to be non-transparent for outside network users coming through the firewall. This generally provides the highest level of security without placing an undue burden on internal users.

Types of firewalls include packet filtering gateways, application gateways, and hybrid or complex gateways.

Virtual Private Networks and Wide Area Networks

Many organizations have local area networks and information servers spread across multiple locations. When organization-wide access to information or other LAN-based resources is required, leased lines are often used to connect the LANs into a Wide Area Network. Leased lines are relatively expensive to set up and maintain, making the Internet an attractive alternative for connecting physically separate LANs.

The major shortcoming to using the Internet for this purpose is the lack of confidentiality of the data flowing over the Internet between the LANs, as well as the vulnerability to spoofing and other attacks. Virtual private networks use encryption to provide the required security services. Typically encryption is performed between firewalls, and secure connectivity is limited to a small number of sites.

One important consideration when creating virtual private networks is that the security policies in use at each site must be equivalent. A VPN essentially creates one large network out of what were previously multiple independent networks. The security of the VPN will essentially fall to that of the lowest common denominator—if one LAN allows unprotected dial-up access, all resources on the VPN are potentially at risk.

Intrusion Detection Tools

Intrusion detection is the process of detecting unauthorized use of, or attack upon, a computer or network. Intrusion Detection Systems (IDSs) are software or hardware systems that detect such misuse. IDSs can detect attempts to compromise the confidentiality, integrity, and availability of a computer or network. The attacks can come from attackers on the Internet, authorized insiders who misuse the privileges given them, and unauthorized insiders who attempt to gain unauthorized privileges.

Intrusion detection capabilities are rapidly becoming necessary additions to every large organization's security infrastructure. The question for security professionals should not be whether to use intrusion detection, but which features and capabilities to use. However, one must still justify the purchase of an IDS. There are at least three good reasons to justify the acquisition of IDSs: to detect attacks and other security violations that cannot be prevented, to prevent attackers from probing a network, and to document the intrusion threat to an organization.

Virus Detection

Anti-virus tools perform three basic functions. Tools may be used to detect, identify, or remove viruses. Detection tools perform proactive detection, active detection, or reactive detection. That is, they detect a virus before it executes, during execution, or after execution. Identification and removal tools are more straightforward in their application; neither is of use until a virus has been detected.

Detection tools detect the existence of a virus on a system. These tools perform detection at a variety of points in the system. The virus may be actively executing, residing in memory, or being stored in executable code. The virus may be detected before execution, during execution, or after execution and replication. There are three categories of analysis detection tools:

Static Detection. Static analysis detection tools examine executables without executing them. They can be used to detect infected code before it is introduced to a system.

Detection by Interception. To propagate, a virus must infect other host programs. Some detection tools are intended to intercept attempts to perform such activities. These tools halt the execution of virus-infected programs as the virus attempts to replicate or become resident.

Detection of Modification. All viruses cause modification of executables in their replication process. As a result, the presence of viruses can also be detected by searching for the unexpected modification of executables. This process is sometimes called integrity checking. Note that this type of detection tool works only after infected executables have been introduced to the system and the virus has replicated.
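Detection of modification (integrity checking) can be shown in a few lines: record a hash of every executable while the system is known to be clean, then compare later. This is an added example, not part of the original document; the function names, the HMAC seal on the baseline, and the sample files and key are assumptions constructed for illustration.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(65536), b""):
            h.update(block)
    return h.hexdigest()

def snapshot(root):
    """Map relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file() and not p.is_symlink()}

def seal(hashes, key):
    """HMAC over the baseline so that an edited baseline is itself detected."""
    blob = json.dumps(hashes, sort_keys=True).encode()
    return hmac.new(key, blob, hashlib.sha256).hexdigest()

def check(root, baseline, tag, key):
    if not hmac.compare_digest(tag, seal(baseline, key)):
        raise ValueError("baseline failed its integrity check")
    now = snapshot(root)
    return {
        "modified": sorted(p for p in baseline if p in now and baseline[p] != now[p]),
        "added": sorted(set(now) - set(baseline)),
        "removed": sorted(set(baseline) - set(now)),
    }

def demo():
    """Constructed files in a temporary directory stand in for executables."""
    key = b"constructed-demo-key"  # assumption: the real key is kept off the monitored host
    with tempfile.TemporaryDirectory() as root:
        for name, data in {"app.bin": b"original code", "tool.bin": b"tool code"}.items():
            Path(root, name).write_bytes(data)
        baseline = snapshot(root)              # taken while the system is known clean
        tag = seal(baseline, key)
        Path(root, "app.bin").write_bytes(b"original code" + b"appended bytes")
        Path(root, "new.bin").write_bytes(b"unexpected file")
        Path(root, "tool.bin").unlink()
        return check(root, baseline, tag, key)
```

A baseline recorded after infection simply certifies the infected files as good, so the baseline and its key need to be created from a clean state and stored where the monitored system cannot rewrite them.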

Remote Access

Increasingly, businesses require remote access to their information systems. This may be driven by the need for traveling employees to access e-mail, sales people to remotely enter orders, or as a business decision to promote telecommuting. By its very nature, remote access to computer systems adds vulnerabilities by increasing the number of access points.
