General description

These are the top five security groups to consider in any business security model: security policy, perimeter security, network security, transaction security, and security monitoring. All of them are part of an effective business security strategy.

Any business network has a perimeter, which represents all the equipment and circuits that connect to external networks, both public and private. The internal network is made up of all the servers, applications, data, and devices used for company operations. The demilitarized zone (DMZ) is a location between the internal network and the perimeter, made up of firewalls and public servers. It allows external users some access to those public servers while denying traffic that would otherwise reach internal servers. That does not mean that all external users are denied access to internal networks; rather, a proper security strategy specifies who can access what and from where. For example, remote workers will use VPN concentrators at the edge to access Windows and Unix servers, and trading partners could use a VPN extranet connection to access the company's S/390 mainframe.

Define what security is required on all servers to protect company applications and files. Identify the transaction protocols required to protect data as it travels across secure and unsecured network segments. Then define monitoring activities that examine packets in real time as a defensive and proactive strategy against internal and external attacks. A recent survey revealed that insider attacks by disgruntled employees and consultants are more frequent than hacker attacks. Virus scanning also needs to be addressed, as a permitted session can still carry an application-layer virus inside an email or file transfer.

Security Policy Document

The security policy document outlines the policies that apply to all employees using the corporate network. It specifies what an employee is allowed to do and with which resources. The policy also covers non-employees such as consultants, business partners, customers, and laid-off employees. In addition, it defines security policies for Internet email and virus detection, and it states which cyclic process, if any, is used to examine and improve security.

Security Perimeter

This describes the first line of defense that external users must deal with before authenticating to the network. It covers traffic that originates from or is destined for an external network. Many components are used to protect the perimeter of a network, and the assessment reviews all edge devices currently in use. Typical edge devices are firewalls, external routers, TACACS servers, RADIUS servers, dial-up servers, VPN concentrators, and modems.

Network Security

This is defined as all legacy host and server security implemented to authenticate and authorize internal and external employees. Once a user has been authenticated by perimeter security, this is the security that must be addressed before any application is launched. The network exists to carry traffic between workstations and network applications. Network applications are deployed on a shared server that could run an operating system such as Windows, Unix, or Mainframe MVS. It is the responsibility of the operating system to store data, respond to requests for data, and maintain the security of that data. Once a user authenticates to a Windows ADS domain with a specific user account, they hold the privileges that have been granted to that account, such as access to specific directories on one or more servers, the ability to launch applications, and the ability to manage some or all of the Windows servers. When a user authenticates to distributed Windows Active Directory services, the authentication is not against any specific server. This brings tremendous administration and availability advantages, since all accounts are managed centrally and backup copies of the database are maintained on multiple servers across the network. Unix and Mainframe hosts generally require logging into a specific system; however, network rights can be distributed to many hosts.

Network operating system domain authentication and authorization

Windows Active Directory Services Authentication and Authorization

Unix and Mainframe Host Authentication and Authorization

Authorization of applications per server

Authorization of files and data

Transaction Security

Transaction security works from a dynamic perspective: each session should be secured with five main activities, namely non-repudiation, integrity, authentication, confidentiality, and virus detection. Transaction security ensures that session data is secured before it is transported across the enterprise or the Internet. This matters most on the Internet, where the data is exposed to anyone who would use valuable information without permission. Electronic commerce employs industry standards such as SET and SSL, which describe sets of protocols that provide non-repudiation, integrity, authentication, and confidentiality. In addition, virus scanning contributes to transaction security by examining data files for signs of virus infection before they are delivered to an internal user or sent over the Internet. Industry-standard transaction security protocols are listed below.

Non-repudiation: RSA digital signatures

Integrity: MD5 route authentication

Authentication: digital certificates

Privacy: IPSec/IKE/3DES

Virus detection: McAfee/Norton antivirus software
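As an added example (not from the original article), here is the "MD5 route authentication" item above in code: a keyed MD5 digest appended to an OSPF-style packet, in the style of RFC 2328 Appendix D, verified on the receiving side with a key-id lookup and a sequence-number check. The header values, keys and packet body are constructed samples, and nothing is sent on a network.

```python
import hashlib
import hmac
import struct

# Added example of keyed-MD5 route authentication in the style of OSPFv2
# cryptographic authentication (RFC 2328, Appendix D): the MD5 digest is taken
# over the packet followed by the shared key padded with zeros to 16 bytes.
# Header values below are constructed samples; nothing is put on the wire.
AUTH_CRYPTOGRAPHIC = 2

def ospf_header(length, router_id, area_id, key_id, seq):
    # 24-byte OSPFv2 header: version 2, type 1 (Hello), length, router id,
    # area id, checksum (0 when MD5 auth is used), AuType, reserved,
    # key id, auth data length (16), cryptographic sequence number.
    return struct.pack("!BBH4s4sHHHBBI", 2, 1, length, router_id, area_id,
                       0, AUTH_CRYPTOGRAPHIC, 0, key_id, 16, seq)

def sign_packet(body, key, key_id, seq, router_id=b"\x0a\x00\x00\x01",
                area_id=b"\x00\x00\x00\x00"):
    """Build header+body and append the 16-byte keyed digest (not counted in length)."""
    packet = ospf_header(24 + len(body), router_id, area_id, key_id, seq) + body
    digest = hashlib.md5(packet + key[:16].ljust(16, b"\x00")).digest()
    return packet + digest

def verify_packet(frame, keys, last_seq=None):
    """Return (accepted, seq). `keys` maps key id -> secret. Rejects an unknown
    key id, a bad digest, then a sequence number lower than the last accepted
    one (RFC 2328 allows equal numbers, so identical replays need other checks)."""
    if len(frame) < 24 + 16:
        return False, None
    packet, digest = frame[:-16], frame[-16:]
    key_id, auth_len, seq = struct.unpack("!BBI", packet[18:24])
    if auth_len != 16 or key_id not in keys:
        return False, seq
    expected = hashlib.md5(packet + keys[key_id][:16].ljust(16, b"\x00")).digest()
    if not hmac.compare_digest(expected, digest):   # wrong key or tampered data
        return False, seq
    if last_seq is not None and seq < last_seq:      # old or replayed packet
        return False, seq
    return True, seq
```

Keyed MD5 here is a message authentication code: it gives integrity and peer authentication, but not non-repudiation, because both routers hold the same key.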

Security Monitoring

Monitoring network traffic for security attacks, vulnerabilities, and unusual events is essential to any security strategy. This evaluation identifies which strategies and applications are being employed. The following describes some typical monitoring solutions. Intrusion detection sensors are available to monitor traffic in real time as it reaches your perimeter. IBM Internet Security Scanner is an excellent vulnerability assessment tool to consider for your organization. Syslog server messaging is a standard Unix program found in many companies; it writes security events to a log file for examination. It is important to have audit trails that record network changes and help isolate security issues. Large companies that use many analog dial lines for modems sometimes employ dial scanners to find open lines that attackers could exploit. Facility security typically means card-controlled access to the rooms housing the computers and servers that hold mission-critical data. Badge access systems record the date and time each employee entered and left the telecommunications room, and cameras sometimes also record what activities took place.

Intrusion Prevention Sensors (IPS)

Cisco markets intrusion prevention sensors (IPS) to enterprise customers to improve the security posture of the enterprise network. The Cisco IPS 4200 Series uses sensors at strategic locations on the internal and external network to protect switches, routers, and servers from hackers. IPS sensors examine network traffic in real time, comparing packets with predefined signatures. If a sensor detects suspicious behavior, it sends an alarm, drops the packet, and takes evasive action to counter the attack. A sensor can be deployed as an inline IPS, as an IDS that monitors traffic without sitting in its path, or as a hybrid device. Most sensors within the data center network will be designated IPS mode, whose dynamic security features thwart attacks as soon as they occur. Note that IOS intrusion prevention software is available today as an option on routers.

Vulnerability Assessment Tests (VAST)

IBM Internet Security Scanner (ISS) is a vulnerability assessment scanner aimed at enterprise customers that assesses network vulnerabilities from both an external and an internal perspective. The software runs on agents and scans network devices and servers for known security holes and potential vulnerabilities. The process consists of network discovery, data collection, analysis, and reporting. Data is collected from routers, switches, servers, firewalls, workstations, operating systems, and network services. Potential vulnerabilities are verified through non-destructive testing, and recommendations are made to correct any security issues. A reporting function presents the results to company personnel.

Syslog server messaging

Cisco IOS supports syslog, the standard Unix logging program, to report a variety of device activities and error conditions. Most routers and switches generate syslog messages, which are sent to a designated Unix workstation for review. If your Network Management Console (NMS) runs on Windows, there are utilities that let you view the log files and transfer syslog files between Unix and Windows NMS.
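As an added example (not part of the original article), the following parses Cisco IOS syslog lines in the form a Unix syslog server stores them and picks out the events the monitoring section cares about: configuration changes for the audit trail, and ACL denies and failed logins for spotting a host that should be isolated. The log lines are constructed samples, and the category table covers only three common IOS message types.

```python
import re
from collections import Counter

# Cisco IOS line as stored by a syslog server: <PRI>seq: timestamp: %FAC-SEV-MNEMONIC: msg
# PRI = syslog facility*8 + severity (RFC 3164); the %FAC-SEV-MNEMONIC tag is IOS's own.
IOS_LINE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?:\d+: )?(?P<ts>[^%]*?): ?"
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<msg>.*)$")
IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")
# IOS messages that feed the audit trail (config changes) or attack detection.
CATEGORY = {("SYS", "CONFIG_I"): "config-change",       # who configured the device, from where
            ("SEC", "IPACCESSLOGP"): "acl-deny",        # an ACL denied a TCP/UDP packet
            ("SEC_LOGIN", "LOGIN_FAILED"): "auth-failure"}
# Constructed sample lines, not real device output.
SAMPLE = [
    "<189>45: *Mar  1 00:12:34.567: %SEC-6-IPACCESSLOGP: list 101 denied tcp "
    "10.1.1.5(4321) -> 192.168.1.10(23), 1 packet",
    "<189>46: *Mar  1 00:13:01.002: %SYS-5-CONFIG_I: Configured from console by "
    "admin on vty0 (10.0.0.5)",
    "<188>47: *Mar  1 00:13:40.110: %SEC_LOGIN-4-LOGIN_FAILED: Login failed "
    "[user: root] [Source: 10.1.1.5] [localport: 22] [Reason: Login Authentication Failed]",
    "<187>48: *Mar  1 00:14:00.000: %LINK-3-UPDOWN: Interface FastEthernet0/1, "
    "changed state to down",
]

def parse_line(line):
    """Parse one IOS syslog line into a dict; None if the line is not IOS-formatted."""
    m = IOS_LINE.match(line)
    if not m:
        return None
    pri = int(m["pri"])
    ev = {"syslog_facility": pri // 8, "syslog_severity": pri % 8,
          "timestamp": m["ts"].lstrip("*"), "facility": m["facility"],
          "ios_severity": int(m["sev"]), "mnemonic": m["mnemonic"], "msg": m["msg"]}
    ev["category"] = CATEGORY.get((ev["facility"], ev["mnemonic"]), "other")
    ip = IPV4.search(ev["msg"])              # first IPv4 address in the message text
    ev["source"] = ip.group(1) if ip else None
    return ev

def triage(lines=SAMPLE):
    return [ev for ev in map(parse_line, lines) if ev]

def suspicious_sources(events, threshold=2):
    """Hosts with at least `threshold` ACL denies or failed logins: worth isolating."""
    hits = Counter(e["source"] for e in events
                   if e["category"] in ("acl-deny", "auth-failure") and e["source"])
    return sorted(src for src, n in hits.items() if n >= threshold)
```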

Copyright 2006 Shaun Hummel All Rights Reserved
