Network security model: defining a business security strategy
Five security groups should be considered in any business security model: security policy, perimeter security, network security, transaction security, and monitoring security. All five are part of an effective business security strategy.

Every business network has a perimeter, which represents all the equipment and circuits connected to external networks, both public and private. The internal network is made up of all the servers, applications, data, and devices used to run the company. The demilitarized zone (DMZ) sits between the internal network and the perimeter and is made up of firewalls and public servers. It allows some external users to reach those public servers while denying the traffic that would otherwise reach the internal servers. This does not mean that all external users are denied access to internal networks; rather, a proper security strategy specifies who can access what, and from where. For example, telecommuters use VPN concentrators at the edge to access Windows and Unix servers, and business partners could use a VPN extranet connection to access the company's S/390 mainframe.

Define what security is required on each server to protect company files and applications. Identify the transaction protocols needed to protect data as it travels through secure and insecure network segments. Then define monitoring activities that examine packets in real time, as a defensive and proactive strategy against internal and external attacks. A recent survey revealed that insider attacks by disgruntled employees and consultants are more frequent than hacker attacks. Finally, virus detection should be addressed, since an allowed session could carry an application-layer virus in an e-mail or file transfer.
Security policy document
The security policy document describes the policies that apply to every employee using the corporate network. It specifies what an employee can do and with which resources. The policy also covers non-employees such as consultants, business partners, clients, and laid-off employees. In addition, security policies are defined for Internet e-mail and virus detection. The document also defines what cyclical process, if any, is used to examine and improve security.
Perimeter security is the first line of defense that external users must deal with before authenticating to the network. It covers traffic whose origin or destination is an external network. Many components are used to protect the perimeter of a network, and the assessment reviews all edge devices currently in use. Typical edge devices are firewalls, external routers, TACACS servers, RADIUS servers, dial-up servers, VPN concentrators, and modems.
Network security is defined as all of the legacy host and server security implemented to authenticate and authorize internal and external employees. Once a user has been authenticated through perimeter security, network security must be addressed before any application is started. The network exists to carry traffic between workstations and network applications. Network applications are deployed on shared servers that could run an operating system such as Windows, Unix, or mainframe MVS. It is the responsibility of the operating system to store data, respond to requests for data, and maintain the security of that data. Once a user authenticates to a Windows ADS domain with a specific user account, they hold the privileges granted to that account, such as access to specific directories on one or more servers, the right to start applications, and administration of some or all of the Windows servers. When a user authenticates to distributed Windows Active Directory Services, the login is to the domain rather than to a specific server. This has tremendous management and availability benefits, since all accounts are managed centrally and backup copies of the database are maintained on multiple servers across the network. Unix and mainframe hosts generally require login to a specific system; however, network rights could be distributed across many hosts.
Network operating system domain authentication and authorization
Windows Active Directory Services authentication and authorization
Unix and mainframe host authentication and authorization
Application authorization per server
File and data authorization
Transaction security works from a dynamic perspective. Each session should be secured with five main activities: non-repudiation, integrity, authentication, confidentiality, and virus detection. Transaction security ensures that session data is secure before it is transported over the company network or the Internet. This is especially important on the Internet, where data is vulnerable to those who would use the valuable information without permission. E-commerce employs industry standards such as SET and SSL, which describe a set of protocols that provide non-repudiation, integrity, authentication, and confidentiality. Additionally, virus detection provides transaction security by examining data files for signs of virus infection before they are delivered to an internal user or sent over the Internet. The following are the industry-standard transaction security protocols.
Non-repudiation: RSA digital signatures
Integrity: MD5 route authentication
Authentication: digital certificates
Confidentiality: IPSec / IKE / 3DES
Virus detection: McAfee / Norton antivirus software
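The integrity item above (MD5 authentication of routing updates between neighbouring routers) worked through as an added example; this is not code from the original article. It follows the OSPFv2 cryptographic-authentication layout of RFC 2328 Appendix D, and the key, router ID and payload are constructed for the demo.

```python
import hashlib
import hmac
import struct
# Added example, not code from the original article: keyed-MD5 authentication of
# routing updates in the style of OSPFv2 cryptographic authentication (RFC 2328,
# Appendix D). The shared key, padded to 16 bytes, is appended to the packet and
# hashed; the digest replaces the key on the wire. A neighbour with the same key
# recomputes it, so a modified packet or wrong key is rejected; the header
# sequence number gives replay protection (HMAC-SHA, RFC 5709, supersedes MD5).

AUTH_TYPE_CRYPTO = 2
HEADER_LEN = 24      # OSPF header; the digest that follows is not counted
DIGEST_LEN = 16

def _pad_key(key: bytes) -> bytes:
    if len(key) > DIGEST_LEN:
        raise ValueError("key must be at most 16 bytes")
    return key.ljust(DIGEST_LEN, b"\x00")

def build_packet(payload: bytes, router_id: int, key_id: int, seq: int) -> bytes:
    # version 2, type 1 (Hello), length, router id, area id, checksum (0 for AuType 2)
    hdr = struct.pack("!BBHIIH", 2, 1, HEADER_LEN + len(payload), router_id, 0, 0)
    # AuType, reserved, key id, auth data length, cryptographic sequence number
    hdr += struct.pack("!HHBBI", AUTH_TYPE_CRYPTO, 0, key_id, DIGEST_LEN, seq)
    return hdr + payload

def sign(packet: bytes, key: bytes) -> bytes:
    # sender: digest over packet || padded key, appended after the packet
    return packet + hashlib.md5(packet + _pad_key(key)).digest()

def verify(wire: bytes, key: bytes, last_seq: int = -1) -> bool:
    # receiver: check framing, then the sequence number, then the digest
    if len(wire) < HEADER_LEN + DIGEST_LEN:
        return False
    length = struct.unpack("!H", wire[2:4])[0]
    if length + DIGEST_LEN != len(wire):
        return False
    if struct.unpack("!I", wire[20:24])[0] <= last_seq:   # replayed or stale
        return False
    packet, received = wire[:length], wire[length:]
    expected = hashlib.md5(packet + _pad_key(key)).digest()
    return hmac.compare_digest(expected, received)

def demo():
    key = b"r0uter-s3cret"                       # constructed key for the demo
    wire = sign(build_packet(b"\x00" * 20, 0x0A000001, 1, 7), key)
    tampered = wire[:30] + bytes([wire[30] ^ 0x01]) + wire[31:]   # flip one payload bit
    return (verify(wire, key), verify(tampered, key),
            verify(wire, b"wrong-key"), verify(wire, key, last_seq=7))
```

`demo()` returns `(True, False, False, False)`: the genuine packet verifies, while the tampered packet, the wrong key and the replayed sequence number are all rejected.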
Monitoring network traffic for security attacks, vulnerabilities, and unusual events is essential to any security strategy. This assessment identifies which strategies and applications are in use. The following list describes some typical monitoring solutions. Intrusion detection sensors are available to monitor real-time traffic as it reaches your perimeter. IBM Internet Security Scanner is an excellent vulnerability assessment tool to consider for your organization. Syslog server messaging is a standard Unix program found in many companies that writes security events to a log file for examination. It is important to have audit trails that record changes to the network and help isolate security problems. Large companies that use many analog dial lines for modems sometimes use dial scanners to find open lines that could be exploited by hackers. Premises security is typically credential-based access to computers and servers that host mission-critical data. Badge access systems record the date and time each employee entered and left the telecommunications room, and cameras sometimes also record what specific activities were carried out.
Intrusion Prevention Sensors (IPS)
Cisco markets Intrusion Prevention Sensors (IPS) to enterprise customers to improve the security posture of the enterprise network. The Cisco IPS 4200 Series places sensors at strategic locations on and off the network to protect switches, routers, and servers from hackers. The sensors examine network traffic in real time, comparing packets against predefined signatures. If a sensor detects suspicious behavior, it sends an alarm, drops the packet, and takes evasive action to counter the attack. A sensor can be deployed as an inline IPS, as an IDS (where traffic does not flow through the device), or as a hybrid. Most sensors within the data center network will be designated IPS mode, whose dynamic security features thwart attacks as soon as they occur. Note that IOS intrusion prevention software is available today as an option on routers.
Vulnerability Assessment Test (VAST)
IBM Internet Security Scanner (ISS) is a vulnerability assessment scanner aimed at enterprise customers that assesses network vulnerabilities from both an external and an internal perspective. The software runs on agents and scans network devices and servers for known security holes and potential vulnerabilities. The process consists of network discovery, data collection, analysis, and reporting. Data is collected from routers, switches, servers, firewalls, workstations, operating systems, and network services. Potential vulnerabilities are verified through non-destructive testing, and recommendations are made to correct any security issues found. A reporting function presents the findings to company personnel.
Syslog server messaging
Cisco IOS supports Syslog, a Unix logging program, to report a variety of device activities and error conditions. Most routers and switches generate Syslog messages, which are sent to a designated Unix workstation for review. If your Network Management Console (NMS) runs on the Windows platform, there are utilities that let you view log files and exchange syslog files between Unix and Windows NMS.
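The collector side of the Syslog monitoring just described, together with the audit-trail point made in the monitoring section, as an added example that is not code from the original article. It parses the standard Cisco IOS message header (%FACILITY-SEVERITY-MNEMONIC: text) and pulls out configuration changes and ACL denies; the log lines in SAMPLE_LOG are constructed for this example.

```python
import re
from collections import Counter

# Added example, not code from the original article: the collector side of the
# syslog monitoring described above. Cisco IOS messages carry a
# %FACILITY-SEVERITY-MNEMONIC: text header; this picks out the events that feed
# the article's monitoring strategy: configuration changes (the audit trail)
# and ACL denies logged at the perimeter. SAMPLE_LOG is constructed for this
# example, not captured from real devices.

IOS_MSG = re.compile(
    r"%(?P<facility>[A-Z0-9_]+)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.*)$")
ACL_DENY = re.compile(
    r"list (?P<acl>\S+) denied (?P<proto>\w+) (?P<src>[\d.]+)\(\d+\) -> "
    r"(?P<dst>[\d.]+)\((?P<dport>\d+)\), (?P<count>\d+) packet")

SAMPLE_LOG = """\
<190>101: *Mar  1 02:15:02.001: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4412) -> 192.0.2.10(23), 3 packets
<189>102: *Mar  1 02:16:10.120: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (192.0.2.55)
<190>103: *Mar  1 02:16:33.900: %SEC-6-IPACCESSLOGP: list 101 denied tcp 203.0.113.7(4413) -> 192.0.2.10(22), 1 packet
<189>104: *Mar  1 02:17:44.500: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
<190>105: *Mar  1 02:18:01.000: %SEC-6-IPACCESSLOGP: list 101 denied udp 198.51.100.9(53000) -> 192.0.2.10(161), 1 packet
this line is not an IOS message and must be skipped
"""

def parse_line(line):
    # returns the facility/severity/mnemonic/text fields, or None if the line
    # is not in IOS format (truncated, or from a different device type)
    m = IOS_MSG.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["severity"] = int(rec["severity"])
    return rec

def summarize(log_text):
    # (config changes for the audit trail, denied packets per source address,
    # count of severity 0-2 messages that should page someone)
    changes, denies, urgent = [], Counter(), 0
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["severity"] <= 2:
            urgent += 1
        if rec["mnemonic"] == "CONFIG_I":
            changes.append(rec["text"])
        elif rec["mnemonic"] == "IPACCESSLOGP":
            d = ACL_DENY.search(rec["text"])
            if d:
                denies[d["src"]] += int(d["count"])
    return changes, dict(denies), urgent
```

On the sample, `summarize(SAMPLE_LOG)` reports one configuration change by admin from 192.0.2.55, four denied packets from 203.0.113.7 and one from 198.51.100.9, and no severity 0-2 messages.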
Copyright 2006 Shaun Hummel All rights reserved