Implementing network security within

an I.T network company

Developing Security Polices and Controls
A company's security plan consists of security policies. Security policies
give specific guidelines for areas of responsibility, and consist of plans
that provide steps to take and rules to follow to implement the policies.
Policies should define what you consider valuable, and should specify
what steps should be taken to safeguard those assets. Policies can be
drafted in many ways. One example is a general policy of only a few
pages that covers most possibilities. Another example is a draft policy for
different sets of assets, including e-mail policies, password policies,
Internet access policies, and remote access policies.

Two common problems with organizational policies are:

1. The policy is a platitude rather than a decision or direction.
2. The policy is not really used by the organization. Instead it is a piece
of paper to show to auditors, lawyers, other organizational
components, or customers, but it does not affect behaviour.

A good risk assessment will determine whether good security policies and
controls are implemented. Vulnerabilities and weaknesses exist in security
policies because of poor security policies and the human factor, as shown
in the following diagram. Security policies that are too stringent are often
bypassed because people get tired of adhering to them (the human
factor), which creates vulnerabilities for security breaches and attacks.

Types of Security Policies

Policies can be defined for any area of security. It is up to the security
administrator and IT manager to classify what policies need to be defined
and who should plan the policies. There could be policies for the whole
company or policies for various sections within the company. The various
types of policies that could be included are:

Password policies

Administrative Responsibilities

User Responsibilities

E-mail policies

Internet policies

Backup and restore policies

Password Policies
The security provided by a password system depends on the passwords
being kept secret at all times. Thus, a password is vulnerable to
compromise whenever it is used, stored, or even known. In a passwordbased authentication mechanism implemented on a system, passwords
are vulnerable to compromise due to five essential aspects of the
password system:

A password must be initially assigned to a user when enrolled on the

system.

A user's password must be changed periodically.

The system must maintain a "password database."

Users must remember their passwords.

Users must enter their passwords into the system at authentication

time.

Employees may not disclose their passwords to anyone. This

includes administrators and IT managers.

Password policies can be set depending on the needs of the organization.

For example, it is possible to specify minimum password length, no blank
passwords, and maximum and minimum password age. It is also possible
to prevent users from reusing passwords and ensure that users use
specific characters in their passwords making passwords more difficult to
crack

Administrative Responsibilities

Many systems come from the vendor with a few standard user logins
already enrolled in the system. Change the passwords for all standard
user logins before allowing the general user population to access the
system. For example, change administrator password when installing the
system.
The administrator is responsible for generating and assigning the initial
password for each user login. The user must then be informed of this
password. In some areas, it may be necessary to prevent exposure of the
password to the administrator. In other cases, the user can easily nullify
this exposure. To prevent the exposure of a password, it is possible to use
smart card encryption in conjunction with the user's username and
password. Even if the administrator knows the password, he or she will be
unable to use it without the smart card. When a user's initial password
must be exposed to the administrator, this exposure may be nullified by
having the user immediately change the password by the normal
procedure.
Occasionally, a user will forget the password or the administrator may
determine that a user's password may have been compromised. To be
able to correct these problems, it is recommended that the administrator
be permitted to change the password of any user by generating a new
one. The administrator should not have to know the user's password in
order to do this, but should follow the same rules for distributing the new
password that apply to initial password assignment. Positive identification
of the user by the administrator is required when a forgotten password
must be replaced.

User Responsibilities
Users should understand their responsibility to keep passwords private
and to report changes in their user status, suspected security violations,
and so forth. To assure security awareness among the user population, we
recommend that each user be required to sign a statement to
acknowledge understanding these responsibilities.
The simplest way to recover from the compromise of a password is to
change it. Therefore, passwords should be changed on a periodic basis to
counter the possibility of undetected password compromise. They should
be changed often enough so that there is an acceptably low probability of
compromise during a password's lifetime. To avoid needless exposure of
users' passwords to the administrator, users should be able to change
their passwords without intervention by the administrator.

Technologies to Secure Network

Connectivity
Businesses and other organizations use the Internet because it provides
useful services. Organization could choose to support or not support
Internet-based services based on a business plan or an information
technology strategic plan. In other words, organizations should analyze
their business needs, identify potential methods of meeting the needs,
and consider the security ramifications of the methods along with cost
and other factors.
Most organizations use Internet-based services to provide enhanced
communications between business units, or between the business and its
customers, or provide a cost-savings means of automating business
processes. Security is a key considerationa single security incident can
wipe out any cost savings or revenue provided by Internet connectivity.
Some of the ways to protect the organization from outside intrusions
include firewalls and virtual private networks (VPN).

Firewalls
Many organizations have connected or want to connect their private LANs
to the Internet so that their users can have convenient access to Internet
services. Since the Internet as a whole is not trustworthy, their private
systems are vulnerable to misuse and attack. A firewall is a safeguard that
one can use to control access between a trusted network and a less
trusted one. A firewall is not a single component; it is a strategy for
protecting an organization's Internet-reachable resources. A firewall
serves as the gatekeeper between the untrustworthy Internet and the
more trustworthy internal networks.

The main function of a firewall is to centralize access control. If outsiders

or remote users can access the internal networks without going through
the firewall, its effectiveness is diluted. For example, if a traveling
manager has a modem connected to his office computer that he or she
can dial into while traveling, and that computer is also on the protected
internal network, an attacker who can dial into that computer has
circumvented the firewall. If a user has a dial-up Internet account with a
commercial ISP, and sometimes connects to the Internet from his or her
office computer via modem, he or she is opening an unsecured connection
to the Internet that circumvents the firewall. Firewalls provide several
types of protection:

They can block unwanted traffic.

They can direct incoming traffic to more trustworthy internal

systems.
They hide vulnerable systems that cannot easily be secured from
the Internet.
They can log traffic to and from the private network.

They can hide information such as system names, network topology,

network device types, and internal user IDs from the Internet.
They can provide more robust authentication than standard
applications might be able to do.

As with any safeguard, there are trade-offs between convenience and

security. Transparency is the visibility of the firewall to both inside users
and outsiders going through a firewall. A firewall is transparent to users if
they do not notice or stop at the firewall in order to access a network.
Firewalls are typically configured to be transparent to internal network
users (while going outside the firewall); on the other hand, firewalls are
configured to be non-transparent for outside network coming through the
firewall. This generally provides the highest level of security without
placing an undue burden on internal users.
Types of firewalls include packet filtering gateways, application gateways,
and hybrid or complex gateways.

Virtual Private Networks and Wide Area

Networks
Many organizations have local area networks and information servers
spread across multiple locations. When organization-wide access to
information or other LAN-based resources is required, leased lines are
often used to connect the LANs into a Wide Area Network. Leased lines are
relatively expensive to set up and maintain, making the Internet an
attractive alternative for connecting physically separate LANs
.

The major shortcoming to using the Internet for this purpose is the lack of
confidentiality of the data flowing over the Internet between the LANs, as
well as the vulnerability to spoofing and other attacks. Virtual private
networks use encryption to provide the required security services.
Typically encryption is performed between firewalls, and secure
connectivity is limited to a small number of sites.
One important consideration when creating virtual private networks is that
the security policies in use at each site must be equivalent. A VPN
essentially creates one large network out of what were previously multiple
independent networks. The security of the VPN will essentially fall to that
of the lowest common denominatorif one LAN allows unprotected dialup access, all resources on the VPN are potentially at risk.

Intrusion Detection Tools

Intrusion detection is the process of detecting unauthorized use of, or
attack upon, a computer or network. Intrusion Detection Systems (IDSs)
are software or hardware systems that detect such misuse. IDSs can
detect attempts to compromise the confidentiality, integrity, and
availability of a computer or network. The attacks can come from
attackers on the Internet, authorized insiders who misuse the privileges
given them, and unauthorized insiders who attempt to gain unauthorized
privileges.
Intrusion detection capabilities are rapidly becoming necessary additions
to every large organization's security infrastructure. The question for
security professionals should not be whether to use intrusion detection,
but which features and capabilities to use. However, one must still justify
the purchase of an IDS. There are at least three good reasons to justify the
acquisition of IDSs: to detect attacks and other security violations that
cannot be prevented, to prevent attackers from probing a network, and to
document the intrusion threat to an organization.

Virus Detection
Anti-virus tools perform three basic functions. Tools may be used to
detect, identify, or remove viruses. Detection tools perform proactive
detection, active detection, or reactive detection. That is, they detect a
virus before it executes, during execution, or after execution. Identification

and removal tools are more straightforward in their application; neither is

of use until a virus has been detected.
Detection tools detect the existence of a virus on a system. These tools
perform detection at a variety of points in the system. The virus may be
actively executing, residing in memory, or being stored in executable
code. The virus may be detected before execution, during execution, or
after execution and replication. There are three categories of analysis
detection tools:

Static Detection. Static analysis detection tools examine

executables without executing them. They can be used to detect
infected code before it is introduced to a system.

Detection by Interception. To propagate, a virus must infect

other host programs. Some detection tools are intended to intercept
attempts to perform such activities. These tools halt the execution
of virus-infected programs as the virus attempts to replicate or
become resident.

Detection of Modification. All viruses cause modification of

executables in their replication process. As a result, the presence of
viruses can also be detected by searching for the unexpected
modification of executables. This process is sometimes called
integrity checking. Note that this type of detection tool works only
after infected executables have been introduced to the system and
the virus has replicated.

Remote Access
Increasingly, businesses require remote access to their information
systems. This may be driven by the need for traveling employees to
access e-mail, sales people to remotely enter orders, or as a business

decision to promote telecommuting. By its very nature, remote access to

computer systems adds vulnerabilities by increasing the number of access
points.