
Chapter Fifteen

Working with Network Security

Objectives

• To discover what dangers lurk in that great big world

• To examine the basic concepts of security

• To find out when you might have too much security

• To learn what security features are offered by the NOS (network operating system)

• To find out what makes a good password policy

• To review data encryption

• To learn to block out unwanted visitors

• To examine some security protocols

What Are the Dangers?

• Data accessed or destroyed by intruders

• Data accessed or destroyed from the inside

• Physically stolen data or equipment

• Data lost or corrupted due to equipment failure

• Viruses and other malicious code

Some Security Considerations

• Physical security
– Equipment and drives must be protected from theft.

• Environmental damage

• Levels of risk
– Just how sensitive is your data?

Physical Security

• Hard disks are easily removed.
– The data can then be extracted at leisure in a safe location.

• A physical disaster can destroy the equipment housing your critical data.

Environmental Damage

• The Indian Ocean tsunami of December 2004 showed how much damage nature can wreak.

• Voltage surges and/or static electricity can cause data loss.

Risk Levels

• Low risk
– Loss or damage to data will not cause an interruption of business or personal risk to people.

• Medium risk
– Loss or damage to data results in noticeable disruption of workflow and/or involves putting people at noticeable risk.

• High risk
– Loss or damage to data could bring the company to a standstill and/or cause serious harm to people.

Can You Have Too Much Security?

• If files or other resources can’t be accessed by the people who need them…

• If passwords are made too difficult for the average person to remember…

• Three levels of firewalls to protect your saved Redneck Rampage games might be a bit much.

Opening Doors to the Outside

• Internet access and e-mail are now essential parts of doing business.

• Work-at-home users need to be able to log in remotely.

• Customer support might require maintaining an intranet that customers can reach from outside.

Guarding the Gates

• Firewalls can limit access from the outside

• Access control lists on a router interface

• Securing remote access service (RAS) connections

Security in the NOS

• A network operating system includes a certain degree of security.
– Share-level versus user-level security (discussed earlier)
– User authentication (discussed earlier)
– File system security
– Securing printing devices
– Directory services

• IPsec

• Kerberos

File System Security

• The Novell file system and NTFS both provide extensive security barriers.
– Each one provides different permissions to resources.
– Each one allows you to monitor users and what they're doing on the network.

Windows Permissions

• Full control

• Modify

• Read and execute

• List folder contents

• Read

• Write

Novell Permissions

• Browse

• Create

• Delete

• Inheritance control (Inheritable)

• Rename

• Supervisor

• Note: these are the NDS/eDirectory object rights. Trustee rights on the NetWare file system itself are a separate set (Supervisor, Read, Write, Create, Erase, Modify, File Scan, Access Control).

A Good Password Policy

• Never reveal your password to anyone.

• Force periodic password changes. (Current NIST guidance, SP 800-63B, prefers changing passwords when there is evidence of compromise rather than on a fixed schedule; if you do enforce an age limit, pair it with the other rules below.)

• Do not use common names or dictionary words in a password.

• Mix alphabetic and numeric characters with a reasonable mix of punctuation.

• Mix upper- and lower-case letters.

• Force a minimum password length.

• Don't allow previous passwords to be reused.
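A checker that enforces the rules above at password-change time, added here as an example (it is not code from the original slides). The thresholds (12-character minimum, 5-entry history, 90-day maximum age) and the tiny common-word list are assumptions chosen for illustration; a real deployment would load a proper breached-password list. Old passwords are kept only as salted PBKDF2 hashes, so the reuse check never needs the plaintext of earlier passwords.

```python
import hashlib
import hmac
import os
import re
from typing import List, Tuple

# Assumed policy parameters (not from the slides), chosen for illustration.
MIN_LENGTH = 12            # forced minimum length
HISTORY_SIZE = 5           # how many previous passwords may not be reused
MAX_AGE_DAYS = 90          # forced periodic change
# Constructed list of common words that must not appear anywhere in a password.
COMMON_WORDS = ("password", "welcome", "letmein", "qwerty", "admin")

# History entries are (salt, PBKDF2 digest); plaintext passwords are never stored.
History = List[Tuple[bytes, bytes]]


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted, deliberately slow hash so a leaked history does not reveal old passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_password(candidate: str, history: History) -> List[str]:
    """Return the policy rules the candidate violates (an empty list means it passes)."""
    problems: List[str] = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", candidate):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", candidate):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", candidate):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", candidate):
        problems.append("no punctuation")
    lowered = candidate.lower()
    for word in COMMON_WORDS:
        if word in lowered:
            problems.append(f"contains common word '{word}'")
    # Compare against the last HISTORY_SIZE entries in constant time.
    for salt, digest in history[-HISTORY_SIZE:]:
        if hmac.compare_digest(hash_password(candidate, salt), digest):
            problems.append("reuses a previous password")
            break
    return problems


def remember(password: str, history: History) -> None:
    """Record an accepted password (salted hash only) for the reuse check."""
    salt = os.urandom(16)
    history.append((salt, hash_password(password, salt)))


def is_expired(changed_at: float, now: float) -> bool:
    """True when the password is older than MAX_AGE_DAYS (timestamps in seconds)."""
    return now - changed_at > MAX_AGE_DAYS * 86400


if __name__ == "__main__":
    history: History = []
    for candidate in ("short", "Welcome2024!!", "Correct-Horse-42!"):
        print(candidate, "->", check_password(candidate, history) or "OK")
    remember("Correct-Horse-42!", history)
    print("again ->", check_password("Correct-Horse-42!", history))
```

Note that the common-word test is a substring match on the lower-cased candidate, so "Welcome2024!!" is rejected even though it satisfies every character-class rule; a plain "must contain" checklist would have accepted it.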

Data Encryption

• NTFS 5.0 (Windows 2000) introduced the Encrypting File System (EFS).
– Allows users to individually encrypt files or folders.
– Each file is encrypted with its own random file encryption key (FEK); the FEK is in turn encrypted to the user's public key and to the public key of each designated recovery agent.
– Provides a recovery agent for getting back data whose owner's key is lost.
– Uses a 128-bit encryption key (the Windows 2000 default; Windows XP SP1 and later default to AES with a 256-bit key).

Basic Rules for Using Encryption

• Make sure a recovery agent is assigned and trained.

• Be careful who you choose as a recovery agent.

• Don’t use it if you don’t need it.

Building Barriers

• Firewalls

• Proxy servers

• Access lists

Firewalls

• A firewall can be a circuit-level gateway or an application-level gateway (or a plain packet filter).
– A circuit-level gateway relays TCP sessions on behalf of inside hosts, so all outbound traffic leaves from one point.
– The source IP address of each inside host is substituted with that of the gateway, hiding the internal addressing.
– An application-level gateway works at the software (application protocol) level, masks internal IP addresses, and can inspect the protocol it proxies (HTTP, SMTP, FTP).

• All firewalls can filter packets by IP address or protocol (and port); more advanced firewalls filter by content.

Proxy Servers

• A single machine provides access to the outside world (similar to a circuit gateway).

• Private IP addressing is used inside the network.

• Only the ISP-assigned IP address of the proxy server is visible to the outside world.

• They can cache frequently accessed pages to provide faster Internet browsing for users.

Access Lists

• Configured as either an inbound or an outbound list on an interface of a router

• Entries are evaluated top-down; the first match decides, and every list ends with an implicit deny of whatever it did not explicitly permit

• Can filter traffic by source and destination IP address, protocol and port number; switch ACLs can also match MAC addresses. Host names are resolved to addresses when the list is written, and filtering on content needs a firewall or proxy that looks past the packet header.

• Outbound traffic can have different rules than inbound traffic
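The packet-filtering behaviour described in the Firewalls and Access Lists slides, as an added example (not code from the original): a small evaluator that applies a separate inbound and outbound list to packets on one router interface, first match wins, implicit deny at the end. The rule syntax is a hypothetical, simplified form of an extended IP access list, not real router syntax, and the addresses (inside 192.168.0.0/16, DMZ web server 203.0.113.10, resolver 198.51.100.53) are constructed documentation addresses.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Hypothetical simplified rule syntax (not real IOS syntax), one rule per line:
#   permit|deny <proto|ip> <src-cidr|any> <dst-cidr|any> [dst-port]


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    action: str         # "permit" or "deny"
    proto: str          # "ip" matches any protocol
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    dport: Optional[int]


def _net(spec: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network("0.0.0.0/0" if spec == "any" else spec, strict=False)


def parse_acl(text: str) -> List[Rule]:
    """Parse rules in list order; blank lines and '!' comment lines are ignored."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("!"):
            continue
        parts = line.split()
        action, proto, src, dst = parts[:4]
        dport = int(parts[4]) if len(parts) > 4 else None
        rules.append(Rule(action, proto, _net(src), _net(dst), dport))
    return rules


def evaluate(rules: List[Rule], pkt: Packet) -> str:
    """First matching rule wins; a packet that matches nothing hits the implicit deny."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)
    for rule in rules:
        if rule.proto != "ip" and rule.proto != pkt.proto:
            continue
        if src not in rule.src or dst not in rule.dst:
            continue
        if rule.dport is not None and rule.dport != pkt.dport:
            continue
        return rule.action
    return "deny"


# Constructed example lists for the Internet-facing interface of a router.
INBOUND_ACL = parse_acl("""
! anti-spoofing: private source addresses never legitimately arrive from the Internet
deny   ip  10.0.0.0/8       any
deny   ip  192.168.0.0/16   any
! only the public web server is reachable, and only on HTTPS/HTTP
permit tcp any 203.0.113.10/32 443
permit tcp any 203.0.113.10/32 80
""")

OUTBOUND_ACL = parse_acl("""
permit tcp 192.168.0.0/16 any 443
permit tcp 192.168.0.0/16 any 80
permit udp 192.168.0.0/16 198.51.100.53/32 53
! everything else (for example direct SMTP from workstations) hits the implicit deny
""")


def filter_packet(direction: str, pkt: Packet) -> str:
    """Apply the list bound to the given direction ("in" or "out") of the interface."""
    return evaluate(INBOUND_ACL if direction == "in" else OUTBOUND_ACL, pkt)


if __name__ == "__main__":
    samples = [
        ("in", Packet("tcp", "198.51.100.7", "203.0.113.10", 443)),   # permit
        ("in", Packet("tcp", "198.51.100.7", "203.0.113.10", 22)),    # implicit deny
        ("in", Packet("tcp", "10.1.2.3", "203.0.113.10", 443)),       # spoofed source, deny
        ("out", Packet("udp", "192.168.1.20", "198.51.100.53", 53)),  # permit
        ("out", Packet("tcp", "192.168.1.20", "198.51.100.9", 25)),   # implicit deny
    ]
    for direction, pkt in samples:
        print(direction, pkt, "->", filter_packet(direction, pkt))
```

The anti-spoofing entries sit first on purpose: because the first match decides, a packet from 10.1.2.3 to the web server is dropped before the permit for port 443 is ever consulted. Notice also that the inbound list as written allows nothing back to inside clients who opened outbound connections; a stateless router ACL needs an "established" style entry for return traffic, and that gap is exactly what stateful firewalls exist to close.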

Security Protocols

• Secure Sockets Layer (SSL)

• Transport Layer Security (TLS), the successor to SSL

• Secure/Multipurpose Internet Mail Extensions (S/MIME)

• IPsec

• Kerberos

Defense Against Viruses

• Viruses and other malevolent code can do any of the following:
– Bring performance to a crawl
– Destroy data or redirect it to unauthorized people
– Render a machine unbootable
– Turn an otherwise harmless machine into a spam relay

Types of Malevolent Code

• Viruses

• Worms

• Trojan horses

• Logic bombs

• Trap doors (back doors)

• Embedded macros

Good Antivirus Procedures

• Install an effective antivirus solution.

• Keep all updates and patches up to date.

• Regularly update signature files.

• Scan all incoming files as though your life depended on it.

The Virtual LAN

• A VLAN lets a group of devices on a switched network communicate as if they were on their own self-contained network.

• It is built on a managed (intelligent) switch configured to create the VLAN.

Static VLANs

• Port-based: the administrator assigns each switch port to a VLAN, and a device belongs to whatever VLAN its port is in.

• Frames from other parts of the network can't get in.

• Frames from the VLAN don't get out to the rest of the network unless a router (or layer-3 switch) forwards between VLANs.

Dynamic VLANs

• It requires a switch with intelligent management capability.

• Switches are configured to group devices together using a list of MAC addresses, by the applications running on systems or by protocol.
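A toy switch model, added here as an example (not code from the original slides), that shows the forwarding rule behind both VLAN types: learned addresses and flooding are kept per VLAN, so a frame never crosses from one VLAN to another inside the switch. Static membership is a port-to-VLAN map; dynamic membership is a MAC-to-VLAN map that moves a port into the device's VLAN when the device shows up on it. The MAC addresses, port numbers and VLAN IDs are constructed for the demonstration.

```python
from typing import Dict, Optional, Set, Tuple

BROADCAST = "ff:ff:ff:ff:ff:ff"


class Switch:
    """Toy VLAN-aware switch: source addresses are learned per VLAN, and unknown
    destinations or broadcasts are flooded only to ports in the same VLAN."""

    def __init__(self, port_vlans: Dict[int, int],
                 mac_vlans: Optional[Dict[str, int]] = None):
        self.port_vlans = dict(port_vlans)       # static: port -> VLAN, set by the administrator
        self.mac_vlans = dict(mac_vlans or {})   # dynamic: MAC -> VLAN, follows the device
        self.fdb: Dict[Tuple[int, str], int] = {}  # (vlan, mac) -> port it was learned on

    def assign_vlan(self, port: int, src_mac: str) -> int:
        """Dynamic membership overrides the static port assignment."""
        vlan = self.mac_vlans.get(src_mac)
        if vlan is not None:
            self.port_vlans[port] = vlan         # the port joins the VLAN of the device on it
        return self.port_vlans[port]

    def forward(self, in_port: int, src_mac: str, dst_mac: str) -> Set[int]:
        """Return the set of ports a frame arriving on in_port is sent out of."""
        vlan = self.assign_vlan(in_port, src_mac)
        self.fdb[(vlan, src_mac)] = in_port      # learn the source in this VLAN only
        out_port = self.fdb.get((vlan, dst_mac))
        if dst_mac != BROADCAST and out_port is not None:
            return set() if out_port == in_port else {out_port}
        # Unknown unicast or broadcast: flood, but only within the VLAN.
        return {p for p, v in self.port_vlans.items() if v == vlan and p != in_port}


# Constructed demo topology: ports 1-2 are engineering (VLAN 10), ports 3-4 finance (VLAN 20).
ENG_A, ENG_B = "aa:aa:aa:00:00:01", "aa:aa:aa:00:00:02"
FIN_C, FIN_D = "bb:bb:bb:00:00:03", "bb:bb:bb:00:00:04"
LAPTOP = "cc:cc:cc:00:00:05"   # a finance laptop whose VLAN follows it (dynamic entry)


def build_demo_switch() -> Switch:
    return Switch(port_vlans={1: 10, 2: 10, 3: 20, 4: 20},
                  mac_vlans={LAPTOP: 20})


if __name__ == "__main__":
    sw = build_demo_switch()
    print("A broadcasts:", sw.forward(1, ENG_A, BROADCAST))        # {2}: VLAN 10 ports only
    print("B answers A:", sw.forward(2, ENG_B, ENG_A))             # {1}: learned unicast
    print("C in finance tries to reach A:", sw.forward(3, FIN_C, ENG_A))  # {4}: never port 1
    print("laptop plugged into port 2:", sw.forward(2, LAPTOP, BROADCAST))  # {3, 4}
    print("A broadcasts again:", sw.forward(1, ENG_A, BROADCAST))  # set(): port 2 left VLAN 10
```

The finance host on port 3 cannot reach engineering host A even though A's address is in the forwarding table, because the lookup is keyed by (VLAN, MAC) and the flood that follows stays inside VLAN 20. The last two calls show the dynamic case: once the laptop in the MAC-to-VLAN table appears on port 2, that port moves to VLAN 20 and A's broadcast has nowhere left to go. In practice the same property means an attacker who can get a port reassigned (or who can inject tagged frames on a trunk) gets to pick their VLAN, which is why dynamic assignment should rest on authentication (802.1X) rather than on a MAC address alone.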