Friday, February 09, 2007

Network Security

Security is an essential part of maintaining any network and is the primary focus for a network administrator. While most people think that the main focus of a network administrator is to ensure that users can access data and other resources needed to perform their job functions, they don’t realize the work and attention needed to make certain all data is secure.

End users are happy as long as they get the data they need and don’t have to jump through hoops to get it. Account names and passwords by themselves only serve to keep honest people honest. There are many ways to compromise an account, and a capable attacker usually knows more tricks of the trade than the network administrator does. Additional authentication services and biometrics can improve security, but only to a certain degree.

If you’re responsible for a small operation, network security still cannot be compromised. Hackers don’t discriminate; they’re looking for sensitive corporate or financial data that they can exploit wherever it sits. Customers and clients don’t discriminate either; they expect the same service and reliability that they would get from a large corporation.

When it comes to protecting your network, there is no room for compromise. You must block the threats flowing around the Internet, especially viruses and other forms of malware that can compromise your network and end-user systems and lead to data loss and expensive downtime. Spam clogs up inboxes and e-mail servers and costs businesses billions of dollars each year. Spyware and targeted network intrusions are designed to steal valuable information from specific companies, which can hurt both revenue and reputation. Phishing attacks exploit user habits to steal personal information.

Every day, security threats are modified and refined as hackers use new conduits such as instant messaging, peer-to-peer connections, and wireless networks to deliver their attacks. In my opinion, the biggest headache for small businesses is the misuse of the Internet by employees. If a user visits an inappropriate site, sends or receives inappropriate content, or worse, violates confidentiality and leaks client information or company secrets, legal liability is sure to follow. End user education needs to be a top priority for all network administrators.

Insiders aren’t the most common security problem, but they can be among the most damaging to a company’s reputation. Insider attacks against IT infrastructure are among the security breaches most feared by both government and corporate security professionals. If an employee is terminated, it’s crucial that all system access be revoked immediately. About half of all insider attacks take place between the time an IT employee is dismissed and the time their user privileges are taken away. I was in a situation where a co-worker was dismissed because of poor work performance. The IT manager arranged for all user privileges to be terminated immediately after the employee was informed of his termination. He was allowed to remove personal items from his office and computer, but was supervised the entire time. There was a tremendous amount of planning involved to coordinate this, but it worked effectively.

When it comes to current employees, IT managers must keep an eye out for insubordination, anger over perceived mistreatment, or resistance to sharing responsibility or training colleagues; all of these are signs that someone may be capable of system sabotage or data theft. IT managers must be especially watchful any time someone with access to sensitive systems has a falling-out with his or her bosses.

Defending against insiders isn’t easy, but knowing what to look for and understanding who you’re up against certainly helps. Managers must not only monitor system access, but also let employees know their system changes can be tracked. Employers should be wary of people unwilling to share their knowledge about systems or uncomfortable with the fact that their activities accessing systems or data can be tracked.

There are six basic security rules for Windows systems that apply just as well to other platforms. A network administrator who follows the principles discussed here will have covered the fundamentals: they don’t make a system unbreakable, but they close off the easiest ways in.

First, segment the network into areas of trust and apply specific controls at the borders between them. A basic firewall can filter access to services; a more advanced one can inspect traffic and detect that it is harmful. Something as simple as blocking TCP port 1433 and UDP port 1434 (the SQL Server listener and the SQL Server resolution service) at the border firewall, allowing Internet access only to those SQL systems that must be reached from the Internet, and patching the SQL systems could prevent viruses or worms that target SQL Server from spreading across a network.

Systems are sometimes left unpatched because there are so many to patch. Focusing effort on the most exposed points will usually achieve adequate coverage. You can find a list of the most frequently probed ports used by Windows systems at www.sans.org/y2k/ports.htm. Not all of the ports listed are used by Windows, but you can make sure they are filtered at the firewall. A better standard is to block all ports by default and then unblock only the ports that are needed. Another good practice is to enumerate the open ports on each system and confirm that every one of them is legitimately required.
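The last two steps above (default-deny, then verify that every open port on a host is justified) can be checked mechanically. The following is an added example, not code from the original post: it parses the output of `netstat -an` as Windows prints it and reports any bound port that the host’s role does not justify. The sample netstat output, the role names and the per-role allowlists are constructed assumptions for the demonstration; a real deployment would keep the allowlists alongside the firewall rule set.

```python
"""Audit a Windows host's bound ports against a per-role allowlist.

Added example (not from the original post). Feed it the text of
`netstat -an` from a host and the host's role; it returns the ports that
the role does not explain, so "block everything, then open only what is
needed" can be verified on each host and not only at the border firewall.
"""
import re

# Constructed sample of `netstat -an` output from a Windows host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3389      0.0.0.0:0              LISTENING
  TCP    192.168.1.10:49152     10.0.0.5:445           ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:1434           *:*
"""

# Assumed per-role allowlists: (protocol, port) pairs a host of that role
# may legitimately expose. Anything else is a finding to investigate.
ALLOWED_PORTS = {
    "workstation": {("TCP", 135), ("TCP", 445), ("UDP", 137)},
    "sql-server": {("TCP", 135), ("TCP", 445), ("UDP", 137),
                   ("TCP", 1433), ("UDP", 1434)},
}

# One netstat row: proto, local addr:port, foreign addr:port, optional state.
# Works for IPv4 and bracketed IPv6 local addresses such as [::]:135.
_ROW = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+"
    r"(?P<laddr>\S+):(?P<lport>\d+)\s+"
    r"(?P<faddr>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s*$"
)


def bound_ports(netstat_text: str) -> set[tuple[str, int]]:
    """Return the (proto, port) pairs the host is accepting traffic on.

    TCP rows count only when LISTENING: ESTABLISHED rows are usually the
    client side of a connection on an ephemeral port. Every UDP row is a
    bound socket, because netstat prints no state for UDP.
    """
    found = set()
    for line in netstat_text.splitlines():
        m = _ROW.match(line)
        if not m:
            continue  # header and blank lines
        proto, port, state = m["proto"], int(m["lport"]), m["state"]
        if proto == "TCP" and state != "LISTENING":
            continue
        found.add((proto, port))
    return found


def unexpected_listeners(netstat_text: str, role: str) -> list[tuple[str, int]]:
    """Bound ports that the role's allowlist does not cover, sorted."""
    allowed = ALLOWED_PORTS[role]
    return sorted(p for p in bound_ports(netstat_text) if p not in allowed)


def missing_expected(netstat_text: str, role: str) -> list[tuple[str, int]]:
    """Allowlisted ports that are NOT bound: either a service that should be
    running has stopped, or the allowlist entry is stale and can be removed."""
    return sorted(ALLOWED_PORTS[role] - bound_ports(netstat_text))


if __name__ == "__main__":
    for role in ALLOWED_PORTS:
        print(role, "unexpected:", unexpected_listeners(SAMPLE_NETSTAT, role),
              "missing:", missing_expected(SAMPLE_NETSTAT, role))
```

Run against the sample, the workstation role flags the SQL listener (TCP 1433), the SQL resolution service (UDP 1434) and Remote Desktop (TCP 3389), while the sql-server role flags only Remote Desktop. The `missing_expected` check is the other half of keeping an allowlist honest: an entry nobody uses any more should be removed rather than left open.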

Second, mitigate the effect of spoofed ports and the increasing use of port 80 by new services. Port 80 is of course the most commonly open port, so attacks directed at a web server will not be stopped by an ordinary packet-filtering firewall. If the port an application wants is blocked, applications such as instant messaging and streaming media will automatically fall back to a port that is open, usually 80. Trojans can be designed to listen on any port and can be crafted to look like web traffic. Preventing this overuse and misuse means using an application-layer firewall that checks that traffic on port 80 really is HTTP, ensuring that a port is open only to the specific servers that need it, and configuring hosts with port filtering or IPSec blocking policies that block known troublesome ports.
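What “inspect traffic” means in practice for port 80 is shown by the following added example, which is not code from the original post. It performs the core check of an application-layer filter: rather than trusting the port number, it parses the first bytes a client sends and decides whether they form a well-formed HTTP request. The sample payloads (a browser request, a TLS record, an IRC-style bot banner, a CONNECT tunnel attempt, and a request that mimics HTTP without a Host header) are constructed, and the “suspect” verdict is a heuristic that assumes HTTP/1.1 clients send a Host header.

```python
"""Decide whether a payload arriving on port 80 is really HTTP.

Added example (not code from the original post). A packet filter sees
only "port 80"; this function looks at the request line and headers, the
way an application-layer firewall does, and returns a verdict the
firewall can act on. Sample payloads are constructed for the demo.
"""
import re

# Methods we are willing to forward to a plain web server.
HTTP_METHODS = {"GET", "POST", "HEAD", "PUT", "DELETE", "OPTIONS", "TRACE"}

# Request line: METHOD SP request-target SP HTTP/1.x CRLF
_REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/1\.([01])\r\n")


def classify_port80_payload(data: bytes) -> str:
    """Return 'http', 'connect-tunnel', 'suspect', 'incomplete' or 'not-http'."""
    m = _REQUEST_LINE.match(data)
    if not m:
        # TLS handshakes, IRC/IM banners, raw binary C2: none start with an
        # HTTP request line, whatever port they were sent to.
        return "not-http"
    method = m.group(1).decode("ascii")
    minor_version = m.group(3).decode("ascii")
    if method == "CONNECT":
        # Proxy tunnelling: legitimate only if this host is a proxy. On a
        # web server it is a classic way to smuggle arbitrary TCP over 80.
        return "connect-tunnel"
    if method not in HTTP_METHODS:
        return "not-http"
    head, sep, _body = data.partition(b"\r\n\r\n")
    if not sep:
        return "incomplete"  # need more bytes before deciding
    header_names = {
        line.split(b":", 1)[0].strip().lower()
        for line in head.split(b"\r\n")[1:]
        if b":" in line
    }
    if minor_version == "1" and b"host" not in header_names:
        # HTTP/1.1 requires Host; hand-rolled "HTTP-looking" tunnels often omit it.
        return "suspect"
    return "http"


# Constructed sample payloads, keyed by what they pretend to be.
SAMPLES = {
    "browser": b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
               b"User-Agent: demo\r\n\r\n",
    "tls_on_80": b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03",  # TLS ClientHello header
    "irc_bot": b"NICK bot1234\r\nUSER bot 0 * :bot\r\n",
    "tunnel": b"CONNECT irc.example.net:6667 HTTP/1.1\r\n"
              b"Host: irc.example.net:6667\r\n\r\n",
    "fake_http": b"POST /upload HTTP/1.1\r\nContent-Length: 12\r\n\r\nhello world!",
    "partial": b"GET / HTTP/1.1\r\nHost: a\r\n",
}


def audit_samples(samples: dict[str, bytes]) -> dict[str, str]:
    """Classify every sample payload; handy for a rule regression test."""
    return {name: classify_port80_payload(payload) for name, payload in samples.items()}


if __name__ == "__main__":
    for name, verdict in audit_samples(SAMPLES).items():
        print(f"{name:10s} -> {verdict}")
```

A firewall built on this would forward only the “http” verdict to the web server, drop “not-http” and “connect-tunnel” outright, buffer “incomplete” until the headers end, and log “suspect” for review. The check is deliberately strict about the request line; loosening it (for example to accept bare LF line endings) should be a conscious decision, because every relaxation is also a place where a tunnel can hide.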

Third, everyone agrees that the single most effective thing you can do to improve security on a network is to keep patches current. Over ninety percent of the systems that have been attacked could have been protected if known vulnerabilities had been closed through patching and configuration. A patching plan can be developed and followed with enormous benefit. Patches can be handled in several ways: manually, by downloading each patch, testing it, and applying it to a system; by visiting the Windows Update site to review the available patches and accepting or rejecting each proffered change; with Automatic Updates, configured to connect to Microsoft periodically to check for and download updates; with Software Update Services (SUS), a free server application that periodically downloads patches from Microsoft and distributes them to clients (it has since been superseded by Windows Server Update Services, WSUS); with Microsoft Systems Management Server (SMS), which is purchased separately from the Windows operating system and provides patch deployment among many other management services; or with third-party patching products that provide similar services. Whichever you choose, test patches on a representative system before rolling them out widely.

Strengthening authentication can also help to secure your network. Start by enforcing a strong password policy, and add another form of authentication alongside it where you can. Use technology and physical security to protect password databases and other authentication material. Also understand that Windows authentication protocols vary, and backward compatibility means that weaker authentication (such as stored LM hashes or NTLMv1 challenge-response) may still be used even by the most recent version of the operating system unless it is explicitly disabled. One very important point to recognize is that your network is only as secure as its least secure part.
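Enforcing a strong password policy is more than setting a minimum length. The following added example, not code from the original post, mirrors the built-in Windows “password must meet complexity requirements” rule (three of four character classes, no account name, no fragment of the full name longer than two characters) and layers on the checks a practitioner usually adds: a longer minimum length, a blocklist of common passwords, and a warning when the password is short enough to be stored as a backward-compatible LM hash. The minimum length, the blocklist and the sample passwords are constructed assumptions.

```python
"""Check a proposed password against a strong-password policy.

Added example (not from the original post). check_password() returns the
list of policy violations (empty means acceptable); lm_hash_exposed()
reports whether Windows would also store a weak LM hash for it, which
happens for passwords of 14 characters or fewer unless LM storage is
disabled. The policy constants are assumed values for the demo.
"""
import re
import string

MIN_LENGTH = 12        # assumed local policy; the Windows complexity rule itself needs only 6
LM_MAX_LENGTH = 14     # LM hashes are only generated for passwords this long or shorter
COMMON_PASSWORDS = {"password", "welcome", "letmein", "qwerty", "p@ssw0rd"}  # constructed list

# The four Windows character classes; three must be present.
CLASSES = {
    "upper": set(string.ascii_uppercase),
    "lower": set(string.ascii_lowercase),
    "digit": set(string.digits),
    "symbol": set(string.punctuation),
}


def name_fragments(full_name: str) -> list[str]:
    """Tokens of the full name longer than two characters.

    Windows splits the display name on commas, periods, dashes, underscores,
    spaces, pound signs and tabs, and rejects passwords containing any token
    of three or more characters (case-insensitively)."""
    return [t for t in re.split(r"[,.\-_ #\t]+", full_name) if len(t) > 2]


def check_password(password: str, account: str, full_name: str = "") -> list[str]:
    """Return the policy violations for `password`; an empty list means it passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes_hit = sum(1 for chars in CLASSES.values() if any(c in chars for c in password))
    if classes_hit < 3:
        problems.append("uses fewer than three character classes")
    low = password.lower()
    if len(account) >= 3 and account.lower() in low:
        problems.append("contains the account name")
    for frag in name_fragments(full_name):
        if frag.lower() in low:
            problems.append(f"contains part of the full name ({frag})")
    # "Welcome1!" is still "welcome" to a password cracker's rule set.
    stripped = low.rstrip(string.digits + string.punctuation)
    if low in COMMON_PASSWORDS or stripped in COMMON_PASSWORDS:
        problems.append("matches a common password once trailing digits and symbols are removed")
    return problems


def lm_hash_exposed(password: str) -> bool:
    """True if the password is short enough for Windows to store an LM hash of it."""
    return len(password) <= LM_MAX_LENGTH


if __name__ == "__main__":
    # Constructed sample inputs.
    for pw in ["Tr0ub4dor&3", "correct horse battery staple", "Smith2007!Secure",
               "Welcome1!", "V3ry-L0ng&Unrelated!"]:
        print(repr(pw), check_password(pw, "jsmith", "John Smith"),
              "LM exposed" if lm_hash_exposed(pw) else "no LM hash")
```

Two of the sample results are worth noticing. The passphrase “correct horse battery staple” is long and hard to guess but fails the Windows complexity rule because it uses one character class, so a policy that wants to allow passphrases must relax that rule deliberately. And “Tr0ub4dor&3” passes complexity yet is short enough to get an LM hash, which is exactly the backward-compatibility weakness described above; either disable LM hash storage on every domain controller and workstation or set the minimum length above 14.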

Fourth, limit the number of administrators and the privileges they hold. Don’t automatically give users admin rights on their local PC unless an application genuinely requires them to run; in most cases a specific elevated privilege can be granted instead of full administrative rights. Users who do hold admin rights should be taught never to use that account to read email or surf the Internet. Instead, give them a separate ordinary account for those purposes.

Fifth, protecting systems against known attacks by means of system configuration is not a simple process. It requires knowing about past attacks and current vulnerabilities and having an extensive knowledge of the operating system. To benefit from your configuration settings, don’t install IIS except where you are deliberately building an intranet or Internet web server. Don’t enable File and Printer Sharing on machines that are not file servers. Set strong permissions on Windows shares, and use shares sparingly. Don’t allow anonymous access to your systems. Also disable any Windows service that is not necessary, such as Telnet, Alerter, ClipBook (does anyone still use these?), Indexing Service, Messenger, and Remote Registry.

Last, but not least, I can’t stress enough the importance of developing and enforcing security policies by way of accountability, technology, and user training. The best security knowledge anyone can have cannot protect your systems if it is not used. Security policies should be enforced by more than technology and must be fully supported by management. People make security work. People build a culture of security, and people follow the rules because they understand them and because they are aware of the consequences. Train your users, let them know the rules, and hold them accountable.

The best laid plans will not stand if you can’t afford the resources or the support to implement them. A crucial problem a network administrator faces is the cost of security. Security control mechanisms cost money to purchase, and deploying and maintaining them, especially in a redundant configuration, can increase those costs significantly. When deciding on redundancy and security controls, it helps to work through a number of scenarios in which a security breach or an outage occurs and estimate the corporation’s cost for each occurrence. This gives management a basis for judging the value of an assortment of security control mechanisms. Remember that a network is only as secure as its least secure part, and end users are usually that part, so anything done to strengthen them can have a huge effect on the baseline security of your systems.