The Best Damn Firewall Book Period

Other hardware-based components of your network security plan could include devices that provide extra security for authentication, such as:

These devices can be used in environments that require a high level of security for secure and reliable network authentication. Microsoft has acquired Biometric API (BAPI) technology from I/O Software and plans to incorporate support for biometric authentication devices into future versions of its operating systems. Windows 2000 already supports smart card authentication.

Monitoring Activity

As you make efforts to secure your environment, you move into the next phase of information security: establishing better mechanisms for monitoring activity on your network and systems. Adequate monitoring is essential so that you can be alerted, for example, when a security breach has occurred, when internal users are trying to exceed their authority, or when hardware or software failures are having an impact on system availability. Effective monitoring has two components: turning on capabilities already present on your systems and implementing tools for additional visibility. The first component includes use of the auditing function built into:

Most systems have such auditing turned off by default, however, and require you to specifically enable it. Be careful not to turn on too much, since you will be overwhelmed with data and will wind up ignoring it. This "turn on and tune" methodology flows into the second component, which also includes deployment of tools such as IDS on networks and hosts.

In any environment that contains more than a few systems, performing manual reviews of system and audit logs, firewall logs, and IDS logs becomes an impossible and overwhelming task. Various tools (such as Swatch, at www.oit.ucsb.edu/~eta/swatch) can perform log reduction and alert only on important events.

Detecting Internal Breaches

Implementing auditing will help you detect internal breaches of security by recording specified security events. You will be able to track when objects (such as files or folders) are accessed, what user account was used to access them, when users exercise user rights, and when users log on or off the computer or network. Modern network operating systems include built-in auditing functionality.
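The log-reduction idea described above (a Swatch-style filter that drops routine noise and alerts only on important events) and the auditing goal of catching users exercising rights or hammering logins can be shown with one small script. The following is an added example, not code from the book or from Swatch; the log lines it scans are constructed syslog-style samples, the program names to ignore, the failure threshold and the time window are assumptions you would tune for your own systems.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample auth-log lines (syslog format); not real data.
SAMPLE_LOG = """\
Mar  4 10:01:02 web1 CRON[2211]: (root) CMD (run-parts /etc/cron.hourly)
Mar  4 10:01:15 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Mar  4 10:01:17 web1 sshd[2301]: Failed password for invalid user admin from 203.0.113.7 port 51023 ssh2
Mar  4 10:01:19 web1 sshd[2301]: Failed password for root from 203.0.113.7 port 51024 ssh2
Mar  4 10:01:21 web1 sshd[2301]: Failed password for root from 203.0.113.7 port 51025 ssh2
Mar  4 10:01:23 web1 sshd[2301]: Failed password for root from 203.0.113.7 port 51026 ssh2
Mar  4 10:02:00 web1 sshd[2310]: Accepted publickey for deploy from 192.0.2.10 port 40110 ssh2
Mar  4 10:02:30 web1 sudo:   deploy : TTY=pts/0 ; PWD=/home/deploy ; USER=root ; COMMAND=/bin/cat /etc/shadow
Mar  4 10:03:00 web1 CRON[2400]: (root) CMD (run-parts /etc/cron.hourly)
Mar  4 10:03:10 web1 sshd[2420]: Failed password for bob from 198.51.100.5 port 33001 ssh2
"""

# "Mon DD HH:MM:SS host prog[pid]: message" (pid is optional, e.g. sudo has none)
LINE_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) "
    r"(?P<host>\S+) (?P<prog>[^\s:\[]+)(?:\[\d+\])?:\s*(?P<msg>.*)$"
)
FAILED_RE = re.compile(r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")
SUDO_RE = re.compile(r"^(?P<user>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")

# Assumed tuning: the "turn on and tune" step. Routine cron chatter is dropped
# so it cannot bury the events that matter.
IGNORE_PROGS = {"CRON"}


def parse_line(line):
    """Split one syslog line into timestamp, host, program and message."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{m['mon']} {m['day']} {m['time']}", "%b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "prog": m["prog"], "msg": m["msg"]}


def reduce_log(lines, threshold=5, window_seconds=60):
    """Return (alerts, stats): only the events worth a human's attention.

    - a burst of failed logins from one source within the window -> one alert
    - any use of sudo (a user exercising elevated rights) -> one alert
    Everything else is counted but not reported.
    """
    alerts = []
    stats = {"total": 0, "ignored": 0, "unparsed": 0}
    failures = defaultdict(deque)  # source address -> recent failure timestamps
    already_flagged = set()

    for line in lines:
        if not line.strip():
            continue
        stats["total"] += 1
        rec = parse_line(line)
        if rec is None:
            stats["unparsed"] += 1  # keep a count so a format change is noticed
            continue
        if rec["prog"] in IGNORE_PROGS:
            stats["ignored"] += 1
            continue

        if rec["prog"] == "sshd":
            f = FAILED_RE.search(rec["msg"])
            if f:
                src = f["src"]
                q = failures[src]
                q.append(rec["ts"])
                # slide the window: forget failures older than window_seconds
                while (rec["ts"] - q[0]).total_seconds() > window_seconds:
                    q.popleft()
                if len(q) >= threshold and src not in already_flagged:
                    already_flagged.add(src)  # report each source once, not per line
                    alerts.append({"kind": "auth_failure_burst", "host": rec["host"],
                                   "src": src, "count": len(q), "at": rec["ts"]})
        elif rec["prog"] == "sudo":
            s = SUDO_RE.match(rec["msg"])
            if s:
                alerts.append({"kind": "privilege_use", "host": rec["host"],
                               "user": s["user"], "target": s["target"],
                               "cmd": s["cmd"], "at": rec["ts"]})
    return alerts, stats


if __name__ == "__main__":
    found, summary = reduce_log(SAMPLE_LOG.splitlines())
    for a in found:
        print(a)
    print(summary)
```

Run against the sample, ten lines collapse to two alerts: a burst of five failed logins from one address and one sudo command run as root. Raising `threshold` above the observed burst suppresses the first alert, which is the tuning lever the text refers to; the `unparsed` counter is worth watching in production, since a silent rise there usually means a log format changed and the filter is no longer seeing what it should.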

Preventing Intentional Internal Breaches

Firewalls are helpful in keeping basically compliant employees from accidentally (or out of ignorance of security considerations) visiting dangerous Web sites or sending specific types of packets outside the local network. However, firewalls are of more limited use in preventing intentional internal security breaches. Simply limiting user access to the external network cannot thwart insiders who are determined to destroy, modify, or copy your data. Because they have physical access, they can copy data to removable media or a portable computer (including tiny handheld machines) or perhaps even print it on paper and remove it from the premises that way. They could change the format of the data to disguise it, or they could upload files to Web-based data storage services.

In a high security environment, computers without floppy drives—or even completely diskless workstations—might be warranted. System or group policy can be applied to prevent users from installing software (such as that needed for a desktop computer to communicate with a Pocket PC or Palm Pilot). Cases can be locked; physical access to serial ports, USB ports, and other connection points can be covered so that removable media devices can't be attached.

Intentional internal breaches of security constitute a serious problem, and company policies should treat them as such.

Preventing Unauthorized External Intrusions and Attacks

External intrusions (or "hacking into the system") from outside the LAN have received a good deal of attention in the media and thus are the major concern of many companies when it comes to network security issues. In recent years, there have been a number of high-profile cases in which the Web servers of prominent organizations (such as Yahoo! and Microsoft) have been hacked. Attempts to penetrate sensitive government networks, such as the Pentagon's systems, occur on a regular basis. DDoS attacks—although not technically "intrusions" because only access to the system, not security of data, is affected—are still looked on as hacks by the media and the public, and these events make front-page news when they crash servers and prevent Internet users from accessing popular sites.

Psychological factors are involved as well. Internal breaches are usually seen by companies as personnel problems and are handled administratively. External breaches could seem more like a "violation" and are more often prosecuted in criminal actions. Because the external intruder could come from anywhere at any time, the sense of uncertainty and fear of the unknown could cause organizations to react in a much stronger way to this type of threat.

The good news about external intrusions is that the areas that must be controlled are much more focused. There are usually only a limited number of points of entry to the network from the outside. This is where a properly configured firewall can be invaluable, allowing authorized traffic into the network while keeping unauthorized traffic out. On the other hand, the popularity of firewalls ensures that dedicated hackers know how they work and spend a great deal of time and effort devising ways to defeat them.

Never depend on the firewall to provide 100 percent protection, even against outside intruders. Remember that in order to be effective, a security plan must be a multifaceted, multi-layered one. We hope the firewall will keep intruders out of your network completely—but if they do get in, what is your contingency plan? How will you reduce the amount of damage they can do and protect your most sensitive or valuable data?
