Network Security Basics
The basic precepts of network security require you to keep unauthorized people out of your network, to keep unwanted data out as well, and to keep wanted data in.
Creating a secure environment requires you to pay attention to three key areas, or martial canons:
- Understanding the operating system (or systems)
- Controlling physical access to the computer
- Educating human users
These three areas are like legs on a barstool. If any one of these legs is weak, the person on the stool will hit the floor. Nobody wants to be that person.
In this section, we briefly discuss the issues involved with maintaining physical control and educating users. The third leg, the operating system itself, is our subject for the remainder of this tutorial.
Getting physical
Controlling physical access means preventing unauthorized people from coming into close proximity to your computers, network devices, communication pathways, peripherals, and even power sources. A computer system can be compromised in several ways. Physical access is always the first step in breaking into a system. Remember that physical access doesn't always mean a person must be in your office building. If your network has dial-up access, someone can gain access remotely.
Controlling physical access means not only preventing access to keyboards or other input devices but also blocking all other means of transmitting to or extracting signals from your computer system. You want to exercise great care over what goes into and flows out of your network, thereby safeguarding everything within it.
Protecting the computer room and operating environment
Some physical access controls are obvious to everyone:
- Locking doors
- Using security badges
- Employing armed guards
- Using locking cases and racks
If you address only these items, you still leave other access methods wide open. You must think about the architecture, structure, and construction of your building. Can ceiling or floor tiles be removed to gain entry over or under the walls? Do ventilation shafts or windows provide entry into locked rooms?
A person getting into your computer room isn't the only concern you should have. You also must think about the environment in which computers operate. Most computers operate properly across only a limited range of temperatures. Therefore, if intruders can gain access to thermostat controls, your system can become compromised. What is the one thing that all computers need? Electricity. Is your power supply secure? Can it be switched off outside your security barriers? Do you have an uninterruptible power supply (UPS) attached to each critical system? Did you install a backup phone line independent of the regular land line in case of emergency?
Even after preventing entrance into the computer room and protecting the operating environment, you still haven't fully secured your computers physically. You need to think about your trash - yes, the trash! You would be amazed at what private investigators and criminals can learn about you and your network from information discarded in your trash. If you don't shred or incinerate all printouts and handwritten materials, you may be exposing passwords, usernames, computer names, configuration settings, drive paths, or other key data. Trust us, this happens more often than you'd care to know, occasionally with enough oomph to make the nightly news.
Do you think we've covered everything now? Wrong! Ponder these issues:
- Does the nightly cleaning crew vacuum and dust your computer closet?
- Is that crew thoroughly screened and properly bonded?
- How often does the crew unplug computer systems to plug in cleaning machines?
- Is the key that unlocks your front door also the key that unlocks the computer room?
- How do you know that the cleaning crew isn't playing with your computer systems?
- How do you know that the members of the cleaning crew are who you think they are?
- Are floppy drives installed on servers and other critical systems?
- Can systems be rebooted without passwords or other authentication controls (for example, smart cards)?
- Do servers have extra ports ready to accept new attachments?
- Are your backup tapes stacked beside the tape drive?
- Are your backup tapes protected by encryption and passwords?
- Are all backup tapes accounted for? If some are missing, do you know what information was stored on them?
- What really happens in your office building after business hours? Are the doors locked every night?
If you can still sleep at night, you probably have most of these items under control. If you can't answer some of these questions with a solid, reassuring response, you have work to do.
Guarding against notebook theft
So far, physical access issues we've discussed focus on stationary computers. But what about mobile machines? Remember that expensive notebook system you purchased for the boss, that manager, and a system administrator so they could work while traveling and connect to the network over the phone? Should one of those notebooks fall into the wrong hands, somebody might have an open door through which they could access your network and take or ruin whatever they please.
Notebook theft is becoming the number one method for gaining access to company networks. Most notebooks are stolen at the airport. (We bet you could've guessed that one!) Although most travelers are smart enough not to check notebooks as luggage, there's one common location where notebooks and their owners are separated - the metal detector. All it takes is a few moments of delay while waiting to walk through the metal detector after you've placed a notebook on the x-ray conveyer, and poof - the notebook is gone by the time you reach the other end.
And despite all the precautions taken while traveling with notebooks, lapses in routine or procedures can allow opportunistic miscreants to take advantage: leaving one unattended. It may be in the car while retrieving out-of-town mail piling up at the post office, or making a quick stop at a corner store on the way home. In such unguarded moments, notebooks can and will disappear, and their absence may go completely unnoticed until you arrive home to collect your travel gear.
Controlling physical access in the workplace is also important because without access to a computer system, hackers can't break in. If you fail to manage physical access to your network, you're relying on operating-system-supported software security to protect your data. In that case, there's another glaring problem to contend with - if you've failed to properly educate network users, your security may already be compromised.