This is the reading the assignment is based on, which I am pasting below:
While reading online forums and frequently asked questions (FAQs) pertaining to network security, inevitably one of the questions asked is "Is my network secure?" The typical answer is that one can never be completely certain that all security measures have been taken to protect a network from intruders. While this may be true, there are ways to increase the confidence of network administrators with regards to protecting the data and resources entrusted to them. This paper will present a strategy that, if implemented, will improve confidence that all necessary precautions in establishing a secure network have been taken.
Keywords: information security; secure network; network security; security principles
While reading online forums and frequently asked questions (FAQs) pertaining to network security, inevitably one of the questions asked is, "Is my network secure?" The typical answer is that one can never be completely certain that all security measures have been taken to protect a network from intruders. While this may be true, there are ways to increase the confidence of network administrators with regards to protecting the data and resources entrusted to them.
This paper will present a strategy that, if implemented, will improve confidence that all necessary precautions in establishing a secure network have been taken.
Mark Ciampa, author of several network security textbooks, states: "Although you need many defenses to withstand attacks, you base these defenses on a few fundamental security principles: protecting systems by layering, limiting, diversity, obscurity, and simplicity" ([5]).
The author of this paper devised the acronym SOLID (Simplicity, Obscurity, Layering, Impeding, Diversity) from those principles to be used as an aid in designing, developing, and deploying a security strategy to confidently build a SOLID, secure network. The definition of the term solid includes "of good substantial quality or kind," "thoroughly dependable," "reliable," and "serious in purpose or character" ([18]). A network security administrator strives for a solid, impenetrable network. The acronym SOLID will serve as a model throughout the analysis, development, and implementation of a security plan. When reviewing the security strategies, the SOLID principles may be used in a checklist to determine the degree to which each principle has been applied in the security plan.
Examining the five network security principles individually will illustrate the importance of each. As each principle is explained throughout this article, the reader should strive to recognize strategies that relate directly to the network system being managed.
Simplicity is representative of how easy, or complex, it is to access the network. From the user's perspective, the internal policies and procedures should not be too difficult to manage, thus preventing users from being productive in their daily tasks. In contrast, the network should be complex enough to ward off intruders. Network administrators must find the correct balance (unique to each situation) between blocking unwanted and unwarranted access to the network and providing the resources necessary to the authorized users of the network. "There is no such thing as 'complete security' in a usable system. Consequently, it is important to concentrate on reducing risk, but not waste resources trying to eliminate it completely. Such a pragmatic mindset provides a fighting chance to achieve fairly good security while still allowing productivity" ([2]).
Establishing policies is critical to a secure network. One network security white paper on "best practices" states to create usage policy statements that outline users' roles and responsibilities with regard to security: "This document should provide the general user community with an understanding of the security policy, its purpose, guidelines for improving their security practices, and definitions of their security responsibilities. If your company has identified specific actions that could result in punitive or disciplinary actions against an employee, these actions and how to avoid them should be clearly articulated in this document" (Cisco Systems, 2009). Education on the use of the system is extremely vital to the success of policy implementation. Another best practices article on wireless network security supports the same: "... develop institution-wide policies with detailed procedures ..." and "conduct regular security awareness and training sessions for both systems administrators and users" ([16]).
An additional strategy that must be considered when implementing the simplicity principle pertains to default settings of hardware and software. In this case, the simplest thing to do is apply all of the default settings when installing new equipment or operating system and application software upgrades, but this is not necessarily done in the best interest of developing a secure network. Default settings often include password, encryption, and authorization settings that are known by anyone familiar with the same hardware or software. Therefore, though it takes a great deal of effort on the part of the technician to manage the new or improved system, changing many of those default settings will protect the system from hackers ([16]).
The SOLID principle of simplicity requires a security strategy responsive to all system functions. An unrestricted environment may allow faster processing but is not practical when handling confidential data. Hardening an operating system to the extent that the user is frustrated with each task submitted is also not a practical solution. A checks and balances system must be in place to weigh the simplicity and complexity of the network. Security measures should be taken that will not jeopardize user productivity.
WordNet defines obscurity as "the quality of being unclear or abstruse and hard to understand," "not well known," and "the state of being indistinct or indefinite for lack of adequate illumination" ([7]). Obscurity may also be considered the "hidden" aspects of network security. "Security by obscurity ... represents one of the truly controversial aspects of security. You will often see mocking references to people whose efforts are dismissed as 'just security by obscurity'" ([15]). Obscurity is used to lessen a risk or vulnerability by concealing the attack vector, thereby applying a reinforced measure of security to the system.
Examples of obscurity include renaming the administrator account to deter automated attacks and installing honeypots to act as decoys, enticing hackers away from the systems containing critical data. For a wireless network, changing the default Service Set Identifier (SSID) set by the manufacturer is important. The default SSID for Cisco wireless routers is "tsunami," and the default SSID for Linksys wireless routers is "linksys." A complex SSID naming convention should be defined and implemented to avoid easy access by an automated attack or an unauthorized user. The serious hacker may still be able to find a way around these security measures, but it does make the effort more difficult.
Included in obscurity should also be the avoidance of clear patterns of behavior, even to the point of random time settings for synchronizing systems across the network. Consider a communication strategy used by the military in which a continuous signal of spurious transmissions is used to reduce the enemy's detection of a serious communication when it is transmitted. Though spread spectrum techniques do not directly apply to the commercial domain, the implementation of clear behavioral patterns should be avoided.
The implementation of obscurity into the security plan is only one line of defense — not the line of defense — and is not to be measured but rather used as an early warning sign of exploitation. When such a barrier is breached, a potential and likelihood of a full-scale attack is amplified. This strategy may take some effort, but it is a principle that merits thoughtful consideration and periodic review to preserve the integrity and defense of the network.
Building layers of defense to protect digital assets is critical. Layering is implemented in the physical security plan as well as policy and administration. "Protecting your proprietary information does not require dozens of specialized solutions or unlimited funds. With an understanding of the overall problem, creating both a strategic and tactical security plan can be a straightforward exercise" ([1]).
Ashley proposes five layers of security to be implemented in any network: Perimeter, Network, Host, Application, and Data. The layered approach requires a technical strategy to ensure implementation at different entries and levels across the network and an organizational strategy requiring participation of all network constituents (i.e., employees at all levels of the organization) ([1]). Table 1 presents the functioning technologies in each of the security levels.
TABLE 1 Security Layers
Security level | Applicable security measures
1. Perimeter | Firewall; Network-based anti-virus; VPN encryption
2. Network | Intrusion detection/prevention system (IDS/IPS); Vulnerability management system; Network access control; Access control/user authentication
3. Host | Host IDS; Host vulnerability assessment (VA); Network access control; Anti-virus; Access control/user authentication
4. Application | Application shield; Access control/user authentication; Input validation
5. Data | Encryption; Access control/user authentication
The physical infrastructure must also be secure. This includes a facility with various and diverse points through which an authorized user will enter. "Physical security should be looked at as a series of concentric perimeters, with each layer more secure than the previous one. What belongs in which circle depends on the value the corporation places on it" ([9]). It also includes employee training. According to a recent CompTIA survey, "companies with 25% or more of their staffs trained on security are 46.3% less likely to suffer a security breach" ([11]). Social engineering is commonly used in attacks; therefore, properly training employees in secure strategies will greatly reduce their vulnerability and reduce the risk of an intrusion.
All aspects of security deployed in Ashley's model, the physical security of the network facilities, and the education provided to the users are forms of layering and are essential to protect the network and the valuable data it houses.
Hindering intrusion of unwanted and unwarranted users into and onto the network is essential to maintaining a secure environment. Impeding such attacks involves creating barriers, blocking unauthorized entry, and establishing boundaries for legitimate users by limiting access to network resources. "Limiting access to an application is generally divided into two topics: authentication, which is how an application identifies who you are, and authorization, which is how an application identifies what you [have] permission to do" (MSDN, 2009). Not every user should have access to everything. Allowing limited access to resources reduces attacks.
In addition, restricting user activity on the network helps to reduce network traffic. Implementing strategies such as reassigning priorities for print jobs or nonbusiness communications will allow relevant jobs to flow through the network without delay. Jobs with lower priority can wait for an opportune time to travel the network. Usually this is handled in seconds, so the end user is not aware of the holdup, but the network congestion and bottlenecks are greatly reduced ([10]).
Impeding can also be applied to open ports on a system. On a desktop system, Windows File Sharing, Windows Messenger, and Windows Plug-n-Play services are open doors that are vulnerable to attacks. Software firewalls can be used to recognize when an application requests to open access to the system. If that request was not made by the user or a recognized application, the firewall can deny the request ([14]). Software firewall settings may, however, be modified by a user, leading to potential vulnerabilities in the effectiveness of that strategy, so additional measures may be necessary.
"Because attackers can observe Media Access Control (MAC) addresses of stations in use on the network, they can adopt those addresses for malicious transmission ... station addresses, not the users themselves, are identified. That is not a strong authentication technique, and it can be compromised by an unauthorized party" ([16]). Kennedy suggests that by barring access to specific MAC addresses (filtered via a firewall), the overall security strategy of the network is improved. Though this technique is fallible since MAC addresses can be spoofed (or fooled) across the network, it is a common strategy found in network security plans.
Numerous vendors have developed tools to restrict access to systems, applications, and other network resources. HP Visual User Environment (VUE) identifies several techniques to limit access to the display, local file system, and system services. These are all handled through command line utilities. Cisco Systems has developed a method to limit the operating systems that can access the network using NAC Appliance. When users connect to the network, they are redirected to predefined login pages, depending on their operating system. Operating systems not configured for network access are denied.
As with layering, consideration must also be given to the physical security of the network. "No amount of firewalls, encryption or access lists can stop a criminal who gets into a server room" ([9]). Intruders who gain physical access to network resources can remove components quickly. In 2004, Bill Farwell, head of digital forensics at Deloitte Touche, admitted that he could remove a hard drive from a computer in less than five minutes. Since that time, mobile and portable devices are even more common, so the intruder needs only seconds to remove the desired equipment from the facility.
"Diversity creates a natural firebreak for computers. I have never seen a virus that can infect both Linux and Windows boxes, and only a few can cross between Macs and PCs ... diversity in computer platforms can prevent viruses from taking over" ([12]). Integrating various manufacturers, equipment, and security devices with different operating system platforms is an effective implementation of diversity on the network. Single-vendor solutions can create a weakness and points of failure.
Implementing a variety of access and authentication technologies (e.g., biometrics, barcodes, access keys) aids in strengthening security. "The application of security techniques (e.g., technologies, hardware and software manufacturers, passwords, traffic filters) that are different will ensure that intrusion at one layer will not guarantee further access by the same method" ([8]).
Recognizing that not all network environments have the resources to support numerous types of security hardware or network systems, other strategies can be implemented to apply the diversity principle in the security plan. Diversity can include a change in authentication at various levels within the system. It should also be included in the security plan of the physical facility, as simple as a different key used to access each lock-down device.
If hackers do penetrate one layer of the network, the plan is to keep them from proceeding. Diversity strategies impose such actions, discouraging further access. "The best containment strategy to avoid catastrophic failure is diversification" ([12]).
Applying the SOLID principles to a security strategy is not always a clear-cut process. Many of the strategies span more than one principle and, depending upon how detailed each strategy or point is defined, may be categorized differently by other network security administrators. However, the following exercise is intended to demonstrate that all SOLID principles have been covered in the security plan.
Purdue University established a list of common best practices pertaining to system security ([20]). Though some of the points are specific to Purdue students/staff and the network supported for them, Table 2 demonstrates how those points can be implemented using the five security principles of the SOLID model.
TABLE 2 Applying SOLID Model to Purdue University's Security Plan
Points | Simplicity | Obscurity | Layering | Impeding | Diversity
Configure your operating system to automatically download and install the latest updates. | X | - | X | - | -
Ensure all computers you use or control have an up-to-date, supported antivirus software installed. | - | X | X | - | -
Turn on your operating system's firewall. | - | - | X | X | X
Install and use a reputable anti-spyware program. | - | X | X | - | X
Ensure that the anti-virus software is running at all times. | X | X | X | X | -
Run a complete scan of your system using the anti-virus and anti-spyware software applications (weekly). | X | - | - | X | -
Check your browser history (weekly). | X | - | - | X | -
Check the Website for the latest updates and patches to your anti-virus program (monthly). | X | - | X | - | -
Change your password every 120 days. | X | - | X | X | X
Open email attachments only if you are expecting them from people you know. | - | - | - | X | -
Always use strong passwords and keep them secret. | X | - | - | X | X
Never click on links in an email, even if they are from someone you know. Type the address in your browser window instead. | - | - | - | X | -
Never check your Purdue email account on a "free" or "public" Internet kiosk or Internet Café. | - | - | - | X | -
When off campus, access Purdue directories only through VPN. | - | - | X | X | -
Lock your keyboard when you step away from your computer for even a moment. | - | - | X | X | -
If possible, close and lock your office door when leaving your computer. | - | - | X | X | -
Never store sensitive personal information such as your bank account information or Social Security numbers on your computer. | X | X | - | X | -
Do not open files sent to you in Instant Messaging (IM) or peer-to-peer (P2P) programs. | - | - | - | X | -
Do not set your computer to automatically log in. | X | - | X | X | -
The SOLID security principles can be applied to all types of networks. Andre Muscat, director of engineering at GFI, recommended a list of points to be considered when developing a security plan for a network in which mobile devices are prevalent ([17]). Table 3 shows how those strategies can be implemented using the five security principles of the SOLID model.
TABLE 3 Applying SOLID Model to Security Plan for Mobile Devices
Points | Simplicity | Obscurity | Layering | Impeding | Diversity
Establish who should be allowed to use mobile and portable devices in the company. | - | - | X | X | -
Create security policies that all employees can implement and understand. | X | - | X | X | -
Ban the use of non-authorized hardware. | - | - | - | X | -
Implement software to manage and control all devices on the network. | X | X | X | X | X
Use the concept of least privilege to limit data transfers to and from the network and monitor such data transfers if they occur. | - | X | - | X | -
Ensure users of mobile hardware implement security best practices. | X | - | X | X | -
Lock down systems through OS privileges to prevent installation of unauthorized software. | - | - | X | X | X
Use hardware that comes with security features such as encryption or biometric authentication methods. | X | X | X | X | X
Maintain an audit of all devices in use, their users, and what data they have access to. | - | X | - | X | -
Educate employees (including management) about security issues on a regular basis. | X | - | X | - | -
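The checklist exercise the paper describes for Tables 2 and 3, carried out in code: an added example, not code from the paper or its author. It transcribes the X marks of Table 3 as data (point wording abbreviated) and reports per-principle coverage, the weakest principle and any gaps; the minimum-coverage threshold is an assumed review parameter, not something the paper specifies.

```python
"""SOLID checklist evaluator (added example, not the paper's own code).

The paper proposes using the five SOLID principles as a checklist to judge
how thoroughly a security plan applies each one.  Table 3 (the mobile-device
plan) is encoded as data below; the functions report coverage and gaps."""
from collections import Counter

PRINCIPLES = ("Simplicity", "Obscurity", "Layering", "Impeding", "Diversity")

# Table 3 of the paper, transcribed: each point -> the principles it applies.
# Point wording is abbreviated; the marks follow the table exactly.
MOBILE_PLAN = {
    "Establish who may use mobile and portable devices": {"Layering", "Impeding"},
    "Security policies all employees can implement and understand":
        {"Simplicity", "Layering", "Impeding"},
    "Ban the use of non-authorized hardware": {"Impeding"},
    "Software to manage and control all devices on the network": set(PRINCIPLES),
    "Least privilege on data transfers, with monitoring": {"Obscurity", "Impeding"},
    "Users of mobile hardware implement best practices":
        {"Simplicity", "Layering", "Impeding"},
    "Lock down systems through OS privileges": {"Layering", "Impeding", "Diversity"},
    "Hardware with encryption or biometric authentication": set(PRINCIPLES),
    "Audit of all devices, their users and their data access":
        {"Obscurity", "Impeding"},
    "Educate employees (including management) regularly": {"Simplicity", "Layering"},
}


def coverage(plan):
    """Number of points applying each principle, in SOLID order.

    Rejects principle names outside the model so that a typo in the plan
    cannot silently inflate or hide coverage."""
    counts = Counter({p: 0 for p in PRINCIPLES})
    for point, applied in plan.items():
        unknown = set(applied) - set(PRINCIPLES)
        if unknown:
            raise ValueError(f"{point!r}: unknown principle(s) {sorted(unknown)}")
        counts.update(applied)  # a set: each named principle counts once
    return {p: counts[p] for p in PRINCIPLES}


def gaps(plan, minimum=1):
    """Principles applied by fewer than `minimum` points: the checklist failures.
    `minimum` is an assumed review threshold, not a value from the paper."""
    return [p for p, n in coverage(plan).items() if n < minimum]


def unmapped_points(plan):
    """Points applying no principle: a mapping mistake or a point outside scope."""
    return [point for point, applied in plan.items() if not applied]


def weakest_principle(plan):
    """Principle with the least support (first in SOLID order on a tie), to
    focus the periodic review the paper recommends."""
    cov = coverage(plan)
    return min(PRINCIPLES, key=lambda p: cov[p])


def report(plan, minimum=1):
    """Human-readable checklist summary."""
    lines = [f"{p:<11}{'X' * n:<12}{n}" for p, n in coverage(plan).items()]
    lines.append(f"weakest: {weakest_principle(plan)}")
    missing = gaps(plan, minimum)
    lines.append("gaps: " + (", ".join(missing) if missing else "none"))
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(MOBILE_PLAN, minimum=4))
```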
The implementation of the five security principles (Simplicity, Obscurity, Layering, Impeding, and Diversity) into any network will improve confidence that all reasonable measures have been taken to protect the network. Frequent review of the security plan is necessary to ensure the efficiency and effectiveness of the plan. The more frequent the application of each of the five principles defined in the SOLID model, the more reliable and solid the security of the system.
The author acknowledges the assistance of the following: Carolyn Carvalho, assistant professor, Technology, Kent State University; Christine Naylor, assistant professor, Technology, Kent State University; Stephen Oeffner, adjunct faculty, Computer Technology, Kent State University; and Sanjay Anand, chairperson, SOX Institute, GRC Group.
REFERENCES
1. Ashley, M. (2006). "Layered Network Security 2006: A Best-practices Approach." StillSecure, January. Available from http://www.stillsecure.com
2. Avolio, F.M. (2000). "Best Practices in Network Security." Network Computing, March 20. Available from http://www.networkcomputing.com
3. Beale, J. (2000). "'Security Through Obscurity' Ain't What They Think It Is." Bastille Linux Project. Available from http://www.bastille-linux.org
4. Chee, R. (2008). "Limiting Operating Systems Allowed Through Cisco NAC Appliance." Network Security, September 21. Available from http://blog.netcraftsmen.net
5. Ciampa, M. (2005). Security+ Guide to Network Security Fundamentals, 2nd ed. MA: Course Technology.
6. Cisco Systems (2005, October 4). "Network Security Policy: Best Practices White Paper." Available from http://www.cisco.com
7. Princeton (2006). "WordNet: A Lexical Database for the English Language." Princeton University. Available from http://wordnet.princeton.edu
8. Edge, I.E. (2008). "Building a SOLID, Secure Network." AITP, Information Executive, June 11. Available from http://www.aitp.org
9. Greene, T. (2004). "Let's Get Physical: IT Security Must Include Locked Doors and Premises Protection, Not Just Firewalls." Network World, January 12. Available from http://www.networkworld.com
10. Hakala, D. (2008). "Eliminate Network Congestion by Limiting User Activity." IT Management, January 3. Available from http://www.itmanagement.com
11. Higbie, C. (2006). "Why Seven-layer Security Is Crucial for Networks." ComputerWorld, February 1. Available from http://www.computerworld.com.au.ezproxy.snhu.edu
12. Holtzman, D. (2003). "Diversity Training: When Systems Are Homogenized, Security Suffers." CSO Online, June 1. Available from http://www.csoonline.com
13. HP (1998, April 7). "HP Visual User Environment User's Guide." Hewlett Packard. Available from http://docs.hp.com
14. JMU (2009). "Personal Firewalls." Computing Security, April 18. Available from http://www.jmu.edu
15. Johansson, J.M. and Grimes, R. (2008). "The Great Debate: Security by Obscurity." Microsoft TechNet, June. Available from http://technet.microsoft.com
16. Kennedy, S. (2003). "Best Practices for Wireless Network Security." Computerworld, November 24. Available from http://www.computerworld.com
17. MacKinnon, C. (2008). "Off-network Security Best Practices: How SMEs Can Protect Mobile Devices." Processor, May 9. Available from http://www.processor.com
18. Merriam-Webster (2004). The Merriam-Webster Dictionary. MA: Merriam-Webster Inc.
19. Microsoft (2008). "Limiting Access to ASP.NET Web Sites." Microsoft Corporation. Available from http://msdn.microsoft.com
20. SecurePurdue (2005). "Common Best Practices." Purdue University. Available from http://www.purdue.edu
21. Yahoo (2008). "How Do I Make Sure My Wireless Network Is Secure?" Yahoo! Answers (UK and Ireland). Available from http://uk.answers.yahoo.com
By Irene E. Edge
Irene E. Edge is a tenured, assistant professor of Computer Technology at Kent State University, Ashtabula, Ohio. She holds an A.A.B. in Computer Technology and a B.S.T. and M.T. in Technology from Kent State University. She teaches undergraduate courses primarily in computer hardware and networking, network security, operating systems, and computer programming. She has been teaching full-time for nearly ten years; prior to that, she was network systems manager at the Ashtabula Campus of Kent State University for 17 years.
Copyright of Information Security Journal: A Global Perspective is the property of Taylor & Francis Ltd and its content may not be copied or emailed to multiple sites or posted to a listserv without the copyright holder's express written permission. However, users may print, download, or email articles for individual use.