Chapter 11. Network Security Concepts

Today, information comes in many forms, and consequently, methods of securing it vary. Instead of dividing information into categories based on content, threat analysis and protection should be based on the methods used to process and store it. These methods can be divided into three general categories:

  • Physical. Traditionally, information is "physically recorded" (say, in the form of ink-and-paper or electronically in bits-and-bytes) and stored somewhere (for example, in a box, safe, diskette, or hard drive). Therefore, classical security generally focuses on physical protection, such as access control to buildings, server rooms, wiring closets, and so on.

  • Social/Personal. Many organizations understand the value of their employees, especially the knowledge they hold in their heads and their capability to use that knowledge to corporate advantage.

  • Networks. Because paper records are bulky, are harder to search for specific data, and have a limited life span, many corporations store much of their information on computers and make it accessible over networks. Documents are stored "somewhere on the net," and users access them through URLs or some specific application (such as a database).

Whatever the type, security involves prevention, detection, responding to incidents, and monitoring and reviewing measures to reduce perceived risks to acceptable levels. In terms of information security, these measures need to be applied uniformly across all areas: social/personal (that is, employees), workstations/laptops and the network, and physical access.

THERE'S NO SUCH THING AS COMPLETE SECURITY

Having complete security is virtually impossible. If you want something to be totally secured, do not permit access to it at all. The weakest link in any security implementation is the users. Your network may be totally isolated from the outside world, but a user can easily make an unauthorized copy of a document by either saving a copy of it or by printing out a hard copy. In the movie Recruit, top secret data was copied to a USB thumb drive using a laptop, and then the thumb drive, hidden in a coffee thermos, was smuggled out of the CIA compound. This scenario may sound like Hollywood fantasy, but all the technologies employed in the movie exist: You can purchase a 128MB USB thumb drive the size of a coin for less than $50. Unless your security procedure includes body searches for people entering and leaving the premises, confidential data can be compromised.

Even if data access is not electronic, you cannot stop someone who has a good or photographic memory from reading a confidential document, leaving the building, and re-creating it later!

Therefore, the effort you spend on security measures should correctly reflect the value of the data you're protecting. There is no point in implementing a $50,000 security solution if the information you're trying to protect is worth only $5,000. Similarly, if the data is worth millions to your competitor, spending a few hundred thousand dollars on security measures may be duly justified.


Because this is a book about servers, we do not cover the security aspects of "people"; in some respects, a company's Human Resources (HR) department should handle staff. Instead, this chapter covers the policies ("rules") that you should have in place to protect your network and to limit physical access to the related equipment. Actual implementations of these rules are discussed in the remaining chapters of this book.



    SUSE LINUX Enterprise Server 9 Administrator's Handbook
    ISBN: 067232735X
    Year: 2003
    Pages: 134
