Network Security Basics

The basics of network security are to keep unauthorized people out of your network, to keep unwanted data out, and to keep wanted data in. Leave it to us to point out the obvious.

Creating a secure environment requires you to pay attention to three key areas:

  • Understanding the operating system (or systems)

  • Controlling physical access to the computer

  • Educating the human users

These three areas are like legs on a barstool. If any one of the legs is weak, the person on the stool will hit the floor.

In this section, we briefly discuss the issues involved with maintaining physical control and education of users. The third leg, the operating system itself, is the subject of the remainder of the chapter.

Getting physical

Controlling physical access means preventing unauthorized people from coming into close proximity of your computers, network devices, communication pathways, peripherals, and even power sources. A computer system can be compromised in several ways. Physical access is always the first step in breaking into a system. Remember that physical access does not always mean a person must be physically present in your office building. If your network has dial-up access, someone can gain access remotely.

Controlling physical access means not only preventing access to keyboards or other input devices but also blocking all other means of transmitting to or extracting signals from your computer system.

Some physical access controls are obvious to everyone:

  • Locking doors

  • Using security badges

  • Employing armed guards

  • Using locking cases and racks

If you address just these items, you leave several other access methods wide open. You need to think about the architecture, structure, and construction of your building. Can ceiling or floor tiles be removed so access can be gained over or under walls? Do ventilation shafts or windows allow entrance into locked rooms? Paranoid yet?

A person getting into your computer room is not the only concern you should have. You also need to think about the environment in which the computers operate. Most computers have a limited range of temperatures within which they operate properly. Therefore, if intruders can gain access to thermostat controls, your system is compromised. What is the one thing that all computers need? Electricity. Is your power supply secure? Can it be switched off outside your security barriers? Do you have an uninterruptible power supply (UPS) attached to each critical system?

Even after preventing entrance into the computer room and protecting the operating environment, you still haven't fully secured your computers physically. You need to think about your trash - yes, the trash! You would be amazed at what private investigators and criminals can learn about you and your network from the information discarded in your trash. If you don't shred or incinerate all printouts and handwritten materials, you may be offering passwords, usernames, computer names, configuration settings, drive paths, and other key information.

Do you think we've covered everything now? Wrong! Ponder the following issues:

  • Does the nightly cleaning crew vacuum and dust your computer closet?

  • Is that crew bonded?

  • How often does the crew unplug computer systems to plug in cleaning machines?

  • Is the key that unlocks your front door also the key that unlocks the computer room?

  • How do you know that the cleaning crew is not playing with your computer system?

  • How do you know that the members of the cleaning crew are who you think they are?

  • Are floppy drives installed on servers and other critical systems?

  • Can systems be rebooted without passwords or other authentication controls (for example, smart cards)?

  • Do servers have extra ports ready to accept new attachments?

  • Are your backup tapes stacked beside the tape drive?

  • Are your backup tapes protected by encryption and passwords?

  • Are all backup tapes accounted for? If some are missing, do you know what information was stored on them?

  • What really happens in your office building after business hours? Are the doors locked every night?

If you can still sleep at night, you probably have most of these items under control. If you can't answer some of these questions with a solid and reassuring response, you have some work to do.

So far, the physical access issues we've discussed have dealt with stationary computer systems. But what about mobile workstations? Remember that expensive notebook system you purchased for the boss, that manager, and that system administrator so they could work while traveling and connect to the network over the phone line? Well, if one of those notebooks were to fall into the wrong hands, someone would have an open door to walk right into your network and take or destroy whatever he or she pleased.

Notebook theft is becoming the number one method of gaining access to a company's network. Most notebooks are stolen at the airport. (We bet you could have guessed that one!) Although most travelers are smart enough not to check their notebooks as luggage, there's a common location where a notebook and its owner are often separated - the metal detector. All it takes is a few moments of delay while waiting to walk through the metal detector after you've placed the notebook on the x-ray treadmill, and poof - the notebook is gone by the time you reach the other end.

Controlling physical access is important because without interaction with a computer system, a hacker can't break in. If you fail to prevent physical access to your network, you're relying on your operating-system-supported software security to protect your data. However, there's one problem - if you've failed to properly educate network users, your security may already be compromised.

Informing the masses

The most secure network environment is useless if users don't respect the need for security. In fact, if left to their own druthers, most humans will find the path of least resistance when performing regular activities. In other words, your users will do anything to make traversing the security simple - such as automating the entry of passwords, writing down passwords in plain view, mapping unauthorized drives, installing unapproved software, transferring data to and from work and home on floppies, and attaching modems to bypass the firewall or proxy servers. If you put a software-based or operating-system-based security measure in place, a human can often find a way to get around it or at least reduce its effectiveness.

User education is a two-fold process. First, the users of your network must be thoroughly taught what security is, why it's important, and what security measures are in place on your network. Second, violations of the security system must be dealt with swiftly and strictly.

In most cases, educating your network users requires that an official organization document detailing the security restrictions, requirements, and punishments be created. This document, called a security policy, serves as your network's constitution. It's the governing body of regulations. This document allows your network security to remain intact while violators of the law are terminated.

So, what does a user need to know about the security imposed on the organization's network? Here's a brief list of the highlights:

  • Use passwords properly and choose them wisely. (Don't use an obvious name or number, such as a pet's name or your birth date.)

  • Never write down or share passwords.

  • Never share security badges and smart cards or leave them unattended.

  • Restrict network access to authorized employees only.

  • Do not share user accounts with other employees or with anyone outside the organization.

  • Do not distribute data from the network in any form outside the organization.

  • Users should not step away from their workstations while they're logged on to the system.

  • Understand the various levels of security in place on the network and the purpose of the stratification.

  • Do not install unapproved software.

  • Make it clear to all employees that tampering, subverting, or bypassing security measures is grounds for termination of employment.

  • Respect the privacy of the organization and other users.

  • Deal with violations of the security policy in a swift and severe manner without reservation or exemption.

This brings up the issue of punishment. If a user violates a significant issue in the security policy, a severe punishment must be applied. In most cases, firing the individual is the only form of punishment that will effectively control the situation and prevent other users from making the same mistake. The repercussions of violating the security policy must be detailed in the policy itself. And if you spell out the punishment, you must follow through. Even if your top programmer is the culprit, he or she must receive the same severity of punishment as the temporary mail person.

Most analysts have discovered that the deployment of a severe security policy results in a common occurrence - a short-term improvement in security, followed by a brief period of laxness, which results in violations, causing several users to be fired, which immediately results in an overall sustained improvement in security. Companies have reported that the loss of manpower because of violations was negligible in comparison to the prevention of security breaches.

You should create your own security policy that includes details about physical control, user education, and operating-system-level security measures. Remember the adage about the ounce of prevention.


Windows Server 2003 for Dummies
ISBN: 0764516337
EAN: 2147483647
Year: 2003
Pages: 195
