Implementing security measures can have a significant impact on the network. How much of an impact it has depends on which security measures are implemented and the habits of the network users. Several security measures are used on networks, including port blocking, authentication schemes, encryption, and so on. While in today's world we may have no choice but to implement these measures, as a network administrator, you'll need to be aware of how they impact the overall network. The following sections help you prepare for this part of the exam.

Blocking Port Numbers

Port blocking is one of the most widely used security methods on networks. Port blocking is associated with firewalls and proxy servers, although it can be implemented on any system that provides a means to manage network data flow, according to data type. Essentially, when you block a port, you disable the ability for traffic to pass through that port, thereby filtering the traffic. Port blocking is typically implemented to prevent users on a public network from accessing systems on a private network, although it is equally possible to block internal users from external services, and internal users from other internal users, by using the same procedure.

Depending on the type of firewall system in use on a network, you might find that all the ports are disabled (blocked) and that the ones you need traffic to flow through must be opened. The benefit of this strategy is that it forces the administrator to choose the ports that should be unblocked rather than specify those that need to be blocked. This ensures that you allow only those services that are absolutely necessary into the network.

What ports remain open largely depends on the needs of the organization. For example, the ports associated with the services listed in Table 8.1 are commonly left open.
These are, of course, only a few of the services you might need on a network, and allowing traffic from other services to traverse a firewall is as easy as opening the port. Keep in mind, though, that the more ports that are open, the more vulnerable you become to outside attacks. You should never open a port on a firewall unless you are absolutely sure that you need to.
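The default-deny strategy described above can be checked before a rule change is deployed. The following is an added example, not part of the original text: a small first-match rule evaluator that reports which required traffic a proposed rule set would block. The flow inventory, the rule sets, and the names `Rule`, `Flow`, `decide`, and `broken_flows` are constructed for illustration; ports 25 (SMTP), 53 (DNS), and 443 (HTTPS) are the standard assignments.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    action: str     # "allow" or "deny"
    direction: str  # "in" (public to private), "out" (private to public), "any"
    port: int
    proto: str = "tcp"

@dataclass(frozen=True)
class Flow:
    name: str
    direction: str
    port: int
    proto: str = "tcp"

def decide(rules, flow):
    """First matching rule wins; unmatched traffic is blocked (default deny)."""
    for r in rules:
        if (r.port, r.proto) == (flow.port, flow.proto) and r.direction in ("any", flow.direction):
            return r.action
    return "deny"

def broken_flows(rules, required):
    """Names of required flows that this rule set would block."""
    return [f.name for f in required if decide(rules, f) != "allow"]

# Constructed inventory of traffic the organization depends on.
REQUIRED = [
    Flow("users browse the web", "out", 443),
    Flow("users send email", "out", 25),
    Flow("DNS lookups", "out", 53, "udp"),
    Flow("public reaches web server", "in", 443),
    Flow("email arrives from outside", "in", 25),
]

# Constructed baseline: every port is closed except the ones opened here.
BASELINE = [
    Rule("allow", "out", 443), Rule("allow", "in", 443),
    Rule("allow", "out", 25), Rule("allow", "in", 25),
    Rule("allow", "out", 53, "udp"),
]
# Proposed change A: block port 25 in both directions.
BLOCK_25_ANY = [Rule("deny", "any", 25)] + BASELINE
# Proposed change B: block port 25 only for traffic entering the network.
BLOCK_25_IN = [Rule("deny", "in", 25)] + BASELINE

if __name__ == "__main__":
    for label, rules in [("baseline", BASELINE), ("A", BLOCK_25_ANY), ("B", BLOCK_25_IN)]:
        print(label, "blocks:", broken_flows(rules, REQUIRED) or "no required flow")
```

Running the check against each proposed rule set lists the services users would lose, so the impact of closing a port is known before the change reaches the firewall.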
Port Blocking and Network Users

Before you implement port blocking, you should have a very good idea of what the port is used for. Although it is true that blocking unused ports does not have any impact on internal network users, if the wrong port is blocked, you can create connectivity issues for users on the network.

For instance, imagine that a network administrator was given the task of reducing the amount of spam emails received by his company. He decided to block port 25, the port used by the Simple Mail Transfer Protocol (SMTP). He may have succeeded in blocking the spam email, but in the process, he also prevented users from sending email.

Authentication

As a security mechanism, authentication is provided by every major network operating system and is implemented in all but the most insecure networks. Its 'impact on network functionality,' as stated in item 3.7 of the Network+ objectives, is that it will require users to identify themselves to the network. This process provides two benefits. It secures the network from unauthorized access and provides a degree of accountability for users once they are logged on.

There are three basic categories of authentication used on modern networks:
Passwords and Password Policies

Although biometrics and smartcards are becoming more common, they still have a very long way to go before they attain the level of popularity that username and password combinations enjoy. Apart from the fact that usernames and passwords do not require any additional equipment, which practically every other method of authentication does, the username and password process is familiar to users, easy to implement, and relatively secure. For that reason, they are worthy of more detailed coverage than the other authentication systems already discussed.

Passwords are a relatively simple form of authentication in that only a string of characters can be used to authenticate the user. However, how the string of characters is used and which policies you can put in place to govern them make usernames and passwords an excellent form of authentication.

Password Policies

All popular network operating systems include password policy systems that allow the network administrator to control how passwords are used on the system. The exact capabilities vary between network operating systems. However, generally they allow the following:
Password Strength

No matter how good a company's password policy, it is only as effective as the passwords that are created within it. A password that is hard to guess, or strong, is more likely to protect the data on a system than one that is easy to guess, or weak.

To understand the difference between a strong password and a weak one, consider this: A password of six characters that uses only numbers and letters and is not case sensitive has 10,314,424,798,490,535,546,171,949,056 possible combinations. That might seem like a lot, but to a password-cracking program, it's really not much security. A password that uses eight case-sensitive characters, with letters, numbers, and special characters has so many possible combinations that a standard calculator is not capable of displaying the actual number.

There has always been debate over how long a password should be. It should be sufficiently long that it is hard to break but sufficiently short that the user is able to easily remember it (and type it). In a normal working environment, passwords of 8 characters are sufficient. Certainly, they should be no fewer than 6 characters. In environments where security is a concern, passwords should be 10 characters or more.

Users should be encouraged to use a password that is considered strong. A strong password has at least eight characters; has a combination of letters, numbers, and special characters; uses mixed case; and does not form a proper word. Examples might include 3Ecc5T0h and e1oXPn3r. Such passwords might be secure, but users are likely to have problems remembering them. For that reason, a popular strategy is to use a combination of letters and numbers to form phrases or long words. Examples include d1eTc0La and tAb1eT0p. These passwords might not be quite as secure as the preceding examples, but they are still very strong and a whole lot better than the name of the user's household pet.
Encryption

Encryption is the process of encoding data so that, without the appropriate unlocking code, the encrypted data can't be read. Encryption is used as a means of protecting data from being viewed by unauthorized users. If you have ever used a secure website, you have used encryption.

On private networks, encryption is generally not a very big issue. Modern network operating systems often invisibly implement encryption so that passwords are not transmitted openly throughout the network. On the other hand, normal network transmissions are not usually encrypted, although they can be if the need arises.

A far more common use for encryption is for data that is sent across a public network such as the Internet or across wireless networks where outside users might be able to gain access to the data. In both of these cases, there is plenty of opportunity for someone to take the data from the network and then read the contents of the packets. This process is often referred to as packet sniffing.

By sniffing packets from the network and reading their contents, unauthorized users can gain access to private information. They can also alter the information in the packet. Therefore, the stronger the encryption method that is used, the better protected the data is. A number of encryption methods are commonly used, including
For more information on the characteristics of common encryption protocols, refer to Chapter 6, "WAN Technologies, Internet Access, and Security Protocols."

Implementing Encryption

Irrespective of which encryption method or protocol is used, network administrators must be aware that providing encryption for network traffic is not without its considerations. These include
Another key consideration when using encryption, particularly from a connectivity perspective, is that some operating systems can be configured to deny requests from clients that are not using encryption. This configuration should be implemented only after it has been confirmed that all the client systems can also use encryption. Otherwise, they will not be able to connect to the server.