Chapter 2. Security Model

   

Before a security policy can be put into place, the first step is to choose a security model. The security model is the framework within which you develop a security policy that is unique to your company. At its most basic level a security model acts as a checklist, ensuring that there are not gaping holes in your security policy.

But a security model is much more than that. It is a philosophy that guides the way your company approaches security. While most security models cover the same topics, the approaches can vary, as shown in the next section, so it is important to choose one that meshes well with your corporate philosophy.

Before proceeding, it is a good idea to define terms that will be used in this chapter, and throughout the book. These are words you may have heard used without being clear on their definition. It is important to understand these terms, because they will have to be communicated to your senior management, and all employees, if you are responsible for developing a network security policy.

For our definitions, we'll focus on:

  • Security model

  • Security policy

  • Standards

  • Guidelines

The security model is simply, as already mentioned, a framework. It is within this framework that security policies are developed. Different security models will lead to slightly different security policies.

Which brings up security policy. The security policy is a published, and communicated, set of "rules" that all employees, customers, or vendors are required to adhere to and observe. The security policy, or policies, are not optional. For example, if you determine that only laptops and workstations running Windows 2000 are allowed to plug into the network, that is a policy. If someone plugs a laptop with Windows 98 into the network, he or she is in violation of that policy.

Of course, for a network policy to be effective it has to be communicated and enforced. If no one knows about a policy, it is not going to be followed. Conversely, if the policy has been published, but no one enforces it, it is equally ineffective.

The security model you choose should allow you flexibility in developing and evaluating policies. If you are very concerned about password sniffing on the network, you may create a policy that requires all passwords be at least 10 characters, have at least two capital letters, two numbers, and two nonstandard characters ($, @, #, etc.), and be changed on a weekly basis. At first blush this seems very secure until you walk around and see little Post-It notes, on which passwords are written, attached to everyone's monitor. In your effort to create a secure password policy, you have actually made it less secure.

Two other definitions that are integral to this chapter are standards and guidelines. Standards are system- or purpose-specific requirements. Standards provide guidance when choosing new equipment, or installing a new piece of hardware or software. An example of standards would be a set of requirements developed for switches. You may require that switches have to allow MAC addresses to be mapped to a specific port, or that all switches have to allow SNMP polling. A standard is not necessarily system specific, although it can be. Instead the goal is to set requirements that all equipment deployed on a network must meet; each type of network device will have different standards. More specifically you can also develop standards for specific devices or operating systems. If you deploy Cisco routers, you may outline specific services that have to be disabled, complete with step-by-step documentation.

Guidelines are similar to standards, but they are not required. Instead, they are strongly encouraged. A guideline might be that all switches allow remote access through SSH, and Telnet has to be disabled. While this is an excellent security precaution it may not be practical, as many switches simply do not support this capability. Of course, as more switches begin to allow SSH access, you may decide to make SSH-only access a standard.

Your network security policy will use policies, standards, and guidelines. Being as thorough as possible will prevent confusion in the implementation of the policy, and make it easier to follow.

The focus of this book is network security. Therefore when discussing security models, the focus will be on implementing a security model for your corporate network. Obviously, a network has to be integrated into a larger corporate security policy. In fact your company undoubtedly has a preferred security model, in which case, it may make more sense to use the company-wide security model as your network security model. [1]

[1] Of course if your company has a security model, steps to secure your network should have been taken when that model was first implemented.

Even if your company does not have a well-defined security model, you will still need to work with counterparts in other departments when developing a network security model, just as senior management will have to work with other members of senior management before determining which model will be used.

   


The Practice of Network Security: Deployment Strategies for Production Environments
ISBN: 0130462233
EAN: 2147483647
Year: 2002
Pages: 131
Authors: Allan Liska
