The Role of EFS in a Network Security Plan

Previous page
Table of content
Next page

A good network security plan is multilayered, just as a good physical security plan includes perimeter control (fencing), external security (guard dogs and security cameras), barriers (locks on doors), internal security (motion detectors and indoor cameras), and object-specific security (safes for valuables). In a network security plan, if your ISA server (or black-box firewall) is analogous to a high, strong fence sitting on the perimeter of the network, you might think of file encryption as a "safe" into which you put specific objects (such as files and folders) to protect them in case someone breaks through all the outer obstacles.

An important part of security planning is determining which assets need the most protection. You'll want to assess the sensitivity and importance of data on a case-by-case basis to decide which files and folders to encrypt. Why not just encrypt the entire contents of the disk and be done with it? Well, that is not the best solution, for several reasons:

  • Operating system files that must be accessed to use the system cannot be encrypted.

  • Data that needs to be compressed cannot be encrypted.

  • The encryption/decryption process slows performance somewhat, so taking the performance hit for data that has no need to be encrypted doesn't make sense.

  • Encrypted files can only be accessed by the person who encrypted them (in Windows 2000) or persons explicitly added to the access list (in Windows XP/.NET). So files that need to be accessible to many people cannot be encrypted in Windows 2000 and can only be encrypted in Windows XP/.NET with a great deal of work because you'll have to add everyone to the access list.

Another consideration is the fact that encrypting data might in some cases be like putting a red flag on it that announces to the world, "This data is sensitive and important!" If only one file on an entire disk is encrypted, that file will instantly become interesting to any intruder. For this reason, encrypting a number of files instead of only one or two is a good idea. That way, highly sensitive files won't stand out quite so much.

Remember that EFS fills only part of a network's encryption needs. EFS does not encrypt data sent across a network. If you attempt to send an EFS encrypted file across a network, someone who intercepts the packet with a protocol analyzer (called a sniffer) will be able to read the data. EFS is only intended to protect data on a disk. You should use IPSec to encrypt data to be sent across the network. If data is sensitive enough to be protected while it's stored on disk, it's sensitive enough to be protected when it's transmitted on a network.


Previous page
Table of content
Next page
MCSE. MCSA Implementing & Administering Security in a Windows 2000 Network Study Guide Exam 70-214
MCSE/MCSA Implementing and Administering Security in a Windows 2000 Network: Study Guide and DVD Training System (Exam 70-214)
ISBN: 1931836841
EAN: 2147483647
Year: 2003
Pages: 162
Authors: Will Schmied, Thomas W. Shinder
BUY ON AMAZON
Cisco IP Telephony (CIPT) (Authorized Self-Study) (2nd Edition)
PostgreSQL(c) The comprehensive guide to building, programming, and administering PostgreSQL databases
Cisco CallManager Fundamentals (2nd Edition)
Service-Oriented Architecture (SOA): Concepts, Technology, and Design
Sap Bw: a Step By Step Guide for Bw 2.0
Telecommunications Essentials, Second Edition: The Complete Global Source (2nd Edition)
flylib.com © 2008-2017.
If you may any questions please contact us: flylib@qtcs.net
Privacy policy