Unfortunately, organizations are not homogeneous when it comes to the technology they implement. You will discover a variety of equipment and operating systems in your organization, and the capabilities of that equipment, those operating systems, and their applications might limit your security options. You will need to evaluate the network technologies currently in use in your organization because they affect what you can and cannot do with your security policies. If a risk is great and likely to occur, you might even need to change the existing infrastructure to accommodate a policy. Suppose, for example, that you would like to enforce software policies through Group Policy. This is most effectively accomplished by combining Group Policy with Active Directory; without Active Directory, it would be difficult. A short list of the technologies on your network that you need to evaluate follows:
Authentication infrastructure
World Wide Web service
File sharing infrastructure
Naming services
Firewall/proxy services
Custom software and services
Remote access services
PKI infrastructure
Bandwidth
CPU power of the servers (particularly with regard to encryption because it puts a heavy burden on processor power)
Note: The means for securing each of the technologies in the preceding list will be discussed in greater detail in the appropriate chapter of this book.
You do not want technological limitations to guide your security policies. You should design security policies that would be theoretically best for the organization. You will need to identify areas where the security policies may not be consistent with the network’s current technology. The organization can then decide whether it is cost effective to change or update the technology or whether to change the policy. Implementing a security policy that is not consistent with the network’s technology puts an additional burden on the user by introducing interoperability constraints.
Interoperability constraints are restrictions brought on when two applications cannot communicate with each other and therefore cannot support the security protocols used to authenticate users on a network. Applications that have interoperability constraints could not support the necessary security
Real World Scenario: Exchange 2000 and Active Directory Distribution List
One situation in which you’ll encounter technical constraints (and more specifically, interoperability constraints) is when you’re trying to secure distribution group membership on an Exchange 2000 Server machine. If you need to support earlier versions of Windows than 2000 in Active Directory, then you’ll need to enable the access group that’s compatible with pre–Windows 2000 access groups to simulate the Everyone group in previous versions of Windows. This will allow down-level clients to enumerate the list of users in a distribution list. Unfortunately, it also means that everyone has permissions to view group membership, which leads to a problem with Exchange Server 2000. Because it relies on Windows 2000 Server security and distribution groups for its distribution lists, you will not be able to hide a distribution group’s membership as long as you have earlier versions of Windows. You can either upgrade all the clients to Windows 2000 or greater and disable the group that’s compatible with earlier versions or live without the ability to hide distribution group membership. You will need to decide, based on the security policy and cost, what you are prepared to do.
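The constraint described in this scenario can be audited rather than assumed. The following PowerShell script is an added example, not code from the book: it reports which broad security principals sit in the pre-Windows 2000 compatible access group (the membership that makes every group's member list readable by down-level clients) and which distribution groups are flagged to hide their membership, so the two can be compared. It assumes the ActiveDirectory module is available, that the Exchange schema extension providing the hideDLMembership attribute is present, and that the group is identified by its well-known SID S-1-5-32-554.

```powershell
# Added example (not from the book). Audits the interoperability constraint
# between pre-Windows 2000 compatible access and hidden distribution lists.
Import-Module ActiveDirectory

# The pre-Windows 2000 compatible access group is a builtin group with the
# well-known SID S-1-5-32-554, so it is looked up by SID rather than by name.
$compatGroup = Get-ADGroup -Identity 'S-1-5-32-554' -Properties member

# Foreign security principals appear as CN=<SID>,CN=ForeignSecurityPrincipals,...
# Everyone (S-1-1-0), Authenticated Users (S-1-5-11) and Anonymous Logon (S-1-5-7)
# in this group mean that group membership is effectively world-readable.
$broadPrincipals = @{
    'S-1-1-0'  = 'Everyone'
    'S-1-5-11' = 'Authenticated Users'
    'S-1-5-7'  = 'Anonymous Logon'
}
$present = foreach ($dn in $compatGroup.member) {
    if ($dn -match '^CN=(S-1-[\d-]+),CN=ForeignSecurityPrincipals') {
        $sid = $Matches[1]
        if ($broadPrincipals.ContainsKey($sid)) { $broadPrincipals[$sid] }
    }
}

# Distribution groups whose membership is supposed to be hidden (Exchange
# attribute hideDLMembership). Assumes the Exchange schema is installed.
$hiddenDLs = Get-ADGroup -LDAPFilter '(&(groupType=2)(hideDLMembership=TRUE))' |
    Select-Object -ExpandProperty Name

if ($present) {
    Write-Output "Pre-Windows 2000 compatible access grants read to: $($present -join ', ')"
    if ($hiddenDLs) {
        Write-Output "The following distribution lists cannot actually hide their membership:"
        $hiddenDLs | ForEach-Object { Write-Output "  $_" }
    } else {
        Write-Output "No distribution lists are flagged as hidden."
    }
} else {
    Write-Output "No broad principals in the compatible access group; hidden DLs are enforceable."
}
```

Run it as a domain user with read access to the Builtin container; the LDAP filter matches distribution groups (groupType=2) only, so security groups used as distribution lists are reported separately if you widen the filter.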
In the following Design Scenario, you will analyze the technical constraints that will impact the security of Infinite Horizons.
Design Scenario: Technical Constraints when Designing Security
Infinite Horizons has an outsourcing program for HR departments of client companies and needs to securely share information contained in its databases with customers. It also has some applications that the customers need to use to enroll employees in their benefits programs. They can also check on the status and current benefits of each employee. Infinite Horizons customers don’t always use Windows-based computers, and those that do could be using any version from Windows 3.1 to Windows XP.
Question: What are the technical limitations to Infinite Horizons’s security policy? Answer: The client operating systems vary widely in capabilities, so you will not be able to use the same ways of protecting them. For example, you might want to enforce a password policy that includes strong passwords, passwords longer than 8 characters, and a minimum password age of 4 days. However, you may find that one of the operating systems you are using does not support one of these features, or that you have to purchase a separate package.
Question: What kind of interoperability issues might arise when clients connect to Infinite Horizons’ network? Answer: Clients might not support the more secure version of authentication protocols or encryption technology that would be preferred for the sensitive data.