13.4 Securing the Network


To thwart intrusion attempts from the public network, a number of mechanisms can be employed to provide multiple levels of security.

13.4.1 User Names and Passwords

The security features of a network operating system are the first line of defense. Usually this entails the user having to enter a logon ID and password to access the network. Most passwords identify the user and associate the user with a specific workstation and perhaps a designated shift, workgroup, or department. However, reliance on these mechanisms has drawbacks; chief among them is that users are notorious for their seeming inability to maintain password confidentiality.

Passwords should have a minimum of six or seven characters—anything less and they can be too easily broken by brute-force guessing. Worth noting is that plaintext passwords are especially vulnerable on LANs, since each guess increases the chance of unauthorized entry by a factor of 1 × N, where N equals the number of passwords on the LAN. To decrease the chances of a good guess, users should not be allowed to make up their own passwords; random password generators can be used for this purpose. A user ID should be suspended after a certain number of incorrect passwords have been entered, further reducing the chance that a trial-and-error procedure gains access to the operating system. In addition, changing passwords frequently helps to enforce tight security. If users are allowed to choose their own passwords, the selected passwords should be filtered through a dictionary to reject guessable words and previously used passwords, and to make sure the passwords meet minimum length requirements. When passwords expire, users should be prevented from using any expired password as the new password.
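The policy just described (minimum length, dictionary filter, no reuse of expired passwords, suspension after repeated bad entries, and password aging) as an added example that is not from the book; the word list, the thresholds, and the `Account` class are constructed for illustration.

```python
from datetime import date, timedelta

# Constructed stand-in for the dictionary the page says candidates are filtered
# through; a real deployment would load a full word list.
DICTIONARY = {"password", "welcome", "letmein", "summer", "dragon"}
MIN_LENGTH = 7           # page: at least six or seven characters
MAX_FAILED_ATTEMPTS = 3  # suspend the user ID after this many bad entries
MAX_AGE_DAYS = 90        # assumed aging policy; None would mean "never expire"


def check_new_password(candidate, history):
    """Return the policy violations for a candidate; an empty list means OK."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if candidate.lower() in DICTIONARY:
        problems.append("dictionary word")
    if candidate in history:  # expired passwords must never be reused
        problems.append("previously used")
    return problems


class Account:
    """One user ID: current password, reuse history, lockout and age tracking.
    Passwords are in the clear only for brevity; real systems store salted hashes."""

    def __init__(self, password, set_on):
        self.password = password
        self.set_on = date.fromisoformat(set_on)
        self.history = set()
        self.failed = 0
        self.suspended = False

    def expired(self, today):
        return MAX_AGE_DAYS is not None and \
            date.fromisoformat(today) - self.set_on > timedelta(days=MAX_AGE_DAYS)

    def attempt_logon(self, password):
        if not self.suspended and password == self.password:
            self.failed = 0
            return "ok"
        if not self.suspended:  # count the miss; lock after the allowed number
            self.failed += 1
            self.suspended = self.failed >= MAX_FAILED_ATTEMPTS
        return "suspended" if self.suspended else "denied"

    def change_password(self, new_password, today):
        problems = check_new_password(new_password, self.history | {self.password})
        if not problems:  # rotate only when the candidate passes every filter
            self.history.add(self.password)
            self.password = new_password
            self.set_on = date.fromisoformat(today)
        return problems
```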

There are two systems of password protection that companies can employ to maintain security: hierarchical or specific. Using hierarchical passwords, users can employ a defined password to gain access to a designated security level, as well as all lower levels. With specific passwords, on the other hand, users can access only the intended level and not the others above or below. Although specific-level passwords offer more security, they require that a senior, trusted employee have many passwords in order to work with the many databases and associated levels used throughout the day. Password levels, especially specific levels, also complicate the task of security administration.

Once an administrator implements a particular password security method, he or she should ensure that the connected workstations play an active role in supporting password usage. For example, as a user enters the characters of the password, the monitor screen should automatically blank out all key entries to minimize the risk of exposing the password to casual observers. Administrators can also install password routines that do not display any information on the screen or that sound an audible alarm while locking the keyboard after a specified number of failed entry attempts.

Administrators also should periodically survey the password master file, change or retire any infrequently used passwords, keep the updated file on removable disk, and store it in a secure area. Risks should be reassessed whenever a breach of security occurs or is even suspected. In addition, when personnel leave the company, their user ID and password should be rendered inoperable. In the case of corporate layoffs, where hundreds or even thousands of people leave the company at once, some preplanning is necessary to ensure that corporate resources are protected. Such events constitute a window of vulnerability that may require close monitoring of the network to detect potential intrusions that may masquerade as normal activity.

13.4.2 Single-Point Logon

Distributed systems enable processing, data, and applications to be shared throughout the organization for the benefit of all users. However, the security features of a network should not impose limitations on the ability of users and network administrators to do their jobs. A capability called single-point logon or sign-on enhances network security by simplifying access, regardless of the user’s location. Using the same user ID and password, single-point logon provides controlled access to applications and services residing on a local disk or file server, as well as to host-based applications, anywhere on the network. A desktop window provides the user with a set of icons that invoke access to enterprise applications and services. The single-point logon software does the work of controlling and managing all of the procedures that are required to access and execute the applications, regardless of their location on the network. In addition to user IDs and passwords, the software provides emulator selection, network navigation, and application subsystem selection. All of this takes place automatically and transparently, while ensuring security.

The single-point logon software permits the storage of remote logon information and passwords in encrypted form, so that even the administrator does not know user passwords. The administrator can also establish customized password-aging policies of any length of time, setting up passwords to expire in a day—or to never expire. The administrator can control access to only the enterprise applications and services that are authorized for each user. When the administrator adds a service or application for a group, all users in that group have instant access to it. This ensures the administrator’s ability to consistently provide the information that end users need while preventing inappropriate access to information that should remain secure.

13.4.3 Key and Card Systems

Among the simplest security systems are those that require users to insert a key in a lock in order to turn on the computer. Some vendors also market external hard disks, keyboards, and modem switches that incorporate key locks. With lock-and-key systems, however, intruders can pick the lock or duplicate the keys. To help minimize this possibility, the network administrator should keep keys in a secure cabinet where they can be checked out and their use can be monitored.

Alternatively, magnetic card-reading systems can be used to control access to workstations. Card systems offer more flexibility than simple key systems in that they allow users to access data from any available workstation they are authorized to access simply by inserting a card into a reader attached to the workstation; most banking automatic teller machines (ATMs) use this type of security, combined with a system of user IDs and passwords. This card-key system allows access-level definition for each user, rather than for each workstation. If users take the cards out of the building, the cards should not contain a company logo, street address, or anything that could identify the company. A simple printed statement as to where to mail the card if it is found by someone is sufficient. Administrators should reserve a box at a commercial mail drop for this purpose, listing it under a fictitious person to maintain complete security.

Although cards with magnetic stripes are the most popular, other types, such as barcode, plastic, and proximity cards, are also available. Some companies favor plastic cards with embedded magnetic stripes containing authentication information, which can provide for employee-entrance control as well as workstation control. Cards encoded with barcodes for optical readers can also be used, but this type can be relatively easy to duplicate. Proximity cards, which can be read by radio frequency at distances of a few inches to 10 feet, may be unsuitable for offices in which the workstations may be too close together. Administrators should not issue the same card for both workstation identification and access to other areas of the company. The workstation deserves a higher level of security and a closer control of card distribution than company-access cards.

Network administrators can also consider so-called “smart” cards as possible security alternatives. These devices, which contain embedded microprocessors, can accommodate a range of security tasks, such as performing on-line encryption, recording a time-on/time-off log, and providing password and biometric identification. Such devices offer a feasible security option for local and remote access control.

Some smart keys can provide very complex security solutions. For example, one of these products, used in conjunction with system software that generates a flashing pattern on a monitor, optically scans the pattern. The key device interprets the coded pattern and displays a remote access code on its LCD. The user can then enter the code on a keyboard. This new generation of handheld smart security systems offers a wide variety of options, including cards (with synchronized host software) that internally generate new access codes every minute and devices that optically read user fingerprints to permit system entry. Most of these devices target organizations requiring a high degree of information security.

13.4.4 Biometrics

The one drawback with both key and card systems is that access control can, willingly or unwillingly, transfer to someone other than the authorized user. Biometric devices, on the other hand, use an individual’s unique physical attributes for identification, thereby providing a higher level of security. These devices can identify an individual based on characteristics that cannot be duplicated or forged, such as a fingerprint, voice quality, or pattern of capillary blood vessels in the retina of the eye.

Fingerprint recognition is the most developed of the biometric technologies for mainstream use. Some fingerprint scanners can be added to desktop computers via a universal serial bus (USB) connection, and more computer makers are offering notebook computers with built-in fingerprint scanners. There are even fingerprint scanners that are integrated into a standard two-button mouse. The functionality of these scanners is continually being expanded. Users can program in several or all of their fingerprints, for example, so that if one finger or hand is injured, or one fingerprint is especially hard to read, the user can switch to alternate fingers. Multiple users can have their fingerprints read as well, providing shared access to the computer.

One fingerprint reader, the FIU-710 from Sony (see Figure 13.1), connects to the client via a USB cable and scans the fingerprint by means of measuring the difference in capacitance between the ridges and valleys of the fingerprint and the sensor itself. But the device is not just a fingerprint reader; it supports other authentication methods as well. The device can securely generate and store up to 1,024-bit RSA keys and perform 56-bit data encryption standard (DES) and 3DES encryption (see Section 13.5.2), allowing it to substitute as a smart card for many applications, particularly those involving digital certificates (see Figure 13.2).

Figure 13.1: The Sony FIU-710 connects to the client via a USB cable and processes, encrypts, and stores fingerprint templates internally rather than in a server or desktop database. If the unit is disconnected from the computer, access is denied.

Figure 13.2: The role of the FIU-710 in the authentication process using a digital certificate.

Unlike the smart card, however, the FIU-710 does not really need a personal identification number (PIN) to unlock itself, since the user’s fingerprint serves this purpose. This allows a user to have the benefits of two-factor authentication and public-key technology and securely access public-key-based applications from any computer with a USB port, without having to deploy physical smart card readers on every machine. Users activate their public-key pair and certificate data with their fingerprint and do not have to rely on a possibly forgotten password or PIN. For additional security, the scanner can be set up to require a PIN or password instead of, or in addition to, the fingerprint, providing three-factor authentication.

To use fingerprint scanners, users must go through an enrollment process that registers their fingerprints in the unit's database so it has something to compare against. During enrollment, the computer records the characteristic bends and endpoints of fingerprint ridges. This process is repeated several times to verify the consistency of the results before the system will accept the user's biometric profile.

To log in, the user’s fingerprint is scanned and the system compares the new scan with the stored image. If the right number of fingerprint details match, access to the computer is granted. At this writing, however, fingerprint scanning is not 100% reliable. For some people, getting the scanner to accept their fingerprint is like struggling to feed a dollar bill into a vending machine again and again—sometimes it is accepted, other times it is not. With practice and patience, users can train themselves to present their finger more consistently, thus minimizing the number of access failures. As a backup, these systems let the user enter a password or PIN to get in.

Another biometric security technique operates by sensing the user’s habitual typing rhythms. To log onto the network using this type of security system, the user types a brief sentence that has previously been recorded in workstation memory, creating an identification pattern that is extremely difficult to forge. This method provides a cost-effective means of user identification because it does not require additional hardware and it is sufficiently transparent that users do not have to learn a new technique, yet secure enough to deter an intruder from invading the network by guessing a password.
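The typing-rhythm technique above, as an added example rather than code from the book: enrollment repeats the sentence several times and accepts a profile only when the repetitions agree (the same consistency check the fingerprint enrollment section describes), and a logon attempt is then judged on how many of its inter-keystroke intervals fall inside the user's habitual band. The timing data, thresholds, and function names are constructed assumptions.

```python
import statistics

# Constructed enrollment data: four typings of the same short sentence by one
# user, each recorded as milliseconds between successive keystrokes.
ENROLLMENT = [
    [210, 180, 95, 240, 160, 300, 120],
    [205, 190, 100, 250, 150, 310, 115],
    [215, 175, 90, 235, 165, 295, 125],
    [200, 185, 105, 245, 155, 305, 118],
]


def build_profile(samples, min_samples=3, max_spread=0.25):
    """Turn repeated enrollment samples into a per-interval (mean, stdev) profile.

    The sentence is typed several times and the profile is accepted only when
    the repetitions agree: fewer than min_samples typings, or any interval whose
    spread exceeds max_spread of its mean, rejects the enrollment (returns None).
    """
    if len(samples) < min_samples:
        return None
    profile = []
    for intervals in zip(*samples):
        mean = statistics.mean(intervals)
        dev = statistics.pstdev(intervals)
        if dev > max_spread * mean:
            return None
        profile.append((mean, dev))
    return profile


def rhythm_matches(profile, attempt, tolerance=2.5, min_fraction=0.85):
    """Accept a logon attempt if enough intervals fall inside the user's band.

    Each interval must lie within tolerance standard deviations of its mean;
    a floor of 15% of the mean keeps very steady typists from being locked out
    by the slightest variation. A wrong length (wrong sentence) is rejected.
    """
    if len(attempt) != len(profile):
        return False
    hits = 0
    for (mean, dev), observed in zip(profile, attempt):
        band = max(tolerance * dev, 0.15 * mean)
        if abs(observed - mean) <= band:
            hits += 1
    return hits / len(profile) >= min_fraction
```

Someone who has learned the sentence but not the user's cadence (the constant-rate attempt in the test) is rejected even though every character is correct.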

13.4.5 Disk and Drive Controls

LAN security is weakest at the desktop, not only because password confidentiality tends to be weak, permitting unauthorized access, but because removable disks make stored data vulnerable to theft. To avoid theft and unauthorized copying of removable disks, data cartridges, and portable hard drives, administrators should keep them in a locked cabinet and store critical disks, such as backup copies of sensitive files, in the corporate safe or in another secure location within the data center. Users should create backup copies of sensitive files at weekly or daily intervals to provide a reliable source of archived data for restoration in the event of system disaster.

Creating backup copies of data also helps to prevent the spread of worms and viruses. In this way, if an infected disk does contaminate network resources, multiple backup copies dating back to a time before the virus infection occurred are available to restore the affected files, application programs, databases, and operating systems. Some network operating systems like Windows XP make this unnecessary; a rollback capability lets the user return to an earlier problem-free configuration.

A removable hard disk is ideal for transferring large files between machines, for archiving and backup tasks, and for use as a secondary storage device. Some removable drives are entirely self-contained, while others use removable cartridges that contain only the disk itself. Removable cartridges are best for applications in which security and long-term portability are the most important considerations.

Disk-locking programs are also available to prevent program disks from operating properly if copied or used with an unauthorized host computer. Administrators can protect data disks and files with passwords or modify them so that they allow access to data only when used with a specific program disk.

Another method of securing workstations is to use “diskless” workstations. A diskless workstation relies entirely on the network server for boot-up, address assignment, applications, and data storage, thereby eliminating the need for local disks. These workstations offer several potential benefits from a security standpoint. For example, since diskless workstations do not contain disk drives, they eliminate the possibility of disk theft, unauthorized copying, or concealing information downloaded from the host computer. The absence of disk drives also lessens the risk of introducing a virus into the network through infected input disks.

In the final analysis, the type of disk storage facility required depends on the duties of each workstation user. Therefore, a variety of safeguards should be in place to accommodate the differing needs of users.


LANs to WANs: The Complete Management Guide
ISBN: 1580535720
Year: 2003
Pages: 184