Handbook of Local Area Networks, 1998 Edition: LAN Security

EXTERNAL CONNECTIONS

To compete effectively, organizations must be able to respond quickly to changes in customer demand, technology, and competition, and to respond in a manner unhampered by time, distance, or organizational structure. To accomplish this, organizations must interconnect, not only internally within a company, but also externally with partners, competitors, customers, and suppliers. The Internet provides that ability to connect to the world.

The Internet is a worldwide conglomerate of networks whose host computers employ the Transmission Control Protocol/Internet Protocol (TCP/IP) suite for communications. Thousands of academic, government, and commercial organizations are connected to the Internet. Electronic communications among organizations increase productivity but raise a number of security concerns. The Internet's philosophy has traditionally been one of open exchange of communication and free flow of information. Unfortunately, the easy access to information using TCP/IP, combined with the security weaknesses common to TCP/IP services and UNIX-based systems, has created a multitude of opportunities for compromise. Organizations typically address these risks by creating a buffer between their network and the Internet.
These buffers, commonly known as firewalls, are composed of one or more computer systems (e.g., a router or application gateway) physically located on the organization's network and designed specifically to filter access to the organization's internal resources. These systems force all traffic through the firewall; the firewall software determines what traffic is allowed to pass and what traffic is denied. For example, the software might intercept all traffic from the outside world and require additional authentication before allowing it to flow to the internal network; alternatively, it might allow only certain TCP/IP services to reach the internal network. Additionally, the more intelligent application firewalls filter by unique identifier and IP address and provide audit logs, so that an organization can trace both legitimate and illegitimate access attempts. An organization's communications policy should dictate the level of filtering that is appropriate given the organization's strategic goals and objectives. For example, the policy might allow all traffic outbound but deny all access inbound. Or the policy might be scoped to allow only mail and deny all other TCP/IP services. Exhibit 8-2-2 shows a sample network security policy that addresses the Internet.

Exhibit 8-2-2. Policy for External Access to the X Company Network

The communications policy should ensure that a proper business justification exists for an external network connection and that the appropriate organizations are informed of the connection. The request for connection, described by the employee or function sponsoring the connection, should be reviewed by the security and communications functions prior to installation. Additionally, the external connection should be reviewed at least semiannually to verify that it is still needed.
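The two example policies above ("allow all outbound, deny all inbound" and "allow only mail") both depend on the firewall tracking connection state, so that replies to permitted outbound connections can come back in while unsolicited inbound attempts are refused. The following is an added example, not from the handbook, of a minimal stateful filter that models both policies and keeps the audit log the text mentions; the 10.0.0.0/8 internal range and the sample addresses are constructed assumptions.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
INTERNAL = ip_network("10.0.0.0/8")  # constructed internal range (assumption, not from the handbook)

@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    new: bool = True  # True = connection attempt (TCP SYN); False = traffic on an existing flow

@dataclass
class Firewall:
    # Inbound services the policy permits, as (proto, port) pairs. Empty = all outbound, no inbound.
    allowed_inbound: frozenset = frozenset()
    flows: set = field(default_factory=set)    # accepted (src, sport, dst, dport, proto) tuples
    audit: list = field(default_factory=list)  # one line per decision, legitimate or not

    def _decide(self, verdict, pkt, reason):
        self.audit.append(f"{verdict} {pkt.src}:{pkt.sport}->{pkt.dst}:{pkt.dport}/{pkt.proto} {reason}")
        return verdict == "ALLOW"

    def check(self, pkt):
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport, pkt.proto)
        reply = (pkt.dst, pkt.dport, pkt.src, pkt.sport, pkt.proto)
        if not pkt.new:  # state table: only flows already accepted may carry further traffic
            if key in self.flows or reply in self.flows:
                return self._decide("ALLOW", pkt, "established flow")
            return self._decide("DENY", pkt, "no matching flow")
        src_in, dst_in = ip_address(pkt.src) in INTERNAL, ip_address(pkt.dst) in INTERNAL
        if src_in and not dst_in:
            self.flows.add(key)
            return self._decide("ALLOW", pkt, "outbound connection")
        if dst_in and not src_in and (pkt.proto, pkt.dport) in self.allowed_inbound:
            self.flows.add(key)
            return self._decide("ALLOW", pkt, "inbound service permitted by policy")
        return self._decide("DENY", pkt, "inbound connection not permitted")

def demo():
    # Constructed traffic run against the two policies the text describes.
    out_only = Firewall()
    mail_only = Firewall(allowed_inbound=frozenset({("tcp", 25)}))
    web = Packet("10.1.2.3", 40000, "198.51.100.7", 80)        # internal user connecting out
    web_reply = Packet("198.51.100.7", 80, "10.1.2.3", 40000, new=False)
    smtp_in = Packet("203.0.113.9", 52000, "10.0.0.25", 25)    # outside mail server delivering
    telnet_in = Packet("203.0.113.9", 52001, "10.0.0.25", 23)  # outside login attempt
    return {"out_only": [out_only.check(p) for p in (web, web_reply, smtp_in)],
            "mail_only": [mail_only.check(p) for p in (smtp_in, telnet_in)]}
```

The audit list records every decision with its reason, which is what the text means by being able to trace both legitimate and illegitimate attempts.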
The request for connection should detail the duration of the connection, the expected start and end dates, and the security precautions to be taken, if any. A network connection request form can be designed as shown in Exhibit 8-2-3.

Exhibit 8-2-3. Network Connection Request Form

REMOTE NETWORK ACCESS CONTROLS

Remote access security requires the control of a variety of access types and devices, including dial-up access by means of modems, and remote access by means of fax and private branch exchange (PBX) devices. The network policy needs to explicitly address all potential remote access mechanisms.

Dial-Up Access. Dial-up access creates the potential for uncontrolled gateways into the network. A modem attached to a PC can become a node on an enterprisewide network without anyone's knowledge. The communications policy should establish controls that address these risks. For example, modems should be prohibited on individual workstations connected to company-owned networks or computing resources unless strict measures are in place to prevent unauthorized inbound dial-up access to such workstations.

Real-Time Diagnostics. Many vendors offer remotely scheduled maintenance and real-time diagnostics. To alleviate the risks that this remote access poses, the policy should require that the number of vendors authorized for dial-in be limited and controlled. Real-time diagnostics should not be performed unless the systems administrator is informed of the activity each time. Activity logs should be maintained, and the system administrator should compare logs with the vendor periodically. Further, company proprietary data should be adequately secured before a vendor is allowed to perform real-time diagnostics.

Facsimile Machines. Fax machines are often located in open areas where few if any controls are imposed.
The confidentiality and integrity of data can be compromised if fax transmissions are read by unauthorized persons or if they are inadvertently misrouted to an incorrect number. Employees may inadvertently transmit sensitive data by fax, and intruders may tap into a fax line and create a shadow copy of every fax sent and received. Policy and administrative procedures can address some of these risks by requiring that fax machines be physically secured and monitored routinely. For example, a fax machine used to send and receive sensitive executive correspondence can be located in an area that is accessible only by the executive administrative staff. Isolating the machine in this manner helps guarantee the security of this information.

PBX Security Guidelines. A comprehensive communications security policy must include adequate controls for voice systems. PBX systems are favorite targets of hackers, who use high-speed telephone dialing equipment to obtain local and toll-free telephone numbers. Hackers post corporate 800 numbers on underground bulletin board services, often with accompanying authorization codes. Criminals monitor airports, hotels, and businesses to acquire 800 numbers and valid authorization codes. Insecure PBX systems can also provide a useful gateway to an organization's other computer resources. The communications policy should clearly define the communications function's role as information owner. Its responsibilities should include such preventive activities as:

•  Ensuring that voice mail passwords are changed frequently.
•  Monitoring for unauthorized mailboxes.
•  Routine review of call detail reporting.
•  Implementing controls over direct inward system access (DISA) and the maintenance ports.
•  Regular auditing of hardware/software configuration.