Tools to protect your enterprise network have been evolving for the last two decades, roughly the same amount of time that people have been trying to break into computer networks. These tools can protect your computer network at many levels, and a well-guarded enterprise deploys many different types of security technologies.
The most obvious element of security is often the most easily overlooked: physical security, that is, controlling access to the most sensitive components of your computer network, such as a network administration station or the server room. Since network and data access are controlled from these places, physical security must be part of any site security policy. No amount of planning or expensive equipment will keep your network secure if unauthorized personnel have access to central administration consoles. Even a user with no malicious intent may, through lack of training, unknowingly open the network to outsiders or override protective configurations.
The next level of computer security is operating system security. The guidelines for operating system security were established by the U.S. Department of Defense in its Trusted Computer System Evaluation Criteria (the "Orange Book"); other countries and other federal organizations have published standards of their own. In recent years, certified (tested and approved) configurations of commercial operating systems such as UNIX® and Microsoft Windows NT have been evaluated at the C2 level, which requires discretionary access control (file and directory read and write permissions), identification and authentication of individual users, and auditing of security-relevant events. Note that the rating applies to the specific configuration that was evaluated, not to every installation of the product: a system installed with different settings or additional software does not inherit the certification.
A firewall sits at the point where your private company network and a public network, such as the Internet, connect. A firewall system is a hardware/software configuration placed at this perimeter to control traffic into and out of your company's network. In theory a firewall passes only authorized communications between the internal and external networks; in practice new ways of getting around or through firewalls are constantly being found, so a firewall is one layer of defense rather than the whole of it. Properly implemented, however, firewalls are very effective at keeping out unauthorized users and stopping unwanted activity on an internal network.
Firewall systems protect and facilitate your network at a number of levels:
They permit the services you choose (e-mail, and, if desired, ftp and remote login) to pass while blocking all other access to the internal network. The safe way to write such a policy is to deny everything that is not explicitly allowed.
They provide an authorization mechanism that gives some assurance that only specified users or applications can gain access through the firewall.
They typically provide logging and alerting, which records the traffic you designate and raises an alarm on specified events. These logs are often the only record of an attempted intrusion, so they should be kept and reviewed.
They offer address translation, which hides the actual names and addresses of the machines communicating through the firewall. With network address translation, every connection from inside appears to the outside world to come from the firewall's own public address, so an outsider learns nothing about the internal numbering scheme or which machine initiated the connection. Mail gateways can do the equivalent for e-mail, rewriting internal sender addresses to a single public form that hides the individual user and machine.
Newer firewall products add functions such as encryption and virtual private network (VPN) capabilities. Encryption is the coding, or scrambling, of data so that unintended recipients cannot read it. A virtual private network uses encryption to carry traffic securely between sites over a public network such as the Internet.
Firewall systems can also be deployed within an enterprise network to compartmentalize servers and networks, controlling access within the network rather than only at its edge. For example, an enterprise may want to separate the accounting and payroll server from the rest of the network and allow only certain individuals to reach it.
Finally, every firewall system costs some performance. While the system is inspecting or re-routing data packets, they do not flow through as efficiently as they would if the system were not in place. This is the price of inspection; budget for it rather than recover it by loosening the rules.
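The firewall behaviour described above (selected services allowed, everything else denied and logged, source address translation on the way out, and an internal compartment around the payroll server) can be shown in a small policy engine. The following Python is an added example written for this page; it is not code from any firewall product and is a simplification (first-match rules, source NAT only, no connection state). The addresses are constructed for illustration: RFC 1918 space for the inside, RFC 5737 documentation space for the outside, and an assumed public address for the firewall itself.

```python
import ipaddress

# Illustrative addresses only (constructed for this example).
INSIDE_NETS = ["10.0.0.0/8"]
PUBLIC_ADDRESS = "203.0.113.1"   # the firewall's own outside address (assumed)
PAYROLL_SERVER = "10.1.9.5/32"
ACCOUNTING_HOSTS = ["10.1.1.10/32", "10.1.1.11/32"]
MAIL_SERVER = "10.1.2.25/32"
ANY = "0.0.0.0/0"


class Rule:
    """One line of policy: the action taken for traffic matching src/dst/proto/port."""

    def __init__(self, action, src, dst, proto="any", dport=None, log=False):
        self.action = action                     # "allow" or "deny"
        self.src = ipaddress.ip_network(src)
        self.dst = ipaddress.ip_network(dst)
        self.proto = proto                       # "tcp", "udp" or "any"
        self.dport = dport                       # destination port, None = any
        self.log = log                           # write a log line when matched

    def matches(self, pkt):
        return (ipaddress.ip_address(pkt["src"]) in self.src
                and ipaddress.ip_address(pkt["dst"]) in self.dst
                and self.proto in ("any", pkt["proto"])
                and self.dport in (None, pkt.get("dport")))


class Firewall:
    """First-match evaluation of an ordered rule list with an implicit final deny."""

    def __init__(self, rules):
        self.rules = rules
        self.inside = [ipaddress.ip_network(n) for n in INSIDE_NETS]
        self.log = []

    def _inside(self, addr):
        a = ipaddress.ip_address(addr)
        return any(a in n for n in self.inside)

    def decide(self, pkt):
        for rule in self.rules:
            if rule.matches(pkt):
                if rule.log:
                    self.log.append("%s %s %s->%s:%s" % (
                        rule.action.upper(), pkt["proto"], pkt["src"],
                        pkt["dst"], pkt.get("dport")))
                return rule.action
        # Nothing matched: deny, and log it so unexpected traffic is visible.
        self.log.append("DENY(default) %s %s->%s:%s" % (
            pkt["proto"], pkt["src"], pkt["dst"], pkt.get("dport")))
        return "deny"

    def forward(self, pkt):
        """Return the packet as it leaves the firewall, or None if dropped.
        Outbound packets get source NAT: the internal address is replaced by
        the firewall's public address, so outside hosts never see inside ones."""
        if self.decide(pkt) != "allow":
            return None
        out = dict(pkt)
        if self._inside(pkt["src"]) and not self._inside(pkt["dst"]):
            out["src"] = PUBLIC_ADDRESS
        return out


def build_policy():
    rules = []
    # Internal compartment: only the two accounting hosts may reach payroll;
    # everyone else is refused and the attempt is logged. These rules come
    # first so no later, broader rule can override them.
    for host in ACCOUNTING_HOSTS:
        rules.append(Rule("allow", host, PAYROLL_SERVER))
    rules.append(Rule("deny", ANY, PAYROLL_SERVER, log=True))
    # Outbound services the policy chooses to permit: mail, ftp, remote login (ssh).
    for port in (25, 21, 22):
        rules.append(Rule("allow", INSIDE_NETS[0], ANY, "tcp", port))
    # Inbound mail to the mail server is the only service exposed to the outside.
    rules.append(Rule("allow", ANY, MAIL_SERVER, "tcp", 25, log=True))
    return Firewall(rules)


if __name__ == "__main__":
    fw = build_policy()
    for pkt in [
        {"src": "10.1.1.10", "dst": "10.1.9.5", "proto": "tcp", "dport": 443},
        {"src": "10.1.3.7", "dst": "10.1.9.5", "proto": "tcp", "dport": 443},
        {"src": "10.1.3.7", "dst": "198.51.100.20", "proto": "tcp", "dport": 25},
        {"src": "198.51.100.20", "dst": "10.1.3.7", "proto": "tcp", "dport": 23},
    ]:
        print(pkt["src"], "->", pkt["dst"], fw.forward(pkt))
    print("\n".join(fw.log))
```

Two points worth noticing: the payroll deny rule is placed before the general outbound rule, because with first-match evaluation the order is the policy; and the default at the end is deny, so a service nobody thought to write a rule for is blocked and shows up in the log instead of silently passing.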
Passwords are the usual way of authenticating users as they access a computer system: the username says who the user claims to be, and the password is the evidence that the claim is true. Unfortunately, there are a number of ways in which a password can be compromised:
Someone wanting to gain access can "listen" for a username and password as an authorized user logs in over a public network. Protocols such as telnet and ftp send the password in the clear, so anyone on the path can read it.
Someone wanting to gain access can mount an attack on your access gateway, trying an entire dictionary of words (or license plates, or any other list) against the password field.
Users may lend their password to a co-worker, or may leave a list of system passwords lying in a public place.
Fortunately, there are password technologies and tools that can help make your network more secure:
One-time passwords, useful for ad hoc remote access, assume that a password will be compromised. Before leaving the internal network, the user generates a list of passwords that each work only once against a given username. When logging in remotely, a password is used once and is then no longer valid, so a password captured in transit is worthless to the eavesdropper.
Operating system features such as password aging and password policy enforcement. Password aging requires users to create new passwords at regular intervals. A good password policy dictates a minimum number of characters and a mix of letters and numbers, and the operating system refuses any password that does not meet these rules.
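To show why the policy rules matter against the dictionary attack described earlier, here is an added Python example (written for this page, not taken from any operating system or product). It enforces a minimum length, a letters-and-digits mix and a maximum password age, stores passwords as salted iterated hashes, runs a dictionary attack over a constructed wordlist, and puts a lockout counter on the login gateway. The policy numbers, the wordlist and the account names are assumptions chosen for the demonstration; the PBKDF2 round count is deliberately low so the example runs quickly.

```python
import hashlib
import hmac
import os

MIN_LENGTH = 8          # policy values are assumptions for this example
MAX_AGE_DAYS = 90
MAX_FAILURES = 5
PBKDF2_ROUNDS = 10_000  # kept low for the demo; production systems use far more


def policy_violations(password, age_days=None):
    """Return the list of policy rules a password breaks (empty means acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not (any(c.isalpha() for c in password) and any(c.isdigit() for c in password)):
        problems.append("must mix letters and digits")
    if age_days is not None and age_days > MAX_AGE_DAYS:
        problems.append("older than %d days, must be changed" % MAX_AGE_DAYS)
    return problems


def hash_password(password, salt=None):
    """Salted, iterated hash: the same password yields different stored values,
    so a stolen password file cannot be attacked with one precomputed table."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def verify_password(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Constructed wordlist standing in for the "entire dictionary" an attacker uses.
WORDLIST = ["password", "letmein", "sunshine", "welcome", "qwerty", "dragon",
            "football", "monkey", "abc123", "trustno1", "iloveyou", "shadow"]


def dictionary_attack(salt, digest, wordlist=WORDLIST):
    """Offline attack on a stolen hash: (password, guesses) or (None, guesses)."""
    for n, guess in enumerate(wordlist, 1):
        if verify_password(guess, salt, digest):
            return guess, n
    return None, len(wordlist)


class Gateway:
    """Online login front end: counts failures and locks the account, which is
    what stops a dictionary run against the login prompt itself."""

    def __init__(self):
        self.accounts = {}   # user -> (salt, digest)
        self.failures = {}
        self.locked = set()

    def set_password(self, user, password):
        problems = policy_violations(password)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        self.accounts[user] = hash_password(password)
        self.failures[user] = 0

    def login(self, user, password):
        if user in self.locked or user not in self.accounts:
            return False
        if verify_password(password, *self.accounts[user]):
            self.failures[user] = 0
            return True
        self.failures[user] += 1
        if self.failures[user] >= MAX_FAILURES:
            self.locked.add(user)
        return False
```

Note the trade-off the lockout introduces: once an attacker has tripped it, the legitimate user is locked out too, so a lockout needs an unlock procedure (or a time-based reset) and its own alert in the logs. The offline attack shows the other half of the picture: a policy-compliant password is not in the list, while a dictionary word falls on the third guess regardless of salting.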
Smart cards provide much stronger authentication than a memorized password. A unique password is computed for each login by a credit-card-sized device using a challenge-response scheme: the server issues a challenge, and the card answers it using a secret key that never leaves the card. The response is entered as part of the logon process and validated by an authentication server, which logs all access to the system. As might be expected, these systems can be expensive to implement.
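Both the one-time password list and the smart-card challenge-response above defeat the "listening" attack in the same way: what the eavesdropper captures is never accepted a second time. The following Python is an added example for this page (not code from any token or card product) that implements both against one authentication server: an S/KEY-style hash chain, in which the server stores only the top of the chain and the user carries the list, and an HMAC challenge-response standing in for the card's computation. The user names, seed and shared key are constructed; the chain here must be consumed in strict order, which is a simplification of the real S/KEY scheme.

```python
import hashlib
import hmac
import os


def _h(data):
    return hashlib.sha256(data).digest()


class AuthServer:
    """Authentication server supporting one-time password lists (S/KEY-style
    hash chain) and smart-card challenge-response. Every decision is logged."""

    def __init__(self):
        self.chain_top = {}     # user -> last accepted one-time password
        self.card_keys = {}     # user -> secret shared with the user's card
        self.pending = {}       # user -> challenge issued and not yet answered
        self.audit = []

    # --- one-time password list ------------------------------------------
    def enroll_otp(self, user, seed, count):
        """Build the chain p0=H(seed), p_i=H(p_(i-1)) and keep only p_count.
        Returns the list the user takes along: p_(count-1) first, p0 last."""
        chain = [_h(seed)]
        for _ in range(count):
            chain.append(_h(chain[-1]))
        self.chain_top[user] = chain[-1]
        return list(reversed(chain[:-1]))

    def login_otp(self, user, password):
        top = self.chain_top.get(user)
        ok = top is not None and hmac.compare_digest(_h(password), top)
        if ok:
            self.chain_top[user] = password   # consumed: it can never match again
        self.audit.append(("otp", user, ok))
        return ok

    # --- smart-card challenge-response -----------------------------------
    def enroll_card(self, user, key):
        self.card_keys[user] = key

    def challenge(self, user):
        nonce = os.urandom(16)
        self.pending[user] = nonce
        return nonce

    def login_card(self, user, response):
        nonce = self.pending.pop(user, None)   # each challenge is answered once
        ok = (nonce is not None and user in self.card_keys and
              hmac.compare_digest(card_response(self.card_keys[user], nonce), response))
        self.audit.append(("card", user, ok))
        return ok


def card_response(key, nonce):
    """What the card computes: a keyed hash of the server's challenge. The key
    never leaves the card, and a captured response is useless for a new nonce."""
    return hmac.new(key, nonce, hashlib.sha256).digest()


def demo():
    srv = AuthServer()
    otp_list = srv.enroll_otp("alice", b"constructed seed for alice", count=5)
    first = srv.login_otp("alice", otp_list[0])      # True
    replay = srv.login_otp("alice", otp_list[0])     # False: a sniffed value fails
    second = srv.login_otp("alice", otp_list[1])     # True
    key = os.urandom(32)                             # provisioned onto the card
    srv.enroll_card("bob", key)
    resp = card_response(key, srv.challenge("bob"))
    fresh = srv.login_card("bob", resp)              # True
    stale = srv.login_card("bob", resp)              # False: no challenge outstanding
    srv.challenge("bob")
    reused = srv.login_card("bob", resp)             # False: wrong answer for new nonce
    return first, replay, second, fresh, stale, reused


if __name__ == "__main__":
    print(demo())
```

The server-side storage is the point of the hash chain: it holds only the current top value, which is useless to anyone who steals it because the hash cannot be run backwards to obtain the next password the user will present.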
Single sign-on addresses an irony of system security: as a user accumulates passwords, those passwords become less secure, not more, and the system opens itself to unauthorized access. Many enterprise networks require users to have a different password for each part of the system. As users acquire more passwords (some people have more than 50), they cannot help but write them down or choose easy-to-remember ones. A single sign-on system is essentially a centralized access control list that determines who is authorized to reach which areas of the network, together with a mechanism for supplying the expected password to each. The user need only remember a single password to sign on. The trade-off is that this one credential now unlocks everything, so it deserves stronger protection than any of the passwords it replaces, for example one of the one-time or smart-card methods above.
A consultant from Carroll Communications can discuss a security program tailored to your enterprise. Contact us to schedule a free security assessment.