The Five-Access Point Security Plan
April 25, 2001
By Elizabeth M. Ferrarini
An attack on your computer network can result in denial of service from an overloaded router, corrupted data transmitted across the network, unauthorized access to PCs, or the data centers themselves.
Keeping the network safe requires that you minimize an attacker's entry to each identified access point in the network. The five access points you need to be concerned with are:
- Physical Protection
- User Authentication
- Access Control
- Encryption
- Security Management
Physical Protection
On the front line, you can begin by protecting back door access to workstations and to media as follows:
- Train staff to log off the network during breaks, meal times, and at the end of the work shift.
- Provide employees with access to a secure bin for depositing unused sensitive media, such as disks, and sensitive paper files that need to be destroyed. You might want to investigate a refuse service that specializes in destroying sensitive media. Some services will destroy your documents on-site, while others will provide a sealed bin for depositing media.
- Use smart cards, not disks, to store digital keys.
- Don't write down passwords and then send them via e-mail, especially if the message is going to get archived onto a server.
- Refrain from writing personal identification codes on identification cards.
- Put locking devices on portable equipment, such as laptops, external disk drives and tape backup systems.
User Authentication
Proof of who you are provides the only way to distinguish authorized users from possible intruders. To this end, an authentication system can determine what information the requester can access. For example, each sales representative can access records for his or her customers, not the entire customer database.
An authentication system usually includes what the user has or possesses, such as a smart card or certification; what the user knows, such as a password; or a physical attribute, such as a fingerprint or other biometric attribute. The most common authentication systems include a password, digital certificates, and digital digest or digital signatures.
- Passwords generated by a software agent pose the most common type of security breach, especially when they aren't carefully chosen or maintained. An intrusion detection system, on the other hand, can protect against unauthorized access to sensitive information by correlating and reporting on suspect activity, and creating complete logs of all information transactions. This type of system can link audit trails from disparate systems, such as firewalls and system event logs.
- Digital certificates, a technology that began as privacy enhanced mail, have become an essential part of public key infrastructure or PKI, a security system consisting of protocols, services, and standards to support public key cryptography applications. Public key cryptography validates digitally signed messages, which can be a simple e-mail message or a protocol exchange to establish a secure communications session. The sender of the authenticated message signs it with a private key. The recipient validates the message using the sender's corresponding public key, contained in the sender's digital certificate. The certificate can be sent with the message or obtained from a certificate repository.
- A digital digest enables you to authenticate the digital signature and to check on the message's validity. Applying a one-way hash function to a message creates a message digest; the message can't be re-created from the digest. A digital signature uses the individual's private key to encrypt the message digest. Verification occurs as follows: the recipient recomputes the digest from the received message text, and the sender's public key decrypts the digest from the digital signature. If the two digests match, the messages are probably the same.
Access Control
The first step in governing an employee's access to a specific network, workstation, or application should begin with a well-defined corporate security policy. You can use various forms of access control technology to enforce the corporate security policy.
A firewall -- a system that protects an internal trusted system from an external untrusted system -- can prevent external intruders from getting to your network. The firewall determines which inside services outsiders can access, which outsiders have access to the permitted inside services, and which outside services insiders can access. A secure firewall basically does two things: it inspects all traffic that tries to pass to and from the network, and it permits only authorized traffic to pass.
Encryption
Encryption -- making data unreadable to anyone who doesn't have the key to decrypt the data -- provides a way to protect data traveling over the network from the prying eyes of eavesdroppers. You can use encryption for data traveling over any type of network -- within the corporate network, between the corporate network and customers' networks, or over the Internet to carry data to a virtual private network.