Develop security framework
NSW Department of Education, 2004
Overview
In this topic we will look at how to develop a security framework in an
information technology environment.
In this topic you will learn how to:

determine level of required security

identify and document security threats

prepare protection plans and determine impact appraisals/costs

review firewall features

identify security perimeters within client server system

evaluate intrusion detection system (IDS)

investigate framework for secure electronic communication
infrastructure (SECI)

investigate the use of virtual private network (VPN)

determine hardware and software needs according to security plan

prepare cost benefit analysis for proposed security shield and finalise
framework

develop related policies and procedures.
This topic contains:

reading notes

activities

references

a topic quiz.
As you work through the reading notes you will be directed to activities
that will help you practise what you are learning. The topic also includes
references to aid further learning and a topic quiz to check your
understanding.
Reading notes
Determine security level
According to the 2006 Australian Computer Crime and Security Survey, published by
AusCERT at http://www.auscert.org.au/, about twenty-five percent of
respondents had experienced some type of security breach.
Network security focuses on three key principles: confidentiality, integrity
and availability (C-I-A):

confidentiality – prevent unauthorised disclosure of sensitive
information

integrity – prevent information from being modified by
unauthorised users and prevent information from being
unintentionally modified by authorised users

availability – provide timely and uninterrupted access to the
system; ‘five nines’ (99.999% uptime) is the usual shorthand for a
high availability target and allows for about five minutes of downtime
per year.
The following terms are also important to network security:

identification – a user claims an identity, for example by presenting
a login ID

authentication – the user proves that claim, for example with a
password, a smart card, or both

authorisation – the system resources that an authenticated user is
allowed to access

accountability – ensuring that each user can be held responsible for
their interactions with the system, which requires that actions are
logged against the authenticated identity

access control – limiting information only to authorised persons or
systems in the network.
Organisations will require varying levels of these principles. For instance,
an online auction site might consider availability to be most important,
whereas an online bank might choose integrity instead.
The following graph shows why security is important to businesses:
Image: Bar chart showing 71% Damage to a company image after a security
breach; 70% Legal liabilities resulting from a security breach; 60% Lost revenues
from security breaches; 57% Need for customer/supplier confidence in e-business;
45% Fear of theft; 37% Fear of fraud; 21% Loss of employee morale; 21%
Wireless connectivity; 8% Other
Figure 1: Security drivers
While security risks cannot be completely eliminated, effective risk
management through proactive preparedness can minimise the impact of a
security breach. It is up to each organisation to implement a security plan
that can support its business needs. Before a security plan is deployed, the
following information must be identified:

current business requirements

future business requirements

business strategic plan

client expectations.
In this part of the reading, we saw the importance of security within an
organisation. TCP/IP remains the dominant protocol suite on the Internet and
is used by most organisations. Later you will learn about the inherent
weaknesses of TCP/IP and how attackers exploit these known vulnerabilities.
We will also look at methods for protecting your organisation’s systems.
Identify security threats
Security threats
To develop an effective security plan you need to understand the various
types of security threats. A security plan is a vital part of improving the
organisation’s security defence by recording vulnerabilities and identifying
threats.
The four classes of security threats are:

unstructured threats – typically from inexperienced individuals
using hacking tools that are freely available on the Internet

structured threats – typically from highly competent individuals or
groups who can develop and use sophisticated hacking tools to
penetrate systems, usually for fraud or theft

external threats – individuals, external to the organisation, using
the Internet or dialup to access system resources

internal threats – individuals internal to the organisation causing
damage.
Security attack methods
The three methods of security attack are

reconnaissance

access

denial of service.
Reconnaissance
Reconnaissance is where a potential intruder probes a system for
vulnerable points of entry. It is the usual prelude to an access attack,
denial of service or data manipulation. Reconnaissance is also known as
information gathering. The intruder may ping sweep the target network for
live IP addresses. Next, a port scanner determines which TCP and UDP ports
are open. Open port numbers, and the banners returned on them, help to
identify the application type, version and operating system. The attacker
can then search for known application or operating system problems and
launch an attack.
How is reconnaissance done? A ping sweep identifies IP addresses that
return ICMP echo replies. Port scanners and enumeration tools (Nmap,
nslookup, ping, netcat, telnet, finger, rpcinfo, Fine Explorer, srvinfo,
dumpacl, SATAN (Security Administrator Tool for Analysing Networks),
Nessus, custom scripts, etc.) record the response from each target port,
and service banners often reveal the application and its version. Public
sources such as whois records, DNS and the organisation’s own web pages
give away more without touching the target at all.
From this reconnaissance, the attacker can collect information on the following:

TCP/IP address ranges

host names

DNS (domain name service)

SMTP (simple mail transfer protocol)

HTTP (hypertext transfer protocol)

HTTPS/SSL (HTTP secure over secure socket layer)

possible presence of firewalls.
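The scan-and-banner step described above, as an added example that is not part of the original topic notes. It performs a TCP connect() scan against two throwaway listeners it starts itself on 127.0.0.1 (constructed stand-ins for a target, so the example runs offline), reports which probed ports are open, and labels each one from the banner it returns. The banner strings and port choices are assumptions made for the example.

```python
"""Added example (not from the topic notes): TCP connect() scan with banner grab.

Two throwaway listeners on 127.0.0.1 stand in for the target so this runs offline."""
import socket
import threading

def start_fake_service(banner):
    """Listen on an ephemeral loopback port and send `banner` to every client.
    Returns the port. Constructed test fixture, not a real service."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    port = srv.getsockname()[1]

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(banner)

    threading.Thread(target=serve, daemon=True).start()
    return port

def scan_ports(host, ports, timeout=0.5):
    """Full TCP connect() to each port; return {open_port: banner_text}.
    A connect() scan completes the three-way handshake, so it shows up in the
    target's logs; that is the trade-off for needing no raw-socket privileges."""
    results = {}
    for port in ports:
        with socket.socket(socket.AF_INET, socket.SOCK_STREAM) as s:
            s.settimeout(timeout)
            try:
                s.connect((host, port))
            except OSError:
                continue          # RST (closed) or timeout (filtered): not open
            try:
                banner = s.recv(128).decode(errors="replace").strip()
            except OSError:
                banner = ""       # open, but the service waits for the client to speak first
            results[port] = banner
    return results

def guess_service(banner):
    """Crude fingerprint from the banner, the way a scanner labels open ports."""
    if banner.startswith("SSH-"):
        return "ssh"
    if banner.startswith("220") and "SMTP" in banner.upper():
        return "smtp"
    return "unknown"

def demo():
    """Scan two fake services and one port on which nothing listens."""
    ssh_port = start_fake_service(b"SSH-2.0-OpenSSH_7.4\r\n")
    smtp_port = start_fake_service(b"220 mail.example.test ESMTP ready\r\n")
    probe = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    probe.bind(("127.0.0.1", 0))
    closed_port = probe.getsockname()[1]   # a free port: connect() will be refused
    probe.close()
    found = scan_ports("127.0.0.1", [ssh_port, smtp_port, closed_port])
    return {port: guess_service(b) for port, b in found.items()}

if __name__ == "__main__":
    for port, svc in sorted(demo().items()):
        print(f"{port}/tcp open  {svc}")
```

Run it and only the two listening ports appear; the refused port is silently dropped, exactly as a closed port is in a real scan. Against a real network the same connect() loop is what tools such as Nmap fall back to when they cannot send raw packets, which is why a scan of this kind is noisy in the target’s logs and easy for an IDS to spot.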
Eavesdropping is an example of reconnaissance. It is also called network
snooping or packet sniffing. For example, SNMP version 1 (and version 2c)
sends its community strings, which act as the passwords for reading and
writing device configuration, in clear text. Anyone who can capture the
traffic can read them and then query or reconfigure the device.
Eavesdropping can therefore produce information on network devices and how
they are configured.
Another example is to capture usernames and passwords as they traverse a
network by using a protocol analyser tool. A protocol analyser intercepts
data streams and decodes the contents. Password authentication protocol
(PAP) is susceptible to this type of threat because it sends the password
unencrypted; telnet, FTP and HTTP basic authentication have the same
weakness.
You can minimise the risk of eavesdropping by:

implementing a security policy that prevents the use of vulnerable
protocols (SNMPv1/v2c, PAP, telnet, FTP and other clear-text protocols)
and replaces them with authenticated, encrypted equivalents

using data encryption that is sufficient to deter attacks without
overburdening the system or authorised users; transport- and
application-layer encryption such as TLS or SSH protects only the
payload, because the IP, TCP and UDP headers must stay readable for the
packet to be routed, so an eavesdropper can still see who is talking to
whom (IPsec in tunnel mode hides the original headers as well)

detecting and removing sniffer programs on the internal network, and
using switched rather than shared network segments so that a sniffer on
one port does not see everyone’s traffic.
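The SNMPv1 weakness described above, as an added example that is not part of the original topic notes. It shows the sniffer’s side of the problem: given the UDP payloads captured on port 161, a few lines of BER decoding recover the community strings. The captures are constructed in the file with a small encoder (the community names, OID and request IDs are assumptions made for the example); the v3 sample is included to show that the same decoder finds nothing to steal once SNMPv3 is used.

```python
"""Added example (not from the topic notes): recovering SNMPv1/v2c community
strings from captured UDP/161 payloads. The captures are constructed here with
a minimal BER encoder; extract_community() is what a sniffer runs on real traffic."""

def ber_len(n):
    """BER definite length: one byte below 128, otherwise 0x80|count then the bytes."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body

def tlv(tag, payload):
    return bytes([tag]) + ber_len(len(payload)) + payload

def ber_int(v):
    return tlv(0x02, v.to_bytes((v.bit_length() + 8) // 8, "big", signed=True))

def build_snmp_get(version, community, oid, request_id):
    """Constructed SNMP GetRequest (version 0 = v1, 1 = v2c) for a single OID."""
    varbind = tlv(0x30, tlv(0x06, oid) + tlv(0x05, b""))   # OID with NULL value
    pdu = tlv(0xA0, ber_int(request_id) + ber_int(0) + ber_int(0) + tlv(0x30, varbind))
    return tlv(0x30, ber_int(version) + tlv(0x04, community) + pdu)

def read_tlv(buf, pos):
    """Decode one TLV at buf[pos]; return (tag, value, position after it)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def extract_community(payload):
    """Return (version, community) for SNMPv1/v2c, else None.

    An SNMPv3 message starts INTEGER 3 then a SEQUENCE of header data rather than
    an OCTET STRING, so there is no community string for a sniffer to read."""
    try:
        tag, msg, _ = read_tlv(payload, 0)
        if tag != 0x30:
            return None
        tag, ver, pos = read_tlv(msg, 0)
        version = int.from_bytes(ver, "big", signed=True)
        if tag != 0x02 or version not in (0, 1):
            return None
        tag, community, _ = read_tlv(msg, pos)
        if tag != 0x04:
            return None
        return ("v1" if version == 0 else "v2c", community.decode("ascii", "replace"))
    except (IndexError, ValueError):
        return None

def harvest(payloads):
    """Community strings recovered from a list of UDP/161 payloads, in capture order."""
    return [r for r in map(extract_community, payloads) if r]

SYS_DESCR_0 = bytes.fromhex("2b06010201010100")   # OID 1.3.6.1.2.1.1.1.0 (sysDescr.0)

# Constructed capture: a v1 GetRequest, a v2c GetRequest and the start of a v3 message.
CAPTURE = [
    build_snmp_get(0, b"public", SYS_DESCR_0, 0x1234),
    build_snmp_get(1, b"r3adWr1te", SYS_DESCR_0, 0x1235),
    bytes.fromhex("300b0201033006020100020100"),
]

if __name__ == "__main__":
    for ver, community in harvest(CAPTURE):
        print(f"SNMP{ver} community string in clear text: {community!r}")
```

Note that a write community such as the constructed ‘r3adWr1te’ is recovered just as easily as the default ‘public’: a strong community string does nothing against a sniffer, only SNMPv3 with authentication and privacy, or blocking UDP/161 at the perimeter, does.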
Activity 1
To practise eavesdropping, complete Activity 1 – Packet sniffing, located in
the Activities section of the Topic menu.
Access
Access is where the intruder attempts to gain unauthorised entry to a system.
The following are considered to be access threats:
Password attack
Passwords are easily cracked by using software that can use a dictionary of
commonly known words (not just those found in a dictionary – for example,
words like SK8, ICQ and so on) or brute-force computation.

Dictionary cracking is a broad term to crack passwords that contain
words found in a dictionary and may also include well-known names
of countries, brands, people, music bands, slang and so on. The
following sample passwords can give the intruder a starting point:
o John123
o 4australia44

Brute-force computation occurs where specialised programs generate
every possible combination of characters up to a given length and try
each one against the stolen password hash or the login prompt. Given
enough time it always succeeds, so the defence is to make the search
space large (long passwords) and each guess expensive (a slow, salted
password hash, and lockout or rate limiting on the login prompt).
You can create better passwords by:

applying user creativity to form more secure passwords

using acronyms for passwords; for example, start with a sentence
like ‘I want to use this password for all my Internet logons’, use the
first letter of each word to create a secure password that you can use
by remembering the sentence you have created: ‘Iw2utp4amil’

Note that the password becomes even more difficult to crack when
we combine capital letters and symbols, for example,
‘T@qEZa$5w0bd$’.
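A dictionary attack with mangling rules, as an added example that is not part of the original topic notes. The ‘stolen’ hashes are constructed in the file from known passwords, using unsalted SHA-256 deliberately because a fast unsalted hash is what makes this attack cheap; the wordlist, rules and usernames are assumptions made for the example. It recovers the two weak sample passwords from the text and fails on the acronym-style one, which appears in no wordlist.

```python
"""Added example (not from the topic notes): dictionary attack with mangling rules
against a constructed password file."""
import hashlib
import itertools

# Constructed wordlist: a real one has millions of entries, slang and names included.
WORDLIST = ["john", "australia", "password", "sk8", "icq", "summer"]

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})

def mangle(word):
    """Yield candidate passwords derived from one wordlist entry: case variants,
    leetspeak, and the digit/symbol prefixes and suffixes people really use."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    prefixes = ["", "4", "1", "!"]
    suffixes = ["", "1", "123", "!", "2004", "44", "01"]
    for base, pre, suf in itertools.product(bases, prefixes, suffixes):
        yield pre + base + suf

def hash_password(password):
    # Unsalted fast hash: exactly the property that makes guessing cheap.
    return hashlib.sha256(password.encode()).hexdigest()

def crack(target_hashes, wordlist=WORDLIST, budget=1_000_000):
    """Try every mangled candidate against the hash set, stopping after `budget`
    guesses. Returns {username: recovered_password} for the hashes that matched."""
    wanted = {h: user for user, h in target_hashes.items()}
    found, guesses = {}, 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if guesses > budget:
                return found
            h = hash_password(candidate)
            if h in wanted:
                found[wanted.pop(h)] = candidate
                if not wanted:
                    return found
    return found

# Constructed sample of a stolen password file: the two weak examples from the
# text plus the acronym-style password built from a sentence.
STOLEN = {
    "jsmith": hash_password("John123"),
    "ksharma": hash_password("4australia44"),
    "rcontra": hash_password("Iw2utp4amil"),
}

if __name__ == "__main__":
    for user, password in crack(STOLEN).items():
        print(f"{user}: {password}")
```

Six words produce fewer than seven hundred guesses here, and two of three accounts fall. Scale the wordlist up and add more rules and the only passwords that survive are the ones no rule reaches; that, not clever substitution of a single character, is why the acronym approach works.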
Man-in-the-middle attack
Man-in-the-middle attacks allow a threat to read, insert and change the
communication between two parties without their consent or knowledge.
The security risks involve theft of information, hijack of a live session,
corrupting transmitted data, introducing new information, etc.
Image: Unsuspecting user on a computer in a house connects to a bank via the
internet. The communication path is not encrypted, represented by the open
padlock. A thief intercepts the communication between the user and bank and
steals important information.
Figure 2: Man in the middle
Trust exploitation
Various servers on a network provide multiple services like DNS, SMTP,
HTTP and FTP. For these services to run effectively, there must be a type of
trust between each computer. This allows a computer from one domain to
use the services of a server in another domain. A trust relationship allows a
user to log on in one domain and then use services on another domain
without having to be authenticated again. This trust relationship is
exploitable. For example, a public web server that is operating outside a
corporate firewall may have a trust relationship with a system that is inside
the firewall. By compromising security on the outside server, the intruder
can use the trust relationship to access the inside system.
Privilege escalation is where an intruder who has gained limited access
obtains higher rights, either by exploiting a vulnerability or by taking
over the account of a user who has been given more access rights than their
job requires. With those rights the intruder can install network sniffers,
delete log files, create backdoor accounts, etc. Granting users only the
rights they need (least privilege) limits what an intruder gains from any
one account.
Social engineering
Social engineering is where an intruder can trick a user to reveal sensitive
information such as usernames, passwords, location of files, server names,
gateway IP addresses, etc. Social engineering is probably the easiest method
for a threat to use since it does not require a high level of technical
knowledge. The Security Focus website at http://www.securityfocus.com/
has an interesting article which demonstrates an example of social
engineering.
Session replay
Session replay is where an intruder captures a stream of data packets that
contain sensitive information. Following manipulation, the intruder then
resends or replays the packets to gain access.
Auto rooters
Auto rooters are sophisticated programs used to automate the entire hacking
process. Typically, a Rootkit is installed on a compromised computer, which
in turn begins the automated hacking process. A successful intruder can scan
hundreds of thousands of systems within a short period. To learn more about
rootkits, go to http://www.rootkit.com/.
Data manipulation
Data manipulation is where an intruder can capture, manipulate and replay
data transmission. Two types are:

graffiti - where website pages may be altered

data alteration - where files such as password files may be altered.
Spoofing
Spoofing is where an intruder manipulates packets by spoofing. This injects
a false source IP address so that it appears to be a valid address to the
recipient. This is called a one-way masquerade since the intruder can inject
information into the system but not receive any replies. To receive replies a two-way masquerade - the intruder must change all routing tables to direct
all replies to the spoofed IP address. Tools that may be used for spoofing are
1664, Hunt and rbone.
Back doors
Back doors are hidden access points into a computer system. A common
method of creating a back door is a back-door Trojan, such as
Backdoor.Dvldr. A back door allows a remote attacker to take control of the
computer without the knowledge of the user. Computers controlled through
back doors are the usual agents in denial of service and distributed denial
of service (DoS and DDoS) attacks. You can read more about this at
http://www.symantec.com/security_response/writeup.jsp?docid=2003031016-5849-99.
Denial of service
Denial of service (DoS) is probably the most feared of all attacks. It occurs
where a system is prevented from providing critical services. There are
many different types of DoS threats, including:

CPU hogging - Trojan horses or viruses are typically used to keep
the CPU busy, hence preventing it from performing critical
operations

email bombs - monopolise email services by sending bulk emails to
users, lists, domains, etc.

land.c - confuses the target system by sending a TCP SYN packet whose
source address and port are identical to its destination address and
port (port 139 was the classic target); the target effectively tries to
complete a handshake with itself and can freeze

malicious applets - destroy or tie up system resources using Java,
JavaScript, ActiveX, etc., that act as Trojan horses or viruses

out-of-band attacks - send TCP out-of-band (urgent) data to port 139 of
Windows 98 or Windows NT systems; WinNuke has been the most common
tool for this type of attack

packet fragmentation and reassembly - buffer-overrun bugs in the
fragment reassembly code of hosts and networking devices provide the
basis of this type of attack

ping of death - an ICMP echo request is sent in fragments whose offsets
and sizes add up to more than the 65,535-byte maximum IP packet size;
when the receiver reassembles them the reassembly buffer overflows and
the system crashes

reconfiguring routers - web traffic may be disabled when routers are
reconfigured by an intruder

SYN flood attack - the target is sent a stream of TCP SYN packets,
usually with spoofed source addresses, and never the final ACK of the
handshake; each half-open connection occupies an entry in the target’s
connection table until it times out, so the table fills and genuine
connections are refused

targa.c - runs several attacks at once, including land, nestea, bonk,
syndrop, jolt, netear and WinNuke

teardrop.c - target systems crash when trying to reassemble
specially fragmented IP packets whose fragment offsets overlap.
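The land, ping of death, SYN flood and (from the next section) Smurf signatures, and the spoofed source address they rely on, as an added example that is not part of the original topic notes. It parses raw IPv4, TCP and ICMP headers with the standard library and flags each pattern; the packets are constructed in the file with small header builders that are test fixtures rather than attack tools, and the addresses, thresholds and subnet are assumptions made for the example.

```python
"""Added example (not from the topic notes): spotting classic DoS and spoofing
signatures in raw IPv4 packets. Sample traffic is constructed below."""
import struct
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

SYN, ACK = 0x02, 0x10

def ipv4(src, dst, proto, payload, frag_off=0, more=False):
    """Constructed IPv4 header with no options and a zero checksum (the parser
    never verifies it). Test fixture, not an attack tool."""
    flags_frag = (0x2000 if more else 0) | (frag_off // 8)
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), 0, flags_frag,
                      64, proto, 0, IPv4Address(src).packed, IPv4Address(dst).packed)
    return hdr + payload

def tcp(sport, dport, flags):
    """Constructed 20-byte TCP header carrying the given flag bits."""
    return struct.pack("!HHIIBBHHH", sport, dport, 0, 0, 5 << 4, flags, 8192, 0, 0)

def icmp_echo():
    """Constructed ICMP echo request (type 8) with no data."""
    return struct.pack("!BBHHH", 8, 0, 0, 1, 1)

def parse(pkt):
    """Pull the fields the checks need out of one IPv4 packet."""
    ihl = (pkt[0] & 0x0F) * 4
    total, = struct.unpack("!H", pkt[2:4])
    flags_frag, = struct.unpack("!H", pkt[6:8])
    info = {
        "src": str(IPv4Address(pkt[12:16])),
        "dst": str(IPv4Address(pkt[16:20])),
        "proto": pkt[9],
        "frag_off": (flags_frag & 0x1FFF) * 8,
        "data_len": total - ihl,
    }
    body = pkt[ihl:]
    if info["proto"] == 6 and len(body) >= 20:
        info["sport"], info["dport"] = struct.unpack("!HH", body[:4])
        info["flags"] = body[13]
    elif info["proto"] == 1 and body:
        info["icmp_type"] = body[0]
    return info

def analyse(packets, local_net, syn_threshold=50):
    """Run each signature over a packet list; return sorted, de-duplicated findings."""
    broadcast = IPv4Network(local_net).broadcast_address
    findings = set()
    syns, acks = Counter(), Counter()
    for p in map(parse, packets):
        is_tcp = p["proto"] == 6
        # land.c: source and destination address and port all identical
        if is_tcp and p["src"] == p["dst"] and p.get("sport") == p.get("dport"):
            findings.add(f"land attack against {p['dst']}")
        # ping of death: this fragment would end beyond the 65535-byte IP maximum
        if p["frag_off"] + p["data_len"] > 65535:
            findings.add(f"ping of death fragment from {p['src']} "
                         "(reassembles past 65535 bytes)")
        # smurf: echo request aimed at our broadcast address; the source is the victim
        if p["proto"] == 1 and p.get("icmp_type") == 8 and IPv4Address(p["dst"]) == broadcast:
            findings.add(f"smurf: echo request to broadcast {p['dst']} "
                         f"spoofed from {p['src']}")
        # SYN flood: handshakes started versus handshakes acknowledged, per target
        if is_tcp and p.get("flags") == SYN:
            syns[p["dst"]] += 1
        elif is_tcp and p.get("flags", 0) & ACK:
            acks[p["dst"]] += 1
    for dst, n in syns.items():
        if n - acks[dst] >= syn_threshold:
            findings.add(f"SYN flood: {n} SYNs but only {acks[dst]} ACKs to {dst}")
    return sorted(findings)

# Constructed traffic sample: one packet per signature plus a burst of spoofed SYNs.
SAMPLE = [
    ipv4("10.1.1.26", "10.1.1.26", 6, tcp(139, 139, SYN)),                 # land.c
    ipv4("203.0.113.7", "10.1.1.26", 1, icmp_echo(), frag_off=65528),       # last PoD fragment
    ipv4("10.1.1.26", "10.1.1.255", 1, icmp_echo()),                        # smurf trigger
] + [ipv4(f"198.51.100.{i % 250 + 1}", "10.1.1.26", 6, tcp(40000 + i, 80, SYN))
     for i in range(60)]

if __name__ == "__main__":
    for line in analyse(SAMPLE, "10.1.1.0/24"):
        print(line)
```

Every one of these checks reads the source address straight from the header and has no way to verify it: that is the spoofing problem in one line of code. The SYN-flood rule is the only stateful one, and a real sensor would window it by time rather than counting over a whole capture.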
Distributed denial of service (DDoS)
Instead of a single attacking host, many compromised hosts are used at once,
so that whole networks rather than individual computers can be overwhelmed.
Three well-known DDoS attacks are Smurf, Tribe flood network (TFN) and
Stacheldraht.

Smurf - a single attacker sends numerous ICMP (Internet control message
protocol) echo requests to the broadcast address of a network, with the
source address spoofed to be the victim’s. Every host on that network
replies to the victim, so both the amplifying network and the victim are
flooded. One way to deter this type of attack is to turn off directed
broadcasts on your routers, so that your network cannot be used as an
amplifier.

Tribe flood network - the intruder builds a TFN network of compromised
hosts consisting of a TFN master (the attacker’s control point), TFN
servers/daemons and TFN agents. As instructed by the TFN master, the
agents launch coordinated floods against the target IP addresses.

Stacheldraht - meaning barbed wire in German, is a form of TFN attack
except that communication between the attacker and the handlers is
encrypted, which makes it harder to detect and to take over.
Prepare a security plan
A security plan is an action document that states what will be done and
when.
Three key areas need to be considered: services, usability and cost.

services - each service carries its own security risk. There are
instances when it may be better to eliminate the service than try and
secure it.

usability - too much security can make the system cumbersome to
access and use.

cost - security can be expensive depending on the level an
organisation wants to achieve. However, risk of loss must also be
considered. Revenue-generating systems such as web servers may
not be able to operate after a security breach. Therefore, the loss of
this revenue must be considered against the cost of implementing
security measures.
What are the steps?
There are five steps in preparing a security plan:

inventory

risk assessment

evaluation

finalise

sign off.
Inventory
In this step, the physical and information assets are identified. This can be
done by creating a spreadsheet or diagram that will document the individual
items you want to protect. There are also software products that can scan the
network and create an inventory list automatically:

hardware: name the item.

software: name the applications, provide licensed quantities

system interfaces: internal and external connectivity, RAS, VPNs,
ISDN, VOIP, etc.

type of information: accounting data, production designs, client
information, etc.

critical/confidential information: degree of importance to maintain
security

owner: Who can claim ownership?
Image: Logical network diagram displaying multiple servers. Each server shows its
IP address, network name and server function.
Figure 3: Diagrammatic inventory
Image: Excel spreadsheet with the following columns and rows:

  Network Name   Product Description   IP Address   Administrator   Operating System   Manufacturer   CPU                             RAM (MB)
  db-sales01     Database server       10.1.1.23    Rani Contra     Redhat Linux       EBM            2 x Dual Core Opteron 2.6 GHz   2048
  db-sales-02    Database server       10.1.1.24    Rani Contra     Redhat Linux       EBM            2 x Dual Core Opteron 2.6 GHz   2048
  db-sales-03    Database server       10.1.1.25    Rani Contra     Redhat Linux       EBM            4 x Dual Core Opteron 2.6 GHz   4096
  web-sales-01   Web server            10.1.1.26    Juan Cruz       Redhat Linux       IPS            1 x Pentium D 1.8 GHz           1024

Figure 4: Spreadsheet inventory
Risk assessment
Risk assessment is evaluating each risk and determining the risk priority
levels. The risk priority level is determined by how often a threat occurs
(probability) and the consequence of that threat on the organisation
(impact). To determine the probability of a threat occurring, you need to
know how the threat can occur and the current controls in place. The
probability of a threat occurring can be classed as

low – not probable, may occur every three or more years

medium – probable, may occur every two to three years

high – highly likely, may occur more than once a year.
The impact of the threat occurring has financial and non-financial cost. The
impact of a threat can be classed as

low – little or no impact on the operation of a business; users are
inconvenienced and little financial cost associated to the impact

medium – IT services not easily recoverable, impact on users and
other areas of the business, financial losses experienced.

high – severe impact on services, heavy financial losses
experienced.
Therefore, if we draw up a matrix of probability and impact we can get the
following security levels:
Image: Matrix of security levels. Probability (rows) is plotted against
impact (columns); each cell gives the resulting security level:

  Probability \ Impact   Low      Medium   High
  High                   Medium   High     High
  Medium                 Medium   Medium   High
  Low                    Low      Medium   Medium

Figure 5: Security levels matrix
When conducting a risk assessment, three areas to assess are

information confidentiality

information integrity

information availability.
Information confidentiality refers to the impact of intrusion on
information assets, such as client information, passwords, databases, etc.
Information integrity refers to what the impact might be if inaccurate data
is used to make business or management decisions. The release of
inaccurate data to clients, regulators, shareholders or the public could lead to
a loss of business, possible legal action or public embarrassment.
Information availability also refers to business disruption risk. What
would the probability and impact be if a system was rendered inoperable
following a security attack?
Review the following simple scenario:
The accounting department performs a full data backup of the payroll
system onto tapes. These tapes are then stored in a locked, fireproof safe
next to the payroll server.
Probability level: What is the likelihood that the server and the fireproof
safe could be stolen or destroyed at the same time? Low, medium or high?
Impact level: What will be the cost of replacing the financial information
and how will it affect business continuity and employee morale? Low,
medium or high?
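The probability × impact matrix of Figure 5, applied to a small risk register that includes the payroll backup scenario above, as an added example that is not part of the original topic notes. The nine cell values are as read from the figure; the register entries and their low/medium/high ratings are constructed assumptions for the example, not the answers to the scenario.

```python
"""Added example (not from the topic notes): Figure 5's security-level matrix as a
lookup, applied to a constructed risk register."""
from dataclasses import dataclass

LEVELS = ("low", "medium", "high")

# Rows: probability. Columns: impact (low, medium, high). Values: security level.
MATRIX = {
    "high":   {"low": "medium", "medium": "high",   "high": "high"},
    "medium": {"low": "medium", "medium": "medium", "high": "high"},
    "low":    {"low": "low",    "medium": "medium", "high": "medium"},
}

def security_level(probability, impact):
    """Priority for one threat; anything outside low/medium/high is rejected
    rather than silently rated, so a typo in the register cannot hide a risk."""
    p, i = probability.lower(), impact.lower()
    if p not in LEVELS or i not in LEVELS:
        raise ValueError(f"ratings must be one of {LEVELS}, got {probability!r}/{impact!r}")
    return MATRIX[p][i]

@dataclass
class Risk:
    asset: str
    threat: str
    probability: str
    impact: str
    area: str          # confidentiality, integrity or availability

    @property
    def level(self):
        return security_level(self.probability, self.impact)

def prioritise(register):
    """Highest security level first; sorted() is stable, so ties keep register order."""
    rank = {"high": 0, "medium": 1, "low": 2}
    return sorted(register, key=lambda r: rank[r.level])

# Constructed register. Payroll scenario: losing the server and the tape safe
# beside it in the same fire or theft is rare, but losing all payroll data is severe.
REGISTER = [
    Risk("payroll server + on-site tape safe", "fire or theft destroys both",
         "low", "high", "availability"),
    Risk("web-sales-01", "public pages defaced (graffiti)", "high", "medium", "integrity"),
    Risk("db-sales-01", "client records read using a sniffed password",
         "medium", "high", "confidentiality"),
    Risk("staff workstations", "password guessed on a low-value account",
         "high", "low", "confidentiality"),
]

if __name__ == "__main__":
    for r in prioritise(REGISTER):
        print(f"{r.level:6}  {r.area:15}  {r.asset}: {r.threat}")
```

The ordering is the point: the payroll scenario comes out ‘medium’ despite its severe impact because the combined loss is improbable, while the frequent, moderate-impact defacement is rated ‘high’ and would be addressed first in the plan.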
Evaluation
An actual security plan will endeavour to cover all risk areas, not only those
associated with computer technologies. Use the Evaluation checklist located
at http://rusecure.rutgers.edu/sec_plan/checklist.php as a guide to
developing a security plan. Review each of the major headings in the
checklist.
The checklist provides the opportunity to respond with a positive or a
negative answer. You will need to evaluate the responses and divide them
into positive and negative responses. The positive responses are used to
create an evaluation report. The negative responses are collated and will
need to be addressed by the security plan. Review the example given at
http://rusecure.rutgers.edu/sec_plan/eval_sample.php.
Typically, evaluation is performed by the relevant department head or by a
Security Committee. Individual security items are reviewed and action plans
are developed. Action plans are then matched with target dates and included
into a security plan document.
Finalise and sign-off
The security plan should be accepted and signed off by the appropriate
persons. It is recommended that the security plan be signed off by senior
management and the security officer. Also, system specific documentation
should be approved by the owner of the system. They need to check for
currency and correctness.
Maintenance
The security plan will need to be reviewed periodically for currency. Create
a schedule for reviewing the security plan at regular intervals. The intervals
should not be greater than yearly. A review should also take place if a major
security incident occurs or there have been changes to the information
system or business environment.
Third-party organisations may be employed to conduct security audits on a
regular basis. Audit results are then compared to the security plan to either
confirm the successful completion of an action or to modify the action.
In order to effectively protect itself against internal and external threats to
security, an organisation must have a comprehensive security policy that
addresses all of the threats you have identified in your risk analysis. It
provides a framework around which you can implement your security
measures. This will be particularly important when we look at firewall
functionality.
Activity 2
To practise preparing for a security plan, complete Activity 2 – Identify IT
assets and document threats, located in the Activities section of the Topic
menu.
Review firewall features
What is a network firewall?
A firewall is designed to protect a network from untrustworthy networks,
intruders or even trusted users. A firewall exists to block or permit data
traffic according to a policy. In practice each firewall leans one way or
the other: a default-deny firewall blocks everything that is not explicitly
permitted, whereas a default-permit firewall allows everything that is not
explicitly blocked. Default deny is the safer design, because a service you
forgot about stays closed rather than open.
Why are firewalls needed?
The Internet is basically a community of users. However, it is also plagued
with people who enjoy the electronic equivalent of painting graffiti on
other people’s property, and with people who want to steal. Some people work
on the Internet, while others need to share sensitive or proprietary data
across it. A firewall’s main purpose is to keep intruders out of the network
behind it.
Many organisations enforce computing security policies and procedures that
must be adhered to. Firewalls are used to support these policies and
procedures.
Firewalls are also installed at servers that share public or private information
about corporate products and services, files to download or bug fixes.
What can a firewall protect against?
Some firewalls permit only email traffic to protect the network against
attacks that might use non-email traffic. Other firewalls provide less strict
protections and block services that are known to be problems.
Firewalls are configured to protect against unauthenticated logins from the
external world. More sophisticated firewalls block incoming traffic, but
permit users on the inside to communicate with the external world.
Firewalls also provide a single point where security and audit can be
imposed.
What can’t a firewall protect against?
Firewalls can’t protect against attacks that bypass the firewall.
Organisations that connect to the Internet are extremely concerned about
proprietary data leaking out. Unfortunately, a magnetic tape, a USB drive
or a modem on someone’s desk can be used to export proprietary data without
ever touching the firewall. Firewall policies must be realistic and reflect
the level of security in the entire network. For example, a site with highly
confidential or classified data should not be connected to the external
world in the first place; isolation, not a firewall, is the appropriate
control there.
Firewalls cannot reliably stop incoming viruses. There are too many ways to
encode binary files for transfer over networks, and too many different
architectures and viruses, for a packet filter to search and destroy them
all. Firewalls also cannot protect against data-driven attacks, where
internal hosts are used to execute malicious programs that were emailed in
or downloaded by a user; anti-virus software on the hosts and the mail
gateway, and user education, address those.
Basic design decisions in a firewall
Many factors affect how firewalls should be configured. The most basic, and
safest, policy is to deny all services except those the business actually
needs, such as email and HTTP/HTTPS access to the Internet, and to add each
further service only when someone can justify it.
Use the firewall to monitor traffic and provide logs and reports on network
activity.
Security benchmarks need to be established to specify acceptable risk levels.
The Center for Internet Security publishes security benchmarks tools for
operating systems, network devices and applications. Use the link below to
download any of the security benchmark tools on offer:
http://www.cisecurity.org/index.html
Financial decisions need to be made to determine investment levels for
security. Firewalls range from being free to upwards of $100,000. Ongoing
support costs need to be addressed as well.
A decision could be made to position a server outside the corporate network.
This server will not be connected to the corporate network at all. In this
scenario, the server can provide services for Telnet, FTP, News, etc.,
without the need for a firewall, but it must be treated as expendable:
assume it will be compromised, keep nothing sensitive on it and allow no
trust relationship from it to the inside.
In most cases, hardware firewalls are used to provide routing services
between the internal and external environments. Costs will escalate as more
stringent demands are made to configure such devices.
Firewall-related terms

Host-based firewall - a firewall where the security is implemented
in software running on a general-purpose computer of some sort.
Security in host-based firewalls is generally at the application level
rather than at a network level.

Router-based firewall - a firewall where the security is
implemented using screening routers as the primary means of
protecting the network.

Screening router - a router that is used to implement part of the
security of a firewall by configuring it to selectively permit or deny
traffic at a network level.

Bastion host - a host system that is a ‘strong point’ in the network's
security perimeter. Bastion hosts should be configured to be
particularly resistant to attack. In a host-based firewall, the bastion
host is the platform on which the firewall software is run. Bastion
hosts are also referred to as ‘gateway hosts’.

Dual-homed gateway - a firewall consisting of a bastion host with
two network interfaces, one of which is connected to the protected
network, the other to the Internet. IP traffic forwarding is usually
disabled, restricting all traffic between the two networks to whatever
passes through some kind of application proxy.

Application proxy - an application that forwards application traffic
through a firewall. Proxies tend to be specific to the protocol they
are designed to forward and may provide increased access control or
audit.

Screened subnet - a firewall architecture in which a ‘sandbox’ or
‘de-militarised zone’ (DMZ) network is set up between the protected
network and the Internet, with direct traffic between the protected
network and the Internet blocked. Conceptually, this is similar to a
dual-homed gateway except that an entire network rather than a single
host is reachable from the outside.
Image: Network diagram showing a network segmented into three subnets. The
Internet service provider (ISP), demilitarised zone (DMZ) and local area network
(LAN). The ISP is connected to the internet and also to the clients demilitarised
zone via an internet gateway. The DMZ has internet accessible server like http,
smtp, dns. The LAN is connected to the DMZ by internet gateway.
Figure 6: Network diagram
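The default-deny design decision and the screened subnet of Figure 6, as an added example that is not part of the original topic notes: a first-match packet filter whose rule set lets the Internet reach only the DMZ’s HTTP, SMTP and DNS servers and lets the LAN out only for web and mail, with everything else denied and logged. The DMZ and LAN address ranges, the rule set and the sample packets are assumptions constructed for the example, not the configuration of any real firewall product.

```python
"""Added example (not from the topic notes): first-match packet filter for the
screened-subnet design, default deny. Nets, rules and traffic are constructed."""
from ipaddress import ip_address, ip_network

INTERNET = ip_network("0.0.0.0/0")     # "anything not ours"; see evaluate()
DMZ = ip_network("192.0.2.0/24")
LAN = ip_network("10.1.1.0/24")

# (source net, destination net, protocol, destination port, action); first match wins.
RULES = [
    (INTERNET, DMZ, "tcp", 80,  "permit"),   # public web server
    (INTERNET, DMZ, "tcp", 25,  "permit"),   # inbound mail to the DMZ relay
    (INTERNET, DMZ, "udp", 53,  "permit"),   # public DNS
    (LAN, INTERNET, "tcp", 80,  "permit"),   # staff browsing, outbound only
    (LAN, INTERNET, "tcp", 443, "permit"),
    (LAN, DMZ, "tcp", 25, "permit"),         # staff mail submitted via the relay
    (INTERNET, LAN, "any", None, "deny"),    # direct Internet->LAN is never permitted
]
DEFAULT = "deny"

def _outside(addr):
    """0.0.0.0/0 would match our own hosts too; 'Internet' means not LAN and not DMZ."""
    return addr not in LAN and addr not in DMZ

def evaluate(src, dst, proto, dport):
    """Return (action, rule_index) for the first matching rule, or (DEFAULT, None)."""
    s, d = ip_address(src), ip_address(dst)
    for idx, (snet, dnet, rproto, rport, action) in enumerate(RULES):
        if rproto not in ("any", proto) or (rport is not None and rport != dport):
            continue
        if snet == INTERNET and not _outside(s):
            continue
        if dnet == INTERNET and not _outside(d):
            continue
        if s in snet and d in dnet:
            return action, idx
    return DEFAULT, None

def audit(packets):
    """One decision line per packet: what the firewall would write to its log."""
    log = []
    for src, dst, proto, dport in packets:
        action, idx = evaluate(src, dst, proto, dport)
        why = f"rule {idx}" if idx is not None else "default policy"
        log.append(f"{action.upper():6} {proto}/{dport} {src} -> {dst} ({why})")
    return log

# Constructed traffic: legitimate requests plus the things the design must stop.
SAMPLE = [
    ("203.0.113.9", "192.0.2.10", "tcp", 80),     # Internet -> DMZ web
    ("10.1.1.40", "198.51.100.5", "tcp", 443),    # LAN -> Internet https
    ("203.0.113.9", "10.1.1.23", "tcp", 3306),    # Internet -> LAN database: deny
    ("203.0.113.9", "192.0.2.10", "tcp", 23),     # telnet to the DMZ: not mission critical
    ("192.0.2.10", "10.1.1.23", "tcp", 3306),     # compromised DMZ host reaching the LAN
]

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

The last sample packet is the one worth checking by hand: nothing in the rule set mentions DMZ-to-LAN traffic, and under a default-permit policy it would sail through. Under default deny it is dropped by the final line of evaluate(), which is precisely why the screened subnet protects the LAN even after a DMZ host has been compromised.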
A network security policy identifies a network's resources and threats,
defines network use and responsibilities, and details action plans for when
the security policy is violated. When you deploy a network security policy,
you want it to be strategically enforced at defensible boundaries within your
network. These strategic boundaries are known as security perimeters.
Security perimeters
To establish your security perimeters, you must designate the networks and
systems that you wish to protect and define the security mechanisms that
will protect them. To have a successful security perimeter, firstly a
well-designed and secure network topology must exist. Secondly, a firewall
server must be the gateway for all communications between trusted
networks and untrustworthy or unknown networks.
Each network can contain multiple security perimeters. Three types of
security perimeters are often used. They are the outermost perimeter, the
internal perimeters and the innermost perimeter. The following illustration
shows the security perimeters.
Image: Three layers of network defence protecting a computer. The outer
perimeter is the first line of defence. It is represented by a sharpened staked fence.
The internal perimeter, the second line of defence, is represented by a high
corrugated fence. The innermost perimeter, the third line of defence, is represented
by a brick wall.
Figure 7: Security perimeters
The outermost perimeter is the separation point between the assets that you
control and the assets that you do not control. Typically, this point is the
gateway that you use to separate your network from the Internet. The
outermost perimeter is the most insecure area of your network. Normally,
this area will contain routers, firewall servers and public Internet servers and
front-end mail servers. This area of the network is the easiest area to gain
access to and therefore is the most frequently attacked, usually in an attempt
to gain access to the internal networks.
By taking a layered approach to securing the perimeter, you will harden the
perimeter and limit the damage of a breach when an attack is successful. A
layered approach to security, commonly known as defence in depth,
focuses on securing people, technology and policies. For more information
on defence in depth visit some of the following websites:
http://www.nsa.gov/snac/support/defenseindepth.pdf
https://www.microsoftelearning.com/catalog/security.aspx
http://www128.ibm.com/developerworks/views/global/tutorials.jsp?topic_by=Security
Internal perimeter networks represent additional boundaries where you have
other security mechanisms in place, such as intranet firewalls and filtering
routers, domain separation, authentication, and so on.
The following diagram shows two security perimeters (an outermost
perimeter and an internal perimeter) defined by the placement of the internal
and external routers and the firewall server. Placing your firewall between
an internal and external router provides little additional protection from
attack, but it reduces the amount of traffic the firewall must evaluate.
Image: Two security perimeters (an outermost perimeter and an internal perimeter)
defined by the placement of the internal and external routers and the firewall
server. Placing your firewall between an internal and external router provides little
additional protection from attack, but it reduces the amount of traffic the firewall
must evaluate.
Figure 8: Network security perimeters
This is not the only type of networking topology that you should consider.
The systems and services that are running will determine how many layers of
security are needed. At the following site there is a multi-tier approach to
securing the system: http://www.isaserver.org/tutorials/Creating-MultipleSecurity-Perimeters-Multihomed-ISA-Firewall-Part1.html
Installing a firewall between an internal and external router provides little
protection from attacks on either side. However, it greatly reduces the
amount of traffic that the firewall server must evaluate. From the
perspective of external users, the firewall server represents all accessible
computers on the trusted network. It defines a choke point through which all
communications must pass.
Intrusion detection system
An intrusion detection system (IDS) identifies inappropriate, incorrect or
unusual activities on the network and can alert the appropriate person about
the activities. An IDS is either host-based or network-based.
Host-based IDS
Host-based IDS typically involves a computer that needs to be monitored.
Relevant programs are installed to use log files or the system's auditing
agents as sources of data. The person responsible for monitoring the IDS
needs to be a competent system administrator who is familiar with the host
machine, network connections, users and their habits and all software
installed on the machine. Many intrusions have been contained by attentive
system administrators who have noticed something unusual about their
machines or noticed a logged-on user at a time when the user should not be
on the system.
The host-based IDS monitors incoming and outgoing communications,
checks the integrity of system files and watches for suspicious processes.
You need to install the host-based IDS software on each computer to get
complete coverage at your site.
There are two primary classes of host-based IDS:

host wrappers/personal firewalls - host-based IDS is more effective
at detecting trusted-insider attacks, also known as anomalous
activities

agent-based software.
Both host-based and network-based IDSs are effective for detecting
externally sourced attacks.
Host wrappers or personal firewalls can be configured to monitor all
network packets, connection attempts or login attempts. This can also
include dial-in attempts or other non-network-related communication ports.
The best-known examples of wrapper packages are TCPWrappers for Unix
and Nuke Nabber for Windows. Personal firewalls can also detect software
on the host attempting to connect to the network, such as WRQ's AtGuard.
Host-based agents monitor access, changes to critical system files and
changes in user privileges. Well-known commercial versions include
products from AXENT, CyberSafe, ISS and Tripwire.
UNIX has numerous software tools to perform intrusion detection. Since no
single package will do everything, each software package could be tailored
to each computer that is to be monitored. Monitoring software includes
system and user log files (syslog), connectivity monitoring (TCPwrappers,
lastlog), process monitoring (lsof), process accounting, disk usage
monitoring (quotas), session monitoring (options to ftpd to log all file
transfers, process accounting) and system auditing (audit). UNIX host-based
intrusion detection is only as good as the logging that's done. Scripts can be
written to analyse log files and alert the system administrator via email or
text messaging when something is unusual. Click here to watch a
demonstration about host-based IDS using the diagram below (1 KB
2817_f09_flash.html). Click here to read a text version of the demonstration
(79 KB 2817_f09.doc).
Image: Diagram with the Internet outside the firewall and the switch on the other side
of the firewall connecting to hosts, each of which has an individual IDS. As normal
packets from the Internet enter through the firewall and arrive at the destination, no
alarm is given. As soon as the IDS detects an abnormal packet, the IDS sends out
an alarm.
Figure 9: Intrusion detection system
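As an added illustration (not code from the module), the following Python script does what the notes describe for a UNIX host: it reads sshd-style syslog lines, compares each successful login against the hours and source hosts the administrator expects for that user, and flags bursts of failed logins. The log lines, user names, addresses and the expected-behaviour table are all constructed for the example; a real deployment would read the system's authentication log and send the alerts by e-mail or text message as the notes suggest.

```python
"""Host-based log analyser (added example, not from the module).

Reads sshd-style syslog records, checks successful logins against each
user's expected hours and source hosts, and flags bursts of failed logins.
Log lines, users, addresses and the expected-behaviour table are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in sshd/syslog format.
SAMPLE_LOG = """\
Mar 14 08:02:11 fileserver sshd[4101]: Accepted password for alice from 10.1.2.20 port 51022 ssh2
Mar 14 09:15:40 fileserver sshd[4188]: Accepted publickey for bob from 10.1.2.31 port 51100 ssh2
Mar 14 23:47:03 fileserver sshd[5020]: Accepted password for alice from 10.1.2.20 port 40112 ssh2
Mar 14 23:48:10 fileserver sshd[5031]: Failed password for root from 203.0.113.9 port 33001 ssh2
Mar 14 23:48:12 fileserver sshd[5031]: Failed password for root from 203.0.113.9 port 33001 ssh2
Mar 14 23:48:15 fileserver sshd[5031]: Failed password for root from 203.0.113.9 port 33001 ssh2
Mar 14 23:48:19 fileserver sshd[5031]: Failed password for root from 203.0.113.9 port 33001 ssh2
Mar 14 23:49:02 fileserver sshd[5044]: Accepted password for bob from 198.51.100.7 port 40200 ssh2
"""

# What the administrator "familiar with users and their habits" expects:
# permitted hours (inclusive, 24-hour clock) and the hosts each user logs in from.
USER_PROFILES = {
    "alice": {"hours": (7, 19), "hosts": {"10.1.2.20"}},
    "bob":   {"hours": (7, 19), "hosts": {"10.1.2.31"}},
}

FAILED_BURST_THRESHOLD = 3   # failed attempts from one source ...
FAILED_BURST_WINDOW_S = 60   # ... within this many seconds

LINE_RE = re.compile(
    r"^(?P<mon>\w{3}) (?P<day>\s?\d+) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+"
)

def parse_line(line, year=2004):
    """Return a dict for one sshd login record, or None for any other line.
    Syslog omits the year, so it is supplied by the caller."""
    m = LINE_RE.match(line)
    if not m:
        return None
    stamp = f"{year} {m['mon']} {m['day'].strip()} {m['time']}"
    return {"time": datetime.strptime(stamp, "%Y %b %d %H:%M:%S"),
            "result": m["result"], "user": m["user"], "src": m["src"]}

def analyse(log_text, profiles=USER_PROFILES):
    """Return a list of alert strings for the records in log_text."""
    alerts = []
    failures = defaultdict(list)   # source address -> timestamps of failed attempts
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        when = f"{rec['time']:%H:%M:%S}"
        if rec["result"] == "Accepted":
            prof = profiles.get(rec["user"])
            if prof is None:
                alerts.append(f"{when} unknown user {rec['user']} logged in from {rec['src']}")
                continue
            lo, hi = prof["hours"]
            if not lo <= rec["time"].hour <= hi:
                alerts.append(f"{when} {rec['user']} logged in outside expected hours")
            if rec["src"] not in prof["hosts"]:
                alerts.append(f"{when} {rec['user']} logged in from unexpected host {rec['src']}")
        else:
            times = failures[rec["src"]]
            times.append(rec["time"])
            recent = [t for t in times
                      if (rec["time"] - t).total_seconds() <= FAILED_BURST_WINDOW_S]
            if len(recent) == FAILED_BURST_THRESHOLD:   # alert once, when the threshold is reached
                alerts.append(f"{when} {len(recent)} failed logins from {rec['src']} "
                              f"within {FAILED_BURST_WINDOW_S}s")
    return alerts

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print("ALERT:", alert)   # a real script would e-mail or text these
```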
Network-based IDS
Network-based IDS uses traffic on its network segment as a data source.
This is done by placing the network interface card in promiscuous mode to
capture all network traffic that crosses its network segment. Network traffic
on other segments and traffic on other means of communication (like phone
lines) needs to be monitored by other means. Both network-based and host-based ID sensors have pros and cons.
Network-based IDS involves monitoring data packets on the network.
Packets are considered interesting if they match a signature.
Three primary types of signatures are:

string signatures

port signatures

header condition signatures.
Click here to see an animated version of the illustration below (2 KB
2817_f10_flash.htm). Click here to read a text version of the demonstration
(79 KB 2817_f10.doc).
Image: Diagram with the Internet outside the firewall, a NIDS on the other side of the
firewall connected to a switch which connects to the computers in the network.
Network-based IDS has one IDS for the network, which sends out an alarm to hosts
when abnormal packets come through the firewall.
Figure 10: Network-based IDS
String signatures
String signatures look for a text string that indicates a possible attack. An
example string signature for UNIX might be "cat "+ +" > /.rhosts", which - if
successful - might cause a UNIX system to become extremely vulnerable
to network attack. To refine the string signature to reduce the number of
false positives, it may be necessary to use a compound string signature. A
compound string signature for a common web server attack might be "cgi-bin" AND "aglimpse" AND "IFS".
Port signatures
Port signatures watch for connection attempts to well-known, frequently
attacked ports. Examples of these ports include telnet (TCP port 23), FTP
(TCP port 21/20), SUNRPC (TCP/UDP port 111) and IMAP (TCP port
143). If any of these ports aren’t used by the site, then incoming packets to
these ports are considered suspicious.
Header signatures
Header signatures watch for dangerous or illogical combinations in packet
headers. The most famous example is WinNuke, where a packet is destined
for a NetBIOS port and the Urgent pointer or Out Of Band pointer is set.
This results in the ‘blue screen of death’ for Windows systems. Another
well-known header signature is a TCP packet with both the SYN and FIN
flags set, signifying that the requestor wishes to start and stop a connection
at the same time.
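Added example (not from the module): a minimal Python signature matcher that applies the three signature types just described, compound string, port and header condition, to constructed packet records. Packet contents, addresses and the set of ports the site actually uses are assumptions for the example; the two string signatures are the ones quoted in the notes, and the NetBIOS port set used by the header rule is an assumption.

```python
"""Minimal signature-based NIDS matcher (added example, not from the module).

Applies the three signature types from the reading notes - string, port and
header-condition - to decoded packet records. All traffic is constructed.
"""
from dataclasses import dataclass

@dataclass
class Packet:
    """A decoded packet as a sensor would see it after capture (constructed)."""
    src: str
    dst: str
    proto: str                      # "tcp" or "udp"
    dport: int
    flags: frozenset = frozenset()  # TCP flag names, e.g. {"SYN", "FIN", "URG"}
    payload: str = ""

# --- Knowledge base ----------------------------------------------------------
# Compound string signatures: every fragment must appear in the payload.
# Both come from the reading notes.
STRING_SIGNATURES = {
    "rhosts-wildcard-write": ['"+ +"', "/.rhosts"],
    "cgi-aglimpse-IFS": ["cgi-bin", "aglimpse", "IFS"],
}

# Frequently attacked ports from the notes; only ports the site does NOT use count.
WATCHED_PORTS = {20: "FTP-data", 21: "FTP", 23: "telnet", 111: "SUNRPC", 143: "IMAP"}
NETBIOS_PORTS = {137, 138, 139}   # assumption: the NetBIOS ports the WinNuke rule watches

def header_signatures(pkt):
    """Yield names of header-condition signatures the packet matches."""
    if pkt.proto == "tcp" and {"SYN", "FIN"} <= pkt.flags:
        yield "tcp-syn-fin"          # start and stop a connection at the same time
    if pkt.proto == "tcp" and pkt.dport in NETBIOS_PORTS and "URG" in pkt.flags:
        yield "netbios-urgent"       # urgent/out-of-band data aimed at a NetBIOS port

def match(pkt, ports_in_use=frozenset()):
    """Return the signature names the packet matches (empty list = uninteresting)."""
    hits = []
    for name, fragments in STRING_SIGNATURES.items():
        if all(frag in pkt.payload for frag in fragments):
            hits.append(f"string:{name}")
    if pkt.dport in WATCHED_PORTS and pkt.dport not in ports_in_use:
        hits.append(f"port:{WATCHED_PORTS[pkt.dport]}")
    hits.extend(f"header:{name}" for name in header_signatures(pkt))
    return hits

def scan(packets, ports_in_use=frozenset({80, 443})):
    """Return (index, hits) for every packet that matched at least one signature."""
    results = []
    for i, pkt in enumerate(packets):
        hits = match(pkt, ports_in_use)
        if hits:
            results.append((i, hits))
    return results

# Constructed traffic: addresses and payloads are made up for the example.
SAMPLE_TRAFFIC = [
    Packet("10.0.0.5", "10.0.0.80", "tcp", 80, frozenset({"ACK"}), "GET /index.html HTTP/1.0"),
    Packet("203.0.113.9", "10.0.0.80", "tcp", 80, frozenset({"ACK"}),
           "GET /cgi-bin/aglimpse?IFS HTTP/1.0"),
    Packet("203.0.113.9", "10.0.0.80", "tcp", 23, frozenset({"SYN"})),
    Packet("203.0.113.9", "10.0.0.80", "tcp", 23, frozenset({"ACK"}), 'cat "+ +" > /.rhosts'),
    Packet("203.0.113.9", "10.0.0.80", "tcp", 443, frozenset({"SYN", "FIN"})),
    Packet("203.0.113.9", "10.0.0.22", "tcp", 139, frozenset({"ACK", "URG"}), "x"),
]

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_TRAFFIC):
        p = SAMPLE_TRAFFIC[i]
        print(f"ALERT packet {i}: {p.src} -> {p.dst}:{p.dport}  {', '.join(hits)}")
```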
Well-known, network-based intrusion detection systems include AXENT,
Cisco, CyberSafe, ISS and Shadow.
Two types of intrusion detection tools are knowledge-based and behaviour-based intrusion detection.
Knowledge-based intrusion detection
Almost all IDS tools today are knowledge-based.
Knowledge-based intrusion detection techniques apply the knowledge
accumulated about specific attacks and system vulnerabilities. The intrusion
detection system contains information about these vulnerabilities and looks
for attempts to exploit these vulnerabilities. When such an attempt is
detected, an alarm is triggered. Any action that is not explicitly recognised
as an attack is considered acceptable. As such, regular updates of knowledge
about attacks are required.
Advantages of the knowledge-based approaches are that they offer lower
false-alarm rates. Furthermore, the contextual analysis proposed by the IDS
is more detailed and makes it easier for the security officer to take
preventative or corrective action.
Weaknesses lie in the need to keep up-to-date with new vulnerabilities and
environments. The knowledge base requires a time-consuming analysis of
each vulnerability.
Knowledge about attacks is highly specific, dependent on the operating
system, version, platform and application. The resulting intrusion detection
tool is therefore customised for a given environment.
Behaviour-based intrusion detection
Few tools today implement this approach even though the founding paper
by Denning (D Denning, ‘An intrusion-detection model’, IEEE Transactions
on Software Engineering) recognises this as a requirement for IDSs.
Behaviour-based intrusion detection techniques assume that an intrusion
can be detected by observing a deviation from normal or expected behaviour
of the system or the users.
The model for normal or acceptable behaviour is extracted from reference
information collected by various means. The intrusion detection system later
compares this model with the current activity. An alarm is generated when a
deviation is observed. The model may be so exhaustive that numerous false
alarms are also generated.
Advantages of behaviour-based approaches are that they can detect attempts
to exploit new and unforeseen vulnerabilities. They can even discover new
attacks. They are less dependent on operating system-specific environments.
They can also detect 'abuse of privileges' types of attacks that do not
actually involve exploiting any security vulnerability. This paranoid
approach assumes that any new activity is considered potentially dangerous.
The high false-alarm rate makes this approach undesirable. Furthermore,
behaviour can change over time. This introduces the need for periodic
online retraining of the behaviour profile. This can cause the intrusion
detection system to be periodically unavailable.
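Added example (not from the module): a toy behaviour-based detector in the Denning style described above. It learns a per-user profile (mean and standard deviation of a daily activity count) from reference data, raises an alarm on deviations beyond k standard deviations, measures the false-alarm rate that threshold produces on later normal days, and shows why periodic retraining is needed when legitimate behaviour drifts. All activity counts are constructed.

```python
"""Toy behaviour-based IDS (added example, not from the module).

Training: learn mean and standard deviation of a user's daily activity count.
Detection: alarm when an observation deviates by more than k standard deviations.
All counts below are constructed for the example.
"""
from statistics import mean, pstdev

def build_profile(reference_counts):
    """Learn the 'normal' model from reference observations (training phase)."""
    spread = pstdev(reference_counts)
    return {"mean": mean(reference_counts), "stdev": spread if spread > 0 else 1.0}

def deviation(profile, observed):
    """Distance of one observation from the profile, in standard deviations."""
    return abs(observed - profile["mean"]) / profile["stdev"]

def check(profile, observed, k=3.0):
    """True (alarm) when the observation lies more than k standard deviations out."""
    return deviation(profile, observed) > k

def false_alarm_rate(profile, normal_observations, k):
    """Fraction of genuinely normal observations the detector would flag at threshold k."""
    flagged = sum(1 for x in normal_observations if check(profile, x, k))
    return flagged / len(normal_observations)

def retrain(history, window=10):
    """Periodic retraining: rebuild the profile from the most recent observations only.
    This absorbs legitimate drift, but a slow, sustained change by an intruder is
    absorbed too, so the retraining window and its data should be reviewed."""
    return build_profile(history[-window:])

# Constructed data: files accessed per day by one user (hypothetical figures).
REFERENCE = [40, 45, 38, 50, 42, 47, 44, 41, 46, 43]   # training period
NORMAL_LATER = [39, 48, 44, 52, 36, 45, 47, 43]        # later days, still normal
DRIFT = [80, 85, 78, 90, 82, 88, 79, 84, 86, 81]       # role change: workload doubles
SUSPECT = 900                                          # sudden bulk access on one day

if __name__ == "__main__":
    profile = build_profile(REFERENCE)
    print(f"profile: mean={profile['mean']:.1f} stdev={profile['stdev']:.2f}")
    print("bulk access of", SUSPECT, "flagged:", check(profile, SUSPECT))
    for k in (1.0, 2.0, 3.0):
        rate = false_alarm_rate(profile, NORMAL_LATER, k)
        print(f"k={k}: false-alarm rate on normal days = {rate:.2f}")
    # Behaviour changes over time: the old profile now flags ordinary days...
    print("day at 85 with old profile flagged:", check(profile, 85))
    # ...until the profile is retrained on recent behaviour.
    refreshed = retrain(REFERENCE + NORMAL_LATER + DRIFT)
    print("day at 85 after retraining flagged:", check(refreshed, 85))
```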
You can read more about host-based IDS vs network-based IDS at
http://www.windowsecurity.com/articles/Hids_vs_Nids_Part1.html
Secure electronic communication
infrastructure (SECI)
Understanding SECI can be daunting since our use of electronic
communication is growing exponentially. A good way to understand SECI
is to review a sample Email Policy. We will focus on one highly important
aspect of SECI, that is, emails in the corporate world. Review the 4phones
email policy.
Secure electronic communication protects the integrity of information and
maintains the privacy of end users.
To ensure the security of communication such as e-mail and Instant
Messaging (IM), organisations must have an electronic messaging
infrastructure with extensive security and privacy features. They are:

User authentication: Ensures that users are who they say they are.
This is fundamental to secure communication using e-mail or IM.

Message and session encryption: Encryption is used to maintain
privacy of e-mails and IMs, as well as private information and
sensitive data that is associated with users.

Virus and spam protection: Since e-mails and IMs are notoriously
vulnerable to the effects of viruses and spam, the electronic
messaging infrastructure must include robust protection against these
intrusions.

E-mail and IM archiving: Many governmental regulations require
organisations to store and provide access to electronic records. As
such, organisational policies must address the retention of electronic
communication for compliance. Integrity of the communication data
must be protected whilst maintaining the privacy of the
communicator.

Privacy options: Privacy of communication has become an
important requirement for messaging over public networks. Users
want to be able to control who can see their online status for
subsequent communication.

Secure access: Identity management infrastructure is used to secure
electronic communication. Identity-based access policy, centralised
user management, and single sign-on (SSO) across messaging are
used to provide secure access. Virtual Private Network (VPN) on
demand may be used to provide convenient access without
compromising security.
Listed below is a link that provides more information about secure
electronic communication:
http://www.sun.com/software/products/communications/wp_secure_electronic_comm.pdf
Virtual private network (VPN)
VPN (Virtual private network) represents an IP connection between two
sites over a public IP network such as the Internet. Virtual networks imply
that the data paths between the source and destination are shared by other
transmissions. You can read more about VPN at this website:
http://computer.howstuffworks.com/vpn.htm
One way to better understand VPNs is to see how telephones work. When
you telephone a friend, your private conversation is actually transmitted
over a public telephone network. VPNs are similar except that computers
use the Internet to make the private connections.
An advantage of VPN is that companies do not have to pay for dedicated
private lines of communication. In this reading you will see how
communicating over public lines can still be kept secure.
VPN tunnels
A VPN maintains privacy by using tunnels. A VPN tunnel establishes an
end-to-end connection and encapsulates the data with new packet headers to
be delivered to the specified destination. The connection is considered
private because network traffic can only enter the tunnel at an endpoint.
This restriction is maintained by adhering to specific user groups. A site-to-site intranet VPN (say between Microsoft-Australia and Microsoft-USA), an
extranet VPN (say between BHP Australia and Toyota Australia) and a
remote-access VPN can be established by creating tunnels between each
site’s access point and service provider and then between the service
providers.
VPN tunnels are not concerned with making the transmissions secure.
Rather, confidentiality is maintained by data encryption. Some protocols
that implement encryption techniques are point-to-point tunnelling protocol,
layer 2 forwarding, layer 2 tunnelling protocol and IP security.
Image: Diagram showing unsecured data going through a VPN gateway, on the left
and on the right, where it is encrypted and transferred as secured data
Figure 11: VPN tunnels
Point-to-point tunnelling protocol (PPTP)
This was developed by Internet Engineering Task Force (IETF), Microsoft,
and US Robotics (now part of 3COM).
It uses Microsoft’s proprietary point-to-point encryption algorithm to
provide encryption and authentication for remote dialup and LAN-to-LAN
connections.
For dialup users, PPTP is either provided directly by the client or indirectly
by the ISP. A control session establishes and maintains a secure tunnel from
sender to receiver and a data session provides data transmission.
In LAN-to-LAN applications, a tunnel is established between servers.
PPTP supports several protocols such as IP, IPX, NetBEUI and NetBIOS.
Layer 2 forwarding (L2F)
L2F is a Cisco proprietary protocol and provides tunnelling between the ISP
dialup server and the public network.
Once a user establishes a dialup point-to-point protocol (PPP) connection to
the ISP’s server, this server wraps PPP frames inside an L2F frame and
forwards to a layer-3 device (a router) for network transmission. The router
is responsible for providing user authentication and network addressing.
L2F does not provide any data encryption, and its user authentication is
weak. It relies on participating routers for these functions.
Layer 2 tunnelling protocol (L2TP)
L2TP basically defines a method for tunnelling layer-two circuits across a
packet network (IP). It is common for PPP to use L2TP for tunnelling. L2TP
typically depends on IPSec for encryption. You can read more about this at
http://rfc.net/rfc3931.html. See the next point as well.
IP security (IPSec)
IPSec is a suite of protocols developed by IETF. IPSec operates at layer 3 of
the OSI model and is the most popular encryption technique in use. You can
read more about this at http://rfc.net/rfc4301.html.
Among the previously mentioned protocols, only IPSec creates encrypted
tunnels. As such, the VPN Consortium supports only IPSec, PPTP with RC4
encryption and L2TP under IPSec as acceptable VPN security strategies.
The suite includes Authentication Header (AH), Encapsulating Security
Payload (ESP), and Internet Key Exchange (IKE). The AH protocol
provides address authentication and protection against replays. AH relies on
ESP to provide data encryption. IKE provides automated key exchanges
between sender and receiver nodes.
For more information on IPSec visit the following websites:
http://technet2.microsoft.com/WindowsServer/en/Library/fa2c6e21-a6934a7c-bc0f-c171477928de1033.mspx?mfr=true (Microsoft Technet - IPSec
technical reference)
http://rfc.net/rfc4301.html (IPSec)
http://rfc.net/rfc4302.html (Authentication Header (AH))
http://rfc.net/rfc4303.html (Encapsulating Security Payload (ESP))
http://rfc.net/rfc4306.html (Internet Key Exchange (IKE))
VPN costs
A VPN strategy can offer companies considerable savings when compared
to competing technologies that cost between 30 to 70 per cent more. Site
savings can be as much as 70 per cent when compared to private-line
solutions. A VPN strategy also provides the best worldwide access.
Typical VPN configurations
Based on need and financial resources, there are numerous possibilities.
Some of the more popular VPN configurations are:

router-to-router VPN-on-demand tunnel connections between
sites; as the name suggests, routers provide VPN services. Between
two VPN-capable routers, an encrypted link is established for all
traffic. Also called an encrypted tunnel facility, a tunnel is created
when the user connects and the tunnel remains available until the
user disconnects. Highly vendor-specific, routers at both ends must
be VPN compatible to provide services such as key exchange and
cryptographic support.

router-to-router VPN-on-demand multiprotocol tunnel
connections between sites over an IP network; this is similar to
the previous example except that routed protocols other than IP are
supported, such as IPX or AppleTalk. With the dominance of the IP
protocol, it is expected that this configuration may not be popular
soon.

router-to-router VPN-on-demand encrypted session connections
between sites; in this case, routers are not expected to be VPN
compatible. Therefore, each session is encrypted and match paired
on the periphery of the public network. While this is simpler to
manage session-wise than a tunnel, greater overhead may be
required for highly connected applications between the peripheral
sites.

firewall-to-firewall VPN-on-demand tunnel connections between
sites; this is where firewalls are configured to set the VPN rules,
instead of routers whilst offering more features. This includes traffic
management, auditing, authentication, data encryption and so on.
IPSec can provide these features; however, it is important to note
that some vendors offering IPSec do not interoperate with other
vendors and may only support their own firewall configurations.

firewall-to-firewall VPN-on-demand multiprotocol connections
between sites over an IP network; this is similar to the router
approach, but the firewall must be capable of handling multiple-protocol filtering and security.

client-to-firewall IP tunnel VPN facilities; this is where a client
system, such as a laptop, is installed with VPN tunnel manager and
encryptor software package. The firewall on the server end
implements a proxy facility to provide access to the client system.
When connected, the client system will negotiate a VPN tunnel
using the VPN client software. An example is the V-One
implementation called SmartGate, which implements a proxy on the
firewall side and either a soft-token or hard-token software package
on the client side to connect.

client-to-server IP tunnel VPN facilities; companies like Microsoft
are implementing a VPN tunnelling facility to allow client software
to connect a VPN tunnel to a local or a remote server. This method
uses PPTP and IP.

client and server firewall implementation with full VPN
capabilities; this method is probably the most complex to implement
but is also the most secure. Full firewall facilities are implemented
on every system on the network. An example is the client and server
versions of Network-1 Security Solutions’ FireWall/Plus.

dedicated VPN box; these are dedicated systems that can connect
whether in front or behind a router to implement VPN features
between a company and a public network like the Internet. They are
simpler to implement and typically provide higher performance than
software-based solutions. This solution is best suited for site-to-site
access.
Determine hardware and software
needs
Securing a network relies on people, process and information technology.
The organisation’s security plan will have outlined the weakest points on the
network. It is now important to identify technologies that can harden those
weakest points. Unfortunately, most organisations do not have enough funds
to implement all capital works projects, so it is vital that you select the
technology that will mitigate the highest risks. This is done by referring to
the security plan and identifying the risks with a high probability and a
severe impact. Research what technologies are available to mitigate the
risks. When reviewing technologies, remember to build multiple layers of
security as this will make it much harder to compromise and will afford the
most protection.
Hardware and software needs
Click here to see an animated version of the illustration below (2 KB
2817_f12_flash.htm). Click here to read a text version of the demonstration
(79 KB 2817_f12.doc).
Image: Diagram showing multiple hardware devices such as servers, routers and
hosts protected by firewalls.
Figure 12: Multiple hardware devices
Multiple hardware and software devices will need to be installed and
configured to safeguard your network. One of the most common hardware
and software devices is a firewall. An individual firewall will not guarantee
a secure network – the firewall will need to work in conjunction with other
devices to provide a secure environment. Many factors will influence how
well the device provides a secure environment, including

placement – a poorly placed device is virtually useless in stopping
security threats

configuration – poor configuration or no configuration will render
the device virtually useless

patch management – software vulnerabilities are discovered daily;
therefore, a device is only as effective as the last software update.
Some of the hardware, software and services that an organisation needs to
secure the network are

proxy servers

NAT

certificate authorities

VPN server

encryption services

firewall

routers

switch

virus server

workstation

IDS

software update server.
An organisation will purchase hardware and software based on their
business needs. In other words, they do not begin by deciding which
operating system to use and then proceed to purchase related equipment.
They determine what the opportunity or need is, then use technology, people
and processes to achieve better productivity.
A large organisation may decide on an accounting application system first.
This application system will then mandate which hardware platform it must
operate on. The hardware platform may then mandate which operating
system is required.
Servers:

Intel/AMD-based hardware, typically for MS-Windows or UNIX
and Apple Macintosh

RISC-based hardware, typically for UNIX

IBM or Motorola-based hardware, typically for Apple systems

Mainframe hardware, typically sourced from IBM.
Workstations:

Intel/AMD-based hardware, RISC-based hardware, data terminal
hardware
Networking devices:

routers, switches, firewalls, gateways, concentrators
Software:

operating system software: MS Windows, UNIX, Linux, Novell
Netware, Apple OSX, IBM OS/400, Sun Solaris, etc.

application software: high number of choices to support business
operations

database software: Oracle, PeopleSoft, JD Edwards, MS-SQL, MySQL, Informix, etc.

networking software: Cisco IOS, also provided by operating systems
Biometrics
In biometrics, the physical characteristics of a person are used to identify
authorised personnel. This includes the use of any or a combination of the
outline of a hand, scanned fingerprint, scanned retina and facial photos.
Organisations that use biometric devices in their security plan will have
additional hardware and software requirements for these specialised devices.
Once hardware and software needs have been identified, action plans and
target dates are developed. Action plans with their target dates are then
compiled into the Security Plan. In some instances, changing circumstances
might prevent the successful completion of an action as specified in the
Security Plan. Should this happen, hardware and software needs may need
to be re-assessed and the Security Plan updated.
Prepare cost-benefit analysis
It should not be surprising that - like all business projects - the cost to
implement security must be weighed against the benefits.
Following the identification of security risks, the organisation must take
appropriate actions to minimise those risks. Though selecting and
implementing appropriate security controls in a live production environment
can be a daunting task, security is one area that must not be ignored,
especially for organisations that use the Internet as part of their business
operations. In today’s world, it is difficult to imagine any organisation that
does not depend on the Internet. Due to the technical complexities of
security, an organisation’s security effort can easily turn into a spending
spree.
The cost-benefit analysis for security investment reaches far beyond
whether an organisation should invest in security or not. Security
compliance boosts confidence and attracts investors to buy a company’s shares.
Security compliance can also encourage customer spending on the
organisation’s products or services. Internet-based revenue-generating
companies can benefit from security compliance.
The first step in performing a cost benefit analysis is to estimate

the costs of the solution

the benefits or savings that the solution will provide to the company.
Estimating costs
The costs of the solution can be broken down into two main divisions:

development costs

operating costs.
Development costs include all of the costs associated with developing the
security system and, for that reason, occur once only. These are
sometimes called one-off costs.
Operating costs include all of the costs involved in running the system on
an ongoing basis, and are often referred to as recurring costs or life cycle
costs, since they occur throughout the life of the system. They are usually
defined on an annual basis.
For an IT solution, to estimate the development costs of the new system you
must include

the costs associated with obtaining the additional equipment that is
needed

the costs of developing or purchasing any necessary software.
Development costs
These include all of the costs of developing and implementing the new
solution and - for an IT solution - can be broken down into capital costs,
software development costs and conversion costs.
Capital costs are the costs of purchasing the necessary equipment to
implement the new system and will include

computer hardware

computer software

office equipment.
Once you have determined what equipment is needed, these capital costs
can be estimated by contacting potential suppliers.
Software development costs are the costs associated with developing the
new system and include things like

computer charges, e.g. costs of running the computer to develop the
system

personnel charges, e.g. salaries of staff employed just for this project

training of computer personnel to use any new software development
tools

office supplies, e.g. stationery

work lost due to disruption, e.g. time spent by the users in
interviews, etc.

communication charges, e.g. telephone costs

travel, e.g. costs of staff travelling to JAD sessions

contingency costs—an allowance added to the estimate to cover any
unexpected costs that may arise.
Conversion costs are the costs associated with converting the existing
system to the new system and may include

training of the employees to understand and use the new system

parallel running – if the old system is going to continue to operate at
the same time as the new system for a period to ensure that there are
no problems in the changeover, then there will be extra costs
associated with running two systems to achieve the same outcome.
Development costs may be difficult to determine. It is not easy to anticipate
what problems may occur during the development that could affect the cost.
Operating costs
Operating costs are the costs of running the new system and are usually
calculated for a one year period. These annual operating costs may be either

fixed costs or

variable costs.
Fixed costs are things like

administrative costs

salaries for the permanent staff

hardware and software maintenance

licensing and leasing fees, for hardware and software.
Variable costs are those that may vary each year, such as

depreciation of hardware – there are depreciation scales set by the
tax department which allow different percentages of deductions for
depreciation each year for several years.

supplies – the volume of supplies you use each year will vary
depending on the volume of business that the company does.

wages for temporary staff – if you need to employ temporary staff,
the number of these staff and the time periods that you employ them
for may vary each year depending on the workload on your
permanent staff.
Intangible benefits
Intangible benefits are those that cannot be measured or cannot have a
dollar value put on them but are nevertheless important to the success of the
business, such as

goodwill

increased customer satisfaction

public image

improved employee morale

improved environmental conditions.
Estimate the costs of doing nothing
Keep in mind that in some circumstances there may be costs associated with
doing nothing and you should take these into account where they occur.
Do the costs outweigh the benefits?
Now that you have identified and estimated all of the costs and benefits of
the security solutions, you will be able to work out if the benefits will
outweigh the costs of implementation. If they do not, then it is highly
unlikely that you will be given the go-ahead to continue with this solution.
When you start to examine the costs and benefits, you will see that the costs
are incurred during the period of development, whereas the benefits occur
over the following, say, one or five years.
Finalise security framework
components
We are now in a position to finalise security framework components, having
done the following:

determined the level and nature of security required for the
organisation based on current and future needs

identified and documented various types of security threats

prepared a security plan

reviewed firewall features

identified security perimeters within client/server systems

evaluated IDS methods

investigated a framework for SECI

investigated the use of VPNs

determined hardware and software needs

reviewed a cost-benefit analysis.
Our final step will be to develop related policies and procedures.
When finalising the security framework components, it is important to
ensure that all possible areas are covered. From an organisational point of
view, security is not limited just to information technology but to all other
areas as well. As such, it is imperative to get as many of the staff involved
as possible.
Traditionally, security framework components are circulated as hard-copies,
whether as a whole document or in parts. As you can imagine, it may be a
long and daunting document to read as a whole. Specific parts may be sent
off to each department to be reviewed and signed off. Nowadays, an e-mail
with the document attached tends to be more popular.
Third-party security consultants may be employed to review and
recommend additional components that may have been missed.
Here is an example:
Through a collaborative effort, a bank has developed security framework
components and had all department heads sign off on the document. A
third-party security review has discovered that - in the event of a power
failure - the security screen in front of the tellers will not operate. It was
therefore recommended that an independent power source be made
available.
Note: due to constantly changing business environments, security
frameworks should be regularly reviewed and updated.
The Chief Executive Officer (CEO) or a Security Committee may sign off
on the latest version of the document.
Develop related policies and procedures
There are a number of security issues that a security policy should address, including
• acceptable use
• information protection
• user accounts
• remote access
• network connection
• firewall management.
You can develop individual policies or include all of the above within the
one security policy.
The following steps are involved in developing a security policy:
Create a policy development team
A policy development team should consist of
• IT security specialist(s)
• management representatives
• end users.
Management will be at the forefront to ensure compliance with the security
policy. However, it is critical to involve users. End users often complain that
they do not have access to the services they require to do their jobs and/or
that the organisation is monitoring their every move. So their understanding
of security issues and their input to the process is crucial for its success.
Determine specific details of each policy
What employees can and cannot do on the network should be determined in detail for the following:
• internal systems
• Internet use
• email use.
It is also important to determine how compliance will be monitored and the penalties for non-compliance.
Write the policy
Once the policy team have agreed on the details of the policy, it needs to be
written. Generally, the IT security specialist(s) will write the policy.
For an example of a security policy, have a look at the 4phones Security
Policy.
Review the policy
The first draft of the security policy will be reviewed by the policy team.
Once the final draft is complete, the policy will need to be signed off by the
IT Manager and other designated managers before it can be implemented.
Implement the policy
Any changes required to IT software and/or systems need to be made to
reflect policy changes. Every member of staff within the organisation must
be advised of the existence of the security policy and must read it. They
must also be advised of their responsibilities and the penalties should they
not comply with the security policy.
Making changes
Security policies should be changed whenever there is a change in the
security measures adopted by the organisation. Changes to the security
measures used by an organisation will generally be made in response to a
newly-identified threat.
The same steps listed above should be followed to update existing security
policies.
The disaster recovery plan
If network security is breached and a disaster occurs, you need to have
documented strategies to address the immediate threat to the network. These
strategies should be part of the disaster recovery plan.
Think for a moment: what would be the main disaster recovery strategies for
an organisation’s network security?
Strategies may include the following:
• virus-checking software should always be used to eradicate viruses
• audit trails and logs should be used to trace the source of security breaches
• the damage to the network should be identified - i.e. files that have been stolen, corrupted or accessed - and then appropriate action taken to minimise the loss or leaking of confidential information
• where there has been external unauthorised access to the network, the firewall should be audited to determine how the network was accessed, and appropriate action should be taken to 'plug' the security gap in the network
• where the email security policy has been breached, the individual’s email should be audited and stored for future reference
• where the Internet security policy has been breached, the individual’s Internet logs should be audited and stored for future reference
• where there has been unauthorised access to an application and fraud or sabotage has occurred, the application code should be audited to determine how security was breached, and immediate action should be taken to alter the application code
• where unauthorised access has been internal to the organisation, logon and logoff audit reports, including historical audit reports, should be examined to determine the extent of the unauthorised access. How the staff member was able to obtain access to the network or application should be determined and rectified immediately.
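Two of the strategies above rely on audit trails: tracing the source of a breach from logs, and examining logon and logoff reports after internal unauthorised access. The script below, an added example for these notes rather than anything from the original course or a real product, shows what that examination looks like in practice. It parses a constructed logon/logoff audit log (the line format, user names, hosts and times are all made up) and flags three things a reviewer would look for: logons outside business hours, bursts of failed logons against one account, and a user holding sessions on two hosts at once; it also lists the sessions still open at the end of the log.

```python
"""Review a logon/logoff audit trail for signs of unauthorised internal access.

Added example for these notes. The log format, accounts, hosts and timestamps
below are constructed for illustration."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed audit log: one event per line, as a simple system might export it.
SAMPLE_LOG = """\
2004-05-03 08:55:12 LOGON user=jsmith host=WS-014 result=SUCCESS
2004-05-03 17:02:40 LOGOFF user=jsmith host=WS-014 result=SUCCESS
2004-05-03 23:41:05 LOGON user=tlee host=WS-022 result=SUCCESS
2004-05-04 01:12:19 LOGOFF user=tlee host=WS-022 result=SUCCESS
2004-05-04 09:10:01 LOGON user=admin host=WS-007 result=FAILURE
2004-05-04 09:10:09 LOGON user=admin host=WS-007 result=FAILURE
2004-05-04 09:10:15 LOGON user=admin host=WS-007 result=FAILURE
2004-05-04 09:10:22 LOGON user=admin host=WS-007 result=SUCCESS
2004-05-04 09:30:00 LOGON user=jsmith host=WS-014 result=SUCCESS
2004-05-04 09:45:00 LOGON user=jsmith host=WS-031 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (?P<event>LOGON|LOGOFF) "
    r"user=(?P<user>\S+) host=(?P<host>\S+) result=(?P<result>\S+)$"
)


def parse_audit_log(text):
    """Turn the raw log into a list of event dicts, oldest first.

    Malformed lines are skipped rather than aborting the review, so a single
    damaged record does not hide the rest of the trail."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue
        event = match.groupdict()
        event["ts"] = datetime.strptime(event["ts"], "%Y-%m-%d %H:%M:%S")
        events.append(event)
    return sorted(events, key=lambda e: e["ts"])


def analyse(events, business_hours=(7, 19), fail_threshold=3, fail_window=timedelta(minutes=5)):
    """Return (findings, open_sessions).

    findings: (kind, user, host, timestamp) tuples in log order.
    open_sessions: (user, host, logon_time) for sessions never logged off."""
    findings = []
    recent_failures = defaultdict(list)      # user -> timestamps of recent failed logons
    open_sessions = defaultdict(dict)        # user -> {host: logon timestamp}
    for e in events:
        user, host, ts = e["user"], e["host"], e["ts"]
        if e["event"] == "LOGOFF":
            open_sessions[user].pop(host, None)
            continue
        if e["result"] != "SUCCESS":
            # Keep only failures inside the window, then check the burst threshold.
            window = [t for t in recent_failures[user] if ts - t <= fail_window] + [ts]
            recent_failures[user] = window
            if len(window) >= fail_threshold:
                findings.append(("failed_logon_burst", user, host, ts))
                recent_failures[user] = []   # report each burst once
            continue
        # Successful logon: outside business hours is worth a second look.
        if not (business_hours[0] <= ts.hour < business_hours[1]):
            findings.append(("after_hours_logon", user, host, ts))
        # Already logged on elsewhere and now appearing on another host.
        if open_sessions[user] and host not in open_sessions[user]:
            findings.append(("concurrent_hosts", user, host, ts))
        open_sessions[user][host] = ts
    still_open = [(u, h, t) for u, hosts in open_sessions.items() for h, t in hosts.items()]
    return findings, still_open


if __name__ == "__main__":
    found, sessions = analyse(parse_audit_log(SAMPLE_LOG))
    for kind, user, host, ts in found:
        print(f"{ts}  {kind:<20} {user}@{host}")
    for user, host, ts in sessions:
        print(f"still open: {user}@{host} since {ts}")
```

On the constructed log this reports tlee's late-night logon, the three failed attempts on the admin account, and jsmith appearing on WS-031 while still logged on to WS-014; the thresholds and business hours are parameters, so they can be set to match the organisation's own policy rather than the values assumed here.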
Activity 3
To practise developing a security plan complete Activity 3 – Security plan
development, located in the Activities section of the Topic menu.
Activities
Activity 1 – Packet sniffing
In this activity, you will download two programs to help you sniff your
network. You will need a computer running MS-Windows XP Professional
or MS-Windows 2000 Professional with administrative rights to install
programs.
Step 1
Get WinPcap 3.1:
• Go to http://www.winpcap.org/install/default.htm and click on the link to WinPcap auto-installer (driver + DLLs)
• Install the program
Step 2
Get Wireshark 0.10.14:
Go to http://www.wireshark.org/download.html and install the program.
Launch Wireshark:
• click on the Capture menu option
• click on the Options drop-down menu
• select the network interface on which to capture data packets
• in the Stop Capture section, tick and select …after 1 minute/s
• click on Start
• generate some traffic by doing the following:
  o open your browser and go to http://www.microsoft.com/
• after 1 minute, Wireshark (formerly Ethereal) will report the captured data packets
• Top section:
  o examine the Source and Destination IP addresses
  o examine the protocol used
  o examine the Info column to view activities
• Middle section:
  o select one line in the top section
  o expand the lines in this section
• Bottom section:
  o select one line in the middle section
  o view the packet details, shown as hexadecimal numbers.
• Repeat this activity using:
  o longer capture time periods
  o more meaningful traffic-generating actions, such as those in Step 3.
Step 3
• Download a small file from http://www.tucows.com/
• Visit a website known for setting cookies, such as http://www.mp3.com/
• perform a Ping test in your DOS window:
  ping www.cisco.com
• perform a Trace Route test in your DOS window:
  tracert www.google.com
• log in to your Internet-based website account
• Can you identify your logon username?
• Though encrypted, can you identify the password portion in the data packet?
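To make the three Wireshark panes less mysterious, here is an added example (written for these notes, not part of the activity or of Wireshark itself) that builds a single Ethernet/IPv4/TCP frame in code and decodes it the way the top pane (Source, Destination, Protocol, Info) and the bottom pane (hexadecimal dump) present it. The frame, its MAC and IP addresses and the HTTP request inside it are all constructed; the header layouts are the standard IPv4 and TCP ones. It also shows the defender's lesson behind the last two questions: a request line sent in the clear is readable straight out of the payload, which is why logons should only travel over encrypted protocols.

```python
"""Decode an Ethernet/IPv4/TCP frame into the kind of summary Wireshark shows.

Added example for these notes; the frame is constructed in code, not captured."""
import ipaddress
import struct

IP_PROTOCOLS = {1: "ICMP", 6: "TCP", 17: "UDP"}
TCP_FLAG_NAMES = (("FIN", 0x01), ("SYN", 0x02), ("RST", 0x04),
                  ("PSH", 0x08), ("ACK", 0x10), ("URG", 0x20))


def build_sample_frame():
    """Constructed frame: a workstation sending a plain HTTP request to a web server."""
    payload = b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\n\r\n"
    # TCP: src port, dst port, seq, ack, data offset (5 words << 4), flags PSH+ACK,
    # window, checksum (left zero here), urgent pointer
    tcp = struct.pack("!HHIIBBHHH", 49152, 80, 1000, 1, 5 << 4, 0x18, 65535, 0, 0)
    # IPv4: version/IHL, TOS, total length, id, flags/fragment (DF), TTL,
    # protocol 6 = TCP, checksum (left zero here), src, dst (constructed addresses)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(tcp) + len(payload), 1, 0x4000, 64, 6, 0,
                     ipaddress.IPv4Address("192.168.1.10").packed,
                     ipaddress.IPv4Address("203.0.113.5").packed)
    # Ethernet: destination MAC, source MAC, EtherType 0x0800 = IPv4 (constructed MACs)
    eth = bytes.fromhex("001122334455") + bytes.fromhex("66778899aabb") + b"\x08\x00"
    return eth + ip + tcp + payload


def parse_frame(frame):
    """Return a dict like one row of Wireshark's top pane: Source, Destination, Protocol, Info."""
    if len(frame) < 14:
        raise ValueError("frame shorter than an Ethernet header")
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != 0x0800:
        name = "ARP" if ethertype == 0x0806 else f"EtherType 0x{ethertype:04x}"
        return {"src": None, "dst": None, "protocol": name, "info": "not IPv4"}
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                     # header length in bytes (> 20 if options present)
    total_len = struct.unpack("!H", ip[2:4])[0]
    proto = ip[9]
    summary = {"src": str(ipaddress.IPv4Address(ip[12:16])),
               "dst": str(ipaddress.IPv4Address(ip[16:20])),
               "protocol": IP_PROTOCOLS.get(proto, f"IP proto {proto}"),
               "info": ""}
    if proto != 6:
        return summary
    tcp = ip[ihl:total_len]
    sport, dport = struct.unpack("!HH", tcp[:4])
    data_offset = (tcp[12] >> 4) * 4
    flags = [name for name, bit in TCP_FLAG_NAMES if tcp[13] & bit]
    payload = tcp[data_offset:]
    summary.update({"src_port": sport, "dst_port": dport, "flags": flags,
                    "info": f"{sport} -> {dport} [{', '.join(flags)}]"})
    # An unencrypted HTTP request line is readable straight out of the payload;
    # this is what makes a cleartext logon visible to anyone sniffing the wire.
    first_line = payload.split(b"\r\n", 1)[0]
    if first_line[:4] in (b"GET ", b"POST", b"HEAD"):
        summary["protocol"] = "HTTP"
        summary["info"] = first_line.decode("ascii", "replace")
    return summary


def hex_dump(data, width=16):
    """Lines in the style of Wireshark's bottom pane: offset, hex bytes, printable ASCII."""
    lines = []
    for offset in range(0, len(data), width):
        chunk = data[offset:offset + width]
        hex_part = " ".join(f"{b:02x}" for b in chunk)
        ascii_part = "".join(chr(b) if 32 <= b < 127 else "." for b in chunk)
        lines.append(f"{offset:04x}  {hex_part:<{width * 3 - 1}}  {ascii_part}")
    return lines


if __name__ == "__main__":
    frame = build_sample_frame()
    print(parse_frame(frame))
    print("\n".join(hex_dump(frame)))
```

The checksums are left at zero because nothing transmits this frame; a real capture would show computed values there, and Wireshark's middle pane is simply the same header fields laid out one per line.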
Activity 2 – Identify IT assets and
document threats
For this activity, you will need access to a LAN/WAN diagram from your organisation, or you can review the CME network diagram (739 KB, 2817_activity2.pdf), or a network diagram will be provided by your teacher.
The three major network areas are the
• core layer
• distribution layer
• access layer.
Document the possible threats and list the attack methods.
Feedback
The four classes of security threats are
• unstructured threats – typically from inexperienced individuals using hacking tools that are freely available on the Internet
• structured threats – typically from highly competent individuals or groups who can develop and use sophisticated hacking tools to penetrate systems, usually for fraud or theft
• external threats – individuals, external to the organisation, using the Internet or dialup to access system resources
• internal threats – individuals internal to the organisation causing damage.
Attack methods include
• reconnaissance
• access
• denial of service.
Activity 3 – Security plan development
In this activity, you will develop a security plan. Review the section in the
Reading notes on Prepare Security Plan to develop your own. Use materials
and documentation available within your organisation.
You may modify the sample security plan to suit your organisation.
References
Print
Gallo MA and Hancock WM Networking Explained (2nd ed), Digital Press.
Fundamentals of Network Security, Cisco Press.
Northcutt S and Novak J Network Intrusion Detection: An analyst’s
handbook (2nd ed), New Riders Publishing.
Cole E, Krutz R and Conley JW Network Security Bible, Wiley Publishing.
ISBN: 0-7645-7397-7
Morrison M and Morrison J Database-Driven Web Sites (2nd ed), Course
Technology.
Andrews J i-Net+ Guide to the Internet (2nd ed), Course Technology.
Flynn N E-Policy Best Practices, St Bernard Software, The ePolicy Institute
Gordan ME The Joy of SOX, Cybertrust, Regulatory Affairs
Internet
DoS attacks:
http://www.dcita.gov.au/__data/assets/pdf_file/41314/DoS_CIO_Executive_Summary.pdf
Developing security plan:
http://csrc.nist.gov/publications/nistpubs/800-18-Rev1/sp800-18-Rev1final.pdf
Topic quiz
This quiz will help you review the content you have learned in this topic.
Answer the questions, check the feedback at the end of each question and
take note of the areas you need to review.
1. Which of the following is NOT a security attack method?
man-in-the-middle
access control
trust exploitation
session replay
Feedback
Correct! Access control is NOT a security attack method.
Incorrect. Go to the Reading notes and review the section on Identify
security threats.
2. A protocol analyser is used to do what?
rearrange the sequence numbers
determine the layers of the OSI model
determine the contents of a packet
analyse the switch operating system
Feedback
Correct! A protocol analyser is used to determine the contents of a packet.
Incorrect. Go to the Reading notes and review the section on Security attack
methods.
3. A network-based denial-of-service attack can best be achieved by which of the
following?
SYN flood
power outage
access violation
social engineering
Feedback
Correct! A network-based denial-of-service attack can best be achieved by
SYN flood.
Incorrect. Go to the Reading notes and review the section on Security attack
methods.
4. Which VPN protocol creates encrypted tunnels?
IPSec
PPTP
L2FTP
L2TP
Feedback
Correct! IPSec protocol creates encrypted tunnels.
Incorrect. Go to the Reading notes and review the section on Virtual Private
Network tunnels.
5. Payload typically refers to
source address
destination address
data
none of the above
Feedback
Correct! Payload typically refers to data.
Incorrect. Go to the Reading notes and review the section on Identify
security threats.
6. CPU hogging is most often caused by
Trojan horses
email bombs
host-based IDS
network-based IDS
Feedback
Correct! CPU hogging is most often caused by Trojan horses.
Incorrect. Go to the Reading notes and review the section on Security attack
methods.
7. Which security level is required for high-probability and medium-impact risk?
high
medium
low
none of the above
Feedback
Correct! A high security level is required for a high-probability and medium-impact risk.
Incorrect. Go to the Reading notes and review the section on Determine
hardware and software needs.