Network Security: The Basics
New to network security? Before you get lost in the bits and bytes, Stephen Northcutt of SANS provides a look at the essential concepts.
By Stephen Northcutt
April 29, 2008 — CSO — There are exactly two keys to information security or information assurance: first, configure the system and network correctly and keep them that way. Because this is impossible to do perfectly, the second key to information assurance is to know the traffic coming into and out of your network. That way, if something terrible is happening, you can detect it. Therefore, all the tasks that have to be done in network security break down into three phases or classes:
- Protection, where we configure our systems and networks as correctly as possible
- Detection, where we identify that the configuration has changed or that some network traffic indicates a problem
- Reaction, where, having identified the problem quickly, we respond to it and return to a safe state as rapidly as possible
Defense in Depth
Because we cannot achieve perfect security we have to accept a certain level of risk. Risk is defined as the probability that a threat will cross a vulnerability. Risk is hard to calculate, but we get a rough idea by considering our attack surface: the exposure, and the reachable and exploitable vulnerabilities that we have. A vulnerability scanner or penetration test helps us measure or define our attack surface. One thing we do to lower our risk and improve our odds of survival is to use multiple defenses. There are five basic architectures for developing defense in depth.
- The uniform method of protection for defense-in-depth generally involves a firewall separating the internal trusted zone from the Internet; most implementations also have anti-virus on the mail store-and-forward servers and on the desktops. It generally means that all internal hosts receive the same level of protection from attack by the computer network infrastructure. It is the most commonly and easily implemented architecture, and the least effective in terms of achieving a high degree of information assurance unless all of the information assets held in IT are of equal importance to the organization.
- Protected enclaves simply means subdividing the internal network so that it is not one large zone without internal protections. This can be done with firewalls, VPNs, VLANs and Network Access Control.
- Information Centric. Adm. Grace Hopper, a famous early researcher in computing, said, "Some day, on the corporate balance sheet, there will be an entry which reads, 'Information'; for in most cases, the information is more valuable than the hardware which processes it." It is critical to understand, and to be able to help others understand, the value of information. In addition to richly valuable information such as intellectual property (patents, trademarks, copyrights, know-how, data schema), there is also data including the increasingly important business record. To build an information centric defense-in-depth architecture, we must locate our critical and valuable information and ensure the proper protections are in place. This used to be very costly and was avoided, but due to changes in the Federal Rules of Discovery, many organizations now have to build processes to locate all information and tag it, so this becomes much easier.
- Threat Vector Analysis defense-in-depth is similar to information centric; it requires us to identify the assets we want to protect in order of priority, perform an analysis to determine the paths the threat could use to reach the vulnerability and figure out how to place controls on the vectors to prevent the threat from crossing the vulnerability.
- Role-based access control (RBAC) is an access control method that organizations implement to ensure that only authorized users access data. Unlike other access control methods, role-based access control assigns users to specific roles, and permissions are granted to each role based on the user's job requirements. Users can be assigned any number of roles in order to conduct day-to-day tasks. For example, a user may need to have a developer role as well as an analyst role. Each role would define the permissions that are needed to access different objects. With Network Access Control we can extend this from groups on systems to the entire enterprise. It requires more configuration than protected enclaves, but it yields more protection.
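The RBAC model described above, as an added example that is not part of the article: users are assigned roles, roles carry the permissions their job needs, a user holding both a developer and an analyst role gets the union of the two, and anything no role grants is denied. The role names, objects and actions are constructed for the illustration.

```python
"""Minimal role-based access control (RBAC) evaluator (added example)."""
from collections import defaultdict

# Each role maps to the set of (object, action) permissions its job needs.
# Names are constructed for this illustration.
ROLE_PERMISSIONS = {
    "developer": {("source_repo", "read"), ("source_repo", "write"),
                  ("build_server", "execute")},
    "analyst":   {("sales_db", "read"), ("report_share", "read"),
                  ("report_share", "write")},
    "dba":       {("sales_db", "read"), ("sales_db", "write"),
                  ("sales_db", "admin")},
}

# Users are assigned roles, never permissions directly.
USER_ROLES = defaultdict(set)


def assign_role(user, role):
    """Give a user a role; unknown roles are rejected rather than created."""
    if role not in ROLE_PERMISSIONS:
        raise ValueError(f"unknown role: {role}")
    USER_ROLES[user].add(role)


def effective_permissions(user):
    """Union of the permissions of every role the user holds (empty if none)."""
    perms = set()
    for role in USER_ROLES.get(user, ()):
        perms |= ROLE_PERMISSIONS[role]
    return perms


def is_allowed(user, obj, action):
    """Deny by default: allowed only if some role grants (obj, action)."""
    return (obj, action) in effective_permissions(user)


def roles_granting(user, obj, action):
    """Which of the user's roles grant this permission (useful in access reviews)."""
    return {r for r in USER_ROLES.get(user, ())
            if (obj, action) in ROLE_PERMISSIONS[r]}


if __name__ == "__main__":
    assign_role("alice", "developer")
    assign_role("alice", "analyst")
    assign_role("bob", "dba")
    print(is_allowed("alice", "sales_db", "read"))      # True, via analyst role
    print(is_allowed("alice", "sales_db", "write"))     # False, no role grants it
    print(is_allowed("carol", "source_repo", "read"))   # False, carol has no roles
```

The `roles_granting` helper is what an access review needs: when a permission turns out to be broader than a job requires, it shows which role definition to tighten.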