|Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.|
Written by: Christopher Benson, Inobits Consulting (Pty) Ltd
Contributors: Denis Bensch, Dawie Human, Louis De Klerk, and Johan Grobler, all of Inobits Consulting (Pty) Ltd
Reviewed by: Glenn Berg
Microsoft Solutions Framework
Best Practices for Enterprise Security
Note: This white paper is one of a series. Best Practices for Enterprise Security (http://www.microsoft.com/technet/archive/security/bestprac/bpent/bpentsec.mspx) contains a complete list of all the articles in this series. See also the Security Entities Building Block Architecture (http://www.microsoft.com/technet/archive/security/bestprac/bpent/sec2/secentbb.mspx).
On This Page
The Focus of This Paper
Basic Risk Assessment
Proactive Security Planning
Reactive Security Planning
The Focus of This Paper
The most important part of deployment is planning. It is not possible to plan for security, however, until a full risk assessment has been performed. Security planning involves developing security policies and implementing controls to prevent computer risks from becoming reality.
The policies outlined in this paper are merely guidelines. Each organization is different and will need to plan and create policies based upon its individual security goals and needs.
The discussion of tools and technologies in this paper is focused on features rather than technology. This emphasis allows security officials and IT managers to choose which tools and techniques are best suited to their organizations' security needs.
Basic Risk Assessment
Risk assessment is a very important part of computer security planning. No plan of action can be put into place before a risk assessment has been performed. The risk assessment provides a baseline for implementing security plans to protect assets against various threats. There are three basic questions one needs to ask in order to improve the security of a system:
What assets within the organization need protection?
What are the risks to each of these assets?
How much time, effort, and money is the organization willing to expend to upgrade or obtain new adequate protection against these threats?
You cannot protect your assets if you do not know what to protect against. Computers need protection against risks, but what are risks? In simple terms, a risk is realized when a threat takes advantage of a vulnerability to cause harm to your system. After you know your risks, you can then create policies and plans to reduce those risks.
There are many ways to go about identifying all the risks to your assets. One way is to gather personnel from within your organization and have a brainstorming session where you list the various assets and the risks to those assets. This will also help to increase security awareness within your organization.
Risks can come from three sources: natural disaster risks, intentional risks, and unintentional risks. These sources are illustrated in the following figure.
In Security Strategies, another paper in the Best Practices for Enterprise Security white paper series, a methodology to define security strategies is outlined in the following flowchart. The first step in the flowchart is assessing risk.
The risk assessment step in the Security Strategy flowchart can be divided further into the following steps.
Identify the assets you want to protect and the value of these assets.
Identify the risks to each asset.
Determine the category of the cause of the risk (natural disaster risk, intentional risk, or unintentional risk).
Identify the methods, tools, or techniques the threats use.
Once these steps have been completed, it is possible to plan security policies and controls to minimize the realization of risks. In this paper, we will discuss primarily the first two steps. For information about steps three and four, please see the Security Strategies paper.
Companies are dynamic, and your security plan must be too. Update your risk assessment periodically. In addition, redo the risk assessment whenever you have a significant change in operation or structure. Thus, if you reorganize, move to a new building, switch vendors, or undergo other major changes, you should reassess the risks and potential losses.
Identifying the Assets
One important step toward determining the risks to assets is performing an information asset inventory by identify the various items you need to protect within your organization. The inventory should be based on your business plan and the sensitivity of those items. Consider, for example, a server versus a workstation. A server has a higher level of sensitivity than a typical user's workstation. Organizations should store the inventory online and categorize each item by its importance. The inventory should include everything that the organization would consider to be valuable. To determine if something is valuable, consider what the loss or damage of the item might be in terms of lost revenue, lost time, or the cost of repair or replacement. Some of the items that should be on your item inventory are:
Sensitive data and other information
Computers, laptops, palmtops, etc.
Backups and archives
Manuals, books, and guides
Communications equipment and wiring
Commercial software distribution media
Public image and reputation
Processing availability and continuity of operations
Confidentiality of information
For each asset, the following information should be defined:
Type: hardware, software, data
General support system or a critical application system
Designated owner of the information
Physical or logical location
Inventory item number where applicable
Service levels, warranties, key contacts, where it fits in to supplying availability and or security, and replacement process
Identifying Risks to the Assets
After identifying the assets, it is necessary to determine all the risks that can affect each asset. One way of doing this is by identifying all the different ways an asset can be damaged, altered, stolen, or destroyed. For example:
- Financial information stored on a database system
Misuse of software and hardware
Viruses, Trojan horses, or worms
Unauthorized deletion or modification
Unauthorized disclosure of information
Penetration ("hackers" getting into your machines)
Software bugs and flaws
Fires, floods, or earthquakes
In order to develop an effective information security policy, the information produced or processed during the risk analysis should be categorized according to its sensitivity to loss or disclosure. Most organizations use some set of information categories, such as Proprietary, For Internal Use Only, or Organization Sensitive. The categories used in the security policy should be consistent with any existing categories. Data should be broken into four sensitivity classifications with separate handling requirements: sensitive, confidential, private, and public. This standard data sensitivity classification system should be used throughout the organization. These classifications are defined as follows:
Sensitive. This classification applies to information that needs protection from unauthorized modification or deletion to assure its integrity. It is information that requires a higher than normal assurance of accuracy and completeness. Examples of sensitive information include organizational financial transactions and regulatory actions.
Confidential. This classification applies to the most sensitive business information that is intended strictly for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization, its stockholders, its business partners, and/or its customers. Health care-related information should be considered at least confidential.
Private. This classification applies to personal information that is intended for use within the organization. Its unauthorized disclosure could seriously and adversely impact the organization and/or its employees.
Public. This classification applies to all other information that does not clearly fit into any of the above three classifications. While its unauthorized disclosure is against policy, it is not expected to impact seriously or adversely affect the organization, its employees, and/or its customers.
After identifying the risks and the sensitivity of data, estimate the likelihood of each risk occurring. Quantifying the threat of a risk is hard work. Some ways to estimate risk include:
Obtaining estimates from third parties, such as insurance companies.
Basing estimates on your records, if the event happens on a regular basis.
Investigating collected statistics or published reports from industry organizations.
Basing estimates on educated guesses extrapolated from past experience. For instance:
Your power company can provide an official estimate of the likelihood that your building will experience a power outage in the next year.
Past experience and best guess can be used to estimate the probability of a serious bug being discovered in your vendor software.
Once all the risks have been realized for each asset, it is necessary to identify whether the damage caused will be intentional or accidental.
Identifying Type of Threat and Method of Attack
A threat is any action or incident with the potential to cause harm to an organization through the disclosure, modification, or destruction of information, or by the denial of critical services. Security threats can be divided into human threats and natural disaster threats, as the following picture illustrates.
Human threats can be further divided into malicious (intentional) threats and non-malicious (unintentional) threats. A malicious threat exploits vulnerabilities in security policies and controls to launch an attack. Malicious threats can range from opportunistic attacks to well-planned attacks.
Non-malicious human threats can occur through employee error or ignorance. These employees may accidentally cause data corruption, deletion, or modification while trying to capture data or change information. (Hardware or software failures, while not a human threat, are other non-malicious threats.)
In understanding these various threats, it is possible to determine which vulnerabilities may be exploited and which assets are targeted during an attack. Some methods of attack include:
Viruses, worms, and Trojan horses
Denial of service attack tools
Proactive Security Planning
After assessing your risk, the next step is proactive planning. Proactive planning involves developing security policies and controls and implementing tools and techniques to aid in security.
As with security strategies, it is necessary to define a plan for proactive and reactive security planning. The proactive plan is developed to protect assets by preventing attacks and employee mistakes. The reactive plan is a contingency plan to implement when proactive plans have failed.
Developing Security Polices and Controls
A company's security plan consists of security policies. Security policies give specific guidelines for areas of responsibility, and consist of plans that provide steps to take and rules to follow to implement the policies.
Policies should define what you consider valuable, and should specify what steps should be taken to safeguard those assets. Policies can be drafted in many ways. One example is a general policy of only a few pages that covers most possibilities. Another example is a draft policy for different sets of assets, including e-mail policies, password policies, Internet access policies, and remote access policies.
Two common problems with organizational policies are:
The policy is a platitude rather than a decision or direction.
The policy is not really used by the organization. Instead it is a piece of paper to show to auditors, lawyers, other organizational components, or customers, but it does not affect behavior.
A good risk assessment will determine whether good security policies and controls are implemented. Vulnerabilities and weaknesses exist in security policies because of poor security policies and the human factor, as shown in the following diagram. Security policies that are too stringent are often bypassed because people get tired of adhering to them (the human factor), which creates vulnerabilities for security breaches and attacks.
For example, specifying a restrictive account lockout policy increases the potential for denial of service attacks. Another example is implementing a security keypad on the server room door. Administrators may get tired of entering the security PIN number and stop the door from closing by using a book or broom, thereby bypassing the security control. Specifying restrictive password policy can actually reduce the security of the network. For example, if you require passwords longer than seven characters, most users have difficulty remembering them. They might write their passwords down and leave them where an intruder can find them.
The following diagram illustrates the relationships between a good risk assessment and good security polices and controls.
To be effective, policy requires visibility. Visibility aids implementation of policy by helping to ensure policy is fully communicated throughout the organization. This is achieved through the plan of each policy that is a written set of steps and rules. The plan defines when, how, and by whom the steps and rules are implemented. Management presentations, videos, panel discussions, guest speakers, question/answer forums, and newsletters increase visibility. If the organization has computer security training and awareness, it is possible to effectively notify users of new policies. It also can be used to familiarize new employees with the organization's policies.
Computer security policies should be introduced in a manner that ensures that management's unqualified support is clear, especially in environments where employees feel inundated with policies, directives, guidelines, and procedures. The organization's policy is the vehicle for emphasizing management's commitment to computer security and making clear their expectations for employee performance, behavior, and accountability.
Types of Security Policies
Policies can be defined for any area of security. It is up to the security administrator and IT manager to classify what policies need to be defined and who should plan the policies. There could be policies for the whole company or policies for various sections within the company. The various types of policies that could be included are:
Backup and restore policies
The security provided by a password system depends on the passwords being kept secret at all times. Thus, a password is vulnerable to compromise whenever it is used, stored, or even known. In a password-based authentication mechanism implemented on a system, passwords are vulnerable to compromise due to five essential aspects of the password system:
A password must be initially assigned to a user when enrolled on the system.
A user's password must be changed periodically.
The system must maintain a "password database."
Users must remember their passwords.
Users must enter their passwords into the system at authentication time.
Employees may not disclose their passwords to anyone. This includes administrators and IT managers.
Password policies can be set depending on the needs of the organization. For example, it is possible to specify minimum password length, no blank passwords, and maximum and minimum password age. It is also possible to prevent users from reusing passwords and ensure that users use specific characters in their passwords making passwords more difficult to crack. This can be set through Windows 2000 account policies discussed later in the paper.
Many systems come from the vendor with a few standard user logins already enrolled in the system. Change the passwords for all standard user logins before allowing the general user population to access the system. For example, change administrator password when installing the system.
The administrator is responsible for generating and assigning the initial password for each user login. The user must then be informed of this password. In some areas, it may be necessary to prevent exposure of the password to the administrator. In other cases, the user can easily nullify this exposure. To prevent the exposure of a password, it is possible to use smart card encryption in conjunction with the user's username and password. Even if the administrator knows the password, he or she will be unable to use it without the smart card. When a user's initial password must be exposed to the administrator, this exposure may be nullified by having the user immediately change the password by the normal procedure.
Occasionally, a user will forget the password or the administrator may determine that a user's password may have been compromised. To be able to correct these problems, it is recommended that the administrator be permitted to change the password of any user by generating a new one. The administrator should not have to know the user's password in order to do this, but should follow the same rules for distributing the new password that apply to initial password assignment. Positive identification of the user by the administrator is required when a forgotten password must be replaced.
Users should understand their responsibility to keep passwords private and to report changes in their user status, suspected security violations, and so forth. To assure security awareness among the user population, we recommend that each user be required to sign a statement to acknowledge understanding these responsibilities.
The simplest way to recover from the compromise of a password is to change it. Therefore, passwords should be changed on a periodic basis to counter the possibility of undetected password compromise. They should be changed often enough so that there is an acceptably low probability of compromise during a password's lifetime. To avoid needless exposure of users' passwords to the administrator, users should be able to change their passwords without intervention by the administrator.
E-mail is increasingly critical to the normal conduct of business. Organizations need policies for e-mail to help employees use e-mail properly, to reduce the risk of intentional or inadvertent misuse, and to assure that official records transferred via e-mail are properly handled. Similar to policies for appropriate use of the telephone, organizations need to define appropriate use of e-mail. Organizational polices are needed to establish general guidance in such areas as:
The use of e-mail to conduct official business
The use of e-mail for personal business
Access control and confidential protection of messages
The management and retention of e-mail messages
It is easy to have e-mail accidents. E-mail folders can grow until the e-mail system crashes. Badly configured discussion group software can send messages to the wrong groups. Errors in e-mail lists can flood the subscribers with hundreds of error messages. Sometime errors messages will bounce back and forth between e-mail servers. Some ways to prevent accidents are to:
Train users what to do when things go wrong, as well as how to do it right.
Configure e-mail software so that the default behavior is the safest behavior.
Use software that follows Internet e-mail protocols and conventions religiously. Every time an online service gateways its proprietary e-mail system to the Internet, there are howls of protest because of the flood of error messages that result from the online service's misbehaving e-mail servers.
Using encryption algorithms to digitally sign the e-mail message can prevent impersonation. Encrypting the contents of the message or the channel that it's transmitted over can prevent eavesdropping. E-mail encryption is discussed later in this paper under "Public Key Infrastructures."
Using public locations like Internet cafes and chat rooms to access e-mail can lead to the user leaving valuable information cached or downloaded on to internet computers. Users need to clean up the computer after they use it, so no important documents are left behind. This is often a problem in places like airport lounges.
The World Wide Web has a body of software and a set of protocols and conventions used to traverse and find information over the Internet. Through the use hypertext and multimedia techniques, the Web is easy for anyone to roam, browse, and contribute to.
Web clients, also known as Web browsers, provide a user interface to navigate through information by pointing and clicking. Browsers also introduce vulnerabilities to an organization, although generally less severe than the threat posed by servers. Various settings can set on Internet Explorer browsers by using Group Policy in Windows 2000.
Web servers can be attacked directly, or used as jumping off points to attack an organization's internal networks. There are many areas of Web servers to secure: the underlying operating system, the Web server software, server scripts and other software, and so forth. Firewalls and proper configuration of routers and the IP protocol can help to fend off denial of service attacks.
Backup and Restore Policies
Backups are important only if the information stored on the system is of value and importance. Backups are important for a number of reasons:
Computer hardware failure. In case certain hardware devices such as hard drives or RAID systems fail.
Software Failure. Some software applications could have flaws in them whereby information is interpreted or stored incorrectly.
User Error. Users often delete or modify files accidentally. Making regular backups can help restore deleted or modified files.
Administrator Error. Sometimes administrators also make mistakes such as accidentally deleting active user accounts.
Hacking and vandalism. Computer hackers sometimes alter or delete data.
Theft. Computers are expensive and usually easily to sell. Sometimes a thief will steal just the hardware inside the computer, such as hard drives, video cards, and sound drivers.
Natural disasters. Floods, earthquakes, fires, and hurricanes can cause disastrous effects on computer systems. Building can be demolished or washed away.
Other disasters. Unforeseeable accidents can cause damage. Some examples are if a plane crashes into buildings or if gas pipes leak and cause explosions.
When doing hardware and software upgrades:
Never upgrade without backing data files that you must have.
Be sure to back up system information such as registries, master boot records, and the partition boot sector.
In operating systems such as Microsoft Windows 2000 and Microsoft Windows NT, make sure that an up-to-date emergency repair disk exists.
Information that should be backed up includes:
Important information that is sensitive to the organization and to the continuity of operations. This includes databases, mail servers, and any user files.
System databases, such as registries and user account databases.
The backup polices should include plans for:
Regularly scheduled backups.
Types of backups. Most backup systems support, normal backups, incremental backups, and differential backups.
A schedule for backups. The schedule should normally be during the night when the company has the least amount of users.
The information to be backed up.
Type of media used for backups. Tapes, CD-ROMs, other hard drives, and so forth.
The type of backup devices: Tape devices, CD writers, other hard drives, swappable hard drives, and maybe to a network share. Devices also come in various speeds, normally measured in the amount of megabytes backed up per minute. Depending on the system requirements, the amount of time it takes to perform backups.
Onsite and offsite storage of backups.
Onsite Storage: Store backups in a fireproof safe. Backups should not be stored in the drawer of the table on which the computer sits. Secure storage protects against natural disaster, theft, and sabotage of critical data. All software including operating system software, service packs, and other critical application software should also be safely stored.
Offsite storage: Important data should also be stored offsite. Certain companies specialize in storing data. An alternative solution could be using a safe deposit box and a bank.
Emergency Repair Disks
In Microsoft Windows 2000 and Microsoft Windows NT, there is an option to create an emergency repair disk (ERD). The ERD contains certain registry information and other system files to help recover or repair a corrupted Windows installation. The repair disk should be updated periodically or every time new users or system configuration changes, such as adding or deleting disk partitions. ERDs should be stored with backups both onsite and offsite if possible.
Windows 2000 Software Policies
In Windows 2000, account policies are the first subcategory of Security Settings. Account policies include:
Password Policy. Password policies can be set depending on the needs of the organization. For example, it is possible to specify minimum password length, no blank passwords, and maximum and minimum password age. It is also possible to prevent users from reusing passwords and ensure that users use specific characters in their passwords making passwords more difficult to crack.
Account Lockout Policy. With this policy, it is possible to determine what happens when users fail to enter the correct password for an account. Users can be locked out after a specified number of failed logon attempts and the period of time that accounts are locked out for.
Kerberos Authentication Policy. You can modify the default Kerberos settings for each domain. For example, you can set the maximum lifetime of a user ticket.
Group Policy is a way of forcing rules about computer configuration and user behavior. It is possible to have different policies throughout the company. As a user connects to a Windows 2000 domain controller that has Group Policy settings enabled, the policies are automatically downloaded to the user's computer and stored in the registry. Some of the settings include:
Addition or removal of items from the desktop and control panel.
Automatically installing software on users' computers without user interaction.
Configuring Internet Explorer options for users including security zones.
Configuring network settings such as mapped network drives and permissions to view computer browse list.
Configuring system settings such as disabling computer shutdown options and the ability to run task manager.
IP Security Policies
The Internet Protocol (IP) underlies the majority of corporate networks as well as the Internet. It has worked well for decades. It is powerful, highly efficient, and cost-effective. Its strength lies in its flexibly routed packets, in which data is broken up into manageable pieces for transmission over networks. And it can be used by any operating system.
In spite of its strengths, IP was never designed to be secure. Due to its method of routing packets, IP-based networks are vulnerable to spoofing, sniffing, session hijacking, and man-in-the-middle attacks—threats that were unheard of when IP was first introduced.
The initial attempts to provide security over the Internet have been application-level protocols and software, such as Secure Sockets Layer (SSL) for securing Web traffic and Pretty Good Privacy (PGP) for securing e-mail. These applications, however, are limited to specific applications.
Using IP security it is possible to secure and encrypt all IP traffic. It is possible to make use of IP security policies in Windows 2000 to control how, when, and on whom IP security works. The IP security policy can define many rules, such as:
What IP addresses to scan for
How to encrypt packets
Setting filters to take a look at all IP traffic passing through the object on which the IP security policy is applied
Tools and Techniques to Aid in Security
There are various technologies, tools, and techniques to help aid in securing networks and computers. This section deals with some of those technologies, outlining the features and uses more than providing an in-depth technical evaluation. The idea is to allow security officials and IT managers to gain an overall impression of these techniques and then to decide what techniques and tools will best suit the organization. In-depth technical studies of some of the concepts discussed can be found on the Windows 2000 resource kit and in the links to various sites in the References section at the end of the chapter.
Secure Access, Secure Data, Secure Code
People like confidentiality and privacy, however attackers can eavesdrop or steal information that is sensitive to a person or organization. If a company comes up with a new innovative product and would like to store the ideas on a computer system, it is going to want protection for that the data on the system and the transferring of data from one system to another. Networks and data communication channels are often insecure, subjecting messages transmitted over the channels to passive and active threats. With a passive threat, an intruder intercepts messages to view the data. This intrusion is also known as eavesdropping. With an active threat, the intruder modifies the intercepted messages. An effective tool for protecting messages against the active and passive threats inherent in data communications is cryptography.
Cryptography is the science of mapping readable text, called plaintext, into an unreadable format, called ciphertext, and vice versa. The mapping process is a sequence of mathematical computations. The computations affect the appearance of the data, without changing its meaning.
To protect a message, an originator transforms a plaintext message into ciphertext. This process is called encryption as shown in following flow diagram. The ciphertext is transmitted over a network or data communications channel. If the message is intercepted, the intruder only has access to the unreadable ciphertext. Upon receipt, the message recipient transforms the ciphertext into its original plaintext format. This process is called decryption.
The mathematical operations used to map between plaintext and ciphertext are cryptographic algorithms. Cryptographic algorithms require the text to be mapped, and at a minimum, require some value that controls the mapping process. This value is called a key. Given the same text and the same algorithm, different keys produce different mappings.
Cryptography is used to provide the following services: authentication, integrity, non-repudiation, and secrecy. In an e-mail message, for example, cryptography provides:
Authentication. Allows the recipient of a message to validate its origin. It prevents an imposter from masquerading as the sender of the message.
Integrity. Assures the recipient that the message was not modified en route. Note that the integrity service allows the recipient to detect message modification, but not to prevent it.
Non-repudiation. There are two types of non-repudiation service. Non-repudiation with proof of origin provides the recipient assurance of the identity of the sender. Non-repudiation with proof of delivery provides the sender assurance of message delivery.
Secrecy. Also known as confidentiality, prevents disclosure of the message to unauthorized users.
Public Key Infrastructures
Public key cryptography can play an important role in helping provide the needed security services including confidentiality, authentication, digital signatures, and integrity. Public key cryptography uses two electronic keys: a public key and a private key. These keys are mathematically related, but the private key cannot be determined from the public key. The public key can be known by anyone while the owner keeps the private key secret.
A Public Key Infrastructure (PKI) provides the means to bind public keys to their owners and helps in the distribution of reliable public keys in large heterogeneous networks. Public keys are bound to their owners by public key certificates. These certificates contain information such as the owner's name and the associated public key and are issued by a reliable certification authority (CA). Digital certificates, also called Digital IDs, are the electronic counterparts to driver licenses, passports, or membership cards. A digital certificate can be presented electronically to prove your identity or your right to access information or services online. Digital certificates are used not only to identify people, but also to identify Web sites (crucial to e-business) and software that is being sent over the Web. Digital certificates bring trust and security when you are communicating or doing business on the Internet.
A PKI is often composed of many CAs linked by trust paths. The CAs may be linked in several ways. They may be arranged hierarchically under a "root CA" that issues certificates to subordinate CAs. The CAs can also be arranged independently in a network. This makes up the PKI architecture.
Electronic transactions are becoming increasingly important. Many companies offering online services and e-commerce would like to have mechanisms in place to increase confidence in electronic transactions. When a buyer buying a product from a seller hands a bank check (bill of exchange) to the seller he or she has to sign the check verifying his or her identity and making the transaction legal.
The widespread use of PKI technology to support digital signatures can help increase confidence in electronic transactions. For example, the use of a digital signature allows a seller to prove that goods or services were requested by a buyer and therefore demand payment. The use of a PKI allows parties without prior knowledge of each other to engage in verifiable transactions.
For example, a buyer interested in purchasing goods electronically would need to obtain a public key certificate from a CA. The process of obtaining a certificate from a CA is to generate a public-private key pair. The buyer sends the public key with valid information about the company to a registration authority (RA), and asks for a certificate. The RA verifies the buyer's identity based on the information provided and vouches for the identity of the buyer to a CA, who would then issue the certificate.
The newly certified buyer can now sign electronic purchase orders for the goods. The goods vendor receiving the purchase order can obtain the buyer's certificate and the certificate revocation list (CRL) for the CA that issued the buyer's certificate, check that the certificate has not been revoked, and verify the buyer's signature. By verifying the validity of the certificate, the vendor ensures receipt of a valid public key for the buyer; by verifying the signature on the purchase order, the vendor ensures the order was not altered after the buyer issued it.
Once the validity of the certificate and the signature are established, the vendor can ship the requested goods to the buyer with the knowledge that the buyer ordered the goods. This transaction can occur without any prior business relationships between the buyer and the seller.
Secure Sockets Layer
Secure Sockets Layer (SSL) is a protocol that protects data sent between Web browsers and Web servers. SSL also ensures that the data came from the Web site it is supposed to have originated from and that no one tampered with the data while it was being sent. Any Web site address that starts with "https" has been SSL-enabled.
SSL provides a level of security and privacy for those wishing to conduct secure transactions over the Internet. SSL protocol protects HTTP transmissions over the Internet by adding a layer of encryption. This ensures that your transactions are not subject to "sniffing" by a third party.
SSL provides visitors to your Web site with the confidence to communicate securely via an encrypted session. For companies wishing to conduct serious e-commerce, such as receiving credit card numbers or other sensitive information, SSL is a must. Web users can tell when they've reached an SSL-protected site by the "https" designation at the start of the Web page's address. The "s" added to the familiar HTTP—the Hypertext Transfer Protocol—stands for secure.
Companies that want to conduct business via the Internet through and using the capabilities of SSL need to contact a certificate authority, such as VeriSign Inc., which is a third-party organization that confirms a company is indeed what it claims to be. Once that is complete, the company can set up its Web servers for SSL connections. Users don't have to do anything to trigger an SSL connection. The client portion of SSL is built into the Web browser.
Standard Internet e-mail is usually sent as plaintext over networks. Intruders can monitor mail servers and network traffic to obtain sensitive information.
There are currently two actively proposed methods for providing secure e-mail security services: Pretty Good Privacy (PGP) and Secure/Multipurpose Internet Mail Extensions (S/MIME). These services typically include authentication of the originator and privacy for the data. They can also provide a signed receipt from the recipient. At the core of these capabilities is the use of public key technology and large-scale use of public keys requires a method of certifying that a given key belongs to a given user.
PGP is a military grade encryption scheme available to all computer users. It works using paired sets of keys. The public key can be used to encode a message that can only be decoded with the matching private key. Likewise, e-mail "signed" with a private key can be verified as authentic with its matching public key.
S/MIME is the same cryptographic method used for secure e-mail, adopted by every major e-mail vendor in the industry. S/MIME uses public key cryptography to digitally sign and encrypt each message sent between trading partners. This ensures that not only can the message not be read, but also that the message came only from the sender and was not altered in transport.
Encryption File System
Data encryption has become an increasingly important factor in everyday work. Users seek a method of securing their data with maximum comfort and minimum additional requirements on their part. They want a security system that protects any files used by any of their applications, without resorting to application-specific encryption methods.
In today's world of advanced technology, your electronic records are your business. Previously, using networked computers or remote laptops meant either sacrificing productivity or risking loss. Traveling with copies of important business databases was out of the question, but not anymore.
Today, critical enterprise information no longer resides solely on mainframe computers or central servers. Strategic planning, research, product development, marketing data, third-party information, and other corporate secrets are widely distributed on individual computers throughout an enterprise. These workstations, regular desktop computers, individual computers in home offices, and notebook computers are the most numerous, most vulnerable entry points to any enterprise, and they're all open to intrusion and theft. Even if an enterprise uses advanced network access security, an unattended workstation offers instant access to files on the hard drive and also the network. Similarly, a stolen notebook computer offers easy access to critical data by competitors, unauthorized employees, and others whose knowledge of such information can profit at the expense of the victimized organization.
To solve the problem of attackers being able to read the files on the disks, you can use Encrypting File System (EFS). EFS is a new feature in Microsoft Windows 2000 that allows the protection and confidentiality of sensitive data by using symmetric key encryption in conjunction with public key technology. Only the owner of the protected file can open it and read just like a normal document. EFS is integrated into the NT file system (NTFS). You can set the encryption attribute for folders and files just as you would for other attributes.
EFS provides users with privacy. Besides the user who encrypts the file, only a designated administrator can decrypt the file in cases of emergency recovery. EFS is a transparent operation in which file encryption does not require the user to encrypt and decrypt the file.
Modern computer systems provide a service to multiple users and require the ability to accurately identify the user making a request. In traditional systems, the user's identity is verified by checking a password typed during login; the system records the identity and uses it to determine what operations may be performed. The process of verifying the user's identity is called authentication. Password-based authentication is not suitable for use on computer networks. Passwords sent across the network can be intercepted and subsequently used by eavesdroppers to impersonate the user.
Verifying the identity of someone or something is important. Administrators do not want unauthorized users or imposters to impersonate users. Administrators want to be able to verify that whoever is logging on to a system is who they say they are. Microsoft Windows 2000 supports two types of authentication protocols: Kerberos authentication protocol and NTLM authentication protocol. Kerberos authentication protocol is the default authentication protocol for computers running Windows 2000. NTLM authentication protocol is provided for backward compatibility with other Microsoft operating systems. In this section we are going to outline the various features of each protocol and the application of each protocol.
Kerberos is designed to provide strong authentication for client/server applications by using secret-key cryptography. The Kerberos protocol uses strong cryptography so that a client can prove its identity to a server (and vice versa) across an insecure network connection. Kerberos is a trusted third-party authentication system, whose main purpose is to allow people and processes (known to Kerberos as principals) to prove their identity in a reliable manner over an insecure network. Instead of transmitting secret passwords in the clear, where they may be intercepted and read by unauthorized parties, principals obtain special Kerberos vouchers (known as session tickets) from Kerberos, which they can use to authenticate themselves to each other. The session ticket lasts only for the session while a user is logged on.
Kerberos authentication requires the existence of a trusted network entity that acts as an authentication server for clients and servers requesting authentication information. This authentication server is known the key distribution center (KDC). It has access to a database consisting of a list of users and client services, their default authentication parameters, their secret encryption keys, and other data. Authentication is typically a one-way process. This is the process by which a service authenticates the client. An advantage of Kerberos over NTLM is that it allows for mutual authentication, where the client authenticates the service.
Kerberos authentication occurs when special authentication model messages, session tickets, are passed among client applications, server applications, and one or more KDCs. Client processes acting on behalf of users authenticate themselves to servers by means of the session ticket. The KDC generates tickets, which are sent to the requesting client processes. Kerberos maintains a set of secret keys, one for every entity to be authenticated within a particular realm (a realm is the Protocols equivalent of a Windows 2000 domain) or domain. A client presents a ticket to the server as evidence that the principal is who it claims to be. The ticket presented to the server "proves" that a KDC authenticated the client.
Kerberos streamlines the process of logging on and accessing resources as opposed to NTLM. In Kerberos authentication, the computer first contacts the KDC for authentication to the network. Then, when the user is ready to access a resource for the first time, the computer contacts the KDC for a session ticket to access the resource. On each subsequent attempt, the computer can simply contact the resource directly, using the same ticket, without having to go to a domain controller first. In this way unnecessary communication with the domain controller is eliminated. This new process allows users to log on faster and gain access to network resources more quickly.
In NTLM authentication, to avoid revealing passwords directly over an untrusted network, a challenge-response system is used. At its simplest, the server sends the user some sort of challenge, which would typically be some sort of random string. The user would then compute a response, usually some function based on both the challenge and the password. This way, even if an intruder captures a valid challenge-response pair, it will not help the intruder gain access to the system since future challenges are likely to be different and thus require different responses.
In Microsoft Windows NT, the client contacts a primary domain controller (PDC) or a backup domain controller (BDC) to log on to the domain. Then, when the client is ready to establish a session with a particular resource, such as a printer share, it will contact server that maintains the resource. The server, in turn, will contact the domain controller that maintains the resource in order to give it the client's required credentials or access token. NTLM is used in Windows 2000 for backward compatibility with other Windows products such as Windows NT. NTLM is also used with the Telnet service in Windows 2000 so users do not transmit their passwords in clear text to the Telnet service. The Telnet service is only implemented on Windows 2000 when Services for Unix is installed.
Smart Cards are typically credit card type cards that contain a small amount of memory and sometimes a processor. Since smart cards contain more memory than a typical magnetic stripe and can process information, they are being used in security situations where these features are a necessity. They can be used to hold system logon information such as the user's private key along with other personal information on the user including passwords. In a typical smart card logon environment, the user is required to insert his or her smart card into a reader device connected to the computer. Then, the software uses the information stored on the smart card for authentication. When paired with a password and/or a biometric identifier, the level of security is increased. For example, requiring the user to simply enter a password for logon is less secure than having them insert a smart card and enter a password. File encryption utilities which use the smart card as the key to the electronic lock is another security use of smart cards.
Electronic software distribution over any network involves potential security problems. Software can contain programs such as viruses and Trojan horses. To help address some of these problems, you can associate digital signatures with the files. A digital certificate is a means of establishing identity via public key cryptography; code signed with a digital certificate verifies the identity of the publisher and ensures that the code has not been tampered with after it was signed. Certificates and object signing establish identity and let the user make decisions about the validity of a person's identity. When the user executes the code for the first time, a dialog box comes up. The dialog box provides information on the certificate and a link to the certificate authority.
Microsoft developed the Microsoft Authenticode technology, which enables developers and programmers to digitally sign software. Before software is released to the public or internal to the organization, developers can digitally sign the code. If the software is modified after digitally signing the software, the digital signature becomes invalid. In Internet Explorer, you can specify security settings that prevent users form downloading and running unsigned software from any security zone. Internet Explorer can be configured to automatically trust certain software vendors and authorities so that software and other information is automatically accepted.
Technologies to Secure Network Connectivity
Businesses and other organizations use the Internet because it provides useful services. Organization could choose to support or not support Internet-based services based on a business plan or an information technology strategic plan. In other words, organizations should analyze their business needs, identify potential methods of meeting the needs, and consider the security ramifications of the methods along with cost and other factors.
Most organizations use Internet-based services to provide enhanced communications between business units, or between the business and its customers, or provide a cost-savings means of automating business processes. Security is a key consideration—a single security incident can wipe out any cost savings or revenue provided by Internet connectivity.
Some of the ways to protect the organization from outside intrusions include firewalls and virtual private networks (VPN).
Many organizations have connected or want to connect their private LANs to the Internet so that their users can have convenient access to Internet services. Since the Internet as a whole is not trustworthy, their private systems are vulnerable to misuse and attack. A firewall is a safeguard that one can use to control access between a trusted network and a less trusted one. A firewall is not a single component; it is a strategy for protecting an organization's Internet-reachable resources. A firewall serves as the gatekeeper between the untrustworthy Internet and the more trustworthy internal networks.
The main function of a firewall is to centralize access control. If outsiders or remote users can access the internal networks without going through the firewall, its effectiveness is diluted. For example, if a traveling manager has a modem connected to his office computer that he or she can dial into while traveling, and that computer is also on the protected internal network, an attacker who can dial into that computer has circumvented the firewall. If a user has a dial-up Internet account with a commercial ISP, and sometimes connects to the Internet from his or her office computer via modem, he or she is opening an unsecured connection to the Internet that circumvents the firewall. Firewalls provide several types of protection:
They can block unwanted traffic.
They can direct incoming traffic to more trustworthy internal systems.
They hide vulnerable systems that cannot easily be secured from the Internet.
They can log traffic to and from the private network.
They can hide information such as system names, network topology, network device types, and internal user IDs from the Internet.
They can provide more robust authentication than standard applications might be able to do.
As with any safeguard, there are trade-offs between convenience and security. Transparency is the visibility of the firewall to both inside users and outsiders going through a firewall. A firewall is transparent to users if they do not notice or stop at the firewall in order to access a network. Firewalls are typically configured to be transparent to internal network users (while going outside the firewall); on the other hand, firewalls are configured to be non-transparent for outside network coming through the firewall. This generally provides the highest level of security without placing an undue burden on internal users.
Types of firewalls include packet filtering gateways, application gateways, and hybrid or complex gateways.
Packet Filtering Gateways
Packet filtering firewalls use routers with packet filtering rules to grant or deny access based on source address, destination address, and port. They offer minimum security but at a very low cost, and can be an appropriate choice for a low-risk environment. They are fast, flexible, and transparent. Filtering rules are not often easily maintained on a router, but there are tools available to simplify the tasks of creating and maintaining the rules.
Filtering gateways do have inherent risks, including:
The source and destination addresses and ports contained in the IP packet header are the only information that is available to the router in making decision whether or not to permit traffic access to an internal network.
They do not protect against IP or DNS address spoofing.
An attacker will have a direct access to any host on the internal network once access has been granted by the firewall.
Strong user authentication isn't supported with some packet filtering gateways.
They provide little or no useful logging.
An application gateway uses server programs (called proxies) that run on the firewall. These proxies take external requests, examine them, and forward legitimate requests to the internal host that provides the appropriate service. Application gateways can support functions such as user authentication and logging.
Because an application gateway is considered as the most secure type of firewall, this configuration provides a number of advantages to the medium-high risk site:
The firewall can be configured as the only host address that is visible to the outside network, requiring all connections to and from the internal network to go through the firewall.
The use of proxies for different services prevents direct access to services on the internal network, protecting the enterprise against insecure or badly configured internal hosts.
Strong user authentication can be enforced with application gateways.
Proxies can provide detailed logging at the application level.
Hybrid or Complex Gateways
Hybrid gateways combine two or more of the above firewall types and implement them in series rather than in parallel. If they are connected in series, then the overall security is enhanced; on the other hand, if they are connected in parallel, then the network security perimeter will be only as secure as the least secure of all methods used. In medium to high-risk environments, a hybrid gateway may be the ideal firewall implementation.
Virtual Private Networks and Wide Area Networks
Many organizations have local area networks and information servers spread across multiple locations. When organization-wide access to information or other LAN-based resources is required, leased lines are often used to connect the LANs into a Wide Area Network. Leased lines are relatively expensive to set up and maintain, making the Internet an attractive alternative for connecting physically separate LANs.
The major shortcoming to using the Internet for this purpose is the lack of confidentiality of the data flowing over the Internet between the LANs, as well as the vulnerability to spoofing and other attacks. Virtual private networks use encryption to provide the required security services. Typically encryption is performed between firewalls, and secure connectivity is limited to a small number of sites.
One important consideration when creating virtual private networks is that the security policies in use at each site must be equivalent. A VPN essentially creates one large network out of what were previously multiple independent networks. The security of the VPN will essentially fall to that of the lowest common denominator—if one LAN allows unprotected dial-up access, all resources on the VPN are potentially at risk.
Increasingly, businesses require remote access to their information systems. This may be driven by the need for traveling employees to access e-mail, sales people to remotely enter orders, or as a business decision to promote telecommuting. By its very nature, remote access to computer systems adds vulnerabilities by increasing the number of access points.
Typically the remote computer uses an analog modem to dial an auto answer modem at the corporate location. Security methods for protecting this connection include:
Controlling knowledge of the dial-in access numbers. This approach is vulnerable to automated attacks by "war dialers," simple pieces of software that use auto-dial modems to scan blocks of telephone numbers and locate and log modems.
Username/password pairs. Since an attacker would need to be tapping the telephone line, dial-in connections are less vulnerable to password sniffer attacks that have made reusable passwords almost useless over public networks. However, the use of network sniffers on internal networks, the lack of password discipline, and social engineering make obtaining or guessing passwords easy.
Advanced authentication. There are many methods that can be used to supplement or replace traditional passwords. A few examples are:
Dial-back modems. These devices require the user to enter a username/password upon initial connection. The corporate modem then disconnects and looks up the authorized remote telephone number for the connecting user. The corporate modem then dials the remote modem and establishes a connection.
Public key certificates. The use of public key certificates described earlier when logging on.
Microsoft Challenge Handshake Authentication Protocol (MS-CHAP). This is a variant of CHAP that does not require a plaintext version of the password on the authenticating server.
Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAP v2). This provides mutual authentication, stronger initial data encryption keys, and different encryption keys for sending and receiving.
Extensible Authentication Protocol (EAP). This is an extension to the Point-to-Point protocol (PPP) that works with dial-up clients.
The organization's ability to monitor the use of remote access capabilities can also become an issue. The most effective approach is to centralize the modems into remote access servers or modem pools. There should be control in allowing users to connect their own modems to their work computers. In most cases, this should not be allowed due to the fact that it becomes difficult to monitor modems that are not accessed through the firewall and are distributed throughout the organization. They are potential security risks.
Information regarding access to company computer and communication systems, such as dial-up modem phone numbers, should be considered confidential. This information should not be posted on electronic bulletin boards, listed in telephone directories, placed on business cards, or made available. The Network Services Manager should periodically scan direct dial-in lines to monitor compliance with policies and should periodically change the telephone numbers to make it more difficult for unauthorized parties to locate company communications numbers.
Intrusion Detection Tools
Intrusion detection is the process of detecting unauthorized use of, or attack upon, a computer or network. Intrusion Detection Systems (IDSs) are software or hardware systems that detect such misuse. IDSs can detect attempts to compromise the confidentiality, integrity, and availability of a computer or network. The attacks can come from attackers on the Internet, authorized insiders who misuse the privileges given them, and unauthorized insiders who attempt to gain unauthorized privileges.
Intrusion detection capabilities are rapidly becoming necessary additions to every large organization's security infrastructure. The question for security professionals should not be whether to use intrusion detection, but which features and capabilities to use. However, one must still justify the purchase of an IDS. There are at least three good reasons to justify the acquisition of IDSs: to detect attacks and other security violations that cannot be prevented, to prevent attackers from probing a network, and to document the intrusion threat to an organization.
There are several types of IDSs available today, characterized by different monitoring and analysis approaches. Each has distinct uses, advantages, and disadvantages. IDSs can monitor events at three different levels: network, host, and application. IDSs can analyze these events using two techniques: signature detection and anomaly detection. Some IDSs also have the ability to automatically respond to the detected attacks. These variations are discussed in the following sections.
Anti-virus tools perform three basic functions. Tools may be used to detect, identify, or remove viruses. Detection tools perform proactive detection, active detection, or reactive detection. That is, they detect a virus before it executes, during execution, or after execution. Identification and removal tools are more straightforward in their application; neither is of use until a virus has been detected.
Detection tools detect the existence of a virus on a system. These tools perform detection at a variety of points in the system. The virus may be actively executing, residing in memory, or being stored in executable code. The virus may be detected before execution, during execution, or after execution and replication. There are three categories of analysis detection tools:
Static Detection. Static analysis detection tools examine executables without executing them. They can be used to detect infected code before it is introduced to a system.
Detection by Interception. To propagate, a virus must infect other host programs. Some detection tools are intended to intercept attempts to perform such activities. These tools halt the execution of virus-infected programs as the virus attempts to replicate or become resident.
Detection of Modification. All viruses cause modification of executables in their replication process. As a result, the presence of viruses can also be detected by searching for the unexpected modification of executables. This process is sometimes called integrity checking. Note that this type of detection tool works only after infected executables have been introduced to the system and the virus has replicated.
Identification tools are used to identify which virus has infected a particular executable. This allows the user to obtain additional information about the virus. This is a useful practice, since it may provide clues about other types of damage incurred and appropriate clean-up procedures.
Removal tools attempt to efficiently restore the system to its uninfected state by removing the virus code from the infected executable. In many cases, once a virus has been detected, it is found on numerous systems or in numerous executables on a single system. Recovery from original diskettes or clean backups can be a tedious process.
There are many third-party vendors developing the previously mentioned tools and releasing updates on viruses. Acquiring the correct type of tool will depend on the organization's needs for virus scanning and removal.
After you have established the protection mechanisms on your system, you will need to monitor them. You want to be sure that your protection mechanisms actually work. You will also want to observe any indications of misbehavior or other problems. This process of monitoring the behavior of the system is known as auditing.
Various operating systems maintain a number of log files that keep track of what has been happening to the computer. Log files are an important building block of a secure system: they form a recorded history, or audit trail, of your computer past, making it easier to track down intermittent problems or attacks. By using log files, you may be able to piece together enough information to discover the cause of a bug, the source of a break-in, and the scope of the damage involved. In cases where you cannot stop damage from occurring, at least you will have some record of it. Those logs could be exactly what you need to build your system, conduct an investigation, give testimony, recover insurance money, or get accurate field service performed.
Log files also have a fundamental vulnerability: because they are often recorded on the system itself, they are subject to alteration or deletion.
Events to Audit
Careful consideration should be taken when looking at which events to audit. Auditing can cause potential performance loss. If all events are audited on a system, the performance of a system will degrade substantially. The events to be audited are to be chosen carefully depending on what you want to audit. Operating systems audit a variety of events:
Logon and logoff information
System shutdown and restart information
File and folder access
Most audit logs are able to keep a history or backlog of events. Log files can be set up in various ways. Some of these ways include:
Setting the log file to a certain size and then overwriting the events as needed when the log file fills up. They use the concept of first in-first out.
Setting the log file to fill up for a certain amount of days.
Setting the log file to specified size. Once the log file fills up, the log file needs to be cleared manually.
Technologies to Keep the System Running in the Event of a Failure
Computers are not failure proof; you can only make computers more failure resistant. Faulty hardware, attackers, natural disasters, power failures, and errors from users can corrupt, damage, or delete data from a system. In the likely event that any of these threats do occur, a disaster recovery plan needs to be in place.
To prevent these disasters from becoming a financial burden on the organization, you should develop plans for the recovery and restoration of data. There are several questions one needs to ask in order to establish what plans and recovery systems are currently in use:
What information needs to be backed up and what backup strategies and plans need to be considered?
Are backups stored onsite and offsite? If onsite, are the backups stored in fireproof safes? If offsite, how readily are the backups available in case of emergencies? Are backups tested regularly?
Are technologies such as Microsoft Cluster Server in place?
What Redundant Array of Inline Disks (RAID) system implementations are in place?
Is there a record of critical systems hardware and software configurations?
What training is required so operators and administrators can respond in a timely and professional manner?
What records need to be maintained in order to recover from a failure or disaster?
Is there an incident response team available to in case of emergency?
Where are licensed software packages kept and what onsite support is there from vendors?
Have fire drills been practiced by the incident response team and security officials?
Other components and procedures could be included also; this is just a guideline on how to start going about setting up a disaster recovery plan. One important step to take is to always try to test what plans you have implemented. Most administrators know that it takes money, equipment, and time to test recovery procedures. If plans and procedures are structured and tested correctly, recovery will become easier. Here is a general list of some things that can make it easier to recover from disasters:
Plans and procedures should already be developed before a failure occurs. Most the time when a failure occurs and continuity of operations is halted for a prolonged period of time is because procedures and plans have not been developed correctly.
The software configuration of systems should be maintained. This includes operating system versions, service pack updates, and any other software.
You should keep track of hardware configurations such as disks and partitions; peripheral devices installed; and IRQ, DMA, and I/O addresses.
Always ensure that backups are current and up to date. If possible, perform trial restore operations to test backups.
Implement new technologies such as Microsoft Cluster Server. Microsoft cluster server technology will be discussed later in the paper.
Implement RAID technologies. These are also discussed later in the paper.
It is also possible in some cases to implement standby servers. Backed up information is restored on a computer that is purely for redundant purposes.
It's always a good idea to have spares readily available in case of emergency. This includes both hardware and software spares. The following is a basic inventory that lists the hardware and software components that should be stored as emergency spares:
Motherboards, CPUs, memory modules, video cards and screens, and power supplies
Hard drives, floppy drives, tape drives, CD ROM readers, etc.
Network interface cards and modems
Network cables, hubs, switches, bridges, routers, and other networking hardware
Original copies of currently installed software and service packs
Original copies of currently installed operating systems and service packs
Any additional hardware cards like serial cards and printer port cards
Any peripheral components like printers, scanners, and multimedia devices
Once you decide which hardware and software components to have spares of, general maintenance and record keeping will help you discover impending errors. Many organizations keep a configuration management database or record book for each critical system. Configuration databases help to track when patches and changes are made to a system, or hardware or software changes. Included in the database should be general system information such as:
Software configuration including operating system versions, service packs applied, software packages installed, and disk configurations such as partition information
Network configuration such as network cards, protocols, and any physical and logical addresses
Errors and failures should also be logged in the database. This creates a history and often certain patterns and events appear.
Maintenance schedules should be set up to check general systems. Audit logs and general system and application logs should be checked on a regular basis. If possible, run defragmentation utilities on disks and partitions where general data is stored. Run integrity checking utilities on databases like Microsoft SQL Server and Exchange Server. Run registry-monitoring utilities like Regmon to track registry changes and file monitoring utilities like Filemon. You can find Regmon and Filemon utilities at see http://www.sysinternals.com/.
Develop an Incident Response Team
Develop an incident response team to help control and recover systems in the event of a disaster. The incident response team should document:
Notification plan of who to contact for which kinds of problems or emergencies, and how to notify them
Contact information for administrators that need to be notified
Contact information on certain vendors and consultants support
Management personnel that need to be notified
Any other critical users
To minimize the loss of data and allow for the continuity of operations, you can use technologies such as Redundant Array of Inline Disks (RAID) and Microsoft Cluster Technology. In this section we are going to concentrate on RAID technologies. RAID is a fault tolerant disk configuration in which part of the physical storage capacity contains redundant information about data stored on the disks. Redundant information that is stored on the disks helps to keep the system running in the event of a single disk failure.
RAID technology is either implemented through software or hardware systems. Hardware implementations of RAID are more expensive than software, but faster. Some hardware implementations of RAID support hot swapping of disks, which enables administrators to swap failed hard disks while the computer is running. Software fault tolerant RAID systems are cheaper and are only available on Microsoft Windows NT and Microsoft Windows 2000. Both hardware and software fault tolerant RAID systems regenerate data when a drive fails and reconstructs the data onto the new disk when the failed disk is replaced.
There are various types of RAID techniques used. For simplicity's sake we are only going to discuss the two most common techniques: Disk mirroring and disk striping with parity.
In disk mirroring only two disks are used. Information on one disk is duplicated onto the other disk. When data is written to one disk, it is duplicated on the other disk. This could cause a slight loss in write performance. A variation of mirroring is disk duplexing, where each disk has its own controller. This helps to increase write operations and provide redundancy incase a controller fails. Read operations on disk duplexing and mirroring.
Advantages of using mirror sets are:
Read operations are fast.
Recovery from failure is rapid.
In software implantations of mirror sets, the system and boot partitions can be mirrored.
Disadvantages of mirror sets are:
There is a slight loss in performance during write operations.
Only fifty percent of the total storage space can be used to store data. For example, two 1GB hard drives. One drive is used as a backup; the other stores the data.
If you use software mirror sets, you will be required to create a fault tolerant boot disk.
Disk Striping with Parity
Strips of equal size on each disk in the volume make up a stripe set. A stripe set with parity adds parity to a stripe set configuration.
Data is written across two or more hard drives, while another hard drive holds the parity information. The data and parity information is written in such a way on the volume so that they are always on different disks.
This way, if one of the hard drives fails, the two remaining drives can recalculate the lost information using the parity information from other disks. When the faulty hard drive is replaced, information can be regenerated back onto a newly installed working hard drive by using the parity information. The minimum number of hard drives involved in disk striping with parity is 3, and the maximum number is 32 hard drives.
A stripe set with parity works well when large databases are implemented on a system and read operations are performed more often than write operations. This is because a stripe set with parity has excellent read operations. Stripe sets with parity should be avoided in situations where applications require high-speed data collection from a process or database applications, where records are continually being updated. In write operations, performance degrades as the percentage of write operations increases.
Advantages of using stripe set with parity are:
Read operations are faster than using a single disk drive. The more drives you put into the system the faster the read operations.
Stripe set with parity uses only one disk for parity information. The more disks you insert the more space there is for data.
There is not a lot of administrative effort in replacing a faulty disk.
In software implementations of stripe sets with parity, neither the boot nor the system partition can be on the strip set.
Write operations are slower because of the parity information that needs to be generated.
When a hard disk fails in the stripe set the performance of the system degrades. This is due to the information having to be recalculated when requests for information occurs.
Stripe sets with parity consume more memory than mirror sets because of the parity information that needs to be generated.
Cluster Server Technology
Certain organizations would like to keep computer systems operational continuously, 24 hours a day, 7 days a week, 365 days a year. One way to do this is by implementing cluster server technology. A cluster is an interconnected group of servers that act as a single unit in sharing some resource or responsibility. Cluster server technology allows users to view a group of clustered computers as one entity. Both cables and cluster server software connect the computers in into a cluster. Microsoft Windows 2000 advanced server has cluster software readily available that will allow you to manage clustering. Microsoft cluster service and network load balancing offer availability and scalability to organizations that build applications using a multi-tier model.
Cluster server technology allows features such as:
Fault tolerance. In the event of a computer or node failure in a cluster, the other computers keep running. Fault-tolerant systems employ redundant hardware and operating systems that work together at every level in exact synchronization across two server units. Think of a fault-tolerant system as a failover cluster with very high responsiveness (often on the order of milliseconds).
High availability. This focuses on maximizing uptime by implementing automated response to failure and failover systems. To enhance availability, you add on more servers and backup systems to the cluster in order to take over responsibility in the event of a failure. The servers need to keep monitoring each other's activities, and must maintain consistency every few milliseconds. This is usually implemented by a high-speed interconnect directly between the servers.
Resource sharing. Resource sharing involves making server components, such as disk storage and printers, available across all the nodes in the cluster. This is especially important for database servers, which need to share large volumes between machines while maintaining consistency of data.
Load sharing. Load sharing involves balancing application processing across the various nodes in the cluster. This can be implemented by distributing new logins to different servers, based on their load at the moment. It could also involve directly moving a running application from one server to another
High throughput. High throughput focuses on the ability to process network requests or packets quickly. This becomes most important in applications like Web or FTP servers, whose primary job is to push out data. This kind of clustering focuses on improving the network interfaces and the routing of network requests to servers. It can be built into the cluster nodes themselves, or may be a property of an external balancing device.
Using a two-node cluster, Microsoft cluster service empowers reliable application, transactional, and file and print services. To create reliable database and messaging services combine Microsoft cluster service with Microsoft SQL server and Exchange Server.
In multitier applications designed for the Internet, Network Load Balancing can extend the functionality of IIS 5.0 by supplying load balancing and high availability to the first tier—the user interface. Up to 32 servers can be used in a Web cluster.
Organizations can combine both cluster service and network load balancing to provide comprehensive enterprise e-commerce solutions. An example on an e-commerce Web site is to cluster your front-end Web servers running IIS 5.0 with network load balancing, and have them accessing a back-end cluster running SQL Server Enterprise Edition.
It is possible to set up a standby server in case the production server fails. The standby server should mirror the production server. You can use the standby server to replace the production server in the event of a failure or as a read-only server.
Create the standby server by loading the same operating system and applications as on the production server. Make backups of the data on the production server and restore these backups on the standby server. This also helps to verify backups that are performed. The standby server will have a different IP address and name if it is connected to the network. You will have to change the IP address and name of the standby server if the production server fails and the standby server needs to become the production server.
To maintain the standby server, regular backups and restorations need to be performed. For example, let's say you make a full backup on Mondays and incremental backups every other day of the week. You would restore the full backup on the standby server and subsequent incremental backups thereafter on the days that the backups are performed.
Reactive Security Planning
In reactive planning the goal is to get the business back to normal operations as fast as possible in the event of a disaster. By having efficient and well thought out contingency plans, this goal can be achieved.
A contingency plan is an alternative plan that should be developed in case an attack causes damage to data or any other assets, stopping normal business operations and productivity, and requiring time to restore them. The ultimate goal of the contingency plan is to maintain the availability, integrity, and confidentiality of data. It is the proverbial "Plan B." There should be a plan per type of attack and/or per type of threat. A contingency plan is a set of steps that should be taken in case an attack breaks through the security policies and controls. The plan should address who must do what, when, and where to keep the organization functional.
Moving productivity to another location or site
Implementing disaster recovery plans.
Contacting vendors and consultants
Rehearsed the plan periodically to keep staff up to date with current contingency steps.
The following points outline the various tasks to develop a contingency plan:
Address the organization's current emergency plan and procedures and how they are integrated into the contingency plan.
The current emergency response procedures should be evaluated and their effect on continuous operation of business.
Planned responses to attacks and whether they are adequate to limit damage and minimize the impact on data processing operations should be developed and integrated into the contingency plan.
Backup procedures, including the most recent documentation and disaster recovery tests.
Disaster recovery plans should be added to provide a temporary or longer operating environment. Disaster recovery plans should cover the required levels of security to see if they continue to enforce security throughout the process of recovery, temporary operations, and when the organization moves back to its original processing site or to the new processing site.
Draw up a detailed document outlining the various findings in the above tasks. The document should list:
Any scenarios to test the contingency plan.
The impact that any dependencies, assistance outside the organization, and difficulties in obtaining essential resources will have on the plan.
A list of priorities observed in the recovery operations and the rationale in establishing those priorities.
A contingency plan should be tested and revised by someone other than the person who created and wrote it. This should be done to test whether the contingency plan is clearly outlined so that anybody who reads it can implement the plan.
Microsoft Windows 2000 Resource Kit
Microsoft Windows NT 4.0 Server Resource Kit
Microsoft Windows NT 4.0 Workstation Resource Kit
Practical Unix and Internet Security by Simon Garfinkel and Gene Spafford
Computer Security by Dieter Gollmann
An Intro to Computer Security by Del Armstrong - John Simonson
Internet Hoaxes: http://ciac.llnl.gov
Automated Security By Donn Parker: http://www.infosecurity.com/
Distributed Denial Of Service Attacks: http://www.icsa.net/
Trojan Horses http://www.cert.org
Electronic Sabotage by Carol E. Brown and Alan Sangster http://www.bus.orst.edu/
Special Report: DDOS wreaks havoc on the Internet: http://www.infosecurity.com/
Have Script will Destroy (Lessons In DoS) by Brian Martin: http://www.attrition.org/
Back-End System issues for online financial sites: http://www.incurrent.com/
Internet Security Policy: A Technical Guide by Barbara Guttman and Robert Bagwill: National Institute of Standards and Technology Computer Security Division http://csrc.nist.gov/
Threat Assessment of Malicious Code and Human Threats by Lawrence E. Bassham & W. Timothy Polk: National Institute of Standards and Technology Computer security Division http://csrc.nist.gov/
Pretty Good Privacy: http://www.pgp.com
A false sense of security by Julie Bort: Lantimes http://www.lantimes.com
Is the hacker threat real? By Christopher Null: Lantimes http://www.lantimes.com
The Latest in Denial of Service Attacks: "Smurfing" http://www.pentics.net/denial-of-service/white-papers/smurf.cgi
Things that Go Bump in the Net by David Chess http://www.research.ibm.com
Trusted Computer Security Evaluation Criteria (Orange Book): National Computer Security Center
The Trusted Network Interpretation ('Red Book'): National Computer Security Center
Macintosh is a registered trademark of Apple Computer, Inc.