Security is the set of preventative and reactive measures taken to minimize harm, whether intentional or not. Depending on your need for security, there are different measures that can be taken.
The basic implementations of security are as follows:
Physical security means controlling the physical and electrical means by which access is gained to a system.
Physical security includes the following:
- Locking doors to sensitive systems.
- Strict policies on who has access to sensitive areas.
- Not allowing sensitive computers to be connected to outside systems.
Fault tolerance is the ability to recover from hardware failure or mistakes with little or no interruption.
- Eliminate single points of failure. That is, if something fails, a replacement should take over automatically.
- The need for fault tolerance of a point is determined by the number of users that would be hampered if that point failed.
- Points include the following:
  - Electrical disaster prevention equipment (surge protectors, UPSs, etc.)
  - Data protection and recovery (backup data, RAID, roll back transactions, etc.)
  - Software and hardware components that are redundant, parallel, and replaceable, including the following:
    - Operating system software, application software, storage (disks), power supply (usually a transformer in a machine), network connectors, network card, processor chip, RAM, etc.
Secure transmission ensures that communications are only between the appropriate parties.
Secure transmission includes the following:
- Data encryption. Public keys (like PGP), symmetric keys (like DES), SSL, etc.
- Data compression. WinZip for PCs, StuffIt for Macs, gzip for UNIX, etc.
- Digital certificates. Clients and servers can acquire certificates of identification by registering with a certificate authority (like www.VeriSign.com). This is usually used for data encryption when accessing pages via https://, ie via SSL. See also my article on Encryption.
Audits involve logging activity for the purposes of determining what occurred.
Audits include the following:
- Network operating system logs.
- Operating system logs. Like Event Viewer for Windows NT.
- Database logs.
- Specialty server logs, eg MS IIS, MS VSS.
- Logs kept by applications and business objects.
Control which accounts are created and what those accounts have access to.
Access to network resources is ultimately controlled on a per user basis. However there are two ways to do this:
- Share-Level Security. In this case each resource must be designated as shared and will ask for a password from each user that tries to use it.
- User-Level Security. In this case each resource must be designated as shared and must assign which users and groups have what permissions to the resource. Access can be granted to individual user accounts but it is usually easier to control access of groups and just change group membership as needed.

A user account is usually a member of multiple groups. When a user is trying to access a resource and is a member of multiple groups that have different levels of access to that resource, then the permissions of the least restrictive group take precedence unless the user is a member of a group that is specifically given "No Access" to that resource.
Here are some terms used in entity authentication:
- Entities include computers, individual users, and groups of users.
- Authenticating is ensuring that an entity is who he, she, or it claims to be. Usually an entity passes along a name and password.
- Resources include other entities, domains, directories, files, portions of applications, and specialty resources (eg web sites on a web server).
- Permissions (aka rights) are what an entity can do with resources.
- Permissions can vary with different software but these are the four most common permissions:
  - Read, aka R.
  - Write, aka W.
  - Delete, aka D.
  - Execute. One of the following:
    - Scripts, aka S.
    - Executables & scripts, aka X.
    - Neither.
  - Control permissions, aka P.
  - Take ownership, aka O.
- It is common to use 3 or 5 character shorthand for permissions. EG:
  - R-X permissions to read and execute but not write.
  - R-- permissions to read but not write or execute.
  - RWS-- permissions to read, write, and run scripts but not to run executables or to set permissions.
  - RWSXP permissions to read, write, run scripts, run executables, and to change permission of the resource. This entity is said to have "Full Control".
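The group-precedence rule and the permission shorthand described above can be combined into one access check. The following is an added example, not code from the original page; the group names, the sample ACL and the `NO_ACCESS` marker are assumptions made for illustration.

```python
# Added example: shorthand parsing and effective-permission resolution.
# Group names and the ACL below are constructed for illustration.
NO_ACCESS = "NO_ACCESS"            # explicit deny marker (hypothetical constant)
LAYOUTS = {3: "RWX", 5: "RWSXP"}   # letter expected at each position

def parse_shorthand(text):
    """Turn 'R-X' or 'RWS--' into a set of permission letters."""
    layout = LAYOUTS.get(len(text))
    if layout is None:
        raise ValueError(f"expected 3 or 5 characters, got {text!r}")
    granted = set()
    for got, expected in zip(text.upper(), layout):
        if got == expected:
            granted.add(expected)
        elif got != "-":
            raise ValueError(f"{got!r} is not valid at the {expected} position")
    return frozenset(granted)

def effective_permissions(user_groups, acl):
    """Least restrictive wins: union all group grants, unless any group has No Access."""
    granted = set()
    for group in user_groups:
        entry = acl.get(group)
        if entry is None:           # group has no entry on this resource
            continue
        if entry == NO_ACCESS:      # explicit deny overrides every grant
            return frozenset()
        granted |= parse_shorthand(entry)
    return frozenset(granted)

def to_shorthand(perms, width=5):
    """Render a permission set back into 3 or 5 character shorthand."""
    return "".join(c if c in perms else "-" for c in LAYOUTS[width])

# Constructed ACL for one shared folder
ACL = {"Staff": "R----", "Editors": "RWS--", "Admins": "RWSXP",
       "Contractors": NO_ACCESS}

if __name__ == "__main__":
    for groups in (["Staff"], ["Staff", "Editors"], ["Admins", "Contractors"]):
        print(groups, "->", to_shorthand(effective_permissions(groups, ACL)))
```

A user in both Admins and Contractors ends up with no permissions at all, which is the case most often missed when group membership is changed without reviewing deny entries.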
Access authentication includes the following:
- Network security. Portal devices can protect networks by identifying entities and controlling who has access to portions of the network. This includes repeaters, hubs, bridges, routers, brouters, gateways, dial back modems, firewalls, and proxy servers.
- Network operating system security. This includes identifying domains, users, groups, and computers, and using domain controllers. This is where user-level security is typically applied.
- Operating system security. This is where share-level security is typically applied.
- Database security, eg SQL Server Security.
- Specialty server security, eg MS IIS, MS VSS.
- Application security. Custom security can be placed in apps and web apps. Usually these authenticate a user's input against a database.
- Network. LAN/WAN (Local Area Network and Wide Area Network) access is usually done via the network operating system's control over access authentication.
- Intranet. An intranet is a portion of a LAN/WAN that is connected via TCP/IP and is protected from the Internet.
- Extranet. Two intranets connected together. This may also cover an intranet accessed via VPN (Virtual Private Network) through PPTP (Point-to-Point Tunneling Protocol).
- Internet. LANs/WANs, intranets, and extranets must be protected from the Internet and yet, if possible, have access to the Internet.
A firewall is usually hardware (eg a screening router), software (eg a proxy server), or both. Most firewall systems use one or more of the following methods:
- Packet filtering: A hardware method that utilizes a SR (screening router) to check incoming and outgoing packets and then either allows or rejects the packet based on security parameters such as whether the IP address is preauthorized, or based upon the TCP and UDP port numbers, thus enabling certain types of connections such as telnet or FTP. This method is effective, but is difficult to configure and may still be bypassed by IP spoofing. Packet filtering operates at the Network layer of the OSI Reference Model.
- Proxy server: A software version of a router. It also intercepts messages to and from the network. It hides the true network address (thus making it spoof proof) and can perform functions beyond just security. A proxy server may be an application-specific proxy. EG: A server may proxy HTTP for Web pages, FTP, RealAudio/Video, SMTP/POP for e-mail, NNTP for newsgroups, nearly any MIME type etc. Proxy servers work at the Application layer of the OSI Reference Model.
- Application gateway: A software method that only allows applications like FTP or telnet servers to connect. This method is effective but has connection limitations.
- Circuit level gateway: A hardware method that only allows certain circuits to connect.
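The packet-filtering decision described above, and why source-address rules alone are exposed to spoofing, can be shown with a small rule evaluator. This is an added example, not code from the original page; the networks, interface names and rules are constructed, and the interface check it adds is standard ingress filtering, which goes one step beyond what the text describes.

```python
# Added example: stateless packet filter plus an anti-spoofing interface check.
# All networks, interface names and rules are constructed for illustration.
from collections import namedtuple
from ipaddress import ip_address, ip_network

Packet = namedtuple("Packet", "iface src proto dport")
Rule = namedtuple("Rule", "src proto dport")

INTERNAL_NET = ip_network("10.0.0.0/8")              # assumed LAN range
ALLOW_RULES = [
    Rule(ip_network("198.51.100.0/24"), "tcp", 23),  # telnet from a preauthorized partner
    Rule(INTERNAL_NET, "tcp", 21),                   # FTP from LAN addresses only
    Rule(ip_network("0.0.0.0/0"), "tcp", 80),        # HTTP from anywhere
]

def address_port_filter(pkt):
    """Allow only if source address, protocol and port match a rule; default reject."""
    src = ip_address(pkt.src)
    for rule in ALLOW_RULES:
        if src in rule.src and pkt.proto == rule.proto and pkt.dport == rule.dport:
            return "allow"
    return "reject"

def ingress_checked_filter(pkt):
    """Reject sources that cannot be genuine for the arrival interface, then apply the rules."""
    src_is_internal = ip_address(pkt.src) in INTERNAL_NET
    if pkt.iface == "external" and src_is_internal:
        return "reject"   # LAN address arriving on the Internet-facing side
    if pkt.iface == "internal" and not src_is_internal:
        return "reject"   # foreign address originating inside the LAN
    return address_port_filter(pkt)

# Constructed sample traffic
SAMPLES = [
    Packet("internal", "10.1.2.3", "tcp", 21),       # genuine LAN FTP
    Packet("external", "10.1.2.3", "tcp", 21),       # forged LAN source from outside
    Packet("external", "198.51.100.7", "tcp", 23),   # partner telnet
    Packet("external", "203.0.113.9", "tcp", 23),    # unlisted source
]

if __name__ == "__main__":
    for p in SAMPLES:
        print(p, address_port_filter(p), ingress_checked_filter(p))
```

The interface check only catches forged LAN addresses; a rule keyed to an external source address still trusts whatever address the packet claims, so such rules should not be the sole control on a sensitive service.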
Here is a belt & suspenders firewall, a typical enterprise level setup for network access security:

The SRs are screening routers, ie packet filters. The BHs (Bastion Hosts) are servers such as IIS, RAS, and Exchange. The DMZ (De-Militarized Zone) demarcates machines that have more exposure to the Internet than the LAN does.
Here are links that lead to off-site pages about security.
Antivirus (AV)
- [icsalabs.com]. "For over a decade, ICSA Labs, an independent division of Verizon Business, has been the security industry's central authority for research, intelligence, and certification testing of products. ICSA Labs sets standards for information security products and certifies over 95% of the installed base of anti-virus, firewall, IPSec VPN, cryptography, SSL VPN, network IPS, anti-spyware and PC firewall products commonly deployed in the world today."
- Virus Bulletin [virusbtn.com]. Compares AV software. "Virus Bulletin started in 1989 as a magazine dedicated to providing PC users with a regular source of intelligence about computer viruses, their prevention, detection and removal, and how to recover programs and data following an attack. Virus Bulletin quickly became the leading specialist publication in the field of viruses and related malware."
- Virus Information [http://csrc.nist.gov/archive/virus/]
- Antivirus software [W]
- Antivirus software
Wikipedia
Wikipedia has many articles related to security. Here are just a few.
Miscellany
Page Modified: (Hand noted: 2007-08-31 10:33:15Z) (Auto noted: 2008-05-04 16:15:46Z)