Securing the network
Oct 1, 1998 12:00 PM, JOEL KONICEK and KAREN LITTLE
A new layer of information technology (IT) is gradually being added to physical security's list of things to interface. This layer involves the integration of electronic access control, CCTV and intrusion detection systems into corporate-wide computer networks. The advice and insights of experts in network and physical security are woven into this article, the first part of which was published in the September 1998 issue.
Using Microsoft's operating systems
Most access control, badging and CCTV systems were developed for the DOS/Windows/Windows 95 operating platforms. Most are being updated to Windows NT as a practical choice because, in the near future, the likelihood is high of having an access control system interface with a Windows NT network server. The good news is that people already comfortable with MS-DOS and/or Windows will be able to relate to the new system, even if they do not at first understand the issues.
File and folder (directory) management principles
Before attempting to understand network security issues, it is important to understand what a computer file is, what it can do and how it is stored, moved, copied, deleted and modified. In addition, you must understand file directories, how they are structured and how to navigate through them. Finally, understand what drive letters represent and the meaning of phrases such as "mounting" or "mapping drives."
Most software training programs concentrate on applications, assuming that users already know the basics. Unfortunately, a user's knowledge is often limited. To get the basics quickly, try frequent, one-on-one training sessions with friends and co-workers. Consider taping the session for use in frequent review.
Understanding network security
Most corporations and network managers look to the United States Department of Defense (DOD) to set security standards. While the DOD requires that its vendors meet these standards, many non-vendor companies follow the standards because they emphasize reliability.
The DOD created computer network security requirements, called C2-level security, which are spelled out in the Department of Defense Trusted Computer System Evaluation Criteria, commonly referred to as the "Orange Book." All major systems reflect these standards. Requirements of C2-level security include:
- ability to control access to the file;
- protection of objects (such as files or file fragments formerly in memory, or deleted files) so that other processes cannot reuse them randomly;
- requirement of a unique log-on name and password for each user before being allowed access to the system;
- ability to identify, track and log user activities;
- limit on the number of authorized people able to audit events; and
- ability to protect itself from tampering, such as altering the operating system and related system files (also called services).
Using the network's security capability
To enable the features of C2-level security, know what they are. Lack of knowledge or failure to double-check procedures means needed security settings can fall through the cracks. A new network may be unsecure, with everyone having access to everything, because an unsecure system is easier to set up. An unsecured network can also be a sign that no one organized the network's access control policies and procedures prior to hooking it up. Windows NT must use the NT file system, which enables all C2-level features. Computers running Windows 95 can be tied into a secure network, but the computers will not be secure because they are confined to the file allocation table protocol (FAT), which does not offer the proper security options. Windows NT supplies a resource kit that contains a configuration tool to determine how closely a system complies with C2 requirements. All systems on the network should be at least C2-level secure. Make no assumptions.
Deploying security features
If you understand physical access control concepts, you will be a whiz at understanding computer access control. First, you need to understand file management - what must be controlled and how. Create a list of every possible file security feature available on the network and determine whether or not they are deployed. These include:
- access control procedures (a highly detailed subject);
- password use and protection procedures;
- workstation lockup procedures;
- restrictions on computer booting from a floppy disk;
- use of physical access devices, such as fingerprint readers, prior to log-on;
- backup procedures (a highly detailed subject);
- system auditing and alarm reporting procedures, such as automatic e-mail and/or pager notification to appropriate managers when things go wrong (this only works, however, when auditing is enabled); and
- activation and deactivation of floppy, CD-ROM and other removable media drives.
Look for information on access control and administrator privileges in the networking system's documentation. You do not need to remember menu picks, but you should be able to list available security features. Also, check sections on C2-level security and follow references. After you do your homework, attend an entry-level network system administration class. There you will see how computer access control is implemented and will be able to ask questions. Also check to see what already exists as formal corporate policy. Understanding the issues will increase your professional stature, your ability to communicate and your ability to set security-related policies.
How computer access control works
Computer access control is like physical access control, except there are more doors. The independent hard drives on networked computers require control as do the folders on those drives and even files within the folders. Unless planned in advance, network administration can be confusing, and worse, the system will not be secured properly. Always know how many people have complete access to the network (called administrative privilege). You want it as restricted as possible.
It is also reasonable for security management to have an audited, verified list of network users and their privileges. Equally important for security management is knowing what procedures are in place for granting network privileges, from limited to full. To avoid duplication and increase information accuracy, the trend is toward merging data whenever possible. Records describing one person may be related to physical access control cards, computer access control authorization lists, personnel records and payroll records. When someone has his or her status changed, all departments are notified instantly.
The impact of administrative privileges and passwords
Sadly, it is not uncommon to find that 80 percent of the staff in MIS departments have complete administrative privileges. The practice is not wise for network administration and will cause a problem if physical security applications are routed through the network. Better to limit administrative privileges. Under all circumstances, administrator passwords should be under physical lock and key and not stored in a computer file. Many organizations also have a secret administrative user name and password known only by the MIS director and security director. This information should be kept in a physical safe.
Keep a watchful eye on network servers
Without compromising work flow, strive to restrict the physical accessibility of your computers. Obviously, computers in a security room or guard station are in good hands. Remember: Once security systems are on a network, it is up to you to pinpoint where servers are located and then assess whether they are subject to vulnerability.
You do not want people to casually copy files, insert unwanted material (such as viruses) into the system, delete or overwrite files, bypass security passwords, or even carry off the equipment. Here are some additional considerations:
- Disable the ability to boot computers with a floppy disk. Failure to do so means people can start a secure computer without a password.
- Remove all unneeded floppy disk drives.
- Keep computer cases locked with a physical key. If possible, place those cases in a secure area, well away from their monitors and keyboards.
- Remove from the network computers that have no reason to communicate.
- Protect power switches and plugs. Keep them under lock and key if possible.
- Establish a power-on password, which enables only the user to turn the network on or off.
- Route your printing through physically secured servers.
- Pay attention to backup procedures, including where backup devices are and where the resulting backup media is stored.
- Make sure virus protection is running on all servers and workstations.
Redundant systems
Most people familiar with military security know the value of redundant systems. The same is true for LANs and WANs. If redundancy is not currently built into your plan, examine the vulnerability of your systems and determine if it is needed. Government contracts often require this level of security be in place before they consider a proposal.
Implementing policies
Policies involving such issues as data backup and media storage, access privileges and warning procedures are a matter of common sense, but it is common sense born of discussion among interested parties. Do not assume that MIS has covered all the bases just because they know a bit from a byte. Set up small committees charged with understanding aspects of the technologies involved and pinpointing needs. Topics will include subjects provided throughout this article; do not be surprised if committee members initially lack understanding. The idea is that committee work educates its members, with the resulting policy being a well-thought-out plan.
Written policies have the power to change attitudes about, and to increase compliance with, security issues throughout an organization. Many users are unaware of the extent of the risks they face until issues are brought up among peers for review.
Proper backup procedures
Everyone knows that backing up data is important. In a global network, the creation of backup policies is crucial. Here are some considerations:
- Is the backup media kept off-site?
- Do system administrators keep a set of backup media in their homes for safekeeping (a common practice)? If so, can a more secure off-site location be established?
- What happens if someone steals, then restores, a backup tape outside of your facility?
- Is backup media password-protected? Is the backup/restore process itself protected by a password?
- Who is doing the backup and from what equipment? Are your backups local or are they performed regularly over the network?
- Is the backup media stored within the facility under lock and key?
- Are your backup systems periodically checked so you know you can retrieve data when you need it?
System auditing and alerting services
Computer hacking is detected through system auditing, which monitors unusual usage, failed password attempts and other problems. Make sure that auditing is enabled and that it works in conjunction with alerting services. As these are both options, do not assume either has been automatically put into use. When enabled, auditing will record transaction information in files. These files must be periodically reviewed or they are useless. Alerting services notify you when something appears to be wrong, but you still need to review audit files to make sure nothing slips by.
Alerts can be sent via pager, network broadcast, or e-mail, with the pager usually reserved for serious problems. A redundant e-mail alerting procedure can inform key people, including the physical security manager, reducing the likelihood that problems are missed. As with physical access control, you have the ability to lock a computer account after so many failed log-ins. But you must first be aware of the problem. An excellent way to stay up-to-date is to visit Web sites that report problems as well as provide fixes.
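The audit review and alert routing described above, sketched as an added example (not part of the original article or of any product it mentions). The record layout, the AUDIT_DISABLED event, the 10-minute window and the choice to page on privileged accounts are assumptions made for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample records in a made-up "date time EVENT key=value" layout;
# a real audit file has to be mapped to this shape first.
SAMPLE_AUDIT = """\
1998-10-01 08:00:05 LOGON_FAILURE user=jsmith host=GUARD1
1998-10-01 08:00:40 LOGON_FAILURE user=jsmith host=GUARD1
1998-10-01 08:01:10 LOGON_SUCCESS user=jsmith host=GUARD1
1998-10-01 09:15:00 LOGON_FAILURE user=administrator host=BADGE2
1998-10-01 09:15:20 LOGON_FAILURE user=administrator host=BADGE2
1998-10-01 09:15:45 LOGON_FAILURE user=administrator host=BADGE2
1998-10-01 11:30:00 LOGON_FAILURE user=klee host=LOBBY3
1998-10-01 11:32:00 LOGON_FAILURE user=klee host=LOBBY3
1998-10-01 11:58:00 LOGON_FAILURE user=klee host=LOBBY3
1998-10-01 12:05:00 AUDIT_DISABLED user=mis7 host=SERVER1
""".splitlines()

ADMIN_ACCOUNTS = {"administrator"}   # assumed list of privileged accounts
THRESHOLD = 3                        # failed log-ons before the account is locked
WINDOW = timedelta(minutes=10)       # assumed counting window

def parse(line):
    date, time, event, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), event, fields

def review(lines):
    """Return (time, account, reason, channel) alerts in log order."""
    recent = defaultdict(deque)      # account -> times of recent failures
    alerts = []
    for line in lines:
        when, event, fields = parse(line)
        user = fields["user"]
        if event == "AUDIT_DISABLED":        # without auditing, nothing below fires
            alerts.append((when, user, "auditing disabled", "pager"))
        elif event == "LOGON_SUCCESS":
            recent[user].clear()             # a good log-on resets the count
        elif event == "LOGON_FAILURE":
            q = recent[user]
            q.append(when)
            while when - q[0] > WINDOW:      # drop failures outside the window
                q.popleft()
            if len(q) >= THRESHOLD:
                # pager for serious problems (here: privileged accounts), e-mail otherwise
                channel = "pager" if user in ADMIN_ACCOUNTS else "email"
                alerts.append((when, user, "lock account", channel))
                q.clear()
    return alerts
```

On the sample, jsmith's two failures are cleared by a successful log-on and klee's three failures are spread too far apart to count, so only the administrator burst and the audit change raise alerts.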
How to get IT without being buried
The Internet offers many resources, including articles and a direct link to people who can give you additional tips. The authors' Web site, for example, is designed to help you find what you need, including links recommended by a panel of experts. Contact the authors at: www.access-control-experts.com. Also, be bold and start reading information targeted at IT professionals. You may not understand everything, but just like learning a foreign language, you will be surprised at your ability to catch on once you are immersed in the subject.
© 2008 Penton Media Inc.