09-05-2012, 12:38 PM
Network Security: 30 Questions
What does your network/security architecture diagram look like?
The first thing you need to know to protect your network and systems is
what you are protecting. You must know:
• The physical topologies
• Logical topologies (Ethernet, ATM, 802.11, VoIP, etc.)
• Types of operating systems
• Perimeter protection measures (firewall and IDS placement, etc.)
• Types of devices used (routers, switches, etc.)
• Location of DMZs
• IP address ranges and subnets
• Use of NAT
In addition, you must know where the diagram is stored and that it is
regularly updated as changes are made.
What resources are located on your DMZ?
Only systems that are semi-public should be kept on the DMZ. This
includes external web servers, external mail servers, and external DNS.
A split architecture may be used where internal web, mail, and DNS are
also located on the internal network.
What resources are located on your internal network?
In addition to internal web, mail, and DNS servers, your internal network
could also include databases, application servers, and test and
development servers.
Where is your organization’s security policy posted and what is in it?
There should be an overall policy that establishes the direction of the
organization and its security mission as well as roles and
responsibilities. There can also be system-specific policies that
address individual systems. Most importantly, the policies should address the
appropriate use of computing resources. In addition, policies can
address a number of security controls from passwords and backups
to proprietary information. There should be clear procedures and
processes to follow for each policy. These policies should be included in
the employee handbook and posted on a readily accessible intranet site.
What type of remote access is allowed?
Remote access should be tightly controlled, monitored, and audited. It
should only be provided over a secure communication channel that uses
encryption and strong authentication, such as an IPSEC VPN. Desktop
modems (including applications such as PCAnywhere), unsecured
wireless access points, and other vulnerable methods of remote access
should be prohibited.
What is your wireless infrastructure?
Part of knowing your network architecture includes knowing the location
of wireless networks since they create another possible entry point for
an attacker. You must also confirm whether they are being used for
sensitive data and whether they are secured as well as possible.
How is your wireless infrastructure secured?
Wireless access must at least use WEP with 128-bit encryption.
Although this provides some security, it is not very robust, which is why
your wireless network should not be used for sensitive data. Consider
moving to the 802.11i standard with AES encryption when it is finalized.
What desktop protections are used?
Desktops should have a combination of anti-virus software, personal
firewall, and host-based intrusion detection. Each of these software
packages must be regularly updated as new signatures are deployed.
They must also be centrally managed and controlled.
Where, when, and what type of encryption is used?
VPNs should be used for remote access and other sensitive
communication. IPSEC is a great choice for this purpose. Strong
encryption protocols such as 3DES and AES should be used whenever
possible. Web access to sensitive or proprietary information should be
protected with 128-bit SSL. Remote system administration should use
SSH. Sometimes file system encryption is also used to protect stored
data.
What is your backup policy?
A good backup policy includes weekly full backups with incremental
backups performed daily. This includes all critical systems. In addition,
the backups should be stored at an offsite location. Since backups
include very valuable, easily accessible information, only trusted
individuals should be performing them and have access to them. An
organization should also encourage users to perform local backups.
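The backup policy above, expressed as a check over a backup catalog. This is an added example, not part of the original document; the catalog layout, the system names, and the function name audit_backups are assumptions made for illustration.

```python
from datetime import date, timedelta

# Constructed sample catalog: (system, backup date, kind, stored offsite?)
CATALOG = [
    ("db01", date(2012, 9, 2), "full", True),
    ("db01", date(2012, 9, 3), "incremental", True),
    ("db01", date(2012, 9, 4), "incremental", True),
    ("db01", date(2012, 9, 5), "incremental", True),
    ("mail01", date(2012, 8, 26), "full", True),
    ("mail01", date(2012, 9, 4), "incremental", True),
    ("mail01", date(2012, 9, 5), "incremental", False),
]
CRITICAL = ["db01", "mail01", "web01"]  # hypothetical list of critical systems


def audit_backups(catalog, critical, as_of):
    """Check each critical system against: weekly full, daily incremental, offsite."""
    report = {}
    for system in critical:
        runs = sorted((d, kind, offsite) for s, d, kind, offsite in catalog
                      if s == system and d <= as_of)
        issues = []
        fulls = [d for d, kind, _ in runs if kind == "full"]
        if not fulls:
            issues.append("no full backup on record")
        else:
            last_full = fulls[-1]
            age = (as_of - last_full).days
            if age > 7:
                issues.append(f"last full backup is {age} days old")
            # Every day after the last full needs a backup of some kind.
            covered = {d for d, _, _ in runs}
            gaps = [last_full + timedelta(days=n) for n in range(1, age + 1)
                    if last_full + timedelta(days=n) not in covered]
            if gaps:
                issues.append(f"{len(gaps)} day(s) without a backup since last full")
        onsite = [d for d, _, offsite in runs if not offsite]
        if onsite:
            issues.append(f"{len(onsite)} backup(s) not stored offsite")
        report[system] = issues
    return report


if __name__ == "__main__":
    for system, issues in audit_backups(CATALOG, CRITICAL, date(2012, 9, 5)).items():
        print(system, "OK" if not issues else "; ".join(issues))
```

A critical system that is missing from the catalog entirely (web01 in the sample) is reported rather than silently skipped, which is the failure a catalog-only review tends to miss.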