Ramesh Kumar Thiagarajan asked:




Network Security – The road ahead

Introduction What is Network Security? “Network Security” -Monitoring “Network Security” -Forensics “Network Security” -Compliance HIPAA SOX GLBA
Conclusion

Introduction

Network Security is the next wave which is bound to sweep the software
market. Increase in offshore projects and transfer of information
across the wire has added fuel to the burning urge to secure the
network. As the famous adage goes, the most safest computer is
one which has been unplugged from the network(making it almost
useless). Network security
is becoming more of a necessity. Interestingly the type of security
required across different enterprises depends on the nature of its
business. Offlate some laws & acts have been defined to
identify security breaches, which is a very good move to prevent
fradulent use/access of information. There are two types of softwares
for Network security, one which prevents it and one which does the
forensic analysis. The main focus of this article would be
the forensics of network security.

What is Network Security?

network security: the
protection of a computer network and its services from unauthorized
modification, destruction, or
disclosure

Network security is a self-contradicting philosophy where you need to
give absolute access and at the same time provide absolute security.
Any enterprise needs to secure itself from two different access of
information/transaction for that matter(ex:ftp,http etc.), internal
access and external access. Securing the access of information or
resources from the external world(WWW) is quite a task to master, that
is where the firewalls pitch in. The firewalls act as gatekeepers who
seggregate the intrusive and non-intrusive requests and allow access.
Configuring & maintaining a firewall is by itself a task which
needs experience and knowledge. There are no hard and fast rules
to instruct the firewalls, it depends on where the firewall is
installed and how the enterprise intends to provide access to
information/resources. So, the effectivity of any firewall depends on
how well or how bad you configure it. Please be informed many firewalls
come with pre-configured rules, which intend to make the job of
securing the information access from external sources. In short
firewall gives you information about attacks happenning from the
external world.

The toughest job is to secure information from the internal sources.
More than securing it, managers need to track the information flow, to
identify possible casuatives. The tracking of information flow will
come in handy in case of legal situations. Because what seemingly to be
a sharing of information could be held against you in the court of
law. To enforce this, acts such as HIPAA, GLBA, SOX have been
putforth, to ensure that the scam(s) like that of “Enron” does
not happen. In short the tracking of information and audit gives you
information abouot security breaches and possible internal attacks.

There are a variety of network security attacks/ breaches:

Denial of Service Virus attacks Unauthorized Access Confidentiality breaches Destruction of information Data manipulation

Interestingly , all these information are available across the
enterprise in the form of log files. But to read it through
and making sense out of it, will take a life time. That is where the
“Network Security” monitoring also known as “Log Monitoring” softwares
pitch in. They do a beautiful
job of making sense out of the information spread across various
locations and offer the system administrators a holistic view of what
is happening in their network, in terms of Network Security. In short they
collect,collate,analyze & produce reports which help the
system administrator to keep tabs on Network Security.

“Network Security” -Monitoring

No matter how fine your defense systems are, you need to have someone
to make sense out of the huge amount of data churned out of a edge
device like firewall and the system logs. The typical enterprise logs
about 2-3GB/day depending upon the enterprise the size might vary. The
main goal of the forensic software is to mine through the vast amount
of information and pull out events that need attention. The
“Network security” softwares play a major role in identifying the
causatives and security breaches that are happenning in the
enterprise.

Some of the major areas that needed to be addressed by any network
security product is to provide a collective virus attacks across
different edge devices in the network. What this offers for an
enterprise is a holistic view, of the attacks happening across the
enterprise. It offers a detailed overview of the bandwidth
usage, it should also provide user based access reports. The
product has to highlight sescurity breaches and misuse of internet
access, this will enable the administrator to take the necessary
steps. The edge devices monitoring product has to provide other
stuffs like Traffic trends,insight into capacity planning and Live
traffic monitoring, which will help the administrator to find causes
for network congestion.

The internal monitoring product has to offer the audit information of
users, system security breaches and activity audit trails (ex: remote
access) As most of the administrators are ignorant of the requirements
for the
compliance acts, it is better to cross reference which acts apply to
their enterprise and ensure that the product supports reporting for the
compliance acts(please refer here
for details on compliance)

In altoghether they will have to support archiving, scheduling of
reports and a comprehensive list of reports. please follow the next
section for more details.

“Network Security” -Forensics

The most important features you need to
lookout,when you short list a network security forensic product is the
ability
to archive the raw records. This is a major factor when it comes to
acts and laws. So in the court of law, the original record has to be
produced as proof and not the custom format of the vendor. The
next one to lookout for is the ability to create alerts, i.e the
ability to notify whenever some criteria happens ex: when 3
unsuccessfull login attempts mail me kind of stuff, or better still if
there is a virus attack for from the same host more than once, notify
me etc. This will reduce the lot of manual intervention needed in
keeping the network secure. Moreover the ability to schedule
reports is a big plus. You don’t have to check the reports daily. Once
you have done your ground work as to configure some basic alerts and
some scheduled reports. It should be a cakewalk from then on. All
you need to do is check out the information(alerts/reports) you get in
your inbox. It is recommended that you configure reports on a weekly
basis. So that it is never too late to react to a potential threat.
And finally a comprehensive list of reports is a vital feature to
lookout for. Here is a list of reports that might come in handy
for any enterprise:

Reports to expect from edge devices such as a firewall:

Live monitoring Security reports Virus reports Attack reports Traffic reports Protocol usage reports Web usage reports Mail usage reports FTP usage reports Telnet usage reports VPN reports Inbound/Outbound traffic reports Intranet reports Internet reports Trend reports

Reports to expect from compliance and internal monitoring:
( see compliance sub-heading for reports on compliance)

User Audit reports (successfull/unsuccessful login attempts) Audit policy changes (ex: change in privileges etc) Password changes Account Lockout User account changes IIS reports DHCP reports MSI reports( lists the products installed/uninstalled) Group policy changes RPC reports DNS reports Active directory reports
The gating factor for choosing a monitoring product is to cross verify
whether the devices you have in your network are supported by the
vendor you choose. There are quite a number of products which
address this market, you might want to search for “firewall analyzer”
and “eventlog analyzer” in google.

“Network Security” -Compliance

Most of the industries such as health care and financial
institutions are mandated to be compliant with HIPAA and SOX acts.
These acts enforce stringent rules in all aspects of the enterprise
including the physical access of information. (This section
concetrates on the software requirement of the acts) There are quite a
number of agencies that offer the compliance as a service for an
enterprise. But it all depends on whether you want to handle compliance
yourself or employ a third party vendor to ensure compliance to the
acts.

HIPAA Compliance:

HIPAA defines the Security Standards for monitoring and auditing system
activity. HIPAA regulations mandate analysis of all logs,
including OS
and application logs including both perimeter devices, such as IDSs, as
well as insider activity. Here are some of the important reports that
need to be in place:

User Logon report: HIPAA requirements (164.308 (a)(5) – log-in/log-out monitoring) clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, this intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot. User Logoff report: HIPAA requirements clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, this intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot. Logon Failure report: The security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report. Audit Logs access report: HIPAA requirements (164.308 (a)(3) – review and audit access logs) calls for procedures to regularly review records of information system activity such as audit logs. Security Log Archiving Utility:Periodically, the system administrator will be able to back up encrypted copies of the log data and restart the logs.
SOX Compliance:

Sarbanes-Oxlet defines the collection,retention and review of audit
trail log data from all sources under section 404’s IT process
controls. These logs form the basis of the internal controls that
provide corporations with the assurance that financial and business
information is factual and accurate. Here are some of the important
reports to look for:

User Logon report:SOX requirements (Sec 302 (a)(4)(C) and (D) – log-in/log-out monitoring) clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, this intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot. User Logoff report:SOX requirements (Sec 302 (a)(4)(C) and (D) clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, this intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot. Logon Failure reportThe security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report. Audit Logs access report:SOX requirements (Sec 302 (a)(4)(C) and (D) – review and audit access logs) calls for procedures to regularly review records of information system activity such as audit logs. Security Log Archiving Utility:Periodically, the system administrator will be able to back up encrypted copies of the log data and restart the logs. Track Account management changes:Significant changes in the internal controls sec 302 (a)(6). Changes in the security configuration settings such as adding or removing a user account to a admistrative group. These changes can be tracked by analyzing event logs. Track Audit policy changes:Internal controls sec 302 (a)(5) by tracking the event logs for any changes in the security audit policy. Track individual user actions:Internal controls sec 302 (a)(5) by auditing user activity. Track application access:Internal controls sec 302 (a)(5) by tracking application process. Track directory / file access:Internal controls sec 302 (a)(5) for any access violation.
GLBA Compliance:

The Financial Services Modernization Act (FMA99) was signed into law in
January 1999 (PL 106-102). Commonly referred to as the
Gramm-Leach-Bliley Act or GLBA, Title V of the Act governs the steps
that financial institutions and financial service companies must
undertake to ensure the security and confidentiality of customer
information. The Act asserts that financial services companies
routinely collect Non-Public Personal Information (NPI) from
individuals, and must notify those individuals when sharing information
outside of the company (or affiliate structure) and, in some cases,
when using such information in situations not related to the
furtherance of a specific financial transaction.

User Logon report:GLBA Compliance requirements clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, this intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot. User Logoff report:GLBA requirements clearly state that user accesses to the system be recorded and monitored for possible abuse. Remember, this intent is not just to catch hackers but also to document the accesses to medical details by legitimate users. In most cases, the very fact that the access is recorded is deterrent enough for malicious activity, much like the presence of a surveillance camera in a parking lot. Logon Failure report:The security logon feature includes logging all unsuccessful login attempts. The user name, date and time are included in this report. Audit Logs access report:GLAB requirements (review and audit access logs) calls for procedures to regularly review records of information system activity such as audit logs. Security Log Archiving Utility:Periodically, the system administrator will be able to back up encrypted copies of the log data and restart the logs.
Conclusion

“Network Security” has to be done both internally as well as
externally, the job of nailing the problem is a huge task
which needs expertise and mostly help from softwares such as EventLog Analyzers(compliance and internal monitoring of internal machines) and Firewall Analyzer(virus,attacks
and traffic monitoring of edge devices).

Bibliography

http://www.interhack.net/pubs/network-security/

http://www.hipaa.org/

http://www.sarbanes-oxley.com/

http://www.senate.gov/~banking/conf/

mina m asked:


please give me some useful information about the effect of servers in security of computer networks.
what kind of program the server send to provide this security and code our security information ?

bradfordnetworks asked:

Your campus network is strategic to your institutions success. Do you have a strategy for securing it? You need to protect the systems and information on your network, while still making them accessible to authorized users. Theres a lot to consider. So where do you start?

gelic asked:


I enabled the security password on my wireless network, but it did not ask me to create on, it created it on its own (10-character key). I want my neighbor to be able to connect to my network, but the problem is that I don’t know what is the key… Any tips are helpful, thank you!

Aioeri O asked:


Ive had quite a bit of training from my previously job on how to break into places. I could easily become a thief, but i morally cant justify stealing, so i was wondering if there is any type of job out there that pays someone to tell business’ that already have security systems (such as museums) how a thief could still get in. I know that there is a job called a security analyst for computer wizes. They get paid to hack into business online and tell the company how they did it and how to fix their security. I was just wondering if there is a job like this only for physical security, not network security.

Arin asked:


Hi.I wanted to know about the persons who are called security expert or working to protect the network or data from the hackers.What are the courses available to know all these about network security?What are the qualifications needed to work as a security expert in a company?Thanks to all for your important suggestions?