Fundamental Principles of Network Security

Fund amental Principles
of Network Security




By Christopher Leidigh
White Paper #101


Executive Summary
Security incidents are rising at an alarming rate every year. As the complexity of the threats
increases, so do the security measures required to protect networks. Data center
operators, network administrators, and other data center professionals need to comprehend
the basics of security in order to safely deploy and manage networks today. This paper
covers the fundamentals of secure networking systems, including firewalls, network
topology and secure protocols. Best practices are also given that introduce the reader to
some of the more critical aspects of securing a network.
?2005 American Power Conversion. All rights reserved. No part of this publication may be used, reproduced, photocopied, transmitted, or stored in any retrieval system of any nature, without the written permission of the copyright owner. www.apc.com Rev 2005-0 2Introduction
Securing the modern business network and IT infrastructure demands an end-to-end approach and a firm grasp of vulnerabilities and associated protective measures. While such knowledge cannot thwart all attempts at network incursion or system attack, it can empower network engineers to eliminate certain general problems, greatly reduce potential damages, and quickly detect breaches. With the ever-increasing number and complexity of attacks, vigilant approaches to security in both large and small enterprises are a must. Figure 1 illustrates the steep rise in security incidents occurring each year, as reported to the CERT® Coordination Center (a center of Internet security expertise). Figure 1 - Security incidents by year - CERT.ORG 100,00095,00090,00085,000 82,09480,000det 75,000ro 70,000pe 65,000R 60,000st 55,100n 55,000edi 50,000c 45,000nI f 40,000o r 35,000eb 30,000m 25,000u 21,756N 20,00015,00010,000 9,8595,000 3,7342,340 2,412 2,573 2,1340 1995 1996 1997 1998 1999 2000 2001 2002 2003Year© 1998-2003 by Carnegie Mellon University This paper presents security fundamentals as well as some best practices regarding the network, computer hosts and infrastructure network elements. Since there is no such thing as "the only way to approach security", it is left up to the reader / implementer to best judge what measures are appropriate. The people problem People are truly the weakest link in any security schema. Most people are not careful about keeping secrets such as passwords and access codes that form the basis for most secure systems. All security systems rely on a set of measures employed to control access, verify identity and protect disclosure of sensitive information. These measures usually involve one or more "secrets". Should a secret be revealed or stolen
?2005 American Power Conversion. All rights reserved. No part of this publication may be used, reproduced, photocopied, transmitted, or stored in any retrieval system of any nature, without the written permission of the copyright owner. www.apc.com Rev 2005-0 3then the systems that are protected by these secrets can be compromised. It may seem like a terribly obvious statement, but most systems are compromised in very basic ways. Leaving a Post-It note with a system password stuck to the side of a computer monitor may seem foolish, but many people in fact do such things. Another example, which is only slightly less obvious, is the tendency to leave factory default passwords in certain network devices. One such device might be a network management interface to a UPS. UPS systems, whether small in capacity or large enough to power 100 servers, are often overlooked in a security scheme. If such devices are left with default usernames and passwords, it could just be a matter of time before someone gains access knowing nothing more than the device type and its published default credentials. Imagine a server bank with rock solid security protocols on each web and mail server crashed by a simple power cycle on an unprotected UPS! Security, the big picture A secure "enterprise", big or small, should have an approach to security that is comprehensive and end-to-end if it is to be effective. Most organizations do not have such policies and practices... [download for more]