1 deployment of computer security in an organization ce-408 sir syed university of engineering &...
TRANSCRIPT
1
Deployment ofComputer Security in an Organization
CE-408Sir Syed University of Engineering & Technology99-CE-282, 257 & 260
22299-CE-257, 260 & 282
Agenda
• Network & Security
• Why Network must be secured?
• Designing the Security Infrastructure
1.Security Policy
2.Security Architecture
3.Security Technologies
• Concluding Annotations
33399-CE-257, 260 & 282
Network & Security
• Presently, Business without networks are not survives
• And, if networks are not secure then Business can't survives
• So, when Organization designing a Network, Security Infrastructure is crucial
44499-CE-257, 260 & 282
Network Security ( cont. )
• Networks enable more and more applications are available to more and more users
• These more and more users more vulnerable to a wider range of security threats
55599-CE-257, 260 & 282
Network Security ( cont. )
To combat those threats and ensure that e-business transactions are not compromised, security technology must play a major role in today's networks
66699-CE-257, 260 & 282
Why Network must be secured?
• According to the 2001 Computer Security Institute (CSI) and FBI "Computer Crime and Security Survey," 38 percent of respondents detected DoS attacks, compared with 11 percent in 2000.
• In December of 2000, a hacker stole user passwords from the University of Washington Medical Center in Seattle and gained access to files containing confidential information regarding approximately 5000 patients.
77799-CE-257, 260 & 282
Why Network must be secured? ( cont. )
Result:
Organization's infrastructure can
lead to serious financial losses or
legal liabilities
88899-CE-257, 260 & 282
Network Must be
Secured ...
99999-CE-257, 260 & 282
But How ?
10101099-CE-257, 260 & 282
Designing the Security Infrastructure
Objective
“The objective of network security is to protect networks and their applications against attacks, ensuring information availability, confidentiality and integrity”
11111199-CE-257, 260 & 282
Designing the Security Infrastructure (cont.)
• Different Organizations have different Threats
• Security Model build on Organization
– Objective ( various factors )
– Different Risks of attacks or possible costs of repairing attack damages
12121299-CE-257, 260 & 282
Designing the Security Infrastructure (cont.)
“Therefore, companies must perform cost-benefit analyses to evaluate
- The potential returns on investment for various network security technologies
- Components versus the opportunity costs of not implementing those items”
13131399-CE-257, 260 & 282
Designing the Security Infrastructure (cont.)
Building Blocks are:
• Security Policy
• Security Architecture
• Security Technologies
14141499-CE-257, 260 & 282
1. Security Policy
A security policy is a formal statement, supported by a company's highest levels of management, regarding the rules by which employees who have access to any corporate resource abide
15151599-CE-257, 260 & 282
1. Security Policy (cont.)
• Its the primary prerequisite for implementing network security
• Its the driver for the security design process
16161699-CE-257, 260 & 282
1. Security Policy (cont.)
• Two main issues:
- The security requirements as driven by the business needs of the organization
- The implementation guidelines regarding the available technology
17171799-CE-257, 260 & 282
1. Security Policy (cont.)
• For example, an authentication policy that defines the levels of passwords and rights required for each type of user (corporate, remote, dial-in, VPN, administrators, and so forth), length of password etc.
18181899-CE-257, 260 & 282
2. Security Architecture
• The security architecture should be developed by both the network design and the IT security teams
• It is typically integrated into the existing enterprise network and is dependent on the IT services that are offered through the network infrastructure
19191999-CE-257, 260 & 282
2. Security Architecture (cont.)
Steps are:
• The access and security requirements of each IT service should be defined before the network is divided into modules with clearly identified trust levels
• Each module can be treated separately and assigned a different security model
• The goal is to have layers of security so that a "successful" intruder's access is constrained to a limited part of the network e.g. Ship Design contains a leak so that the entire ship does not sink
20202099-CE-257, 260 & 282
2. Security Architecture (cont.)
• Layered Security Design limits the damage a security breach has on the health of the entire network.
• In addition, the architecture should define common security services to be implemented across the network.
21212199-CE-257, 260 & 282
2. Security Architecture (cont.)
Typical services include:
• Password authentication, authorization, and accounting (AAA)
• Confidentiality provided by virtual private networks (VPNs)
• Access (trust model)
• Security monitoring by intrusion detection systems (IDSs)
22222299-CE-257, 260 & 282
2. Security Architecture (cont.)
After the key decisions have been made, the security architecture should be deployed in a phased format, addressing the most critical areas first
23232399-CE-257, 260 & 282
3. Security Technologies
• Selection of Security Technologies, which technology benefits organization
• Every network should include security components that address the following five aspects of network security are:
24242499-CE-257, 260 & 282
3. Security Technologies (cont.)
1. Identity
2. Perimeter Security
3. Secure Connectivity
4. Security Monitoring
5. Security Policy Management
25252599-CE-257, 260 & 282
1. Identity
• Identity is the accurate and positive identification of network users, hosts, applications, services and resources
• They ensure that authorized users gain access to the enterprise computing resources they need, while unauthorized users are denied access
• Radius, RAS, Cisco Secure Access Control Server
26262699-CE-257, 260 & 282
2. Perimeter Security
• Perimeter security solutions control access to critical network applications, data, and services
• This access control is handled by routers and switches with access control lists (ACLs) and by dedicated firewall appliances
• A firewall provides a barrier to traffic crossing a network's "perimeter" and permits only authorized traffic to pass, according to a predefined security policy
• Cisco PIX® Firewall
27272799-CE-257, 260 & 282
3. Secure Connectivity
• Companies must protect confidential information from eavesdropping during transmission
• By implementing Virtual Private Networks (VPNs) enterprises can establish private, secure communications across a public network usually the Internet and extend their corporate networks to remote offices, mobile users, telecommuters, and extranet partners
• Cisco VPN 3000 Concentrator Series and optimized routers
28282899-CE-257, 260 & 282
4. Security Monitoring
• To ensure that their networks remain secure, companies should continuously monitor for attacks and regularly test the state of their security infrastructures
• Network vulnerability scanners can proactively identify areas of weakness, and intrusion detection systems can monitor and reactively respond to security events as they occur
• Its an another layer of security
• Firewalls typically do not address the internal threat presented by insiders
• Cisco Intrusion Detection System (IDS) , Cisco Secure Scanner
29292999-CE-257, 260 & 282
5. Security Policy Management
• As networks grow in size and complexity, the requirement for centralized security policy management tools that can administer security elements is paramount
• Tools needed that can specify, manage, and audit the state of security policy
• CSPM
30303099-CE-257, 260 & 282
Now Relax …
“You did your job – to secure your network”
31313199-CE-257, 260 & 282
Concluding Annotations
• Identify organization critical areas
• Do cost-benefit analysis
• Define Security Policy
• Divide network in layers (modules)
• Design Security Model
• Implements Security Model
• Now, Monitor your Network
32323299-CE-257, 260 & 282
Questions
Comments appreciated!