Copyright 2003 Steps to Help Design a Network with Security Step 1. Identify network assets. Step 2. Analyze security risks. Step 3. Analyze security requirements and trade-offs. Step 4. Develop a security plan. Step 5. Define a security policy. Step 6. Develop procedures for applying security policies. Step 7. Develop a technical implementation strategy. Step 8. Achieve buy-in from users, managers, and technical staff. Step 9. Train users, managers, and technical staff. Step 10. Implement the technical strategy and security procedures. Step 11. Test the security and update it if any problems are found. Step 12. Maintain security by scheduling periodic independent audits, reading audit logs, responding to incidents, reading current literature and agency alerts, continuing to test and train, and updating the security plan and policy.
Copyright 2003 Network Security Design Identifying network assets and analyzing risks Analyzing security requirements and trade- offs Developing a security plan Defining a security policy Components of a security policy Developing security procedures
Copyright 2003 Components of a Security Policy An access policy An accountability policy An authentication policy Computer-technology purchasing guidelines
Copyright 2003 Security Mechanisms Authentication Authorization Accounting (auditing) Data encryption –Encryption algorithm A set of instructions to scramble and unscramble data –Encryption key A code used by an algorithm to scramble and unscramble data Packet filters Firewalls Intrusion detection Physical security
Copyright 2003 Intrusion Detection A good intrusion system has the following characteristics: –It runs continually without human supervision. The system must be reliable enough to allow it to run in the background of the system being observed. –It must be fault tolerant; that is, it must survive a system crash and not require its knowledge base to be rebuilt at restart. –It must resist subversion. The system can monitor itself to ensure that it has not been subverted. –It must impose minimal overhead on the system. A system that slows a computer to a crawl will simply not be used. –It must observe deviations from normal behavior and immediately alert someone if abnormal behavior occurs. –It must cope with changing system behavior over time as new applications are added.
Copyright 2003 Selecting Security Solutions Securing the Internet connection Securing Internet domain name system services Logical network design and the Internet connection The IP security protocol Securing dialup access Securing network services Securing user services
Copyright 2003 The IP Security Protocol The Internet Key Exchange (IKE) protocol provides authentication of IPSec peers. It also negotiates IPSec keys and security associations. IKE uses the following technologies: –DES Encrypts packet data –Diffie-Hellman Establishes a shared, secret session key –Message Digest 5 (MD5) A hash algorithm that authenticates packet data –Secure Hash Algorithm (SHA) A hash algorithm that authenticates packet data –RSA encrypted nonces Provides repudiation –RSA signatures Provides nonrepudiation