Chapter 10. Compliance Within the LAN Domain

STANDALONE COMPUTERS can be very useful, but they are far more effective when they are able to communicate with one another. Computers that can communicate and exchange information have the ability to assume specific roles that make your organization's computing environment more efficient and effective. Unfortunately, connecting computers also makes accessing your organization's information easier for both authorized and unauthorized users. That means you have to be diligent to ensure the availability, integrity, and confidentiality of your data.

In this chapter, you'll learn about techniques many organizations use to ensure information is secure within locally connected computers. The controls and techniques that can help meet compliance requirements are also explained. You'll learn how to connect computers together without risking the organization's information to loss, alteration, or disclosure.

Compliance Law Requirements and Business Drivers

Users generally use their workstations to access other resources that are connected to an organization's local area network (LAN). A LAN is a network that covers a small physical area, such as an office or building. Resources that are connected to a LAN are potentially available to users using workstations also connected to the LAN. Because LANs increase the number of potential users that can access any resource on the LAN, it becomes even more important to control access to resources and monitor LAN activity to ensure controls are doing their job. For example, the Payment Card Industry Data Security Standard (PCI DSS) requires additional controls to protect credit card information. The Health Insurance Portability and Accountability Act (HIPAA) requires controls on personal health information. As LANs become more and more useful to authorized users and attackers, it is more important than ever to ensure compliance within the LAN Domain. Figure 10-1 shows the LAN Domain in the context of the seven domains in the IT infrastructure.

Organizations rely on networked resources more than ever in today's environments. LANs make it possible to share expensive resources, such as color printers and high-performance disk subsystems. In fact, LANs enable more efficiency in critical business functions by supporting faster information transfer and resource sharing. These benefits often result in direct cost reductions and productivity increases. Organizations rely on LAN resources to maintain cost-efficient operations. Protecting the LAN-based services directly affects costs and efficiency. A solid security policy that includes compliance with all appropriate requirements should support efficient and cost-effective operation. Implementing the controls necessary to support your security policy in the LAN Domain makes your organization more secure and more effective.

Figure 10-1. The LAN Domain within the seven domains of a typical IT infrastructure.

Protecting Data Privacy

At this point in the book, you are starting to see how the various domains work together in the IT infrastructure. You learned about the first two domains in Chapters 8 and 9. You learned about the controls that are appropriate when a user in the User Domain logs on to a workstation in the Workstation Domain. Now, you'll continue the model and learn about the user accessing shared resources connected to a LAN. Even though you're accessing multiple domains, you still must consider the security requirements and control needs for each domain independently of other domains. Users still have the responsibility to act in a manner that is acceptable under your organization's security policy, and Workstation Domain controls must still protect local resources. Controls from different domains are distinct but work together to provide a solid defense-in-depth approach to securing your environment.

Now you must consider another domain. Ensuring the privacy of your organization's data means designing a layer of controls that protect LAN resources from destruction, alteration, or disclosure by unauthorized users. That means you must define an authorized user in the context of the LAN Domain. A user who is authorized to access local resources might not be authorized to access LAN resources on another computer. Compliance with current legislation, regulations, and other requirements means placing appropriate controls in the LAN Domain to ensure all components are secure.

Implementing Proper Security Controls for the LAN Domain

LAN Domain controls often focus on limiting access to remote resources. A local resource is any resource attached to a local computer—the same computer to which the user has logged on. A remote resource is any resource accessible across the LAN. Of course, the user's computer and the remote resource have to be connected to a network to provide access to the remote resource.

The security controls you'll find in the LAN Domain are similar to controls you'll find in other domains. The main types of security controls in the LAN Domain include:

  • Access controls for protected resources, such as printers and shared folders

  • Communication controls to limit the spread of malicious software

  • Anti-malware software on all computers in the LAN Domain to detect and eradicate malware

  • Recovery plans, including backups, for all computers and devices in the LAN Domain

  • Procedures to control configuration changes

  • Monitoring tools and other detective controls to help detect suspicious LAN Domain activity

  • Software patch management for all computers and devices in the LAN Domain

Good LAN Domain security controls will directly support one or more of the three pillars of security in the A-I-C triad, while not interfering with your organization's business functions. A secure system that doesn't support your organization's critical business functions isn't of much use. You will always have to balance security with functionality. Search for compensating controls as often as possible to identify the best controls for both security and functionality. Avoid controls that do not balance these two crucial needs.

Devices and Components Commonly Found in the LAN Domain

The LAN Domain's primary responsibility is to provide your users with the ability to connect to, and share, resources. To fulfill this goal, the LAN Domain contains four main types of components. These components work together to allow users to share resources on the network and reduce the need for multiple dedicated resources, such as printers, file storage systems, and backup devices. The four main types of components in the LAN Domain include:

  • Connection media—The adapters and, in some cases, wires that connect components together in the LAN Domain. Not all connection methods use wires. Wireless devices use radio waves to transmit data instead of wires. So, connection media includes wireless adapters.

  • Networking devices—The hardware devices that connect other devices and computers using connection media.

  • Server computers and services devices—The hardware that provides one or more services to users, such as server computers, printers, and network storage devices.

  • Networking services software—The software that provides connection and communication services for users and devices.

Many physical devices in the LAN Domain are actually combinations of several types of components. These components should work together to provide easy access to desired resources and still maintain the security of your organization's information. Figure 10-2 shows common components you'll find in the LAN Domain.

Connection Media

The purpose of any network is to allow multiple computers or devices to communicate with each other. By definition, networked computers and devices are connected to one another and have the appropriate software to communicate. In the past, networked computers and devices were connected using some type of cable. Many of today's networks contain a mix of cables and wireless connections. The cables or devices you use to connect computers and devices to form a network are collectively called connection media. Although the technical details of network connections are beyond the scope of this discussion, it is important to have a general understanding of a network's components.

Figure 10-2. Common components in the LAN Domain.

Table 10-1. Basic network cabling options.

| CABLE TYPE | DESCRIPTION | ADVANTAGES AND DISADVANTAGES |
| --- | --- | --- |
| Unshielded twisted pair (UTP) | The most common type of network cable. UTP generally consists of two or four pairs of wires. Pairs of wires are twisted around each other to reduce interference with other pairs. The most common type of UTP is Category 5 UTP that supports 100 megabits per second (Mbps) for two pairs of wires and 1,000 Mbps for four pairs. | Lowest cost; easy to install; susceptible to interference; limited transmission speeds and distances |
| Shielded twisted pair (STP) | Same as UTP, but with foil shielding around each pair and optionally around the entire wire group to protect the cable from external radio and electrical interference. | Low cost; easy to install; more resistant to interference than UTP; same speed limitations but supports longer run lengths |
| Coaxial | A single copper conductor surrounded with a plastic sheath, then a braided copper shield, and then the external insulation. | Higher cost; difficult to install; very resistant to interference; higher speeds and longer run lengths |
| Fiber optic | A glass core surrounded by several layers of protective materials. | Highest cost; easy to run cable, but installing end connectors requires special tools; immune to radio and electrical interference; extremely high speeds and long run lengths |

Wired LAN Connections

There are four basic cabling options for physical network connections. Each option has its own advantages and disadvantages. If you choose to use physical cables for part, or all, of your network, you will have to run cables to each device. Running cables between devices takes careful planning to do it right. Make sure when you explore cabling options that you evaluate the cost of installing all of the cables and connection hardware to support both your current and future needs. Table 10-1 lists the four basic cable options, along with the advantages and disadvantages of each one.

Wireless LAN Connections

Wireless connections are very popular in today's LAN environments where flexibility is an important design factor. Wireless connections allow devices to connect to your LAN without having to physically connect to a cable. This flexibility makes it easy to connect computers, or devices, in situations where running cables is either difficult or not practical for temporary connections. The Institute of Electrical and Electronics Engineers (IEEE) defines standards for many aspects of computing and communications. The IEEE 802.11 defines standards for wireless local area network (WLAN) communication protocols. A protocol is a set of rules that governs communication.

There are four main protocols currently in the 802.11 standard. As with the discussion of wired LAN connections, the technical details are beyond the scope of this discussion, but it is important to know the basic differences among different wireless protocols. Table 10-2 lists the four most common wireless LAN protocols.

Table 10-2. Common 802.11 wireless LAN standards.

| PROTOCOL | MAXIMUM TRANSMISSION SPEED | RANGE (FT) INDOOR/OUTDOOR | FREQUENCY* |
| --- | --- | --- | --- |
| 802.11a | 54 Mbps | 115/390 | 5 GHz |
| 802.11b | 11 Mbps | 125/460 | 2.4 GHz |
| 802.11g | 54 Mbps | 125/460 | 2.4 GHz |
| 802.11n | 150+ Mbps | 230/820 | 2.4 GHz/5 GHz |

Generally, hardware that supports protocols with faster speeds and higher range costs more than hardware that supports slower protocols. Your choice of wireless LAN protocol will likely be based on cost, transmission speed requirements, and other devices that might cause interference in a specific frequency.

Warning

Regardless of the protocol you choose, wireless connections increase the likelihood that unauthorized users will connect to your network. If you choose to implement wireless connections, you must ensure you are using strong access controls and strong wireless encryption.

Networking Devices

Once you decide on the types of connections you'll use for your network, you have to decide how your components connect to one another. Few networks have every component connected to every other component. That would make managing your network connections extremely difficult. LANs in today's environments use several types of networking devices to help keep connections manageable. You'll see many different types of networking devices, but the following two sections discuss the ones you'll commonly use in the LAN Domain.

Hub

The simplest network device is a hub. A hub is a box with several connectors, or ports, that allows multiple network cables to attach to it. Common hubs have 4, 8, 16, or even 32 ports. A hub is basically a hardware repeater. A hub takes input from any port and repeats the transmission, sending it as output on every port, including the original input port. Hubs make it easy to connect many devices to a network by just connecting each device to a hub. Figure 10-3 shows a simple network created using a single hub.

Figure 10-3. Simple LAN with a single hub.

Switch

Hubs are very inexpensive devices you can use to connect many computers and devices to a LAN. One problem with hubs is that they repeat all network traffic to all ports. This can cause message collisions and a frequent need to resend messages. Hubs also tend to contribute to network congestion because everyone gets all network traffic. Networks are designed to handle collisions and congestion but at the cost of slowing down the network. A switch can help avoid many collision and congestion issues and actually speed up networks. A switch is a hardware device that forwards input it receives only to the appropriate output port.

For example, if computer A wants to send a message to computer B, a switch will only send the message from computer A to the port to which computer B is attached. No other computers ever see the message. As an additional benefit, if computer C wants to send a message to computer F at the same time computers A and B are talking, the switch can handle both connections at the same time without causing a collision. Switches are also more secure because the only computers that actually see information exchanged over the network are the computers involved in the transfer. This is more secure than a hub that repeats messages to all connected computers.

Router

A router is another network device that connects two or more separate networks. A router can connect a LAN to another LAN or to devices in another domain in the IT infrastructure. Routers are more intelligent than switches and actually inspect the address portion of the packets on your network. The router examines the destination address and then forwards the packet to the correct outbound port. Routers can be standalone hardware devices or computers with multiple network interfaces running routing software.

Routers also provide an important security capability. You can define rules for each router that tell the router how to filter network traffic. You can restrict which packets you allow to flow through your networks. Routers give you the ability to aggressively control how users and applications use your LANs.

Server Computers and Services Devices

LANs provide easy access to shared resources and shared services. Shared centralized services make it possible for multiple users to share information and physical resources at a lower cost than duplicating information or purchasing devices for every workstation. Shared resources can include both server computers and services devices. Both offer value to a group, rather than as a dedicated resource. Examples of shared resources include:

  • Shared file storage

  • Shared printer and print services

  • Central database and document management systems

LAN File Server

One common service present in the earliest LANs is the file-sharing service. A file server is a computer or hardware device that has at least three distinct components:

  • One or more connected hard disk drives

  • A network interface

  • Software to provide network access to files and folders on the attached disks

In the past, most file servers were computers that managed shared folders or file systems. The file server would manage connections and support authorized read/write access to its disks by remote users. Computer-based file servers are still in widespread use, but standalone hardware devices with internal hard disk drives are becoming more popular. Regardless of whether you choose to use a computer or standalone device, a file server's main purpose is to provide secure access to its disk drives for remote users.

LAN Print Server

A print server provides the interface between the LAN and one or more printers. Like file servers, the actual server can be a computer or a standalone hardware device. In either case, the print server accepts print jobs from authorized users and processes them. That means the print server may contain the intelligence to store multiple print jobs and provide advanced abilities to manage the printing process. Print servers vary widely in capabilities but all generally exist to allow multiple remote users to share printers.

LAN Data Storage

LAN data storage might sound like the service the file server provides but the two services are distinct. A file server just stores files. A data storage server organizes data and attempts to make it more accessible than just a list of files. Data storage software includes database management systems and document management systems. Both types of software provide efficient, effective centralized access to data and documents for remote users.

Another substantial difference you'll notice between file servers and data storage products is that data storage products generally provide far greater control over access authorization. File servers can control access to individual folders and files, but data storage software can control access to the contents of files. Database management systems and document management systems often provide their own features to maintain and authorize users and requests. These systems manage large amounts of data and can grant or deny access to individual pieces of information stored inside very large files. The advantage of data management systems is they can provide fast and efficient access to large amounts of data while maintaining the security of the data down to a very specific level.

Networking Services Software

The last category of components in the LAN Domain is networking services software. This category consists of components that really aren't connection or hardware components. None of the network computers and components can do anything without the network software that provides the ability to communicate. The networking services software changes a group of connected devices into a network of devices that communicate to accomplish tasks.

A network operating system (NOS) provides the interface between the hardware and the application layer software. The NOS provides many of the same functions an operating system provides on a standalone computer. In fact, the roles of the operating system and NOS are so similar that nearly all of today's operating systems contain NOS functionality. Today's networking components generally run either a version of Windows or UNIX/Linux operating systems.

NOS products provide extensive support for resource access and management, as well as credential management at various levels. NOSs support low-level authorization as well as higher-level standards such as Kerberos and Active Directory. Choose the NOS that fits in best with your existing IT infrastructure.

LAN Traffic and Performance Monitoring and Analysis

Once you start using a LAN to share resources, how do you know if you are upholding your security policy? You'll learn how to use preventive controls in later sections, but you should also use detective controls to validate how your users are using your LAN. Traffic and performance monitoring utilities allow you to watch the traffic flowing across your network. You can watch the traffic in real time or collect it in log files for later analysis.

There are two common types of monitoring tools available for monitoring LANs: packet sniffers and network software log files. A packet sniffer is software that copies specified packets from a network interface to an output device, generally a file. A sniffer may copy all packets or may select certain packets based on a specific filter, such as source, destination, or protocol. Because sniffers copy the actual packets from the network, you get to see all of the addressing and routing information as well as the contents of each message. If the message is encrypted, you won't be able to read the contents but you will see the encrypted data.

The other common option is to change settings in network software to create audit logging entries for certain packets. You can change configuration settings to log all traffic or just certain conditions. You should only log information you must record to avoid slowing down your network.

Once you have a collection of packets, you can use packet analysis software to make sifting through the sniffer output or log files easier. Most analysis software allows you to sort and query data according to your own requirements. You can analyze packets originating from a specific computer, destined for a specific port, or you can analyze queries based on any of the packet's attributes. Using monitoring and analysis tools helps verify appropriate LAN use and identify inappropriate LAN use.

LAN Configuration and Change Management

Suppose you found inappropriate network packets during your LAN traffic analysis. Assume your traffic analysis revealed a collection of packets originating from an Internet Protocol address that is not valid for your network. In most cases, LAN controls should only allow traffic originating from, and addressed to, valid addresses. If you initially set up your LAN controls to properly filter network addresses, something is wrong.
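
An added example (not from the original text) of the analysis described above: it queries captured packets by attribute and flags any packet whose source or destination is not a valid LAN address. The address ranges, CSV column names, and sample packets are assumptions constructed for illustration.

```python
import csv
import io
import ipaddress
from collections import Counter

# Assumption: these are the only address ranges valid on this LAN.
VALID_LAN_NETWORKS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("192.168.50.0/24"),
]

# Constructed sample of sniffer output exported as CSV (not real traffic).
SAMPLE_CAPTURE = """\
timestamp,src_ip,dst_ip,dst_port,protocol
2024-03-01T09:00:01,10.20.1.15,10.20.0.5,445,TCP
2024-03-01T09:00:02,10.20.1.16,10.20.0.9,631,TCP
2024-03-01T09:00:03,172.16.9.77,10.20.0.5,445,TCP
2024-03-01T09:00:04,192.168.50.20,10.20.0.5,445,TCP
2024-03-01T09:00:05,172.16.9.77,10.20.0.5,3389,TCP
2024-03-01T09:00:06,not-an-address,10.20.0.5,445,TCP
2024-03-01T09:00:07,10.20.1.15,203.0.113.9,443,TCP
"""


def parse_capture(text):
    """Read CSV sniffer output into a list of dicts, one per packet."""
    return list(csv.DictReader(io.StringIO(text)))


def is_valid_lan_address(value):
    """True only if value parses as an IP address inside a valid LAN range."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return False  # a malformed address field is itself suspicious
    return any(addr in net for net in VALID_LAN_NETWORKS)


def find_invalid_packets(packets):
    """Return packets whose source or destination is not a valid LAN address."""
    flagged = []
    for pkt in packets:
        bad = [f for f in ("src_ip", "dst_ip") if not is_valid_lan_address(pkt[f])]
        if bad:
            flagged.append({**pkt, "invalid_fields": bad})
    return flagged


def count_by_source(packets):
    """Tally packets per source address to show which sender is most active."""
    return Counter(pkt["src_ip"] for pkt in packets)


def query(packets, **criteria):
    """Select packets whose attributes equal every given criterion."""
    return [p for p in packets
            if all(p.get(k) == str(v) for k, v in criteria.items())]


if __name__ == "__main__":
    packets = parse_capture(SAMPLE_CAPTURE)
    flagged = find_invalid_packets(packets)
    for pkt in flagged:
        print(pkt["timestamp"], pkt["src_ip"], "->", pkt["dst_ip"],
              "invalid:", ",".join(pkt["invalid_fields"]))
    print("Flagged packets per source:", dict(count_by_source(flagged)))
    print("Packets to port 445:", len(query(packets, dst_port=445)))
```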

One of the first things you should check is the current settings of your routing rules. You should be able to tell if you have defined your routing rules properly. If you find that the rules have changed, determine when the rules changed, who changed them, and why they were changed.

One attack method is to access network devices and change packet filter rules to permit malicious traffic. Another important control in the LAN Domain is network device configuration control and change management. You should implement a formal process to change network configuration settings. A change control board should approve each change and you should only allow a small number of privileged users to access network devices with the authority to change settings. You should also define your network devices to create audit log entries any time you change a configuration setting. A formal change procedure and configuration change audit will limit unexpected changes to your network configuration and provide an audit trail when changes allow unwanted network traffic.
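
An added example (not from the original text) of a configuration change audit: it compares a router's current filter rules with the approved baseline and uses the device's audit log to answer when each rule changed, who changed it, and whether the change was approved. The rule syntax, user names, change record IDs, and log entries are hypothetical and constructed for illustration; they do not follow any vendor's format.

```python
import hashlib

# Assumptions: the privileged users and the changes the board has approved.
AUTHORIZED_ADMINS = {"alice", "bob"}
APPROVED_CHANGES = {"CHG-1001"}

# Constructed rule sets: the approved baseline and the rules now on the device.
BASELINE_RULES = """\
permit tcp 10.20.0.0/16 10.20.0.5/32 445
permit tcp 10.20.0.0/16 10.20.0.9/32 631
deny ip any any
"""
CURRENT_RULES = """\
permit tcp 10.20.0.0/16 10.20.0.5/32 445
permit tcp 10.20.0.0/16 10.20.0.12/32 1433
permit ip any any
deny ip any any
"""

# Constructed configuration audit log entries from the device.
AUDIT_LOG = [
    {"time": "2024-03-02T14:05:00", "user": "alice", "action": "add",
     "rule": "permit tcp 10.20.0.0/16 10.20.0.12/32 1433", "ticket": "CHG-1001"},
    {"time": "2024-03-04T02:17:00", "user": "jdoe", "action": "add",
     "rule": "permit ip any any", "ticket": ""},
]


def normalize(text):
    """Split a rule export into rules, collapsing whitespace and blank lines."""
    return [" ".join(line.split()) for line in text.splitlines() if line.strip()]


def fingerprint(rules):
    """Order-sensitive SHA-256 of the rule list, for a quick drift check."""
    return hashlib.sha256("\n".join(rules).encode()).hexdigest()


def diff_rules(baseline, current):
    """List (action, rule) pairs for rules added to or removed from baseline."""
    added = [("add", r) for r in current if r not in baseline]
    removed = [("remove", r) for r in baseline if r not in current]
    return added + removed


def audit_changes(baseline_text, current_text, audit_log):
    """Explain every difference from the baseline using the audit log."""
    baseline, current = normalize(baseline_text), normalize(current_text)
    if fingerprint(baseline) == fingerprint(current):
        return []  # configuration matches the approved baseline
    changes = diff_rules(baseline, current)
    if not changes:
        # Same rules in a different order: order decides which rule matches.
        return [{"action": "reorder", "rule": None, "when": [], "who": [],
                 "findings": ["rule order differs from baseline"]}]
    report = []
    for action, rule in changes:
        entries = [e for e in audit_log
                   if e["action"] == action and e["rule"] == rule]
        findings = []
        if not entries:
            findings.append("no audit log entry")
        for entry in entries:
            if entry["user"] not in AUTHORIZED_ADMINS:
                findings.append(f"changed by non-privileged user {entry['user']}")
            if entry["ticket"] not in APPROVED_CHANGES:
                findings.append("no approved change record")
        report.append({"action": action, "rule": rule,
                       "when": [e["time"] for e in entries],
                       "who": [e["user"] for e in entries],
                       "findings": findings})
    return report


if __name__ == "__main__":
    for item in audit_changes(BASELINE_RULES, CURRENT_RULES, AUDIT_LOG):
        status = "; ".join(item["findings"]) or "approved change"
        print(f"{item['action']:7} {item['rule']!s:45} {status}")
```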

LAN Management, Tools, and Systems

Managing a LAN means ensuring it fulfills the goals for which it was designed. It also means continually updating the LAN's configuration to satisfy new and updated goals. LAN management covers several related activities, including:

  • Monitoring LAN performance

  • Changing configuration settings to optimize performance

  • Changing configuration to support new requirements

  • Adding necessary controls to address security issues

  • Maintaining components of a current recovery process

  • Adding, changing, and removing hardware components as requirements dictate

  • Mapping LAN components

Although it is possible to manually keep up with the documentation and activities that accompany monitoring and changing your LAN, automated tools can greatly simplify your tasks. In fact, many open source and commercial software packages provide network monitoring and network management functionality. Many networks even have dedicated computers on the LAN running network management software. These dedicated servers are often called network monitoring platforms (NMPs). Because NMP software runs on dedicated servers, it can help manage a LAN by providing monitoring and configuration assistance without having a negative performance impact on other LAN computers and devices. Explore options for network monitoring and management software for your operating system. Software that assists your network administrators will likely simplify managing your LAN and make it easier to validate compliance with your stated security goals.

Access Rights and Access Controls in the LAN Domain

LAN access controls limit which subjects can access LAN-based objects. There are generally two levels of controls: one for computers or devices, and one for users. The first level of control ensures only authorized computers or devices can establish a connection with a target computer or device. The second level of control ensures only authorized subjects can access protected objects.

In the context of networks, any computer or device that is connected to the network is called a node. Switches and LAN routers are common places for the first layer of controls. Because these devices establish the network connection between a source node and a target node, this is a good place to make authorization decisions. Most LAN access controls for nodes look at the identification credentials and compare those with stored authentication information. Identification credentials for nodes can include the interface's Media Access Control (MAC) address, Internet Protocol (IP) address, or even a digital certificate. The idea is to select a method to uniquely identify a specific node.

The software running on your switch or router will examine connection requests and compare identification credentials with its own stored credentials to make an authorization decision. A simple way to identify nodes is to use the MAC and IP address the same way user authentication uses an ID and a password. Although not rock solid, it does help identify unauthorized nodes. If your organization requires stronger node identification and authentication, you can use digital certificates. Digital certificates require more administrative work but provide greater security.

Once your LAN establishes a connection between nodes, the second layer of access controls makes an authorization decision for the target object access request. In other words, just because computer A can connect to computer F doesn't mean that all users on computer A are authorized to access files in any shared folder on computer F. At this point, access controls look very much like object-level access controls in other domains. Your node's operating system grants or denies access to objects according to your organization's access control method. In most cases, organizations use either DAC or MAC to define access controls.

At the object level, operating systems grant access based on the requestor's identity. When moving from a single, standalone computer to a network, the concept of user ID becomes a little less concrete. To authorize an access request, the target operating system needs a user ID. There are two main methods you can use to satisfy this requirement:

  • Provide identification and authentication with every resource request.

  • Provide a secure identification object with every request.

The first approach is simpler but requires that the target environment authenticate the user for each request. This also means you have the problem of whether to replicate all authentication credentials to each target node or to develop a central authentication method. The second approach depends on a central authentication method. Each target node just validates the identification object and proceeds with the authorization process. Common central authentication methods include Kerberos, popular in UNIX/Linux environments, and Active Directory domain accounts, which use Kerberos by default. Both options allow a user to only sign in once and use the same credentials for all network resource requests.

From a compliance perspective, it is important to control node connections and object permissions by user or group. You should monitor connections and accesses for any unusual activity and watch for excessive failures in either connection requests or access requests. Carefully design LAN access controls and monitor for both exceptions and any changes to your control's rules. Either type of unusual activity could indicate an attacker is trying to perform unauthorized actions.
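
An added example (not from the original text) that ties the two levels of control to the monitoring advice above: it checks each connection request against a stored MAC and IP pair, then flags any node or user with excessive failures inside a short time window. The node registry, threshold, window, and log entries are assumptions constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumption: stored identification credentials, one MAC/IP pair per node.
NODE_REGISTRY = {
    "00:1a:2b:3c:4d:01": "10.20.1.15",
    "00:1a:2b:3c:4d:02": "10.20.1.16",
}

# Constructed connection requests: (time, MAC, IP).
CONNECTION_REQUESTS = [
    ("2024-03-01T09:00:00", "00:1A:2B:3C:4D:01", "10.20.1.15"),  # registered pair
    ("2024-03-01T09:01:00", "00:1a:2b:3c:4d:99", "10.20.1.40"),  # unknown MAC
    ("2024-03-01T09:01:30", "00:1a:2b:3c:4d:99", "10.20.1.41"),
    ("2024-03-01T09:02:10", "00:1a:2b:3c:4d:99", "10.20.1.42"),
    ("2024-03-01T09:03:00", "00:1a:2b:3c:4d:02", "10.20.1.77"),  # known MAC, wrong IP
]

# Constructed object access requests: (time, user, object, result).
ACCESS_REQUESTS = [
    ("2024-03-01T09:10:00", "cmartin", "payroll-share", "denied"),
    ("2024-03-01T09:15:00", "dlee", "payroll-share", "denied"),
    ("2024-03-01T09:15:20", "dlee", "hr-share", "denied"),
    ("2024-03-01T09:16:00", "dlee", "finance-share", "denied"),
    ("2024-03-01T09:20:00", "cmartin", "payroll-share", "denied"),
    ("2024-03-01T09:25:00", "cmartin", "team-share", "granted"),
    ("2024-03-01T09:30:00", "cmartin", "payroll-share", "denied"),
]


def normalize_mac(mac):
    """Lower-case a MAC address and use ':' separators so lookups are consistent."""
    return mac.strip().lower().replace("-", ":")


def authorize_node(mac, ip):
    """First level of control: the MAC and IP must match the stored pair."""
    return NODE_REGISTRY.get(normalize_mac(mac)) == ip


def connection_failures(requests):
    """Return (time, MAC) for every connection request that fails the node check."""
    return [(datetime.fromisoformat(t), normalize_mac(mac))
            for t, mac, ip in requests if not authorize_node(mac, ip)]


def access_failures(requests):
    """Return (time, user) for every denied object access request."""
    return [(datetime.fromisoformat(t), user)
            for t, user, _obj, result in requests if result == "denied"]


def excessive_failures(failures, threshold=3, window=timedelta(minutes=5)):
    """Map each key that reaches `threshold` failures within `window`
    to the time at which the threshold was first reached."""
    recent = defaultdict(deque)
    flagged = {}
    for when, key in sorted(failures):
        times = recent[key]
        times.append(when)
        while when - times[0] > window:  # drop failures older than the window
            times.popleft()
        if len(times) >= threshold and key not in flagged:
            flagged[key] = when
    return flagged


if __name__ == "__main__":
    for key, when in excessive_failures(connection_failures(CONNECTION_REQUESTS)).items():
        print(f"node {key}: excessive connection failures by {when}")
    for key, when in excessive_failures(access_failures(ACCESS_REQUESTS)).items():
        print(f"user {key}: excessive access failures by {when}")
```

Because a MAC or IP address can be changed by the node that presents it, this check identifies misconfigured or unregistered nodes rather than proving identity, which is why the text recommends digital certificates where stronger node authentication is required.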

Maximizing A-I-C

One common goal in all domains is the pursuit of the most secure environment possible. Because maximizing the availability, integrity, and confidentiality of your organization's information leads to a secure environment, all of your activities should aim to maximize A-I-C.

Maximizing Availability

It is important to develop and maintain a comprehensive recovery plan to replace lost or damaged data. As you use LANs to store more information in central repositories, it becomes more important to ensure the data is available when users request it. A crucial part of your security plan is creating secondary copies, or backups, of your data in case the primary copy is damaged or deleted. Because more users are sharing the same set of data, any loss impacts a larger portion of your organization.

A solid recovery plan contains a schedule for creating backups, as well as the procedures for recovering lost or damaged data. All current NOS products include capable utilities to back up and recover data. Third-party vendors also provide solutions that make enterprise-wide backups easier than managing individual computers. Explore the backup solutions available for your choice of server computers and select the one that meets your security needs with minimal administrative oversight.

Most backup and recovery solutions target networked computers. Don't forget to include any network devices with valuable data in your backup and recovery plan. Some network devices store configuration settings and performance data. Backing up these devices can save valuable log and performance data and make reconfiguring a device after a failure much faster. In nearly all cases, it is faster to load backed-up configuration data than to re-enter it manually. Make sure your backup plan includes any devices with data you'll need if a device fails.

Another important aspect of availability is to ensure your users can access LAN resources in an acceptable time frame. If the network is too slow, users can't get to their requested information and you are not supporting data availability. In some cases, this problem is just due to excessive network use or a lack of network capacity for normal use. In both cases, you must examine the behavior and either reduce the load on your network or increase its capacity, or both.

In other cases, a lack of availability results from an attack. Suppose your organization sells automobile insurance. You attract new customers by offering to analyze their existing coverage and providing a competitive quote showing how your coverage saves them money. You depend on your database of coverage costs to generate the analysis report. You cannot conduct business if you cannot access your database. In this case, an attacker that renders your network unusable effectively stops your ability to conduct business. The type of attack that denies access to a critical resource or service is called a denial of service (DoS) attack.

The best defense against DoS attacks is to aggressively enforce access controls and monitor your network for unusual or excessive traffic. You'll need to provide evidence that you've implemented both preventive and detective controls to combat DoS attacks.
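The following Python example is added here and is not part of the original chapter. It shows one way to implement the detective side of this advice: each source's packet count for the current interval is compared with a threshold derived from that source's own history. The source addresses, counts, multiplier k, and default limit are constructed assumptions.

```python
from statistics import median

def robust_threshold(history, k=6.0):
    """Median + k * MAD of past per-interval counts; a MAD of 0 is treated as 1."""
    med = median(history)
    mad = median(abs(x - med) for x in history) or 1.0
    return med + k * mad

def excessive_sources(baseline, current, k=6.0, default_limit=1000):
    """Return {source: (observed, limit)} for sources above their own limit."""
    alerts = {}
    for source, observed in current.items():
        history = baseline.get(source)
        # Sources with no history fall back to a fixed, assumed limit.
        limit = robust_threshold(history, k) if history else default_limit
        if observed > limit:
            alerts[source] = (observed, limit)
    return alerts

# Constructed packets-per-minute samples (not measured on a real network).
BASELINE = {
    "10.0.5.20": [120, 135, 110, 140, 125],
    "10.0.5.21": [300, 310, 290, 305, 295],
}
CURRENT = {"10.0.5.20": 150, "10.0.5.21": 48000, "10.0.5.99": 2500}

if __name__ == "__main__":
    for source, (observed, limit) in excessive_sources(BASELINE, CURRENT).items():
        print(f"ALERT {source}: {observed} packets/min exceeds limit {limit}")
```

Keeping the alert output together with the baseline data gives an auditor evidence that the detective control exists and is operating.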

Maximizing Integrity

LAN nodes are just as susceptible to malicious software as any other computers. As LAN nodes become more powerful and based more on standard operating systems, they become more attractive targets. A compromised LAN node can be just a starting point. Once an attacker gets a foothold in your network, it becomes far easier to compromise other parts of your infrastructure.

You should use the malicious code policies and procedures from the Workstation Domain in the LAN Domain as well. The issues are the same. Ensure you have anti-malware software installed on every computer in the LAN Domain. Establish procedures to ensure all anti-malware software and data are kept up to date. Because some components in the LAN Domain are devices and not general-purpose computers, you should explore anti-malware features on each device and enable any available features. Your goal is to prevent malicious software from entering your LAN Domain.

Warning

Don't forget that malware can enter your LAN Domain in other ways. Computers and devices in the LAN Domain often have USB ports, CD/DVD drives, and other ports an attacker can use to introduce malware. Just as in the Workstation Domain, ensure you control access to external media. Don't allow external media except when you absolutely need it.

Malware is not the only integrity concern. Users can also violate data integrity, whether they act maliciously or are simply unaware of the effect of their actions. Either way, it is important to control changes to critical data. Good access controls should stop any data changes by unauthorized users, and you can also audit changes to critical data by authorized users. Audit data can provide valuable audit trails for later analysis. Good audit trails can help trace unauthorized changes back to their source. Getting to the root of unauthorized changes should provide the input needed to modify or add controls to keep the damage from happening again.

Maximizing Confidentiality

Ensuring confidentiality in the LAN Domain is one of the simpler tasks. There are basically four steps to ensuring only authorized users can see confidential data:

  1. Identify confidential data.

  2. Require positive identification for all access requests and define strict access controls for all confidential data you identified in Step 1.

  3. Use encryption to store all confidential data you identified in Step 1.

  4. Use encryption to transfer all confidential data you identified in Step 1.

You should already be enforcing identification and access controls in the LAN Domain. The new controls involve using encryption. Encryption is the process of scrambling data in such a way that it is unreadable by unauthorized users but can be unscrambled by authorized users to be readable again. Encrypting stored data is easy. Today's operating systems either support encryption directly or through integrated software. You can encrypt individual files, folders, volumes, or entire disk drives. Once you decide how much data you want to encrypt, explore the various encryption options available for your operating system.

Transmission encryption means never sending information across the network in the clear. The term "in the clear" means in a format anyone can read. You can use encryption at the application level or by only allowing encrypted connections between source and destination nodes. Many database management systems and document management systems can also refuse to transmit confidential data over unencrypted connections. Regardless of how you implement encryption, you should validate your controls to enforce encryption and use a packet analyzer to verify your traffic is actually encrypted.
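The following Python example is added here and is not part of the original chapter. It applies the verification step described above to captured TCP payloads, labeling each one as a TLS record, readable cleartext, or opaque high-entropy data. The flow labels, sample payloads, and thresholds are constructed assumptions, and the TLS check is a heuristic on the record header only.

```python
import math
from collections import Counter

TLS_CONTENT_TYPES = {20, 21, 22, 23}  # change_cipher_spec, alert, handshake, application_data
MAX_TLS_RECORD = 16384 + 2048         # largest ciphertext fragment TLS 1.2 allows

def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte, from 0.0 to 8.0."""
    total = len(data)
    return -sum(n / total * math.log2(n / total) for n in Counter(data).values())

def classify_payload(payload: bytes) -> str:
    """Heuristically label one TCP payload: tls, cleartext, opaque or unknown."""
    if len(payload) >= 5:
        ctype, major, minor = payload[0], payload[1], payload[2]
        length = int.from_bytes(payload[3:5], "big")
        if (ctype in TLS_CONTENT_TYPES and major == 3 and minor <= 4
                and 0 < length <= MAX_TLS_RECORD):
            return "tls"
    if not payload:
        return "unknown"
    printable = sum(1 for b in payload if 32 <= b < 127 or b in (9, 10, 13))
    if printable / len(payload) > 0.9:  # assumed threshold
        return "cleartext"
    if len(payload) >= 64 and shannon_entropy(payload) > 7.0:  # assumed threshold
        return "opaque"  # encrypted or compressed by a protocol this check does not parse
    return "unknown"

def cleartext_flows(flows):
    """Return the labels of flows whose payload is readable text."""
    return [label for label, payload in flows if classify_payload(payload) == "cleartext"]

# Constructed sample payloads (not captured from a real network).
SAMPLE_FLOWS = [
    ("ws-20 -> web-01:443", bytes([0x16, 0x03, 0x01, 0x00, 0x2F]) + bytes(47)),
    ("ws-21 -> payroll-db", b"SELECT name, salary FROM employees WHERE id = 7"),
    ("ws-22 -> intranet:80", b"POST /login HTTP/1.1\r\nHost: hr.example\r\n\r\nuser=al&pw=x"),
    ("ws-23 -> backup-01", bytes(range(256))),
]

if __name__ == "__main__":
    for label, payload in SAMPLE_FLOWS:
        print(f"{classify_payload(payload):9}  {label}")
```

Any flow reported as cleartext that carries data you identified as confidential in Step 1 is a finding to correct and to document for the audit.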

LAN File/Print/Communication Server Vulnerability Management

Attackers never stop exploring new ways to compromise information systems. It is crucial that you constantly make efforts to stay ahead of the attackers. As soon as new attacks surface, most hardware and software developers make changes to their products to address the new attacks. Nearly every hardware and software vendor releases updates to address vulnerabilities in their products. You should establish procedures to ensure all components in the LAN Domain are up to date.

Operating System Patch Management

Because operating systems play such a crucial role in granting or denying access to resources, they are a prized target for attackers. If an attacker can compromise the operating system, many attacks are possible. To keep your operating system as secure as possible, you should ensure you acquire and install all security-related patches, updates, and service packs. All current operating systems provide methods for automatically identifying, downloading, and installing updates. Either use your operating system's capability for automatic updates or develop procedures to keep your operating systems as current as possible.

Application Software Patch Management

Applications are also prime targets for attackers. Database management systems and document management systems commonly control access to critical data through application access controls. Attackers who compromise applications can often bypass these controls and compromise your data. Just as with your operating systems, you should establish procedures to frequently identify any security updates and install those on your applications to keep your LAN Domain as secure as possible.

Adherence to Documented IT Security Policies, Standards, Procedures, and Guidelines

Compliance in the LAN Domain depends on implementing the best controls. As with all domains, you can meet some goals using different controls. Don't just accept the common controls. Take the time to explore alternate controls for each security goal. Some controls have more of an impact on your organization than others. If two controls provide the same assurance but have different impacts on your organization, choose the one that has less of an impact.

Table 10-3. Preventive, detective, and corrective controls in the LAN Domain.

| CATEGORY OF CONTROL | TYPE OF CONTROL | DESCRIPTION |
| --- | --- | --- |
| Preventive | Node-based access controls for LAN nodes | Only allow authorized nodes to establish connections. |
| Preventive | User-based access controls for LAN resources | Only allow authorized users to access resources. |
| Preventive | Configuration change control | Limit changes to network device configuration settings and filtering rules. |
| Preventive | Encryption | Enforce encryption for stored data and transmitted data for confidential information. |
| Detective | Connection request auditing | Log connection failures for all connections and successes for high-value targets. |
| Detective | Object access auditing | Log access failures for most objects and successes for critical objects. |
| Detective | Performance monitoring | Frequently sample network traffic flow metrics and alert for any unusual activity. |
| Detective | Packet analysis | Examine packets for known attack signatures and to ensure necessary data is encrypted. |
| Detective | Configuration settings monitoring | Compare LAN device configuration settings with stored baselines to detect any unauthorized changes. |
| Corrective | Operating system and application patching | Keep applications and operating systems patched to the latest available level. |
| Corrective | Attack intervention | Automatically modify filtering rules to deny traffic from sources generating known attack signature packets. |

As you analyze controls in the LAN Domain to meet compliance requirements, ensure each control satisfies your security policy. If a control does not support any part of your security policy, you should question its value to your organization. Although different legislation, regulations, and vendor standards have different requirements, Table 10-3 lists some types of controls you'll likely need to ensure components in your LAN Domain are compliant.

Implementing multiple types of controls decreases the likelihood an attack will be successful and makes your LAN Domain more secure.
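The following Python example is added here and is not part of the original chapter. It illustrates the "Configuration settings monitoring" control from Table 10-3: a device's running configuration is compared with its stored baseline, and settings that were added or removed are reported in order. The configuration syntax, device name, addresses, and the rule that lines starting with "!" are volatile are constructed assumptions.

```python
import difflib
import hashlib

# Assumption: lines starting with "!" are comments or timestamps that change on every save.
VOLATILE_PREFIXES = ("!",)

def normalize(config_text):
    """Drop blank and volatile lines and trailing whitespace so only settings remain."""
    lines = []
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if line.strip() and not line.lstrip().startswith(VOLATILE_PREFIXES):
            lines.append(line)
    return lines

def fingerprint(config_text):
    """SHA-256 over the normalized settings; store this beside the baseline backup."""
    return hashlib.sha256("\n".join(normalize(config_text)).encode()).hexdigest()

def drift(baseline, running):
    """Return settings added to and removed from the baseline, keeping rule order."""
    base, run = normalize(baseline), normalize(running)
    added, removed = [], []
    matcher = difflib.SequenceMatcher(None, base, run, autojunk=False)
    for tag, i1, i2, j1, j2 in matcher.get_opcodes():
        if tag in ("replace", "delete"):
            removed.extend(base[i1:i2])
        if tag in ("replace", "insert"):
            added.extend(run[j1:j2])
    return {"added": added, "removed": removed}

# Constructed configurations in a made-up, vendor-neutral syntax.
BASELINE = """\
! saved with approved change (constructed)
hostname lan-sw-01
filter 10 permit tcp 10.0.5.0/24 -> 10.0.9.4:443
filter 20 deny ip any -> 10.0.9.0/24
logging host 10.0.9.50
"""
RUNNING = """\
! retrieved from device (constructed)
hostname lan-sw-01
filter 5 permit ip any -> 10.0.9.0/24
filter 10 permit tcp 10.0.5.0/24 -> 10.0.9.4:443
filter 20 deny ip any -> 10.0.9.0/24
"""
if __name__ == "__main__":
    if fingerprint(BASELINE) != fingerprint(RUNNING):
        print(drift(BASELINE, RUNNING))
```

In the sample, the drift report shows a broad permit rule inserted ahead of the deny rule and the logging destination removed, both of which should be traced to an approved change or investigated.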

Best Practices for LAN Domain Compliance Requirements

The LAN Domain for any organization often contains the bulk of an organization's sensitive information. Most organizations want to make their information available to as many users as need it, while still keeping it secure. Protecting information in the LAN Domain focuses on maintaining the balance between easy access and solid security. In reality, solid planning can provide both.

The following best practices represent what many organizations have learned. Plan well and you can enjoy a functional LAN Domain that makes information available for use. Here are general best practices for securing your LAN Domain:

  • Map your proposed LAN architecture before installing any hardware. Use one of the several available network-mapping software products to make the process easier.

    • Identify all of the components and connection media you'll need for now and for future growth.

    • Update the network map any time you make changes to your network.

  • Implement a single sign-on strategy for your environment to keep users from signing on multiple times as they use network resources.

  • Identify critical resources and establish detailed access controls.

  • Develop a backup and recovery plan for each component in the LAN Domain. Include recovery plans for damaged or destroyed connection media.

    • Don't forget to include configuration settings for network devices in your backup and recovery plan.

  • Implement frequent update procedures for all operating systems, applications, and network device software and firmware.

  • Define routing and filtering rules to only allow necessary traffic in the LAN Domain.

  • Monitor LAN traffic for performance and packets for suspicious content.

  • Carefully control any configuration setting changes or physical changes to your LAN.

    • Update your network map after any changes.

  • Enable connection and object access auditing on items of interest.

  • Use automated tools whenever possible to map, configure, monitor, and manage the LAN Domain.

  • If your components support active attack intervention, configure devices to terminate connections when a suspected attack is in progress.

As with all best practices, these are only a starting point. Implement the points that are appropriate for your environment. Doing so will get you started toward establishing and maintaining a secure LAN Domain.

CHAPTER SUMMARY

In this chapter, you learned about how important the LAN Domain is to any organization. Because you probably store much of your organization's shared information in the LAN Domain, it is crucial you secure all components in the domain. You learned about the components commonly found in the LAN Domain and the importance of monitoring and configuring components properly. You learned about some of the most important security controls and how to maximize A-I-C in the LAN Domain.

All of the domains in the IT infrastructure are important. Although it might be difficult to highlight any one domain over the others, the LAN Domain does tend to be where much of an organization's critical data resides. Along with securing other domains, your organization's information security depends on securing the LAN Domain.

KEY CONCEPTS AND TERMS

  • Connection media

  • Denial of service (DoS)

  • Encryption

  • IEEE 802.11

  • In the clear

  • Institute of Electrical and Electronics Engineers (IEEE)

  • Kerberos

  • Local resource

  • Media Access Control (MAC)

  • Network monitoring platforms (NMPs)

  • Network operating system (NOS)

  • Networking devices

  • Networking services software

  • Node

  • Packet sniffer

  • Protocol

  • Remote resource

  • Server computers and services devices

  • Wireless local area network (WLAN)

CHAPTER 10 ASSESSMENT

  1. A LAN is a network that generally spans several city blocks.

    1. True

    2. False

  2. A local resource is any resource connected to the local LAN.

    1. True

    2. False

  3. Which of the following devices repeats input received to all ports?

    1. Switch

    2. Hub

    3. Gateway

    4. Router

  4. _______ cabling provides excellent protection from interference but can be expensive.

  5. Even the newest wireless protocols are slower than using high-quality physical cable.

    1. True

    2. False

  6. Which LAN device commonly has the ability to filter packets and deny traffic based on the destination address?

    1. Router

    2. Gateway

    3. Hub

    4. Switch

  7. Which of the following would be the best use for a packet sniffer?

    1. To approve or deny traffic based on the destination address

    2. To encrypt confidential data

    3. To analyze packet contents for known inappropriate traffic

    4. To track configuration changes to specific LAN devices

  8. Why is LAN device configuration control important?

    1. Configuration control helps to detect violations of LAN resource access controls.

    2. Configuration control can detect changes an attacker might have made to allow harmful traffic in a LAN.

    3. It reduces the frequency of changes because they are more difficult to implement with configuration control.

    4. Configuration control ensures LAN devices are set up once and never changed.

  9. A(n) _______ is a dedicated computer on a LAN that runs network management software.

  10. Which of the following controls would comply with the directive to limit access to payroll data to computers in the HR department?

    1. User-based authorization

    2. Group-based authorization

    3. Media Access Control-based authorization

    4. Smartcard-based authorization

  11. You should back up LAN device configuration settings as part of a LAN backup.

    1. True

    2. False

  12. A successful DoS attack violates the _______ property of A-I-C.

  13. Where must sensitive information be encrypted to ensure its confidentiality? (Select two.)

    1. While in use on a workstation

    2. During transmission over the network

    3. As it is stored on disk

    4. In memory

  14. Why is mapping a LAN a productive exercise?

    1. Visual maps help to identify unnecessary controls.

    2. Visual maps help in understanding your LAN design.

    3. A LAN map is required before physically installing any hardware or connection media.

    4. A visual map is the only way to define paths between devices.

  15. How can some smart routers attempt to stop a DoS attack in progress?

    1. Alert an attack responder.

    2. Log all traffic coming from the source of the attack.

    3. Terminate any connections with the source of the attack.

    4. Reset all connections.
