Chapter 02

  • November 2019

Chapter 2: Developing a Security Policy

Learning Objectives

  • Understand why a security policy is an important part of a firewall implementation
  • Determine the goals of your firewall and incorporate them into a security policy
  • Follow the seven steps to building a security policy
  • Account for situations the firewall can’t handle
  • Define responses to security violations
  • Work with administration to make your security policy work

What Is a Security Policy?

A set of organization-level rules governing:

  • Acceptable use of computing resources
  • Security practices
  • Operational procedures

Example of a Security Policy

Essential Information in a Security Policy

  • Date last updated
  • Name of office that developed the policies
  • Clear list of policy topics
  • Equal emphasis on positive points (access to information) and negative points (unacceptable policies)

Why Is a Security Policy Important?

  • Essential component of a fully functional firewall
      • Defines what needs to be done when firewall is configured
      • Defines intrusion detection and auditing systems that are needed
  • Minimizes impact of a “hack attack” on:
      • Staff time
      • Data loss
      • Productivity

Setting Goals for an Effective Security Policy

  • Describe a clear vision for a secure networked computing environment
  • Be flexible enough to adapt to changes in the organization
  • Be consistently communicated and implemented throughout the organization
  • Specify how employees can and cannot use the Internet
  • Define appropriate and inappropriate behavior as it pertains to privacy and security

Seven Steps to Building a Security Policy

  • Develop a policy team
  • Determine organization’s overall approach to security
  • Identify assets to be protected
  • Determine what should be audited for security
  • Identify security risks
  • Define acceptable use
  • Provide for remote access

Develop a Policy Team

  • Members (5-10 people)
      • Senior administrator
      • Member of legal staff
      • Representative from rank-and-file employees
      • Member of IT department
      • Editor or writer who can structure and present the policy coherently
  • Identify one person to be the official policy interpreter

Determine Overall Approach to Security

  • Two primary activities for overall approach:
      • Restrictive
      • Permissive
  • Specific security stances:
      • Open
      • Optimistic
      • Cautious
      • Strict
      • Paranoid

Identify Assets to Be Protected

  • Physical assets
      • Actual hardware devices
  • Logical assets
      • Digital information that can be viewed and misused
  • Network assets
      • Routers, cables, bastion hosts, servers, firewall hardware and software
  • System assets
      • Software that runs the system (i.e., server software and applications)

Example of Assets to Be Protected

Determine What Should Be Audited for Security

  • Auditing
      • Process of recording which computers are accessing a network and what resources are being accessed
      • Includes recording the information in a log file
  • Specify types of communication to be recorded and how long they will be stored
  • Use Tripwire to audit system resources
  • Use a firewall log to audit security events

Auditing with Tripwire

Auditing with a Firewall Log

Determine What Should Be Audited for Security

  • Auditing log files
  • Auditing object access

Identify Security Risks

  • Specify the kinds of attacks the firewall needs to guard against
      • Denial of service attacks
      • Disclosure of information due to fraud
      • Unauthorized access

Define Acceptable Use

  • Define acceptable computing and communications practices on the part of employees and business partners
  • Aspects
      • E-mail
      • News

Provide for Remote Access

  • Specify acceptable protocols
  • Determine use of Telnet or Secure Shell (SSH) access to internal network from Internet
  • Describe use of cable modem, VPN, and DSL connections to access internal network through the firewall
  • Require remote users to have a firewall on their computer

Accounting for What the Firewall Cannot Do

  • A firewall sandwich or load balancing switches can be compromised by:
      • Brute force attack
      • Sending an encrypted e-mail message to someone within the network with a virus attached
      • Employees who give out remote access numbers; unauthorized users can access company network
      • Employees who give out passwords

Other Security Policy Topics

  • Passwords
  • Encryption
  • Restrictions on removable media
  • ASPs
  • Acceptable users
  • Secure use of office-owned laptop computers
  • Wireless security
  • Use of VPNs
  • Key policy

Defining Responses to Security Violations

  • Gather information on an incident response form
  • Define disciplinary action to be pursued if employees access the Internet improperly
  • Identify who to contact in case of intrusion

Defining Responses to Security Violations

Overcoming Administrative Obstacles

Educating Employees

  • Security User Awareness program
  • Advise workers of expectations and consequences
  • Make policies available on local network

Presenting and Reviewing the Process

  • Keep reports short and concise
  • Give people ample time to respond after policy statement is issued

Amending the Security Policy

  • Change the security policy when:
      • The organization makes substantial changes in hardware configuration, or
      • The firewall is reconfigured in response to security breaches

Chapter Summary

  • What a security policy is; why they are important
  • Setting goals that govern how a firewall is configured to protect a network
  • Seven steps to building a security policy
  • Defining responses to attacks and other intrusions
  • Guiding your security policy through corporate bureaucracy to gain management support and achieve security policy goals
