
Transmission Security

Networks enhance availability by providing a diversity of routing and more widespread interaction among users. However, although such applications as electronic data interchange can specify the address to which a message is to be sent, they do not control the routing used to transmit the message. Therefore, the message may be transmitted across inadequately controlled communications links that expose the message to unauthorized disclosure, modification, or deletion.

Most LANs are configured as Ethernet or Token Ring topologies and run a number of operating systems in multivendor environments. In topologies where all of the workstations are connected to a single cable, commonly referred to as broadcast network technologies, each workstation is always actively listening on the wire for messages sent. Because of this, transmissions can easily be captured by someone other than the person for whom the message was originally intended. Even microwave links can be tapped if a person sitting in close proximity to the receiving dish is using the right equipment. And fiber-optic cable, if bent, can be tapped.

Sensitive data, including passwords, is usually transmitted over the network in clear text, which makes this information vulnerable to abuse. One of the most effective tools for preventing such abuse is encryption. Cryptographic software and hardware devices can help provide assurance that sensitive information cannot be read. The communications policy should include requirements to encrypt sensitive information, including password files.

Computer Viruses

Viruses can propagate through a network rapidly and without detection unless specific antivirus strategies are implemented. The network policy should address this threat by including statements of required practices, such as requiring that all new software, including shrink-wrapped, commercial software, be scanned for viruses prior to being installed, and that all diskettes brought in by employees be scanned prior to their use.

The policy may attempt to dissuade employees from carrying disks onto company premises, although enforcement is extremely difficult. If employees need to take work home, the policy should require that they install antiviral software on their PCs.

Backups of network data are essential for recovery from a computer virus incident in which data is deleted or damaged. New viruses surface at an alarming rate, often using new techniques such as self-encryption or polymorphism in an attempt to thwart anti-virus software. Accordingly, the policy should require that antivirus software be updated periodically, and it should require that the contents of file servers be scanned prior to performing backups.

Information Protection

On many networked systems, the password files are stored in clear text, and can therefore be read by any intruder. Traditional methods of hacking networked UNIX systems include obtaining the system password file via an unprotected link or a file transfer mechanism.

Until recently, the password files on all UNIX systems were stored in clear text and were readable by anyone. Even when manufacturers encrypted password files, they were vulnerable to hacker attacks. Hackers would run encryption dictionaries against the entries in the password file to determine the identity of passwords.

Proactive vendors have implemented shadow password files in which the password file is encrypted and segregated so that the encrypted password entry is made inaccessible to all users except the highly privileged root. The communications security policy should recommend that shadow files be implemented wherever possible.
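One way to check that the shadow-file recommendation above is actually in force on a host, as an added example that is not part of the original text: parse passwd/shadow-style content and flag accounts whose password field is still stored in the world-readable file, is empty, or has no shadow entry. The file contents and hash values below are constructed samples.

```python
# Added example (not from the original text): audit constructed /etc/passwd and
# /etc/shadow contents against the shadow-password policy described above.

# Constructed sample files; the hash values are placeholders, not real hashes.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice:/home/alice:/bin/bash
legacy:$6$saltsalt$PLACEHOLDERHASH:1001:1001::/home/legacy:/bin/sh
guest::1002:1002::/home/guest:/bin/sh
"""
SHADOW = """\
root:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
alice:$6$saltsalt$PLACEHOLDERHASH:19000:0:99999:7:::
bob:!:19000:0:99999:7:::
svc::19000:0:99999:7:::
"""


def parse_colon_file(text):
    """Return {username: [fields]} for a colon-separated passwd/shadow file."""
    entries = {}
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        entries[fields[0]] = fields
    return entries


def audit_password_files(passwd_text, shadow_text):
    """Return a sorted list of (user, finding) pairs that violate the policy."""
    findings = []
    passwd = parse_colon_file(passwd_text)
    shadow = parse_colon_file(shadow_text)
    for user, fields in passwd.items():
        pw = fields[1]
        if pw == "":
            findings.append((user, "empty password field in passwd"))
        elif pw not in ("x", "*"):
            # A hash here is readable by every local user and can be attacked offline.
            findings.append((user, "hash stored in world-readable passwd"))
        elif pw == "x" and user not in shadow:
            findings.append((user, "shadowed account missing from shadow"))
    for user, fields in shadow.items():
        if fields[1] == "":
            # Locked entries ("!" or "*") are fine; an empty field means no password.
            findings.append((user, "empty password field in shadow"))
    return sorted(findings)
```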

Because of the inherent weaknesses of the fixed password, dynamic password tokens have been increasingly accepted. Authentication by a password that changes every 30 to 60 seconds or is calculated in response to a randomly generated challenge number can provide the most practical and effective solution to this issue. The communications policy should require dynamic password authentication whenever possible.
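Both kinds of dynamic password described above, a code that changes every 30 seconds and a code computed from a server-issued challenge number, with the verifier's side of each, as an added example that is not from the original text. It follows the HMAC-based HOTP/TOTP construction (HMAC-SHA1 with dynamic truncation); the shared seed and the 30-second step are constructed assumptions, not values from the text.

```python
# Added example (not from the original text): a time-based and a challenge-response
# dynamic password, with the server-side checks. The seed is a constructed test value.
import hashlib
import hmac
import secrets
import struct

STEP_SECONDS = 30   # the token's code rolls over every 30 seconds
DIGITS = 6
SHARED_SECRET = b"12345678901234567890"  # constructed seed held by token and server


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """HMAC-based one-time code for a 64-bit counter value (time step or challenge)."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def time_code(secret: bytes, now: float) -> str:
    """Token side: the code valid for the 30-second step containing `now`."""
    return hotp(secret, int(now) // STEP_SECONDS)


def verify_time_code(secret: bytes, code: str, now: float, window: int = 1) -> bool:
    """Server side: accept the current step plus `window` steps either side for clock drift."""
    step = int(now) // STEP_SECONDS
    return any(hmac.compare_digest(hotp(secret, s), code)
               for s in range(step - window, step + window + 1))


def new_challenge() -> int:
    """Server side: a random challenge number shown to the user."""
    return secrets.randbelow(10 ** 8)


def challenge_response(secret: bytes, challenge: int) -> str:
    """Token side: the code is derived from the challenge instead of the clock."""
    return hotp(secret, challenge)


def verify_challenge_response(secret: bytes, challenge: int, code: str) -> bool:
    """Server side: recompute the expected response and compare in constant time."""
    return hmac.compare_digest(hotp(secret, challenge), code)
```

A replayed code fails as soon as the 30-second step (or the one-time challenge) it was computed for has passed, which is the property a fixed password lacks.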


Copyright (c) 1996-1999 EarthWeb, Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of EarthWeb is prohibited.