Transmission Security

Networks enhance availability by providing diverse routing and more widespread interaction among users. However, although applications such as electronic data interchange can specify the address to which a message is to be sent, they do not control the route used to transmit it. The message may therefore cross inadequately controlled communications links that expose it to unauthorized disclosure, modification, or deletion.

Most LANs are configured as Ethernet or Token Ring topologies and run a number of operating systems in multivendor environments. In topologies where all of the workstations are connected to a single cable, commonly referred to as broadcast network technologies, each workstation is always actively listening on the wire for messages sent. Because of this, transmissions can easily be captured by someone other than the intended recipient. Even microwave links can be tapped if a person in close proximity to the receiving dish uses the right equipment, and fiber-optic cable can be tapped if it is bent.

Sensitive data, including passwords, is usually transmitted over the network in clear text, which makes this information vulnerable to abuse. One of the most effective tools for preventing such abuse is encryption. Cryptographic software and hardware devices can help provide assurance that sensitive information cannot be read. The communications policy should include requirements to encrypt sensitive information, including password files.

Computer Viruses

Viruses can propagate through a network rapidly and without detection unless specific antivirus strategies are implemented. The network policy should address this threat by including statements of required practices, such as requiring that all new software, including shrink-wrapped commercial software, be scanned for viruses prior to installation, and that all diskettes brought in by employees be scanned prior to use. The policy may attempt to dissuade employees from carrying disks onto company premises, although enforcement is extremely difficult. If employees need to take work home, the policy should require that they install antivirus software on their PCs. Backups of network data are essential for recovery from a virus incident in which data is deleted or damaged. New viruses surface at an alarming rate, often using new techniques such as self-encryption or polymorphism in an attempt to thwart antivirus software. Accordingly, the policy should require that antivirus software be updated periodically and that the contents of file servers be scanned before backups are performed.

Information Protection

On many networked systems, the password files are stored in clear text and can therefore be read by any intruder. Traditional methods of hacking networked UNIX systems include obtaining the system password file via an unprotected link or a file transfer mechanism. Until recently, the password files on all UNIX systems were stored in clear text and were readable by anyone. Even when manufacturers encrypted password files, they remained vulnerable: hackers would run encryption dictionaries against the entries in the password file to determine the passwords. Proactive vendors have implemented shadow password files, in which the password file is encrypted and segregated so that the encrypted password entries are inaccessible to all users except the highly privileged root. The communications security policy should recommend that shadow files be implemented wherever possible.

Because of the inherent weaknesses of the fixed password, dynamic password tokens have been increasingly accepted. Authentication by a password that changes every 30 to 60 seconds, or that is calculated in response to a randomly generated challenge number, can provide the most practical and effective solution to this issue. The communications policy should require dynamic password authentication whenever possible.
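As an added illustration of the shadow-file recommendation above (example code, not from the original page), the following Python script audits a passwd-format file for accounts whose hash still sits in the world-readable file, and also flags the related case of an empty password field; the sample entries and the hash value are constructed, and the permission check assumes the usual root-owned shadow file.

```python
"""Audit a passwd(5)-style file for password hashes that belong in the shadow file."""
import sys
from dataclasses import dataclass

# Constructed sample (not a real system): root is shadowed ("x"), daemon is locked ("*"),
# "legacy" still carries its hash in the world-readable passwd file, and "guest" has no password.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/sh
daemon:*:1:1:daemon:/usr/sbin:/usr/sbin/nologin
legacy:$1$c0nstrct$CONSTRUCTEDPLACEHOLDERHASH:1001:1001:Legacy User:/home/legacy:/bin/sh
guest::1002:1002:Guest Account:/home/guest:/bin/sh
"""

# Field-2 values that mean "no hash is stored here": either shadowed or locked.
NO_HASH_MARKERS = {"x", "*", "!", "!!"}


@dataclass
class Finding:
    user: str
    issue: str


def audit_passwd(text: str) -> list[Finding]:
    """Return one Finding per account whose passwd entry exposes something it should not."""
    findings = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            findings.append(Finding(fields[0], "malformed entry (expected 7 colon-separated fields)"))
            continue
        user, pw_field = fields[0], fields[1]
        if pw_field == "":
            findings.append(Finding(user, "empty password field: login without a password"))
        elif pw_field not in NO_HASH_MARKERS:
            findings.append(Finding(user, "password hash stored in passwd; move it to the shadow file"))
    return findings


def shadow_mode_ok(mode: int, owner_uid: int) -> bool:
    """A shadow file should be owned by root and carry no permission bits for 'other'."""
    return owner_uid == 0 and (mode & 0o007) == 0


if __name__ == "__main__":
    # Pass a path to audit a real file; with no argument the constructed sample is used.
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path).read() if path else SAMPLE_PASSWD
    for f in audit_passwd(text):
        print(f"{f.user}: {f.issue}")
```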
Use of this site is subject to certain Terms & Conditions. Copyright (c) 1996-1999 EarthWeb, Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of EarthWeb is prohibited. Please read our privacy policy for details.