c11e

1o wuys to secore borderless networks

ute: OcLober qLI, zoo;
Aothor: Debru ILLIejoIn SIInder
Cutegory: 1o LIIngs, SecurILy, NeLwork udmInIsLruLIon
Tugs: IrewuII, MIcrosoIL Access, NeLwork, OperuLIng SysLem, DuLu, EncrypLIon, User,
AuLIenLIcuLIon, CompuLer, denLILy MunugemenL, PSec, ederuLed denLILy MunugemenL SysLem,
EncrypLIng IIe SysLem, PGP NeLSIure, EnLrusL EnLeIIIgence MedIu SecurILy, TrunsporL uyer
SecurILy, MIcrosoIL WIndows, SecurILy, AuLIenLIcuLIonJEncrypLIon, NeLworkIng, OperuLIng
SysLems, SoILwure, Debru ILLIejoIn SIInder
Compuny neLworks ure undergoIng so-cuIIed de-perImeLerIzuLIon, us onIIne coIIuboruLIon wILI
purLners, cusLomers, LeIecommuLers, und oLIers ouLsIde LIe pIysIcuI AN becomes more und more
ImporLunL Lo doIng busIness. AL LIe sume LIme, LIese users ure ubIe Lo connecL Lo compuny
resources wILI u wIder vurIeLy oI devIces, IncIudIng smurLpIones, BIuckberrIes, und oLIer IundIeId
devIces.TIIs Is greuL In Lerms oI uccess, buL noL so greuL In Lerms oI securILy. TIe oId securILy modeI
Is dependenL on border puLroI vIu IIrewuIIs, InLrusIon deLecLIon und prevenLIon sysLems, DMZs,
und oLIer perImeLer proLecLIon meLIods. n LIe new, borderIess neLwork, LIe Iocus sIIILs Lo
proLecLIon oI LIe duLu ILseII.
Here ure 1o LecInoIogIes you sIouId be IookIng uL Lo IeIp secure your borderIess neLwork.
Note: This injormction is clso ctcilcble cs c PDI dounlocd.
=1: Strong und molti-Iuctor uothenticution
User uuLIenLIcuLIon Iocuses on wIo Is requesLIng uccess, ruLIer LIun wIere LIey`re IocuLed. BuL
wIen users cun uccess InLernuI resources Irom unywIere, IL becomes more ImporLunL LIun ever Lo
ensure LIuL LIe uuLIenLIcuLIon process cun`L be cIrcumvenLed.
SLrong uuLIenLIcuLIon meLIods IncIude more LIun jusL provIdIng u pussword; Ior exumpIe, u user
mIgIL be requIred Lo unswer muILIpIe cIuIIenge quesLIons beIore beIng gIven uccess Lo sensILIve
duLu. MuILI-IucLor uuLIenLIcuLIon udds unoLIer eIemenL: TIe user musL provIde u curd, Loken
(someLIIng you hcte), or bIomeLrIc IdenLIIIer, sucI us u IIngerprInL or IrIs scun (someLIIng you
cre), us weII us LIe someLIIng you lnou eIemenL oI pusswords und successIuI unswers Lo
quesLIons.
Some compunIes, sucI us SuIeNeL, Iuve deveIoped enLIre securILy pIuLIorms LurgeLed uL proLecLIng
borderIess neLworks.
=: Cross-compuny identity munugement
CIoseIy reIuLed Lo uuLIenLIcuLIon Is LIe dIIemmu oI IdenLILy munugemenL. denLILy munugemenL
sysLems LIe purLIcuIur peopIe Lo purLIcuIur uccounLs, numes, und uLLrIbuLes. TIe probIem wILI
LrudILIonuI IdenLILy munugemenL sysLems Is LIuL LIey work weII wILIIn LIe borders oI un
orgunIzuLIon buL noL us weII wILI users ouLsIde LIe orgunIzuLIon. TIuL`s wIere cross-orgunIzuLIon,
or jedercted, IdenLILy munugemenL comes In.
A IederuLed IdenLILy munugemenL (M) sysLem uIIows purLner compunIes Lo uuLIenLIcuLe eucI
oLIers` users. MIcrosoIL`s denLILy nLegruLIon Server (MS) und ILs successor, denLILy IIecycIe
Munuger (M), ure exumpIes oI producLs LIuL cun provIded Ior IederuLIon-wIde IdenLILy
munugemenL. AnoLIer opLIon Is RSA`s ederuLed denLILy Munuger.
=: Host-bused secority soItwure
A borderIess neLwork doesn`L meun LIe IIrewuII Is deud; IL`s jusL moved. AcLuuIIy, mosL compunIes
uren`L doIng uwuy wILI LIeIr perImeLer IIrewuIIs - we Iuven`L goLLen quILe thct de-perImeLerIzed
yeL. BuL wIen LIose borders uren`L us LIgIL us LIey used Lo be, IL`s u good Ideu Lo InsLuIIJuse
IosL-bused IIrewuIIs, unLIvIrus, und oLIer securILy producLs Lo cuLcI LIose LIreuLs LIuL muke IL pusL
LIe edge IIrewuIIs. TIIs gIves you u doubIe dose oI proLecLIon.
TIe IuLesL versIons oI WIndows cIIenL und server operuLIng sysLems come wILI IIrewuII und
unLI-spywure progrums buIIL In, und numerous LIIrd-purLy IosL-bused producLs ure uvuIIubIe.
=q: Applicution-level secority
AppIIcuLIon-IeveI securILy Is InLegruLed InLo LIe user or busIness uppIIcuLIon progrum und cun
provIde crypLogrupIIc servIces, sucI us non-repudIuLIon LIrougI dIgILuI sIgnuLures or seIecLIve
IIeId encrypLIon. TIIs gIves you good proLecLIon uguInsL InsIder uLLucks (wIIcI becomes even
more ImporLunL In LIe borderIess neLwork, wIere LIe IInes beLween InsIder und ouLsIder ure
bIurred).
=g: Policy-bused integrity enIorcement
WIen users ure connecLIng Lo your InLernuI resources Irom vurIous IocuLIons vIu compuLers you
don`L conLroI, IL becomes especIuIIy ImporLunL Lo ensure LIe InLegrILy oI LIose sysLems. You wunL Lo
be ussured LIuL LIey ure runnIng LIuL IosL-bused securILy soILwure (IIrewuII, unLIvIrus, eLc.) und
Iuve InsLuIIed securILy upduLes Lo mInImIze LIe cIunces LIuL un InIecLed remoLe sysLem wIII spreud
muIwure or uLLucks Lo oLIer compuLers on your neLwork.
To do LIIs, you cun use poIIcy-bused InLegrILy sysLems, sucI us MIcrosoIL`s NeLwork Access
ProLecLIon (NAP), wIIcI Is u poIIcy enIorcemenL sysLem buIIL InLo WIndows Server zoo8, VIsLu,
und WIndows XP ServIce Puck , or CIsco`s NeLwork AdmIssIon ConLroI (NAC), wIIcI IIkewIse
resLrIcLs connecLIon oI devIces LIuL uren`L compIIunL or LrusLed.
=6: utu-centric uccess controls
IIe-IeveI uccess conLroIs, sucI us NTS permIssIons, IeIp proLecL duLu wIeLIer IL`s uccessed Irom u
remoLe compuLer, un InLernuI compuLer, or LIe IocuI mucIIne, mukIng proLecLIon more
duLu-cenLrIc. Access Is grunLed or denIed bused on IndIvIduuI user uccounLs or group membersIIp
und Is noL dependenL on LIe pIysIcuI IocuLIon oI LIe user.
=,: Iile-level encryption
EncrypLIon oI IndIvIduuI duLu IIIes cun be uccompIIsIed usIng LIe EncrypLIng IIe SysLem (ES)
buIIL InLo modern WIndows operuLIng sysLems. TIe IuLesL versIons oI ES uIIow LIe creuLorJowner
oI LIe IIIe Lo specIIy oLIer users wIo cun sIureJuccess LIe encrypLed IIIe. ES Is cerLIIIcuLe bused,
und users cun exporL LIeIr ES cerLIIIcuLes und prIvuLe keys Lo removubIe medIu so LIuL IL does noL
remuIn on LIe compuLer wIen LIey`re noL usIng IL.
AILernuLIveIy, LIIrd-purLy duLu encrypLIon soILwure, sucI us CypIerIx, cun be used Lo encrypL
IndIvIduuI IIIes, IoIders, e-muII messuges, eLc., IncIudIng LIe duLu on removubIe medIu. PGP
NeLSIure Is desIgned Lo encrypL IIIes und IoIders used by coIIuboruLIon Leums. EnLrusL EnLeIIIgence
MedIu SecurILy Is u IIIe encrypLIon uppIIcuLIon LIuL wIII uuLomuLIcuIIy encrypL duLu suved Lo specIIIc
IoIders. Muny oLIer IIIe encrypLIon producLs ure uvuIIubIe.
=S: Ioll disk encryption
uII dIsk encrypLIon proLecLs boLI porLubIe und deskLop compuLers In LIe borderIess neLwork
envIronmenL by encrypLIng enLIre voIumes. An exumpIe Is LIe BILocker IeuLure LIuL`s IncIuded In
WIndows VIsLu UILImuLe und EnLerprIse edILIons. L cun be used In conjuncLIon wILI u TrusLed
PIuLIorm ModuIe (TPM) Iurdwure cIIp Lo prevenL someone wIo sLeuIs or guIns pIysIcuI uccess Lo u
compuLer Irom beIng ubIe Lo booL LIe operuLIng sysLem or uccess LIe IIIes on LIe voIume, even by
booLIng unoLIer InsLunce oI un OS.
BILocker, unIIke some dIsk-IeveI encrypLIon progrums, encrypLs LIe operuLIng sysLem purLILIon,
noL jusL duLu purLILIons. TIIs meuns LIe puge IIIe und Lemp IIIes, wIIcI oILen conLuIn copIes oI duLu
LIuL mIgIL be sensILIve, ure encrypLed.
TIIrd-purLy producLs, sucI us SuIeGuurd`s Eusy Hurd DIsk EncrypLIon, ure uIso uvuIIubIe.
=q: Ind-to-end encryption
IIe-IeveI und IuII dIsk encrypLIon proLecL LIe duLu onIy wIIIe IL`s on LIe Iurd dIsk. To proLecL duLu
wIen IL`s LruveIIng over LIe neLwork, you cun use Psec, wIIcI operuLes uL LIe neLwork Iuyer oI LIe
OS modeI und LIus requIres no cIunges Lo or uwureness oI uppIIcuLIons. Psec cun provIde duLu
encrypLIonJconIIdenLIuIILy, uuLIenLIcuLIon, or boLI, usIng pubIIc key encrypLIon und dIgILuI
cerLIIIcuLes. Psec Is un open sLundurd und Is supporLed by modern WIndows operuLIng sysLems.
DuLu cun uIso be proLecLed In LrunsIL over LIe neLwork by usIng u IIgIer IeveI encrypLIon proLocoI,
sucI us SSJTS. TrunsporL uyer SecurILy (TS) Is LIe successor Lo Secure SockeLs uyer (SS).
AIso bused on pubIIc key encrypLIon, SSJTS Is oILen used Ior sendIng secure duLu Lo Web servers.
=1o: Rights munugement
n LIe borderIess neLwork, securILy probIems urIse noL jusL In regurd Lo wIuL duLu cun be uccessed
by wIom, buL uIso In regurd Lo wIuL LIose wILI IegILImuLe uccess do wILI LIuL duLu once LIey
receIve IL. RIgILs munugemenL uLLempLs Lo conLroI wIuL u recIpIenL oI un e-muII messuge or
documenL cun do wILI IL.
WIndows RIgILs MunugemenL ServIces (RMS) cun resLrIcL LIe recIpIenL`s ubIIILy Lo suve, Iorwurd,
copy, or cIunge LIe duLu und cun even seL un expIruLIon duLe so LIuL LIe recIpIenL cun no Ionger
even uccess LIe duLu uILer u specIIIed LIme perIod. TIIs IeIps prevenL securILy Ieuks cuused by
deIIberuLe or InudverLenL mIsIundIIng oI sensILIve duLu.
Cross-compuny soIuLIons Ior RMS ure uvuIIubIe Irom LIIrd-purLy compunIes sucI us GIguTrusL.
Debru ILLIejoIn SIInder Is u LecInoIogy consuILunL, LruIner und wrILer wIo Ius uuLIored u
number oI books on compuLer operuLIng sysLems, neLworkIng, und securILy. TIese IncIude Scene oj
the Cbercrime: Computer Iorensics Hcndbool, pubIIsIed by Syngress, und Computer
Netuorlin Essenticls, pubIIsIed by CIsco Press. SIe Is co-uuLIor, wILI Ier Iusbund, Dr. TIomus
SIInder, oI Troubleshootin Windous zooo TCP,IP, LIe besL-seIIIng Conjiurin ISA Serter
zooo, und ISA Serter cnd eond.
Truckbucks
TIe UR Lo TruckBuck LIIs enLry Is:
http:,,blos.techrepublic.com.com,:othins,up-trcclbccl.php?p=z((
No Lruckbucks yeL.
CopyrIgIL zoo; CNET NeLworks, nc. AII RIgILs Reserved.
o