Chapter 6 Security-oriented Policy

[Figure: structure of the security policy (security policy, security standard, security strategy, security system) and the areas it covers: physical security, technical security, external link (public), internal use (mail, WWW), remote accessing, operation and support, in-house server.]

6. Security-oriented Policy

6.1 Security Policy

When disclosing information to two or more users (inside or outside the organization) and having them share it, the information must be protected against unauthorized access and falsification.

(1) Determining the security policy
Establish the security policy and standard, and determine the security strategies, such as the scope and depth of the information to be disclosed.

* Security policy
The security policy is a representation of the results of structuring the organization's rules on information security. A security policy is made up primarily of the "security policy (in a narrow sense)", which expresses the organization's approach to security, the "standard", which is the code of conduct set forth for each division, and the "procedures", which make up the actual actions.

(2) Designing the security
Study the security technologies that can be introduced and the placement of servers according to the security policy set forth. Also consider the operation system, which involves, for example, log monitoring and application of security patches.
6-1 All Rights Reserved, Copyright (c) 2003, Hitachi Information Academy Co. Ltd

Requirements and major countermeasures by area:

Area                  Requirement                        Major countermeasure
Internet connection   Access restrictions                Installing firewall; Web filtering software
                      Intrusion detection                Installing IDS
                      Encryption (VPN)                   IPsec, SSL, S/MIME
                      Protection from virus infection    Antivirus software
Server security       Falsification protection           Falsification prevention software
                      Authentication                     Physical authentication software, SSL, PKI
Remote accessing      Authentication                     PAP, CHAP, callback

[Figure: router and firewall placement, showing the dual filtering arrangement and the third segment (DMZ) arrangement in front of the in-house network.]

6.2 Internet Connection

6.2.1 Routers and Firewall

Take adequate security measures when releasing servers to the Internet, as such servers will be exposed to accesses from the general public. Introduce routers or a firewall system to restrict access. For access restriction to work, the communication flow of each job (http, smtp, ftp, etc.) must be well understood, and only legitimate communications passed.

* Routers (packet filtering)
Routers can be used to perform filtering according to the destination IP address or port number.

* Firewall
A firewall can perform filtering according to the contents of the application in addition to the destination IP address and port number, so that the user can exercise fine control of the communications flow.

The following approaches are used to install routers, firewalls, or servers:

(1) Dual filtering
A firewall (or router) is used to connect to the outside world and a router (or firewall) is used for the connection within the local network, constructing a dual filtering system.
In this case, it is desirable that different types of products be used as the two "walls".

(2) Third segment
In this approach, the firewall system is provided with a DMZ segment so that all communications can be controlled at the firewall. The third segment system requires fewer devices and can therefore be introduced at low cost.

[Figure: IDS placement: external network, firewall/router, DMZ, network-type IDS, in-house network.]

6.2.2 IDS (Intrusion Detection System)

An IDS can detect unauthorized accesses by monitoring each incoming packet, and can preclude unauthorized accesses by cutting off illegal communications.

(1) Network type
A network type IDS monitors packets on the network and, when a packet matches an unauthorized access pattern (signature), notifies the console to that effect and cuts off the communication.

(2) Host type
A host type IDS monitors the network interface, files, and log data on the server to detect unauthorized accesses. Host type IDSs can accommodate the unique configuration of individual servers but cannot supervise the overall network.

[Figure: encryption: VPN (IPSec) between sites, SSL/SSH from client to server, S/MIME between clients.]

6.2.3 Encryption

Since most Internet-compatible protocols such as HTTP, SMTP, and TELNET conduct communications in the ASCII format (that is, as plain text), there is always a risk of wiretapping within the LAN or over the Internet. Various forms of encryption are used to protect data from wiretapping.

(1) IPSec
IPSec is a protocol standardized by the IETF and used primarily in intersite communication (VPN). IPSec allows the authentication and encryption methods to be selected freely.

(2) SSH
SSH is an authentication/encryption system used during remote login sessions on UNIX-derived OSs.
(3) SSL
SSL (Secure Socket Layer) is an encryption/authentication system proposed by Netscape Corp. It uses the electronic certificate of the server to allow the client and server to share the encryption keys. SSL supports TCP applications and is used primarily for HTTP communication.

(4) S/MIME
S/MIME adds encrypted information to MIME (Multipurpose Internet Mail Extensions). It is used mainly for e-mail communication. The user needs to obtain an electronic certificate to use S/MIME.

[Figure: remote accessing: the sender's number is checked first, then user authentication with CHAP or PAP is performed at the in-house server.]

6.3 Remote Accessing

The network must be managed so that only authorized users can gain access through dialup (ISDN or subscriber line) calls originated from outside networks or PCs. The caller ID and PPP authentication services must be used in a remote accessing environment.

(1) ID call service
ISDN provides a service that notifies the receiver of the caller's ID. This ID is checked, and access is given only when it is found to be registered. Any calls whose ID is not registered are rejected. Spoofing users can be excluded by making a callback to the sender's phone number.

(2) PPP authentication
A PPP (point-to-point) user authentication facility can be used on the access server that accepts remote accesses. The available user authentication protocols include PAP (Password Authentication Protocol) and CHAP (Challenge Handshake Authentication Protocol). In PAP and CHAP, ID and password are exchanged between the user and the access server. RADIUS (Remote Authentication Dial-in User Service), TACACS (Terminal Access Controller Access Control System), and TACACS+ are protocols for communication between the authentication server and the access server that support only the authentication services.
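The PPP authentication exchange of 6.3 (2), worked through as an added example that is not part of the chapter: the access server issues a random challenge, the client answers with the MD5 CHAP response of RFC 1994 (MD5 over identifier, secret and challenge), and a PAP check sits beside it for comparison. The user table, the secret and the helper names are constructed for this example; only the challenge and the digest cross the link in CHAP, and a reused challenge is rejected.

```python
import hashlib
import hmac
import os

# Constructed credential table held by the access server (in practice often by the
# RADIUS/TACACS+ server behind it); the secret value is made up for this example.
USERS = {"alice": b"correct-horse"}


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """Client side of CHAP (MD5): Response = MD5(Identifier || secret || Challenge).
    Only identifier, name and this digest cross the link; the secret does not."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class AccessServer:
    def __init__(self, users):
        self.users = users
        self.next_id = 0
        self.pending = {}          # identifier -> challenge still awaiting a response

    def challenge(self):
        """Issue a fresh random challenge under a new identifier."""
        self.next_id = (self.next_id + 1) % 256
        chal = os.urandom(16)
        self.pending[self.next_id] = chal
        return self.next_id, chal

    def verify_chap(self, identifier, name, response):
        chal = self.pending.pop(identifier, None)   # each challenge is usable once
        secret = self.users.get(name)
        if chal is None or secret is None:
            return False
        return hmac.compare_digest(chap_response(identifier, secret, chal), response)

    def verify_pap(self, name, password):
        """PAP for comparison: the password itself is what arrives over the link."""
        return hmac.compare_digest(self.users.get(name, b""), password)


def demo():
    srv = AccessServer(USERS)
    ident, chal = srv.challenge()
    good = srv.verify_chap(ident, "alice", chap_response(ident, USERS["alice"], chal))
    replay = srv.verify_chap(ident, "alice", chap_response(ident, USERS["alice"], chal))
    ident2, chal2 = srv.challenge()
    bad = srv.verify_chap(ident2, "alice", chap_response(ident2, b"guess", chal2))
    return {"chap_ok": good, "chap_replay": replay, "chap_wrong_secret": bad,
            "pap_ok": srv.verify_pap("alice", b"correct-horse")}
```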

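Returning to 6.2.1 and 6.2.2, an added example (not from the chapter) of the third segment arrangement in code: a packet filter with one allow entry per legitimate job flow and a default deny, followed by a network-type IDS stage that matches a signature, notifies the console and cuts off the offending source. Addresses, the rule table, the signature and all names are constructed for this example.

```python
from collections import namedtuple

# Fields of one packet as the filter sees them; payload is inspected only by the IDS stage.
Packet = namedtuple("Packet", "src dst proto dport payload", defaults=[b""])

# Constructed addresses: 203.0.113.x is the public Internet side, 192.0.2.x the DMZ
# segment and 10.x.x.x the in-house network.
DMZ_WEB, DMZ_MAIL = "192.0.2.10", "192.0.2.25"
# One entry per legitimate job flow (6.2.1); a packet matching nothing is dropped.
ALLOW = [
    ("any", DMZ_WEB, "tcp", 80),   # http from anywhere to the DMZ web server
    ("any", DMZ_MAIL, "tcp", 25),  # smtp from anywhere to the DMZ mail relay
    ("10.", DMZ_MAIL, "tcp", 25),  # in-house hosts hand outbound mail to the relay
]

def matches(rule, p):
    src, dst, proto, dport = rule
    return (src == "any" or p.src.startswith(src)) and (p.dst, p.proto, p.dport) == (dst, proto, dport)

class Perimeter:
    def __init__(self, allow, signatures):
        self.allow = allow
        self.signatures = signatures   # name -> byte pattern (network-type IDS, 6.2.2)
        self.cut_off = set()           # sources whose communication was cut off
        self.console = []              # notifications sent to the IDS console

    def inspect(self, p):
        """Return 'drop' (filter), 'cut' (IDS) or 'pass'."""
        if p.src in self.cut_off:
            return "cut"
        if not any(matches(r, p) for r in self.allow):
            return "drop"
        for name, pattern in self.signatures.items():
            if pattern in p.payload:
                self.console.append(f"{name} from {p.src} to {p.dst}:{p.dport}")
                self.cut_off.add(p.src)
                return "cut"
        return "pass"

def demo():
    fw = Perimeter(ALLOW, {"path-traversal": b"../.."})   # constructed signature
    traffic = [
        Packet("203.0.113.5", DMZ_WEB, "tcp", 80, b"GET /index.html"),   # legitimate http
        Packet("203.0.113.5", "10.1.1.20", "tcp", 80),                   # Internet straight to in-house
        Packet("10.1.1.5", DMZ_MAIL, "tcp", 25, b"MAIL FROM:<a@b>"),     # in-house to mail relay
        Packet("203.0.113.7", DMZ_WEB, "tcp", 80, b"GET /../../"),       # matches a signature
        Packet("203.0.113.7", DMZ_WEB, "tcp", 80, b"GET /index.html"),   # source already cut off
    ]
    return [fw.inspect(p) for p in traffic], fw.console
```

Packets that match no allow entry never reach the IDS stage, so a signature only has to cover traffic the policy already permits.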