Chapter 6 Security-oriented Policy
[Figure: overview of security-oriented policy. Security policy, security standard, security strategy and security system; physical security, technical security, operation and support; external link (public), Internet use (mail, WWW), remote accessing, in-house server.]
6. Security-oriented Policy
6.1 Security Policy
When disclosing information to two or more users (inside or outside) and having them
share the information, it is necessary to protect the information against unauthorized
access and falsification.
(1) Determining the security policy
Establish the security policy and standard and determine the security strategies such as
the scope and depth of the information to be disclosed.
* Security policy
The security policy is a representation of the results of structuring the organization's
rules on information security. A security policy is made up primarily of the "security
policy (in a narrow sense)", which expresses the organization's approach to security,
the "standard", which sets out the codes of conduct for each division, and the
"procedures", which define the actual actions.
(2) Designing the security
Study the security technologies that can be introduced and the placement of servers
according to the security policy set forth. Also consider the operational scheme, which
involves, for example, log monitoring and application of security patches.
6-1
All Rights Reserved, Copyright (c) 2003, Hitachi Information Academy Co. Ltd
Item                 Requirement                      Major countermeasure
-------------------  -------------------------------  ------------------------------------------
Internet connection  Access restrictions              Installing firewall, Web filtering software
                     Intrusion detection              Installing IDS
                     Encryption (VPN)                 IPsec, SSL, S/MIME
                     Protection from virus infection  Antivirus software
Server security      Falsification protection         Falsification prevention software
                     Authentication                   Physical authentication software, SSL, PKI
Remote accessing     Authentication                   PAP, CHAP, callback
[Figure: router and firewall placement. (1) Dual filtering: two walls in series between the Internet and the in-house network. (2) Third segment: a firewall with a DMZ segment in front of the in-house network.]
6.2 Internet Connection
6.2.1 Routers and Firewall
Take adequate security measures when releasing servers to the Internet, as such servers
will be exposed to accesses from the general public. Introduce routers or a firewall system
to restrict accesses. For access restriction to work, the communication flow of each job
(http, smtp, ftp, etc.) must be well understood, so that only legitimate communications
are passed.
* Routers (packet filtering)
Routers can be used to perform filtering according to the destination IP address or
port number.
* Firewall
A firewall can perform filtering according to the contents of the application in
addition to the destination IP address and port number, so that the user can exercise
fine control of the communications flow.
The following approaches are used to install routers, firewalls, or servers:
(1) Dual filtering
A firewall (or router) is used to connect to the outside world and a router (or firewall) is
used for connection within the local network, to construct a dual filtering system.
In this case, it is desirable that different types of products be used as the two "walls",
so that a flaw in one product does not defeat both.
(2) Third segment
In this approach, the firewall system is provided with a DMZ segment so that all
communications can be controlled at the firewall. The third segment system requires
fewer devices and can therefore be introduced at low cost.
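The following is an added example, not part of the original text, showing in Python the packet-filtering logic described above: a rule list evaluated top-down with a default of deny, applied as two walls (an outer wall between the Internet and the DMZ, an inner wall between the DMZ and the in-house network) as in the dual filtering arrangement. The address plan, zone names, rules and sample packets are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed example of router/firewall packet filtering with two walls
# (dual filtering). Addresses, zones and rules are illustrative only.


@dataclass(frozen=True)
class Packet:
    src: str      # source IP address
    dst: str      # destination IP address
    proto: str    # "tcp", "udp" or "icmp"
    dport: int    # destination port (0 for icmp)


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # address or CIDR, or "any"
    dst: str               # address or CIDR, or "any"
    proto: str             # "tcp", "udp", "icmp" or "any"
    dport: Optional[int]   # None matches any port

    def matches(self, p: Packet) -> bool:
        return (_in_net(p.src, self.src) and _in_net(p.dst, self.dst)
                and self.proto in ("any", p.proto)
                and self.dport in (None, p.dport))


def _in_net(addr: str, net: str) -> bool:
    return net == "any" or ipaddress.ip_address(addr) in ipaddress.ip_network(net)


def filter_packet(rules: List[Rule], p: Packet) -> str:
    """First matching rule decides; a packet that matches nothing is denied.
    This default deny is what 'pass only legitimate communications' means."""
    for rule in rules:
        if rule.matches(p):
            return rule.action
    return "deny"


# Constructed address plan: a DMZ behind the outer wall, the in-house
# network behind the inner wall.
DMZ = "192.0.2.0/24"
INHOUSE = "10.0.0.0/8"
WEB_SERVER = "192.0.2.10"      # published Web server in the DMZ
MAIL_RELAY = "192.0.2.25"      # published SMTP relay in the DMZ
INHOUSE_MAIL = "10.1.1.25"     # internal mail server, never reachable directly

# Outer wall: only the published services are reachable from the Internet;
# in-house users may browse out on port 80.
OUTER_RULES = [
    Rule("permit", "any", WEB_SERVER, "tcp", 80),
    Rule("permit", "any", MAIL_RELAY, "tcp", 25),
    Rule("permit", INHOUSE, "any", "tcp", 80),
]

# Inner wall: only the mail relay may speak SMTP to the internal mail server;
# in-house users may browse out. Everything else from the DMZ is dropped, so a
# compromised DMZ host cannot roam the internal network.
INNER_RULES = [
    Rule("permit", MAIL_RELAY, INHOUSE_MAIL, "tcp", 25),
    Rule("permit", INHOUSE, "any", "tcp", 80),
]


def zone_of(addr: str) -> str:
    a = ipaddress.ip_address(addr)
    if a in ipaddress.ip_network(DMZ):
        return "dmz"
    if a in ipaddress.ip_network(INHOUSE):
        return "inhouse"
    return "internet"


def dual_filter(p: Packet) -> str:
    """A packet crosses the outer wall whenever the Internet is one endpoint
    and the inner wall whenever the in-house network is one endpoint; it must
    be permitted by every wall it crosses."""
    zones = {zone_of(p.src), zone_of(p.dst)}
    if "internet" in zones and filter_packet(OUTER_RULES, p) != "permit":
        return "deny (outer wall)"
    if "inhouse" in zones and filter_packet(INNER_RULES, p) != "permit":
        return "deny (inner wall)"
    return "permit"


if __name__ == "__main__":
    for pkt in [Packet("203.0.113.5", WEB_SERVER, "tcp", 80),
                Packet("203.0.113.5", WEB_SERVER, "tcp", 23),
                Packet("203.0.113.5", INHOUSE_MAIL, "tcp", 25),
                Packet(MAIL_RELAY, INHOUSE_MAIL, "tcp", 25),
                Packet(WEB_SERVER, INHOUSE_MAIL, "tcp", 25)]:
        print(pkt, "->", dual_filter(pkt))
```

The inner wall is what gives dual filtering its value: a Web server in the DMZ that is taken over can still not open connections into the in-house network, because only the mail relay's SMTP traffic is permitted there.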
[Figure: IDS placement. External network, firewall/router, DMZ, in-house network.]
6.2.2 IDS (Intrusion Detection System)
An IDS can detect unauthorized accesses by monitoring each incoming packet and
preclude unauthorized accesses by cutting off illegal communications.
(1) Network type
A network type IDS monitors packets on the network and, when a packet matches
an unauthorized access pattern (signature), notifies the console to that effect and
cuts off the communication.
(2) Host type
A host type IDS monitors the network interface, files, and log data on the server to
detect unauthorized accesses. Host type IDSs can accommodate the unique
configuration of individual servers but cannot supervise the overall network.
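As an added example, not taken from the original text, the Python below shows both IDS types in miniature: a network-type check that matches packet payloads against attack-pattern signatures, and a host-type check that detects falsification of monitored files by comparing their hashes to a baseline taken while the server was known-good. The signatures, file paths and file contents are constructed for illustration and are not a real rule set.

```python
import hashlib
import re
from typing import Dict, List

# Constructed example of the two IDS types described in the text.
# Signatures, file contents and paths are illustrative only.

# --- Network type: match each packet payload against attack-pattern signatures ---
SIGNATURES = [
    # (name, pattern) - constructed for the example, not a real rule set
    ("directory traversal in HTTP request", re.compile(rb"\.\./\.\./")),
    ("oversized FTP USER field", re.compile(rb"^USER [^\r\n]{200,}", re.M)),
]


def inspect_payload(payload: bytes) -> List[str]:
    """Names of all signatures the payload matches; an empty list means clean.
    A network IDS raises a console alert for each hit and, as the text says,
    may cut the connection."""
    return [name for name, pattern in SIGNATURES if pattern.search(payload)]


# --- Host type: detect falsification of monitored files against a baseline ---
def digest(content: bytes) -> str:
    return hashlib.sha256(content).hexdigest()


def take_baseline(files: Dict[str, bytes]) -> Dict[str, str]:
    """Record a hash of every monitored file while the server is known-good."""
    return {path: digest(data) for path, data in files.items()}


def check_integrity(baseline: Dict[str, str], files: Dict[str, bytes]) -> Dict[str, str]:
    """Report each monitored file that was modified, removed, or newly added."""
    report = {}
    for path, known in baseline.items():
        if path not in files:
            report[path] = "missing"
        elif digest(files[path]) != known:
            report[path] = "modified"
    for path in files.keys() - baseline.keys():
        report[path] = "added"
    return report


# Constructed server snapshot (path -> content) for the host-type check.
SAMPLE_FILES = {
    "/etc/passwd": b"root:x:0:0:root:/root:/bin/sh\n",
    "/var/www/index.html": b"<h1>Welcome</h1>\n",
}

if __name__ == "__main__":
    print(inspect_payload(b"GET /../../secret.txt HTTP/1.0\r\n"))
    baseline = take_baseline(SAMPLE_FILES)
    tampered = dict(SAMPLE_FILES, **{"/var/www/index.html": b"<h1>Defaced</h1>\n"})
    print(check_integrity(baseline, tampered))
```

The two halves illustrate the trade-off the text names: the signature check sees every packet on the segment but knows nothing about what is on a given server, while the integrity check knows exactly which files matter on one host but sees nothing beyond it.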
[Figure: encryption. VPN (IPsec): site to site. SSL/SSH: client to server. S/MIME: client to client.]
6.2.3 Encryption
Since most Internet-compatible protocols such as HTTP, SMTP, and TELNET
communicate in plain ASCII text, there is always a risk of wiretapping within the LAN
or over the Internet. Various forms of encryption are used to protect data from
wiretapping.
(1) IPsec
IPsec is a protocol standardized by the IETF and used primarily in intersite
communication (VPN). IPsec allows the authentication and encryption methods
to be selected freely.
(2) SSH
SSH is an authentication/encryption system used during remote login sessions on
UNIX-derived OSs.
(3) SSL
SSL (Secure Sockets Layer) is an encryption/authentication system proposed by
Netscape Corp. It uses the server's electronic certificate to allow the client
and server to share the encryption keys. SSL supports TCP applications and
is used primarily for HTTP communication.
(4) S/MIME
S/MIME adds encrypted information to MIME (Multipurpose Internet Mail
Extensions). It is used mainly for e-mail communication. The user needs to obtain
an electronic certificate to use S/MIME.
[Figure: remote accessing. Check the sender (caller) number; user authentication using CHAP or PAP; in-house server.]
6.3 Remote Accessing
The network must be managed so that only authorized users can gain access through
dialup (ISDN or subscriber line) calls originated from outside networks or PCs. Caller
ID and PPP authentication services must be used in a remote accessing
environment.
(1) Caller ID service
ISDN provides a service that notifies the receiver of the caller's ID. This ID is
checked, and access is given only when it is found to be registered. Any call
whose ID is not registered is rejected. Spoofing users can be excluded by
making a callback to the sender's registered phone number.
(2) PPP authentication
A PPP (point-to-point protocol) user authentication facility can be used on the access
server that accepts remote accesses. The available user authentication protocols
include PAP (Password Authentication Protocol) and CHAP (Challenge
Handshake Authentication Protocol). In PAP and CHAP, ID and password are
exchanged between the user and the access server.
RADIUS (Remote Authentication Dial-in User Service), TACACS (Terminal
Access Controller Access-Control System), and TACACS+ are protocols for
communication between the authentication server and the access server that support
only the authentication services.
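The exchange described above, as an added Python example that is not part of the original text: caller-ID screening in front, then the two PPP methods side by side. In PAP the password itself is placed in the request and crosses the link in the clear. In CHAP (RFC 1994) the access server sends a random challenge and the client answers with MD5 over the identifier, the shared secret and the challenge, so the secret never crosses the link and a captured response does not verify against a fresh challenge. The user table, secret and phone numbers are constructed; a real access server would consult RADIUS or TACACS+ for them.

```python
import hashlib
import hmac
import os
from typing import Tuple

# Constructed example of ISDN caller-ID screening followed by PPP authentication
# with PAP or CHAP. User data, secret and caller numbers are illustrative.

USERS = {"alice": b"correct horse battery staple"}      # user -> shared secret
REGISTERED_CALLER_IDS = {"alice": "0312345678"}          # user -> permitted ISDN caller number


def caller_id_check(user: str, caller_id: str) -> bool:
    """Caller-ID screening: only a registered number may even start authenticating."""
    return REGISTERED_CALLER_IDS.get(user) == caller_id


# --- PAP: the password itself is placed in the request and crosses the link ---
def pap_request(user: str, password: bytes) -> dict:
    return {"user": user, "password": password}


def pap_verify(request: dict) -> bool:
    return hmac.compare_digest(USERS.get(request["user"], b""), request["password"])


# --- CHAP (RFC 1994): response = MD5(identifier || secret || challenge). Only the
#     challenge and the response cross the link; the secret itself never does. ---
def chap_challenge() -> bytes:
    return os.urandom(16)


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


def chap_verify(user: str, identifier: int, challenge: bytes, response: bytes) -> bool:
    secret = USERS.get(user)
    if secret is None:
        return False
    return hmac.compare_digest(chap_response(identifier, secret, challenge), response)


def remote_login_chap(user: str, secret: bytes, caller_id: str) -> Tuple[bool, str]:
    """Whole sequence as the access server sees it: caller-ID screening first,
    then the CHAP exchange. Returns (accepted, reason)."""
    if not caller_id_check(user, caller_id):
        return False, "call rejected: caller ID not registered"
    identifier, challenge = 1, chap_challenge()               # sent by the access server
    response = chap_response(identifier, secret, challenge)   # computed by the client
    if chap_verify(user, identifier, challenge, response):
        return True, "authenticated"
    return False, "authentication failed"


if __name__ == "__main__":
    print(remote_login_chap("alice", USERS["alice"], "0312345678"))
    print(remote_login_chap("alice", USERS["alice"], "0399999999"))
```

The caller-ID check runs before any credential is examined, which is the order the text prescribes: an unregistered number is rejected outright, so password guessing cannot even begin from it.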