
WOLKITE POLYTECHNIC COLLEGE

Ethiopian TVET-System
HARDWARE AND NETWORK SERVICING
Level - IV
LEARNING GUIDE # 3
Unit of Competence: Build Internet Infrastructure
Module Title : Building Internet Infrastructure
LG Code : ICT HNS4 MO3 LO1-5
TTLM Code : ICT HNS4 TTLM 0214

Prepared by Amaha Alemayehu:- ICT Trainer



1. Plan and organize internet infrastructures


Introduction
The Internet is a global system of interconnected computer networks that use the standard Internet
protocol suite (TCP/IP) to serve several billion users worldwide. It is a network of networks that
consists of millions of private, public, academic, business, and government networks, of local to
global scope, that are linked by a broad array of electronic, wireless and
optical networking technologies. The Internet carries an extensive range of information resources and
services, such as the inter-linked hypertext documents of the World Wide Web (WWW) and the
infrastructure to support email.

Most traditional communications media including telephone, music, film, and television are being
reshaped or redefined by the Internet, giving birth to new services such as voice over Internet
Protocol (VoIP) and Internet Protocol television (IPTV). Newspaper, book and other print
publishing are adapting to Web site technology, or are reshaped into blogging and web feeds. The
Internet has enabled and accelerated new forms of human interactions through instant messaging,
Internet forums, and social networking. Online shopping has boomed both for major retail outlets and
small artisans and traders. Business-to-business and financial services on the Internet affect supply
chains across entire industries.

The origins of the Internet reach back to research commissioned by the United States government in the
1960s to build robust, fault-tolerant communication via computer networks. The funding of a new U.S.
backbone by the National Science Foundation in the 1980s, as well as private funding for other
commercial backbones, led to worldwide participation in the development of new networking
technologies, and the merger of many networks. Though the Internet has been widely used by academia
since the 1980s, the commercialization of what was by the 1990s an international network resulted in its
popularization and incorporation into virtually every aspect of modern human life. As of June 2012,
more than 2.4 billion people, over a third of the world's human population, have used the services of the
Internet; approximately 100 times more people than were using it in 1995, when it was mostly used by
tech-savvy middle and upper-class people in the United States and several other countries.


The Internet has no centralized governance in either technological implementation or policies for access
and usage; each constituent network sets its own policies. Only the overreaching definitions of the two
principal name spaces in the Internet, the Internet Protocol address space and the Domain Name
System, are directed by a maintainer organization, the Internet Corporation for Assigned Names and
Numbers (ICANN). The technical underpinning and standardization of the core protocols (IPv4 and
IPv6) is an activity of the Internet Engineering Task Force (IETF), a non-profit organization of loosely
affiliated international participants that anyone may associate with by contributing technical expertise.
The Internet Infrastructure: General perspective
Traditionally, the Internet infrastructure has been divided into backbone and access networks, with the
interface between these two parts of the infrastructure being managed by Internet Service Providers
(ISPs).

The backbone is made of high-speed routers/switches interconnected by large-capacity fiber-optic
links. Backbones can be divided into large national/international backbones and smaller more local
regional/metropolitan backbones. New technologies for backbones are mostly in the area of all-optical
networks. Backbone operators serve mainly ISPs and large or medium companies with complex
communications needs, typically requiring high capacity links to the Internet and the interconnection of
several geographically distant facilities. In terms of industry structure, this is a market with a relatively
small number of operators. There are fewer than 50 national backbones in all of North America. The
backbone business requires very large investments and enjoys considerable economies of scale due to
the cost of installing fiber. Small backbone operators do not usually install fiber cables themselves,
preferring to lease dark fibers from others.

The access infrastructure, connecting businesses and households to regional and national backbones, is
currently the most critical aspect of the communications networks that support the Internet. Although
large corporations can afford sophisticated high-capacity access links, the existing access solutions for
residential customers and small businesses rely mostly on the public switched telephone network
(PSTN). This network, which was built to carry voice, is not adequate for data communications. It
suffers from a bandwidth bottleneck in the local loop and network access requires the setup of a
telephone connection that ties up a telephone line from end-to-end for the entire period that the network
link is active.


Several always-on broadband access solutions have been recently developed in response to these
problems, including Digital Subscriber Line (DSL), cable modems, fixed wireless and satellite. The
large number of homes and small businesses going on-line, together with the increased requirements of
the most recent Internet applications, has drawn substantial attention to this market. The rollout of
broadband access networks is still in its initial phase and requires a large investment in the years to
come in order to bring the benefits of the Internet and advanced data services to households and small
businesses.

Internet service providers constitute the interface between backbones and access networks. Their main
service is to terminate a large number of access connections from their customers and to offer
connectivity to national backbones.
Today, the large majority of access connections are switched telephone circuits using voice-grade
modems. These narrowband access links are terminated at modem banks and statistically multiplexed
into a packet-switched IP network, allowing a large number of connections to efficiently share a
high-speed pipe to a backbone. The core services offered by ISPs also include administration of IP addresses
for their customers and management of caching systems, which are used to improve the speed at which
content is delivered. ISPs offer other complementary services such as e-mail, web hosting, content filtering,
news boards and chat rooms. Although these services do not necessarily have to be offered by an ISP, they
are usually bundled in the Internet access package. Some ISPs further leverage their relation with the
customer by offering portals to content and e-commerce.

When compared to the access or the backbone, the market for ISPs is very competitive with more than
8,000 companies in the US alone. Most ISPs are local, but there are a few large ISPs with Points of
Presence (POPs) all over the country that control a large share of the market. The high degree of
competition in this market is due to its low barriers to entry. Starting an ISP with a small number of
POPs does not require a large investment and the technology for traditional access based on modems
has already been completely standardized. Many ISPs prefer to outsource the physical access to the
Internet from wholesalers and focus on the business of reselling access and other higher-margin
complementary services to their customers.


With the emergence of broadband access technologies, the interface between the telephone network and
the Internet, which has been the traditional core business of ISPs, disappears. It becomes more difficult
to draw the line dividing the access from the backbone and to define what an ISP is. These technologies
are packet-switched by nature and the concentration of packets from several end-users into high-bandwidth
shared links is performed at the access level, or at least at a level that has traditionally
been part of the access.

Technology
Protocols
The communications infrastructure of the Internet consists of its hardware components and a system of
software layers that control various aspects of the architecture. While the hardware can often be used to
support other software systems, it is the design and the rigorous standardization process of the software
architecture that characterizes the Internet and provides the foundation for its scalability and success.
The responsibility for the architectural design of the Internet software systems has been delegated to the
Internet Engineering Task Force (IETF). The IETF conducts standard-setting work groups, open to any
individual, about the various aspects of Internet architecture. Resulting discussions and final standards
are published in a series of publications, each called a Request for Comments (RFC), freely available
on the IETF web site. The principal methods of networking that enable the Internet are contained in
specially designated RFCs that constitute the Internet Standards. Other less rigorous documents are
simply informative, experimental, or historical, or document the best current practices (BCP) when
implementing Internet technologies.

The Internet standards describe a framework known as the Internet protocol suite. This is a model
architecture that divides methods into a layered system of protocols. The layers correspond to the
environment or scope in which their services operate. At the top is the application layer, the space for
the application-specific networking methods used in software applications, e.g., a web browser program
uses the client-server application model and many file-sharing systems use a peer-to-peer paradigm.
Below this top layer, the transport layer connects applications on different hosts via the network with
appropriate data exchange methods. Underlying these layers are the core networking technologies,
consisting of two layers. The internet layer enables computers to identify and locate each other via
Internet Protocol (IP) addresses, and allows them to connect to one another via intermediate (transit)
networks. Last, at the bottom of the architecture, is a software layer, the link layer, that provides
connectivity between hosts on the same local network link, such as a local area network (LAN) or a
dial-up connection. The model, also known as TCP/IP, is designed to be independent of the underlying
hardware, which the model therefore does not concern itself with in any detail. Other models have been
developed, such as the Open Systems Interconnection (OSI) model, but they are not compatible in the
details of description or implementation; many similarities exist and the TCP/IP protocols are usually
included in the discussion of OSI networking.

The most prominent component of the Internet model is the Internet Protocol (IP), which provides
addressing systems (IP addresses) for computers on the Internet. IP enables internetworking and in
essence establishes the Internet itself. IP Version 4 (IPv4) is the initial version used on the first
generation of today's Internet and is still in dominant use. It was designed to address up to ~4.3 billion
(10^9) Internet hosts. However, the explosive growth of the Internet has led to IPv4 address exhaustion,
which entered its final stage in 2011, when the global address allocation pool was exhausted. A new
protocol version, IPv6, was developed in the mid-1990s, which provides vastly larger addressing
capabilities and more efficient routing of Internet traffic. IPv6 is currently in growing deployment
around the world, since Internet address registries (RIRs) began to urge all resource managers to plan
rapid adoption and conversion.

IPv6 is not interoperable with IPv4. In essence, it establishes a parallel version of the Internet not
directly accessible with IPv4 software. This means software upgrades or translator facilities are
necessary for networking devices that need to communicate on both networks. Most modern computer
operating systems already support both versions of the Internet Protocol. Network infrastructures,
however, are still lagging in this development. Aside from the complex array of physical connections
that make up its infrastructure, the Internet is facilitated by bi- or multi-lateral commercial contracts
(e.g., peering agreements), and by technical specifications or protocols that describe how to exchange
data over the network. Indeed, the Internet is defined by its interconnections and routing policies.


Fig 1: TCP/IP protocol layers


Routing
Internet service providers connect customers, which represent the bottom of the routing hierarchy, to
customers of other ISPs via other higher or same-tier networks. At the top of the routing hierarchy are
the Tier 1 networks, large telecommunication companies which exchange traffic directly with all other
Tier 1 networks via peering agreements. Tier 2 networks buy Internet transit from other providers to
reach at least some parties on the global Internet, though they may also engage in peering. An ISP may
use a single upstream provider for connectivity, or implement multihoming to achieve redundancy.
Internet exchange points are major traffic exchanges with physical connections to multiple ISPs.

Computers and routers use routing tables to direct IP packets to the next-hop router or destination.
Routing tables are maintained by manual configuration or by routing protocols. End-nodes typically use
a default route that points toward an ISP providing transit, while ISP routers use the Border Gateway
Protocol to establish the most efficient routing across the complex connections of the global Internet.
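
The lookup a host or router performs against its routing table, as an added example that is not part of the original guide: the most specific matching prefix wins, and the default route (0.0.0.0/0) is used only when nothing more specific matches. The class and function names and the documentation-range addresses are assumptions made for illustration; the example models a statically configured table only, not a routing protocol.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass(frozen=True)
class Route:
    prefix: Network
    next_hop: str    # address of the next-hop router, or "direct" if on-link
    interface: str


class RoutingTable:
    """Forwarding table resolved by longest-prefix match."""

    def __init__(self):
        self._routes = []

    def add(self, prefix, next_hop, interface):
        # strict=True rejects prefixes with host bits set (e.g. 192.0.2.5/24),
        # a common typo in manually configured routes.
        net = ipaddress.ip_network(prefix, strict=True)
        if next_hop != "direct":
            hop = ipaddress.ip_address(next_hop)
            if hop.version != net.version:
                raise ValueError("next hop and prefix use different IP versions")
        self._routes.append(Route(net, next_hop, interface))

    def lookup(self, destination) -> Optional[Route]:
        """Return the most specific route covering destination, or None."""
        addr = ipaddress.ip_address(destination)
        candidates = [
            r for r in self._routes
            if r.prefix.version == addr.version and addr in r.prefix
        ]
        # The longest prefix (largest prefixlen) is the most specific match.
        return max(candidates, key=lambda r: r.prefix.prefixlen, default=None)


def build_host_table():
    """End node: one attached LAN plus a default route toward the ISP."""
    table = RoutingTable()
    table.add("192.0.2.0/24", "direct", "eth0")
    table.add("0.0.0.0/0", "192.0.2.1", "eth0")
    return table


def build_isp_table():
    """Provider router (constructed sample): specific prefixes, no default route."""
    table = RoutingTable()
    table.add("198.51.100.0/24", "203.0.113.1", "ge0")
    table.add("198.51.100.128/25", "203.0.113.2", "ge1")  # more specific than the /24
    table.add("2001:db8::/32", "2001:db8:ffff::1", "ge2")
    return table


if __name__ == "__main__":
    host, isp = build_host_table(), build_isp_table()
    for table, dest in [(host, "192.0.2.55"), (host, "198.51.100.9"),
                        (isp, "198.51.100.200"), (isp, "198.51.100.10"),
                        (isp, "192.0.2.1"), (isp, "2001:db8:1::5")]:
        route = table.lookup(dest)
        print(dest, "->", f"{route.prefix} via {route.next_hop}" if route else "no route")
```
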


Large organizations, such as academic institutions, large enterprises, and governments, may perform
the same function as ISPs, engaging in peering and purchasing transit on behalf of their internal
networks. Research networks tend to interconnect into large subnetworks such as GEANT, GLORIAD,
Internet2, and the UK's national research and education network, JANET.

Fig2. Internet Connectivity Distribution & Core

General structure
The Internet structure and its usage characteristics have been studied extensively. It has been
determined that both the Internet IP routing structure and hypertext links of the World Wide Web are
examples of scale-free networks.

Many computer scientists describe the Internet as a "prime example of a large-scale, highly engineered,
yet highly complex system". The Internet is heterogeneous; for instance, data transfer rates and physical
characteristics of connections vary widely. The Internet exhibits "emergent phenomena" that depend on
its large-scale organization. For example, data transfer rates exhibit temporal self-similarity. The
principles of the routing and addressing methods for traffic in the Internet reach back to their origins in
the 1960s when the eventual scale and popularity of the network could not be anticipated. Thus, the
possibility of developing alternative structures is investigated. The Internet structure was found to be
highly robust to random failures and very vulnerable to high-degree attacks.
Governance
The Internet is a globally distributed network comprising many voluntarily interconnected
autonomous networks. It operates without a central governing body. However, to maintain
interoperability, the principal name spaces of the Internet are administered by the Internet
Corporation for Assigned Names and Numbers (ICANN), headquartered in Marina del Rey,
California. ICANN is the authority that coordinates the assignment of unique identifiers for use
on the Internet, including domain names, Internet Protocol (IP) addresses, application port
numbers in the transport protocols, and many other parameters. Globally unified name spaces, in
which names and numbers are uniquely assigned, are essential for maintaining the global reach of the
Internet. ICANN is governed by an international board of directors drawn from across the Internet
technical, business, academic, and other non-commercial communities.

ICANN's role in coordinating the assignment of unique identifiers distinguishes it as perhaps the only
central coordinating body for the global Internet. The government of the United States continues to
have a primary role in approving changes to the DNS root zone that lies at the heart of the domain
name system. On 16 November 2005, the United Nations-sponsored World Summit on the Information
Society, held in Tunis, established the Internet Governance Forum (IGF) to discuss Internet-related
issues.

The technical underpinning and standardization of the Internet's core protocols (IPv4 and IPv6) is an
activity of the Internet Engineering Task Force (IETF), a non-profit organization of loosely affiliated
international participants that anyone may associate with by contributing technical expertise.

Services
• World Wide Web
Many people use the terms Internet and World Wide Web, or just the Web, interchangeably, but the
two terms are not synonymous. The World Wide Web is a global set of documents, images and
other resources, logically interrelated by hyperlinks and referenced with Uniform Resource
Identifiers (URIs). URIs symbolically identify services, servers, and other databases, and the
documents and resources that they can provide. Hypertext Transfer Protocol (HTTP) is the main
access protocol of the World Wide Web, but it is only one of the hundreds of communication protocols
used on the Internet. Web services also use HTTP to allow software systems to communicate in order
to share and exchange business logic and data.

World Wide Web browser software, such as Microsoft's Internet Explorer, Mozilla Firefox,
Opera, Apple's Safari, and Google Chrome, lets users navigate from one web page to another via
hyperlinks embedded in the documents. These documents may also contain any combination of
computer data, including graphics, sounds, text, video, multimedia and interactive content that
runs while the user is interacting with the page. Client-side software can include animations,
games, office applications and scientific demonstrations. Through keyword-driven Internet research
using search engines like Yahoo! and Google, users worldwide have easy, instant access to a vast and
diverse amount of online information. Compared to printed media, books, encyclopedias and traditional
libraries, the World Wide Web has enabled the decentralization of information on a large scale.

The Web has also enabled individuals and organizations to publish ideas and information to a
potentially large audience online at greatly reduced expense and time delay. Publishing a web
page, a blog, or building a website involves little initial cost and many cost-free services are available.
Publishing and maintaining large, professional web sites with attractive, diverse and up-to-date
information is still a difficult and expensive proposition, however. Many individuals and some
companies and groups use web logs or blogs, which are largely used as easily updatable online diaries.
Some commercial organizations encourage staff to communicate advice in their areas of specialization
in the hope that visitors will be impressed by the expert knowledge and free information, and be
attracted to the corporation as a result. One example of this practice is Microsoft, whose product
developers publish their personal blogs in order to pique the public's interest in their work. Collections
of personal web pages published by large service providers remain popular, and have become
increasingly sophisticated. Whereas operations such as Angelfire and GeoCities have existed since the
early days of the Web, newer offerings from, for example, Facebook and Twitter currently have large
followings. These operations often brand themselves as social network services rather than simply as
web page hosts.

Advertising on popular web pages can be lucrative, and e-commerce or the sale of products and
services directly via the Web continues to grow.

When the Web began in the 1990s, a typical web page was stored in completed form on a web server,
formatted in HTML, ready to be sent to a user's browser in response to a request. Over time, the process
of creating and serving web pages has become more automated and more dynamic. Websites are often
created using content management or wiki software with, initially, very little content. Contributors to
these systems, who may be paid staff, members of a club or other organization or members of the
public, fill underlying databases with content using editing pages designed for that purpose, while
casual visitors view and read this content in its final HTML form. There may or may not be editorial,
approval and security systems built into the process of taking newly entered content and making it
available to the target visitors.
• Communication
Email is an important communications service available on the Internet. The concept of sending
electronic text messages between parties in a way analogous to mailing letters or memos predates
the creation of the Internet. Pictures, documents and other files are sent as email attachments.
Emails can be cc-ed to multiple email addresses.

Internet telephony is another common communications service made possible by the creation of
the Internet. VoIP stands for Voice-over-Internet Protocol, referring to the protocol that underlies
all Internet communication. The idea began in the early 1990s with walkie-talkie-like voice
applications for personal computers. In recent years many VoIP systems have become as easy to use
and as convenient as a normal telephone. The benefit is that, as the Internet carries the voice traffic,
VoIP can be free or cost much less than a traditional telephone call, especially over long distances
and especially for those with always-on Internet connections such as cable or ADSL. VoIP is
maturing into a competitive alternative to traditional telephone service. Interoperability between
different providers has improved and the ability to call or receive a call from a traditional
telephone is available. Simple, inexpensive VoIP network adapters are available that eliminate
the need for a personal computer.

Voice quality can still vary from call to call, but is often equal to and can even exceed that of traditional
calls. Remaining problems for VoIP include emergency telephone number dialing and reliability.
Currently, a few VoIP providers provide an emergency service, but it is not universally available. Older
traditional phones with no "extra features" may be line-powered only and operate during a power
failure; VoIP can never do so without a backup power source for the phone equipment and the Internet
access devices. VoIP has also become increasingly popular for gaming applications, as a form of
communication between players. Popular VoIP clients for gaming include Ventrilo and TeamSpeak.
Wii, PlayStation 3, and Xbox 360 also offer VoIP chat features.
• Data transfer
File sharing is an example of transferring large amounts of data across the Internet. A computer
file can be emailed to customers, colleagues and friends as an attachment. It can be uploaded to a
website or FTP server for easy download by others. It can be put into a "shared location" or onto a
file server for instant use by colleagues. The load of bulk downloads to many users can be eased by
the use of "mirror" servers or peer-to-peer networks. In any of these cases, access to the file may be
controlled by user authentication, the transit of the file over the Internet may be obscured by
encryption, and money may change hands for access to the file. The price can be paid by the remote
charging of funds from, for example, a credit card whose details are also passed – usually fully
encrypted – across the Internet. The origin and authenticity of the file received may be checked by
digital signatures or by MD5 or other message digests. These simple features of the Internet, over a
worldwide basis, are changing the production, sale, and distribution of anything that can be reduced to
a computer file for transmission. This includes all manner of print publications, software products,
news, music, film, video, photography, graphics and the other arts. This in turn has caused seismic
shifts in each of the existing industries that previously controlled the production and distribution of
these products.
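
One way to run the message-digest check mentioned above, as an added example that is not part of the original guide: it uses SHA-256 and refuses MD5 unless explicitly allowed, because MD5 is no longer collision-resistant. A matching digest only shows that the file equals what the checksum list describes, so the list itself has to come from a trusted or signed source. The function names, file names and payload are constructed for illustration.

```python
import hashlib
import hmac
import os
import string
import tempfile

STRONG = {"sha256", "sha512"}
LEGACY = {"md5", "sha1"}   # not collision-resistant; accepted only on request


def file_digest(path, algorithm="sha256", chunk_size=65536):
    """Hash a file in fixed-size chunks so large downloads need little memory."""
    h = hashlib.new(algorithm)
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_checksum_list(text):
    """Parse '<hex digest>  <file name>' lines (the md5sum/sha256sum layout)."""
    entries = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")   # '*' marks binary mode in that layout
        if not name or any(c not in string.hexdigits for c in digest):
            raise ValueError(f"malformed checksum line: {line!r}")
        entries[name] = digest.lower()
    return entries


def verify_download(path, checksum_text, algorithm="sha256", allow_legacy=False):
    """Return 'ok', 'mismatch' or 'not-listed' for the file at path."""
    algorithm = algorithm.lower()
    if algorithm not in STRONG | LEGACY:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    if algorithm in LEGACY and not allow_legacy:
        raise ValueError(f"{algorithm} is not collision-resistant; refusing")
    expected = parse_checksum_list(checksum_text).get(os.path.basename(path))
    if expected is None:
        return "not-listed"
    if len(expected) != hashlib.new(algorithm).digest_size * 2:
        raise ValueError("digest length does not match the chosen algorithm")
    actual = file_digest(path, algorithm)
    # Constant-time comparison; a habit worth keeping for any digest check.
    return "ok" if hmac.compare_digest(actual, expected) else "mismatch"


def demo():
    """Constructed scenario: intact file, modified file, file missing from list."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "firmware.bin")
        with open(path, "wb") as fh:
            fh.write(b"constructed sample payload\n" * 1000)
        published = f"# constructed checksum list\n{file_digest(path)}  firmware.bin\n"
        intact = verify_download(path, published)

        with open(path, "ab") as fh:   # simulate corruption or tampering in transit
            fh.write(b"\x00")
        modified = verify_download(path, published)

        other = os.path.join(tmp, "other.bin")
        open(other, "wb").close()
        unlisted = verify_download(other, published)
    return intact, modified, unlisted


if __name__ == "__main__":
    print(demo())
```
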

Streaming media is the real-time delivery of digital media for the immediate consumption or
enjoyment by end users. Many radio and television broadcasters provide Internet feeds of their
live audio and video productions. They may also allow time-shift viewing or listening such as
Preview, Classic Clips and Listen Again features. These providers have been joined by a range of pure
Internet "broadcasters" who never had on-air licenses. This means that an Internet-connected device,
such as a computer or something more specific, can be used to access on-line media in much the same
way as was previously possible only with a television or radio receiver. The range of available types of
content is much wider, from specialized technical webcasts to on-demand popular multimedia services.
Podcasting is a variation on this theme, where usually audio material is downloaded and played back on
a computer or shifted to a portable media player to be listened to on the move. These techniques using
simple equipment allow anybody, with little censorship or licensing control, to broadcast audio-visual
material worldwide.

Digital media streaming increases the demand for network bandwidth. For example, standard
image quality needs 1 Mbit/s link speed for SD 480p, HD 720p quality requires 2.5 Mbit/s, and the top-
of-the-line HDX quality needs 4.5 Mbit/s for 1080p.

Webcams are a low-cost extension of this phenomenon. While some webcams can give full-frame-rate
video, the picture is usually either small or slow to update. Internet users can watch animals around
an African waterhole, ships in the Panama Canal, traffic at a local roundabout or monitor their own
premises, live and in real time. Video chat rooms and video conferencing are also popular with many
uses being found for personal webcams, with and without two-way sound. YouTube was founded on 15
February 2005 and is now the leading website for free streaming video with a vast number of users. It
uses a flash-based web player to stream and show video files. Registered users may upload an
unlimited amount of video and build their own personal profile. YouTube claims that its users watch
hundreds of millions, and upload hundreds of thousands of videos daily.

Access
Common methods of Internet access in homes include dial-up, landline broadband (over coaxial
cable, fiber optic or copper wires), Wi-Fi, satellite and 3G/4G technology cell phones. Public
places to use the Internet include libraries and Internet cafes, where computers with Internet
connections are available. There are also Internet access points in many public places such as airport
halls and coffee shops, in some cases just for brief use while standing. Various terms are used, such as
"public Internet kiosk", "public access terminal", and "Web payphone". Many hotels now also have
public terminals, though these are usually fee-based. These terminals are widely accessed for various
usages like ticket booking, bank deposit, online payment etc. Wi-Fi provides wireless access to
computer networks, and therefore can do so to the Internet itself. Hotspots providing such access
include Wi-Fi cafes, where would-be users need to bring their own wireless-enabled devices such as a
laptop or PDA. These services may be free to all, free to customers only, or fee-based. A hotspot need
not be limited to a confined location. A whole campus or park, or even an entire city can be enabled.

Grassroots efforts have led to wireless community networks. Commercial Wi-Fi services covering large
city areas are in place in London, Vienna, Toronto, San Francisco, Philadelphia, Chicago and
Pittsburgh. The Internet can then be accessed from such places as a park bench. Apart from Wi-Fi,
there have been experiments with proprietary mobile wireless networks like Ricochet, various high-
speed data services over cellular phone networks, and fixed wireless services. High-end mobile phones
such as smartphones in general come with Internet access through the phone network. Web browsers
such as Opera are available on these advanced handsets, which can also run a wide variety of other
Internet software. More mobile phones have Internet access than PCs, though this is not as widely used.
An Internet access provider and protocol matrix differentiates the methods used to get online.

An Internet blackout or outage can be caused by local signaling interruptions. Disruptions of submarine
communications cables may cause blackouts or slowdowns to large areas, such as in the 2008
submarine cable disruption. Less-developed countries are more vulnerable due to a small number of
high-capacity links. Land cables are also vulnerable, as in 2011 when a woman digging for scrap metal
severed most connectivity for the nation of Armenia. Internet blackouts affecting almost entire
countries can be achieved by governments as a form of Internet censorship, as in the blockage of the
Internet in Egypt, whereby approximately 93% of networks were without access in 2011 in an attempt
to stop mobilization for anti-government protests.
Users
Overall Internet usage has seen tremendous growth. From 2000 to 2009, the number of Internet
users globally rose from 394 million to 1.858 billion. By 2010, 22 percent of the world's
population had access to computers with 1 billion Google searches every day, 300 million Internet
users reading blogs, and 2 billion videos viewed daily on YouTube.


The prevalent language for communication on the Internet has been English. This may be a result of the
origin of the Internet, as well as the language's role as a lingua franca. Early computer systems were
limited to the characters in the American Standard Code for Information Interchange (ASCII), a subset
of the Latin alphabet.

Fig3. Internet users per 100 inhabitants


After English (27%), the most requested languages on the World Wide Web are Chinese (23%),
Spanish (8%), Japanese (5%), Portuguese and German (4% each), Arabic, French and Russian
(3% each), and Korean (2%). By region, 42% of the world's Internet users are based in Asia, 24%
in Europe, 14% in North America, 10% in Latin America and the Caribbean taken together, 6%
in Africa, 3% in the Middle East and 1% in Australia/Oceania. The Internet's technologies
have developed enough in recent years, especially in the use of Unicode, that good
facilities are available for development and communication in the world's widely used
languages. However, some glitches such as mojibake (incorrect display of some
languages' characters) still remain.

Fig4. Internet users by language


In an American study in 2005, the percentage of men using the Internet was very slightly
ahead of the percentage of women, although this difference reversed in those under 30.
Men logged on more often, spent more time online, and were more likely to be
broadband users, whereas women tended to make more use of opportunities to
communicate (such as email). Men were more likely to use the Internet to pay bills,
participate in auctions, and for recreation such as downloading music and videos. Men
and women were equally likely to use the Internet for shopping and banking. More
recent studies indicate that in 2008, women significantly outnumbered men on most
social networking sites, such as Facebook and Myspace, although the ratios varied with
age. In addition, women watched more streaming content, whereas men downloaded
more. In terms of blogs, men were more likely to blog in the first place; among those
who blog, men were more likely to have a professional blog, whereas women were more
likely to have a personal blog.

According to Euromonitor, by 2020 43.7% of the world's population will be users of the
Internet. Splitting by country, in 2011 Iceland, Norway and the Netherlands had the
highest Internet penetration by the number of users, with more than 90% of the
population with access.

Fig5. Website content languages

Social impact
The Internet has enabled entirely new forms of social interaction, activities, and organizing,
thanks to its basic features such as widespread usability and access. In the first decade of the 21st
century, the first generation is raised with widespread availability of Internet connectivity,
bringing consequences and concerns in areas such as personal privacy and identity, and
distribution of copyrighted materials. These "digital natives" face a variety of challenges that
were not present for prior generations.

Social networking and entertainment


Many people use the World Wide Web to access news, weather and sports reports, to plan and book
vacations and to find out more about their interests. People use chat, messaging and email to make and
stay in touch with friends worldwide, sometimes in the same way as some previously had pen pals. The
Internet has seen a growing number of Web desktops, where users can access their files and settings via
the Internet.

Social networking websites such as Facebook, Twitter, and MySpace have created new ways to
socialize and interact. Users of these sites are able to add a wide variety of information to pages,
to pursue common interests, and to connect with others. It is also possible to find existing
acquaintances, to allow communication among existing groups of people. Sites like LinkedIn
foster commercial and business connections. YouTube and Flickr specialize in users' videos and
photographs.

The Internet has been a major outlet for leisure activity since its inception, with entertaining social
experiments such as MUDs and MOOs being conducted on university servers, and humor-related
Usenet groups receiving much traffic. Today, many Internet forums have sections devoted to games
and funny videos; short cartoons in the form of Flash movies are also popular. Over 6 million people
use blogs or message boards as a means of communication and for the sharing of ideas. The Internet
pornography and online gambling industries have taken advantage of the World Wide Web, and often
provide a significant source of advertising revenue for other websites. Although many governments have
attempted to restrict both industries' use of the Internet, in general this has failed to stop their widespread
popularity.

Another area of leisure activity on the Internet is multiplayer gaming.[61] This form of recreation
creates communities, where people of all ages and origins enjoy the fast-paced world of multiplayer
games. These range from MMORPG to first-person shooters, from role-playing video games to online
gambling. While online gaming has been around since the 1970s, modern modes of online gaming
began with subscription services such as GameSpy and MPlayer. Non-subscribers were limited to
certain types of game play or certain games. Many people use the Internet to access and download
music, movies and other works for their enjoyment and relaxation. Free and fee-based services exist for
all of these activities, using centralized servers and distributed peer-to-peer technologies. Some of these
sources exercise more care with respect to the original artists' copyrights than others.

Internet usage has been correlated to users' loneliness. Lonely people tend to use the Internet as an
outlet for their feelings and to share their stories with others, such as in the "I am lonely will anyone
speak to me" thread.

Cybersectarianism is a new organizational form which involves: "highly dispersed small groups of
practitioners that may remain largely anonymous within the larger social context and operate in relative
secrecy, while still linked remotely to a larger network of believers who share a set of practices and
texts, and often a common devotion to a particular leader. Overseas supporters provide funding and
support; domestic practitioners distribute tracts, participate in acts of resistance, and share information
on the internal situation with outsiders. Collectively, members and practitioners of such sects construct
viable virtual communities of faith, exchanging personal testimonies and engaging in collective study
via email, on-line chat rooms and web-based message boards."

Cyberslacking can become a drain on corporate resources; the average UK employee spent 57 minutes
a day surfing the Web while at work, according to a 2003 study by Peninsula Business Services.
Internet addiction disorder is excessive computer use that interferes with daily life. Psychologist
Nicolas Carr believes that Internet use has other effects on individuals, for instance improving skills of
scan-reading and interfering with the deep thinking that leads to true creativity.
Electronic business
Electronic business (E-business) involves business processes spanning the entire value chain:
electronic purchasing and supply chain management, processing orders electronically, handling
customer service, and cooperating with business partners. E-commerce seeks to add revenue
streams using the Internet to build and enhance relationships with clients and partners.

According to research firm IDC, the size of total worldwide e-commerce, when global business-
to-business and -consumer transactions are added together, will equate to $16 trillion in
2013. IDate, another research firm, estimates the global market for digital products and services at $4.4
trillion in 2013. A report by Oxford Economics adds those two together to estimate the total size of the
digital economy at $20.4 trillion, equivalent to roughly 13.8% of global sales.

While much has been written of the economic advantages of Internet-enabled commerce, there is also
evidence that some aspects of the Internet such as maps and location-aware services may serve to
reinforce economic inequality and the digital divide. Electronic commerce may be responsible for
consolidation and the decline of mom-and-pop, brick and mortar businesses resulting in increases in
income inequality.
Telecommuting
Remote work is facilitated by tools such as groupware, virtual private networks, conference
calling, videoconferencing, and Voice over IP (VoIP). It can be efficient and useful for companies
as it allows workers to communicate over long distances, saving significant amounts of travel
time and cost. As broadband Internet connections become more commonplace, more and more
workers have adequate bandwidth at home to use these tools to link their home to their corporate
intranet and internal phone networks.
Crowdsourcing
The Internet provides a particularly good venue for crowdsourcing (outsourcing tasks to a distributed
group of people) since individuals tend to be more open in web-based projects where they are not
being physically judged or scrutinized and thus can feel more comfortable sharing.

Crowdsourcing systems are used to accomplish a variety of tasks. For example, the crowd may be
invited to develop a new technology, carry out a design task, refine or carry out the steps of an
algorithm (see human-based computation), or help capture, systematize, or analyze large
amounts of data (see also citizen science).

Wikis have also been used in the academic community for sharing and dissemination of information
across institutional and international boundaries. In those settings, they have been found useful for
collaboration on grant writing, strategic planning, departmental documentation, and committee work.
The United States Patent and Trademark Office uses a wiki to allow the public to collaborate on finding
prior art relevant to examination of pending patent applications. Queens, New York has used a wiki to
allow citizens to collaborate on the design and planning of a local park.

The English Wikipedia has the largest user base among wikis on the World Wide Web and ranks in the
top 10 among all Web sites in terms of traffic.
Politics and political revolutions
The Internet has achieved new relevance as a political tool. The presidential campaign of Howard Dean
in 2004 in the United States was notable for its success in soliciting donations via the Internet. Many
political groups use the Internet to achieve a new method of organizing in order to carry out their
mission, having given rise to Internet activism, most notably practiced by rebels in the Arab Spring.

Identify requirements

Computer Hardware Required for Internet & Internet Access Components

• Telephone Modem

A telephone modem is a device that converts the signals from your computer into a series of sounds and
transmits them across the phone line. A telephone modem on the other side of the connection converts
these sounds back to a signal the computer can understand, allowing the computers to communicate.

Dial-up connections are still widely in use despite faster connections being available to 89 percent of
the U.S. population. Referred to as narrowband connections, these connections are slower and usually
do not stay connected at all times.
• Network Interface Card

Broadband connections provide much faster access to the Internet than narrowband connections. There
are multiple types of broadband connections, including DSL, satellite, and cable access. Each of these
types of access involves connecting to an access point using either a wired Ethernet connection or a
wireless connection.

A Network interface card (NIC) allows you to connect an Ethernet cable to your computer from an
access point. Communication to the access point travels through this cable. Connections using a wired
NIC require that an Ethernet cable be connected from the computer to the access point at all times
during Internet use. Network interface cards can be built in to the computer or purchased as an external
device that you plug in to the computer.
• Wired Access Points

Computers using a NIC and Ethernet cable connect through an access point. Access points are
generally either routers, cable modems, or DSL modems that provide a link between the Internet
service provider and your physical computer.

NIC-based connections are widely used in local area networks, such as groups of computers in
businesses. They can be used in homes, but many users prefer to use wireless connections for the added
mobility.
• Wireless Access Points

A wireless access point allows you to connect to an access point without using a physical connection.
Wireless access can be configured in your home using a wireless router and a computer with a wireless
interface. Wireless interfaces can be installed within the computer or purchased separately as a USB or
PCI device that can be plugged in when needed. Many businesses, such as hotels and coffee shops,
provide free wireless access in their buildings for the use of their customers.

Internet Protocol (IP)


Internet Protocol (IP) is a packet-switched protocol that performs addressing and route selection. As a
packet is transmitted, this protocol appends a header to the packet so that it can be routed through the
network using dynamic routing tables. IP is a connectionless protocol and sends packets without
expecting the receiving host to acknowledge receipt. In addition, IP is responsible for packet assembly
and disassembly as required by the physical and data-link layers of the OSI reference model. Each IP
packet is made up of a source and a destination address, protocol identifier, checksum (a calculated
value), and a TTL (which stands for "time to live"). The TTL tells each router on the network between
the source and the destination how long the packet has to remain on the network. It works like a
countdown counter or clock. As the packet passes through the router, the router deducts the larger of
one unit (one second) or the time that the packet was queued for delivery. For example, if a packet has
a TTL of 128, it can stay on the network for 128 seconds or 128 hops (each stop, or router, along the
way), or any combination of the two. The purpose of the TTL is to prevent lost or damaged data
packets (such as missing e-mail messages) from endlessly wandering the network. When the TTL
counts down to zero, the packet is eliminated from the network.

Another method used by the IP to increase the speed of transmission is known as "ANDing." The
purpose of ANDing is to determine whether the address is a local or a remote site. If the address is
local, IP will ask the Address Resolution Protocol (ARP), discussed in the next section, for the
hardware address of the destination machine. If the address is remote, the IP checks its local routing
table for a route to the destination. If a route exists, the packet is sent on its way. If no route exists, the
packet is sent to the local default gateway and then on its way. [An AND is a logical operation that
combines the values of two bits (0, 1) or two Boolean values (false, true) that returns a value of 1 (true)
if both input values are 1 (true) and returns a 0 (false) otherwise].
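
The ANDing decision described above, worked through as an added example (it is not part of the original guide). The host address, masks, routes and gateway are constructed sample values, and choosing the most specific matching route when several match is an assumption the guide does not state.

```python
"""ANDing: is the destination local (ask ARP) or remote (use a route or the gateway)?"""


def to_int(dotted):
    """Convert dotted-decimal IPv4 text to a 32-bit integer, rejecting bad octets."""
    parts = dotted.split(".")
    if len(parts) != 4 or not all(p.isdigit() and int(p) <= 255 for p in parts):
        raise ValueError(f"not an IPv4 address: {dotted!r}")
    value = 0
    for part in parts:
        value = (value << 8) | int(part)
    return value


def mask_to_int(dotted):
    """Convert a subnet mask, rejecting masks whose 1 bits are not contiguous."""
    mask = to_int(dotted)
    inverted = ~mask & 0xFFFFFFFF
    if inverted & (inverted + 1):  # host bits must be one unbroken run of 1s
        raise ValueError(f"not a valid subnet mask: {dotted!r}")
    return mask


def to_dotted(value):
    """Convert a 32-bit integer back to dotted-decimal text."""
    return ".".join(str((value >> shift) & 0xFF) for shift in (24, 16, 8, 0))


def network_of(address, mask):
    """The ANDing step: address AND mask leaves only the network part."""
    return to_int(address) & mask_to_int(mask)


def and_rows(address, mask):
    """Return address, mask and AND result as 32-bit binary strings for inspection."""
    a, m = to_int(address), mask_to_int(mask)
    return tuple(format(v, "032b") for v in (a, m, a & m))


def next_step(source, mask, destination, routes, default_gateway):
    """Follow the guide's flow and return (action, target).

    Local destination  -> ("arp", destination)
    Remote with route  -> ("route", gateway of the matching route)
    Remote, no route   -> ("default-gateway", default_gateway)
    """
    if network_of(source, mask) == network_of(destination, mask):
        return ("arp", destination)
    dest = to_int(destination)
    best = None
    for network, route_mask, gateway in routes:
        m = mask_to_int(route_mask)
        # Assumption: prefer the most specific route (largest mask) when several match.
        if dest & m == to_int(network) and (best is None or m > best[0]):
            best = (m, gateway)
    if best is not None:
        return ("route", best[1])
    return ("default-gateway", default_gateway)


# Constructed sample configuration for one host.
HOST = "192.168.10.25"
MASK = "255.255.255.0"
GATEWAY = "192.168.10.1"
ROUTES = [
    ("10.20.0.0", "255.255.0.0", "192.168.10.254"),
    ("10.20.30.0", "255.255.255.0", "192.168.10.253"),
]

if __name__ == "__main__":
    for row in and_rows(HOST, MASK):
        print(row)
    print("network:", to_dotted(network_of(HOST, MASK)))
    for dest in ("192.168.10.77", "10.20.30.5", "10.20.99.5", "203.0.113.9"):
        print(dest, "->", next_step(HOST, MASK, dest, ROUTES, GATEWAY))
    # Same two hosts, narrower mask: the destination is no longer local.
    print(next_step(HOST, "255.255.255.192", "192.168.10.77", [], GATEWAY))
```

The last call shows why the mask matters: with 255.255.255.192 the two addresses AND to different network IDs, so the same neighbour is treated as remote and sent to the gateway.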

Install and Configure the Email Server in Windows Server 2003


Introduction

This tutorial will help you to install and set up a few email accounts, by using the built-in POP3
Service in Windows Server 2003. I will assume you have basic knowledge about the Windows Server
family and Mail Servers, but I have tried to make this tutorial as easily comprehensible as possible. The
tutorial has been tested on Windows Server 2003 Enterprise Edition but should also work on Windows
Server 2003 Standard Edition. I will not cover MX records and other similar things in this release.

To follow this tutorial you need a stand-alone server. You can of course use a Domain Controller, but
that assumes you understand when to not follow the tutorial and use other settings (i.e. authentication
method).

LO2

LO3

Internet security policy


Introduction

This is the first in a series of four articles devoted to discussing how information security policies can be
used as an active part of an organization's efforts to protect its valuable information assets. In a world that is
essentially technology driven, where the latest IIS exploit is countered with a mad rush to install the relevant
patch and where the number of different operating systems in a network exceeds the number of hairs on the
security administrator's head that haven't turned gray, policies give us an opportunity to change the pace, slow
things down and play the game on our own terms. Policies allow organizations to set practices and procedures in
place that will reduce the likelihood of an attack or an incident and will minimize the damage that such an
incident can cause, should one occur.

Many people see policies as an afterthought; a tasty dressing to be added to a veritable technology-salad of
firewalls, virus scanners and VPNs, all lightly sprinkled with just a touch of IDS. This is wrong. In this series I'll
attempt to explain why policies should be the basis of a comprehensive Information Security strategy, and how
policies can be an effective, practical part of your digital defense systems.

What is a Policy?

The nicest definition for 'policy' that I could find is from the American Heritage Dictionary of the English language.
It reads:

"A plan or course of action, as of a government, political party, or business, intended to influence and determine
decisions, actions, and other matters"

In practical security terms, I define a policy as a published document (or set of documents) in which the
organization's philosophy, strategy, policies and practices with regard to confidentiality, integrity and availability
of information and information systems are laid out.

Thus, a policy is a set of mechanisms by means of which your information security objectives can be defined and
attained. Let's take a moment to briefly examine each of these concepts. First, we have the information security
objectives:

• Confidentiality is about ensuring that only the people who are authorized to have access to information
are able to do so. It's about keeping valuable information only in the hands of those people who are
intended to see it.
• Integrity is about maintaining the value and the state of information, which means that it is protected from
unauthorized modification. Information only has value if we know that it's correct. A major objective of
information security policies is thus to ensure that information is not modified or destroyed or subverted in
any way.
• Availability is about ensuring that information and information systems are available and operational when
they are needed. A major objective of an information security policy must be to ensure that information is
always available to support critical business processing.

These objectives are globally recognized as being characteristic of any secure system.

Having broadly defined the reasons for implementing a security policy, we can now discuss the mechanisms
through which these objectives can be achieved, namely:

Philosophy

This is the organization's approach towards information security, the framework, the guiding principles of the
information security strategy. The security philosophy is a big umbrella under which all other security
mechanisms should fall. It will explain to future generations why you did what you did.

Strategy

The strategy is the plan or the project plan of the security philosophy. A measurable plan detailing how the
organization intends to achieve the objectives that are laid out, either implicitly or explicitly, within the framework
of the philosophy.

Policies

Policies are simply rules. They're the dos and the don'ts of information security, again, within the framework of
the philosophy.

Practices

Practices simply define the how of the organization's policy. They are a practical guide regarding what to do and
how to do it.

In the sections that follow I'll be examining each of these mechanisms more closely.

In Praise of Policies: What Benefits Do Policies Offer?

In the previous section we covered briefly what a policy is and, more specifically, what an information security
policy is. From this brief description it should already be clear that, when it comes to policies, I mean business.
And in IT this usually translates to a sizeable investment in time, money and human resources. Don't kid
yourself; effective policies are no quick fix. The question on everyone's lips has got to be: "Yes, but what can I do
with a policy that I can't do with Snort 1.7 on my favorite Bastion Linux install?" Here are some of the things
policies will do for you that you'll struggle to achieve with technology.

The Boss Can Do It

Most technological controls are the responsibility of the IS manager, the network administrator or some poor sod
who didn't get her leave application forms in on time. Policy, on the other hand, is the responsibility of upper
management. This thinking is consistent with company law in most countries that says it's the responsibility of
the directors of a company to protect its assets on behalf of the shareholders. As such, the development of a
policy includes the ancillary benefit of making upper management aware of and involved in information security.
This should make it a higher organizational priority, which can only increase the level of security throughout the
company.

They Provide a Paper Trail in Cases of Due Diligence

In some industries your company may have legal obligations with respect to the integrity and confidentiality of
certain information. In many cases the only way you can prove due diligence in this regard is by referring to your
published policies. Because policy reflects the philosophy and strategy of your company's management it is fair
proof of the company's intention regarding information security. Interestingly, an audit against a security standard
works on exactly this principle of 'intention'.

They Exemplify an Organization's Commitment to Security

Because a policy is typically published, and because it represents executive decision, a policy may be just what
is needed to convince that potential client / merger partner / investor exactly how clever you really are.
Increasingly companies are requesting proof of sufficient levels of security from the parties they link to do
business with. Once again, a security policy is exactly the place to start.

Practical Benefits of Security Policies

OK, so much for the soft and fuzzy stuff. We said policies can play a practical role in securing your information
assets. Here's how.

They Form a Benchmark for Progress Measurement

Policy reflects the philosophy and strategy of management with regard to information security. As such it is the
perfect standard against which technology and other security mechanisms can be measured. For example, if you
want to know whether your brand new "Hack 'em Back" ultra firewall (performance tested by Russian
cosmonauts on Mir) was really worth the price of a small Caribbean island, then check whether it's implementing
the controls stipulated in the policy. Similarly, to determine whether the new IT manager is effectively investing
her IT security budget, measure her progress against the policy. And here's the best part: if the policies are
correctly formulated and carefully integrated into your employment contracts, then any transgressions against
the policy, such as surfing porn on the company's network, can be punished according to a pre-established
agreement that the employee has signed off on. An information security policy thus serves as a measure by
which responsible behavior can be tested and suitably punished.

They help ensure consistency

The biggest challenge facing security managers today is not how to negotiate a 512 bit RSA public key
exchange using Diffie-Hellman and self-signed certificates (everyone can do that these days). No, the challenge
is ensuring that the sysadmin in the Tahiti branch gets off the beach in time to load the patch for the IIS Unicode
exploit on the web server and avoid yet another embarrassing defacement
on www.tahiti_branch_of_my_respectable_company.com. A well-implemented policy helps to ensure consistency
in your security systems by giving a directive and clearly assigning responsibility and, equally important, by
stipulating the consequences of failing to fulfill those responsibilities.

They Serve as a Guide to Information Security

A well-designed policy can become an IT administrator's Bible. Sadly, not everyone who will ever attach a
computer to your network understands the threat of TCP sequence number guessing attacks against OpenBSD.
Fortunately, your IP network security policy will ensure that machines are always installed in a part of the
network that offers a level of security appropriate to the role of the machine and the information it hosts.

They Define Acceptable Use

People can be either the strongest or the weakest link in any information security system. Although training,
positive enforcement and technology can all play a role in making people a part of the solution and not part of the
problem, in the end there's nothing like a big stick for bringing people over to your way of thinking. An integrated
policy can be just such a stick in that it serves as a measure of performance according to which responsible
people can be measured and potentially disciplined. By clearly defining what can and cannot be done by users,
by pre-establishing security standards, and by ensuring that all users are educated to these standards, the
company places the onus of responsibility on users who can no longer plead 'ignorant' in case of transgression
of the policy.

They Give Security Staff the Backing of Management

The objectives of information security are often at odds with the desires of system users. How many times has a
user thanked you for disabling ActiveX in her browser and blocking access to Napster? Often security staff face
resentment and opposition from people in more senior positions than themselves. The policy, as a directive from
top management, empowers security staff to enforce decisions that may not be popular amongst system users.
Armed with a policy your security administrators can do their jobs without having to continuously justify
themselves.

Policy Power - Making Policies Work

OK, OK you're sold. You've seen the light and decided to seriously undertake the implementation of information
security policies in your own organization. But how? In the sections that follow I'll try to share with you some of
the tricks of the security policy trade.

Defining the Objectives

What Are the Policies Actually Protecting?

Before making decisions regarding the Information Security strategy (long or short term) organizations need to
have a sound understanding of their unique risk profile. Risk consists of a combination of information resources
that have value and vulnerabilities that are exploitable. The magnitude of the risk is the product of the value of
the information and the degree to which the vulnerability can be exploited.

As long as the organization has information that has value that information - and by extension, the organization -
will be subject to risk. The function of any information security control mechanism (technical or procedural) is to
restrict that risk to an acceptable level. This is also true for policies. Policies are a risk-control mechanism and
must therefore be designed and developed in response to real and specific risks. Thus, a comprehensive risk
assessment exercise must be the first phase of the policy development process. The risk assessment should
identify the weakest areas of the system and can be used to define specific objectives.

Of course there is also a sheet-bombing approach to policies, and generic policy documents are freely available
on the Internet and from various commercial resources. Although there are a number of issues that can be dealt
with in a generic manner, one should be very careful of this approach. A policy that says too much is no better
than a policy that says nothing at all. Organizations must be prepared to enforce every stipulation your policy
makes (I'll say more about this later in this paper) so policies must be focused and specific.

Security administrators need to define objectives for their particular organization, based on the value of that
information and the specific risks that information faces.

Setting the Stage

Next Time: Creating an Environment that Supports Security Objectives

Policies in themselves are ineffective and their potential to be effective is directly proportional to the support they
receive from the power structures of the organization. Thus there is a flow of authority that stems from upper
management and expresses itself in the implementation of the stipulations of the policies. For this flow to happen
certain fundamental changes may have to be made to the structures and culture of your organization. The bigger
the organization, the more important these changes become. In the next article in this series, we will discuss
some of the organizational conditions that are necessary in order to ensure that information security policies are
effective.

Introduction to Security Policies, Part Two: Creating a Supportive Environment
Created: 23 Sep 2001 • Updated: 03 Nov 2010

by Charl van der Walt
last updated September 24, 2001

As we concluded the first article of this series, we pointed out that policies in themselves are
ineffective; their effectiveness is directly proportional to the support they receive from the organization.
Thus it is crucial that the organization be aware of the importance of security policies and create an
environment in which security is given a high priority. The bigger the organization, the more important
this support becomes. This article will go over a few of the things that can be done to ensure that security
policies are given the full support of the management of the organization, which will thereby increase the
efficacy of the policies.
Management support
I've touched on the importance of management buy-in a few times now already but it's worth stressing
again. One of the biggest challenges facing security people is to convince management of the
importance of their involvement in the process. Once again risk assessment and penetration testing can
help with this. Without the buy-in of management at a high level the policy development process is
unlikely to succeed.
Organizational structure
No matter what the size of the organization, a policy should always have an owner. While the titles or
acronyms may vary from organization to organization, the roles, duties and obligations should be fairly
consistent throughout. For the sake of this discussion, I will call this person the 'security officer' or 'SO'.
It is the responsibility of the security officer to oversee the creation, distribution, and implementation of
security policies. In this sense, the SO plays the role of intermediary between management and the user
base. It's obvious then that the SO should report directly to the organization's highest level of control -
the board of directors or even the chief executive.
Because the SO ultimately carries corporate responsibility for information security it is often sensible
for him or her to be a member of the board. In a small or medium organization the role of SO may not
constitute a full portfolio but could simply be an added responsibility. However, no matter how small
your organization, the SO role should be clearly assigned and the responsibilities precisely described.
As owner of the policy the SO has a number of responsibilities including, but not limited to, the
management and distribution of the security policy.
Typically the SO is responsible for aspects of security in the organization, not just issues relating to
policy. It may be that the management structures in your organization have to be adjusted to make
provisions for the new role. In large organizations that are still early in the security cycle we often
propose the creation of a security team or task force (STF) to take responsibility for the security
process. Such a team typically consists of the SO, a project manager (PM) and a collection of business,
technology and security specialists. The functions of the STF include:
- Defining security strategy;
- Creating a mission statement and project plan;
- The investigation of a formal accreditation program (more on this later);
- Defining the corporate security policy;
- Defining system specific policies (more on this also);
- A user awareness program; and,
- The appointment of Security Auditors.

The structure of the STF is depicted in the diagram below:


Financial Support
The security process will always require an investment in time, human resources and finance. Without
sufficient financial commitment any security effort is bound to fail. The same is true for the policy
development process.
In acquiring funds for the implementation of policies we once again see the value of a comprehensive
risk assessment exercise. A properly implemented risk assessment should give a good indication of the
risk to which your organization's information resources are exposed, the potential financial losses that
may stem from any degradation of those resources, and the role that policies can play in
mitigating that risk. These indicators, combined with a fair understanding of the value of your
information resources (possibly also gained from the assessment) should provide enough objective data
to motivate and scope a financial investment in security.
A Culture for Security
A chain is only as strong as its weakest link, and the weakest link in a security system is often the end
user. Such problems are exemplified by a new generation of products that allow users to bypass "that
pesky" firewall by subscribing to a service that tunnels TCP traffic over HTTP via a Java Applet that
runs in any browser. I quote:

"ABC is a general-purpose tunnel that allows you to pass through that firewall. ABC works by mapping
your network requests into web request to our server, so if you can read this page, you can use ABC!
The uses for ABC are limited only by your imagination. It can pass anything that uses TCP!"

That means that even if your firewall allows only HTTP requests out, and those only via a proxy that
expects user authentication, a clever user can still do whatever she wants on the Internet. If your users
don't understand the value of your information assets and the risks that these kinds of technologies
represent, then you'll be fighting a losing battle. You need to create a culture in your organization that is
conducive to the implementation of security policies. I refer to this as "Selling Security" - and it's
enough of a subject for an article on its own - but here are some strategies that administrators should
consider in order to create an organizational culture that will place primacy on security:
1. User Education - Administrators can consider launching an internal advertising campaign explaining
the value of the corporate information, the risks that it faces, the role of the policies and the
responsibilities of the individual users. They may consider using a series of slogans like "Your
password is you!"
2. Focus on managers - Management usually sets the tone for the workers underneath them and most
passionately enforce the things they personally believe in. Convince the management of the need for
security and half the struggle is won.
3. Be up front with staff - Employees are generally loyal towards the companies they work for, so being
honest with staff about security and the impact it has on the organization will usually help to win
people over to the security cause. One way to do this is to publish the results of security assessments
and audits, or to play open cards about hacking and other security incidents.
4. Positive reinforcement - Because a well-designed policy allows for measurability, staff can now be
rewarded for good security practice. Security administrators could consider the implementation of an
incentive scheme per department that's based on the results of an annual security audit. Remember, a
rule without punishment is just good advice.
5. Negative reinforcement - If the incentive of positive reinforcement does not instill a sense of
urgency, admins can consider going the other way. Firms may want to consider taking disciplinary
action against staff for non-compliant or negligent behavior. Once again, policies introduce
measurability and make this sort of action possible. They also give employees clear guidelines of
acceptable behavior, and clearly spell out the consequences of breaching those guidelines.
6. Acceptance and Signoff - All staff should be made to sign a document stating their acceptance of the
principles of the security policy. This forces staff to read and understand the policy and gives your
organization legal recourse in the case of security breaches.
Using a Classification System
In developing the information security policies, security personnel will need to be able to distinguish
between various groups of people, computers and information that have differing value and differing
requirements in terms of security. This is a form of classifying information in terms of its accessibility
to people within the organization. A statement like "Only authorized staff are permitted access to
confidential data" isn't worth the disk segment it's saved on unless it is clearly stated who is "authorized"
and what data is considered "confidential". This is no simple task: a large area of work has been done in
the security field to answer exactly those two questions. This work has resulted in development of
security "classification" systems - models by which information resources and people are assigned
classification levels which are then used to describe what people will be allowed access to what
resource classifications.
Formal Classification Systems


Let's briefly explore two such systems, just by way of example:


1. The Military Model [1]
In military circles, it is common for information to be classified into five levels:
- top secret
- secret
- confidential
- restricted
- unclassified
These levels form an ordering with top secret at the top, and unclassified at the bottom. Users are also
assigned a classification, and the following rule is applied: "To have access to a document, the user
must have a classification at the same level as, or higher than, that of the document." These levels are
sometimes known as the rank of the information (or user).
Access to military information is also governed by the need-to-know principle, which places
information in compartments. Compartments may extend across security levels, and information and
users may belong (have access) to a number of compartments.
The full classification of both information and users is therefore defined by the pair [rank,
compartments].
In the case of users, the [rank, compartments] pair is called the security clearance of the user.
2. The Bell-LaPadula model [1]
Bell-LaPadula is essentially a simplified version of the Military model and is designed to be slightly
more user-friendly and appropriate to the commercial organizational environment. Bell-LaPadula relies
on the fact that there exists a partial ordering of security classifications/clearances.
If c(O) is the classification of the (data) object and c(S) is the clearance of the (user) subject then two
simple rules (known as "properties") apply.
1. The Simple Security Property (ss): A subject (S) may have read access to an object (O) only if
c(O) ≤ c(S)
2. The "*" Property (star): A subject (S) who has read access to an object (O) may have write access
to another object (P) only if c(O) ≤ c(P)
The first rule is fairly straightforward: no one may receive a piece of information unless their clearance
is at least as high as the classification of the information they are accessing.
The second rule states that information obtained from an object may only be passed to another object if
the classification of the target object is at least as high as that of the source object. This is intended to
prevent the so-called "write-down" effect in which the classification level of information is gradually
diluted as it is passed between data objects (e.g. files) of different classifications.
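The following added example (not part of the original article) shows the [rank, compartments] ordering of the military model and the two Bell-LaPadula properties enforced by a small reference monitor. The object and subject names are constructed, and "has read access" is assumed to mean objects the subject has actually read so far.

```python
from dataclasses import dataclass

# Ranks of the military model, lowest to highest.
RANKS = ["unclassified", "restricted", "confidential", "secret", "top secret"]


@dataclass(frozen=True)
class Label:
    """A [rank, compartments] pair: an object's classification or a user's clearance."""
    rank: str
    compartments: frozenset = frozenset()

    def dominates(self, other):
        """True when self >= other: rank at least as high AND every compartment
        of `other` is held (need-to-know). Labels may be incomparable, which is
        why the ordering is only partial."""
        return (RANKS.index(self.rank) >= RANKS.index(other.rank)
                and self.compartments >= other.compartments)


def make_label(rank, *compartments):
    if rank not in RANKS:
        raise ValueError(f"unknown rank: {rank!r}")
    return Label(rank, frozenset(compartments))


class ReferenceMonitor:
    """Mediates every read and write against the two properties."""

    def __init__(self):
        self.objects = {}    # object name  -> classification Label
        self.subjects = {}   # subject name -> clearance Label
        self.has_read = {}   # subject name -> names of objects already read

    def add_object(self, name, lbl):
        self.objects[name] = lbl

    def add_subject(self, name, lbl):
        self.subjects[name] = lbl
        self.has_read[name] = set()

    def read(self, subject, obj):
        """Simple Security Property: allow only if c(O) <= c(S)."""
        if not self.subjects[subject].dominates(self.objects[obj]):
            return False
        self.has_read[subject].add(obj)   # remembered for the * property
        return True

    def write(self, subject, target):
        """* Property: allow only if c(O) <= c(P) for every O the subject has read."""
        p = self.objects[target]
        return all(p.dominates(self.objects[o]) for o in self.has_read[subject])


def demo():
    """Run a constructed scenario and return each decision in order."""
    rm = ReferenceMonitor()
    # Constructed sample objects and subject (not from the article).
    rm.add_object("canteen_menu", make_label("unclassified"))
    rm.add_object("troop_movements", make_label("secret", "ops"))
    rm.add_object("ops_archive", make_label("top secret", "ops"))
    rm.add_object("payroll", make_label("secret", "finance"))
    rm.add_subject("analyst", make_label("secret", "ops"))

    return [
        ("read canteen_menu", rm.read("analyst", "canteen_menu")),
        ("read payroll", rm.read("analyst", "payroll")),          # wrong compartment
        ("read ops_archive", rm.read("analyst", "ops_archive")),  # rank too low
        ("write canteen_menu", rm.write("analyst", "canteen_menu")),
        ("read troop_movements", rm.read("analyst", "troop_movements")),
        ("write canteen_menu", rm.write("analyst", "canteen_menu")),  # write-down
        ("write ops_archive", rm.write("analyst", "ops_archive")),    # write-up
    ]


if __name__ == "__main__":
    for action, allowed in demo():
        print(f"{action:22} -> {'allowed' if allowed else 'denied'}")
```

The same write to `canteen_menu` is allowed before the analyst reads `troop_movements` and denied afterwards, which is the "write-down" case the second rule exists to stop.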
Your Own Classification System
Now, all of this may seem just a little complex. That's because it is. Such a formal approach may not be
necessary in all organizations; however, those in charge of developing security policies should develop
a classification system as well as a supporting rule set that will support the requirements and objectives
of the organization.
In the next few paragraphs I'll outline a simple system that can be applied to both information
and information technology and is flexible enough to work in most types of organizations. Later, I will
refer to this classification system when I give some example policies.
Ownership
Every piece of corporate data is assigned to an owner. By default, the owner is the creator of the data or
the person who loaded the data onto the organization's systems. If it is not clear who the owner is,
ownership then defaults to the originator or the administrator of the system on which the data resides.
The owner of a computer system is defined as the head of division requesting the installation of
equipment.
Classification
All data has a default classification (refer to the sections that follow) but with sufficient justification,
the owner of the data may change the classification. Data may only be changed with sufficient
justifiable reason. The user will ultimately be held responsible for data that has been reclassified. If the
user is not sure about changing the security level, the Security Manager or divisional manager should
be consulted. The person changing the security level will be held responsible for changing the level and
must therefore be able to justify the decision.
Computers are classified in a similar way as data. Each computer has an owner defined as the head of
the division requesting the installation of the equipment and it's the function of the equipment owner to
classify all equipment under his or her control. Classification is done in consultation with the owner (or
an assigned representative) and the Security Manager but the Security Manager must make the final
decision. There may be a predefined list of classifications for computers in the network security policy.
In addition to computers themselves, specific services or processes can also be classified. For example,
on a UNIX machine used to host a public web site, the web server may be classified in one way
whilst the telnet server has a much higher security level.
The Security Manager must also classify segments of the network and physical locations on the
premises to ensure that computers are connected at the correct location on the network.
Clearance
Finally, all users and potential users should be classified. A user's classification is called a Clearance
Level and is used to determine what data and resources a user may have access to. In general, access is
only allowed when the clearance is the same level or higher than the classification of the item being
accessed (data, equipment or physical locations).
Security Levels
Let's review the security levels. You must define and describe levels of classification that make sense
and are appropriate to your organization. I've already listed the levels typically used in the military
model. Another approach may be as follows:


- Unclassified: Considered publicly accessible. There are no requirements for access control or
  confidentiality.
- Shared: Resources that are shared within groups or with people outside of your organization. This
  can include mail servers that are accessible from the Internet, servers that are accessible from
  customers and routers that link you to your ISP. Data that is legitimately accessed by outside
  people or groups can be classified as shared and users from outside organizations that have
  legitimate access to internal resources could also be classified as shared.
- Company Only: Access to be restricted to your internal employees only.
- Confidential: Access to be restricted to a specific list of people. For someone to have access to
  data or resources classified as 'Confidential' they must be cleared at this level and they must be
  included in the access list for this resource. The owner of the object (data or computer) is
  responsible for managing the access lists.

Not only data but also users are cleared according to this system. Every user requiring access to your
systems must receive clearance first. This includes employees, contractors, consultants etc.
An example Access Matrix
Once you've finalized a classification system a simple access matrix can then be drawn up:

Access Control Matrix

                 OBJECT (Data, Equipment, Physical Location)
USER             Unclassified   Shared    Company Only   Confidential
Unclassified     Allowed        Denied    Denied         Denied
Shared           Allowed        Allowed   Denied         Denied
Company Only     Allowed        Allowed   Allowed        Denied
Confidential     Allowed        Allowed   Allowed        Refer Access List

A matrix such as the one above can form a guide when writing a policy and the example policies given
in this document do make use of this system.
Rules for technology
The matrix above deals with user access to objects. To describe where equipment is connected to the
network, there is a very simple rule:
The Very Simple Rule:
1. Equipment may never be connected to a network segment with a different security level to that of
the equipment.
2. Equipment may never stand in a physical location with a lower security level than that of the
equipment.


Default Classifications
It was mentioned previously that objects could have default classifications. The idea behind default
classifications is to minimize the workload on users and security staff whilst still ensuring that the
proper security controls are always applied.
Here is an example of default classifications:

Default Classifications

Object Type         Default Classification   To Change Classification
Data                Company Only             User discretion and responsibility
Equipment           Company Only             Request to Security Officer
Network Segment     Company Only             Request to Security Officer
Physical Location   Company Only             Request to Security Officer
User                Unclassified             Request to Security Officer

Of course, all of the above serve as examples only. Obviously, final decisions of classification must lie
with the Security Officer and the Security Task Group described earlier in this paper.
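As an added illustration (not code from the original article), the access matrix, the two placement rules and the default classifications can be combined into one small policy checker. The inventory, segment, location and user names below are constructed sample data.

```python
# Levels of the article's example system, lowest to highest.
LEVELS = ["Unclassified", "Shared", "Company Only", "Confidential"]

# Default Classifications table: applied when nothing was assigned explicitly.
DEFAULTS = {
    "Data": "Company Only",
    "Equipment": "Company Only",
    "Network Segment": "Company Only",
    "Physical Location": "Company Only",
    "User": "Unclassified",
}


def level_of(kind, assigned=None):
    """Return the assigned level, or the default for this kind of object."""
    level = assigned if assigned is not None else DEFAULTS[kind]
    if level not in LEVELS:
        raise ValueError(f"unknown level: {level!r}")
    return level


def check_access(user, clearance, classification, access_list=()):
    """Decide one cell of the access matrix for a named user.

    Clearance below the classification is denied. "Confidential" also
    requires the user to be on the owner's access list for the resource.
    """
    if LEVELS.index(clearance) < LEVELS.index(classification):
        return "Denied"
    if classification == "Confidential" and user not in access_list:
        return "Denied"
    return "Allowed"


def placement_violations(equipment, segments, locations):
    """Apply the two placement rules; return (equipment name, rule number) pairs."""
    found = []
    for item in equipment:
        eq = level_of("Equipment", item.get("level"))
        seg = level_of("Network Segment", segments.get(item["segment"]))
        loc = level_of("Physical Location", locations.get(item["location"]))
        if seg != eq:                              # rule 1: levels must match
            found.append((item["name"], 1))
        if LEVELS.index(loc) < LEVELS.index(eq):   # rule 2: location not lower
            found.append((item["name"], 2))
    return found


# Constructed sample inventory (hypothetical names, not from the article).
# None means "never classified", so the default applies.
SEGMENTS = {"dmz": "Shared", "office-lan": None, "finance-vlan": "Confidential"}
LOCATIONS = {"lobby": "Unclassified", "open-office": None,
             "server-room": "Confidential"}
EQUIPMENT = [
    {"name": "mail-gw", "level": "Shared",
     "segment": "dmz", "location": "server-room"},
    {"name": "hr-laptop",
     "segment": "office-lan", "location": "open-office"},
    {"name": "payroll-db", "level": "Confidential",
     "segment": "office-lan", "location": "server-room"},
    {"name": "kiosk",
     "segment": "dmz", "location": "lobby"},
]

if __name__ == "__main__":
    for name, rule in placement_violations(EQUIPMENT, SEGMENTS, LOCATIONS):
        print(f"{name}: breaks placement rule {rule}")
    # A user who was never cleared defaults to Unclassified, so default data is denied.
    print(check_access("new_hire", level_of("User"), level_of("Data")))
```

Because users default to Unclassified while data defaults to Company Only, an uncleared account is denied even ordinary internal data until the Security Officer grants a clearance.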
Next time?
This concludes the second installment in our four-part series discussing security policies. In the next
installment, we will be looking at structuring and implementing policies in a manner that will ensure
that they are effective and practical.

Introduction to Security Policies, Part Three: Structuring Security Policies
Created: 08 Oct 2001 • Updated: 03 Nov 2010
by Charl van der Walt

last updated October 9, 2001


This is the third in a four-part overview of security policies. In the first article, we looked at what policies are and
what they can achieve. In the second article, we looked at the organizational support required to implement
security policies successfully. In this installment, we shall discuss how to develop and structure a security policy.

Structuring your policy: How do we put it all together?

An effective classification system can help to make your security policies simpler and easier to develop;
however, if they are to be implemented in a large organization that employs a diversity of technologies, the
development of policies will still require a lot of work. It is essential that the policies be structured and packaged
in such a way that they are as light as possible, without missing any important issues. By "light" I mean that they
should be:

- Light, not weighing. Not using too many trees.
- Simple and practical.
- Easy to manage and maintain.
- Easy to access by people seeking specific information.

To meet these requirements, I typically recommend that a policy be split into a number of smaller policies and
that these be arranged in a hierarchical fashion. The 'smaller' policies I refer to are known as position papers
and they contain specific policies regarding (yes, you guessed it) specific issues and specific systems. Because
each one of these position papers is focused, it can be kept short and practical, can be written by a specialist
and can easily be modified or updated without having any effect on the rest of the policy.

The Security Framework Document

Although each position paper may be written by a different author - typically a specialist in that field - we still
want all the papers to subscribe to some fundamental principles. These principles (what I call the security
philosophy) should be laid out in a single document known as the Security Framework paper. This paper, along
with the classification system, creates a framework of values and principles upon which each other document
should be based. It can be considered an overview or an outline of the Policy as a whole. The Security
Framework also forms a kind of default policy that can be referred to whenever there is doubt or in cases where
there is no current policy paper relevant to a particular system. This concept is depicted in the following diagram:


Let's examine each element of this framework in turn:

The Security Framework paper defines a minimum set of organizational security requirements that is applicable
to all management, staff and external consultants. The document defines a set of concepts and principles that
are designed to ensure the protection of all information assets, and the technologies used to store and transmit
them. No decisions regarding the security of information and information technology (IT) should be made without
careful consideration of, and due compliance with, the concepts and principles described in the Security
Framework document.

The Security Framework document should cover at least the following important points:

1. The value of information and the organization's commitment to information security.
2. The classification system, which was discussed in the second article in this series.
3. The principle of accountability that states clearly that users and administrators will be held accountable for
   behavior that impacts the security of information.
4. The designation of authority to the Security Officer and security-related people in the organization as is
   appropriate.
5. The principle of individual responsibility of all system users for the security of information resources.
6. The organization's approach to security reviews; for example, how often they will take place, who will
   perform them, etc.

The function and responsibilities of the Security Officer (SO) have already been covered in some detail in
the second article in this series. The SO assumes ultimate responsibility for security in the organization. It is his
or her job to guide, advise and review the organization's security policies and procedures. The Security
Framework document thus usually falls under the SO's jurisdiction, as does the management and distribution of
the various position papers. In a large organization, the SO may have a dedicated Document Manager on her
team, someone whose specific responsibility it is to ensure that all the policy documents are kept current, that
changes are properly controlled and that users have free and easy access to all necessary security information.

Position Papers


Position papers are written to address a specific aspect of the security policy such as the security of some
specific technology, or security in a particular situation. For example, one might have a position paper covering
the secure configuration of Windows 2000 member servers that are connected to the Internet, as well as one
describing the process to be followed in the event of a breach of security measures (commonly known as a
security incident.)

The position papers address these specific security issues in a way that is concise, practical and easy to
understand. They should also address the issues in ways that are directly relevant to the organization. Because
these papers are so focused they can be kept short and to the point. They are easily modified and can be written
by someone who is an expert in that particular field. Exactly what topics should be covered varies from
organization to organization: I make some comments on this question in the Policy Content section a little later in
this article.

Policy Owner

The Policy Owner is the person responsible for the maintenance and integrity of a given policy document. No
changes may be made to a document without the express permission of the Policy Owner. The name of the
Policy Owner must be clearly displayed on the document and the document should always be dated and signed
by the owner. Having a Policy Owner ensures consistency in policy and accountability for the validity and
efficacy of that particular aspect of the policy.

Security Datasheets

I typically recommend that each IT system have a security datasheet. The datasheet document lists specific
settings and parameters that ensure the security of the system. Whereas the Security Framework document and
the various position papers refer to policy in general, the datasheet introduces the details that should be applied
for each system. Each system or host should have a datasheet that is managed by the system owner and is
subject to the principles of this document and the System Paper.

It is the responsibility of information and technology owners and users to obtain the relevant papers from the SO
or the STF and ensure that the standards defined therein are correctly implemented on the systems they control.

Technical Guides

Technical guides are another set of useful documents, although they are not actually policies. Technical guides
outline the implementation, operation, configuration and administration of specific systems. They can be bought
off-the-shelf or the organization can commission experts to write them. They can be stored along with the
policies and referred to by the position papers. For example, instead of using a position paper to describe exactly
how Solaris-based Apache Web servers should be configured, the organization can write or even purchase a
guide that covers exactly that. Again, this contributes to the modular nature of security policies and makes them
both easier to use and easier to manage.

System Owner

In the section about classification in the second article in this series, we referred to the concept of ownership.
The System Owner is the person responsible for the technical management of a given IT system. It is his or her
responsibility to ensure that the specifications of the Security Framework document and the relevant position
papers are implemented and maintained. It is also the System Owner's responsibility to decide on the
classification of the system, should it differ from the default. The name of the System Owner is given in the
datasheet for each system and should be clearly displayed whenever a user accesses the system and on or near
the system itself where it can easily be seen.

Policy Content

Now that the framework of the security policy is in place, readers may be wondering just what they should say.
There is no set answer for this question, as it depends on the organization in question. The policies must be
based on the real requirements identified by the security risk assessment that the organization should have
performed. But everyone loves a shortcut, so here are two:

1) What the Position Papers Should Say

Scope - precisely what issue, organizational unit or technological system the paper covers.

Validity - each policy should have a limited lifespan and be reviewed on a regular basis.

Ownership - a name and contact details for the 'owner' of the document, as described earlier in this paper.

Responsibilities - a description of who is responsible for which elements of the security of the system or issue
being covered. This is important if one wants to enforce accountability.

Supporting Documentation - a reference to other documents higher or lower in the policy structure, for
example, the Security Framework document or a specific Technical Guide.

Position Statement - what you actually want to say about the issue (kind of the hard part.)

Review - whether, when and how security reviews will be performed on the systems in question.

Compliance - a statement regarding the consequences of non-compliance with the policy.

2) Policies for Free

There are a number of good examples of policies to be found on the Web, both for free and at a price. One
excellent resource for position papers is Mr. Charles Cresson Woods' comprehensive book - "Information
Security Policies Made Easy", which is available from Baseline Software. Although my feeling is that Mr.
Cresson Woods' policies are (for the most part) too generic, his book can give you an idea of what should be
covered and there definitely are some policies that can be used. The book comes with a CD that has the policies
in electronic format for easy copy-and-pasting.

What Topics should the Position Papers Cover?

Here's a list of position papers that should exist for most organizations:

- Physical Security
- Network Security
- Access Control
- Authentication
- Encryption
- Key Management
- Compliance
- Auditing and Review
- Security Awareness
- Incident Response & Disaster Contingency Plan
- Acceptable Use Policy
- Software Security
Assessing Policies

Once an organization has a system of security policies in place, it will be necessary to determine the efficacy of
the policies within the context of the organization. The proper way to do this is, of course, via another risk
assessment exercise, thus completing the security cycle. However, it may be possible to properly assess the
policies without having to go through the entire risk assessment process. The following is a list of simple
questions security personnel can use to assess how effective the policy will be for their particular organization.
These are typically also the questions that auditors and security analysts will be asking themselves as they
review your security mechanisms.

1. Does the policy have a clearly defined scope? Is it clear to which system and which people the policy is
   applicable?
2. Is the policy comprehensive in terms of the defined scope it means to address? Are all systems and
   issues sufficiently covered?
3. Does the policy clearly define responsibilities? Is it clear to the end-user, the line-manager and the various
   administrators exactly what his or her responsibilities are? Is it clear who is responsible for various
   aspects of security?
4. Is the policy enforceable? Can it be applied in a concrete manner so that the compliance is measurable?
5. Is the policy adaptable? Can it be easily changed to address new risks and new technologies?
6. Is the policy having its desired effects?
7. Is the policy universally known and understood within the organization? Is the policy well distributed, is
   there an awareness of the policy and is its content understood?
8. Does the policy comply with law and with duties to third parties? Is the organization fulfilling its statutory
obligations?

Global Best Practice: Measuring Policies Against International Standards.

At least one good reason for an organization to have security policies is to display that it is taking all reasonable
steps to ensure the confidentiality and integrity of its information assets. This is particularly important for publicly-
listed companies, for companies in the process of mergers and acquisitions, and for companies seeking
investors and business partnerships. As security becomes more of a public relations concern, large
organizations will require their e-business partners to comply with a set of operating regulations that ensure that
appropriate levels of security are maintained. For example, industry leaders like VISA have already begun this
process with their partners.

What are "appropriate levels of security" then? These levels are often dictated by standard-setting organizations,
such as The International Organization for Standardization. A security standard contains a list of required
controls that need to be in place in order to ensure appropriate levels of security. When an organization has
effectively implemented the controls prescribed by the standard it can apply for certification of standard
adherence or compliance from the standard's governing body. One standard that is frequently used in security
circles is BS 7799, issued by the British Standards Institute (BSI) in the United Kingdom, which has been
incorporated into the ISO standard set. ISO 17799 comprises 137 control objectives that must be achieved
before an organization can apply for certification to the standard.

Implemented properly, standards like ISO 17799 can significantly further an organization's IT security objectives,
but readers should be aware that this is not the only available security standard today. It is important for an
organization embarking on the long and hard (and expensive!) route to certification to understand what the
envisaged security standard will offer them and their business partners in the long run.

If an organization is considering structuring its policies within the framework of a security standard like ISO
17799, here are some issues it should consider addressing:

1) Recognition - If a major purpose of certification is to assure customers of the organization's security
readiness, the certification chosen must be highly regarded by the target market. This is probably the single most
important factor.

2) Focus - The various certification programs tend to focus on different aspects of IT security. For example,
GMITS takes a business-oriented approach whilst ITSEC tends to focus on technology. A certification path
needs to be chosen that is compatible with your organization's own security objectives.

3) Local presence - Apart from the standards body itself the process of certification typically requires the
participation of two other parties - the process consultant who will lead you through to certification and the
assessors who make the certification approval. You must determine if the correct people are available in
your country or state to do this work. This is of course particularly important for the BSI standards.

4) Cost - The cost of the certification must be weighed up against the value it offers.

5) Endurance - The certification process should have long-term benefits that outweigh the costs. This means:

• The effects of the process should be practically tangible (the systems should be more secure afterward).
• The process should not have to be repeated too often.

6) Objectivity - It is generally not a good idea to be officially audited by companies that also sell security
products. However, this is not a black-and-white issue and most security companies today offer both services
and products successfully.

Conclusion

This concludes our discussion of designing and structuring security policies. In the next, and final, installment of
this series devoted to developing effective security policies, we will walk through a couple of examples of security
policies.


Introduction to Security Policies, Part Four: A Sample Policy


by Charl van der Walt
last updated October 22, 2001

This is the fourth in a four-part overview of security policies. In the first article, we looked at what
policies are and what they can achieve. The second article looked at the organizational support required
to implement security policies successfully. The third installment discussed how to develop and
structure a security policy. This installment will take a look at a few examples of security policies.
An IP Network Security Policy
This section contains an example of a position paper for an IP network for a fictitious company that we
shall call "Foobar". The policy documented here makes extensive use of the system of classification
that was explained in part two of this series. This system of classification should be well understood
before continuing.
Intent Statement
The intent of this policy is to ensure that all systems installed on the Foobar network are maintained at
appropriate levels of security while at the same time not impeding the ability of Foobar users and
support staff to perform their work. The purpose is:
• to define where equipment is to be placed on the network;
• to define who may access network equipment;
• to define how access to this equipment is to be controlled; and,
• to define how data traveling over the network is to be protected.
Applicability
This policy applies to:
• any IP networks (existing and future) to which Foobar network equipment is connected;
• all equipment connected to the networks mentioned above;
• any IP networks across which Foobar data travels;
• data in transit over any of the above-mentioned networks;
• network administrators managing the equipment;
• project leaders requiring new equipment to be connected to the network; and,
• all users utilizing equipment that is connected to the network.
This includes, but is not limited to:
• the User LAN - 2.3.4.0/24;
• the SERVER LAN - 2.3.5.0/26;
• the Backup SERVER LAN - 2.3.5.64/26;
• all backbone services, Switches, ADSL, Internal Dial-Up, etc.; and,
• remote sites.


This policy will also apply to all equipment connected to the networks mentioned above, and all Foobar
employees using any of this equipment.
Statement of Foobar's Position
The security policy is based on the principles and guidelines described in the Foobar Information
Security Framework document. All Foobar network equipment (routers, servers, workstations etc) shall
be classified according to the standard Foobar classification scheme and placed in a network segment
appropriate to its level of classification. Access to these segments must be controlled in an appropriate
manner. Whenever data travels over a network segment of a lower security classification, the
data shall be protected in a manner appropriate to its classification level.
Classification
In accordance with the Foobar Information Security Framework document, all users, hosts and data
must be classified as security level 1 (unclassified), 2 (shared), 3 (company only) or 4 (confidential).
All physical network segments, IP subnets and other IP traffic carriers must be classified in the same
way. All data travelling on an IP network must be classified, and all users using network equipment or
requesting data over the network must be assigned a level of clearance according to the same system.
It is the function of the person designated as the equipment owner to have all equipment under his or
her control classified. The owner is defined as the head of division installing the equipment.
Classification is done in consultation between the owner (or an assigned representative) and the
Security Officer, but the final decision shall lie with the Security Officer.
For a description of the Foobar system of security level classification, the concept of ownership and the
role of the Security Manager, refer to the Foobar Information Security Policy Framework document.
Network Segmentation
1. Unless otherwise stated in the security policy or in the Information Security Policy
Framework all network segments are classified Level 1 - Unclassified.
2. The classification of network segments is given in the section of this article entitled Discussion of
Classifications, which follows.
3. A network segment can only be classified as another security level with approval of the Foobar
Security Manager. Its new level of classification must be recorded in this document and all
divisional heads must be notified.
4. Wherever a network segment connects to another network segment with a different security
level, then the connection between the two networks must be controlled by an approved trusted
point. A trusted point is equipment capable of regulating the flow of traffic between two network
segments in a manner appropriate to the classification of the networks. Trusted points are
covered in detail in the section that follows.
5. No network equipment may be connected to a network segment that is not of the same security
level as the equipment itself.
6. The Foobar Security Officer may also choose to segment two networks of the same security
level.
Trusted Points


1. The trusted point used to segment two networks shall be appropriate for the network with the
highest security level.
2. The default behavior of a trusted point must be to deny all IP traffic between the network
segments it protects.
3. At the discretion of the Foobar Security Manager, the default behavior of the trusted point may
be to allow all traffic out from the network with the higher security level whilst denying all
traffic in.
4. At the discretion of the Foobar Security Manager, the trusted point may be configured to allow
specific traffic into the network with the higher security level.
5. All trusted points must be completely under the control of the Security Manager. Access to any
trusted point shall only be granted with the explicit permission of the Security Manager and
under his or her close supervision.
6. There are a number of technologies that can act as trusted points. They are divided into the
following categories:
• Network Level Control: TCP wrappers, hosts.allow lists, filter routers, network-level
firewalls, V-LAN switches etc.;
• User Level Control: application proxies, user-level firewalls etc.; and,
• Strong User-Level Control: token-based user authentication systems, certificates etc.
Whenever there is a connection that skips over one security level the strong user level control
must be used. Even if strong user control is used, a connection may never skip more than one
security level.
Control of traffic must be exercised in the manner listed below:

For connections into Unclassified classified segments
From            Control Type                              Comment
Unclassified    No controls
Shared          No controls
Company Only    No controls                               With the exception of the Internet
Confidential    No controls

For connections into Shared classified segments
From            Control Type                              Comment
Unclassified    No controls
Shared          No controls
Company Only    No controls
Confidential    No controls

For connections into Company Only classified segments
From            Control Type                              Comment
Unclassified    Via a proxy: Network level control to     This allows both for things like incoming
                and from the proxy.                       SMTP and user dial-in.
                Direct: Strong user-level control
Shared          Network level control
Company Only    No controls
Confidential    No controls

For connections into Confidential classified segments
From            Control Type                              Comment
Unclassified    Not permitted
Shared          Not permitted
Company Only    Strong user-level control
Confidential    No controls

Data in Transit
1. Data moving on the network between any two network-components is considered to be "data in
transit". This also includes all control and management sessions.
2. All network technologies are regarded as either "safe" or "unsafe" in their native state (i.e.
without any encryption). The only networks regarded as safe by Foobar are Frame-Relay PVCs
(as used on the Foobar backbone) and switched Ethernet LANs. All other network types are
regarded unsafe.
3. All data in transit over an unsafe network segment that has a classification lower than the
classification of the data must be protected by data encryption. Data in transit over a safe network
segment may be encrypted at the discretion of the Security Officer.
4. Encryption of data in transit may take any of the following forms:
• network encryption, in which data is encrypted at the IP layer (for example, with IPSec);
• session encryption, in which data is encrypted at a TCP layer (for example, with SSL);
• message encryption, in which blocks of data are encrypted before they are sent (for
example, with S/MIME); and,
• data encryption, in which the entire data package is encrypted before it is transmitted (for
example, with file encryption).
Encryption systems used must offer strong encryption (more than 100-bit encryption keys) and
use internationally recognized encryption algorithms. The choice of the crypto-algorithm is the
responsibility of the Security Officer and is laid out in Foobar's position paper on Cryptography.
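
The trusted-point tables and the data-in-transit rule above can be checked mechanically against flow records. The following Python code is an added example, not part of the original policy or article; the subnets and levels come from the policy text, while the control labels, carrier-type strings, flow-record fields and the 198.51.100.7 outside host are assumptions made for illustration.

```python
"""Evaluate network flows against the Foobar sample policy (added example)."""
import ipaddress
from enum import IntEnum


class Level(IntEnum):
    UNCLASSIFIED = 1
    SHARED = 2
    COMPANY_ONLY = 3
    CONFIDENTIAL = 4


# Control labels are names chosen for this example, ordered by strength.
NONE, NETWORK, STRONG_USER, DENY = "none", "network-level", "strong-user-level", "not-permitted"
STRENGTH = {NONE: 0, NETWORK: 1, STRONG_USER: 2}

U, S, C, X = Level.UNCLASSIFIED, Level.SHARED, Level.COMPANY_ONLY, Level.CONFIDENTIAL

# Trusted-point tables from the policy, indexed CONTROL[destination][source].
# The Unclassified -> Company Only entry is the "direct" case; the proxy case
# is handled in required_control().
CONTROL = {
    U: {U: NONE, S: NONE, C: NONE, X: NONE},
    S: {U: NONE, S: NONE, C: NONE, X: NONE},
    C: {U: STRONG_USER, S: NETWORK, C: NONE, X: NONE},
    X: {U: DENY, S: DENY, C: STRONG_USER, X: NONE},
}

# Subnets named in the policy's Applicability section with the levels given
# under Classification of Networks.
SEGMENTS = {
    ipaddress.ip_network("2.3.4.0/24"): C,    # User LAN
    ipaddress.ip_network("2.3.5.0/26"): X,    # SERVER LAN
    ipaddress.ip_network("2.3.5.64/26"): X,   # Backup SERVER LAN
}

# Data in Transit, rule 2: only these carriers count as "safe" unencrypted.
# The string labels are assumptions of this example.
SAFE_CARRIERS = {"frame-relay-pvc", "switched-ethernet"}


def segment_level(ip):
    """Map an address to its segment level; unlisted segments are Level 1."""
    addr = ipaddress.ip_address(ip)
    for net, level in SEGMENTS.items():
        if addr in net:
            return level
    return Level.UNCLASSIFIED


def required_control(src_ip, dst_ip, via_proxy=False):
    """Return the control the trusted point must apply for src -> dst."""
    src, dst = segment_level(src_ip), segment_level(dst_ip)
    if via_proxy and (src, dst) == (U, C):
        return NETWORK
    return CONTROL[dst][src]


def encryption_required(data_level, carrier_level, carrier_type):
    """Data in Transit, rule 3: unsafe carrier classified below the data."""
    return carrier_type not in SAFE_CARRIERS and carrier_level < data_level


def audit(flow):
    """Return the list of policy findings for one flow record."""
    findings = []
    need = required_control(flow["src"], flow["dst"], flow.get("via_proxy", False))
    if need == DENY:
        findings.append("connection not permitted")
    elif STRENGTH[flow["control"]] < STRENGTH[need]:
        findings.append(f"needs {need} control, has {flow['control']}")
    if (encryption_required(flow["data"], flow["carrier_level"], flow["carrier"])
            and not flow["encrypted"]):
        findings.append("data must be encrypted on this carrier")
    return findings


# Constructed flow records (198.51.100.0/24 is a documentation range standing
# in for an outside host; it is not part of the policy).
FLOWS = [
    {"src": "198.51.100.7", "dst": "2.3.4.20", "control": NETWORK,
     "data": C, "carrier_level": U, "carrier": "internet", "encrypted": True},
    {"src": "2.3.4.20", "dst": "2.3.5.10", "control": STRONG_USER,
     "data": X, "carrier_level": C, "carrier": "switched-ethernet", "encrypted": False},
    {"src": "198.51.100.7", "dst": "2.3.5.70", "control": STRONG_USER,
     "data": X, "carrier_level": U, "carrier": "internet", "encrypted": False},
]

if __name__ == "__main__":
    for flow in FLOWS:
        print(flow["src"], "->", flow["dst"], audit(flow) or "compliant")
```

The table is encoded exactly as written, so Shared into Confidential is refused even though the skip-one-level rule alone would allow it with strong user-level control.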
Access to the Internet
Access to the Internet from Foobar networks is considered a special case and is dealt with as an issue
on its own in the position paper on Internet Access.
Discussion of Classifications


Classification of Users
1. Every user is designated as unclassified until his or her classification is explicitly changed with
the written approval of the Security Officer.
2. When a new employee joins Foobar, a request is made by the employee's manager to the Security
Officer for a new level of clearance. It is the responsibility of the manager to justify the requested
level of clearance.
3. Unless there is strong justification, all new employees shall be cleared for the level Foobar Only,
but only after they have signed an employment contract including acceptance of this policy and
non-disclosure forms.
4. The Security Officer is responsible for managing and controlling the record of clearance levels
for all personnel.
5. It is the responsibility of all system owners and system administrators to determine the security
level of a given user before granting that user access to any system.
6. It is the responsibility of the user to know his or her own clearance level and to understand the
rights and limitations associated with that clearance.
Classification of Equipment
1. All computing equipment must be given a classification by the Foobar Security Officer.
2. Classifications for existing Foobar equipment are as follows:
• all user workstations, file-servers, print-servers etc should be classified as "Company Only";
• all Server LAN servers and other hosts used in the management of the Foobar backbone
infrastructure or Foobar internal network infrastructure will be classified as "Confidential";
• all backbone equipment (including switches, remote access servers, ADSL chassis etc) that
is not located on Foobar premises will be classified as "Shared"; and,
• all equipment used in the transfer of data to and from the Internet will be classified as
"Shared".
The Security Officer must maintain a complete list of the classifications of all computing
equipment in the Foobar network and in the Foobar backbone.
Classification of Networks
The Foobar Security Officer must classify every network segment that constitutes part of the Foobar
infrastructure. A complete list of the classifications of all network segments in the Foobar network and
in the Foobar backbone is maintained by the Security Officer. Classifications for existing Foobar
network segments are as follows:
• The Foobar User LAN located is classified as Company Only.
• The SERVER LAN & backup SERVER LAN are classified as Confidential.
• The Foobar Frame-Relay Backbone is classified as Shared.
• The Remote sites are classified as Shared.
• The SERVER LAN and the Portal Segment are classified as Shared.
Classification of Data
Any Foobar user with legitimate access to Foobar data may, with sufficient justification, change the
classification of the data. The user may only change the classification of data if there is sufficient,
justifiable reason to do so. Users will be held strictly responsible for these decisions.


All newly created data must be classified "Company Only" until it is reclassified by a user, who does so
on his or her own prerogative. Users are held solely responsible for any data whose classification they
change. Classifications for existing Foobar data are given below:
• Foobar business information (memos, financial documents, planning documents etc) should be
classified as "Company Only";
• Foobar customer data (contact details, contracts, billing information etc) should be classified as
"Company Only";
• network management data (IP addresses, passwords, configuration files, etc.) should be classified
as "Confidential";
• human resources information (employment contracts, salary information, etc.) should be classified
"Confidential";
• Published information (pamphlets, performance reports, marketing material, etc.) should be
classified "Shared";
• E-mail between Foobar employees should be classified "Foobar Only"; and,
• E-mail between Foobar employees and non-Foobar employees should be regarded as
"Unclassified".
Classifications: Roles and Responsibilities
1. It is the responsibility of the user to:
• know his or her own clearance level and to understand the rights and limitations associated
with that clearance;
• ensure all the data he or she works with is correctly classified;
• ensure that he or she understands the restrictions associated with the data he or she is
working with; and,
• ensure all the data he or she works with is housed and protected appropriately.
2. It is the responsibility of all system owners and system administrators to:
• determine the security level of a given user before granting that user access to any system;
• verify the classification of the equipment they manage; and,
• verify that the equipment is installed and protected in accordance with its classification.
3. It is the responsibility of each divisional manager to:
• obtain clearance for employees in his or her divisions;
• clarify the classification of data on systems under his or her control;
• clarify the classification of equipment under his or her control and to ensure that those
systems are correctly installed; and,
• ensure all employees in that division understand and implement this policy.
4. It is the responsibility of the Security Officer to:
• approve all classifications;
• maintain a list of all classifications;
• approve the final layout of the Foobar network and backbone;
• control and manage all trusted points; and,
• determine the type of cryptographic protection to be used for data in transit.

Compliance
1. Any user accessing data, equipment or a physical location with insufficient clearance can face
disciplinary action, dismissal and criminal or civil prosecution.


2. Any user allowing access to a system that he or she controls for someone with insufficient
clearance can face disciplinary action, dismissal and criminal or civil prosecution.
3. Any person connecting equipment that is not classified to the network or connecting equipment
to an inappropriate part of the network or in an inappropriate location can face disciplinary
action, dismissal and criminal or civil prosecution.
4. Any person transmitting data over any network without the appropriate cryptographic protection
for that data can face disciplinary action, dismissal and criminal or civil prosecution.
5. Any person changing the classification of data in a way that is reckless, irresponsible or in any
way damaging to Foobar, their shareholders or any of their clients can face disciplinary action,
dismissal and criminal or civil prosecution.
Points of Contact and Supplementary Information
1. For a description of the Foobar system of security level classification, users should refer
to the Foobar Information Security Framework document;
2. The security policy should also provide contact details for the Foobar Security Officer.
For enquiries regarding the classification of data, equipment, network segments or physical locations or
the clearance level of users, interested parties should be directed to contact the Foobar Security Officer.
Conclusion
This has been a long series of articles and a lot of material was covered. Let me try to summarize the
important points that should remain stuck in your mind:
1. If policies are properly implemented, they can become an effective and efficient part of your
information security arsenal. Because policies secure the 'human element', they address an
element of your risk profile that is seldom touched by technology.
2. There are no silver bullets in security, and the same is also true for information security policies.
Your policies should be written to counter your specific risk profile and should be based on the
findings of a security risk analysis exercise.
3. Policies can only be effective in a corporate environment that makes information security a high
priority. It may be necessary to make some far-reaching changes to your organizational structure
and culture before policies can effectively achieve the organization's security objectives.
Foremost among these changes are the designation of responsibility and the commitment of
funds.
4. Your policies must be designed 'for the people' and be easy to access, use and understand. To
facilitate this, I suggest that the documents be structured in a hierarchical fashion with documents
having different levels of detail. Responsibility for the management of this document tree should
be specifically assigned.
5. Although the actual content of policy documents should vary radically from organization to
organization, there are some fundamental principles that each policy should enforce. These
principles have been discussed in this series of articles.
Once your policies have been implemented you will have a structured, formal framework to guide your
security strategy and according to which the progress of the process can be measured.


Using Windows Security Center


Applies to Windows Vista
Windows Security Center can help enhance your computer's security by checking the status of several security
essentials on your computer, including firewall settings, Windows automatic updating, anti-malware software
settings, Internet security settings, and User Account Control settings. If Windows detects a problem with any of
these security essentials (for example, if your antivirus program is out of date), Security Center displays a
notification and places a Security Center icon in the notification area. Click the notification or double-click the
Security Center icon to open Security Center and get information about how to fix the problem.

Windows Security Center


Firewall
A firewall can help prevent hackers or malicious software (such as worms) from gaining access to your computer
through a network or the Internet. A firewall can also help stop your computer from sending malicious software
to other computers. Windows checks if your computer is protected by a software firewall. If the firewall is off,
Security Center will display a notification and put a Security Center icon in the notification area. For more
information about using a software firewall, see What is a firewall?


To turn on Windows Firewall

1. Open Security Center by clicking the Start button, clicking Control Panel, clicking Security, and then
clicking Security Center.

2. Click Firewall, and then click Turn on now. If you are prompted for an administrator password or
confirmation, type the password or provide confirmation.

Notes

• If you have a firewall other than Windows Firewall, check the information that came with the firewall or go to the
manufacturer's website to find out how to turn it on.

• Windows does not detect all firewalls. If you are sure that you have a firewall installed and turned on, you can
click Show me my available options to stop receiving notifications from Security Center about your firewall. If
you do this, Windows will not monitor your firewall status or alert you if it is off.

Automatic updating
Windows can routinely check for updates for your computer and install them automatically. You can use Security
Center to make sure Automatic updating is turned on. If updating is turned off, Security Center will display a
notification and put a Security Center icon in the notification area. For more information about automatic
updating, see Change how Windows installs or notifies you about updates and What are updates?
To turn on automatic updating

1. Open Security Center by clicking the Start button, clicking Control Panel, clicking Security, and then
clicking Security Center.

2. Click Automatic updating, and then click Turn on now. If you are prompted for an administrator
password or confirmation, type the password or provide confirmation.

Malicious software protection
Malicious software (malware) protection can help protect your computer against viruses, spyware, and other
security threats. Security Center checks if your computer is using up-to-date antispyware and antivirus software.
If your antivirus or antispyware software is turned off or out of date, Security Center will display a notification and
put a Security Center icon in the notification area. For more information about how anti-malware software can
help protect your computer, see Using anti-malware software to help protect your computer.
To install or update your anti-malware software

1. Open Security Center by clicking the Start button, clicking Control Panel, clicking Security, and then
clicking Security Center.


2. Click Malware protection, click the button under Virus protection or Spyware and other malware
protection, and then choose the option that you want.

Note

• Windows does not detect all antivirus and antispyware software. If you are sure that you have anti-malware
software installed, it is turned on, and it is up to date, you can click I have an antivirus program that I'll
monitor myself or I have an antispyware program that I'll monitor myself to stop receiving notifications
from Security Center about your anti-malware software. If you do this, Windows will not monitor your
anti-malware software status or alert you if it is off.

Other security settings
Windows checks your Internet security settings and User Account Control settings to make sure they are set at
the recommended levels. If your Internet or User Account Control settings are changed to a security level that is
not recommended, Security Center will display a notification and put a Security Center icon in the notification
area.
To restore Internet settings to recommended levels

1. Open Security Center by clicking the Start button, clicking Control Panel, clicking Security, and then
clicking Security Center.

2. Click Other security settings.

3. Under Internet security settings, click Restore settings.

4. Do one of the following:

• To automatically reset the Internet security settings that are at risk to their default level, click Restore
my Internet security settings now.

• To reset the Internet security settings yourself, click I want to restore my Internet security settings
myself. Click the security zone you want to change settings for, and then click Custom level.

To restore User Account Control settings to recommended levels

1. Open Security Center by clicking the Start button, clicking Control Panel, clicking Security, and then
clicking Security Center.

2. Click Other security settings.

3. Under User Account Control, click Turn on now. If you are prompted for an administrator password
or confirmation, type the password or provide confirmation.


Understanding security and safe computing

If you connect to the Internet, allow other people to use your computer, or share files with others, you should
take steps to protect your computer from harm. Why? Because there are computer criminals (sometimes
called hackers) who attack other people's computers. These people can attack directly, by breaking into your
computer through the Internet and stealing your personal information, or indirectly, by creating malicious
software to harm your computer.

Fortunately, you can help protect yourself by taking a few simple precautions. This article describes the threats
and what you can do to defend against them.

Protect your computer


These are ways to help protect your computer against potential security threats:

• Firewall. A firewall can help protect your computer by preventing hackers or malicious software from
gaining access to it.

• Virus protection. Antivirus software can help protect your computer against viruses, worms, and other
security threats.

• Spyware and other malware protection. Antispyware software can help protect your computer from
spyware and other potentially unwanted software.

• Windows Update. Windows can routinely check for updates for your computer and install them
automatically.

Use a firewall
A firewall is software or hardware that checks information coming from the Internet or a network and then either
turns it away or allows it to pass through to your computer, depending on your firewall settings. In this way, a
firewall can help prevent hackers and malicious software from gaining access to your computer.

Windows Firewall is built into Windows and is turned on automatically.

How a firewall works


If you run a program such as an instant messaging program or a multiplayer network game that needs to receive
information from the Internet or a network, the firewall asks if you want to block or unblock (allow) the
connection. If you choose to unblock the connection, Windows Firewall creates an exception so that the firewall
won't bother you when that program needs to receive information in the future.

Use virus protection


Viruses, worms, and Trojan horses are programs created by hackers that use the Internet to infect vulnerable
computers. Viruses and worms can replicate themselves from computer to computer, while Trojan horses enter a
computer by hiding inside an apparently legitimate program, such as a screen saver. Destructive viruses, worms,
and Trojan horses can erase information from your hard disk or completely disable your computer. Others don't
cause direct damage, but worsen your computer's performance and stability.

Antivirus programs scan e-mail and other files on your computer for viruses, worms, and Trojan horses. If one is
found, the antivirus program either quarantines (isolates) it or deletes it entirely before it damages your
computer and files.

Windows does not have a built-in antivirus program, but your computer manufacturer might have installed one.
If not, there are many antivirus programs available. Microsoft offers Microsoft Security Essentials, a free antivirus
program you can download from the Microsoft Security Essentials website. You can also go to the Windows 7
security software providers website to find a third-party antivirus program.

Because new viruses are identified every day, it's important to use an antivirus program with an automatic update
capability. When the program is updated, it adds new viruses to its list of viruses to check for, helping to protect
your computer from new attacks. If the list of viruses is out of date, your computer is vulnerable to new threats.
Updates usually require an annual subscription fee. Keep the subscription current to receive regular updates.

Warning

• If you don't use antivirus software, you expose your computer to damage from malicious software. You also run
the risk of spreading viruses to other computers.

Use spyware protection


Spyware is software that can display advertisements, collect information about you, or change settings on your
computer, generally without appropriately obtaining your consent. For example, spyware can install unwanted
toolbars, links, or favorites in your web browser, change your default home page, or display pop-up ads
frequently. Some spyware displays no symptoms that you can detect, but it secretly collects sensitive information,
such as the websites you visit or the text you type. Most spyware is installed through free software that you
download, but in some cases simply visiting a website results in a spyware infection.

To help protect your computer from spyware, use an antispyware program. This version of Windows has a
built-in antispyware program called Windows Defender, which is turned on by default. Windows Defender alerts you
when spyware tries to install itself on your computer. It also can scan your computer for existing spyware and
then remove it.

Because new spyware appears every day, Windows Defender must be regularly updated to detect and guard
against the latest spyware threats. Windows Defender is updated as needed whenever you update Windows. For
the highest level of protection, set Windows to install updates automatically.

Windows Defender is antispyware software that's included with Windows and runs automatically when it's turned
on. Using antispyware software can help protect your computer against spyware and other potentially unwanted
software. Spyware can be installed on your computer without your knowledge any time you connect to the
Internet, and it can infect your computer when you install some programs using a CD, DVD, or other removable
media. Spyware can also be programmed to run at unexpected times, not just when it's installed.

Windows Defender offers two ways to help keep spyware from infecting your computer:

• Real-time protection. Windows Defender alerts you when spyware attempts to install itself or to run on
your computer. It also alerts you when programs attempt to change important Windows settings.

• Scanning options. You can use Windows Defender to scan for spyware that might be installed on your
computer, to schedule scans on a regular basis, and to automatically remove anything that's detected
during a scan.

When you use Windows Defender, it's important to have up-to-date definitions. Definitions are files that act like
an ever-growing encyclopedia of potential software threats. Windows Defender uses definitions to alert you to
potential risks if it determines that software detected is spyware or other potentially unwanted software. To help
keep your definitions up to date, Windows Defender works with Windows Update to automatically install new
definitions as they're released. You can also set Windows Defender to check online for updated definitions before
scanning. For information about keeping your definitions up to date and how to manually download the latest
definitions, see Keep Windows Defender definitions up to date.

• Open Windows Defender by clicking the Start button. In the search box, type Defender, and then, in
the list of results, click Windows Defender.

Update Windows automatically


Microsoft regularly offers important updates to Windows that can help protect your computer against new
viruses and other security threats. To ensure that you receive these updates as quickly as possible, turn on
automatic updating. That way, you don't have to worry that critical fixes for Windows might be missing from your
computer.

Updates are downloaded behind the scenes when you're connected to the Internet. The updates are installed at
3:00 A.M. unless you specify a different time. If you turn off your computer before then, you can install updates
before shutting down. Otherwise, Windows will install them the next time you start your computer.

To turn on automatic updating

1. Open Windows Update by clicking the Start button. In the search box, type Update, and then, in the
list of results, click Windows Update.

2. Click Change settings.

3. Make sure Install updates automatically (recommended) is selected.

Windows will install important updates for your computer as they become available. Important updates
provide significant benefits, such as improved security and reliability.

4. Under Recommended updates, make sure the Give me recommended updates the same way I receive
important updates check box is selected, and then click OK.

Recommended updates can address non-critical problems and help enhance your computing
experience. If you're prompted for an administrator password or confirmation, type the password or
provide confirmation.

Install the latest version of your web browser and keep it up to date

Using the latest version of your web browser and keeping your browser up to date are two of the best ways to
prevent trouble online. In most cases, the latest version of a web browser contains security fixes and new features
that can help protect your computer and your privacy while you're online.

Also, many web browsers offer security updates periodically. So be sure to install updates for your browser
whenever they're available.

If you have Internet Explorer, you can get updates for it automatically using Windows Update. If your computer
isn't set up to automatically receive updates, you can manually request these updates by using Internet Explorer.
Click the Safety button, and then click Windows Update. Follow the instructions on the screen to check for
updates.

Turn on your browser's security features


Many web browsers have security features that help you browse the web safely. So it's a good idea to find out
what security features your browser has and make sure they're enabled.

If you have Internet Explorer, here are some of the security features that are available:

• SmartScreen Filter, which can help protect you from online phishing attacks, fraud, and spoofed or
malicious websites. For more information, see SmartScreen Filter: frequently asked questions.

• Domain highlighting, which lets you more easily see the real web address on websites you visit. This helps
you avoid deceptive or phishing websites that use misleading web addresses to trick you. The true domain
you're visiting is highlighted in the address bar.

• Manage Add-ons, which lets you disable or allow web browser add-ons and delete unwanted ActiveX
controls. For more information, see How do browser add-ons affect my computer?

• Cross-site scripting (XSS) filter, which can help prevent attacks from phishing and fraudulent websites that
might attempt to steal your personal and financial information. For more information, see How does
Internet Explorer help protect me from cross-site scripting attacks?

• A 128-bit secure (SSL) connection for using secure websites. This helps Internet Explorer create an
encrypted connection with websites run by banks, online stores, medical sites, or other organizations that
handle sensitive customer information. For more information, see How to know if an online transaction is
secure.
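
The JavaScript below shows what domain highlighting works out for several look-alike addresses. It is an added example, not part of the original guide and not Internet Explorer's own code. The suffix list, the function names and the sample URLs (which use reserved .example and .test names) are assumptions constructed for illustration.

```javascript
// Added example, not from the original guide. Sample URLs are constructed.

// Assumption: a small sample of two-label public suffixes. Browsers use the
// full Public Suffix List for this step.
const TWO_LABEL_SUFFIXES = new Set(["co.uk", "com.au", "com.et", "gov.et"]);

// Return the part of the hostname that identifies who runs the site.
function registrableDomain(hostname) {
  const host = hostname.toLowerCase().replace(/\.$/, "");
  // IP literals have no registrable domain, so show them whole.
  if (/^\d+(\.\d+){3}$/.test(host) || host.startsWith("[")) return host;
  const labels = host.split(".");
  const suffix = labels.slice(-2).join(".");
  const keep = TWO_LABEL_SUFFIXES.has(suffix) ? 3 : 2;
  return labels.slice(-keep).join(".");
}

// Split a URL into the dimmed and the highlighted part of the address bar.
function highlight(rawUrl) {
  const url = new URL(rawUrl); // throws TypeError on malformed input
  const host = url.hostname.toLowerCase().replace(/\.$/, "");
  const domain = registrableDomain(host);
  const prefix = host.slice(0, host.length - domain.length);
  return {
    highlighted: domain,
    // Text before "@" is login data, not the site, so flag it.
    hasUserInfo: url.username !== "" || url.password !== "",
    display: `${url.protocol}//${prefix}[${domain}]${url.pathname}`,
  };
}

const SAMPLES = [
  "https://www.mybank.example/login",                     // genuine site
  "https://www.mybank.example.account-verify.test/login", // brand as subdomain
  "https://www.mybank.example@account-verify.test/login", // brand before "@"
  "https://account-verify.test/www.mybank.example/login", // brand in the path
  "https://online.example.co.uk/login",                   // two-label suffix
];

for (const s of SAMPLES) {
  const r = highlight(s);
  console.log(r.display + (r.hasUserInfo ? "  (user info before @)" : ""));
}
```

In each output line the bracketed part is the domain that actually receives the connection; only the first and last samples belong to the site named in the address.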

For more information about protecting your computer and your privacy while you're online, go to the Microsoft
Security website or the Microsoft Online Safety website.

Use a standard user account


When you log on to your computer, Windows grants you a certain level of rights and privileges depending on
what kind of user account you have. There are three different types of user accounts: standard, administrator, and
guest.

Although an administrator account provides complete control over a computer, using a standard account can
help make your computer more secure. That way, if other people (or hackers) gain access to your computer while
you're logged on, they can't tamper with the computer's security settings or change other user accounts. You can
check your account type after you log on by doing the following:

The steps that you should follow will vary, depending on whether your computer is on a domain or a workgroup.
To find out, see "To check if your computer is on a workgroup or domain" in What is the difference between a
domain, a workgroup, and a homegroup?

Tips for safely using e-mail and the web


• Use caution when opening e-mail attachments. E-mail attachments (files attached to e-mail messages)
are a primary source of virus infection. Never open an attachment from someone you don't know. If you
know the sender but weren't expecting an attachment, verify that the sender actually sent the attachment
before you open it.

• Guard your personal information carefully. If a website asks for a credit card number, bank information,
or other personal information, make sure you trust the website and verify that its transaction system is
secure.

• Be careful when clicking hyperlinks in e-mail messages. Hyperlinks (links that open websites when you
click them) are often used as part of phishing and spyware scams, but they can also transmit viruses. Only
click links in e-mail messages that you trust.

• Only install add-ons from websites that you trust. Web browser add-ons allow webpages to display
things like toolbars, stock tickers, video, and animation. However, add-ons can also install spyware or other
malicious software. If a website asks you to install an add-on, make sure that you trust it before doing so.
