● Best Practices in Network Security - 1 - 荔园在线 | 深圳大学学生论坛,荔园晨风BBS,深大在线网站

荔园之美，在春之萌芽，在夏之绽放，在秋之收获，在冬之沉淀

发信人: Lg (创造人生的传奇), 信区: Linux
标  题: Best Practices in Network Security - 1
发信站: BBS 荔园晨风站 (Sun Mar 19 14:54:17 2000), 转信

Best Practices in Network Security

March 20, 2000
Frederick M. Avolio

Information systems security. Computer and network security. Internet security.
It's a complex world, and growing more so every day. With these changes, some
truths and approaches to security remain the same, while others are new and
radically different. Developing a sound security strategy involves keeping one
eye on the reality of Internet-speed changes in threats and technology, and the
other on the reality of the corporate environment. Purchasing security devices
is easy. Knowing how and what to protect and what controls to put in place is a
bit more difficult. It takes security management, including planning, policy
development and the design of procedures.

Not Your Father's Network
When the computer and network space was simpler, you could expect a network to
support any IP service. However, most people stuck to the basics of terminal
service, file copying and e-mail, with some file sharing thrown in. Fewer
services meant fewer avenues of attack.
Today's network incorporates all sorts of wonderful but unsettling services.
Voice data travels over the enterprise network. Files are shared. Corporate
networks now include travelers and customers, often in the name of e-business
and e-commerce. Every new network service represents possibilities for
increased sales.

Businesses reach out and touch partners, customers and potential clients, often
via the Internet. According to the January 2000 Internet Software Consortium's
Inter- net Domain Survey (www. isc.org/ds), there are more than 72 million
hosts on the Internet. Given that many organizations do not advertise their
internal name spaces, we know that many more computers are connected in some
fashion to the Internet. Potentially, perhaps a billion people live in the
"network neighborhood."

Between the vastness of this space and the services available, there are
countless potential avenues of attack. Attackers don't even have to be
particularly smart, skilled or patient to develop an attack. Through the ease
of "user friendly" software, and with the ubiquity of methods for simple file
distribution, anyone with a computer is a potential at- tacker. No special
skills are required. Launching attacks is within the reach of anyone with a
mouse.

The New Ground Rules
To meet the challenges of computer and network security, it's crucial to adopt
ground rules. Once they're in hand, the rest is easy.

  1. Security and complexity are often inversely proportional. Every step
taken--whether it's vulnerability and risk assessment, security policy and
procedure development, deployment of mechanisms or user education--should be as
straightforward and simple as possible. The more cryptic the instructions and
procedures, the more room for misunderstanding and misapplication.

  2. Security and usability are often inversely proportional. There is no such
thing as "complete security" in a usable system. Consequently, it's important
to concentrate on reducing risk, but not waste resources trying to eliminate it
completely. Such a pragmatic mind-set provides a fighting chance to achieve
fairly good security while still allowing productivity.

  3. Good security now is better than perfect security never. This is a
corollary of the previous axiom, since perfect security doesn't exist in a
usable system. Even if it were possible, a usable system is a moving target:
Threats change, technologies change and business needs change. The job is never
done.

This knowledge should actually free you to shoot for "good enough." Come up
with 10 things to do, but only get to four of them now, and you're probably in
a better position than if you wait until it's possible to do all 10. The key is
to prioritize correctly.

  4. A false sense of security is worse than a true sense of insecurity.
Knowing where your enterprise is still insecure provides you with the framework
for moving ahead. It's critical to know where you've left gaps, what documents
and procedures are not quite right and what mechanisms need replacing. A false
sense of security does not motivate improvement--or even analysis--of an
organization's security posture. It leads to false complacency, which can give
rise to disaster, often accompanied by the lament, "I thought we had that
covered." It's better to know where you are weak and avoid unquantifiable risks.

  5. Your security is only as strong as your weakest link. Therefore, be
thorough in examinations and evaluations. For example, if there's a reason to
employ VPNs (virtual private networks) to keep connections from home and remote
offices to headquarters private, it may be necessary to protect that data while
it resides on the notebook PCs of your mobile workforce. It may mean removing
modems from desktop computers, requiring all traffic to flow through the
firewall.

  6. It is best to concentrate on known, probable threats. There are imagined
threats, real threats and probable threats. And there are known and unknown
threats. We are most interested in real and probable threats, while we continue
to expand the set of known threats.

  7. Security is an investment, not an expense. The challenge is to get this
point across to upper management. Investing in computer and network security
measures that meet changing business requirements and risks makes it possible
to satisfy changing business requirements without hurting the business'
viability. Properly secured servers let corporate information be shared with
salespeople in the field and with business partners. Improperly configured
systems lead to data loss or worse.

Although it's comforting when an attack is put off, it is much better never to
have to put security measures to an actual "battlefield" test. As with airbags
in an automobile, it's important that they're there, but better never to have
to use them. With these ground rules in mind, it's time to do the most
important work in securing networks and computers: security management. Keeping
the above axioms in mind should help you streamline the process.

--
☆ 来源:．BBS 荔园晨风站 bbs.szu.edu.cn．[FROM: bbs@210.39.3.97]

荔园在线首页友情链接：深圳大学深大招生荔园晨风BBS S-Term软件网络书店