Howard Fuhs
Howard Fuhs
Howard Fuhs
IT-Sicherheitsberater
IT-Sicherheitsberater
IT-Sicherheitsberater

Internet Security Policies

Copyright (C) 09/1997 by Howard Fuhs


 



 
Content:

    Introduction

    Protective Measures

    Basic Security Stance

    Allocation of Permissions

    Access to Internet Services

    Securing Allowed Services

    Developing the Security Policy

    Allocation of Responsibilities

    Flexibility

    Definition of Consequences

    Copyrights
 
 


Introduction

Prompted by the ascendancy of the net as a fashion phenomenon the discussion of the advisability of connecting the internal company network to the Internet for commercial reasons rages in lots of companies wishing to participate in the excitement of the World Wide Web. Irrespective of the possible business advantages brought about by such a move there is no way to avoid considering the security problems, which may threaten the very existence of the enterprise.

When the military ARPA-Net (which later developed into the Internet) was established, the emphasis was on availability under all circumstances rather than on security (availability under all circumstances is also an important part of security). That fact now forces businesses to face the problem of having to connect their internal networks (however secure they may be) to a network, which must be considered both insecure and unreliable. Add to this that almost anybody with a computer, a modem and a telephone line now can connect to the Internet and use or misuse it for his own purposes and it becomes obvious that it is advisable to take suitable security precautions.

Whenever security measures are discussed in connection with the Internet and internal networks the magic word firewall pops up. Fundamental to such a firewall is not only hardware and software but above all the security policies constituting the guidelines determining the practical installation of the firewall. We are goin to take a closer look at the design of these policies.
 


Protective Measures

In order to tie a protective measure to a security policy it is necessary to define the tasks of the protective mechanism. Thus, a firewall consists of a number of components and systems situated between two networks. lt must be able to perform the following tasks:

The protective measure must not be liable to be attacked or it must be able to defend itself.

All the traffic between the inner and the outer networks must pass through the protective measure.

Only the traffic defined to be legitimate and legal by the security policy may be allowed to pass through the protective measure.

Attempts to violate the security policy must raise an immediate alarm.
 


Basic Security Stance

When a security policy is implemented it is also necessary to decide what the fundamental security attitude in the company should be.

Everything which is not expressly disallowed is permitted.
Most users wish this very liberal attitude to prevail, but from a security point of view it is extremely dangerous and cannot be recommended in case of an Internet connection. This attitude makes it impossible to effectively control data exchange and leaves the door wide open to misuse.

Everything that is not expressly allowed is forbidden.
Hard as this attitude may sound it is only really possible to maintain a defined level of security between the inner and the outer network on this base. This is particularly true when you consider the possible existence of not yet discovered security holes and design weaknesses in the network technologies in use and in future network services.
 


Allocation of Permissions

The allocation of access rights is a fundamental security aspect. Only the access right that a person really needs in order to perform his work efficiently should be granted. In this connection it is important to consider whether a person actually needs access to the Internet in order to be able to perform his job. Company research has shown that people with free Internet access tend to spend progressively more time performing unproductive tasks without relation to their job functions. Typically, tasks such as reading and responding to private email and reading Usenet newsgroups belong in this category.  These types of activities not only cost valuable time but also use valuable resources and storage space on company Computers.
 


Access to Internet Services

The Internet offers many different possibilities in the shape of information services. The best known ones are probably email, FTP (File Transfer Protocol) and (World Wide Web). All these Internet services (including the ones not mentioned here) bring certain security risks and design weaknesses, and offer possibilities for misuse, both internal (company staff) and external ("vile hackers").

In order to obtain good security it is necessary in the security policy to define which of these Internet services should be available to the users in the first place. This is one of the factors that determine how to install the firewall. All the permitted Internet services are allowed to pass through the firewall only after they have been examined and approved. All services which are not permitted in the organisation are stopped at the firewall.
 


Securing Allowed Services

lt can not be assumed that allowed Internet services in themselves are more secure that those not permitted by company policy. Services are permitted or disallowed on the basis of how their use can benefit the company, and for each one it is necessary to evaluate which risks its introduction brings, and at which expenditure of personnel and finance access to the service can be provided in a reasonably secure manner. E.g. it is indispensable to study the known security holes in the permitted services and how to plug these. This knowledge must be kept constantly updated, e.g. by frequently checking the advisories from the Computer Emergency Response Team (CERT) at the Carnegie Mellon University (FTP://cert.org/pub/cert advisories).
 


Developing the Security Policy

When developing the security policy it is necessary to consider various interests in order to attain the desired results. The best corporate security policies fail if the employees disregard them in their daily work. lt is necessary to make very clear policies and to explain the reason for each individual measure. Employees only follow policies that they understand and approve of.

lt is also necessary to consider financial interests. The prescribed security must remain within a business framework and stand in a reasonable relationship to the business and the value of the data that are being secured. lf too much security is required productivity can easily suffer because systems become too complicated to operate and thus can no longer be used profitably. The development of security policies should be carried out by a group including representatives from management, system administration and users. Only a company-wide teamwork can assure that the policies can be implemented in practice and are usable for all groups. This normally means that certain compromises have to be made.
 

When developing a security policy the following points are among those which need to be considered:
 


Allocation of Responsibilities

Responsibilities and data ownership must be clearly defined and allocated to individuals or departments. This serves to give the users clear communication lines in case of problems or misunderstandings. It also serves to counteract this certain responsibility-neutrality which so often can lead to unpleasant mishaps ("But I thought you were doing the backups..."). To these responsibilities belong:
 


 


Flexibility

A security policy must not only be flexible in order to make it possible to work with it as a part of normal work routines but also because the Internet is in a state of constant flux. New services appear, old services are changed. This constantly changes the risk scenario and makes it necessary to regularly re-evaluate the workability of a security policy as well as its ability to cope with new risks. This is an ongoing process. lt is also necessary to evaluate whether new services or changes to existing services collide with the security policy and either change the policy, disallow the service or change countermeasures to counteract the increased risk.
 


Definition of Consequences

The security policy must clearly outline the consequences for staff violating security procedures. The wording of this part of the policy document should not be rigoristic but rather give management the mandate to impose certain sanctions after carefully considering the circumstances of each individual case and the gravity of the transgression.

lt is not advisable to introduce mandatory punishment because this normally turns out to be extremely counterproductive from a security point of view. Fear of severe consequences will often keep an employee from reporting mistakes, e.g. having unintentionally introduced a virus infestation into a computer, thereby delaying the process of limiting the damage and closing security holes. Even worse, an unqualified person may attempt to repair the situation and in fact aggravate it. This is quite frequently seen in case of virus infestations, where users first attempt to remove the virus e.g. by formatting their hard disk, thus destroying valuable data, and subsequently claiming that a computer fault did it...
 


Copyright (C) 09/1997 by Howard Fuhs

 

Fuhs Security Consultants
 
All Rights reserved!
 
 Realisation:
Frank Ziemann
Home Impressum

WebCam
24 Hour Clocks Publications DE Deutsch
Thema 00
Hier finden Sie Information über Dinge, von denen wir jetzt noch nichts verraten wollen.
Thema 01
Hier finden Sie Information über Dinge, von denen wir jetzt noch nichts verraten wollen.
Premium Content
Restricted area. Paying customers only.
News
Company News and Press Informations.
Service
Protect your Assets with our Security Services.
Products
24-hour clocks according to ISO 8601 developed for usage in business, technical and military 24/7 environments.
Lectures
Informations about the worldwide Lecures and Seminars of Howard Fuhs.
Publications
Articles and Manuscripts of Howard Fuhs covering the topic of IT-Security.
Digital Publishing
Publications of Howard Fuhs on CD-ROM.
DEDeutsche Seiten
Hier finden Sie unsere deutschsprachigen Seiten.
Follow this link to our German pages.
      E-Mail
Contact us
via E-Mail
  info@fuhs.de
    Realisation
EDV-Beratung
Frank Ziemann
www.fz-net.com
Content  
Content
Hot Sites
Trade Terms  and Conditions
Hot Sites
Hot Sites (11/1998)
Trade Terms and ...
Trade Terms and Conditions - and Internet Access (05/1998)
Thema C
--not used--
Thema D
--not used--
Thema E
--not used--
Thema F
--not used--