The final section for domain 6.0 will focus on network security, which in many ways is the most important. The ability to control the transmission of information and access to remote resources should be the front line of a defensive security strategy.
In the previous Operating System Security section, we discussed software firewalls a little bit, specifically Windows Firewall. Windows Firewall protects an individual computer from unwanted traffic, but what if we want to block unwanted traffic to an entire network? Windows Firewall can't help us there because it is a host-based, or personal, firewall, as are most software firewalls. When it comes to network firewalls in a corporate setting, we are usually referring to hardware firewalls such as the one pictured to the right.
You should note that many network appliances are combo devices and can perform more than one function (e.g. a router with a built-in firewall). When applicable, using hardware firewalls in conjunction with personal software firewalls offers the strongest security.
While firewalls prevent unwanted traffic and attacks from occurring on individual computers, they can't do anything to protect data as it travels between them. Hackers can monitor and intercept traffic over a network (e.g. the internet) and gain access to the information being transmitted. The best defense against this is to encrypt the data. Encryption is the conversion of data into a form, called ciphertext, that cannot be easily decoded by unauthorized people. Decryption is the process of converting encrypted data back into its original form, so it can be understood by the intended recipient.
Not only are there different types of encryption, there is also a variety of occasions when it is used. Some encryption is for network traffic, some is for authentication, and others for applications. Let's look at some of the more common types of encryption and what they are used for.
IPSec - This is a framework of open standards for securing data communications over the Internet. Since the Internet protocol has no data security built-in, both application and user data are sent in clear text. This enables others to view or even modify data as it travels the Internet. For example, passwords are sent in the open and can be seen and used to compromise a system. IPSec encrypts this data, making it unreadable to others if intercepted. Windows 2000 and newer operating systems provide support for IPSec.
SSL - SSL is a protocol developed by Netscape used to secure applications. It is most commonly used for e-commerce applications, such as creating secure HTTP pages (HTTPS) that protect confidential information such as credit card numbers during online purchases. SSL uses the public- and private-key encryption system, which includes the use of a digital certificate.
SSH - Stands for Secure Shell and is an application and network protocol used to remotely access a computer, log in, and execute commands on it. It is very similar to Telnet, but is better because it provides secure encrypted communications while Telnet has been found to be exploitable and insecure. SSH uses public-key cryptography to authenticate the remote computer.
MS-CHAP - Challenge Handshake Authentication Protocol is an authentication scheme used by Point to Point Protocol (PPP) servers to validate the identity of remote clients. MS-CHAP is Microsoft's version of this protocol. There are other types of authentication protocols you may need to be familiar with including PAP and EAP.
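For the SSH entry above, the following added example (not part of the original guide) shows the check a client makes when a server presents its public host key: the key is compared with the one recorded for that host, and a mismatch is treated as a warning sign. The host names, key bytes and helper names are constructed for illustration, and only plain (unhashed) known_hosts lines are handled.

```python
import base64
import hashlib
import struct

def fingerprint(key_b64):
    """SHA256 fingerprint of a base64 public-key blob, in the form OpenSSH prints."""
    digest = hashlib.sha256(base64.b64decode(key_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")

def parse_known_hosts(text):
    """Map host name -> (key type, base64 key) from plain 'hosts type key' lines."""
    pinned = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 3 or line.lstrip().startswith("#"):
            continue  # blank line, comment or malformed entry
        for host in fields[0].split(","):
            pinned[host] = (fields[1], fields[2])
    return pinned

def check_host_key(pinned, host, key_type, key_b64):
    """Compare the key a server presents with the one recorded for that host."""
    if host not in pinned:
        return "unknown"   # first contact: confirm the fingerprint out of band
    if pinned[host] == (key_type, key_b64):
        return "match"
    return "changed"       # interception or a re-keyed server: stop and investigate

def make_ed25519_blob(raw32):
    """Build a constructed ssh-ed25519 blob: length-prefixed type name + key bytes."""
    name = b"ssh-ed25519"
    blob = struct.pack(">I", len(name)) + name + struct.pack(">I", len(raw32)) + raw32
    return base64.b64encode(blob).decode()

# Constructed sample data: two made-up keys and a one-line known_hosts file.
SERVER_KEY = make_ed25519_blob(bytes(range(32)))
OTHER_KEY = make_ed25519_blob(bytes(range(1, 33)))
KNOWN_HOSTS = f"files.example.internal,192.0.2.10 ssh-ed25519 {SERVER_KEY}\n"
```

Encryption alone does not tell you who is on the other end; the "changed" result is the case where the session would be encrypted to a machine other than the one previously trusted.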
In the Operating System Security section we briefly discussed local user accounts. In a Microsoft network environment, there are also domain user accounts. When these are used, you are actually authenticating with the server(s) when you log in. The domain administrator determines what your level of access to the various resources on the network will be, typically by placing you in a group with others who will have the same level of access as you. So while your local user account determines your permissions on the local computer, your domain user account will determine your ability to access other computers via network shares. Once you access a share, your permission levels will determine what abilities you have for interacting with the files and folders on that share. In addition to accessing other computers, your domain user account also determines your abilities in using other network resources such as network printers.
It was mentioned somewhere in the security section of this guide that Windows allows you to change security policies on a local computer. This is different from permissions, and I typically refer to these settings as rights. These policies allow you to do things like prevent the user from installing programs on their computer, changing the system time, or even turning the computer off. If you have hundreds or even thousands of computers on a network, setting these policies on each individual computer would be a nightmare. In a domain environment with Active Directory, you can set Group Policies which apply the settings that you desire to groups of users (and individuals if necessary). So if we don't want anyone in the accounting group to be able to install any programs on their computers, we can set this using group policy on the server rather than visiting each of their computers and setting it up.
Wireless networks and connections have introduced a whole new lot of security concerns. By default, a wireless connection will allow people from the outside world to easily connect to your wireless network, which is a huge security concern. Below are some tips for securing a wireless network:
First, change the default username and password for your access point.
Set up encryption for your wireless network. WPA2 is currently the best option followed by WPA and WEP. When choosing the key, make it something that cannot easily be guessed just like you would a password.
Change the WAP's default SSID and disable the SSID broadcast.
Use MAC filtering to only allow connections from desired computers. You must get the MAC address of each computer that you wish to allow to connect. All others will not be able to connect.
If the WAP has a firewall built in, consider using it.
It is sometimes recommended to disable DHCP and use static IP addresses. This forces outsiders to guess what IP range and other IP settings you are using in order to connect rather than connecting automatically.
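The checklist above can be turned into an automated audit. The following added example (not from the original guide) checks an access-point configuration against each tip and shows a factory-default unit beside a hardened one. The configuration keys, the default login and SSID lists, and the 12-character key threshold are assumptions made for the sketch.

```python
import re

ENCRYPTION_RANK = {"NONE": 0, "WEP": 1, "WPA": 2, "WPA2": 3}  # checklist ordering
# Constructed sample values; a real audit would use the vendor's documented defaults.
DEFAULT_LOGINS = {("admin", "admin"), ("admin", "password")}
DEFAULT_SSIDS = {"linksys", "netgear", "default"}
MIN_KEY_LENGTH = 12  # assumed threshold for "cannot easily be guessed"

def normalize_mac(mac):
    """Reduce 00-1A-2B-3C-4D-5E, 00:1a:2b:3c:4d:5e or 001a.2b3c.4d5e to one form."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return digits

def client_allowed(cfg, mac):
    """MAC filtering: when the filter is on, only listed adapters may connect."""
    return (not cfg["mac_filter"]
            or normalize_mac(mac) in {normalize_mac(m) for m in cfg["allowed_macs"]})

def audit_access_point(cfg):
    """Return the names of the checklist items this configuration fails."""
    rank = ENCRYPTION_RANK.get(cfg["encryption"].upper(), 0)
    key, ssid = cfg["key"], cfg["ssid"].lower()
    checks = [
        ("default admin login", (cfg["admin_user"], cfg["admin_password"]) in DEFAULT_LOGINS),
        ("encryption weaker than WPA2", rank < ENCRYPTION_RANK["WPA2"]),
        ("guessable key", rank > 0 and (len(key) < MIN_KEY_LENGTH or ssid in key.lower())),
        ("default SSID", ssid in DEFAULT_SSIDS),
        ("SSID broadcast enabled", cfg["ssid_broadcast"]),
        ("MAC filtering off", not cfg["mac_filter"] or not cfg["allowed_macs"]),
        ("built-in firewall off", cfg["has_firewall"] and not cfg["firewall_enabled"]),
        ("DHCP enabled (optional item)", cfg["dhcp_enabled"]),
    ]
    return [name for name, failed in checks if failed]

# Constructed sample configurations: a factory-default unit and a hardened one.
FACTORY = dict(admin_user="admin", admin_password="admin", encryption="WEP",
               key="linksys123", ssid="linksys", ssid_broadcast=True, mac_filter=False,
               allowed_macs=[], has_firewall=True, firewall_enabled=False, dhcp_enabled=True)
HARDENED = dict(FACTORY, admin_user="netops", admin_password="constructed-Admin-pass-41",
                encryption="WPA2", key="t4Vq-9mLz-Kp2x-Rb7n", ssid="warehouse-7",
                ssid_broadcast=False, mac_filter=True, allowed_macs=["00-1A-2B-3C-4D-5E"],
                firewall_enabled=True, dhcp_enabled=False)
```

MAC addresses are normalized before comparison because the same adapter may be written with dashes, colons or dots depending on where the address was copied from.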