MULTIPLE USER NETWORK ADMINISTRATION SECURITY
This report explores the industry standard concepts and best practices including:
Authentication is the ability to verify the identity of a user, host or system process.
Access control determines who, when and what is allowed to access an operating system or network.
Encryption is the use of mechanisms to scramble information in order to prevent electronic eavesdropping or data tampering.
Preserving data confidentiality involves the use of encryption to ensure that confidential data remains secret.
Data integrity is about the use of encryption and other mechanisms to ensure that unauthorised persons have not interfered with data during transmission.
Auditing involves keeping track of when and by whom data has been accessed.
Non-repudiation is the ability to prove that a transaction has in fact occurred.
Security Documents and Organisations
There are a number of security standards and standards organisations. For example, the National Institute of Standards and Technology (NIST), which was sponsored by the US Department of Defense (DOD), created the Trusted Computer System Evaluation Criteria (TCSEC), also known as the Orange Book. The Orange Book, which is still widely used by security professionals, rates the security protection offered by operating systems on a scale from A, the most secure, to D, the least secure. The most common rating is C-2. Unix, Windows NT and Novell NetWare are all C-2 compliant. Note that an Orange Book rating applies to an operating system configured to run on a given platform. This means that just because an installation of NT is C-2 compliant on vendor A's server, it need not be C-2 compliant when installed on vendor B's server.
Additional standards include the International Standards Organisation (ISO) 7498-2 and the British Standards BS 7799 (1995 and 1999). The ISO seven-layer model can be used to help describe how specific implementations such as firewalls operate. Of particular interest are the Application, Transport and Network layers of the model.
The Computer Emergency Response Team (CERT) at www.cert.org is a vendor-neutral organisation dedicated to helping computer users maintain security.
The rest of this chapter is devoted to looking in more detail at the seven aspects of Internet security listed in the introductory paragraph.
Authentication is the ability to verify the identity of a particular person, network host or system process. According to standards such as the Orange Book and ISO 7498-2, you can authenticate in the following ways:
What you know
What you have
What you are
Where you are
The most common example of "what you know" is a password. You frequently...