Most small- and medium-size businesses have several
issues to keep in mind when securing their configurations. Some of these
might include the following:
- The organization comprises multiple servers, and many have distinct and independent roles. It is difficult to be consistent and strict enough with a security policy when multiple machines are performing different functions, each with its own security requirements.
- Older operating systems and applications are in use. Older programs and systems often use programming and communication techniques that, although secure enough when they were developed, can be exploited easily by today's automated attacks. It can be problematic to ensure these older platforms are supported correctly and are protected adequately from a constant security threat.
- In some markets and professions, you must deal with legal procedures, protections, and consequences. For instance, in the medical profession, the Health Insurance Portability and Accountability Act (HIPAA) has presented some challenges regarding data privacy and safekeeping that are making life more "interesting" (in the ancient-Chinese-curse sense of the term) for IT personnel. Such legislation and regulation can alter your security policy in specific situations.
- There might be a lack of physical security at the site, which makes moot any computer-based security configurations you plan to make. After all, if someone can make off with your domain controller, all bets are off.
- There might be a lack of security expertise among the technical employees at your company. Constructing and then implementing a security policy is a challenging task that requires patience and knowledge. Lacking these two qualities can make for a painful process.
- There might be threats—internal, external, or even accidental—that could damage your systems or harm the valuable data contained therein. Take a hurricane, for example. What happens when looters grab the backup tape from the regional bank whose walls have collapsed during the storm? What kinds of bad things might those thieves do with that information?
- Finally, and most commonly, there are limited resources—in terms of both money and labor—to implement secure solutions.
Of course, not all of these
conditions apply to all businesses, but it's very likely that each is
an obstacle that most organizations run into.
1. Principles of Server Security
Server security operates on the CIA principle, which is depicted in Figure 1. CIA stands for confidentiality, integrity, and availability. Confidentiality means that access to information is protected and restricted to only those who should have it. Integrity means that information is protected from being tampered with or otherwise modified without prior authorization. Availability means ensuring that the information can be accessed at all times, or at least as often as possible.
Keeping the CIA framework in mind, you can take a number of different security approaches at the server level. One of the most successful methods of preserving confidentiality, integrity, and availability is the layered approach, which both reduces an attacker's chance of success and increases the attacker's risk of detection. The layered approach comprises seven layers, each with its own methods and mechanisms for protection.
Data level: The data level guards against malicious activity performed on the actual data. Protection at the data level includes ACLs and encrypting file systems. Safeguards at this level cover the confidentiality and integrity facets of the CIA triangle.

Application level: Application-level security protects individual programs from attack. Security at this level can include hardening the applications themselves, installing security patches from the vendors, and activating antivirus software and performing regular scans. Safeguards at this level cover the integrity and availability facets of the CIA triangle.

Host level: Protection at the host level secures the computer and its operating system from attack, which nearly eliminates the potential for attack on the data and application levels. Protection at this level includes hardening the operating system itself, managing security patches, authentication, authorization, and accounting, and host-based intrusion detection systems. Safeguards at this level cover the integrity and availability facets of the CIA triangle.

Internal network level: The organization's network is the next level, which protects against intruders entering at the perimeter and sniffing traffic in search of keys that would give them access to the levels above this one. Protection at this level includes segmenting your network into subnets, using IP Security (IPSec), and installing network intrusion detection systems. Safeguards at this level include all facets of the CIA triangle: confidentiality, integrity, and availability.

Perimeter level: The perimeter is where the internal network connects to other external networks, including those of other branches of the same corporation and connections to the Internet. Perimeter-level protections might include firewalls and quarantining virtual private network (VPN) and dial-up access. Safeguards at this level include all facets of the CIA triangle: confidentiality, integrity, and availability.

Physical security level: The physical security level involves protecting the real estate in which the business operates. Guards, locks, and tracking devices all comprise protection at this level. Safeguards at this level cover the confidentiality and integrity facets of the CIA triangle.

Policies, procedures, and awareness level: This level involves educating users about best practices and about acceptable and unacceptable ways of dealing with information technology. Safeguards at this level can include all facets of the CIA triangle: confidentiality, integrity, and availability.
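As an added example that is not from the book, here is a PowerShell check for the data level described above: it walks a folder tree and reports NTFS ACL entries that grant broad groups write, modify, or full-control rights, the kind of grant that undermines the confidentiality and integrity safeguards at that level. The share path and the list of "broad" identities are assumptions to adapt to your environment.

```powershell
# Added example (not the book's code): audit NTFS ACLs under a folder tree
# for write-capable grants to broad groups. Path and group names are assumed.
param(
    [string]$Root = 'D:\Shares\Finance'   # assumed share path
)

# Identities that normally should not hold write/modify rights on business data.
$BroadIdentities = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users'
)

# Any of these bits in an Allow ACE lets the holder change data.
$WriteRights = [System.Security.AccessControl.FileSystemRights]::Write -bor `
               [System.Security.AccessControl.FileSystemRights]::Modify -bor `
               [System.Security.AccessControl.FileSystemRights]::FullControl

function Get-BroadWriteGrants {
    param([string]$Path)

    # Include the root folder itself plus every subfolder beneath it.
    $folders = @(Get-Item -LiteralPath $Path) +
               @(Get-ChildItem -LiteralPath $Path -Recurse -Directory)

    foreach ($folder in $folders) {
        $acl = Get-Acl -LiteralPath $folder.FullName
        foreach ($ace in $acl.Access) {
            if ($ace.AccessControlType -ne 'Allow') { continue }
            $identity = $ace.IdentityReference.Value
            if ($BroadIdentities -notcontains $identity) { continue }
            if (($ace.FileSystemRights -band $WriteRights) -eq 0) { continue }

            # Report the offending entry; inherited entries point at a parent
            # folder whose ACL is the real place to fix the grant.
            [pscustomobject]@{
                Path      = $folder.FullName
                Identity  = $identity
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

Get-BroadWriteGrants -Path $Root | Format-Table -AutoSize
```

Run it as an account with at least read access to the tree's security descriptors; an empty table means no broad group can modify data under the root.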