The 60 Minute Network Security Guide

Home > Network and Security, Operating System > The 60 Minute Network Security Guide

May 27th, 2009

During the last seven years the National Security Agency’s Systems and Network Attack Center has released Security Guides for operating systems, applications, and network components that operate in the larger IT network. These security guides can be found on our web site at http://www.nsa.gov/snac. Many organizations across the Department of Defense have used these documents in the development of new networks and in securing existing IT infrastructures. This Security Guide addresses security a bit differently. Instead of focusing on a single product or component it covers a wide range of network elements with the notion of providing a terse presentation of those most critical steps that should be taken to secure a network. While intentionally not as complete as the totality of our other guides, our goal is to make system owners and operators aware of key actions that are especially useful as “force multipliers” in the effort to secure their IT network.

Security of the IT infrastructure is a complicated subject, usually addressed by experienced security professionals. However, as organizations increase their dependence on IT, a greater number of people need to understand the fundamentals of security in a networked world. This Security Guide was written with the less experienced System Administrator and Information Systems Manager in mind, to help them understand and deal with the risks they face.
Opportunistic attackers routinely exploit the security vulnerabilities addressed in this document. Information Systems Managers and System Administrators perform risk management as a counter against the multitude of threats and vulnerabilities present across the IT infrastructure. The task is daunting when considering all of their responsibilities. Security scanners can help identify thousands of vulnerabilities, but their output can quickly overwhelm the IT team’s ability to effectively use the information to protect the network. This Security Guide was written to help with that problem by offering a focused presentation reflecting the experience gained via our research and our operational understanding of the DoD and other US Government IT infrastructures. It is intended that one can read this “60 Minute Network Security Guide” in around an hour.
This Security Guide should not be misconstrued as containing anything other than recommended security “best practices” and as such must be considered in the context of an organization’s security policies. We hope that this document will equip the reader with a wider perspective on security in general and a better understanding of how to reduce and manage network security risk.

Security Policy
(This section is an abstract of the security policy section of RFC 2196, Site Security Handbook. Refer to this RFC [10] for further details.)
A security policy is a formal statement of the rules that people who are given access to an organization’s technology and information assets must abide. The policy communicates the security goals to all of the users, the administrators, and the managers. The goals will be largely determined by the following key tradeoffs: services offered versus security provided, ease of use versus security, and cost of security versus risk of loss.
The main purpose of a security policy is to inform the users, the administrators and the managers of their obligatory requirements for protecting technology and information assets. The policy should specify the mechanisms through which these requirements can be met. Another purpose is to provide a baseline from which to acquire, configure and audit computer systems and networks for compliance with the policy. In order for a security policy to be appropriate and effective, it needs to have the acceptance and support of all levels of employees within the organization.
…

Website: www.cs.unibo.it | Filesize: 818kb
No of Page(s): 48
Click to download The 60 Minute Network Security Guide