5.6. Summary

This chapter introduced you to the concept of hardening operating systems, network devices, and applications. To secure a network, each of the elements in its environment must be individually evaluated. Remember, your network is no more secure than its weakest link.

Security baselines provide a standardized method for evaluating the security capabilities of particular products. Never consider an operating system or application to be secured unless it has been certified using the EAL standard, which provides seven levels of certification. Common Criteria has replaced TCSEC as the primary security certification. EAL 4 is the level recommended to provide reasonable security for commercial operating systems.

The number of vulnerabilities is rapidly increasing. The increase is partially due to the fact that many systems manufacturers didn't take security issues seriously enough in the past. This attitude is changing, and many of the larger manufacturers now realize the damage that security leaks cause to their users.

The process of making a server or an application resistant to attack is called hardening. One of the major methods of hardening an operating system is to disable any protocols that aren't needed in the system. Keeping systems updated also helps improve security.

The common protocols used in PC-based networks are NetBEUI, IPX/SPX, and TCP/IP. Each of these protocols creates unique security challenges that must be addressed. Unused protocols should be disabled on all devices: Each protocol used increases the potential vulnerability of your environment. ACLs are being implemented in network devices and systems to enable the control of access to systems and users; ACLs allow individual systems, users, or IP addresses to be ignored.

Large-scale networks often use Unix networks and additional protocols, such as NFS. NFS is difficult to secure, and it shouldn't be used in external networks. Additional security is available in this environment if secure VPN connections are used.

The FAT filesystem provides user-level and share-level security. As a result, FAT is largely unsuitable as a filesystem for use in secure environments. NTFS provides security capabilities similar to Unix, and it allows control of individual files using various criteria.

Manufacturers and vendors provide product updates to improve security and to fix errors in the products they support. The three primary methods of upgrading systems are hotfixes, service packs, and patches. Hotfixes are usually meant as temporary fixes to a system until a permanent fix can be found. Microsoft also refers to its bug patches as hotfixes. Service packs usually contain multiple fixes to a system. Patches are used to temporarily fix a program until a permanent fix can be applied. Manufacturers tend to replace entire programs rather than patching or hotfixing systems. When you're installing a patch, make sure you follow the directions to the letter; an improperly installed patch can render a system unusable.

Network devices are becoming increasingly complicated, and they require that updates be applied on a regular basis. The update process is usually accomplished using either a terminal-based or a web-based utility. Intruders are increasingly targeting routers and other devices for attack; make sure they're kept to the current software release.

Application hardening helps ensure that vulnerabilities are minimized. Make sure you run only the applications and services that are needed to support your environment. Attackers can target application protocols. Many of the newer systems offer a rich environment for end users, and each protocol increases your risk.
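
One way to check that only needed services are running, as an added example that is not from the book: the script below parses `ss -tuln` output and reports listeners that fall outside an approved baseline or are bound more widely than the baseline allows. The sample output and the baseline (SSH, HTTPS, and a loopback-only database port) are constructed for illustration.

```python
"""Added example: compare listening sockets with an approved service baseline."""

# Constructed sample in the column layout printed by `ss -tuln`.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      64     0.0.0.0:2049       0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*
tcp   LISTEN 0      511    [::]:443           [::]:*
tcp   LISTEN 0      32     *:21               *:*
"""

# Hypothetical baseline: (protocol, port) -> where the service may listen.
BASELINE = {("tcp", 22): "any", ("tcp", 443): "any", ("tcp", 5432): "loopback"}
LOOPBACK = {"127.0.0.1", "::1"}


def parse_listeners(ss_output):
    """Return (proto, address, port) for every socket line in ss output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] not in ("tcp", "udp"):
            continue  # header or unrelated line
        addr, _, port = fields[4].rpartition(":")
        if port.isdigit():
            # Drop IPv6 brackets and any %interface scope suffix.
            listeners.append((fields[0], addr.strip("[]").split("%")[0], int(port)))
    return listeners


def audit(ss_output, baseline):
    """List sockets that are not in the baseline or are bound too widely."""
    findings = []
    for proto, addr, port in parse_listeners(ss_output):
        scope = baseline.get((proto, port))
        if scope is None:
            findings.append((proto, port, addr, "unapproved"))
        elif scope == "loopback" and addr not in LOOPBACK:
            findings.append((proto, port, addr, "exposed"))
    return sorted(findings)


if __name__ == "__main__":
    for proto, port, addr, reason in audit(SAMPLE_SS, BASELINE):
        print(f"{proto}/{port} on {addr}: {reason}")
```

In the constructed sample, the unapproved listeners are FTP (21), NFS (2049), and the RPC portmapper (111), each of which is a candidate for disabling if the host does not need it.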

Directory services allow information to be shared in a structured manner with large numbers of users. These services must be secure in order to prevent impersonation or embarrassment. The more common directory services used are LDAP, AD, X.500, and eDirectory.

Database technologies are vulnerable to attacks due to the nature of the flexibility they provide. Make sure database servers and applications are kept up-to-date. To provide increased security, many environments have implemented multi-tiered approaches to data access.
