Concepts: Chapter 9

Chapter 9 is about network concepts. It begins with some basic ideas
about types of networks based on their geographic size. The designations
below can overlap, and they are only rough designations, not true measures.
On page 193, the text splits resources into two groups, but uses a limited view of the second one.
The text informs us that the point of security controls on a network is to protect the remote resources that are part of the network. However, there are several points that overlap in the list of important controls on page 193. Some are listed below.
The text continues with the idea that having a network itself is a risk.
It exists to share resources, and security exists to control, allow, and
prevent that sharing. The text goes on to consider some aspects of historical
and current network technologies. Four physical
media types are listed on page 196, and six wireless
protocols are listed on page 197. Devices that are commonly found on networks
are discussed on pages 198 through 202. Starting on page 202, the text
reviews the OSI network reference model,
HTTP, and TCP/IP.
More common network protocols
are listed on pages 205 and 206. Several of the listed protocols are used
for secure transmission of data. You should browse through this material in case any of it is not familiar to you. If you have any questions about it, please bring them up in class or in an email to me. On page 207, the text begins some advice about services, the programs we run on a server that justify its existence. There is an insight in the introductory paragraph that is worth noting. Services are programs, and they watch traffic sent to ports or memory addresses for business that concerns them. The text points out that they are programs, and are as prone to error and failures most other programs. Yes, Virginia, there is a Santa Claus, but he's not perfect. The administrator has to help out.
The text offers some advice about wireless configuration on page 210. The suggestions are pretty elementary.
The text concludes the chapter with advice about using authentication and authorization, and about updating your virus protection. No news there. It hints that we can do something with firewalls, but that is beyond the scope of this chapter.

Chapter 10

Chapter 10 seems very lightweight. The summary is one paragraph and it holds no details. Turning to the contents of the chapter, it is nice that the author introduces you to the Deming Cycle, one of the many lessons taught by Dr. William Edwards "Ed" Deming, a founding figure of the quality-improvement movement. Plan-Do-Check-Act is a profound attitude change for people who have never heard of it. It says that a good idea must be examined in place, so you can judge whether it is still a good idea in the situation where you have applied it. Dr. Deming's Plan-Do-Check-Act cycle (which he himself credited to Walter Shewhart) is not the only lesson he taught. He wrote a lesson called 14 Points for Management that tells us how to run a business so that everyone in it becomes part of its success. Read that lesson, and you will probably see that everything you have ever seen work in a business has used some of his principles. The video below presents an additional insight into Dr. Deming's theories: the idea that your four-phase cycle diagram probably does not describe the whole truth. I think he knew that before he taught us PDCA. He just had to get our attention first, then he could teach the next part of the lesson. The idea of looking for other variables, and for relationships and dependencies between causes and effects, leads to better troubleshooting, whether that troubleshooting relates to our jobs, our games, or our lives. The text gives us a series of lists that may be of use to you:
Page 227 begins a discussion of firewalls, telling us about the Windows Firewall with Advanced Security snap-in for MMC. The link in the previous sentence will take you to a Microsoft document about shutting off the Windows Firewall, which is not recommended by Microsoft, but is recognized as an infrequent necessity. The text provides only one page about settings in the firewall. This article provides a better walkthrough of setting a rule that can be applied to the three profiles the firewall recognizes (domain, private, and public). By the way, the resources on that website, rootusers.com, might provide you with some insights and tools you don't have yet.

Page 229 has a brief introduction to Performance Monitor, which can look at performance logs and the current performance of your server or workstation. It is recommended that you use it regularly. This article on makeuseof.com gives you a better introduction and walks you through using the application.

The text offers some material on backups and restores, but this one is really hard to do unless you have some media to make the backup on and have high confidence that your restoration will work. As such, it is recommended that you work through the lab on this subject on the Jones and Bartlett web site.

Page 233 discusses Group Policy administration. Be aware that Group Policy objects in AD can manage any domain-joined computer or user anywhere on your network, unless you are in the awkward situation of having multiple untrusted Active Directory forests in your environment.

Page 235 begins a short section on access rights granted through Discretionary Access Control Lists. Every securable object in a Windows system (files, folders, registry keys, and so on) has such a list, in which you can add users and groups and configure specific rights for them. EFS and BitLocker are reviewed on pages 237 and 238. All of this was discussed back in chapter 4.

On page 240, the text briefly discusses due diligence. You may need to know a bit more about it. A previous text discussed a company having to adopt a security standard, perhaps to meet a contract or legal obligation.
By doing this, the company can argue in court that it adopted a security standard that shows due care. This is a defensible legal position, and one that a company following reasonable precautions would take. A related concept is that the maintenance of such security standards must be pursued, or the company can still be found at fault. Maintaining such a standard can be called performing due diligence. That phrase is often used in common business discussions to mean that a company is conducting an investigation of some sort. The meaning is different here, although it should be expected that one would have to investigate and inspect a system in order to maintain it properly. You may wonder why a text would be telling us about pursuing a goal that does not sound like very good protection. Remember that organizations often must make decisions that are based on less than optimal funding. As such, you should still take care to make a choice that provides the best protection you can reasonably obtain, and that still proves that you showed due care and due diligence.

Moving on from a set of standards that are merely adequate, the text
discusses recommended practices
and best practices. We should
remember while reading this discussion that "best" is a relative term
that can only be applied to something until something better comes
along. With that understood, this link will lead you to the Federal
Agency Security Practices page on the NIST web site. A quick
look at some of the documents on that site will show you that most are
several years old, which may indicate that new best practices take a while
to develop. They are, however, best practices that have been used by reasonable
people.
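The two Chapter 10 topics the text treats most thinly, a firewall rule that covers all three profiles and a DACL that grants rights to a specific group rather than to everyone, as one added PowerShell example. This is not code from the textbook or from the linked articles. It assumes Windows 10 / Server 2016 or later (PowerShell 5 and the built-in NetSecurity module) and an elevated session; the rule name, port, folder path and group are illustrative assumptions.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the textbook. Assumes Windows 10/Server 2016+ with PowerShell 5.
# Rule name, port, folder and group below are assumptions for illustration only.

# --- Firewall: one inbound rule, bound to all three profiles -------------------------
$RuleName = 'Allow Inbound Service 8443'   # assumed display name
$Port     = 8443                           # assumed port the service listens on

if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $RuleName `
        -Direction Inbound -Action Allow -Enabled True `
        -Protocol TCP -LocalPort $Port `
        -Profile Domain,Private,Public `
        -RemoteAddress LocalSubnet | Out-Null   # scope to the local subnet, not Any
}

# Read back what was written. The port and the address scope live in separate
# filter objects, so a rule that "looks right" in the list still needs this check.
$rule = Get-NetFirewallRule -DisplayName $RuleName
[PSCustomObject]@{
    Rule     = $rule.DisplayName
    Enabled  = $rule.Enabled
    Profiles = $rule.Profile
    Port     = ($rule | Get-NetFirewallPortFilter).LocalPort
    Remote   = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
} | Format-List

# --- DACL: review a folder's ACL, then replace broad entries with a specific grant ----
$Folder       = 'C:\ServiceData'           # assumed folder the service writes to
$ServiceGroup = 'BUILTIN\Administrators'   # assumed; use the service's own group in practice
$BroadGroups  = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'

if (-not (Test-Path -LiteralPath $Folder)) {
    New-Item -ItemType Directory -Path $Folder | Out-Null
}

# Every ACE as it stands: identity, rights, allow/deny, and whether it is inherited.
(Get-Acl -LiteralPath $Folder).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType, IsInherited |
    Format-Table -AutoSize

# Inherited ACEs cannot be removed directly. Break inheritance while keeping copies,
# write that back, then re-read so the copies are explicit and editable.
$acl = Get-Acl -LiteralPath $Folder
$acl.SetAccessRuleProtection($true, $true)   # (isProtected, preserveInheritance)
Set-Acl -LiteralPath $Folder -AclObject $acl

$acl = Get-Acl -LiteralPath $Folder
foreach ($ace in @($acl.Access)) {
    if ($ace.IdentityReference.Value -in $BroadGroups) {
        $null = $acl.RemoveAccessRuleAll($ace)   # drop every right held by that identity
    }
}
$grant = [System.Security.AccessControl.FileSystemAccessRule]::new(
    $ServiceGroup, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($grant)
Set-Acl -LiteralPath $Folder -AclObject $acl

# Confirm: none of the broad groups should remain on the folder.
(Get-Acl -LiteralPath $Folder).Access |
    Where-Object { $_.IdentityReference.Value -in $BroadGroups }   # expect no output
```

Two points worth carrying away: a firewall rule with no address scope is open to the whole world on the public profile, so the verification step matters as much as the creation step; and on a DACL, breaking inheritance is the step people skip, which is why the "Users: Modify" entry inherited from the parent volume so often survives a hardening pass.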