Monday, July 19, 2010

Secure Network Devices

It's important to remember that the firewall is only one entry point to your network. Modems, if you allow them to answer incoming calls, can provide an easy means for an attacker to sneak around (rather than through) your front door, the firewall. Just as castles weren't built with moats only in the front, your network needs to be protected at all of its entry points.

Secure Modems; Dial-Back Systems

If modem access is to be provided, it should be guarded carefully. The terminal server, or whatever network device provides dial-up access to your network, needs to be actively administered, and its logs need to be examined for strange behavior. Its passwords need to be strong, not ones that can be guessed. Accounts that aren't actively used should be disabled. In short, a dial-in port is the easiest way into your network from outside: guard it carefully.

Some remote access systems have the feature of a two-part procedure to establish a connection. The first part is the remote user dialing into the system and providing the correct userid and password. The system then drops the connection and calls the authenticated user back at a known telephone number. Once the remote user's system answers that call, the connection is established, and the user is on the network. This works well for folks working at home, but can be problematic for users wishing to dial in from hotel rooms and such when on business trips. It also trusts the telephone network to deliver the return call to the right place: if call forwarding can be set up on the known number, the dial-back lands with the attacker.

Other possibilities include one-time password schemes, where the user enters his userid and is presented with a ``challenge,'' a string of between six and eight digits. He types this challenge into a small device that he carries with him that looks like a calculator. He then presses enter, and a ``response'' is displayed on the LCD screen. The user types the response, and if all is correct, the login will proceed. Because each challenge is used once, a response captured on the line is worthless afterwards. These are useful devices for solving the problem of good passwords without requiring dial-back access. However, they have their own problems, as they require the user to carry them, and they must be tracked, much like building and office keys.
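The challenge-response exchange above, worked through as an added example (this is not the page's text and not any vendor's product). The scheme it assumes: the hand-held token and the terminal server share a secret; the server sends an 8-digit decimal challenge; the token answers with HMAC-SHA256(secret, challenge) reduced to 8 decimal digits. Real tokens use their vendor's or a standardized function, but the structure, and the checks the server must make (one attempt per challenge, a time limit, no reuse, constant-time comparison), are the same. User names, secrets and timings are constructed for the demo.

```python
"""Challenge-response one-time password for a dial-in server (added example)."""
import hashlib
import hmac
import secrets


def token_response(secret: bytes, challenge: str) -> str:
    """What the calculator-like token computes from the typed-in challenge.

    Assumed function: HMAC-SHA256 of the challenge, reduced to 8 digits.
    """
    mac = hmac.new(secret, challenge.encode("ascii"), hashlib.sha256).digest()
    value = int.from_bytes(mac[:4], "big") & 0x7FFFFFFF   # positive 31-bit int
    return f"{value % 10**8:08d}"


class ChallengeResponseServer:
    """Terminal-server side: issues challenges and verifies the responses."""

    def __init__(self, secrets_by_user: dict, ttl_seconds: float = 60.0):
        self._secrets = secrets_by_user
        self._ttl = ttl_seconds
        self._pending = {}   # user -> (challenge, issued_at)
        self._used = set()   # (user, challenge) pairs that already logged in

    def issue_challenge(self, user: str, now: float) -> str:
        # Issue a challenge even for unknown users so the prompt does not
        # reveal which account names exist; verify() rejects them later.
        challenge = f"{secrets.randbelow(10**8):08d}"
        self._pending[user] = (challenge, now)
        return challenge

    def verify(self, user: str, response: str, now: float) -> bool:
        pending = self._pending.pop(user, None)   # one attempt per challenge
        if pending is None:
            return False
        challenge, issued_at = pending
        if now - issued_at > self._ttl:
            return False                          # stale: dial in again
        if (user, challenge) in self._used:
            return False                          # recorded exchange replayed
        secret = self._secrets.get(user)
        if secret is None:
            return False
        expected = token_response(secret, challenge)
        ok = hmac.compare_digest(expected, response)  # no timing leak
        if ok:
            self._used.add((user, challenge))
        return ok


def demo() -> dict:
    """A good login, a replayed response, a stale challenge, a bad response."""
    secret = secrets.token_bytes(20)              # constructed token secret
    server = ChallengeResponseServer({"alice": secret}, ttl_seconds=60.0)
    t0 = 1_000_000.0                              # constructed clock

    ch = server.issue_challenge("alice", t0)
    good = server.verify("alice", token_response(secret, ch), t0 + 5)
    # Replaying the same response: no pending challenge, so it fails.
    replay = server.verify("alice", token_response(secret, ch), t0 + 6)

    ch = server.issue_challenge("alice", t0)
    stale = server.verify("alice", token_response(secret, ch), t0 + 120)

    ch = server.issue_challenge("alice", t0)
    right = token_response(secret, ch)
    wrong = ("1" if right[0] == "0" else "0") + right[1:]   # flip one digit
    bad = server.verify("alice", wrong, t0 + 1)

    ch = server.issue_challenge("mallory", t0)    # account does not exist
    unknown = server.verify("mallory", token_response(secret, ch), t0 + 1)

    return {"good": good, "replay": replay, "stale": stale,
            "bad_response": bad, "unknown_user": unknown}


if __name__ == "__main__":
    print(demo())
```

The `_used` set is what stops an eavesdropper who recorded one exchange from waiting for the same 8-digit challenge to come up again; popping the pending challenge on the first attempt is what stops plain guessing against a single challenge.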

No doubt many other schemes exist. Take a look at your options, and find out how what the vendors offer will help you enforce your security policy effectively.

Crypto-Capable Routers

A feature that is being built into some routers is the ability to use session encryption between specified routers. Because traffic traveling across the Internet can be seen by people in the middle who have the resources (and time) to snoop, this is advantageous for providing connectivity between two sites: traffic between the two routers is encrypted in transit, so there can be secure routes between them. Note that the protection covers the link between the routers only; traffic is in the clear on either side of them.

Virtual Private Networks

Given the ubiquity of the Internet, and the considerable expense in private leased lines, many organizations have been building VPNs (Virtual Private Networks). Traditionally, for an organization to provide connectivity between a main office and a satellite one, an expensive data line had to be leased in order to provide direct connectivity between the two offices. Now, a solution that is often more economical is to provide both offices connectivity to the Internet. Then, using the Internet as the medium, the two offices can communicate.

The danger in doing this, of course, is that there is no privacy on this channel, and it's difficult to provide the other office access to ``internal'' resources without providing those resources to everyone on the Internet.

VPNs provide the ability for two offices to communicate with each other in such a way that it looks like they're directly connected over a private leased line. The session between them, although going over the Internet, is private (because the link is encrypted), and the link is convenient, because each can see the other's internal resources without showing them off to the entire world.

A number of firewall vendors are including the ability to build VPNs in their offerings, either directly with their base product or as an add-on. If you need to connect several offices together, this might very well be the best way to do it. Keep in mind that a VPN extends your network perimeter to include the other office: a machine compromised there is a machine on your network.

Conclusions

Security is a very difficult topic. Everyone has a different idea of what ``security'' is, and what levels of risk are acceptable. The key for building a secure network is to define what security means to your organization. Once that has been defined, everything that goes on with the network can be evaluated with respect to that policy. Projects and systems can then be broken down into their components, and it becomes much simpler to decide whether what is proposed will conflict with your security policies and practices.

Many people pay great amounts of lip service to security, but do not want to be bothered with it when it gets in their way. It's important to build systems and networks in such a way that the user is not constantly reminded of the security system around him. Users who find security policies and systems too restrictive will find ways around them. It's important to get their feedback to understand what can be improved, and it's important to let them know why what's been done has been, the sorts of risks that are deemed unacceptable, and what has been done to minimize the organization's exposure to them.

Security is everybody's business, and only with everyone's cooperation, an intelligent policy, and consistent practices, will it be achievable.

Saturday, January 16, 2010

DATA ENCRYPTION

Data encryption is a process in which plaintext data is converted into ciphertext so that it cannot be read. More generally known as “encryption,” this process can be accomplished in a wide variety of ways, and with varying degrees of success. Some of the best data encryption can be expected to resist attack for the foreseeable future, while other types of encryption can be broken in minutes or even seconds by people who are skilled at such tasks. In the digital age, people rely heavily on data encryption on a daily basis. Chances are high that you have received or sent encrypted data at some point today, even if you did not directly perform the encryption or decryption of the data.

In this process, a perfectly ordinary piece of plaintext which can be read by anyone is converted so that it can only be read by someone with a key. One of the simplest forms of data encryption is a simple alphabetic substitution, in which the letters of the alphabet are scrambled to create a key. One could decide, for example, to shift the letters of the alphabet by four places so that “E” stands for “A,” “F” for “B” and so forth for a simple key, or the letters could be assigned at random to make a piece of text more difficult to decipher without the key.

An alphabetic substitution is usually fairly easy to break, because the letter frequencies of the language show through the substitution; in fact, many major newspapers have a simple substitution on their puzzles page for people to solve. More complex methods of data encryption can be used to make a code more challenging to break. With complex codes, people can try to use brute force to crack the encryption, trying every possible key, and they may eventually succeed, but with a large enough key space it will take far too long to matter. Many methods of encryption focus on keeping the key secret while allowing the encrypted data, and even the algorithm itself, to be freely seen (Kerckhoffs's principle), under the argument that once encrypted, the data is harmless as long as people cannot obtain the key.
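The two substitutions just described, and the reason the first is easy to break, as an added example (not code from the original page). It implements the Caesar shift (a shift of four maps A to E), a substitution with a randomly scrambled alphabet, and an automatic attack on the Caesar variant: try all 26 shifts and keep the one whose output looks most like English by letter frequency (a chi-squared score). The frequency table is the usual approximate one for English prose; the sample message and the seed for the random key are constructed here.

```python
"""Alphabetic substitution and a frequency-analysis break (added example)."""
import random
import string

ALPHABET = string.ascii_uppercase

# Approximate letter frequencies in English prose, in percent.
ENGLISH_FREQ = {
    "A": 8.2, "B": 1.5, "C": 2.8, "D": 4.3, "E": 12.7, "F": 2.2, "G": 2.0,
    "H": 6.1, "I": 7.0, "J": 0.15, "K": 0.77, "L": 4.0, "M": 2.4, "N": 6.7,
    "O": 7.5, "P": 1.9, "Q": 0.095, "R": 6.0, "S": 6.3, "T": 9.1, "U": 2.8,
    "V": 0.98, "W": 2.4, "X": 0.15, "Y": 2.0, "Z": 0.074,
}


def caesar_key(shift: int) -> str:
    """Cipher alphabet for a shift: shift 4 gives 'EFGH...ZABCD'."""
    shift %= 26
    return ALPHABET[shift:] + ALPHABET[:shift]


def random_key(rng: random.Random) -> str:
    """Cipher alphabet with the letters assigned at random."""
    letters = list(ALPHABET)
    rng.shuffle(letters)
    return "".join(letters)


def substitute(text: str, key: str) -> str:
    """Encrypt: the i-th letter of the alphabet becomes key[i]; other characters pass through."""
    return text.upper().translate(str.maketrans(ALPHABET, key))


def unsubstitute(text: str, key: str) -> str:
    """Decrypt with the same key."""
    return text.translate(str.maketrans(key, ALPHABET))


def chi_squared(text: str) -> float:
    """Distance between the text's letter histogram and English; lower is more English-like."""
    letters = [c for c in text if c in ALPHABET]
    n = len(letters)
    if n == 0:
        return float("inf")
    score = 0.0
    for letter in ALPHABET:
        expected = ENGLISH_FREQ[letter] / 100.0 * n
        score += (letters.count(letter) - expected) ** 2 / expected
    return score


def break_caesar(ciphertext: str) -> int:
    """Recover the shift without the key: the most English-looking of 26 guesses wins."""
    return min(range(26),
               key=lambda s: chi_squared(unsubstitute(ciphertext, caesar_key(s))))


def demo() -> dict:
    # Constructed sample message; long enough for the letter histogram to be telling.
    message = ("MEET ME AT THE OLD MILL AT MIDNIGHT AND BRING THE DOCUMENTS "
               "THE GUARD CHANGES AT TWELVE SO WE HAVE A FEW MINUTES TO CROSS THE YARD")
    caesar_ct = substitute(message, caesar_key(4))
    shift = break_caesar(caesar_ct)            # the attacker sees only caesar_ct
    key = random_key(random.Random(2010))      # constructed seed for reproducibility
    random_ct = substitute(message, key)
    return {"caesar_ciphertext": caesar_ct, "recovered_shift": shift,
            "recovered_text": unsubstitute(caesar_ct, caesar_key(shift)),
            "random_key_roundtrip": unsubstitute(random_ct, key) == message}


if __name__ == "__main__":
    print(demo())
```

The random-alphabet key has 26! possibilities, so trying them all is out of the question, yet the same histogram still gives the attacker a start (the most frequent ciphertext letter is almost certainly E); a larger key space alone does not rescue a cipher that leaks the plaintext's statistics.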

There are a number of reasons to need to encrypt data, most of which rely on shielding data from the eyes of other people. Banks, for example, send encrypted data about their clients back and forth, while governments rely on encryption to get secure messages to overseas embassies. Most email programs encrypt the connection to the mail server while sending and receiving so that messages cannot be read in transit by third parties (the message itself remains readable on the servers unless it is separately encrypted end to end), as do sites which handle personal information like addresses and credit card numbers.

Some encryption protocols are standardized so that people can easily communicate with each other, while in other cases a cipher may be developed specifically for use by particular people and kept unpublished in the belief that this makes it harder to crack; in practice a design that has not been publicly analyzed is usually weaker, not stronger. Secret keys shared in advance were once the only way to encrypt data, until public-key cryptography allowed people to agree on a key across an open network without disclosing the key itself.


http://www.filibeto.org/sun/lib/nonsun/oracle/10.2.0.1.0/B19306_01/network.102/b14268/images/transdata.gif

Benefits of Data Encryption

For large commercial organizations, data security is not only a business decision; in many jurisdictions it is required by law. Losing sensitive data by way of natural disasters or physical theft can have severe consequences on a company, possibly crippling the entire organization. While there are many different security mechanisms, data encryption is perhaps the most effective in regard to protecting confidential information. The threats fall into two broad categories:

Virtual attack - This could be an industry rival that learns to bypass security and gains access to competitive data. It could also be a malicious attack that purposely corrupts data.

Physical attack - Perhaps a disgruntled employee is seeking ways to damage the company by stealing files or purposely destroying data.

Most corporations implement multiple forms of security by using hardware solutions such as routers and firewalls. These devices protect essential data by keeping external threats out of the network. Unfortunately, intruders will employ numerous attacks specifically targeted at your information. When attackers find a way to penetrate your first line of defense, data encryption is what keeps your secrets from being viewed, provided the keys were not sitting on the same compromised system.

Encryption has changed drastically over the years, going from a military solution to widespread public use. Whether it's hardware or software based, it is fast and easy to use, and, with standard algorithms and sound key management, secure. Here are some of the key benefits this solution offers:

Power: The best data encryption is based on public, global standards rather than secret designs, so its strength has been examined by many people. Note that encryption by itself hides data; it does not prevent corruption. Only an authenticated mode of encryption (or a separate integrity check) makes tampering with the ciphertext detectable rather than silently accepted. Many solutions are large enough to ensure that an entire organization is in full compliance with its security policies, and the same standard algorithms serve governments and businesses alike at modest cost.

Flexibility: Data encryption can protect your sensitive information whether it's stored on a desktop or laptop computer, a PDA, removable storage media, an email server or even the corporate network. This allows you to securely access important data from the office, on the road or at home. If the device is lost or stolen, the information will be protected by the data encryption mechanism, as long as the device was powered off or locked and the key cannot be recovered from it; a running, unlocked laptop has already decrypted its data.

Transparency: It wouldn't be a good idea to employ any security measure that negatively impacts your business. An efficient data encryption solution enables your business to flow at a normal pace, silently securing crucial data in the background. Some of the best options are those running effectively without the user even being aware. The flip side of transparency is that whatever decrypts data automatically for the user will also decrypt it for malicious software running as that user, so transparent encryption protects against loss of the media, not against a compromised machine.

There are many benefits of data encryption, as this solution provides solid protection in the event of a security breach. It does not replace your perimeter defenses, but it limits what a breach of them yields. Every security measure you set in place is important, yet incomplete if the confidential data itself is not protected.

Data Security: An Overview

What is Data Security?

In simple terms, data security is the practice of keeping data protected from corruption and unauthorized access. The focus behind data security is to ensure privacy while protecting personal or corporate data.

Hardware based Mechanisms for Protecting Data

Software based security solutions encrypt data to keep it from being read if it is stolen. However, a malicious program or an attacker with write access may corrupt the data, encrypted or not, in order to make it unrecoverable or unusable. Similarly, an encrypted operating system volume can be corrupted by a malicious program or an attacker, making the system unusable. Hardware based security solutions can block read and write access to data below the operating system and hence offer very strong protection against tampering and unauthorized access.

Hardware based or assisted computer security offers an alternative to software-only computer security. Security tokens such as those using PKCS#11 may be more secure because physical possession is required in order to compromise them. Access is enabled only when the token is connected and the correct PIN is entered. However, a plain dongle can be used by anyone who gains physical access to it, which is why the PIN, and a retry limit that locks the token after repeated wrong PINs, matter. Newer hardware based technologies reduce this exposure, though no mechanism is foolproof.

Working of hardware based security: A hardware device allows a user to log in, log out and set different privilege levels by performing manual actions on the device itself. The device uses biometric technology to prevent malicious users from logging in, logging out, or changing privilege levels. The current state of the user is read by controllers in peripheral devices such as hard disks, and illegal access by a malicious user or a malicious program is blocked by the hard disk and DVD controllers according to that state, so software alone cannot reach the protected data.

Hardware based access control is more robust than the protection provided by the operating system, because the operating system is itself exposed to attack by viruses and hackers, and data on a hard disk can be corrupted once malicious access is obtained. With hardware based protection, software cannot manipulate the user privilege levels, so a hacker or a malicious program cannot raise its own privileges or reach data the hardware has locked. The hardware also protects the operating system image and file system privileges from being tampered with.

The protection is only as good as the state the hardware enforces: while a user is logged in at a given level, any software running on the machine acts with that level, and bugs in the controller firmware are still in scope. Combined with secure system administration policies, this gives a considerably more robust system than software alone, though not a completely secure one.

http://bbcomputersinc.com/Lan_diagramta.jpg

Encryption

Encryption has become a critical security feature for thriving networks and active home users alike. This security mechanism uses mathematical schemes and algorithms to scramble data into unreadable text. It can only be decoded, or decrypted, by a party that possesses the associated key.

Full-disk encryption (FDE) offers some of the best protection available for data at rest. This technology enables you to encrypt every piece of data on a disk or hard disk drive, so nothing is left in the clear by mistake. It is even more powerful when hardware solutions are used in conjunction with software components; this combination is often referred to as end-based or end-point full disk encryption. FDE protects the disk while the machine is off or locked; once it is booted and unlocked, the operating system, and anything running on it, reads the disk in the clear, so pre-boot authentication and keeping the key off the disk are what make it effective.

Strong User Authentication

Authentication is another part of data security that we encounter in everyday computer usage. Just think about when you log into your email or blog account. That sign-in is a form of authentication; single sign-on (SSO) is the variant where one such sign-in allows you to use several applications, files, folders or even an entire computer system. Once logged in, you have various given privileges until logging out. Some systems will cancel a session if your machine has been idle for a certain amount of time, requiring that you authenticate once again to re-enter.

Strong user authentication systems can be combined with single sign-on in the same way, but they require individuals to log in using multiple factors of authentication: something you know (a password), something you have (a one-time-password token or a smart card) and something you are (a fingerprint). Two factors of the same kind, such as two passwords, do not make authentication strong.
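The login, idle-timeout and multi-factor behaviour described above, as an added example (not code from the original page). Factor one is a password checked against a PBKDF2-SHA256 hash; factor two is an event-based one-time password implemented as RFC 4226 HOTP (HMAC-SHA1 with dynamic truncation), with a small look-ahead window so a token that was pressed a few times without logging in can resynchronise. Sessions are dropped after a fixed period without activity. The class and function names, user names, passwords and timings are this example's own; the OTP key is the test key from RFC 4226 so the codes can be checked against the RFC's published vectors.

```python
"""Multi-factor login with idle-timeout sessions (added example)."""
import hashlib
import hmac
import os
import secrets
import struct

IDLE_TIMEOUT = 900.0      # seconds of inactivity before a session is cancelled
OTP_LOOKAHEAD = 5         # unused codes ahead of the counter that are still accepted
RFC4226_KEY = b"12345678901234567890"   # test key from RFC 4226, Appendix D


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226: HMAC-SHA1 over the 8-byte big-endian counter, dynamic truncation."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10**digits:0{digits}d}"


def hash_password(password: str, salt: bytes) -> bytes:
    """Slow, salted hash so a stolen user table is not a list of passwords."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class Authenticator:
    def __init__(self):
        self.users = {}      # name -> {salt, pw_hash, otp_key, counter}
        self.sessions = {}   # token -> {user, last_seen}

    def enrol(self, name: str, password: str, otp_key: bytes) -> None:
        salt = os.urandom(16)
        self.users[name] = {"salt": salt, "pw_hash": hash_password(password, salt),
                            "otp_key": otp_key, "counter": 0}

    def login(self, name: str, password: str, otp: str, now: float):
        """Both factors are always evaluated, so a wrong password and a wrong
        code take the same path; the counter advances only on full success."""
        rec = self.users.get(name)
        if rec is None:
            return None
        pw_ok = hmac.compare_digest(hash_password(password, rec["salt"]), rec["pw_hash"])
        matched = None
        for c in range(rec["counter"], rec["counter"] + OTP_LOOKAHEAD):
            if hmac.compare_digest(hotp(rec["otp_key"], c), otp):
                matched = c
        if not pw_ok or matched is None:
            return None
        rec["counter"] = matched + 1          # a used code can never be replayed
        token = secrets.token_urlsafe(32)
        self.sessions[token] = {"user": name, "last_seen": now}
        return token

    def check(self, token: str, now: float):
        """Return the session's user and refresh it, or None if idle too long."""
        s = self.sessions.get(token)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[token]
            return None
        s["last_seen"] = now
        return s["user"]

    def logout(self, token: str) -> None:
        self.sessions.pop(token, None)


def demo() -> dict:
    auth = Authenticator()
    pw = "correct horse battery staple"          # constructed password
    auth.enrol("alice", pw, RFC4226_KEY)
    t = 1_000_000.0                              # constructed clock
    bad_pw = auth.login("alice", "wrong", hotp(RFC4226_KEY, 0), t)
    token = auth.login("alice", pw, hotp(RFC4226_KEY, 0), t)
    replay = auth.login("alice", pw, hotp(RFC4226_KEY, 0), t)   # code 0 consumed
    resync = auth.login("alice", pw, hotp(RFC4226_KEY, 3), t)   # skipped 1 and 2
    far = auth.login("alice", pw, hotp(RFC4226_KEY, 40), t)     # beyond the window
    alive = auth.check(token, t + 600)           # refreshed at t+600
    expired = auth.check(token, t + 600 + 901)   # idle > 900 s since the refresh
    return {"bad_pw": bad_pw is None, "login": token is not None,
            "replay": replay is None, "resync": resync is not None,
            "beyond_window": far is None, "alive": alive == "alice",
            "expired": expired is None}


if __name__ == "__main__":
    print(demo())
```

The look-ahead window is the usual compromise between usability and security: too small and a pressed-but-unused token locks the user out, too large and an attacker who has stolen one future code gets a longer chance to use it.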

Backup Solutions

Data security wouldn't be complete without a solution to back up your critical information. Though it may appear secure while confined in a machine, there is always a chance that your data can be compromised. You could suddenly be hit with a malware infection where a virus destroys all of your files. Someone could enter your computer and steal data through a security hole in the operating system. Perhaps it was an inside job that caused your business to lose those sensitive reports. If all else fails, a reliable backup solution will allow you to restore your data instead of starting completely from scratch. Keep at least one copy out of reach of the same attacker (offline or off-site), test that restores actually work, and if the backups are encrypted, back up the key as well.