Networking: A Beginner’s Guide
Chapter 11: Securing Your Network

File and Directory Permissions

Another type of internal security that you need to maintain for information on your network involves the users’ access to files and directories. These settings are actually a bit tougher to manage than user accounts, because you usually have at least 20 directories and several hundred files for every user on the network. The sheer volume of directories and files makes managing these settings a more difficult job. The solution is to establish regular procedures, follow them, and then periodically spot-audit parts of the directory tree, particularly areas that contain sensitive files. Also, structure the overall network directories so that you can, for the most part, simply assign permissions at the top levels. These permissions will “flow down” to subdirectories automatically, which makes it much easier to review who has access to which directories.

Network operating systems allow considerable flexibility in setting permissions on files and directories. Using the built-in permissions, you can enable users for different roles in any given directory. These roles control what the user can and cannot do within that directory. Examples of generic directory roles include the following:

- Create only: This type of role enables users to add a new file to a directory, but restricts them from seeing, editing, or deleting existing files, including any they’ve created. This type of role is suitable for allowing users to add new information to a directory to which they shouldn’t otherwise have access. The directory becomes almost like a mailbox on a street corner: You can only put new things in it. Of course, at least one other user will have full access to the directory to retrieve and work with the files.
- Read only: This role enables users to see the files in a directory and even to pull up the files for viewing on their computer. However, the users cannot edit or change the stored files in any way.
  This type of role is suitable for allowing users to view information that they should not change. (Users with read privileges can copy a file from a read-only directory to another directory and then do whatever they like with the copy they made. They simply cannot change the copy stored in the read-only directory itself.)
- Change: This role lets users do whatever they like with the files in a directory, except give other users access to the directory.
- Full control: Usually reserved for the “owner” of a directory, this role enables the owners to do whatever they like with the files in a directory and to grant other users access to the directory.

These roles are created in different ways on different network operating systems. Chapter 17 provides more details on how Windows server operating systems handle directory permissions.

Just as you can set permissions for directories, you can also set security for specific files. File permissions work similarly to directory permissions. For specific files, you can control a user’s ability to read, change, or delete a file. File permissions usually override directory permissions. For example, if users had change access to a directory, but you set their permission to access a particular file in that directory to read-only, they would have only read-only access to that file.

TIP: For a network of any size, I recommend avoiding the use of file-specific network permissions, except in very rare cases. It can quickly become an unmanageable mess to remember to which files each user has special permissions and to which files a new hire needs to be given specific permission.

Practices and User Education

The most insecure part of any network is the people using it. You need to establish good security practices and habits to help protect the network. It’s not enough to design and implement a great security scheme if you do not manage it well on a daily basis.

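One routine check that keeps the permission scheme from the File and Directory Permissions section manageable, as an added example that is not from the book: the Python sketch below models top-level grants that flow down and a file-specific permission that overrides the directory's, then lists the grants a spot-audit should review. The paths, user names and the "nearest explicit grant wins" simplification are assumptions made for illustration.

```python
# Added illustration: simplified model, nearest explicit grant wins.
# Constructed sample data: paths ending in "/" are directories, others are files.
GRANTS = {
    "/shares/": {"staff": "read only"},
    "/shares/accounting/": {"acct": "change"},
    "/shares/accounting/inbox/": {"staff": "create only"},   # the "mailbox" role
    "/shares/accounting/ledger.xls": {"acct": "read only"},  # file-specific grant
}

def ancestors(path):
    """Yield the path itself, then each parent directory up to the root."""
    yield path
    parts = path.rstrip("/").split("/")
    for i in range(len(parts) - 1, 0, -1):
        yield "/".join(parts[:i]) + "/"

def effective_role(user, path, grants=GRANTS):
    """Role a user ends up with: grants flow down until a closer one overrides."""
    for candidate in ancestors(path):
        role = grants.get(candidate, {}).get(user)
        if role is not None:
            return role
    return None  # no grant anywhere above this path: no access

def audit(grants=GRANTS, top_depth=2):
    """List grants to review: file-specific ones and directory grants below top_depth."""
    findings = []
    for path in sorted(grants):
        parent = path.rstrip("/").rsplit("/", 1)[0] + "/"
        depth = len(path.strip("/").split("/"))
        for user, role in sorted(grants[path].items()):
            inherited = effective_role(user, parent, grants)
            if not path.endswith("/"):
                findings.append((path, user, role, inherited, "file-specific"))
            elif depth > top_depth:
                findings.append((path, user, role, inherited, "below top level"))
    return findings

if __name__ == "__main__":
    print(effective_role("acct", "/shares/accounting/ledger.xls"))
    for finding in audit():
        print(finding)
```

Each finding pairs the explicit role with the role the user would have inherited, so a reviewer can see at a glance what the exception changes.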
To establish good practices, you need to document security-related procedures, and then set up some sort of process to make sure that the employees follow the procedures regularly. In fact, you’re far better off having a simple security design that is followed to the letter than having an excellent but complicated security design that is poorly followed. For this reason, keep the overall network security design as simple as possible, while remaining consistent with the needs of the company.

You also need to make sure, to the maximum extent possible, that the users are following prudent procedures. You can easily enforce some procedures through settings on the network operating system, but you must handle others through education. The following are some tips to make this easier:

- Spell out for users what is expected of them in terms of security. Provide a document that describes the security of the network and what they need to do to preserve it. Examples of guidelines for the users include choosing secure passwords, not giving their passwords to anyone else, not leaving their computers unattended for long periods of time while they are logged in to the network, not installing software from outside the company, and so forth.
- When new employees join the company and are oriented on using the network, make sure that you discuss security issues with them.
- Depending on the culture of the company, consider having users sign a form acknowledging their understanding of important security procedures that the company expects them to follow.
- Periodically audit users’ security actions. If the users have full-control access to directories, examine how they’ve assigned permissions to other users.
- Make sure that you review the security logs of the network operating system you use. Investigate and follow up on any problems reported.

TIP: It’s a good idea to document any security-related issues you investigate.
While most are benign, occasionally you might find one in which the user had inappropriate intent. In such cases, your documentation of what you find and what actions you take might become important.

While it’s important to plan for the worst when designing and administering network security, you also need to realize that most of the time, security issues arise from ignorance or other innocent causes, rather than from malicious intent.

Understanding External Threats

External security is the process of securing the network from external threats. Before the Internet, this process wasn’t difficult. Most networks had only external modems for users to dial in to the network, and it was easy to keep those access points secure. However, now that nearly all networks are connected to the Internet, external security becomes much more important and also much more difficult.

At the beginning of this chapter, I said that no network is ever totally secure. This is especially true when dealing with external security for a network connected to the Internet. Almost daily, crackers discover new techniques that they can use to breach the security of a network through an Internet connection. Even if you were to find a book that discussed all the threats to a specific type of network, the book would be out of date soon after it was printed.

Three basic types of external security threats exist:

- Front-door threats: These threats arise when a person from outside the company somehow finds, guesses, or cracks a user password and then logs on to the network. The perpetrator could be someone who had an association with the company at some point or could be someone totally unrelated to the company.
- Back-door threats: These are threats where software or hardware bugs in the network’s operating system and hardware enable outsiders to crack the network’s security.
  After accomplishing this, the outsiders often find a way to log in to the administrative account and then can do anything they like. Back-door threats can also be deliberately programmed into software you run.
- Denial of service (DoS): DoS attacks deny service to the network. Examples include committing specific actions that are known to crash different types of servers or flooding the company’s Internet connection with useless traffic (such as a flood of ping requests).

NOTE: Another type of external threat exists: computer viruses, Trojan horses, worms, and other malicious software from outside the company. These threats are covered in their own section later in the chapter.

Fortunately, you can do a number of things to implement strong external security measures. They probably won’t keep out a determined and extremely skilled cracker, but they can make it difficult enough that most crackers will give up and go elsewhere.

Front-Door Threats

Front-door threats, in which someone from outside the company is able to gain access to a user account, are probably the most likely threats that you need to protect against. These threats can take many forms. Chief among them is the disgruntled or terminated employee who once had access to the network. Another example is someone guessing or finding out a password to a valid account on the network or somehow getting a valid password from the owner of the password.

Insiders, whether current or ex-employees, are potentially the most dangerous overall. Such people have many advantages that some random cracker won’t have. They know the important user names on the network already, so they know what accounts to go after. They might know other users’ passwords from when they were associated with the company. They also know the structure of the network, what the server names are, and other information that makes cracking the network’s security easier.

Protecting against a front-door threat revolves around strong internal security protection because, in this case, internal and external security are closely linked. This is the type of threat where all the policies and practices discussed in the section on internal security can help to prevent problems.

DEFINE-IT! Important Network Security Devices

Here are some important security devices you should be familiar with:

- A firewall is a system that enforces a security policy between two networks, such as between a local area network (LAN) and the Internet. Firewalls can use many different techniques to enforce security policies.
- A proxy server acts as a proxy (an anonymous intermediary), usually for users of a network. For example, it might stand in as a proxy for browsing web pages, so that the user’s computer isn’t connected to the remote system except through the proxy server. In the process of providing proxy access to web pages, a proxy server might also speed web access by caching web pages that are accessed so that other users can benefit from having them more quickly available from the local proxy server, and might also provide some firewall protection for the LAN.
- Usually built into a router or a firewall, a packet filter enables you to set criteria for allowed and disallowed packets, source and destination IP addresses, and IP ports.

An additional effective way to protect against front-door threats is to keep network resources that should be accessed from the LAN separate from resources that should be accessed from outside the LAN, whenever possible. For example, if you never need to provide external users access to the company’s accounting server, you can make it nearly impossible to access that system from outside the LAN.

You can separate network resources through a number of measures. You can set up the firewall router to decline any access through the router to that server’s IP or IPX address.
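The firewall measure just described, as an added example that is not from the book: a small Python model of a packet filter that checks rules in order and applies the first match, showing how the accounting server stays unreachable from outside only when its deny rule comes before any broader allow. The addresses, ports and rule sets are constructed for illustration, and first-match evaluation is an assumption about the filter.

```python
import ipaddress

ANY = "0.0.0.0/0"
LAN = "192.168.10.0/24"          # constructed internal network
ACCOUNTING = "192.168.10.20/32"  # constructed internal-only server
WEB = "192.168.10.80/32"         # constructed server that outsiders may reach

# Each rule: (action, source network, destination network, port or None for any).
GOOD = [
    ("deny",  ANY, ACCOUNTING, None),  # nothing crosses the router to accounting
    ("allow", ANY, WEB, 443),
    ("allow", LAN, ANY, None),         # outbound traffic from the LAN
]
WEAK = [
    ("allow", ANY, LAN, 443),          # broad allow placed first shadows the deny
    ("deny",  ANY, ACCOUNTING, None),
    ("allow", LAN, ANY, None),
]

def decide(rules, src, dst, port):
    """Return the action of the first rule matching the packet, else deny."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for action, src_net, dst_net, rule_port in rules:
        if (src in ipaddress.ip_network(src_net)
                and dst in ipaddress.ip_network(dst_net)
                and rule_port in (None, port)):
            return action
    return "deny"  # default: anything not explicitly allowed is dropped

def reachable_from_outside(rules, server, ports, outside="203.0.113.7"):
    """Ports on server that a constructed outside address would be allowed to reach."""
    return [p for p in ports if decide(rules, outside, server, p) == "allow"]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(name, reachable_from_outside(rules, "192.168.10.20", [22, 443, 1433]))
```

Running the same check against every internal-only server after each rule change catches an ordering mistake before it exposes anything.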
If the server doesn’t require IP, you can remove that protocol. You can set up the server to disallow access outside normal working hours. Depending on the network operating system running on the server, you can restrict access to Ethernet MAC addresses for machines on the LAN that should be able to access the server. You can also set the server to allow each user only one login to the server at a time. The specific steps that you can take depend on the server in question and its network operating system, but the principle holds true: Segregate internal resources from external resources whenever possible.

Here are some other steps you might take to stymie front-door threats:

- Control which users can access the LAN from outside the LAN. For example, you might be running VPN software for your traveling or home-based users to access the LAN remotely through the Internet. You should enable this access only for users who need it and not for everyone.
- Consider setting up remote access accounts for remote users who are separate from their normal accounts, and make these accounts more restrictive than their normal LAN accounts. This might not be practicable in all cases, but it’s a strategy that can help, particularly for users who normally have broad LAN security clearances.
- For modems that users dial in to from a fixed location, such as from their homes, set up their accounts to use dial-back. Dial-back is a feature whereby you securely enter the phone number of the system from which users are calling (such as their home phone numbers). When the users want to connect, they dial the system, request access, and then the remote access system terminates the connection and dials the preprogrammed phone number to make the real connection. Their computer answers the call and then proceeds to connect them normally. Someone trying to access the system from another phone number won’t be able to get in if you have dial-back enabled.
- If employees with broad access leave the company, review user accounts where they might have known the password. Consider forcing an immediate password change to such accounts once the employees are gone.

NOTE: An important aspect of both internal and external security is physical security. Make sure that the room in which your servers are located is physically locked and secure.

People trying to access the network who have not been associated with the company at some point often try a technique euphemistically called social engineering, which is where they use nontechnological methods to learn user accounts and passwords inside the company. These techniques are most dangerous in larger companies, where not all