Network Security Fundamentals [Electronic resources] نسخه متنی

اینجــــا یک کتابخانه دیجیتالی است

با بیش از 100000 منبع الکترونیکی رایگان به زبان فارسی ، عربی و انگلیسی

جستجو بر اساس ... همه عنوان پدیدآور موضوع یادداشت تمام متن
اصطلاحنامه مجموعه ها مرورالفبایی لغت نامه دهخدا
جستجو در لغت نامه
بیشتر
کتابخانه شخصی پرسش از کتابدار ارسال منبع

Network Security Fundamentals [Electronic resources] - نسخه متنی

Gert De Laet, Gert Schauwers

| نمايش فراداده ، افزودن یک نقد و بررسی
افزودن به کتابخانه شخصی
میخواهم بخوانم
درحال خواندن
خوانده شده
ارسال به دوستان

آدرس پست الکترونیک گیرنده :

آدرس پست الکترونیک فرستنده :

نام و نام خانوارگی فرستنده :

پیغام برای گیرنده ( حداکثر 250 حرف ) :

کد امنیتی را وارد نمایید

ارسال
جستجو در متن کتاب
بیشتر
تنظیمات قلم

فونت

اندازه قلم

+ - پیش فرض

حالت نمایش

روز نیمروز شب
جستجو در لغت نامه
بیشتر
لیست موضوعات

Acknowledgments

Icons Used in This Book

Command Syntax Conventions

Foreword

Introduction

Part I. Introduction

Chapter 1. Network Security Overview

Defining Trust

Weaknesses and Vulnerabilities

Responsibilities for Network Security

Security Objectives

Conclusion

Q&A

Chapter 2. Understanding VulnerabilitiesThe Need for Security

Risk and Vulnerability

TCP/IP Suite Weaknesses

Buffer Overflows

Spoofing Techniques

Social Engineering

Conclusion

Q&A

Chapter 3. Understanding Defenses

Digital IDs

Intrusion Detection System

PC CardBased Solutions

Physical Security

Encrypted Login

Firewalls

Reusable Passwords

Antivirus Software

Encrypted Files

Biometrics

Conclusion

Q&A

Part II. Building Blocks

Chapter 4. Cryptography

Cryptography versus Cryptanalysis

Modern-Day Techniques

Conclusion

Q&A

Chapter 5. Security Policies

Defining a Security Policy?

Importance of a Security Policy

Development Process

Incident Handling Process

Security Wheel

Sample Security Policy

Conclusion

Q&A

Chapter 6. Secure Design

Network DesignPrinciples

Network DesignMethodology

Return on Investment

Physical Security Issues

Switches and Hubs

Conclusion

Q&A

Part III. Tools and Techniques

Chapter 7. Web Security

Hardening

Case Study

Conclusion

Q&A

Chapter 8. Router Security

Basic Router Security

Router Security to Protect the Network

CBAC

Case Study

Conclusion

Q&A

References in This Chapter

Chapter 9. Firewalls

Firewall Basics

Different Types of Firewalls

Enhancements for Firewalls

Case Study: Placing Filtering Routers and Firewalls

Summary

Q&A

Chapter 10. Intrusion Detection System Concepts

Introduction to Intrusion Detection

Host-Based IDSs

Network-Based IDSs

IDS Management CommunicationsMonitoring the Network

Sensor Maintenance

Case Study: Deployment of IDS Sensors in the Organization and Their Typical Placement

Conclusion

Q&A

Chapter 11. Remote Access

AAA Model

AAA Servers

Lock-and-Key Feature

Two-Factor Identification

Case Study: Configuring Secure Remote Access

Summary

Q&A

Chapter 12. Virtual Private Networks

Generic Routing Encapsulation Tunnels

IP Security

VPNs with IPSec

Case Study: Remote Access VPN

Conclusion

Q&A

Chapter 13. Public Key Infrastructure

Public Key Distribution

Trusted Third Party

PKI Topology

Enrollment Procedure

Revocation Procedure

Case Study: Creating Your Own CA

Conclusion

Q&A

Chapter 14. Wireless Security

Different WLAN Configurations

What Is a WLAN?

How Wireless Works

Risks of Open Wireless Ports

War-Driving and War-Chalking

SAFE WLAN Design Techniques and Considerations

Case Study: Adding Wireless Solutions to a Secure Network

Conclusion

Q&A

Chapter 15. Logging and Auditing

Logging

SYSLOG

Simple Network Management Protocol

Remote Monitoring

Service Assurance Agent

Case Study

Conclusion

Q&A

Part IV. Appendixes

Appendix A. SAFE Blueprint

Introduction to the SAFE Blueprint

SAFE Blueprint: Overview of the Architecture

Summary

References in This Appendix

Appendix B. SANS Policies

SANS Overview

SANS Initiatives and Programs

Security Policy Project

Is It a Policy, a Standard, or a Guideline?

References in This Appendix

Appendix C. NSA Guidelines

Security Guides

References in This Appendix

Appendix D. Answers to Chapter Q&A

Chapter 1 Q&A

Chapter 2 Q&A

Chapter 3 Q&A

Chapter 4 Q&A

Chapter 5 Q&A

Chapter 6 Q&A

Chapter 7 Q&A

Chapter 8 Q&A

Chapter 9 Q&A

Chapter 10 Q&A

Chapter 11 Q&A

Chapter 12 Q&A

Chapter 13 Q&A

Chapter 14 Q&A

Chapter 15 Q&A

Bibliography

Books

Website References

Index
توضیحات
افزودن یادداشت جدید

Is It a Policy, a Standard, or a Guideline?


What's in a name? People frequently use the names "policy," "standard," and "guideline" to refer to documents that fall within the policy infrastructure. Although they all have different definitions, most people use these names synonymously, which is why the sections that follow define each term separately.

A

policy is typically a document that outlines specific requirements or rules that must be met. In the information and network security realm, policies are usually point-specific, covering a single area. For example, an "Acceptable Use" policy would cover the rules and regulations for appropriate use of the computing facilities. Top management usually sets policies.

A

standard is typically a collection of system-specific or procedural-specific requirements that must be met by everyone. For example, you might have a standard that describes how to harden a Windows NT workstation for placement on an external (DMZ) network. People must follow this standard exactly if they wish to install a Windows NT workstation on an external network segment. Middle management usually sets standards.

A

guideline is typically a collection of system-specific or procedure-specific suggestions for best practices. Guidelines are not requirements to be met but are procedures that are strongly recommended. Effective security policies make frequent references to standards and guidelines that exist within an organization. The IT staff usually sets guidelines.

The following examples further clarify the difference between the three words:

  • A password policy should state that passwords must be sufficient to properly secure a resource.

  • A password standard specifies that a password generator should be used.

  • A password guideline lists all the company-approved, licensed password generators.


Sample Policies


On the SANS website, you can find some sample security policy templates. They can be used as a start for developing your own security policy. The documents on the SANS website continue to be works in progress, and the policy templates are living documents. The available policies on the SANS website are as follows:

  • Acceptable Use Policy
    Defines acceptable use of equipment and computing services and the appropriate employee security measures to protect the organization's corporate resources and proprietary information.

  • Acquisition Assessment Policy
    Defines responsibilities regarding corporate acquisitions and defines the minimum requirements of an acquisition assessment to be completed by the information security group.

  • Analog/ISDN Line Policy
    Defines standards for use of analog/ISDN lines for sending and receiving a fax and for connection to computers.

  • Anti-Virus Process
    Defines guidelines for effectively reducing the threat of computer viruses on the organization's network.

  • Application Service Provider (ASP) Policy
    Defines minimum security criteria that an ASP must execute in order to be considered for use on a project by the organization.

  • Application Service Provider (ASP) Standards
    Outlines the minimum security standards for the ASP. This policy is referenced in the ASP Policy (see previous item).

  • Audit Vulnerability Scanning Policy
    Defines the requirements and provides the authority for the information security team to conduct audits and risk assessments. The team conducts assessments to ensure integrity of information and resources, to investigate incidents, to ensure conformance to security policies, or to monitor user and system activity when appropriate.

  • Automatically Forwarded E-Mail Policy
    Documents the requirement that no e-mail is automatically forwarded to an external destination without prior approval from the appropriate manager or director.

  • Database Credentials Coding Policy
    Defines requirements for securely storing and retrieving database usernames and passwords.

  • Dial-in Access Policy
    Defines appropriate dial-in access and its use by authorized personnel.

  • DMZ Lab Security Policy
    Defines standards for all networks and equipment deployed in labs located in the demilitarized zone or external network segments.

  • E-Mail Retention
    Helps employees determine what information that is sent or received by e-mail should be retained and for how long.

  • Ethics Policy
    Defines the means to establish a culture of openness, trust, and integrity in business practices.

  • Extranet Policy
    Defines the requirement that third-party organizations requiring access to the organization's networks must sign a third-party connection agreement.

  • Information Sensitivity Policy
    Defines the requirements for classifying and securing the organization's information in a manner appropriate to its sensitivity level.

  • Internal Lab Security Policy
    Defines requirements for internal labs to ensure that confidential information and technologies are not compromised and that production services and interests of the organization are protected from lab activities.

  • Internet DMZ Equipment Policy
    Defines the standards to be met by all equipment owned and operated by the organization that is located outside the organization's Internet firewalls (the demilitarized zone, or DMZ).

  • Lab Anti-Virus Policy
    Defines requirements that must be met by all computers connected to the organization's lab networks to ensure effective virus detection and prevention.

  • Password Protection Policy
    Defines standards for creating, protecting, and changing strong passwords.

  • Remote Access Policy
    Defines standards for connecting to the organization's network from any host or network external to the organization.

  • Risk Assessment Policy
    Defines the requirements and provides the authority for the information security team to identify, assess, and remediate risks to the organization's information infrastructure associated with conducting business.

  • Router Security Policy
    Defines standards for minimal security configuration for routers and switches inside a production network or used in a production capacity.

  • Server Security Policy
    Defines standards for minimal security configuration for servers inside the organization's production network or used in a production capacity.

  • The Third Party Network Connection Agreement
    Defines the standards and requirements, including legal requirements, needed in order to interconnect a third-party organization's network to the production network. This agreement must be signed by both parties.

  • VPN Security Policy
    Defines the requirements for Remote Access IPSec or Level 2 Tunneling Protocol (L2TP) virtual private network (VPN) connections to the organization's network.

  • Wireless Communication Policy
    Defines standards for wireless systems used to connect to the organization's networks.



/ 196