Security is one of the most important aspects of a network server environment, because of the amount of different threats toward data in today’s world. These threats are made by people hoping to exploit holes in the security architecture of an organization, and to gain access to network resources for whatever reason. Therefore applications are needed to implement and control the verification of identities using secure keys which identify their communication between each other over the internet.
The head of the Computer Emergency Response Team (CERT), which is a government agency dealing with network security claimed in 2000 that “Security measures that were appropriate for mainframe computers and small well-defined networks inside an organization are not effective for the Internet” (Cordesman & Cordesman, 2002, p. 47), therefore verification of identity is crucial in such elements as e-commerce, in order to identify both buyer and seller. Trust is a key aspect to mention, because verifying the identity of someone who you haven’t met yet is difficult.
However, using this analogy again, if a friend introduces the same person to you there is a third party element of the situation in that your friend is able to verify the integrity and authenticity of the unknown person. This is a key point when talking about how to implement a secure validation system. Building a Public Key Infrastructure in a network server environment is a way of implementing a secure, cheap and easy to use system where two unknown parties can carry out business transactions.
Certificate authorities, also known as CA’s, which act as a high technology intermediary between two parties who want to carry out transactions on a network, are the industry standard. The idea of having an intermediary application like a CA means that verification of both parties uses the basic concept of trust. In the CA architecture the root CA is the central server which issues certificates to subordinate servers in the CA hierarchy. There are also other CA servers which carry out the task of assigning and distributing certificates.
The root CA and the policy CA’s should operate based on a tree structure where the root CA creates the certificates and then delegates them to the policy CA’s. There are usually three levels of CA servers, the highest level is the root CA, which then passes work to a set of intermediary CA’s, maybe kept at various location in the general network architecture to reduce network load, and then finally there are issuing CA’s which deal with purely distribution tasks.
The policy CA’s, which get all their certificates from the root, will then pass them down the chain, acting as a go-between with the root and issuing CA’s. This is crucial in maintaining a secure and functioning system, and the process of separating the root CA from the issuing CA’s by using this intermediary, conforms to the rules regarding implementing a secure network policy in an organization. Having a secure network policy is an important factor in preventing any attack on data integrity.
If a secure network policy is not applied to a network then the risk of being compromised increases. This situation is very dangerous for an organization considering the data that may be available on a network which may be both financial and personal. According to Lane Mills the best example of a network security policy is demonstrated by one of the most prominent networking corporations in the world, Cisco Systems, who offer “an excellent example of a network security policy that addresses network security in three areas: preparation, prevention and response” (Mills, 2005, p. ). Every network administrator should ensure that these three areas are covered, and that the information, as well as the systems used to store this information, is deemed to be secure from unauthorized access, or use by unauthorized persons or organizations, as well as protecting them from modification or destruction. Therefore the infrastructure of the network will need to comply with security models as well as legal and ethical values expected by industry regulators.
The following controls for the protection of information and system resources must be implemented along with an administrative system of controls, which should include written policies, a framework for a high standard of work as well as a set of guidelines to deal with any problems or potential situations. The network security policy must also ensure that strong passwords are used and that intrusion detection is included, with a system of firewalls in place to prevent any unauthorized external access.
Finally the physical location of the network, the server rooms and telecommunications points must pass basic security checks, with entry points protected and security in place to prevent unauthorized physical access. All of “the types of sensitive information that will reside on that system and the rules and restrictions that applies to the users who access the system” (Donnely, 1992, p. 90) must be combined under a totally secure network environment policy.
Securing the administrative system of controls is important because by using these tools, an unauthorized user may be able to gain control over and subsequently manipulate the functions of the network to carry out unauthorized tasks. This is potentially damaging for any organization which uses a network environment for its information technology functions and should therefore be incorporated in the implementation of a secure network policy.
Common administrative tasks can be manipulated to allow total control of the network to the unauthorized user, to cause network damage by changing properties of network resources, and to restrict access to other users. These tools can also be used to destroy data, to stop backups of the data occurring, and to format volumes of data if required. These actions would be very costly to any enterprise and should be prevented at all costs.
Therefore the network security policy should be applied to all elements of the network, and should also be made accessible and available to changes by the network administrators. A security update policy for servers and client systems should be established by first creating a secure environment, using the network security policy, and implementing restrictions on the physical access to the machines. Then Active Directory (AD) security can be applied to the day to day tasks of the network, and for the users of the network.
AD accounts can be created for various kinds of resources, whether they are human or technological, and this structure provides a secure framework for operation and updating. Security updates are one of the most crucial elements of maintaining a secure network policy, as hackers use exploits that have not yet been patched to gain access or control over machines. They use these un-patched exploits along with “a specialized set of tools, and they use those tools to commit crimes” (Thomas, 2002, p. 7), which occur after a hack is successful.
A secure update policy should also be a silent policy, which the user has no access to or control over, and this can be applied using the AD. The best way to allow a complex organization to be updated is to standardize the hardware and software in a test environment which mirrors that of the live environment. Updates can be tested internally in this environment before being rolled out to live where they may cause problems, because under Windows, “Microsoft security updates in the past have caused more problems than they have solved” (Van Horn, 2005, p. 87). This addition of a layer of testing is critical in maintaining a live environment where users can complete their daily tasks without fear of compromise, technical failure or unexpected errors based on updates which have been applied. Therefore in conclusion the issue of network security, trust and the implementation of a set of policies which deal with everything on the network from user access to updates is one which is very important for organizations which want to maximize security and efficiency, yet minimize administration of the network.
From the most basic of tasks to the most complex and important, the design and implementation of a network security policy can be beneficial in many ways from efficiency to security, and by using these systems it is possible to create and manipulate existing policies to aid business operations. The ultimate aim of a network is to allow different aspects of a business to be integrated together to give a secure and efficient system which is both easy to use and cost effective, and implementing the above recommendations will help to achieve these aims.