<?xml version="1.0" encoding="UTF-8"?><rss version="2.0">
<channel>
<title>access</title>
<link>http://www.computersight.com/tags/access</link>
<description>New posts about access</description>
<item>
<title>Wireless Networking Physical Security</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Wireless-Networking-Physical-Security.232547</link>
<description>
<![CDATA[<h3>Environmental Awareness and Physical Security</h3>
<p>The first step in every security assessment and hardening process is to conduct an environmental survey aimed at building a comprehensive, scenario-specific awareness and understanding of the prevailing operating environment.</p>
<p>One all too often overlooked aspect here is physical security. One should never forget that all security starts with the physical and only then progresses to the logical if appropriate. Without further ado here are the issues and potential solutions that merit consideration with regards to all wireless networking environments and implementation scenarios.</p>
<h3>Fixing and Camouflage</h3>
<p>First, make sure that all of your Wireless Access Points (WAPs) are physically secured. Tie-downs and camouflage are great ways to do this. Both camouflaged and secreted devices (located in suspended ceilings etc.) have the added security benefit of being hidden from general view.</p>
<p>The old adage “out of sight, out of mind” immediately springs to mind. What cannot be seen is often out of mind and therefore less likely to go walkabout. WAPs can be secreted in suspended ceilings, wiring closets or fixtures such as ornaments and planter pots. This also makes for a far more aesthetically pleasing approach.</p>
<h3>Signal Degradation</h3>
<p>With respect to wireless networking, physical security also entails taking into consideration factors such as environmental interference from other wireless devices and cell phones, electromagnetic interference (EMI) from other electronic and electrical devices such as TVs, radios and public address systems, signal attenuation and degradation, and, for the network's wired components such as those connecting your WAPs and wireless bridges/routers to your wired network (LAN), noise and cross-talk.</p>
<h3>Functional Reliability</h3>
<p>Do not overlook the need for equipment reliability and robustness, along with adequate operating functionality in emergency situations. It is imperative that, in the event of an emergency or catastrophe, your wireless network remains fully functional unless circumstances dictate otherwise. Communication is usually the most valuable resource in times of doubt and uncertainty. Just ask the military.</p>
<h3>Naming, Labeling and Documentation</h3>
<p>An appropriate secure customized naming convention complete with a fully complementary secure labeling system is a must. This is generally of higher importance for a business wireless networking environment where there may be considerable numbers of roaming network member devices than is usually the case for the home wireless network.</p>
<p>On top of this, wireless network physical security requires the appropriate planning to ensure the ready location and identification of network devices in the event of malfunctions, failures or hacking (successful or not), especially when physical access to the equipment in question becomes necessary. Of course this will include proper documentation detailing all physical aspects of the wireless network, including device location and identification markers.</p>
<h3>Wireless Traffic Control</h3>
<p>Another crucial element of physical security for all wireless networks that rates special mention here is traffic control. Just as one regulates the physical ebb and flow of people on any given site through orchestrated control of transport facilities and mechanisms, the same holds true for the regulation and control of traffic flow on wireless networks.</p>
<p>Consider this to be very much akin to a perimeter-based site/facility security strategy that deploys multiple layers of defenses for physical site access. In networking applications firewalls can do an admirable job of regulating authenticated access; very much as a fence and guard-house does for facility perimeter security. So install one and ensure that it is correctly configured.</p>
<h3>Physical Traffic Control Mechanisms</h3>
<p>With regards to physical traffic control for wireless networks the majority of options will be partially implemented in hardware and partially logically. The exact mix will be situation specific. Planning and due care with device placement, the selection of transmission frequency bands and power ratings will all have a role to play.</p>
<p>Consider that some frequencies have better physical penetration attributes than others, while more powerful signals (higher wattage) will be propagated further and will also penetrate fixtures better. There have been documented instances of wireless network signals being detectable and of service level quality at up to 125 miles from the transmission source (the official world record distance as recorded by <a href="http://www.wifi-shootout.com" target="_blank">http://www.wifi-shootout.com</a>).</p>
<p>For these reasons in a high security zone one might need to deploy more specialized WAPs set to a lower transmission power rating than usual in combination with unidirectional antennae rather than omnidirectional antennae. The additional costs of these types of units are readily justifiable in terms of the additional security levels attained.</p>
<p>From a fiscal standpoint it is worth noting that this small additional cost is a one-time, up-front encumbrance, and the finance department will love the fact that these devices are far sturdier and more reliable and in general have a longer expected mean operating life, thereby reducing running costs and failure-induced troubleshooting and replacement rates.</p>
<h3>Logical Traffic Control Mechanisms</h3>
<p>Having implemented perimeter-based access verification and validation security initiatives we may well need to implement additional logical controls and network subdivisions such as Demilitarized Zones (DMZs). DMZs for instance allow for additional network traffic control, regulation, isolation and compartmentalization.</p>
<p>Limiting wireless devices to specific areas/zones of a network also delivers additional benefits such as greater economy and efficiency of bandwidth usage patterns and superior levels of granular administrative capabilities and ease of use.</p>
<h3>Wireless-Free Zones</h3>
<p>There are also many instances where wireless networking devices, along with mobile communications or entertainment devices, are undesirable or unwelcome. The most sensitive of these areas involve sensitive electronic equipment such as that found in hospital trauma, intensive care, surgical and coronary care units and life support systems. Areas where flammable materials are handled, stored or used also qualify as wireless-free zones.</p>
<p>In these cases and others like them we need to monitor to ensure that wireless devices are not functional within a specified perimeter and that signal leakage from wireless-enabled sectors does not penetrate it. Perimeter threshold detection is generally considered to be the most effective solution here.</p>
<p>By this I mean that metaphorically speaking a line is drawn beyond which none of the above devices will pass while still turned on. Hospitals generally paint a red line on the floor, walls and ceiling to clearly mark this threshold.</p>
<h3>Collateral Damage</h3>
<p>When designing and planning a wireless network remember to incorporate provisions that address physical security from the health perspective by ensuring that no possible harm, collateral damage or interference can be caused by the network, its devices and its signals. Cables for example, should be secured and out of harm's way as should WAPs.</p>
<p>We don't, for instance, want a WAP falling onto somebody, from a humane perspective as well as from a litigation-avoidance perspective. Nor do we want our wireless network to cause the cardiac pacemaker of a passer-by to malfunction. Here is a case where clear, readily noticeable and unambiguous notifications (signage) are our main preventative and compliance option. I guess this is more or less a disclaimer approach really.</p>
<p>Not only do we need to protect and guard humans from harm caused directly or indirectly by our wireless network and its components, but we need to protect our wireless network from physical harm caused by humans and/or the environment as well. It is up to us to provide for our network's physical well-being as it cannot do this for itself.</p>
<h3>Regulatory Compliance</h3>
<p>Regulatory compliance issues also need to be addressed at all levels and all stages of a wireless network's life cycle. Local and regional standards and regulations need to be researched and fully compliant measures implemented. Policies also need to be developed, made appropriately available to those concerned and of course implemented.</p>
<h3>Pass-Through Point Security</h3>
<p>Just as a physical site's physical access controls may see the implementation and installation of fences and stationing of security guards at primary access points the same can often be done with wireless networks. For example there may be the opportunity to implement search mechanisms such as the pass-through points seen at airports etc. This is one way of ensuring that unknown devices do not enter within the coverage area of your wireless network.</p>
<p>Unfortunately, for most businesses it is often impractical to implement this type of measure as the cost and negative customer reactions may preclude it as being overly draconian. Larger chain retailers do however, employ pass-through scanning devices but they are more attuned to the detection of theft of merchandise rather than the prevention of unauthorized wireless access.</p>
<p>Note however, that for areas not publicly accessible and/or where sensitive materials are stored, pass-through inspection security is a viable option. Espionage is a reality that must be addressed. If not the theft of property, then the sabotage aspect may carry enough weight to justify implementing pass-through surveillance mechanisms.</p>
<p>So much damage has been done in the past by persons posing as service or utility personnel that many facilities, especially an organization's research and development and marketing divisions as well as their datacenter, have seen fit to implement the pass-through security approach.</p>
<h3>Wireless Network Presence Detection</h3>
<p>Although a wireless network uses a medium invisible to the human eye, with the right tools it becomes very observable. Tools such as Kismet, for example, have very little difficulty in detecting the presence of a wireless network. Furthermore, there is very little you can do to prevent this type of detection. After all, wireless signals are transmitted over the public domain. Fortunately however, there is a lot you can do to prevent exploitation of a wireless network after detection.</p>
<p>The implementation of full conversation encryption including that of authentication mechanisms and connection establishment is, as far as most would-be intruders/hackers are concerned, just too much hard work considering that there are untold numbers of easier targets to be had.</p>
<h3>Quality of Service (QoS) Geographical Access Parameters</h3>
<p>One should always consider geographical access and connectivity requirements and parameters in conjunction with the desired timely delivery of Quality of Service (QoS) metrics. The wireless network's ideal is to provide adequate connectivity and accessibility throughout the entire area of intended coverage (no drop-out zones) and with a specified level of Quality of Service (QoS) for said area but no more.</p>
<p>The Quality of Service (QoS) factor may be defined by either meeting or failing to meet specific performance metrics such as transfer rates or strength of encryption.</p>
<p>The geographical network confinement parameters are generally characterized and measured by the degree of signal leakage beyond a specified intended perimeter of coverage. The distance, signal strength, signal quality and degree of availability both within and beyond the designated network perimeter are the parameters that define and delineate that point at which signal leakage becomes unacceptable.</p>
<h3>Network Monitoring and Site Surveys</h3>
<p>In monitoring the attributes of a wireless network, tools such as AirSnort, Wireshark (formerly Ethereal), NetStumbler and Kismet are your friends. Use them to conduct regular site surveys to assess signal leakage. If need be, take the appropriate remedial measures to ensure compliance at all times and locations.</p>
<p>Some organizations even go to the extent of using signal jamming technologies to ensure that any leakage is rendered useless and piggy-backing cannot take place.</p>
<h3>Line of Sight</h3>
<p>Line of sight requirements need to be assessed carefully from the perspectives of both the current scenario and extrapolated into making predictions of the most likely conditions that will be prevalent at various predefined times in the future. Trees for example have a habit of growing.</p>
<p>So where a clear line of sight exists today the possibility that this will not be so in the future must be evaluated. In the case of trees one solution might entail lopping every other year in order to preserve said clear line of sight. No matter the terms or conditions, the establishment and implementation of a documented schedule or regime that addresses these types of issues needs to be set forth.</p>
<h3>Conclusions</h3>
<p>Wind, vibration, the environment in general and other factors including human interference of one form or another will all conspire to throw the most carefully designed and implemented wireless network out of alignment. Persistent cognizant vigilance must be your motto and creed.</p>]]></description>
<pubDate>Thu, 28 Aug 2008 08:31:08 PST</pubDate></item>
<item>
<title>Let's Learn C: Printing Strings on to the Screen</title>
<link>http://www.computersight.com/Programming/Lets-Learn-C--Printing-Strings-on-to-the-Screen.225265</link>
<description>
<![CDATA[<p>Here is the first article of my tutorial set. I aim to teach you the basics of C. In this first lesson, I am going to teach you how to output a series of strings on to the terminal screen of a C program.</p>
<p>Virtually every program has inputs and outputs. Programs generally request an input from the user and then output it to the screen; after compiling, this works if the program is well designed and there is no error inside it. Usually, as the program becomes more complicated, the possibility of error increases. A good software expert easily realizes where the code has faults and corrects them. Since our first code will be very small and very simple, we will not face any errors.</p>
<p>Before starting to write code, we first need a compiler which is going to evaluate our code. I use Dev C for this. There are many other compilers which run on different platforms like Unix, Linux and Windows.</p>
<p>In this project, we will output the names of the subprograms of Triond on to the C terminal screen. This is the simplest algorithm since there is no input in this example. Let's start writing our code step by step.</p>
<p>Step 1: Open the File menu from the menu bar of the C software and save the blank page as Project1. This yields a file with the extension cpp.</p>
<p>Step 2: Describe the name and aim of the program. To do so, we use comments. Comments are ignored by the compiler. For commenting, we use special character sequences: a double slash or a slash-asterisk.</p>
<p>If we use a single-line comment, a double slash is enough. However, if our comment spans more than one line, we either use a double slash for each line or enclose the commented part between slash-asterisk and asterisk-slash characters.</p>
<p>Step 3: C needs library files which define what the input and output functions are and what they do when they are used in code. Iostream is the library file for the input and output functions.</p>
<p>Before the name of a library file, we use a special character, the preprocessor directive character. Include is used before the name of every library file, and such file names are placed between the mathematical comparison characters (angle brackets).</p>
<p>Step 4: Every C program uses functions. The default function is main. Main is the first function the compiled program runs. This function usually calls other functions. Before the name of the function, we specify which type of value our code returns. In our program it returns an integer, so we use int. After the function name, we use parentheses. In this example, there will be nothing between the parentheses, but in more complicated programs there may be parameter names and their types or definitions. We place our statements between a left brace and a right brace.</p>
<p>Step 5: To print on to the screen, we use the cout function. We simply place our string inside double quote characters. Every statement inside a function ends with a special character, the semicolon.</p>
<p>Step 6: To check the validity, we use the return statement. In this simple example, it returns 0.</p>
<p><a href="http://clesson1.blogspot.com/" target="_blank">Click here for the code</a></p>]]></description>
<pubDate>Sun, 24 Aug 2008 10:02:41 PST</pubDate></item>
<item>
<title>Internet Structure and Topology</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Internet-Structure-and-Topology.218395</link>
<description>
<![CDATA[<h3>Neutrality Under Fire</h3>
<p>As will soon become apparent, it is the way in which the Internet has evolved, and hence its current structure, that allows for the possibility of certain ISPs and larger telcos jointly exercising what would amount to an elitist, monopolistic style of control over the Internet, encompassing all elements and aspects of its accessibility, delivery, reach and functionality.</p>
<p>It is those issues surrounding current and future Internet accessibility that are of particular relevance considering the content, scope and provisions of various tabled and pending legislations in the USA and other countries. Make no mistake about it. What is at stake here is the very thing that has made the Internet what it is today; its neutrality.</p>
<p>Therefore, throughout the course of this investigation we will be keeping an eye to the future while paying specific attention to how it is possible for ISPs, if permitted, to control the Internet and all elements and aspects of its accessibility.</p>
<p><img src="http://images.stanzapub.com/readers/2008/08/20/282393_0.jpg" alt="" /></p>
<h3>A Distributed Wide Area Network (WAN) Model</h3>
<p>In essence, the Internet (internetwork) is based around a distributed Wide Area Networking (WAN) model (see Fig.1 above) comprised of untold numbers of different networks of varying architectures, topologies, technologies, sizes and complexity being linked together to form one giant internetwork spanning the entire globe and even beyond into space. Yes, they do have Internet access onboard the International Space Station (ISS).</p>
<p>As depicted in Figure 1, consumers, enterprises and organizations of all types and sizes wishing to access remote resources or to connect with another network via the Internet must first establish and maintain a connection with their Internet Service Provider (ISP). This ISP in turn accesses the Internet backbone either directly at an Internet Exchange Point (IX or IXP) or by connecting with another (usually larger) ISP from whom they purchase IP transit or with whom they peer. See <a href="http://www.computersight.com/Communication-%26-Networks/IP-Transit.195491" target="_blank"><u>IP Transit</u></a> for more details.</p>
<p>The key factor that defines a distributed WAN is that servers and clients will be spread throughout the entirety of the network more or less randomly. In fact, up until recently the majority of Internet access and services were such that end-points would be continually and sporadically connecting and disconnecting without prior notice to their ISP.</p>
<p>From an ISP's perspective, this behavior placed scalability issues among the hardest facets of service provision and quality of service delivery to address.</p>
<p>It was also common for ISPs to terminate endpoint connections that they (the ISP) “deemed” to be idle. Unfortunately, the end user and their ISP often have very different and conflicting ideas and definitions of what constitutes idle and therefore qualifying for connection termination. This has always been the most frustrating characteristic of traditional dial-up Internet access.</p>
<h3>The Rise of Point-to-Point Links</h3>
<p>When dissecting and analyzing the structure and topology of the Internet it is important to never lose sight of its fundamentally distributed conglomerate nature. One direct consequence of this is that routers play an essential role in connecting together the various networks and subnets which comprise the Internet.</p>
<p>In general, whenever these different networks are not geographically adjacent, dedicated, always-on point-to-point links have until recently been the traditional modus operandi (see Figure 2 below).</p>
<p><img src="http://images.stanzapub.com/readers/2008/08/20/282393_1.jpg" alt="" /></p>
<p>Historically, this type of point-to-point full-time telecommunications interconnect is known as a leased-line and in its simplest form consists of a dedicated telephone line with modems and routers or modem/routers at each end. Standard practice in implementing this design is to assign the dedicated link a subnet unto itself with only two IP addresses; one for each end.</p>
<p>This type of arrangement was fine from an enterprise perspective as it permitted various geographically dispersed branches of an organization to be permanently connected while preserving IP addresses.</p>
<p>The biggest drawback however, is the fact that point-to-point connectivity deployed as a full mesh topology (see Figure 2 above) rapidly becomes an over-complicated administrative and economic nightmare. As the number of separated sites requiring interconnection increases, so too does the number of relatively expensive dedicated leased-lines and associated point-to-point connectivity terminal devices (modems, routers, cabling etc.) and infrastructure (distribution and access devices and wiring).</p>
<p>Another problem with traditional point-to-point connectivity is that each individual link consumed two “live” IP addresses. Incorporation of multiple redundant links as in a mesh topology (Figure 2) improved the overall internetwork's reliable availability but consumed ever larger numbers of “live” IP addresses which were fast becoming very hard to come by. This depletion of the available “live” IP address pool is one of the main reasons that we are currently transitioning to IPv6.</p>
<p>The practical establishment of an organization-wide mesh topology network is therefore economically and administratively unrealistic. The result was that in practice, organizations would establish up to three point-to-point links per site thereby providing redundancy of connectivity. Should any one link be disrupted the site could still communicate via the other links; albeit in a circuitous manner. The message still got through.</p>
<h3>A Cooperative Model</h3>
<p>Moving beyond a single enterprise desiring full-time interconnectivity the picture immediately increases in complexity. Now either every organization has its own routers connecting to the shared internetwork or some organizations could cooperatively share internetwork connected routers as their “gateway” to the internetwork. For a fee of course (see Figure 3 below).</p>
<p><img src="http://images.stanzapub.com/readers/2008/08/20/282393_2.jpg" alt="" /></p>
<p>The technical term for cooperative tariff-free network access and IP transit arrangements between different organizations (or even individuals) is peering.</p>
<p>Due to its numerous different forms, details, characteristics and manifestations peering warrants an article unto itself. Similarly, the Internet Service Provider (ISP) Tier system merits further investigation. However, due to the tight relationships between the two (ISP tiers and ISP peering) I will collectively cover them both in another article entitled Internet Service Providers (ISPs) Tiers and Peering.</p>
<p>Jumping forward in time for a moment, we find that for the Internet of today a modified cooperative model has won. Special organizations known as Internet Service Providers (ISPs) have their own Internet internetwork connected routers and the rest of us enter into an agreement with the ISP to gain usage rights for Internet access via their (our ISP's) Internet internetwork connected routers (see Figure 3 above).</p>
<h3>Internet Backbone Topology</h3>
<p>Right from the outset, the Internet in the USA has always used a backbone topology, with the original backbone network infrastructure being provided by the National Science Foundation Network (NSFNET). This structure was eventually privatised in 1995 when a variety of commercial organizations, known as Network Service Providers (NSPs) collectively took over the backbone functionality.</p>
<p>Note that in most parts of the world today (including Australia and the USA) these original Internet backbone provisioning and support NSPs are now referred to as <strong>Tier 1 Internet Service Providers (ISPs).</strong> As I will discuss shortly, very similar structures, circumstances, peering arrangements and relationships between the Tier 1 ISPs exist in practically every Internet connected country, at least at their local national level.</p>
<p><img src="http://images.stanzapub.com/readers/2008/08/20/282393_3.jpg" alt="" /></p>
<h3>Internet Exchange Points (IX or IXP)</h3>
<p>One particularly important and pervasive characteristic of the Internet that also occurs at the local, national and the global levels is that geographically speaking Tier 1 ISPs interconnect with the Internet backbone and each other at various clearly defined and readily distinguishable physical locations throughout the Internet backbone (see Figure 4).</p>
<p>Originally, these Internet backbone access and ISP interconnectivity points were known as Network Access Points (NAPs). However, the term Network Access Point (NAP) is no longer used in this context. Rather, the name commonly given to the physical locations at which Tier 1 ISP Internet backbone interconnections occur today is Internet Exchange Points (IX or IXP) (see Figure 4).</p>
<p>Note that although the term Network Access Point (NAP) is still in common use today it now refers not to the Internet backbone access points but to those points at which users access their local network. This may be a home or corporate LAN, MAN, WAN or even a public wireless hot-spot. In fact any point at which individuals access a network is considered to be a network access point.</p>
<p>As one would expect, either certain cooperative arrangements (peering) or very complex financial schemes exist between the various Tier 1 ISPs. I will be discussing these arrangements and Tier 2 and Tier 3 ISPs in another article so I won't delve into this aspect any further at this point. Suffice to say that on the global stage the Internet is built around the same type of backbone structure with discrete Tier 1 ISP access via Internet Exchange Points (IX or IXP).</p>
<h3>ISP Point of Presence (POP)</h3>
<p>An ISP has a Point of Presence (POP) at a physical location if its customers can connect to it at that location. This holds true regardless of which tier that ISP may be classified as belonging to or which level of the Internet structure or local hierarchy we are discussing.</p>
<h3>Local Conditions and Network Evolution</h3>
<p>As an example of the changes and local conditions that may prevail in different geographical locations from time to time I will use the Australian case as this is somewhat easier to grasp and illustrate being a one-country continent even though the distinctions between Tier 1, Tier 2 and Tier 3 ISPs are somewhat blurry.</p>
<p>Back in 1990 the Australian Academic and Research Network (AARNet) was established to connect all Australian universities and a number of research institutions. The first AARNet implementation involved a state-level router in each Australian State capital city. These routers were connected to the main AARNet hub router in Melbourne by way of expensive leased-line services. An additional leased-line was used to link the Melbourne-based hub router to the USA.</p>
<p>AARNet retained ownership of all of the routers and the provision of basic carriage services was the only involvement of Telstra, the telecommunications provider at the time. Thus, Internet access between Australian universities more or less followed the cooperative model as already discussed above.</p>
<p>This expensive to maintain and run architecture has now been replaced by a far more economical one where an ISP (C &amp; W Optus in this case) interconnects all state regional networks to each other as well as to the publicly accessible Australian and international Internet.</p>
<p>In this example we see a relatively expensive private hybrid tree/star topology network based upon point-to-point connections being replaced by a far more economical, publicly accessible, commercial backbone-based topology internetwork.</p>
<h3>Endpoint Connectivity and Presence</h3>
<p>While the Internet backbone is a highly structured, ordered and persistently stable component of the global internetwork, the terminal networks, user nodes and other endpoints connecting to it are free to come and go as intermittently as they please. It is merely a matter of convenience or of a fiscally driven e-commerce desirability that sees most broadband Internet connections being “always on”.</p>
<h3>Beyond Terra Firma and into the Future</h3>
<p>As already noted Internet access is available onboard the International Space Station (ISS). What is not so well known is the degree to which traditionally Earth-bound communications and networking technologies and devices such as routers and switches are leaving the confines of terra firma and making the transition to space; thereby becoming truly <strong>universal</strong> infrastructure devices.</p>
<p>To illustrate just how much these unified communications and networking technologies are extending their reach far beyond terra firma, the Japanese have recently launched an ATM switch onboard a communications satellite.</p>
<p>The idea is to perform the switching functions in situ (in space) rather than beaming signals from earth-bound handsets up to the satellite, down to a ground-based exchange for switching, then back up to the satellite for final relay back down to the intended earth-bound recipient. Compare this to the efficiency of a caller beaming the signal directly to the satellite, where onboard switching takes place and the signal is then transmitted directly to the intended recipient.</p>
<p>With the continuing evolution of converged unified communications and networking technologies and functionalities such as Voice over Internet Protocol (VoIP) this trend will not only continue into the foreseeable future but accelerate exponentially.</p>
<p>Further Reading, Additional Links and Resources:</p>
<ul>
<li><a href="http://www.computersight.com/Communication-%26-Networks/Wide-Area-Networks-WAN.193643" target="_blank"><u>Wide Area Networks (WAN)</u></a></li>
<li><a href="http://www.computersight.com/Communication-%26-Networks/Asynchronous-Transfer-Mode-ATM.122411" target="_blank"><u>Asynchronous Transfer Mode (ATM)</u></a></li>
<li><a href="http://www.computersight.com/Communication-%26-Networks/IP-Transit.195491" target="_blank"><u>IP Transit</u></a></li>
</ul>]]></description>
<pubDate>Wed, 20 Aug 2008 08:27:24 PST</pubDate></item>
<item>
<title>Connect Your Access Database to Crystal Reports XI</title>
<link>http://www.computersight.com/Programming/Connect-Your-Access-Database-to-Crystal-Reports-XI.209117</link>
<description>
<![CDATA[<p>Crystal Reports XI is a great reporting tool for any database, but for home and recreational users, chances are you will be connecting to Access. This is a good start and is probably more than adequate for your needs. However, before you just jump right in, let me give you a few steps to get you connected.</p>
<p>It really isn't that hard to do, so if you follow along with the steps I am about to give you, you should be connected in less than a minute.</p>
<p>The first thing you need to do is launch Crystal Reports XI. Once you have the opening page on the screen, click the link that reads &ldquo;blank database&rdquo;. For my example we are going to start fresh and new.</p>
<p>After clicking &ldquo;blank database&rdquo;, Crystal Reports XI will open and immediately prompt you to connect to a database. I will assume you have never connected to any database before, so we need to make a new connection. To do this, double click the folder &ldquo;Create New Connection&rdquo;.</p>
<p>You should now see a complete list of the different connection types. This is where we select which kind of database to connect to. We are using Access in our example, so double click the &ldquo;Access/Excel (DAO)&rdquo; folder.</p>
<p>A window will appear asking you exactly which database you want to connect to. In my example I am going to use the Northwind database, which is the sample database that comes with Access. You can choose whichever database you like; the process is the same.</p>
<p>Locate the database you want to connect to, then click the Finish button. If you selected a database that requires a username and/or password to gain access, tick the secure log on checkbox and enter that information in the appropriate fields before clicking the Finish button.</p>
<p>That is it. Your new blank report is now connected to the database you have chosen. From this point on you can add tables to your report, as well as views and of course stored procedures. However, I will save those steps for a future article. Today I just wanted to concentrate on getting you connected.</p>]]></description>
<pubDate>Wed, 13 Aug 2008 10:32:14 PST</pubDate></item>
<item>
<title>Network Design: Hierarchies</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Network-Design-Hierarchies.178283</link>
<description>
<![CDATA[<p>All successful large scale organizing structures and activities start with a plan. This becomes ever more critical when we are dealing with complex entities such as &ldquo;networks&rdquo;, which are intended to be free to grow (scale), to evolve (develop new capabilities and services) and to require the least amount of administrative maintenance. Here's how it's done.</p>
<h3>Hierarchies</h3>
<p>For the most part the large scale plans that we humans find easiest to comprehend, and thus implement, tend to be based and structured around a hierarchical model. So, rather than using a &ldquo;flat network&rdquo; model upon which to base our design, we will use the far more plastic hierarchical model, as it allows us a far greater degree of granular control and subdivision of the roles and functionalities of its constituent components.</p>
<p>We are now going to take a quick look at the key principles of the three-tiered hierarchical network design model, which allows the networks we design to scale as and when required whilst still providing the means by which we can retain control over their functionality, performance, accessibility, maintenance and evolution with as little effort as possible.</p>
<p>As the name indicates, the three-tier network model is a dramatic departure from the flat network philosophy of the past. Fundamentally, this is a layered approach in which all devices are classified into three layers: the core layer, the distribution layer and the access layer. More than 90% of all network elements, including infrastructure components like transmission media, will fall neatly into one or other of these three categories.</p>
<p>I say more than 90% because there will be special components that straddle layer functionalities or perform multiple roles. The modern ADSL broadband modem router with a built-in multi-port Ethernet switch is a common example of this type of device. So do not be fooled into thinking that a three-tiered model ordains that there must be separate devices for each layer.</p>
<p>The number of devices (routers, switches etc.) will in large part be dictated by the situation-specific requirements and resources of each internetwork being designed. What might be considered appropriate for one internetwork design solution may be totally unreasonable for another.</p>
<p>Always remember that it is the internetwork designer's capacity to incorporate appropriate levels of plasticity and redundancy into their design solutions that is the art in forging an internetwork design that will work and perform in accordance with the desires and capabilities of those commissioning the internetwork. Budgetary concerns will, as is nearly always the case, be one of the biggest driving forces at work here.</p>
<h3>The Core Layer</h3>
<p>At the top of the hierarchy, the core layer is literally the core of the network. A network's core layer's purpose &amp; responsibility is squarely focused upon transporting large amounts of traffic both reliably and quickly.</p>
<p>This means that the core should switch traffic as fast and reliably as possible because any failures at the core level will most likely affect every single user of the network. User data should be processed by the distribution layer which will forward it to the core layer if appropriate. When designing a network the high priority objectives that should be built into the core layer include:</p>
<p>High speed, highly reliable, fault-tolerant components with the lowest possible latency, connected in such a manner as to eliminate bottlenecks, are all highly desirable attributes of a network's core layer. Therefore, the routing protocols implemented at the network's core layer must be those with the lowest convergence times, as any delays will be amplified downstream throughout the network and hence felt by all.</p>
<p>The core layer's data-link technologies must exhibit high speed with built-in redundancy: FDDI, Gigabit Ethernet or 10G Ethernet incorporating redundant links, and even SONET or ATM, both of which also include multiple redundant links.</p>
<p>Ideally there should be no access lists, access list processing or packet filtering performed by the core layer. This means that there will be no workgroup access or workgroup access support provided by the core. Nor will any inter-VLAN routing take place here.</p>
<p>One final point of advice: as the internetwork grows, upgrade the core to increase its performance rather than expanding it (adding routers etc.).</p>
<h3>The Distribution Layer</h3>
<p>The distribution layer (also referred to as the workgroup layer) is the communication point between the core layer and the access layer. The distribution layer should not duplicate the roles or functionalities provided by any of the other layers. Your design solutions should therefore reflect this by ensuring that the distribution layer is characterized by the deliberate exclusion of all factors, services and functions that are, or should be, the province of another layer.</p>
<p>Furthermore, another design concept that needs to be at the forefront of one's thought processes when designing a network is that the primary functions of the distribution layer will encompass many intermediary or &ldquo;middle-man&rdquo; network aspects, functionalities and services. These functions must be transparent to the user.</p>
<p>Network functionalities implemented at the distribution layer will include many of the network's core infrastructure-based decision making processes including routing, routing protocol redistribution, static routing, inter-VLAN routing, best path determination and address translation. Ideally, the definition of broadcast and multicast domains, packet filtering, queuing and the implementation of access lists should all occur at the distribution layer.</p>
<p>Network policy implementation and network security implementation occur at the distribution layer and include both hardware and software devices and solutions. Since WAN access provision is generally implemented at the distribution layer, firewalls (Cisco PIX, Microsoft ISA Server, ZoneAlarm etc.), intrusion detection systems and intrusion prevention systems and appliances are incorporated into the network at the distribution layer.</p>
<p>Other critical decision-making functions of the network that get implemented at the distribution layer involve core layer access determination (how &amp; when packets can access the core) and core layer access restriction (limiting access to the core layer to an only-if-absolutely-necessary basis).</p>
<p>The determination of the manner and mechanisms for handling network service requests is conducted by distribution layer devices; for example, determining the fastest way for requests to be forwarded to servers and other peripheral services (e.g. Internet access).</p>
<p>Workgroup support functions, the implementation of additional tools and the provisioning of network operation flexibility are some more tasks generally assigned to the distribution layer.</p>
<h3>The Access Layer</h3>
<p>This brings us to the access layer, which is also referred to as the &ldquo;desktop&rdquo; layer. The main functions of the access layer revolve around access control and the regulation of user and workgroup access to the network's or internetwork's assets, resources and services.</p>
<p>The pervading philosophy of &ldquo;shortest distance&rdquo; should prevail when designing an internetwork's access layer. This means that those resources that the majority of a group of users or workgroups access regularly should be available locally. Here is where the 80/20 rule comes into play.</p>
<p>The 80/20 rule states that 80% of all network traffic should remain within the boundaries of the local segment. Even better is to subnet a Local Area Network (LAN) and so contain the &ldquo;local&rdquo; traffic to a single broadcast domain, so that only 20% of all network traffic is transported via the core layer throughout the entire internetwork. This does translate into &ldquo;real world&rdquo; performance gains for all concerned.</p>
<p>With the distribution layer taking care of any requests for remote resources &amp; services, the access layer's functions, resources and services should focus primarily upon such criteria as workgroup connectivity to the distribution layer and the elimination of potential avenues of direct, unabated user or workgroup access to the core layer.</p>
<p>Access layer traffic containment and resource access strategies often include additional network segmentation through the creation of separate collision domains (e.g. by using transparent bridging workgroup-class switches or LAN switches) and more specific access controls &amp; policies to further augment those implemented by the distribution layer.</p>
<p>Static routing rather than dynamic routing protocols should be used at the access layer. DDR (dial-on-demand routing) and Ethernet switching are other technologies commonly used at the access layer. Local resources at the access level will include local printers, workstations, caching servers and workgroup switches that use transparent bridging.</p>
<p>Temporary and mobile devices (laptops, notebooks, PDAs, smart phones etc.) must not be permitted any direct access to the core or distribution layers. Rather they should connect via the access layer in a highly secure manner.</p>
<p>This is most often implemented via demilitarized zones (DMZs), as one can never be sure what nasties the device may have picked up on its wanderings. Generally the device will be scanned immediately upon connection and cannot be used for network access until it passes its sanitization requirements. Better safe than sorry.</p>
<p>DMZs are also widely employed to allow Internet traffic to reach a web site while reducing the web site's, and its owner's, potential exposure to malware. Email, bulletin boards and interactive Web 2.0 sites are other situations where DMZs are commonly used to erect a &ldquo;barrier&rdquo; between the public and private domains while allowing users (including the anonymous variety) to enjoy their full site experience without unduly exposing the site to every piece of malware or bad intent out there.</p>]]></description>
<pubDate>Tue, 22 Jul 2008 07:39:36 PST</pubDate></item>
<item>
<title>Mission Critical Components</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Mission-Critical-Components.123261</link>
<description>
<![CDATA[<p>When it comes to the physical security of core mission critical components, location and placement really do matter. No other single factor weighs as heavily or pays as handsomely as wisely choosing the location and placement of your key mission critical components.</p>
 
<p>This includes the selection of a secure location and placement of all mission critical hardware, software and services along with the core communications and network infrastructure that provide them with support.</p>
 
<h3>Physical Connectivity, Availability and Accessibility</h3>
 
<p>Physical security encompasses physical connectivity, availability and accessibility. It is no good having the most physically secure mission critical components if they are inaccessible. The access types and capabilities will vary in accordance with the purpose of the access and the entity requesting that access.</p>
 
<p>Limiting user access in a Microsoft Windows Server 2003 environment involves domain controllers, the local machine, security descriptors, NTFS file and folder permissions and Group Policy, to name but a few.</p>
 
<p>The feature that I use most is to &ldquo;hide&rdquo; the resource from users. They will not try to access that which they cannot see.</p>
 
<p>With all this said, the main thing we need to do now is define exactly what your mission critical components, devices, infrastructure and services are. We also need to examine possible scenarios and solutions that others have proven to work. There is no need to reinvent the wheel if you do not have to.</p>
 
<h3>Mission Critical Components and Devices</h3>
 
<p>Mission critical devices are those core mission critical components and services without which your organisation would not survive. Servers and communications and networking devices and infrastructure, including cabling all fall into the mission critical category.</p>
 
<p>Whenever it comes to mission critical devices, infrastructure and services, if in doubt always take the most draconian, restrictive measures. Then apply these measures rigidly to your mission critical devices, infrastructure and services.</p>
 
<p>If necessary, you can always loosen security to better cater for special requirements and access rights and privileges. It is no good shutting the gate after the horse has bolted. So always, err on the side of higher security (the safe side).</p>
 
<h3>Leveling The Playing Field</h3>
 
<p>One of the more common reasons for adopting this strategy is that all devices and services for all users will start from a common set of conditions on a level playing field. Now you have a set of baseline metrics and quantified assets, attributes and services.</p>
 
<p>You can refer to your baseline values in the future. On top of this, these baseline values are useful when making head-to-head comparisons between different devices at different points in time. A reliable set of known &ldquo;good&rdquo; configuration parameters makes for a very handy troubleshooting strategy and tool.</p>
 
<p><strong>Lock and Key</strong> - Ensure that all those devices classifiable as &ldquo;mission critical&rdquo; are permanently under lock and key at all times.</p>
 
<p><strong>Accessibility</strong> - Enforce strict physical access rights, permissions and policies.</p>
 
<p><strong>Assimilation and Unification</strong> - Consider incorporating your physical security initiatives into your overall security plans.</p>
 
<h3>Identifying Mission Critical Devices and Services</h3>
 
<p>I will explain in another article how to determine precisely which components are your mission critical components. They will vary from one network or implementation to the next. For now just think of what would affect your job and your users most and make a list of them.</p>
 
<p>Now think of what outages would affect your boss the most and make another list. Do not forget to include those factors that would affect your boss's secretary as what affects the boss's secretary also affects the boss.</p>
 
<p>Crosscheck both lists and then compile a new list containing both sets of elements. Now begin prioritizing the items on your lists. Start with the things that would affect your boss, the boss's secretary and users alike.</p>
 
<p>You will be surprised as to how many factors will be common to both groups of people. Then list the remaining items from your boss list. Finally, add in the user factors.</p>
 
<p>Have a break and let the list rest for at least 30 minutes. Now review the list. This time make a note next to each item of the services that are required to deliver it.</p>
 
<p>Some of these services will be dependent upon more than one other service/machine. Other services will be common to quite a few of the items identified on your list.</p>
 
<p>Now make another list containing the prioritized services identified in the previous step. Identify which components are required to deliver these services.</p>
 
<p>Write them down alongside each of the services in the &ldquo;must have&rdquo; mission critical (job keeping) services list that you created in the last step.</p>
 
<p>Review and test the items on your list. Change priorities as and when required. You have now identified those elements that you deem to be &amp;ldquo;mission critical&amp;rdquo;. Once identified it is now time to test and rate those items on the list.</p>
 
<p>Implement changes that you deem appropriate for your current situation. These will include those changes that represent the greatest overall reduction in your vulnerability to the risks and threats already identified.</p>
 
<p>Review and test the changes that you just made. Continue watching and monitoring the changes and impacts resulting from your changes.</p>
 
<h3>High Impact Threats and Vulnerabilities</h3>
 
<p>Place all mission critical components into a secure, controlled environment. Securely lock and monitor this facility at all times. Personnel do not generally need physical access to your servers on an hourly basis.</p>
 
<p>Administrative functions performed on an organisation's servers take place via &ldquo;middle&rdquo; machines such as the administrator's workstation. Until next time, enjoy!</p>]]></description>
<pubDate>Mon, 12 May 2008 08:48:00 PST</pubDate></item>
<item>
<title>Core Components</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Core-Components.123082</link>
<description>
<![CDATA[<p>When it comes to the physical security of core components, location and placement really do matter. No other single factor weighs as heavily or pays as handsomely as wisely choosing the locations and placements of your key core components and infrastructure.</p>
 
<p>Remember always, that physical security encompasses both physical connectivity and availability. It is no good having the most physically secure core components if they are inaccessible. The access types and capabilities will vary in accordance with the purpose of the access and the entity requesting that access.</p>
 
<p>The major desirable attributes of core components are maximized uptime, reliability, availability, stability, confidentiality and authorized accessibility, with the appropriate privileges of course. Downtime, particularly of the unplanned variety, has no place here.</p>
 
<p>Achieving these objectives is no mean feat but we are now going to take our first steps in this area. Eliminating all public access to the core components of our communications and networking structure is a good place to start. Let us start by reviewing the first seven rules of location and placement.</p>
 
<h3>The Rules of Location and Placement</h3>
 
<p>Here again are the first seven rules of location and placement.</p>
<ol>
<li>Restrict Access
<p>The first rule of location and placement tells us, whenever and wherever possible, to locate core components, devices and infrastructure where the public cannot gain free access to them. Be aware that you also need to secure your core devices and infrastructure against subversion from within.</p>
</li>
<li>Camouflage and Concealment
<p>The second rule of location and placement states that if infrastructure and core components must pass through a publicly accessible location, then camouflage and conceal them to keep them out of sight. Use camouflage to your advantage. For more see <a href="http://www.computersight.com/Communication-%26-Networks/Security/Location-and-Placement.122752" target="_blank">Location and Placement</a>.</p>
</li>
<li>Lock Up and Lock Down
<p>Complement the secure location and placement of core components with the appropriate lock up and lock down measures.</p>
<p>Incorporating locking devices of all types into your physical security strategies is imperative. These measures should complement one another and any additional lock down technologies and procedures that you implement.</p>
<p>Monitoring and alarm systems have a big role to play in heightening the security of core components.</p>
</li>
<li>Eighty/Twenty
<p>Location and placement rule four (the 80/20 rule): 80% of the entire network's traffic should remain local while only 20% leaves the local network. What counts as local traffic and the local network is relative to the subnet(s), internal network(s), external network(s) and internetworks in question.</p>
<p>Only 20% of the total network traffic should travel over internal core links or to the exterior (e.g. the Internet or another branch). Local traffic is traffic between devices located on the same network segment (subnet).</p>
<p>Provision for organization-wide structures and subdivisions such as branches, facilities, buildings, departments, work groups, functionalities, services, logical associations, processes, traffic types, priorities etc. needs to be included.</p>
</li>
<li>Proximity
<p>Location and placement rule five is the proximity rule, which tells us that wherever possible all devices, including core components, that have a physical and logical relationship (linked or associated in some way, e.g. subnets or work group membership) should be located as physically near to each other as possible.</p>
<p>This means that you would place all devices servicing B Block together. The distribution layer routers, switches and servers for B Block would be located in the same rack.</p>
</li>
<li>Reflection
<p>The sixth rule of location and placement states that physical location, placement and naming should reflect both physical and logical associations as well as any other relevant relationships and dependencies. This holds true for communications and network core components.</p>
</li>
<li>Redundancy
<p>Location and placement rule seven is the redundancy rule. Whenever possible, ensure that you have incorporated adequate and appropriate redundancy features into your network design. The production environment implementation should reflect this. Having redundant core components adds reliability and robustness to communications and networking environments.</p>
</li>
</ol>
<h3>The Location and Placement of Core Components</h3>
 
<p>Once again that old saying about &ldquo;location, location, it's all about the location&rdquo; comes to mind, as does &ldquo;Out of sight, out of mind&rdquo;.</p>
 
<h4>Unrestricted Public Access</h4>
 
<p>Unlike devices placed in areas permitting free and unrestricted public access because you have no other practical or feasible alternative, core components and infrastructure demand strict adherence to the first three rules of location and placement.</p>
 
<p>This brings forth the question: &ldquo;What about rule two? How and where do camouflage and concealment come into the picture?&rdquo;</p>
 
<h4>Concealment</h4>
 
<p>Concealment is achieved simply by locating your core components in a location that has highly restrictive accessibility. One easy way of doing this is by ensuring that there are no fewer than five controlled access points en route from the most proximal publicly accessible area to the core component facility.</p>
 
<h4>Controlled Access Routes</h4>
 
<p>Controlled access routes also help to regulate staff access to the facility housing your core components. Members of staff with no immediate and legitimate purpose for needing access to the core components facility will find that, just like the public, they too cannot gain access unheralded.</p>
 
<h4>No Justification</h4>
 
<p>There is most definitely no justifiable reason that members of the public should or might need access to the core components facility. In fact, this applies to all persons other than the communications and networking teams.</p>
 
<p>Any necessary transient visits (technicians etc.) can be managed by authorizing and regulating such events as and when required. Once concluded, all access authorizations and permissions are withdrawn.</p>
 
<h4>Camouflage</h4>
 
<p>Camouflage is achievable by not having a whole pile of signs saying things like &ldquo;Core infrastructure this way.&rdquo; In other words, do not advertise your core center's location. Those who need to go there will know where it is. Do not place your core center where outsiders can look in.</p>
 
<h4>Public Free Zone</h4>
 
<p>Selection of a &ldquo;public free zone&rdquo; for the location of your key communications and network core components and infrastructure will go a long way towards achieving as high a level of physical security as possible.</p>
 
<p>There is absolutely no reason why any anonymous member of the public should ever need to access your communications and network core components. Permitting the public the freedom to access your core components at will is just crying out for a catastrophe to strike you down.</p>
 
<h4>Security in Depth</h4>
 
<p>Implementation of multiple additional layers of physical security along the access route to the secure location in which you have placed your core components is essential. This strategy goes by the name of security in depth.</p>
 
<p>Although we are focusing on and dealing with the physical elements of this strategy here, it would still be remiss of me not to mention that additional procedural and logical security measures also need implementing.</p>
 
<h4>Subversion From Within</h4>
 
<p>You should also take into consideration the sad reality of subversion from within. Whether the intentions are malicious or not, some people just cannot help themselves from putting a spanner in the works.</p>
 
<h4>Lock Up and Lock Down</h4>
 
<p>No prizes for guessing that the &ldquo;lock up and lock down&rdquo; rule of location and placement involves locks and keys as well as biometrics and other security-oriented aspects such as authentication and identification procedures and processes.</p>
 
<p>I will not go into the exact manner of implementing these initiatives here and now, but stay tuned because I will elaborate further in another article.</p>
 
<h3>Physically Secure Locations</h3>
 
<p>Place as many, if not all, network core components into as secure an environment as you possibly can. This should include such core components as servers, routers, switches, administrative access workstations and major communications links and equipment. However, this does not mean that they will all be in the same room.</p>
 
<h4>Physical Security Perspective</h4>
 
<p>From a physical security perspective, a secure environment means a whole lot more than just locks and keys, video cameras and security guards. It also includes the actual physical &ldquo;health&rdquo; and functional availability of the devices concerned.</p>
 
<h4>Core Component Facility Environment</h4>
 
<p>Environmental control systems such as air-conditioning are an essential part of every communications and networking core components facility. Their management and delivery is also a matter for physical security and not just the maintenance staff.</p>
 
<h4>Utilities</h4>
 
<p>Utilities such as electricity and communications links (telephone lines, leased lines, cable etc.) are other key mission critical service components that need addressing from a physical security perspective.</p>
 
<p>Next time we will look into Mission Critical Components. Until then enjoy!</p>]]></description>
<pubDate>Mon, 12 May 2008 00:29:22 PST</pubDate></item>
<item>
<title>Location and Placement</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Location-and-Placement.122752</link>
<description>
<![CDATA[<p>When it comes to physical location and placement that old saying “location, location, it's all about the location” is perhaps more poignant now than ever before, particularly when it comes to physical security. “Out of sight, out of mind” is another adage that bears particular weight in regards to physical security.</p>
 
<p>How the physical location and placement of your assets relates to their physical security and well-being is where we will take up the story now.</p>
 
<h3>Physical Location and Placement</h3>
 
<p>The first factor that we need to consider is the element known as the “general public”. It is here that we need to review the first two rules of location and placement.</p>
<ol>
<li>The first rule of location and placement tells us to locate devices and infrastructure, whenever and wherever possible, where the public cannot gain free access to them.</li>
<li>The second rule of location and placement states that if infrastructure and core components must pass through a publicly accessible location, then keep them out of sight.</li>
</ol>
<h3>Wireless Access Points (WAP) Location and Placement</h3>
 
<p>The location and placement of Wireless Access Points (WAP) is a case where this rule needs heeding. Many a good WAP has mysteriously gone walk-about and never been seen again.</p>
 
<p>If you have no other choice but to place a WAP in a publicly accessible location, there are a number of tricks that you can employ to help ensure that the WAP stays put. If the WAP is not readily visible then it is likely that the temptation to “borrow” it will not present itself to the majority of the public.</p>
 
<h3>Physical Security, Location and Placement</h3>
 
<p>One way of increasing the physical security of devices in insecure locations is through careful and cunning placement. Ways of doing this include the placement of the WAP inside a camouflaged container that is porous to radio frequency signals in the Wireless Access Point's (WAP) frequency range.</p>
 
<p>I have seen numerous “pot plant containers” used in this way. False speaker fronts also work very well. I have also seen numerous instances of fake security cameras used to camouflage the location and precise placement of wireless access points. Bit of a double-edged sword that one: a false camera to make the public think they are being videotaped and a hiding place for the WAP.</p>
 
<p>The majority of materials used in the construction of suspended ceilings are also porous to the frequency ranges used by the average WAP. Place the WAP with a directional or bidirectional antenna in the ceiling, as the radio signals will pass through the ceiling materials unhindered. This definitely counts as a more secure location.</p>
 
<p>Using a WAP with a directional antenna ensures that only those signals transmitted and received from below are within the range of your WAP. This doubles as a good energy saving tactic that also reduces signal leakage and so helps reduce your wireless network's exposure and liability to “freeloaders” and hackers alike.</p>
 
<p>An additional benefit of locating a WAP in the ceiling is that, if it is placed in the center of the ceiling, any room whose walls lie within the radius of the wireless access point's (WAP) primary (highest bandwidth) zone can be covered by just the one WAP.</p>
 
<h3>Physical Security, Location and Placement Documentation</h3>
 
<p>Documenting the location and placement of all peripherals such as a Wireless Access Point (WAP) is essential. Do not forget to name them correctly. For example, you could name the WAP <strong>CR1CW1</strong>, which might stand for <strong>C</strong>offee <strong>R</strong>oom <strong>1</strong> <strong>C</strong>eiling <strong>W</strong>ireless access point <strong>1</strong>. For more about naming see the following article: <a href="http://www.computersight.com/Communication-%26-Networks/Security/Building-Your-Own-Naming-Convention.114805" target="_blank">Building Your Own Naming Convention</a></p>
 
<h3>Location and Placement - Weighing the Fiscal Benefits</h3>
 
<p>Another point to consider here is the overall benefit gained by hiding the WAP from view. Doing so may require you to install additional Wireless Access Points (WAP) in order to achieve the desired coverage and Quality of Service (QoS).</p>
 
<p>The alternative is to end up replacing WAPs on a regular basis, as and when they go missing.</p>
 
<p>The trick is to balance these two strategies from a fiscal point of view and adopt the option that achieves the majority of the goals that the deployment was implemented to provide. Never forget the reasons that you undertook the original expenditure.</p>
 
<p>If the implementation was justified and worthy then these goals will still hold true for quite some time after the implementation phase is complete. Factors such as Quality of Service (QoS) that were so important in the original planning, design and implementation stages still carry great weight now. If not then you must seriously reconsider why you even bothered.</p>
 
<h3>Secure Fixing, Location and Placement</h3>
 
<p>Once the location and placement of the Wireless Access Points (WAP) is under control it is time to ensure that their points of attachment are firm and secure. This is essential not just from the going AWOL perspective but from the preferred placement and antenna direction perspective to ensure the WAP delivers its services as planned and without undue signal leakage.</p>
 
<p>The location and placement of many other key network infrastructure components needs viewing in this light as well. Cabling and workgroup access switches are two of the more prominent components in the category of easily removed or otherwise interfered with devices.</p>
 
<p>Secure fixing is often the only option for the workgroup switch, but cabling is easier to locate behind walls, in conduit and in wiring closets to protect it from untoward events. With that, we will conclude our discussion of the physical security aspects of devices and infrastructure whose location and placement is inherently insecure (public places).</p>
 
<p>We can now begin to look at the location and placement of core networking and communications devices and core infrastructure and devices. This is where the story continues in the next article “Core Components”. Until then enjoy!</p>]]></description>
<pubDate>Sun, 11 May 2008 07:05:35 PST</pubDate></item>
<item>
<title>Wireless Security Tips</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Wireless-Security-Tips.119133</link>
<description>
<![CDATA[<h3>Defense-in-Depth</h3>
 
<p>It seems that for any single measure that you take to thwart the villains, they have an ever-expanding library of insidious counter-countermeasures. This is the reason that the implementation of all security measures must be as a suite rather than as a single stroke.</p>
 
<p>The deployment of a suite of security initiatives, where multiple tools address different vulnerabilities at different points of susceptibility, is known “in the trade” as security-in-depth. We are going to adopt this ethos as our approach to wireless security hardening.</p>
 
<h3>The Physical</h3>
 
<p>As always, security starts at the physical level. Initiatives that all of us can employ include lock-down and lock-up. Ensure your mobile devices are secure. Whenever left unattended, they seem to have a habit of growing legs. Restricting physical accessibility further reduces your systems' exposure to security threats.</p>
 
<p><strong>Secure all Wireless Access Points (WAP) - </strong>This means to make sure that the placement of your Wireless Access Points (WAP) allows the desired coverage whilst maintaining minimal likelihood of displacement, tampering or unauthorised removal.</p>
 
<p>All wireless enabled networks risk collapse if enough Wireless Access Points go out of commission. This is most important in areas where public access is possible. Another point to consider here is that the wind can cause a WAP to become out of true alignment.</p>
 
<p><strong>Coverage Pattern Shaping - </strong>Test to ensure that your wireless access covers those areas you wish to cover whilst maintaining zero leakage, or as close to zero as you possibly can. The use of directional antennas is a possibility that merits consideration at the planning stage of deployment. The fewer “freeloaders” your network is exposed to, the better your overall security will be.</p>
 
<p><strong>War Driving</strong> - Remember that it is always advisable to place your wireless access points such that they face inward. This can dramatically reduce your exposure and subsequent security vulnerability to external mobile devices.</p>
 
<p>The practice of “war driving” using wireless scanning software with portable devices such as laptops and notebooks will not pose an attack risk if they do not get a signal.</p>
 
<h3>Security Consciousness</h3>
 
<p>Develop and foster a security conscious environment. Everybody does his or her bit to help. An organisation that is security “aware” is much harder to penetrate.</p>
 
<p><strong>Social Engineering</strong> - Reduce the potential opportunities for social engineering tactics. Keep the insiders in and the outsiders out.</p>
 
<p><strong>Security Policies</strong> - Develop and implement appropriate wireless usage security policies.</p>
 
<p><strong>User Education</strong> - Educate your users in wireless security best practices. Update and communicate with wireless users whenever issues arise. What affects one user in all likelihood is capable of affecting them all.</p>
 
<h3>Power-Off Unused Wireless Client Adapters</h3>
 
<p>There are many benefits to powering off unused wireless client access adapters. Here are a few:</p>
 
<p><strong>Battery Life</strong> - Powering off unused wireless client adapters will help promote battery life for mobile devices.</p>
 
<p><strong>Prevention </strong>- Powering off the unused wireless client adapter is the simplest preventative measure to guard against a type of penetration attack known as "Microsoft Windows silent ad hoc network advertisement." This type of attack takes advantage of the default configuration setting of Microsoft Windows Zero Configuration.</p>
 
<p><strong>Microsoft Windows Zero Configuration</strong> - The default setting is to enable anonymous ad hoc connections. It works on the “advertisement” principle. Both the wireless enabled client and wireless access points continually advertise their presence to the world.</p>
 
<p>“Is there anybody out there?” This is an offer to request connectivity (the client-side) or an offer to provide connectivity (the wireless access point side). Most operating systems, networks and wireless access devices also exhibit the same type of behavior when it comes to announcing their presence.</p>
 
<p><strong>Disable Internal Anonymous Ad Hoc Connectivity</strong> - From a security standpoint, once authorised users are internal to your perimeter, they do not need anonymous ad hoc connectivity capabilities. All they need do is log on to the network in their usual prescribed manner. Your authentication procedures will define who is, and who is not, permitted access and voilà, wireless accessibility is theirs.</p>
 
<p><strong>The Boardroom</strong> - When it comes to “official” meeting places such as the boardroom, you really do not want access from outside of the boardroom to be possible. This is one location where your job will depend upon ensuring maximum security and zero leakage.</p>
 
<h3>Service Set Identifier (SSID) Verification</h3>
 
<p><strong>Service Set Identifier (SSID)</strong> - The SSID is the name used to identify the different 802.11x wireless networks (WLAN) to which a user wants to connect. Clients receive broadcasts from all wireless access points that are within range.</p>
 
<p>Selection of the wireless access point used for the connection depends on the specific configuration of the client, either a pre-configured wireless access point or one from a list that the user selects.</p>
 
<p><strong>The Evil Twin Attack</strong> - Patterned after the man-in-the-middle attack: a hacker falsely represents the true wireless network. The user obliviously connects and the hacker obtains every byte of traffic transmitted or received by that client.</p>
 
<p><strong>SSID Verification</strong> - Simply verifying the SSID of the wireless network you are about to connect to is the easiest way to overcome most evil twin security threats.</p>
 
<h3>Firewalls</h3>
 
<p>Install and run a software firewall if you have not already done so. Microsoft Windows XP and Vista both have a built-in firewall application. Although it receives criticism from some quarters, the Windows Firewall application is free with the Microsoft Windows OS and has recently received additional improvements. If nothing else is available, use it.</p>
 
<p>There are, however, many alternatives which do offer considerably greater functionality than the Microsoft offering. Many of them are “free”. “Free” generally applies only to non-corporate users. You will need to check each candidate application for the specifics of its user license.</p>
 
<p>If you are looking for a range of applications from which to choose and want some background on each, then I recommend that you pay the SANS Institute a visit. They are a not-for-profit organisation that embraces all things “security”.</p>
 
<h3>Disable Unused and High Risk Services</h3>
 
<p><strong>File and Printer Sharing</strong> - Users with new mobile devices such as new notebooks and laptops that run some version of the Microsoft Windows operating system will find that file and printer sharing is disabled by default.</p>
 
<p>This can be a bother in the workplace environment.  So it becomes enabled fairly soon after the device is first connected to the network.</p>
 
<p><strong>On the Road</strong> - In fact, some administrators do so prior to issuing company laptops and notebooks to their users. It certainly saves a lot of help desk time.</p>
 
<p>Unfortunately, not everybody uses a wireless enabled computer only within the confines of corporate network space. The “road warrior”, for example, has the need to do so in the most insecure of all computing environments: the publicly accessible ad hoc wireless network environment.</p>
 
<p>With file and printer sharing enabled anyone connected to any ad hoc network to which you connect can SHARE your files. No authorisation is required. Extra security precautions are therefore required. Disabling this feature is a good place to start.</p>
 
<p><strong>The Microsoft Knowledge Base</strong> - The article entitled "Disable File and Printer Sharing for Additional Security" explains how to determine your current file and printer sharing status. It also outlines the procedure to disable this feature.</p>
 
<p><strong>Let the Server Serve</strong> - Why have file and printer sharing become so inextricably linked? This question has had me transfixed for quite some time now. Given that most users use client machines in a client-server environment, there is no “real” need for them to “moonlight” as servers. Leave the serving to the server. An old adage that is more applicable today than ever.</p>
 
<p><strong>Security Risk Levels Increasing</strong> - Wireless devices include so many more computing devices today than ever before. Many “stationary” client machines are now wireless enabled. While this does add greater flexibility and plasticity to networks, it also poses a higher degree of risk than was previously the case.</p>
 
<p><strong>Authorisation </strong>- You should also consider implementing “access by authorisation only” features. Even Microsoft Windows XP and Vista mobile devices have a Local Users and Groups management capability. It works very much in the same way that Active Directory Users and Groups works.</p>
 
<p>The main difference is that it only applies to that specific device. Security conscious network administrators will be very happy to show you how to use this feature. It is after all to their benefit that you do so.</p>
 
<h3>Personally Identifiable Information (PII)</h3>
 
<p>Information that explicitly identifies you must attract additional security measures. The name given to this type of information is “Personally Identifiable Information (PII)”.</p>
 
<p><strong>Personally Identifiable Information (PII) Requirements Variation</strong> - Different systems, networks, services, service providers and regulatory bodies all require certain information from you. The exact nature and type of information requested differs from one organisation to the next.</p>
 
<p><strong>Commonly Requested Personally Identifiable Information (PII)</strong> - Various organisations require different types of Personally Identifiable Information (PII) including Account Login Names, Passwords (for authentication purposes), Banking and/or Credit Card Details, Tax File Number, Social Security Number, Residential Address Details, Phone Numbers etc.</p>
 
<p>Other less frequently requested Personally Identifiable Information (PII) includes Health Records, Passport Details, Driver's License and Registration Forms.</p>
 
<p><strong>Web Browser Access</strong> - Permitting your Web browser to remember your Personally Identifiable Information (PII) opens the door for hackers to compromise your assets. It is very easy to retrieve this sensitive information, particularly in the event that your device is stolen.</p>
 
<h3>Online Transactions</h3>
 
<p>Although this may seem self-evident, it still constitutes one of the major avenues for breaching security in general and network security specifically. If you do not want everybody else to know the details of every wireless online transaction, then do not do it.</p>
 
<p>When it comes to sensitive information, the best advice is never to use an unsecured, publicly accessible ad hoc wireless network service. This also holds true for many locations and circumstances inside your network security perimeter.</p>
 
<h3>Wireless Device Updates</h3>
 
<p><strong>Regularly Update Wireless Enabled Devices</strong> - As with any other computer, always update your wireless enabled devices' operating system, applications, utilities, tools, etc.</p>
 
<p><strong>Other Components</strong> - Additional components of your device that you must check and update regularly include antivirus software, firewalls, drivers, web browser and Wi-Fi client applications.</p>
 
<p><strong>Automatic Update</strong> - Today most antivirus software includes an automatic update option. Automatic download and installation of new versions, virus databases, patches, fixes and updates take place without any input from the user.</p>
 
<p><strong>Application Vulnerabilities</strong> - It is not until long after many applications, operating systems, software and drivers have been implemented into a production environment that unforeseen vulnerabilities surface. By regularly checking the manufacturer's website, you will be able to keep up-to-date with the current state of affairs pertaining to your situation specifically.</p>
 
<p><strong>Scheduler</strong> - You can also use the scheduler applications that come supplied with most operating systems: Microsoft Windows, UNIX, Linux and Mac OS. Many administrators will schedule automatic updates to discover and download those elements relevant to their systems.</p>
 
<p><strong>Granular Control</strong> - If there were some critical updates, patches or fixes contained within the download the administrator can opt for installing them all or installing only those specifically applicable to their current network and network security requirements. The selection of specific units from a wider and more diverse pool of options is a technique known as granular control.</p>
 
<p><strong>Eliminating Risk</strong> - The elimination of many potential points of attack arising from application vulnerabilities is achievable in this way.</p>
 
<h3>Secure Web Surfing</h3>
 
<p>Whenever possible make sure that you use secure and anonymous web surfing practices. This takes on greater importance when a Virtual Private Network (VPN) service is not being used or available. Safe web surfing practices help to minimize your risk exposure in the event of incorrect Virtual Private Network (VPN) configuration.</p>
 
<h3>Web Based SSL VPN Solutions</h3>
 
<p>Numerous web services currently provide SSL VPN solutions. An encrypted tunnel between your device and the provider of the SSL VPN solution's servers is established. You are now free to surf the net.</p>
 
<p><strong>Note</strong>: This solution only applies to web based applications.</p>
 
<p><strong>Fully Encrypted</strong> - Full encryption to all traffic generated from or returned to a wireless device now occurs by default. This procedure eliminates a whole bunch of potential security and network issues. Some of these web based SSL VPN solutions include TOR, Megaproxy and IronKey.</p>
 
<p>The IronKey solution uses a secure USB flash drive. It is also capable of establishing and auto-configuring a secure SSL VPN tunnel once wireless Internet access becomes available.</p>
 
<h3>Virtual Private Networks (VPN)</h3>
 
<p>Since web based SSL VPN solutions only apply to web based applications another solution is required to deal with email applications such as Microsoft Outlook.</p>
 
<p><strong>Remote Access</strong> - Here is where a full, feature rich VPN solution is necessary. The VPN tunnel will allow authorised personnel to connect to the home or office networks remotely. Now the company network will take care of all the normal business applications, file sharing, and Internet access.</p>
 
<p><strong>Availability</strong> - Today on the open market, there are many hardware and software VPN application solutions from which to choose.</p>
 
<h3>Remote Access Applications</h3>
 
<p>Using remote access applications means that no sensitive data travels over questionable networks. The basic idea here is that specialty software allows you to control remote devices. The devices can be located anywhere.</p>
 
<p>The only proviso being that they have Internet connectivity 24/7 if you want to access or control them 24/7. An SSL tunnel is established. Then the remote access session takes place through it. Web surfing, e-mail, and other applications are active only on the remote computer.</p>
 
<p>LogMeIn and MioNet are two applications that deliver this type of service.</p>
 
<h3>Users, Groups and Guest Accounts</h3>
 
<p><strong>Users and Groups Accounts Administration</strong> - The administration of “regular” users by way of Active Directory Users and Computers to control their access rights and privileges is straightforward. It is far more difficult to administer the access rights and privileges for intermittent and transient users.</p>
 
<p>Fortunately, there are a number of ways in which to achieve this. Using Active Directory is one way to apply network access restrictions.</p>
 
<p><strong>Local Users and Groups</strong> - Another is to use the Local Users and Groups snap-in at the client level. These access rights and privileges apply only to the local machine and not the entire network as is the case with domain controller applied access rights and permissions.</p>
 
<p><strong>Special Accounts</strong> - Special guest accounts can be set up to allow security access rights for temporary, intermittent and/or transient visitors. Once they have gone, the account is closed. Microsoft Windows Server 2003 allows you to set specific access times and account durations via Group Policy.</p>
 
<p><strong>Access Point Associations</strong> - Visitors can have their wireless access privileges associated with specific wireless access points or LAN segments. For example, they can access the network via wireless access points in the boardroom but nowhere else. They may be giving a presentation that requires access for the duration of the meeting.</p>
 
<p><strong>Authentication Controls</strong> - Increasing the time that Windows waits before permitting another logon retry is one way to negate brute force password attacks. You might want to change the number of password entry attempts before the system stops responding (locks itself). Customising the Time-To-Live (TTL) attribute is another.</p>
 
<h3>Anti-Malware Software</h3>
 
<p>Never forget to install antivirus software, spam filters and pop-up blockers, and to disable scripts and applets that you do not want or use. Antispyware and adware filters are more initiatives that merit consideration.</p>
 
<p>The full range and diversity of options available here is something that I will discuss in a future article. Until then enjoy!</p>]]></description>
<pubDate>Sun, 04 May 2008 05:35:30 PST</pubDate></item>
<item>
<title>Security Threats in the Wild One</title>
<link>http://www.computersight.com/Communication-&amp;-Networks/Security/Security-Threats-in-the-Wild-One.117256</link>
<description>
<![CDATA[<p>The birds and bees do it. Socialize that is. Here is an overview of the various categories and types of common security threats, risks, exploits and vulnerabilities that we all battle on a daily basis.</p>
 
<h3>Introduction</h3>
 
<p>The birds and the bees do it. From microbes to ants to dogs, to lions and elephants and all the way to the biggest of them all, the blue whale, it is the one thing that all have in common. The need to perpetuate the species can be totally consuming at different points in time but can only be successful with adherence to the social rules of each species.</p>
 
<p>Humans? Well, we are no different. Except for the antisocial element, and it is their “raining on the party” activities that we are going to have a look into here.</p>
 
<h3>Security, Society and Civilizations</h3>
 
<p>Security, security threats, security risks and other security issues and concerns have, with respect to security status or the lack thereof, been with us since day one. They are a basic fact of life inherent to all social beings and the collective societies and social protocols they forge in establishing their civilizations.</p>
 
<p>In these regards humans, bees, ants etc. all have much in common; where humans differ is in their capacity for conceptualization and virtualisation of thought and self.</p>
 
<h3>Passing the Torch</h3>
 
<p>Among the most powerful and pervasive products of these processes are the concepts of knowledge, information, and the accessibility, transmission, and passing-on of said knowledge and information to contemporaries and succeeding generations alike.</p>
 
<p>The label we humans have given to this is Information Technology (IT) and its most obvious manifestation in our world today is The Internet.</p>
 
<h3>Technological Benefits and Freedoms</h3>
 
<p>The benefits and freedoms delivered by these technologies, and the technologies themselves, are, as with everything else in the universe, susceptible to damage, degradation, or destruction from a host of very diverse threats.</p>
 
<p>Securing our information technologies means protecting information assets using technology, regulatory compliance, experience, processes, and training.</p>
 
<p>It is the security threats, risks, vulnerabilities, impacts and counter measures involved with IT and Internet security in particular that we are going to be investigating.</p>
 
<h3>Speaking the “Lingo”</h3>
 
<p>They say that you must walk the walk and talk the talk before you can get in. Well in our case, we do need to do as the Romans did and come to a consensus regarding the basic technical terms used in information technology and Internet security circles.</p>
 
<p>Here is a brief list of the most basic terms and concepts that we will need to further our understanding of security threats, security risks, security vulnerabilities and the counter measures that we can use to protect ourselves from malicious intent.</p>
 
<p>Entity - That which exists or is perceived to exist</p>
 
<p>Attack - The direct or indirect, real or perceived, consequences and effects of actions perpetrated by one or more entities; with the intent to intrude, compromise, degrade, control, or adversely affect; either directly or indirectly, the assets, prerogatives, freedoms, rights or the sense of “security” or that feeling of “being secure” of one or more other entities; generally with deliberate malicious intent, manner or purpose</p>
 
<p>Security - The state of being safe, protected, and free from worry about possible loss by the assurance that something of value will not be taken away, degraded, or threatened in any manner by attack from without or subversion from within</p>
 
<p>Security Measures - The precautions taken to defend, maintain or improve the safety and sanctity of an entity or entities (somebody or something) from attack, danger, or crime, whether these security threats are potential, real or merely perceived to exist</p>
 
<p>Security Goals - The predefined targeted levels of protection, precautions, or defensive strategies deemed to be "adequate" and/or "appropriate" for specific "real world" scenarios.</p>
 
<p>It comes as no surprise that security goals will vary considerably from one entity to the next but all will have a commonality of providing an acceptable, predefined level of security assurance in conjunction with elements of acceptable exposure that are usually weighted by economic factors such as cost effectiveness.</p>
 
<p>Security Policy - A set of organisation-level rules governing the acceptable usage of such resources as:</p>
 
<ul>
<li> Information Technology Resources</li>
 
<li> Acceptable Security Practices</li>
 
<li> Acceptable Operational Procedures</li>
 
<li> Best Practices Guidelines </li>
 
</ul>
<p>Security Threats - Any entity possessed with the deliberate intent to cause hazard, harm, degradation or unsolicited action to the disadvantage, peril or jeopardy of another entity or asset</p>
 
<p>Security Vulnerabilities - Weaknesses in an asset, system or process that leave it susceptible to attack by one or more threats</p>
 
<p>Security Exploit - A technique, tool or piece of code that takes advantage of a vulnerability in an unsolicited, unfair or selfish manner, to the benefit of the threat and the detriment of the exploited</p>
 
<p>Malicious - Motivated by or resulting from a malevolent desire to cause harm, degradation or pain to others</p>
 
<p>Vindictive - Motivated by the malicious desire or intent to harm or degrade a specific target; often as a result of a desire for revenge for some perceived "wrong" or "unfairness" allegedly perpetrated by the target</p>
 
<p>Security Risks - The chance or statistical probability that a threat will eventuate, combined with the jeopardy such an event would impose upon the entity deemed at risk.</p>
 
<p>Security Impact - The amount or type of potential losses that could result should a given threat eventuate</p>
 
<p>Zero-Day Vulnerabilities - Vulnerabilities for which no patch was available at the time they were publicly disclosed or first exploited</p>
 
<p>Auditing - The process of recording, usually to a log file, information regarding network and resource access, including which computer(s) and/or user(s) issued the access requests. Typically, audited criteria include:</p>
 
<ul>
<li> System/Network Assets and Resources Access Requests - Both successful and unsuccessful can be monitored and recorded</li>
 
<li> Security Events - Can be categorized into many predefined classes of attacks and security risks and threats to facilitate easier analysis and so promote quicker response times for the deployment of counter measures</li>
 
<li> Authorised Access - Legitimate users are entitled to different levels of resource access</li>
 
<li> Unauthorised Access - Includes authorised users attempting to reach resources beyond their access rights and privileges, as well as attempts by parties with no authorised access whatsoever</li>
 
<li> Successful and Unsuccessful Login Events </li>
 
</ul>
<p>Not every access attempt by an authorised user succeeds, and when those who should be able to reach assets and resources cannot do so, that is an important warning that you may be under attack from some unknown threat.</p>

<p>It may equally be the result of an authentication problem. An actual security threat or real attack is not always the correct explanation.</p>

<p>Files do become corrupted and errors can creep in undetected. It is just too bad if they happen to be in your Active Directory group policy structures, for example.</p>
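<p>As an added illustration (not part of the original article), the following Python script runs the auditing ideas above over a handful of constructed authentication records: it counts failures per source and account, flags a source hammering one account, flags a source trying many accounts, and lists the known users who have failed and never succeeded, the case the text says may be either an attack or an authentication fault. The log format, host and user names, addresses and thresholds are all assumptions made for the example.</p>

```python
"""Toy audit-log analyser (added example; not from the original article).

Parses constructed, syslog-style authentication records and flags the patterns
the text describes: repeated failures against one account, one source trying
many accounts, and authorised users who can no longer log in (which may be an
attack or simply a broken authentication path). Format and thresholds are assumptions.
"""
import re
from collections import defaultdict

# Constructed sample records; not taken from any real system.
SAMPLE_LOG = """\
2008-04-30T09:01:02 host1 auth: FAILED user=alice src=10.0.0.7 reason=bad_password
2008-04-30T09:01:05 host1 auth: FAILED user=alice src=10.0.0.7 reason=bad_password
2008-04-30T09:01:09 host1 auth: FAILED user=alice src=10.0.0.7 reason=bad_password
2008-04-30T09:01:12 host1 auth: FAILED user=alice src=10.0.0.7 reason=bad_password
2008-04-30T09:01:15 host1 auth: FAILED user=alice src=10.0.0.7 reason=bad_password
2008-04-30T09:02:00 host1 auth: SUCCESS user=bob src=10.0.0.9
2008-04-30T09:03:00 host1 auth: FAILED user=carol src=10.0.0.9 reason=bad_password
2008-04-30T09:03:30 host1 auth: SUCCESS user=carol src=10.0.0.9
2008-04-30T09:04:00 host1 auth: FAILED user=root src=198.51.100.5 reason=bad_password
2008-04-30T09:04:01 host1 auth: FAILED user=admin src=198.51.100.5 reason=no_such_user
2008-04-30T09:04:02 host1 auth: FAILED user=guest src=198.51.100.5 reason=no_such_user
2008-04-30T09:04:03 host1 auth: FAILED user=test src=198.51.100.5 reason=no_such_user
2008-04-30T09:04:04 host1 auth: FAILED user=oracle src=198.51.100.5 reason=no_such_user
2008-04-30T09:05:00 host1 auth: FAILED user=dave src=10.0.0.11 reason=bad_password
2008-04-30T09:05:20 host1 auth: FAILED user=dave src=10.0.0.11 reason=bad_password
"""

# Assumed record layout: timestamp host "auth:" result user= src= [reason=]
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) auth: (?P<result>SUCCESS|FAILED) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: reason=(?P<reason>\S+))?$"
)

# Thresholds are assumptions for this example; tune them to the real environment.
BRUTE_FORCE_THRESHOLD = 5      # failures for one account from one source
SPRAY_DISTINCT_ACCOUNTS = 4    # distinct accounts tried from one source


def parse(log_text):
    """Return one dict per well-formed record; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def analyse(events, known_users):
    """Return a list of (finding_kind, source, subject) tuples."""
    failures = defaultdict(int)            # (src, user) -> failure count
    users_per_src = defaultdict(set)       # src -> accounts it failed against
    outcome = defaultdict(lambda: {"ok": 0, "fail": 0})  # user -> result counts

    for e in events:
        key = "ok" if e["result"] == "SUCCESS" else "fail"
        outcome[e["user"]][key] += 1
        if e["result"] == "FAILED":
            failures[(e["src"], e["user"])] += 1
            users_per_src[e["src"]].add(e["user"])

    findings = []
    # One source repeatedly failing against one account: brute force / guessing.
    for (src, user), n in failures.items():
        if n >= BRUTE_FORCE_THRESHOLD:
            findings.append(("brute_force", src, user))
    # One source walking through many accounts: enumeration or password spraying.
    for src, users in users_per_src.items():
        if len(users) >= SPRAY_DISTINCT_ACCOUNTS:
            findings.append(("account_enumeration", src, sorted(users)))
    # Authorised users who failed and never succeeded: attack or broken auth path,
    # flagged for a human to decide, as the text advises.
    for user in sorted(known_users):
        c = outcome.get(user)
        if c and c["fail"] > 0 and c["ok"] == 0:
            findings.append(("known_user_cannot_log_in", None, user))
    return findings


if __name__ == "__main__":
    for f in analyse(parse(SAMPLE_LOG), {"alice", "bob", "carol", "dave"}):
        print(f)
```

<p>The last category deliberately does not decide between "attack" and "broken authentication": the script surfaces the account for a person to check, which is the point the text makes. In a real deployment the records would come from the system's own audit log (the Windows security event log or syslog) and the thresholds would be tuned to the environment.</p>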
 
<ul>
<li> Communications - Such as attacks that attempt to access external assets and/or resources including other web sites</li>
 
</ul>
<p>Today the monitoring of IP telephony (VoIP) systems and wireless network resources is increasingly a security "blind spot", one that can leave an organisation exposed to an unacceptable degree of risk.</p>

<p>The abuse of these services is also of major concern, and the frequency of such incidents continues to rise.</p>
 
<h3>Security Risk and Attack Source Categories</h3>
 <ol> 
<li> Outside - Resources and assets external to the organisation come under attack, but the effects and consequences are felt by the organisation and other parties. Such collateral damage may be intended by the attacker or a side effect the attacker never foresaw.</li>
 
<li> Outside In - The classic form of attack, whereby an external attacker seeks to intrude into the targeted system/network by penetrating its defences in order to execute ill intent</li>
 
<li> Inside - The attacker is internal to the target system or network. A very common example is legitimate users of a system/network attempting to access resources, services or data to which they are not explicitly entitled. </li>
 
<li> Inside Out - The attacker is already inside the target and either triggers the download of remote malware and leaves it to do its damage, or seeks to propagate from the current host to other, external systems</li>
 
<li> Proxy - The attacker focuses on surreptitiously enslaving unprotected, innocent third-party machines, usually in very large numbers (a botnet), and then, when ready, launches an attack from all of them simultaneously. The intended result is simply to overwhelm the target by sheer volume. </li>
 </ol> 
<h3>Typical Security Risks, Threats and Vulnerabilities</h3>
 
<p>Physical Security Risks - Breaches of physical security are the most basic of all security risks, and they have been with us for a long time. Robbery and theft, along with kidnapping and extortion, are tools the most determined will use to force an individual to help them breach security, and there are many other ways of acquiring passwords, key codes and smart cards for nefarious purposes.</p>
 
<h3>Denial-of-Service (DoS) and Distributed Denial-of-Service (DDoS) Attacks</h3>
 
<p>All manner of technology, from the very basic to the most sophisticated, has at one time or another been used to perpetrate these attacks. For example, taking down a few telephone lines can take an organisation, and many others, off the Internet: no phone line, no Internet.</p>

<p>As ever more sophisticated ways of mounting these attacks develop, our detection and countermeasures need to be at least as sophisticated if they are to provide the degree of security, and the freedom from threat or risk, that being more secure gives us, or at least makes us feel.</p>
 
<p>Spoofing - Another area in which organisations and individuals face a very real and critical security risk. The falsification of credentials or identity, particularly in electronic form, is something we all need to guard against.</p>

<p>Man in the Middle Attacks - A form of message interception/injection attack in which the attacker sits between two communicating parties, relaying their messages and able to read or modify them, while each party believes it is talking directly to the other</p>

<p>TCP/IP Session Hijacking - Taking over an established session, whether at the transport layer or by stealing an application session identifier. Redirection and false URLs are very common, and very easy, ways of luring a victim into such a position</p>
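<p>To make the spoofing, man-in-the-middle and injection entries concrete, here is an added Python example (constructed for this edit, not the author's code) that simulates an attacker sitting between a client and a server on a toy exchange. Without message authentication the attacker rewrites the payee unnoticed; with an HMAC over the message under a shared key the server rejects the tampered frame. The key, message wording and wire encoding are assumptions.</p>

```python
"""Simulated man-in-the-middle on a toy client/server exchange (added example).

The attacker relays and rewrites a message. Without message authentication the
server accepts the forgery; with an HMAC over the message under a shared key it
does not. Keys, messages and the wire format are constructed for the example.
"""
import hashlib
import hmac
import json

# Assumed to have been agreed out of band, over a channel the attacker cannot see.
SHARED_KEY = b"constructed-shared-key-for-the-example"
ORIGINAL_MESSAGE = b"transfer amount=100 to=alice"


def sign(message: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 over the message; only a key holder can produce it."""
    return hmac.new(key, message, hashlib.sha256).digest()


def make_frame(message: bytes, key=None) -> dict:
    """Client side: build the frame, attaching a MAC only when a key is in use."""
    frame = {"msg": message.decode()}
    if key is not None:
        frame["mac"] = sign(message, key).hex()
    return frame


def server_accepts(frame: dict, key=None):
    """Server side: return (accepted, message). Without a key nothing is checked."""
    msg = frame["msg"].encode()
    if key is None:
        return True, msg            # no integrity check: whatever arrives is trusted
    try:
        mac = bytes.fromhex(frame.get("mac", ""))
    except ValueError:
        return False, None
    if not hmac.compare_digest(mac, sign(msg, key)):
        return False, None          # forged or tampered frame
    return True, msg


def attacker_in_the_middle(frame: dict) -> dict:
    """Rewrite the payee on the wire; the MAC, if any, cannot be recomputed without the key."""
    tampered = dict(frame)
    tampered["msg"] = frame["msg"].replace("to=alice", "to=mallory")
    return tampered


def exchange(authenticated: bool, tamper: bool = True):
    """Run one client -> (attacker) -> server exchange and return the server's verdict."""
    key = SHARED_KEY if authenticated else None
    frame = make_frame(ORIGINAL_MESSAGE, key)
    on_the_wire = json.dumps(frame)            # what the attacker sees and can modify
    received = json.loads(on_the_wire)
    if tamper:
        received = attacker_in_the_middle(received)
    return server_accepts(received, key)


if __name__ == "__main__":
    print("unauthenticated, tampered:", exchange(False))
    print("authenticated, tampered:  ", exchange(True))
    print("authenticated, untouched: ", exchange(True, tamper=False))
```

<p>Two caveats a practitioner would add: an HMAC alone does not stop the attacker replaying an unmodified frame, so real protocols bind a sequence number or nonce into the authenticated data; and the shared key itself has to be established over a channel the attacker cannot intercept, which is exactly what certificate-validated TLS provides and why the "Verification and Validation" item in the defensive strategies below matters.</p>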
 
<h3>Social Engineering</h3>
 
<p>People are too trusting of callers claiming to be who they are not. Combine this with a multitude of other tactics that prey on people's normal social behaviour, and an attacker can extract, or "deduce", information that is then used "against them" in some form of security breach attempt.</p>
 
<p>Vulnerability Scanning, Sniffing and Eavesdropping - Probing for known vulnerabilities and exploits, and for lax security measures, at the machine level (OSI layers one to four). Backdoors are a favourite target here.</p>
 
<h3>Password Attacks</h3>
 
<p>Passwords that are stolen, overseen, acquired via social engineering, or recovered by dictionary and other brute-force tactics are being joined by new threats in this arena arising from the massive increase in processing power over the years.</p>

<p>What was once impractical is now a very real and quickly deployed risk, such as the precomputed hash lookup tables ("rainbow tables") used to recover passwords from unsalted password hashes.</p>
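<p>An added Python example (not from the original article) of why precomputed lookup tables are so effective against unsalted hashes and useless against salted, iterated ones. A six-word constructed wordlist stands in for the dictionary a rainbow table is built from; the legacy unsalted MD5 scheme, the PBKDF2 parameters and the passwords are assumptions made for the example.</p>

```python
"""Precomputed lookup versus salted, iterated hashing (added example).

A tiny constructed wordlist stands in for the dictionary behind a rainbow table.
The unsalted MD5 scheme, the PBKDF2 parameters and the passwords are assumptions.
"""
import hashlib
import hmac
import os

# Constructed wordlist; a real table is built from millions of such candidates.
WORDLIST = ["password", "letmein", "123456", "qwerty", "Summer2008", "admin"]
ITERATIONS = 100_000  # assumed work factor for the salted scheme


def unsalted_md5(password: str) -> str:
    """Legacy scheme: equal passwords give equal digests, so one table covers every user."""
    return hashlib.md5(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Computed once, reused against any dump of unsalted digests.

    This is the rainbow-table idea minus the hash-chain compression a real
    table uses to trade lookup time for storage.
    """
    return {unsalted_md5(w): w for w in wordlist}


def crack_unsalted(digest: str, table: dict):
    """Constant-time lookup: no hashing at all at attack time."""
    return table.get(digest)


def salted_hash(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Per-user salt makes each digest unique; iterations raise the cost per guess."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def make_record(password: str):
    """What a sensible system stores: a fresh random salt and the derived digest."""
    salt = os.urandom(16)
    return salt, salted_hash(password, salt)


def verify(password: str, record) -> bool:
    salt, digest = record
    return hmac.compare_digest(salted_hash(password, salt), digest)


def crack_salted_with_table(record, table: dict):
    """The unsalted table never hits: its digests were computed without this salt."""
    salt, digest = record
    return table.get(digest.hex())


def crack_salted_online(record, wordlist):
    """The attacker must recompute every candidate per salt, paying the full cost each time."""
    salt, digest = record
    for w in wordlist:
        if hmac.compare_digest(salted_hash(w, salt), digest):
            return w
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted:", crack_unsalted(unsalted_md5("letmein"), table))
    rec = make_record("letmein")
    print("salted, table lookup:", crack_salted_with_table(rec, table))
    print("salted, recompute per salt:", crack_salted_online(rec, WORDLIST))
```

<p>The lookup table is built once and answers any unsalted digest instantly, which is the economy a rainbow table exploits (a real one also compresses the table into hash chains). A per-user random salt forces the attacker to recompute the whole wordlist for every record, and the iteration count multiplies the cost of each of those guesses; a weak password is still recoverable, but only at full price, one account at a time.</p>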
 
<h3>Malicious Code Attacks</h3>
 
<p>These include the more traditional forms of attack such as viruses, worms, Trojan horses, polymorphic viruses, botnets, spyware, adware, script attacks, rootkits, backdoors and spam, to name but a few of the security risks and threats that originate from this quarter.</p>
 
<h3>Hackers</h3>
 
<p>I would be remiss to leave these folk out of the discussion. Yet not all hackers have purely evil or malicious intentions, just as not all programmers make software with more security holes than Swiss cheese.</p>
 
<h3>Common Exploits of Wireless Networks</h3>
 
<p>Many of these originate from poor or obsolete connection procedures and weak encryption technologies.</p>
 
<h3>Identity Theft and Fraud</h3>
 
<p>The security risks posed by impersonation for profit have been around for a long time and can be a very effective means to breach the security of many organisations</p>
 
<h3>New Exploits</h3>
 
<p>It seems that with every new day some new form or variation of an existing attack jumps out of the woodwork to invade our sense of security. Keeping on top of it all is a daunting prospect indeed. I will show you some ways that you can strike back.</p>
 
<h3>Defensive Strategies</h3>
 
<p>Just as the perpetrators of these malicious activities have a vast array of tools upon which to draw so do their intended targets have an equally impressive array of tools at their disposal to counter these and many more types of security risk and attacks. Some of the more common of these include:</p>
 
<ul>
<li> Antivirus Software - The basic security measure against the best-known form of security threat, the malicious code attack</li>
 
<li> Antispyware Software - Another area of great concern. Who is watching you? This is something that we will find out </li>
 
<li> Spam Filters - Get rid of spam. Most work from a database of known spammers, often with the addition of a "learning system"</li>
 
<li> Intrusion Detection Systems (IDS) - Alert you when somebody is trying to do something that they are not authorised to do </li>

<li> Intrusion Prevention Systems (IPS) - Unlike an IDS, these systems do more than warn: they block the activity that somebody or something is attempting without the appropriate credentials</li>
 
<li> Access Control Systems - From the most basic to the most sophisticated, access control systems exist to limit access to your resources to defined groups with defined rights and permissions. Authentication is the most common access control measure to be found today</li>
 
<li> Firewalls - Both hardware and software based as well as the free, open source and fully subscribed commercial varieties will be discussed</li>
 
<li> Honey-Pots - Decoy systems that draw an attacker away from real assets, rather like dangling a carrot in front of a horse's nose, while letting you observe the attack; a highly effective way of reducing the severity of an attack or nullifying it altogether</li>
 
<li> Encryption - Technologies designed to provide you with confidentiality</li>
 
<li> Verification and Validation - Designed to protect against the threats and risks posed by tampered objects and by persons not being who they claim to be. TLS/SSL certificates, including Extended Validation (EV) certificates, are very widely used today for validation purposes.</li>

<li> Patching - Operating system service packs, general OS and software updates, security fixes, vulnerability work-arounds, threat-specific countermeasures, and so the list goes on</li>

<li> Security Hardening - The technical term for raising your current level of security preparedness so that the risks and threats you are exposed to are reduced to at least tolerable levels</li>
 
<li> Penetration Testing - The object is to use numerous well known and readily available tools to attempt to breach security thereby aiding in the identification of areas of security weakness and the vulnerabilities that need immediate attention as well as providing an indication of your overall security readiness</li>
 
<li> Administrative Practices - NTFS file and folder permissions along with Share permissions and Group Policy are all avenues we can all take advantage of to harden our systems against security threats and risks from many quarters. These and many other operating system level security tools and counter measures will be discussed</li>
 
<li> Security Policies - A best-practice document and a standard organisational policy do help the everyday user to ward off attackers, at least from a preventative point of view. Forewarned is forearmed.</li>

<li> White Hat Hackers - Not many people realise this, but there is a whole group of people out there who do nothing but attempt to hack into various systems. I know there are a lot of those, but what makes this group different is that they are on your side. </li>
 
</ul>
<p>It is through the diligence and dedication of these folk that many security flaws and vulnerabilities have been exposed and subsequently patched, or the software rewritten, so that the potential risks and threats are removed before the software hits the store shelves. We will be having a look at what these folk do.</p>
 
<h3>Tools</h3>
 
<p>It is always good to have a well-stocked toolbox whenever you tackle a tricky job. You just never know what you might come across. Like the Boy Scout's &amp;ldquo;it pays to be prepared&amp;rdquo; and that is just what we are going to do. Get prepared.</p>
 
<p>I will be introducing a number of tools that can be of great value in the fight against security threats and the best part is that many of them are free or free to use. So stay tuned and I will let you know where you can get your hands on these goodies.</p>
 
<h3>Prevention is better than the Cure</h3>
 
<p>Proactive measures are always preferable to knee-jerk responses. Over the course of the next few days I will be exploring all of these and many more topics, with a focus on security risks, prevention and countermeasures, and the many tools at our disposal, many of them free or open source, will come under our microscope.</p>
 
<p>So until next time enjoy!</p>]]></description>
<pubDate>Wed, 30 Apr 2008 09:30:45 PST</pubDate></item>
</channel>
</rss>
