Neon-komputadór

Security

The following can be stated as a matter of fact. At some stage a computer network will be subject to a virus, unauthorized use and access (physical and virtual), or a deliberate denial-of-service attack. The task of the system administrator is to reduce the quantity, severity and effect of these security breaches through developing and implementing a security and data backup policy, having disaster contingency plans, installing and maintaining a firewall, ensuring virus protection and the installation and review of vendor patches. This will save a systems administrator's organization significant time and money

The first step for a system administrator in ensuring physical and data security is to identify weaknesses in the current network and administrative operations relative to the location and importance of data and equipment. In part this initially consists of preventative maintenance - ensuring that data backups occur on a regular basis and that the computing environment is kept clean and there are policies in place to prevent damage from thermal expansion and contraction (particularly important for a hot, moist, dusty climate like East Timor!). Data backup plans require the system administrator to consider what sort of device is to be used for the backup, how often the backup is to occur, who is responsible for the backup, when they'll occur, and whether or not they are stored off-site.

The next consideration should be physical security. This is, in many ways, the best security. Regardless of how secure a computer is in terms of software protection, it takes merely a five minutes and screwdriver to remove all the data from a machine - or to take the entire machine in the case of a laptop. If a physically insecure computer is on a network, this provides to access other machines. Thus, the basic rule should be that only legitimate users may have physical access to the computers of an organization. Everything else must be expressly prohibited by policy. A further elaboration of this principle is to ensure that the central computers of a network (the various servers) are physically isolated from the rest of the network and are kept in a secure, lockable room where the only people who can access the room are those with specific and legitimate reasons to have access to such computers. Disabling booting from the floppy disk and CD-ROM is also recommended, with BIOS password protection.

Assuming preventative maintenance and physical security measures are in place, user security must be considered, and the primary means of security in this instance is passwords. Strict enforcement and implementation of a secure password policy must occur in any organization that treats security with any degree of seriousness. The key principles is to have a long password - or better still, pass-phrase (minimum eight characters), one that uses different character groups (uppercase letters, numbers, other symbols), one that is unique, different to previously chosen passwords and changes on a regular basis. In an government organization, such as the Ministry of Foreign Affairs and Cooperation, distribution of a user's password is considered a breach of national security and should be treated as such. Any user who breaches these policies must be dealt with swiftly - the surest and quickest way is to disable their account. Don't be lenient. Network security infractions are too serious.

System administrators must also set quotas on user space on shared drives. A malicious or unauthorized user can create havoc by merely filling up drives with garbage script. Security monitoring must be a regular, preferably several times a day, task - either through the log files in Linux or Event Viewer in Windows 2000. User policies should be restricted to the minimum required - any service or software that is not explicitly required is disabled - including hours of access.

A system administrator must have a maintenance procedure as well. These includes daily checks for virus alerts, alerting users of virus outbreaks, and collecting and installing vendor patches for virus, with www.cert.org being a useful first port of call. Filesystem, networking and configuration auditing software should be run and reviewed on a dialy basis as well.

A firewall protects computer from electronic intrusion by limiting access to a particular access point. They do not provide protection for physical or internal security problems, but they do provide protection from outside attempts to breach security. There are two basic types of firewall: an absolute firewall and a proxy server. In an absolute firewall, no traffic is permitted except through the designated access point. In the latter type, a proxy machine makes the connection for the user. The common characteristic in both these types and various implementations is the use of packet filtering to prevent unauthorized connections. Proxy servers require more configuration, however their use is transparent to the user, to whom an absolute firewall may prove difficult. Firewalls should be set at a level of "what is not expressly permitted is prohibited".

There are a large number of proxy software systems available. The most common in Linux are transproxy, squid, socks and TIS FWTK. For MS-Windows 2000, Microsoft's ISA provides excellent web caching and firewall services. Each package has different capabilities and configuration options. TIS FWTK (Trusted Information Systems Firewall Toolkit), is a set of programs for the construction of firewalls. Note the use of the plural. Each protocol has its own daemon, and each daemon has its own configuration file. In comparison, Squid supports FTP, HTTP, ICP, GOPHER, and WAIS protocols, the Secure Socket Layer, and DNS lookup requests (but notably not ReadAudio, POP and NNTP). Squid's strength is in its versatility, performing not only caching, but also redirection (http://squid.nlanr.net).