PC Security #2 Network Security
The Hub of the Dilemma
The network, consisting normally of a file server or two and a collection of workstations, is, today, the information centre of many businesses. Losing a workstation or laptop is a serious issue, but losing a server could mean the demise of your business. Securing your server should be an integral component of any business continuity plan.
The Obvious Issues
In our November number (see our Web page for back numbers), we discussed how it is vital to keep your workstations clear of malware. Malware presently consists of viruses, spyware, adware, trojan horses and worms.
If you are serious about protecting your network, you will be as vigilant about keeping your servers safe from these malicious attackers as you are with your workstations. Windows servers are very susceptible, and particular care should be taken to ensure they are protected.
Provisioning
Much network security is established on the basis of the user’s login. After a user is authenticated to a server, certain rights are attributed to that user.
Additional rights are allotted because of membership of a particular group.
User rights
Rights granted based on user login are best kept to a minimum. Things like access to a home directory are suitable for association with a user’s login.
It is also important to ensure that user login details are kept securely. Each user should have a login that is not broadcast to the rest of the business, and to the world.
To enhance the security of the user login, passwords should consist of characters and numerals mixed, and be changed frequently. It is also possible to add tokens or biometric measurement to require the presence of the user at the time a login is entered.
Users should be required to log out of the network when they leave the workstation unattended for any length of time.
Group rights
The more effective manner of allocating rights in most circumstances is to allocate them to a group and to make users members of various groups. This saves a vast amount of setup time and tightens security and simplifies management and control.
Physical Security
The physical security of the network is a key requirement. Your server should be located in a spot which is not a major public thoroughfare And if there is no alternative, you should consider a lockable rack or some other form of security.
The server should not normally be left logged in. If it is left in this state, and a malicious intruder were to gain access, the damage that could be done is unthinkable. It is even worse if the server is logged in as the Administrator, a very common sign-on at a server. So either set auto lock on the console or log out completely when not working on the server.
Try to keep the temperature of your server as even as practical. Allowing the temperature of the server environment to rise and fall too much may have a deleterious effect on server performance and reliability. Your server specifications will state the optimum operational temperature range.
As we mentioned in our January newsletter, keep your server’s air filters and other components free of dust and fluff. A buildup of this sort of material can reduce the air flow and also act as a blanket, causing components to run hotter than they should and become unstable.
Data Security
The server should be the repository for virtually all data generated within or collected by the enterprise. This is the component of the IT system which is of greatest value to your business. Many managers are rather undisciplined in their approach to maintaining a complete backup set.
Primary data security -
tape backup
While using a tape drive is not a perfect solution, in almost every case, it is the best option. Tape is a reasonably cost effective medium, it is adequately fast for the task, particularly if run over night, and it is easy to take several copies off site for additional protection. So your primary security practice to keep your data safe is your off line backup
Each day, it is imperative that the latest backup log is checked for completeness and absence of errors. Someone must be delegated this responsibility and any issue must we reported immediately to the person responsible for IT.
There are other alternatives, like CD-RW, DVD-RW and removable hard disks, but a commercial strength tape backup is hard to beat.
Secondary data security -
other methodologies
Nothing that follows should be seen as replacing the primary backup regime.
Secondary data security options include, starting from the least expensive, mirroring (RAID1, striping (RAID5), clustering or the use of a backup server.
Mirroring involves installing two identical drives in the server and using either hardware or software to maintain both drives in an identical state. Saving a new file to the combined mirror will add the file to one drive, either one will do, and then the system will add a complete replica to the second drive.
RAID5 takes this to a further level of flexibility. Data is saved twice across three or more drives.
Should one drive fail in either of the above situations, the system will continue to work until it is convenient to replace the failed component.
The reason this does not replace the backup is that if you delete a file, or if a file becomes corrupt, the second copy is deleted or corrupted almost simultaneously. No backup is provided.
Clustering or a backup server are generally used in larger enterprises. Here a separate machine, or separate machines are installed to either replicate the main machines and step in should they fail (clustering) or to spend the day making a series of backups to disk and the copying of data to an external source, like a tape unit, at a convenient time, a backup server.
One more thing
Like a car, many purpose built servers can be equipped with a range of accessories. A second, redundant power supply, additional fans and the like may be selected and added to the base model. In the case of one power supply failing, the second will keep the system working until the failed supply is replaced. In the case of the server being in a warmer environment, or stuffed full of additional gear, an additional fan can be quite an aid.
These are really nice to haves and should be considered on their merits.
Changes to your subscription
Removal:
If you would like to be removed from our mailing list, please send an e-mail to the address below with UNSUBSCRIBE in the subject line.
Additional subscriptions:
If you would like our eNewsletter to be sent to others in your enterprise, please send an e-mail to the address below with ADDITIONAL SUBSCRIPTIONS in the subject line and the recipients’ e-mail addresses contained in the body of the message.
support@tripos.com.au
Thank you.
Stewart Rankin Pty Ltd – ACN 007 972 901 & DL & LD Greenhough trading as
TRIPOS IT
All Newsletters
|