Chapter 2-2-2 An Introduction to LAN/WAN Security
Steve Blanding
The purpose of this chapter is to provide a basic understanding of how to protect Local Area Networks (LANs) and Wide Area Networks (WANs). Connecting computers to networks significantly increases risk. Networks connect large numbers of users to share information and resources, but network security depends heavily on the cooperation of each user. Security is as strong as the weakest link. Studies have shown that most of the abuses and frauds are carried out by authorized users, not outsiders. As the number of LANs and WANs increase, cost-effective security becomes a much more significant issue to deter fraud, waste, and abuse and to avoid embarrassment.
This chapter is intended to help LAN managers understand why they should be concerned about security, what their security concerns should be, and how to resolve their concerns. We will begin by introducing the concept of risk management and touch on basic requirements for protecting LANs. This will be followed by a summary of LAN components and features that will serve as a foundation for determining security requirements. LAN security requirements will then be discussed in terms of the risk assessment process, followed by a detailed discussion of how to implement LAN security in a step-by-step approach. This should provide the necessary guidance in applying security procedures to specific LAN/WAN security risks and exposures.
DEFINITIONS
A LAN, or local area network, is a network of personal computers deployed in a small geographic area such as an office complex, building, or campus. A WAN, or wide area network, is an arrangement of data transmission facilities that provides communications capability across a broad geographic area. LANs and WANs can potentially contain and process sensitive data and, as a result, a plan should be prepared for the security and privacy of these networks. This plan should involve mandatory periodic training in computer security awareness and accepted security practices for all individuals who are involved in the management, use, and operation of these networks and systems. Organizations should have a security program to assure that each automated system has a level of security that is commensurate with the risk and magnitude of the harm that could result from the loss, misuse, disclosure, or modification of the information contained in the system. Each systems level of security must protect the confidentiality, integrity, and availability of the information. Specifically, this would require that the organization has appropriate technical, personnel, administrative, environmental, and telecommunications safeguards; a cost-effective security approach; and adequate resources to support critical functions and provide continuity of operation in the event of a disaster.
Risk management is defined as a process for minimizing losses through the periodic assessment of potential hazards and the systematic application of corrective measures. Risk to information systems is generally expressed in terms of the potential for loss. The greater the value of the assets, the greater the potential loss. Threats can be people such as hackers, disgruntled employees, error-prone programmers, careless data entry operators, things such as unreliable hardware, or even nature itself such as earthquakes, floods, and lightning. Vulnerabilities are flaws in the protection of assets that can be exploited, partially or fully, by threats resulting in loss. Safeguards preclude or mitigate vulnerabilities.
Managing risks involves not only identifying threats but also determining their impact and severity. Some threats require extensive controls while others require few. Certain threats, such as viruses and other computer crimes, have been highlighted through extensive press coverage, while other threats such as repeated errors by employees generally receive no publicity. Yet, statistics reveal that errors and omissions generally cause more harm than virus attacks. Resources are often expended on threats not worth controlling, while other major threats receive little or no control. Until managers understand the magnitude of the problem and the areas in which threats are most likely to occur, protecting vital computer resources will continue to be an arbitrary and ineffective proposition. The added complexity of LAN/WAN environments creates greater challenges for understanding and managing risks.
LAN/WAN ENVIRONMENT
A brief overview of the highly complex LAN/WAN environment serves as a foundation for the understanding of network security issues and solutions. Many environments use a mix of personal computers (PCs), LANs/WANs, terminals, minicomputers, and mainframes to meet processing needs. LANs are primarily networks that come in many varieties and provide connectivity, directly or indirectly, to many mini and mainframe computers.
A LAN is a group of computers and other devices dispersed over a relatively limited area and connected by a communications link that enables any device to interact with any other on the network. LANs commonly include PCs and shared resources such as laser printers and large hard disks. Although single LANs are typically limited geographically to a department or office building, separate LANs can be connected to form larger networks. Alternatively, LANs can be configured utilizing a client-server architecture which makes use of distributed intelligence by splitting the processing of an application between two distinct components: a front-end client and a back-end server. The client component, itself a complete, stand-alone PC, offers the user its full range of power and features for running applications. The server component, which can be another personal computer, minicomputer, or mainframe, enhances the client by providing the traditional strengths offered by minicomputers and mainframes in a time-shared environment. These strengths are data management, information sharing among clients, and sophisticated network administration and security features.
|