Handbook of Information Security Management: Communications Security



Network Management

The overall management of a LAN/WAN is highly technical. The ISO’s network management model divides network management functions into five subsystems: Fault Management, Performance Management, Configuration Management, Accounting Management, and Security Management. Security management includes controlling access to network resources.

Network management products, such as monitors, network analyzers, and integrated management systems, provide various network status and event history data. These and similar products are designed for troubleshooting and performance evaluation, but can also provide useful information, patterns, and trends for security purposes. For example, a typical LAN analyzer can help the technical staff troubleshoot LAN bugs, monitor network traffic, analyze network protocols, capture data packets for analysis, and assist with LAN expansion and planning. LAN audit logs can record the user identification code used in excessive log-on errors, but the person making the errors might not be the owner of that code, and it may require a network analyzer to determine the exact identity of the PC on which the log-on errors are occurring. As passive monitoring devices, network analyzers do not log on to a server and are not subject to server-software security. Therefore, analyzer operators should be appropriately screened.
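The correlation described above, as an added example that is not part of the original handbook: it counts log-on failures per user ID and workstation and marks stations the ID has never logged on from successfully. The record format, user IDs, and station addresses are constructed, and the example assumes the station address (which an analyzer capture would supply) has already been merged into each audit record.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records in a hypothetical audit-log format (not a real NOS log).
SAMPLE_LOG = """\
1996-03-04T08:01:12 LOGON_OK   user=JSMITH station=00001B3A7F21
1996-03-04T08:03:40 LOGON_OK   user=MJONES station=00001B3A7F55
1996-03-04T12:10:01 LOGON_FAIL user=JSMITH station=00001B3A7F90
1996-03-04T12:10:09 LOGON_FAIL user=JSMITH station=00001B3A7F90
1996-03-04T12:10:17 LOGON_FAIL user=JSMITH station=00001B3A7F90
1996-03-04T12:10:30 LOGON_FAIL user=JSMITH station=00001B3A7F90
1996-03-04T13:00:02 LOGON_FAIL user=MJONES station=00001B3A7F55
1996-03-05T08:00:47 LOGON_OK   user=JSMITH station=00001B3A7F21
"""

RECORD = re.compile(r"^(\S+)\s+(LOGON_OK|LOGON_FAIL)\s+user=(\S+)\s+station=(\S+)$")

def excessive_logon_failures(log_text, threshold=3):
    """Return a finding for every (user, station) pair with >= threshold failures."""
    failures = Counter()
    known_stations = defaultdict(set)   # stations each user ID has logged on from
    for line in log_text.splitlines():
        m = RECORD.match(line.strip())
        if not m:
            continue                     # skip malformed records rather than guess
        _, event, user, station = m.groups()
        if event == "LOGON_OK":
            known_stations[user].add(station)
        else:
            failures[(user, station)] += 1
    findings = []
    for (user, station), count in sorted(failures.items()):
        if count >= threshold:
            findings.append({
                "user": user,
                "station": station,
                "failures": count,
                # True when the ID has never logged on successfully from this station
                "unfamiliar_station": station not in known_stations[user],
            })
    return findings

if __name__ == "__main__":
    for finding in excessive_logon_failures(SAMPLE_LOG):
        print(finding)
```
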

Access Control Mechanisms

Network operating systems have access control mechanisms that are crucial for LAN/WAN security. For example, access controls can limit who can log on, what resources will be available, what each user can do with these resources, and when and from where access is available. Management, LAN, security, and key user personnel should cooperate closely to implement access controls. Security facilities typically included with network operating system software such as Novell NetWare and Banyan Vines include user security, network file access, console security, and network security. These are highlighted below to illustrate the range of security that a LAN can provide.

User security controls determine how, when, and where LAN users will gain access to the system. Setting up user security profiles generally includes the following tasks:

  Specify group security settings
  Specify settings for specific users
  Manage password security — length, expiration, etc., prevent user changes to settings
  Specify log-on settings
  Specify log-on times
  Specify log-out settings
  Specify, modify, and delete log-on locations (workstation, server, and link)
  Delete a user’s security
  Specify user dial-in access lists for servers
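How group settings, user-specific settings, log-on times, log-on locations, and password expiration combine at log-on, as an added example that is not from the handbook or from any network operating system. The profile layout, group name, user IDs, and workstation names are hypothetical and the values are constructed.

```python
from datetime import datetime, time, timedelta

# Hypothetical group defaults and per-user overrides (constructed values).
GROUP_SETTINGS = {
    "CLERKS": {
        "logon_days": {0, 1, 2, 3, 4},              # Monday=0 .. Friday=4
        "logon_window": (time(7, 0), time(19, 0)),
        "locations": {"WS-ACCT-01", "WS-ACCT-02"},
        "password_max_age_days": 60,
    }
}
USER_SETTINGS = {
    "JSMITH": {"group": "CLERKS", "password_set": datetime(1996, 1, 15),
               "locations": {"WS-ACCT-01"}},          # narrower than the group
    "MJONES": {"group": "CLERKS", "password_set": datetime(1995, 11, 1)},
}

def effective_profile(user):
    """Start from the group settings, then let user-specific settings override."""
    specific = USER_SETTINGS[user]
    profile = dict(GROUP_SETTINGS[specific["group"]])
    profile.update(specific)
    return profile

def check_logon(user, when, location):
    """Return the list of profile rules this log-on attempt violates (empty = allow)."""
    if user not in USER_SETTINGS:
        return ["unknown user"]                      # deny by default
    p = effective_profile(user)
    start, end = p["logon_window"]
    violations = []
    if when.weekday() not in p["logon_days"] or not (start <= when.time() < end):
        violations.append("outside permitted log-on times")
    if location not in p["locations"]:
        violations.append("log-on location not permitted")
    if when - p["password_set"] > timedelta(days=p["password_max_age_days"]):
        violations.append("password expired")
    return violations

if __name__ == "__main__":
    print(check_logon("JSMITH", datetime(1996, 3, 4, 9, 0), "WS-ACCT-02"))
    print(check_logon("MJONES", datetime(1996, 3, 9, 22, 30), "WS-ACCT-02"))
```
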

Network file security is determined by the level of security that is imposed on the directory in which the file resides. Individual files can be secured by employing password protection or other security mechanisms allowed by the specific application software. Each directory has access rights defined to it that consist of an ordered series of user names and access levels.

The console security/selection function allows the system administrator to prevent unauthorized persons from using the operator console. This function allows the system administrator to assign a console password, lock and unlock the console, and change the console type (i.e., assign operator functions to a workstation).

Network security controls determine how outside users and servers can access the resources in the LAN over dial-up lines, intermediate networks, or wide area networks. Network security tasks include specifying user dial-up access and specifying internetwork access.

Future of LANs/WANs

The future direction of computing is increased information sharing across the organization. A host of technologies are evolving to assist companies in reaching this goal. These technologies include powerful computers connected to large-bandwidth circuits to move huge amounts of information, open systems architectures to connect various hardware systems, portability of software across multiple systems, and desktop multimedia capabilities, to name just a few. The center of these evolving technologies is the LAN/WAN. Office networks will continue to grow rapidly, becoming the lifeline of overall organization activity. The goal is to provide transparent access to local office data across mainframes, minicomputers, and PCs. Network security must grow commensurately. The key is to balance information sharing with information security. The information systems security specialists for the LAN environment of tomorrow will, by necessity, require a high degree of technical hardware and software knowledge.

ASSESSING RISK

In general, risk analysis is used to determine the position an organization should take regarding the risk of loss of assets. Because LANs and WANs represent critical assets to the organization, assessing the risk of loss of these assets is an important management responsibility. The information security industry has used risk analysis techniques for many years. A risk analysis is a formalized exercise that includes:

  Identification, classification, and valuation of assets;
  Postulation and estimation of potential threats;
  Identification of vulnerabilities to threats; and
  Evaluation of the probable effectiveness of existing safeguards and the benefits of additional safeguards.





The CISSP Open Study Guide Web Site

We are proud to bring to all of our members a legal copy of this outstanding book. Of course, this version is getting a bit old and may not contain all of the info that the latest version covers; however, it is one of the best tools you have to review the basics of security. Investing in the latest version would help you out in your studies and also show your appreciation to Auerbach for letting me use their book on the site.