WARNING: This site is intended for online use only; mass-downloading of pages degrades the server and is prohibited.
If you attempt to use tools to mass-download the site, you may be blocked permanently by automated software.
If you want to read this CertiGuide offline, please use one of the links on the left to purchase a convenient PDF copy. Thank you.

Get this Security+ CertiGuide for your own computer.
Click Here!
Use coupon code "certiguide" to save 20%!
(Expires 2004/12/31)

Also available: 300-question Security+ practice test!
Get It Here!

Google
Web CertiGuide






Table Of Contents  CertiGuide to Security+
 9  Chapter 1:  General Security Concepts (Domain 1.0; 30%)

Previous Topic/Section
1.2.8  Biometrics
Previous Page
Pages in Current Topic/Section
1
2
Next Page
 Pop Quiz 1.1
Next Topic/Section

1.3  Non-Essential Services and Protocols
(Page 2 of 2)

Doing More: Defense In Depth



This approach does not stop at boundary firewalls, routers and servers. “Defense in depth” is an important concept. Don’t rely on a single barrier to protect your sensitive data and system operations. Instead, erect multiple zones of security around your resources, to help ensure that they cannot be compromised if a single security mechanism fails due to a software bug, operator error, etc. Apply the same level of security to your internal systems as you would to your external systems. Remember that according to various studies up to 80% (average +/- 70%) of data compromises come from within. (These numbers vary widely, with recent figures trending substantially lower – around 30%. Nevertheless, keep in mind that internal attacks generally are more likely to be successful, and result in higher-valued losses, so even if they are in the minority, they’re worth paying attention to.)

The exact specifics of doing this vary based on where you are disabling things. Each router manufacturer typically has its own command language or menu system for enabling and disabling TCP/IP protocol ports. Similarly, ea=ch OS has a different way (sometimes more than one) to control services and TCP/IP. It’s best to see your vendor’s documentation for the most up-to-date information on how to do this.

The good news here is that extensive preventive pessimistic tweaking is becoming less necessary as operating systems evolve. More and more frequently, we’re finding services, like FTP on certain Linux distributions, and the IIS web server on Microsoft Windows .Net Server, disabled by default “out of the box”.

Remember of course that a balance must be struck between functionality and security. If your organization is impeded from conducting business due to excessive security restrictions, your salary may be drastically affected! Section 5 deals with Operational and Organizational Security.

Have a Test Bench

Find a server on your network that you can use for an experiment (this usually means, a server not in active use at the present time!). Ideally, choose one that can be accessed from the net. What services are running on it? On many systems, you can get a good start on determining this with the “netstat –a” command, looking up the port numbers listed for each local connection, in a recent port numbers list, such as the one from the Microsoft Windows 2000 Resource Kit63. For UNIX and Linux systems, you can also consult inetd.conf, to find out what servers are available, but which don’t run until they receive a network request for that service.



 __________________

63. “Port Assignments and Protocol Numbers”, http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_zqyu.asp

Previous Topic/Section
1.2.8  Biometrics
Previous Page
Pages in Current Topic/Section
1
2
Next Page
 Pop Quiz 1.1
Next Topic/Section

If you find CertiGuide.com useful, please consider making a small Paypal donation to help the site, using one of the buttons below. You can also donate a custom amount using the far right button (not less than $1 please, or PayPal gets most/all of your money!) In lieu of a larger donation, you may wish to consider buying an inexpensive PDF equivalent of the CertiGuide to Security+ from StudyExam4Less.com. (Use coupon code "certiguide" by December 31, 2004 to save 20%!) Thanks for your support!
Donate $2
Donate $5
Donate $10
Donate $20
Donate $30
Donate: $


Home - Table Of Contents - Contact Us

CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004

Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.