Financial Daily from THE HINDU group of publications
Monday, Mar 21, 2005

eWorld - Books 2 Byte

Hosts are the lowest-hanging fruit on a network...
D. Murali
SAFE. That's the word many old-timers start their letters with. And that's also how CCSP CSI Exam Certification Guide, by Ido Dubrawsky and Paul Grey begins. SAFE is a security blueprint for enterprise networks, a resilient and scalable architecture from Cisco. The book explains the six design objectives in the approach: Security and attack mitigation based on policy, security implementation throughout the infrastructure, secure management and reporting, authentication and authorisation of users and administrators to critical network resources, intrusion detection for critical resources and subnets, and support for emerging networked applications.

So, first, define a security policy. Opt for a restrictive policy that is based on the assumption "everything that is not expressly permitted is prohibited", rather than a permissive policy that assumes, "everything that is not expressly prohibited is permitted." The policy is a bunch of sub-policies, explain the authors. "The SysAdmin, Audit, Network, Security (SANS) Institute defines 27 possible policies," such as acceptable encryption, anti-virus, extranet, remote-access, password-protection, and so on. For instance, `internal-lab security policy' can define how confidential information such as source code is to be protected. Internet DMZ equipment policy can deal with the security of systems lying between the organisation's firewalls and `edge devices' such as routers. "These areas are considered `dirty' or `semitrusted'," point out the authors.

You'd also come across CIA - for confidentiality, integrity, and availability - as the three aims of asset protection. The book classifies `rudimentary network attacks' into reconnaissance, unauthorised access, denial of service, and so on. "Application layer attacks target specific applications such as Web, FTP, or SMTP services," the authors explain, while discussing buffer overflow and string attack.
Trust exploitation is another category; "there are Windows trust relationships in which one domain may trust another domain and provide pass-through authentication." Likewise, there are r-services trust relationships on Unix systems. Attacks such as IP spoofing, packet sniffing, port redirection, Trojan Horse and so on come under `sophisticated network attacks'.

Know that network management can be in-band or out-of-band. The first is about "flow of management traffic that follows the same path as normal network data." To minimise interception and modification of management data, you need to think of making access read-only, and use tunnelling protocols. The second, that is, `out-of-band network management', usually has a parallel path for management data, alongside normal network data. The authors advise that out-of-band is "the least cost-effective" and offers higher security.

There's a `do I know this already?' quiz in most chapters, and a Q&A at the end. There are simple questions such as `what is authentication' and tougher ones like `what is a blind-TCP scan?' Here's an interesting query: "Why do hosts represent the greatest risk on a network?" If you thought hosts are the safest, the answer from the authors can debunk such a myth: "Hosts represent the greatest risk on a network because of the large number of different hardware platforms, operating systems, and applications - each with its own set of patches and updates - and their high visibility." As a result, "hosts represent the lowest-hanging fruit on a network and are the target of choice for an attacker." Good read, even if you don't plan to take the CCSP CSI exam.

Beyond 99 per cent availability
KEITH Hutton and Amir Ranjbar have edited CCDP Self-Study, a book on `designing Cisco network architectures'. It begins with the three primary concerns while deploying an enterprise network. These are performance, scalability, and availability. "Performance might be the least understood term in networking," write the editors, and that may come as a shock. But how so? Because it is normal to define performance as throughput - measured in pps or packets per second. "These are easy numbers to gauge and report, but these values relate to a single switch or router and make no sense when measuring an entire network's performance." Some sage advice, therefore, is to optimise each component, because "only a cohesive, integrated, and optimised network can ensure the best network performance."

Know that metrics or parameters to `reasonably gauge network performance' are three, viz. responsiveness, throughput, and utilisation. Responsiveness is the most important, and "if an application does not respond in an acceptable time, the network's claimed speed is rendered irrelevant." Ensure that responsiveness does not switch from fast to slow, and "ultimately to never" when network utilisation peaks. A similar problem in throughput is `congestive collapse'. Utilisation is an indicator of ROI or return on investment, because it measures "how full the network pipes (links) are."

99 per cent availability may not be enough because it translates to an annual downtime of 3 days, 15 hours, and 36 minutes. Enterprises look for `high availability', that is 99.999 (or `five nines') and 99.9999, especially when applications are mission-critical, employee/customer satisfaction has to be improved, reactive IT support costs are to be reduced, and financial loss is to be minimised. The formula to remember is, `availability = MTBF/ (MTBF + MTTR)' where the abbreviations mean `mean time between failure' and `mean time to repair'.
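The availability arithmetic above, worked through as an added example (not code from the book or from Cisco Press): it applies the MTBF/(MTBF + MTTR) formula, converts an availability figure into the annual downtime the review quotes for 99 per cent, and goes one step beyond the text to show how series and redundant (parallel) components combine, which is why the review's "redundant key components" raise availability. The MTBF and MTTR figures in the demo are constructed, not taken from the book.

```python
from math import prod
from typing import Iterable, Tuple

# A non-leap year: the review's "3 days, 15 hours, 36 minutes" for 99 per cent assumes this.
MINUTES_PER_YEAR = 365 * 24 * 60


def availability(mtbf_hours: float, mttr_hours: float) -> float:
    """Steady-state availability of one component: MTBF / (MTBF + MTTR)."""
    if mtbf_hours <= 0 or mttr_hours < 0:
        raise ValueError("MTBF must be positive and MTTR non-negative")
    return mtbf_hours / (mtbf_hours + mttr_hours)


def annual_downtime(avail: float) -> Tuple[int, int, int]:
    """Expected downtime per year for an availability fraction, as (days, hours, minutes)."""
    if not 0.0 <= avail <= 1.0:
        raise ValueError("availability must be a fraction between 0 and 1")
    minutes = round((1.0 - avail) * MINUTES_PER_YEAR)
    days, rem = divmod(minutes, 24 * 60)
    hours, mins = divmod(rem, 60)
    return days, hours, mins


def series_availability(parts: Iterable[float]) -> float:
    """Every part must be up (e.g. each hop on a path): availabilities multiply."""
    return prod(parts)


def parallel_availability(parts: Iterable[float]) -> float:
    """Any one part being up suffices (redundant supervisor, PSU, fan): 1 - P(all down)."""
    return 1.0 - prod(1.0 - a for a in parts)


if __name__ == "__main__":
    for pct in (99.0, 99.9, 99.99, 99.999, 99.9999):
        d, h, m = annual_downtime(pct / 100.0)
        print(f"{pct:>8}% availability -> {d} d {h} h {m} min downtime per year")
    # Constructed figures: a device failing every 10,000 h and taking 4 h to repair.
    single = availability(10_000, 4)
    print(f"single device: {single:.6f}")
    print(f"two in series:  {series_availability([single, single]):.6f}")
    print(f"two redundant:  {parallel_availability([single, single]):.8f}")
```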
To build highly available networks, you need fault-tolerant devices throughout, having "redundant key components, such as supervisor engine, routing module, power supply, and fan." A book on design that is essential to high-performing networks, so have it on your `high availability' rack.

Books courtesy: Cisco Press (www.ciscopress.com)

Tailpiece

"When I was leaving the office, I saw a stranger entering the computer room."
"Oh, an intruder, perhaps!"
"No, I guess he was from housekeeping."
"Are you sure?"
"Yes, he said, `I've come to clean up everything.'"
Copyright © 2005, The Hindu Business Line.