Chapter 8 Telecommunications, Network, and Internet Security

The Telecommunications, Network, and Internet Security Domain encompasses the structures, transmission methods, transport formats, and security measures used to provide integrity, availability, authentication, and confidentiality for transmissions over private and public communications networks and media. Simply stated, a network consists of two or more devices connected together in such a way as to allow them to exchange information.

This chapter is divided into five topic areas. The first section deals with the requirements for telecommunications and network security. The Information Protection Environment section describes the telecommunications and network environment for security consideration. The third section, Security Technology and Tools, explains the types of controls available to mitigate the threats. The final two sections address the assurance aspects of the effectiveness of controls and the management actions used to implement appropriate security.

In this domain, the CISSP should be able to:

• Describe the telecommunications and network security elements as they relate to the transmission of information in local area, wide area, and remote access.
• Define the concepts associated with the Internet, intranet, and extranet communications, such as firewalls, gateways, and associated protocols.
• Identify the communications security management and techniques that prevent, detect, and correct errors so that the protection of information transmitted over networks is maintained.

AU1707_book.fm Page 515 Friday, October 31, 2003 3:44 PM
OFFICIAL (ISC)2 GUIDE TO THE CISSP EXAM

8.1 Information Protection Requirements

Maintaining the security of a distributed environment is one of the greatest concerns for most organizations. The convergence of the Internet, the corporate network, and technologies including microcomputer-based networks, wide area networking, intranets, extranets, e-commerce, wireless technologies, and electronic mail has increased the security exposure of most organizations. Information security managers and executives rely on the assistance of security and audit personnel to devise plans that effectively monitor the complex distributed environments of today and tomorrow.

An organization's information assets have differing levels of value. On one level, there are the costs of hardware, software, and technology used to develop and store data to generate information. On another level, there are the human resource costs of actually collecting and interpreting data in order to store meaningful information for ongoing decision making. Finally, there is the value of keeping the information confidential and secret from outside entities to maintain a competitive advantage.

The goal of network security is to preserve the varying levels of investment, maintaining trustworthy and accurate data, and ensuring a sustainable level of trust in the automated systems used to collect, store, and disseminate accurate, reliable information. Elements making up network security objectives may include:

• Maintaining secure and accessible transmission channels and services.
• Network security mechanisms are interoperable and operational.
• Messages sent are the actual messages received.
• A given message link is between a valid source and destination node.
• Message non-repudiation is available.
• Unauthorized disclosure of messages is prevented.
• Unauthorized disclosure of traffic flows is prevented.
• Remote access mechanisms are secure.
• Security mechanisms are easy to implement and maintain.
• Security mechanisms are transparent to end users.

Today's security professionals have more tools, techniques, and methodologies to meet their objectives, with more becoming available daily.

8.2 Information Protection Environment

Data Networks

A network is an integrated, communicating aggregation of computers and peripherals linked through communications facilities; basically, two or more computers that share resources and data, linked by cabling, telephony, or wireless equipment. The term "data network" refers to the electronic transmission of data. Although the term is usually used to refer to data that is manipulated by computers, it also encompasses traffic derived from other types of systems that have been digitized for transmission, such as voice, video, and images.

Data Network Structures

Data network structures include local area networks (LANs), wide area networks (WANs), the Internet, intranets, extranets, value-added networks, and the World Wide Web. Networks typically contain systems acting as clients and servers. The client computer operates and requests resources from the server. The server provides dedicated and shared resources to the client, including applications, disk storage, printers, and databases. In small networks, the server may also be a client. However, larger networks make a distinction to allow for improved performance, capacity planning, and security.

Systems today include a network-aware or network operating system to coordinate resource allocation, sharing of network-based resources, device management, data protection, and error control. Current system implementations include a range of attached input/output devices, including printers, scanners, faxes, and CD-RW drives, all of which are shared resources for LAN users.

LAN/WAN Environment. The Local Area Network (LAN) is typically a small network, generally limited by geographic bounds such as a building or an office. When a connection of multiple LANs occurs within a larger area, such as a group of buildings, a campus, or a city, a Metropolitan Area Network (MAN) is formed. The final grouping covers many networks over a large geographic area such as a state, a country, or the globe; these are called Wide Area Networks (WANs).

Regardless of the geographic area covered, all types of networks can carry information that is sensitive to the organization. Consequently, planning for the security and privacy of these networks is imperative. The network security plan covers all aspects of the network, from architecture and access to the network, to policies, user awareness, and appropriate practices for the management and operation of the network.

LAN (Local Area Network). A LAN is primarily limited to a small geographical area or one site, such as an office building. However, LANs may be limited for technical reasons as well, such as reaching the limits on network connections or cable length. Many of today's environments incorporate a vast array of computing equipment, including PCs, minicomputers and mainframes, network printers, and storage. Although a LAN itself has certain limitations, LANs can be connected together to form larger networks. A LAN is either peer-to-peer or client/server (server based). Peer-to-peer networks share resources between computers and are directly connected. Client/server networks have a dedicated machine as a server that provides resources, data, and security.

LANs are interconnected using a backbone LAN. The backbone provides resources to each of the LANs and transmits data from one LAN to another, as required. Backbone networks are built like any other LAN; however, they tend to use high-capacity cabling, as the backbone must be capable of carrying a larger amount of traffic than each individual LAN. Additionally, the backbone has similar security risks, as it sees all the traffic flowing between devices on the backbone as well as traffic between the LAN segments.

WAN (Wide Area Network). A WAN is a data communications network that serves users across a broad geographic area and often uses transmission services provided by common carriers. These services include Frame Relay, SMDS, and X.25.

Internet. The Internet is a worldwide system of computer networks: a network of networks linking computers to computers sharing the TCP/IP protocols. If they have permission, users at any one computer can get information from any other computer. Each runs software to provide or serve information or to access and view information. The Internet is the transport vehicle for the information stored in files or documents on another computer.

Intranet. The term "intranet" commonly refers to the application of Internet technologies within an organization. Unlike the Internet, which must support all TCP/IP applications, a corporate intranet can be tailored to the specific requirements of an organization. For example, if users need to transfer files, a File Transfer Protocol (FTP) application must be obtained. Similarly, the ability to provide direct point-to-point communications between individuals or groups of employees can be satisfied through the Simple Mail Transfer Protocol (SMTP) application, and the ability to access computer systems remotely would be satisfied through the use of a terminal emulator such as Telnet or TN3270 for access to an IBM mainframe.

An intranet represents much more than installing a browser and letting users access a Web server connected to the corporate network. Although Web browsers and Web servers can play an important role in a corporate intranet, they represent just two of the many technologies that can be used on a TCP/IP network. An intranet can also support other non-Internet applications, such as transferring legacy SNA traffic from PCs using emulation boards or TCP/IP traffic from PCs connected to LANs.

Extranets. Extranets have been around as long as the first rudimentary LAN-to-LAN networks began connecting two different business entities together to form WANs. In its basic form, an extranet is the interconnection of two previously separate LANs or WANs with origins from different business entities. This term emerged to differentiate between the previous definitions of an external "Internet" connection and just a company's internal intranet.

Value-Added Networks. Companies operating computers for others are known as service bureaus. Private companies, the common carriers, have operated communications systems on behalf of others for a century or more; the telephone companies are the best example. Certain vendors of communications services combine the message transmission of the common carriers with the specialized processing of the service bureaus. These are known as value-added networks (VANs).

Different VANs can respond differently to a company's needs. Some VANs have advantages in technology strength. Some offer low prices. Thus, the selection of communication type and VAN needs careful investigation to ensure that a company can gain maximum benefits from the service implementation, and that the selected alternatives can serve a company's needs without introducing problems.

World Wide Web (WWW). The World Wide Web is a set of services on the Internet that provides archives of information accessible via browsers and search engines. The data is presented in hypertext format, with links to other Internet sites. Graphics, video, and audio can be included in the hypertext document, or as a linked document.

Data Network Components

There are four main components of a data communications system: a terminal or computer, network software or operating systems, a communications adapter, and the communications channel.

A terminal can be either dumb or intelligent. An example of the former is the 3270 terminal used in the mainframe environment; an example of the latter is a PC or workstation. The difference is that the terminal relies on a host for processing and storage, which provides economic advantages; a PC or workstation contains its own processing and storage resources. Through a technique called emulation, a PC or workstation can act like a traditional 3270 terminal to communicate with a host, to provide flexibility.

A network operating system is a special control program that sets up the connections and manages the flow of data over the communications channel. In addition to link setup and flow control, the communications software may perform other functions such as error correction, data compression, and encryption.

The communications adapter provides the interface between the terminal or PC and the communications facility. There are many kinds of communications adapters, the choice of which depends on the type of communications lines or services being used.

When analog lines are used for the communications channel, the device used is a modem. A modem, or modulator-demodulator, converts the digital signals generated by the terminal or PC into analog signals suitable for transmission over dial-up telephone lines or voice-grade leased lines. Another modem, located at the receiving end of the transmission, converts the analog signals back into digital form for manipulation by the data recipient. A modem can be used to transfer files, access remote electronic mail services, connect to mainframes or servers from remote sites, share printers and access file or application servers, or connect to the Internet.

Another type of communications adapter is the channel service unit/digital service unit (CSU/DSU), which provides the interface between data communications equipment such as multiplexers and digital lines (i.e., T1). The CSU/DSU encodes serial data from terminals or computers and performs wave-shaping of the transmit signal before it is sent over the digital facility to ensure an acceptable level of network performance. This device is also used by the telephone company and the customer for routine testing and for isolating problems on the network.

Different types of communications adapters are also required for connection to other services, such as X.25 and Frame Relay, which are packet services. Among other things, these types of communications adapters assemble data into packets or frames for transmission over the network and perform disassembly at the receiving end. In addition, flow control and congestion management functions are performed.

The communications channel provides the means by which data is transmitted from one point on the network to another. In a wide area network, the channel is provided by a leased line or carrier-provided service. Perhaps the best-known example of a digital line or service is T1, which provides 1.544 Mbps of aggregate bandwidth. This amount of bandwidth can be used as a single channel for a high-speed data application, or it can be divided into as many as 24 channels of 64 Kbps each for use by many lower-speed applications. Channel derivation is usually accomplished through a T1 multiplexer. Computers and other equipment are plugged into the multiplexer on the terminal side and assigned a dedicated channel for transmission on the network side. At the receiving end, another multiplexer routes the channels to the appropriate computer or other equipment.

LAN/WAN Components. PCs are an integral part of the LAN
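The T1 channel derivation described in the paragraph on the communications channel above (24 channels of 64 Kbps derived from a 1.544 Mbps line by a multiplexer, with another multiplexer at the far end routing each channel back to its own equipment) can be modelled in a few lines. The following is an added example, not code from the book: it assumes a simplified DS1 frame of one 8-bit sample per channel plus a single constant framing bit (real T1 framing uses rotating framing patterns, which are omitted here), and the channel contents "HELLO" and "WORLD" are constructed for the demonstration.

```python
# Added example (not from the book): a simplified model of T1 channel
# derivation by time-division multiplexing. Each frame carries one 8-bit
# sample from each of 24 channels plus one framing bit (193 bits), and
# 8,000 frames are sent per second, which yields the 1.544 Mbps line rate
# and the 64 Kbps per-channel rate quoted in the text.

FRAMES_PER_SECOND = 8_000
CHANNELS = 24
BITS_PER_SAMPLE = 8
FRAMING_BITS = 1          # simplification: a single constant framing bit
FRAME_BITS = CHANNELS * BITS_PER_SAMPLE + FRAMING_BITS   # 193


def t1_bandwidth_bps():
    """Aggregate line rate: (24 * 8 + 1) bits per frame * 8000 frames/s."""
    return FRAME_BITS * FRAMES_PER_SECOND


def channel_bandwidth_bps():
    """Each derived channel gets one 8-bit sample per frame: 8 * 8000 = 64 Kbps."""
    return BITS_PER_SAMPLE * FRAMES_PER_SECOND


def multiplex(channel_streams, framing_bit="1"):
    """Interleave 24 byte streams (terminal side) into 193-bit frames (network side).

    channel_streams: list of 24 bytes objects of equal length, one byte per
    frame per channel; an idle channel supplies 0x00 bytes. Each returned frame
    is a string of bits: framing bit, then 8 bits for channel 1 ... channel 24.
    """
    if len(channel_streams) != CHANNELS:
        raise ValueError(f"expected {CHANNELS} channel streams")
    n = len(channel_streams[0])
    if any(len(s) != n for s in channel_streams):
        raise ValueError("all channel streams must have the same length")
    frames = []
    for i in range(n):
        bits = framing_bit
        for stream in channel_streams:          # fixed time slot per channel
            bits += format(stream[i], "08b")
        frames.append(bits)
    return frames


def demultiplex(frames):
    """Reverse of multiplex: recover the 24 byte streams from 193-bit frames."""
    streams = [bytearray() for _ in range(CHANNELS)]
    for frame in frames:
        if len(frame) != FRAME_BITS:
            raise ValueError("malformed frame length")
        payload = frame[FRAMING_BITS:]          # strip the framing bit
        for ch in range(CHANNELS):
            chunk = payload[ch * BITS_PER_SAMPLE:(ch + 1) * BITS_PER_SAMPLE]
            streams[ch].append(int(chunk, 2))
    return [bytes(s) for s in streams]


def build_demo_streams():
    """Constructed sample input: channel 1 carries 'HELLO', channel 24 carries 'WORLD', others idle."""
    idle = bytes(5)
    streams = [idle] * CHANNELS
    streams[0] = b"HELLO"
    streams[23] = b"WORLD"
    return streams


if __name__ == "__main__":
    print(t1_bandwidth_bps(), "bps aggregate")        # 1544000
    print(channel_bandwidth_bps(), "bps per channel") # 64000
    frames = multiplex(build_demo_streams())
    recovered = demultiplex(frames)
    print(recovered[0], recovered[23])                # b'HELLO' b'WORLD'
```

Because each device is bound to a fixed time slot, one channel's traffic never appears in another channel's slot; the receiving multiplexer simply reads slot N for equipment N, which is why the text can describe each assigned channel as dedicated.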