78
Chapter 8. Hardware and Network Protection
segment where inbound traffic from the Internet would only be able to access those services in the
DMZ. This is effective because, even if a malicious user compromises a machine in the DMZ, the rest
of the internal network lies behind a firewall on a separate segment.
Most enterprises have a limited pool of publicly routable IP addresses from which they can host
external services, so administrators utilize elaborate firewall rules to accept, forward, reject, and deny
packet transmissions. Firewall policies implemented with iptables or dedicated hardware firewalls
allow for complex routing and forwarding rules, which administrators can use to segment inbound
traffic to specific services at specified addresses and ports, as well as allow only the LAN to access
internal services, which can prevent IP spoofing exploits. For more information about implementing
iptables, refer to Chapter 7.
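The DMZ and anti-spoofing policy described above, written out as an iptables ruleset. This is an added example, not a script from the guide; it assumes a constructed topology (eth0 facing the Internet, eth1 the DMZ 172.16.1.0/24 with a web server at 172.16.1.10, eth2 the LAN 192.168.1.0/24) and prints the rules by default, applying them only when run as root with IPT=iptables.

```shell
#!/bin/sh
# Constructed topology (assumption for this example, not from the guide):
#   eth0 = Internet, eth1 = DMZ 172.16.1.0/24 (web server 172.16.1.10),
#   eth2 = LAN 192.168.1.0/24.
# IPT defaults to "echo iptables" so the rules can be reviewed first;
# run with IPT=iptables as root to actually load them.
IPT="${IPT:-echo iptables}"
WAN=eth0; DMZ=eth1; LAN=eth2
DMZ_NET=172.16.1.0/24; LAN_NET=192.168.1.0/24; WEB=172.16.1.10

dmz_firewall() {
    # Forward nothing unless a rule below explicitly allows it.
    $IPT -P FORWARD DROP

    # Anti-spoofing: a packet arriving from the Internet must never claim
    # a DMZ or LAN source address, and a DMZ packet must come from the DMZ.
    for net in $DMZ_NET $LAN_NET; do
        $IPT -A FORWARD -i $WAN -s $net -j DROP
    done
    $IPT -A FORWARD -i $DMZ ! -s $DMZ_NET -j DROP

    # Replies to connections already permitted may flow back.
    $IPT -A FORWARD -m state --state ESTABLISHED,RELATED -j ACCEPT

    # The Internet may reach only the DMZ web server, only on HTTP/HTTPS.
    $IPT -A FORWARD -i $WAN -o $DMZ -d $WEB -p tcp \
        -m multiport --dports 80,443 -j ACCEPT

    # A compromised DMZ host must not initiate connections into the LAN.
    $IPT -A FORWARD -i $DMZ -o $LAN -j DROP

    # The LAN may reach the DMZ and the Internet.
    $IPT -A FORWARD -i $LAN -s $LAN_NET -j ACCEPT

    # Internal services on the firewall itself (here SSH) are reachable
    # from the LAN only; the same port is dropped on the Internet side.
    $IPT -A INPUT -i $LAN -s $LAN_NET -p tcp --dport 22 -j ACCEPT
    $IPT -A INPUT -i $WAN -p tcp --dport 22 -j DROP

    # Map the public address to the DMZ web server for inbound HTTP/HTTPS.
    $IPT -t nat -A PREROUTING -i $WAN -p tcp -m multiport --dports 80,443 \
        -j DNAT --to-destination $WEB
}

dmz_firewall
```

Rule order matters: the anti-spoofing drops come first so a forged source address is discarded before any ACCEPT rule can match it, and the ESTABLISHED rule precedes the DMZ-to-LAN drop so replies to LAN-initiated connections still pass.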
8.2. Hardware Security
According to a study released in 2000 by the FBI and the Computer Security Institute (CSI), over
seventy percent of all attacks on sensitive data and resources reported by organizations occurred from
within the organization itself. Implementing an internal security policy appears to be just as important
as an external strategy. The following sections explain some of the common steps administrators and
users can take to safeguard their systems from internal malpractice.
Employee workstations, for the most part, are not as likely to be targets for remote attack, especially
those behind a properly configured firewall. However, there are some safeguards that can be implemented
to avert an internal or physical attack on individual workstation resources.
Modern workstation and home PCs have BIOSes that control system resources on the hardware level.
Workstation users can also set administrative passwords within the BIOS to prevent malicious users
from accessing the system. BIOS passwords prevent malicious users from booting the system at all,
deterring the user from quickly accessing or stealing information stored on the hard drive.
However, if the malicious user steals the PC (the most common case of theft being frequent travelers who
carry laptops and other mobile devices) and takes it to a location where they can disassemble the PC,
the BIOS password does not prevent the attacker from removing the hard drive, installing it in another
PC without BIOS restrictions, and mounting the hard drive to read any contents within. In these cases, it
is recommended that workstations have locks to restrict access to internal hardware. Hardware such
as lockable steel cables can be attached to PC and laptop chassis to prevent theft, as well as key locks
on the chassis itself to prevent internal access. Such hardware is widely available from manufacturers
such as Kensington and Targus.
Server hardware, especially production servers, is typically mounted on racks in server rooms. Server
cabinets usually have lockable doors, and individual server chassis are also available with lockable
front bezels for increased security from errant (or intentional) shutdown.
Enterprises can also use co-location providers to house their servers, as co-location providers offer
higher bandwidth, 24x7 technical support, and expertise in system and server security. This can be an
effective means of outsourcing security and connectivity needs for HTTP transactions or streaming
media services. However, co-location can be cost prohibitive, especially for small to medium sized
businesses. Co-location facilities are known for being heavily guarded by trained security staff and
tightly monitored at all times.