Why doesn't a digital signature mean that an ActiveX control is secure?

1. A security policy describes security rules for your computer systems and defends against all known threats.

2. The first step in establishing a security policy is to establish functional requirements, features, and security requirements.

3. Automated security policies avoid the weakness of having to be enforced by humans.

4. An appropriate use policy allows users to understand their security responsibilities.

5. Users should not be required to change passwords often; rather, they should select extremely strong passwords, which can be relied upon for much longer periods of time than simple passwords.

6. Eight characters should be the minimum length of a password in today's environment.

7. Enforcing password lockout after a number of failed attempts defeats automated online password guessing, because the attacker gets only a handful of guesses before the account locks.

8. Execution environments are dangerous because they can be exploited to propagate viruses and Trojan horses.

9. Java is limited to a sandbox environment, which, while not perfect, is far more secure than the unlimited ActiveX execution environment.

10. Digital signatures are only a means of verification; they do not perform any security function beyond attesting that content has not been modified and that it originates from a known source.

Terms to Know
• ActiveX
• application
• appropriate use policy
• attachment
• content signing
• execution environment
• firewall
• group policies
• Java
• lessons learned
• macro
• password
• permissions
• policy
• requirements
• sandbox
• system
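The password answers above (5 through 7) state that lockout after failed attempts defeats automated guessing. The following is an added example, not code from the book, that shows what that means in numbers: a minimal lockout policy, a simulated attacker guessing at a fixed rate against one account, and a count of how many guesses the server actually evaluated with and without the lockout. The policy thresholds, the account name and the plaintext credential store are assumptions chosen for the simulation; a real store would hold salted password hashes.

```python
"""Account lockout as a rate limit on online password guessing.

Added example (not from the book): a minimal lockout policy and a simulated
guessing attack against one account.  Names, thresholds and the sample
account are assumptions chosen for illustration; the credential store is
plaintext only so the simulation stays short.
"""
import hmac
from dataclasses import dataclass


@dataclass
class LockoutPolicy:
    max_failures: int = 5          # consecutive failures that trigger a lockout
    lockout_ms: int = 900_000      # lockout duration: 15 minutes, in milliseconds


@dataclass
class AccountState:
    failures: int = 0
    locked_until_ms: int = 0


class Authenticator:
    """Checks passwords and enforces the lockout policy.  Time is passed in
    explicitly (milliseconds) so the simulation needs no real clock."""

    def __init__(self, policy: LockoutPolicy, credentials: dict[str, str]):
        self.policy = policy
        self.credentials = credentials      # user -> password (constructed, plaintext for demo only)
        self.state: dict[str, AccountState] = {}
        self.comparisons = 0                # guesses the server actually evaluated

    def attempt(self, user: str, password: str, now_ms: int) -> str:
        st = self.state.setdefault(user, AccountState())
        if now_ms < st.locked_until_ms:
            return "locked"                 # rejected without looking at the guess
        self.comparisons += 1
        expected = self.credentials.get(user)
        if expected is not None and hmac.compare_digest(expected.encode(), password.encode()):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= self.policy.max_failures:
            st.failures = 0
            st.locked_until_ms = now_ms + self.policy.lockout_ms
            return "locked"
        return "fail"


def guesses_evaluated(policy: LockoutPolicy, duration_s: int, rate_per_s: int = 100) -> int:
    """Hammer one account at rate_per_s guesses per second for duration_s
    seconds and return how many guesses were actually compared to the password."""
    auth = Authenticator(policy, {"alice": "correct horse battery staple"})
    step_ms = 1000 // rate_per_s
    n = 0
    for now_ms in range(0, duration_s * 1000, step_ms):
        auth.attempt("alice", f"wrong-{n}", now_ms)
        n += 1
    return auth.comparisons


if __name__ == "__main__":
    one_hour = 3600
    print("guesses evaluated in one hour, with lockout:   ",
          guesses_evaluated(LockoutPolicy(), one_hour))
    print("guesses evaluated in one hour, without lockout:",
          guesses_evaluated(LockoutPolicy(max_failures=10**9), one_hour))
```

With five failures and a 15-minute lock, an attacker who never pauses gets 20 guesses evaluated per hour instead of 360,000. Two caveats follow from the code: the counter only governs online guessing, so an attacker holding a copy of the password hashes is not slowed at all, and the same counter lets anyone lock a user out on purpose, which is why the lock is time-limited here rather than permanent.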

Chapter 5: Border Security

Overview

Where does your network stop, and the Internet begin? That's like asking where one country stops and another starts. The line between them is merely a subjective boundary where one set of rules starts and another set of rules stops. But like the border between China and Russia, where one country is built out and densely populated right to the edge while the other is nothing but forest for hundreds of miles, the place where the force of these two sets of networking rules meet delineates a dramatic change in the character of the networking landscape.

Firewalls, also called border gateways, are routers whose purpose is to give administrators fine-grained control over which traffic is passed to and from the Internet and which is rejected. Modern firewalls also perform on-the-fly modification of streams, authentication, and tunneling in order to further eliminate threats from the Internet.

firewall: A gateway that connects a private network to a public network and enforces a security policy by allowing only those connections that match the device's security settings.

border gateway: A firewall.

tunneling: The process of encapsulating packets within IP packets for the purpose of transporting the interior packets through many public intermediate systems. When reassembled at the remote end, the interior packets will appear to have transited only one router on the private networks.

Firewalls are the foundation of border security. The strength of your border security is equal to the strength of your firewalls and their proper configuration. Firewall security is by far the most important aspect of Internet security.

Principles of Border Security

Your network and the Internet both utilize TCP/IP as a connection methodology, and since you have at least some valid Internet addresses, your network is technically just part of the larger Internet.
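The firewall definition above says a border gateway "allows only those connections that match the device's security settings." The following is an added example, not code from the book, of what that looks like as a rule set: a stateless packet filter in which the first matching rule wins and anything unmatched is denied. The private range 10.0.0.0/8, the web server and tunnel peer addresses, the Internet hosts in the 198.51.100.0/24 and 203.0.113.0/24 documentation ranges, and the sample packets are all constructed for illustration.

```python
"""Stateless border packet filter: first matching rule wins, default deny.

Added example, not code from the book.  Addresses, rules and packets are
constructed for illustration: 10.0.0.0/8 plays the private network, and the
documentation ranges 198.51.100.0/24 and 203.0.113.0/24 play Internet hosts.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

INSIDE = "10.0.0.0/8"           # assumed private address space
DMZ_WEB = "10.0.1.80/32"        # assumed public web server
TUNNEL_PEER = "203.0.113.7/32"  # assumed remote tunnel endpoint


@dataclass(frozen=True)
class Packet:
    iface: str                  # "ext" = arrived from the Internet, "int" = from the private side
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", "ipip" (IP-in-IP tunnel, protocol 4)
    dport: Optional[int] = None
    syn_only: bool = False      # TCP SYN without ACK: a new connection attempt


@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    comment: str
    iface: Optional[str] = None
    src: Optional[str] = None   # CIDR; None matches anything
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None
    syn_only: Optional[bool] = None

    def matches(self, p: Packet) -> bool:
        return (
            (self.iface is None or self.iface == p.iface)
            and (self.src is None or ip_address(p.src) in ip_network(self.src))
            and (self.dst is None or ip_address(p.dst) in ip_network(self.dst))
            and (self.proto is None or self.proto == p.proto)
            and (self.dport is None or self.dport == p.dport)
            and (self.syn_only is None or self.syn_only == p.syn_only)
        )


BORDER_RULES = [
    # Anti-spoofing first: an inside source address can never legitimately arrive from the Internet.
    Rule("deny", "spoofed inside address from Internet", iface="ext", src=INSIDE),
    Rule("allow", "public web server", iface="ext", dst=DMZ_WEB, proto="tcp", dport=80),
    Rule("allow", "tunnel from known peer", iface="ext", src=TUNNEL_PEER, proto="ipip"),
    Rule("deny", "no other new inbound connections", iface="ext", proto="tcp", syn_only=True),
    Rule("allow", "return traffic for connections opened from inside", iface="ext", proto="tcp", syn_only=False),
    Rule("allow", "outbound from inside", iface="int", src=INSIDE),
]

DEFAULT = Rule("deny", "default deny: no rule matched")


def filter_packet(rules: list[Rule], p: Packet) -> Rule:
    """Return the first rule that matches p, or the default-deny rule."""
    for rule in rules:
        if rule.matches(p):
            return rule
    return DEFAULT


if __name__ == "__main__":
    samples = [
        Packet("int", "10.0.5.20", "198.51.100.9", "tcp", 443, True),    # user browsing out
        Packet("ext", "198.51.100.9", "10.0.5.20", "tcp", 40000, False), # reply to that session
        Packet("ext", "198.51.100.9", "10.0.1.80", "tcp", 80, True),     # visitor to web server
        Packet("ext", "198.51.100.9", "10.0.5.20", "tcp", 22, True),     # SSH attempt at a workstation
        Packet("ext", "10.0.5.20", "10.0.1.80", "tcp", 80, True),        # spoofed inside address
        Packet("ext", "203.0.113.7", "10.0.0.1", "ipip"),                # tunnel from the known peer
        Packet("ext", "198.51.100.9", "10.0.0.1", "ipip"),               # tunnel from a stranger
    ]
    for p in samples:
        r = filter_packet(BORDER_RULES, p)
        print(f"{r.action:5} {p.iface} {p.src} -> {p.dst} {p.proto} {p.dport or ''}  # {r.comment}")
```

Rule order is the whole point: the spoofed packet to the web server would match the "public web server" rule, so the anti-spoofing deny has to sit above it. The "return traffic" rule is the stateless approximation of an established connection, so any inbound TCP segment with ACK set passes whether or not a connection exists; that weakness is the reason stateful firewalls track connections rather than trusting header flags.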
From a security standpoint, your network is actually defined as that place where you begin to enforce rules about how the network will be used. Outside those borders, it's no-man's land. Like nations, you could simply have open borders and enforce security within every city. This would be analogous to having servers and clients placed directly on the Internet and requiring them to each handle their own security. This is exactly how the Internet worked originally. Prior to 1990, there were so few hacking attempts (CERT listed only six for 1988) that serious attempts at security would have been an unnecessary distraction.

Tip: This chapter serves as an introduction to border security. Border security is a vast topic that would easily fill a book. I recommend mine: Firewalls 24seven, 2nd Ed. (Sybex, 2002).

But today, enforcing security at every machine within your network would put a serious burden on your users and staff, and you would have no control over the use of bandwidth within your network; hacking attempts could reach inside your network and propagate there. Universities began having this problem in the early nineties, as students began setting up