2 Background to network security
2.3 Network security when using your computer
Before considering the more technical aspects of network security I shall recount what happens when I switch my computer on each morning at The Open University. I hope you will compare this with what happens when you use a computer, and relate it to the issues discussed in this unit.
After pressing the start button on my PC, certain elements of the operating system load before I am asked to enter a password. This was set by the IT administrators before I took delivery of my PC. The Microsoft Windows environment then starts to load and I am requested to enter another password to enable me to access the Open University's network. Occasionally I am told that the password will expire in a few days and that I shall need to replace it with another one. A further password is then requested because I have chosen to restrict access to the files on my machine, although this is optional. While I am waiting I see a message telling me that system policies are being loaded. These policies in my workplace are mainly concerned with providing standard configurations of services and software, but could be used to set appropriate access privileges and specify how I might use the services. Sometimes the anti-virus software begins an automatic update on my machine to counter new threats that have recently been identified.
I can now start my work on my computer, although if I decide to check my email account, or access some information on the Open University intranet, or perhaps seek to purchase a textbook from an online retailer, I may need to enter further user names, account details or passwords. This sequence of events is likely to be fairly typical of the requirements of many work environments and you will, no doubt, appreciate the profusion of password and account details that can result.
In this short narrative I have omitted an essential, yet easily forgotten, dimension of security that affects access to networks – the swipe card on the departmental entrance door and the lock on the door to my room. Although these may be considered mundane and unimportant, they are essential aspects of network security and a common oversight when the focus is on more sophisticated electronic security measures.
An important criterion, which is generally applicable, is that a system can be considered secure if the cost of illicitly obtaining data from it is greater than the intrinsic value of the data. This affects the level of security that should reasonably be adopted to protect, for instance, multi-million pound transfers between banks or a student's record at The Open University.
In this unit I shall introduce some of the fundamental concepts that underpin approaches to achieving network security, rather than provide you with the knowledge to procure and implement a secure network. The Communications-Electronics Security Group is the government's national technical authority for information assurance. If you need to investigate matters relating to procurement and implementation, you should refer to its website (www.cesg.gov.uk), from which you can find an introduction to the Information Assurance and Certification Service and also the Information Technology Security Evaluation and Certification Scheme. The latter scheme enables you to identify products that have undergone security evaluation.
In the next section I shall introduce the categories of attacks that can be launched against networks, before discussing appropriate countermeasures.