Breaking Into the Basics of Network Security

Network security can be as simple as adhering to a set of rules; technology alone can't thwart hack attacks and other security breaches. The following sections include details of just some of these rules.

Use strong passwords

Passwords are often the only protection used on a system. A user ID is only a name and doesn't verify identification, but the password associated with the user ID works as an identifier. Therefore, passwords are the keys to your network, and you should protect them as such. Firewalls and intrusion detection systems mean nothing if your passwords are compromised.

A strong password is one that you can't find in any dictionary — English or foreign. It also means a password that isn't easily guessed. Longer passwords are harder to guess or crack than short passwords are.

Following is a list that you can use to set (and help your users set) strong passwords:

• Use a nonsensical combination of letters: The best passwords appear to be sheer nonsense. For example, if you take the phrase, "Nighty, night and don't let the bed bugs bite," and use just the first letter of each word, your password would appear to be nnadltbbb.

• Include a mix of upper- and lowercase letters: You should include an uppercase letter somewhere other than at the beginning and also include a number. Because the letter l looks like the number 1, you could use a one instead of that letter; your password then becomes: nnAd1tbbb. A password cracker could conceivably still crack this word with a brute force attack (letter by letter), but that process takes many hours.

• Longer passwords are better: Your password should be at least 8 characters long.

• Change your passwords regularly: Even the best passwords should be changed regularly (every 60 days or so) to prevent its being used long term if it's cracked. Many operating systems enable you to set this rule for each user. The user will most likely find this practice inconvenient, but it's smart security.

• Set new passwords instead of reusing the same ones over and over: Your users should not be using the same password again within the same year or even 18 months.

• Don't use a set of characters straight off the keyboard: You should never use something like qwerty, 12345678, or asdfghj for passwords. Even though they look nonsensical, they follow a distinct pattern of consecutive keys on the keyboard and password crackers will break them in seconds.

• Treat your passwords as top-secret information: All passwords should be protected and not shared! This is the biggest security no-no there is. Many users write their passwords on sticky notes attached to their computers or put them under their keyboards. That's not fooling anyone!

Root and administrative level passwords are the keys to the kingdom for an intruder. System administrators with root privileges — that is, with no access restrictions and the ability to make any sort of changes — should therefore have the hardest passwords and the most stringent rules about changing and reusing them.

Follow these guidelines:

• Write down all root passwords and store them in a safe: Then, if an administrator is incapacitated for a time or leaves the job suddenly, the password isn't lost forever. Password recovery programs are available, but you don't really want to rely on them in an emergency.

• Change ALL user passwords if you suspect a root password has been compromised: You can't guarantee that the all the passwords haven't been stolen if an unknown person has a root or administrative level password.

Likewise, if a general user suspects that a password has been stolen or compromised, that user should change the password immediately and notify those in authority at the company.

Always use anti-virus software

Anti-virus software isn't always 100 percent effective, it's better than no protection at all. If you don't have anti-virus software, then how do you know you've never had a virus? Most common viruses are not obvious to the user.

Anti-virus software consists of two parts: the scanning engine and the signature files. You need to regularly update both the scanning engine and the signature files on a regular basis or the anti-virus software will lose its effectiveness. The software program usually has an update command, or you can check at the vendor's Web site for updates.

The scanning engine tells the software how and where to scan, and the signature files are essentially a database of known viruses and their actions. The scanning engine compares files on your computer to the known viruses in the signature files. Anti-virus software is prone to false positives, but that's a small inconvenience for the protection it affords you.

When new viruses are found, anti-virus software vendors issue updates to their .dat files to include the new strain. Occasionally, the scanning engine itself needs updating, too. If one part of the program is updated and the other part is obsolete, it simply won't work properly — but you won't know it's not working until it's too late.

For your anti-virus software to be most effective, you need to install it on individual workstations as well as on all the servers and other computers on your network. That is the only way to catch viruses at all entry points. All removable media, such as floppies and CDs, should be scanned before used on a system. Unfortunately, legitimate software CDs sometimes carry viruses, and floppies that people bring from home may also have viruses on them.

If you install anti-virus software on your Internet gateway servers, the software can catch viruses coming in from outside connections.

Although most viruses target the Windows operating system, you still need anti-virus software on Unix-based and Mac systems. A virus can travel across Unix and Mac systems and will not affect those systems. However, a virus can travel across those systems, and when it encounters Windows-based systems, the virus will start working. I've seen e-mail viruses that were perfectly harmless on a Unix-based e-mail server, but all the workstations were Windows-based. As soon as the mail was retrieved by the Windows-based computers, the computer starting infecting all the other Windows computers it could find.

Always change default configurations

Installing a system right out of the box and leaving it with the default configuration is probably one of the most common mistakes that people make when setting up a network. Default configurations often have default administrative accounts and passwords that hackers the world over know. This applies to routers, hubs, switches, operating systems, e-mail systems, and other server applications, such as databases and Web servers.

In addition to having known passwords on the computers, default configurations contain multiple security holes that you need to plug. Before you ever put any computer online, you should change the default account names and the passwords and apply all security patches. A little bit more time spent on a computer at this point can save you a lot of grief later. The fewer holes you leave on a network, the harder it is for someone to break into your system.