
Business Computing-1-July-Dec-14


Section B (30 marks)

(Attempt any three)

  1. Some high-level programming languages use an interpreter instead of a compiler to translate instructions into machine code. Comment.
  2. Discuss the concept of storage management in time sharing system.  
  3. Explain the concept of resource sharing and cost reduction in computer network.
  4. What is Windows 7 Taskbar? Discuss the functions of Windows 7 Taskbar.


Section C (50 marks)

(Attempt all questions. Every question carries 10 marks)

Read the case “Connecting a Classified Network to the Internet” and answer the following questions:

Case Study: Connecting a Classified Network to the Internet

A classified (computer) network is one that stores information that is sensitive and should not be made available to the general public. This may be:

  • Military secrets
  • Financial records
  • Personnel records
  • Trade secrets

Generally only the first type of information, military secrets, will make classification mandatory, but lower classifications (NATO RESTRICTED or equivalent) may be imposed by civil law. The purpose of this case study is to point out some common elements from the guidelines published to regulate computer security, and to suggest administrative action and technical solutions to build a network that may be connected to the Internet and still obtain or retain a classification up to and including NATO RESTRICTED. The author is not aware of any standard that will allow a system classified at NATO CONFIDENTIAL or higher to be connected to a public network (the Internet). Note that the standards mentioned (BS 7799, ITSEC, Common Criteria and so on) only tell you what to achieve, not how. In Europe, certification schemes are coordinated by the European co-operation for Accreditation and will be quite similar from country to country.

For the rest of this case study the internal, classified network will be referred to as the R-net. (R=Restricted).

What’s changed?

For years the standard way to protect R-networks from intrusion was simply not to connect them to any external network. The rationale was that a hacker cannot compromise what he or she cannot physically connect to. This still holds true today: network devices such as hubs, routers and switches merely extend the physical cable. Interrupt the stream of electrons (or radio waves or optical signals) and data traffic stops instantly. With the widespread use of the Internet the situation has changed. Even organizations holding information that must remain protected find that they need an Internet connection in their day-to-day tasks, or that their employees demand it. Many of them have simply connected their R-net to the Internet, separated only by a network device called a "firewall", and pray that they will not be compromised.

In most countries, the fact that organizations, both governmental and private, store highly sensitive information on networks that might be reachable from the public Internet is unnerving. Governments in the western world, including the United States and most of the European Union, have now passed laws that require all classified networks to be protected. In Europe a government agency is usually required to check and approve a network before it may store classified information.

Where to start

The procedures in this case study might be helpful in these situations:

  • The network will be connected to the Internet and is storing classified data.
  • The network is presently connected to the Internet, and you’re going to store classified data.
  • You are presently both connected to the Internet and storing classified data and praying your firewall will protect you (bad idea…).

Although this case study assumes that the reason for protecting the internal network is to obtain or retain an official classification, more and more organizations realize that they store sensitive information that they are morally, and perhaps legally, required to protect.

The first thing to get in place is backing from management. To do this, an official information security policy (ISP) identifying what assets need protecting and why should be written and signed by the CEO. It is not easy to find templates for security policies, but the research project "What do I put in a security policy" by William Farnsworth on the GSEC pages of SANS is a good starting point. You might find that the sample security policy provided there has all you need.

Now you are ready to plan how you will meet the demands set by the policy (or the approving body) on your network. A good roadmap for this process is British Standard 7799. It comes in two parts:

1. The standard code of practice.

2. Information Security Management System (ISMS) standard specification.

  • Step one, the Information Security Policy, is not discussed in detail here.
  • To define the scope of the ISMS you should describe the following:

Conceptual aspects of security:

  • The extent and purpose of the network.
  • What classification you want to obtain.
  • How traffic between the classified and unclassified network should be handled.
  • Whether commercial off-the-shelf (COTS) hardware and software or tailor-made solutions should be used.
  • A drawing of the network as you plan to implement it.

Control Objectives and Controls

Here you describe, in detail, how you plan to implement the ISMS:

a) A list of all the documents that are needed to regulate computer security (contingency plan, access policy, and computer security policy).

b) The hardware (secure placement, cabling, marking and protection against electromagnetic radiation).

c) Handling of data storage devices (floppies, tapes, hard disks and so on).

d) Handling of print devices.

e) Data communication (e.g. encryption: yes/no, and what kind).

f) System configuration control and maintenance.

Finally you should produce a document called the Statement of Applicability. This document identifies all your controls, justifies how each mitigates the risk, and shows how they map to BS 7799 or whatever standard you are using. If you deviate from the standard you must be able to explain why your implementation is better.

The Classification Process

With all your paperwork in order you should contact whatever body you want to classify your network (either a government agency or high-level management). If you do not seek official classification you should also present a cost analysis at this point. Management might care about this aspect; a government agency will not! Note that few or none of the countermeasures in your plan are in place yet, but not to worry. When you first present your plan, an official body more often than not has some additions or changes you need to include. Finally, when you get acceptance of your policy and plan, it is time to start thinking about implementation.

Doing the work

The first part of implementation is a lot of writing. You will need to write procedures for just about every aspect of your IT operation: backup, restore, user management, file and print access, logging, mail and web access, and so on. You also need a full, detailed inventory of your computer network configuration. The procedures are referenced in the applicable policy. When this is done you should turn your attention to your physical network. You will need to evaluate whether you are going for a strong perimeter defence, hardening the inside, or both. Of course a strong perimeter defence and a hardened inside is ideal, but building this to perfection might be a daunting task. Further, you need to decide how you should handle traffic going to and from the public network to your protected network (or how to avoid it). Usually your greatest concern is to stop data from your protected network being sent to the public network, which would compromise the confidentiality of your data; but having unwanted data from the public network get in is not good either, as that threatens both integrity and availability.

The router may be complemented with an application layer gateway, or proxy, which applies access control at a higher level (the application layer). But beware that no firewall (packet-filtering, stateful, proxy or other) is secure out of the box. For example, some well-known firewalls are configured by default to allow all connections initiated from the inside. This is not desirable: if a Trojan is introduced into the R-net it may be able to open an outbound connection to its "master". The safer default is to deny outbound traffic and permit only what the policy explicitly needs, typically traffic from R-net workstations to the proxy alone.
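As an added illustration of that default-allow trap (example code written for this page, not part of the case study or any firewall product), the small evaluator below models first-match packet-filter rules and checks whether a Trojan on an R-net workstation could reach an arbitrary Internet host directly. The address plan (R-net 10.1.0.0/24, C-net 192.0.2.0/24, a proxy at 192.0.2.10 listening on 3128) and both rule sets are assumptions chosen for the demonstration.

```python
"""Toy first-match packet-filter evaluator contrasting a default-allow-outbound
firewall with an egress-restricted one.  Constructed example: the addresses,
ports and rule sets below are assumptions, not from the case study."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port, None = any port


# Assumed address plan.
R_NET = "10.1.0.0/24"      # classified segment
C_NET = "192.0.2.0/24"     # controlled buffer segment
PROXY = "192.0.2.10/32"    # application-layer gateway living in the C-net
ANY = "0.0.0.0/0"


def first_match(rules: List[Rule], default: str, src: str, dst: str, dport: int) -> str:
    """Return the action of the first rule matching (src, dst, dport), else the
    default policy.  First-match semantics mirror most packet filters."""
    s, d = ip_address(src), ip_address(dst)
    for r in rules:
        if (s in ip_network(r.src) and d in ip_network(r.dst)
                and (r.dport is None or r.dport == dport)):
            return r.action
    return default


# "Out of the box" style policy: anything initiated from the inside is allowed.
DEFAULT_ALLOW_INSIDE = [Rule("allow", R_NET, ANY, None)]

# Egress-restricted policy: R-net hosts may only talk to the proxy on 3128 and
# only the proxy may open web connections to the Internet; everything else
# falls through to the default deny.
EGRESS_RESTRICTED = [
    Rule("allow", R_NET, PROXY, 3128),
    Rule("allow", PROXY, ANY, 80),
    Rule("allow", PROXY, ANY, 443),
]


def trojan_beacon_allowed(rules: List[Rule], default: str = "deny") -> bool:
    """Could a Trojan on an R-net workstation reach its master (an arbitrary
    Internet host on 443) directly, bypassing the proxy?"""
    return first_match(rules, default, "10.1.0.23", "203.0.113.5", 443) == "allow"


def proxied_web_allowed(rules: List[Rule], default: str = "deny") -> bool:
    """Can the same workstation still browse the web through the proxy?"""
    return first_match(rules, default, "10.1.0.23", "192.0.2.10", 3128) == "allow"


if __name__ == "__main__":
    print("default-allow-inside: beacon escapes =", trojan_beacon_allowed(DEFAULT_ALLOW_INSIDE))
    print("egress-restricted:    beacon escapes =", trojan_beacon_allowed(EGRESS_RESTRICTED),
          "| proxied web works =", proxied_web_allowed(EGRESS_RESTRICTED))
```

The point of the two rule sets is that the restricted policy loses nothing a user legitimately needs (web access still works, via the proxy) while the beacon is dropped by the default deny rather than by any rule written with that Trojan in mind.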

Many implementations, like the one in the example, require an extra network segment between the R-net and the Internet. Let us call it the controlled network (C-net). Its function is to be a controlled buffer zone that can prevent or delay an attack on the R-net, and to host services that cannot run in the most secured environment. Such an implementation requires duplication of several systems, such as the mail server, and of course you will also need a second firewall. Since logging is part of the requirements you will probably need some centralized logging functionality: you do not want to run around checking each and every log on every network object in the middle of a hacker attack! There are COTS products that can send both UNIX and NT events to a syslog server, and some kind of database is needed to systemize and store the entries from the syslog.
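The following is an added example of the centralized logging the paragraph calls for, written for this page rather than taken from the case study or any product. It parses constructed syslog-style verdict lines from the two firewalls (names fw-inner and fw-outer, the key=value format, and all addresses are assumptions), stores them in an in-memory SQLite table, and answers the two questions an operator in the R-net/C-net design cares about most: which R-net hosts are trying to leave by any route other than the proxy, and which outside hosts are probing the C-net.

```python
"""Centralized syslog triage for the two-firewall R-net / C-net design.
Constructed example: log format, host names and addresses are assumptions,
not the case study's own.  Events from both firewalls go into one SQLite
table so they can be queried together instead of read host by host."""
import re
import sqlite3
from ipaddress import ip_address, ip_network

R_NET = "10.1.0.0/24"    # assumed classified segment
C_NET = "192.0.2.0/24"   # assumed controlled buffer segment (proxy, mail relay)

# Constructed sample lines in a syslog-like key=value form; not real logs.
SAMPLE_LOG = """\
Mar  3 10:01:02 fw-inner kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.0.23 DST=203.0.113.5 PROTO=TCP DPT=443
Mar  3 10:01:07 fw-inner kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.0.23 DST=203.0.113.5 PROTO=TCP DPT=443
Mar  3 10:01:30 fw-inner kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.0.23 DST=198.51.100.7 PROTO=TCP DPT=8080
Mar  3 10:02:11 fw-inner kernel: ALLOW IN=eth1 OUT=eth0 SRC=10.1.0.23 DST=192.0.2.10 PROTO=TCP DPT=3128
Mar  3 10:02:15 fw-inner kernel: ALLOW IN=eth1 OUT=eth0 SRC=10.1.0.41 DST=192.0.2.10 PROTO=TCP DPT=3128
Mar  3 10:02:16 fw-outer kernel: ALLOW IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP DPT=443
Mar  3 10:03:40 fw-outer kernel: DENY IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=192.0.2.25 PROTO=TCP DPT=22
Mar  3 10:04:02 fw-inner kernel: DENY IN=eth1 OUT=eth0 SRC=10.1.0.41 DST=203.0.113.9 PROTO=UDP DPT=53
Mar  3 10:04:05 fw-inner kernel: -- MARK --
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) \S+ (?P<action>ALLOW|DENY) "
    r".*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)"
)


def parse_line(line):
    """Return a dict for a firewall verdict line, or None for anything else
    (timestamps, MARK lines and other noise are simply skipped)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["dpt"] = int(ev["dpt"])
    return ev


def load_events(log_text):
    """Parse every line into an in-memory SQLite table and return the connection."""
    conn = sqlite3.connect(":memory:")
    # CIDR membership is not native to SQLite, so expose it as a SQL function.
    conn.create_function("in_net", 2, lambda ip, net: ip_address(ip) in ip_network(net))
    conn.execute("CREATE TABLE events (ts TEXT, host TEXT, action TEXT, "
                 "src TEXT, dst TEXT, proto TEXT, dpt INTEGER)")
    rows = [parse_line(line) for line in log_text.splitlines()]
    conn.executemany(
        "INSERT INTO events VALUES (:ts, :host, :action, :src, :dst, :proto, :dpt)",
        [r for r in rows if r is not None],
    )
    conn.commit()
    return conn


def direct_egress_attempts(conn, threshold=2):
    """R-net hosts with at least `threshold` denied attempts to reach anything
    outside both internal segments, i.e. leaving by a route other than the
    C-net proxy.  Returns [(src, count), ...], busiest first."""
    return conn.execute(
        "SELECT src, COUNT(*) AS n FROM events "
        "WHERE action = 'DENY' AND in_net(src, ?) "
        "  AND NOT in_net(dst, ?) AND NOT in_net(dst, ?) "
        "GROUP BY src HAVING n >= ? ORDER BY n DESC, src",
        (R_NET, R_NET, C_NET, threshold),
    ).fetchall()


def external_probes(conn):
    """Denied connections whose source is outside both internal segments:
    the inbound side the second firewall is there to absorb."""
    return conn.execute(
        "SELECT src, dst, dpt FROM events WHERE action = 'DENY' "
        "AND NOT in_net(src, ?) AND NOT in_net(src, ?) ORDER BY ts",
        (R_NET, C_NET),
    ).fetchall()


if __name__ == "__main__":
    db = load_events(SAMPLE_LOG)
    print("R-net hosts bypassing the proxy:", direct_egress_attempts(db))
    print("external probes against the C-net:", external_probes(db))
```

The interesting signal here is the first query: in a correctly built egress policy every denied outbound connection from an R-net address is either a misconfigured client or exactly the Trojan beacon the previous paragraph warns about, so a low threshold is appropriate. Keeping the inner and outer firewall events in one table is what lets the allowed proxy-to-Internet connection on fw-outer be correlated with the allowed workstation-to-proxy connection on fw-inner.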

Although not usually mentioned as a formal requirement, the author strongly believes that the following should be found in all secure networks: some form of user verification/authentication other than that of the host OS (TACACS, RADIUS, RSA and so on), and an intrusion detection system (ISS, Shadow, Cisco Secure and so on). Remember that your certification depends on the level of trust the classification body has in your network configuration and countermeasures. Going that extra mile can only give the impression that you are truly serious about security!


Questions:

  1. Define computer network.
  2. What has changed in recent years in the field of computer networks?
  3. Describe the classification process in your own words.
  4. How is ISMS process implemented?
  5. Analyze the above case in your own words.