1.3 Non-Essential Services and Protocols
(Page 2 of 2)
Doing More: Defense In Depth
This approach does not stop at boundary firewalls, routers and servers. Defense in depth is an important concept. Don't rely on a single barrier to protect your sensitive data and system operations. Instead, erect multiple zones of security around your resources, to help ensure that they cannot be compromised if a single security mechanism fails due to a software bug, operator error, etc. Apply the same level of security to your internal systems as you would to your external systems. Remember that according to various studies up to 80% (average +/- 70%) of data compromises come from within. (These numbers vary widely, with recent figures trending substantially lower, around 30%. Nevertheless, keep in mind that internal attacks are generally more likely to be successful and to result in higher-valued losses, so even if they are in the minority, they're worth paying attention to.)
The exact specifics of doing this vary based on where you are disabling things. Each router manufacturer typically has its own command language or menu system for enabling and disabling TCP/IP protocol ports. Similarly, each OS has a different way (sometimes more than one) to control services and TCP/IP. It's best to see your vendor's documentation for the most up-to-date information on how to do this.
The good news here is that extensive preventive "pessimistic tweaking" is becoming less necessary as operating systems evolve. More and more frequently, we're finding services, like FTP on certain Linux distributions and the IIS web server on Microsoft Windows .Net Server, disabled by default out of the box.
Remember, of course, that a balance must be struck between functionality and security. If your organization is impeded from conducting business due to excessive security restrictions, your salary may be drastically affected! Section 5 deals with Operational and Organizational Security.
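Because defaults differ between systems and releases, it helps to check what a host is actually listening on against the short list of services its role requires. The following is an added example, not part of the original guide: it parses output in the format of the Linux `ss -tuln` command and reports every listener outside an approved baseline, separating those reachable from the network from those bound to loopback only. The sample output, the `APPROVED` baseline and the function names are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample of `ss -tuln` output (not captured from a real host).
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
udp   UNCONN 0      0      0.0.0.0:68         0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
tcp   LISTEN 0      32     0.0.0.0:21         0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631      0.0.0.0:*
tcp   LISTEN 0      511    *:80               *:*
tcp   LISTEN 0      128    [::]:22            [::]:*
tcp   LISTEN 0      64     [::1]:25           [::]:*
"""

# Hypothetical baseline: the only listeners this host's role requires.
APPROVED = {("tcp", 22), ("tcp", 80)}

class Finding(NamedTuple):
    proto: str
    address: str
    port: int
    reachable_from_network: bool

def is_loopback(address: str) -> bool:
    """True if the bind address is loopback; wildcard binds are not."""
    host = address.strip("[]").split("%")[0]   # drop IPv6 brackets and %iface
    if host == "*":
        return False
    return ipaddress.ip_address(host).is_loopback

def unapproved_listeners(ss_output: str, approved: set) -> list:
    """Listeners outside the (proto, port) baseline, network-reachable first."""
    findings = []
    for line in ss_output.splitlines()[1:]:      # skip the header row
        fields = line.split()
        if len(fields) < 5:
            continue
        proto = fields[0]
        address, _, port = fields[4].rpartition(":")
        if not port.isdigit() or (proto, int(port)) in approved:
            continue
        findings.append(Finding(proto, address, int(port), not is_loopback(address)))
    return sorted(findings, key=lambda f: (not f.reachable_from_network, f.port))

if __name__ == "__main__":
    for f in unapproved_listeners(SAMPLE_SS, APPROVED):
        scope = "network" if f.reachable_from_network else "loopback only"
        print(f"{f.proto}/{f.port} on {f.address} ({scope}): not in baseline")
```

Run on the same host at intervals, a check like this also shows when a package update or configuration change has re-enabled a service that was previously turned off.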
63. Port Assignments and Protocol Numbers, http://www.microsoft.com/windows2000/techinfo/reskit/samplechapters/cnfc/cnfc_por_zqyu.asp
CertiGuide for Security+ (http://www.CertiGuide.com/secplus/) on CertiGuide.com
Version 1.0 - Version Date: November 15, 2004
Adapted with permission from a work created by Tcat Houser et al.
CertiGuide.com Version © Copyright 2004 Charles M. Kozierok. All Rights Reserved.
Not responsible for any loss resulting from the use of this site.