During the last four years the National Security Agency’s Systems and Network Attack Center
(C4) has released Security Guides for operating systems, applications and systems that
operate in the larger IT network. These security guides can be found at our web site
www.nsa.gov / Security Recommendation Guides. Many organizations across the
Department of Defense have used these documents to develop new networks and to secure
existing IT infrastructures. This latest Security Guide addresses security a bit differently. Our
goal is to make system owners and operators aware of fixes that become “force multipliers” in
the effort to secure their IT network.
Security of the IT infrastructure is a complicated subject, usually addressed by experienced
security professionals. However, as more and more commands become "wired", an
increasing number of people need to understand the fundamentals of security in a networked
world. This Security Guide was written with the less experienced System Administrator and
information systems manager in mind, to help them understand and deal with the risks they
face.
Opportunistic attackers routinely exploit the security vulnerabilities addressed in this
document, because they are easily identified and rarely fixed. ISSMs, ISSOs and System
Administrators provide a level of risk management against the multitude of vulnerabilities
present across the IT infrastructure. The task is daunting when considering all of their
responsibilities. Security scanners can help administrators identify thousands of
vulnerabilities, but their output can quickly overwhelm the IT team's ability to effectively use
the information to protect the network. This Security Guide was written to help with that
problem by drawing on our research and operational understanding of the DoD
and other US Government IT infrastructures.
This Security Guide should not be misconstrued as anything other than security “best
practices” from the National Security Agency's Systems and Network Attack Center (C4). We
hope that the reader will gain a wider perspective on security in general, and better
understand how to reduce and manage network security risk.
Security Policy
(This section is an abstract of the security policy section of RFC 2196, Site Security
Handbook. Refer to this RFC for further details.)
A security policy is a formal statement of the rules that people who are given access to an
organization's technology and information assets must abide by. The policy communicates the
security goals to all of the users, the administrators, and the managers. The goals will be
largely determined by the following key tradeoffs: services offered versus security provided,
ease of use versus security, and cost of security versus risk of loss.
The main purpose of a security policy is to inform the users, the administrators and the
managers of their obligatory requirements for protecting technology and information assets.
The policy should specify the mechanisms through which these requirements can be met.
Another purpose is to provide a baseline from which to acquire, configure and audit computer
systems and networks for compliance with the policy. In order for a security policy to be
appropriate and effective, it needs to have the acceptance and support of all levels of
employees within the organization.
A good security policy must:
- Be able to be implemented through system administration procedures, publishing of
  acceptable use guidelines, or other appropriate methods
- Be able to be enforced with security tools, where appropriate, and with sanctions, where
  actual prevention is not technically feasible
- Clearly define the areas of responsibility for the users, the administrators, and the
  managers
- Be communicated to all once it is established
- Be flexible to the changing environment of a computer network, since it is a living
  document