3-14-2003
Network Security III:
“Configuration Management”
By Jim Kendall

Way back in before-wife-and-kids, before-really-needing-to-shave-every-day, there was a grouchy old Chief Bosun’s Mate in my life — Chief Clark — my boot camp company commander. One of the things he used to say (it seemed like every day), and which sticks in my mind was “Uniformity Must Prevail!” And oh-boy did he ever have a way to make it stick! (Ahem!) He was referring to his gaggle of raw recruits (me!) of course, and attempting to make sailors out of us (But that’s another story).

Any time I think of “network security” I think of “configuration management.” In the strictest application, “uniformity must prevail!” What this means is that, in a perfect world, every computer connected to a network would be absolutely identical in every respect. Every video card would be identical. Every operating system would be identical. Every hard drive, peripheral, software driver and accessory would be identical on every computer. Every printer would be identical. Every monitor, scanner, modem, and software package would be identical (Uniformity, in other words).

“Why would you want to go that far?” you ask. One of the benefits would be the greatly simplified task of troubleshooting problems and keeping software up-to-date. Another benefit is that, by prohibiting installation of “unique” software or hardware, security is greatly enhanced. For every variation of software or hardware (but especially software), a potential security hole is introduced, and a whole new set of security “patches” may be required.

Realistically, only a very few situations lend themselves to such a strict regimen. Any company that is serious about security will, however, create as strict a policy as its situation permits, and then it must enforce it. For example, any employee who installs the KAZAA file sharing software should immediately be terminated. End of story. No excuses. Tell it to the unemployment office.

“But why?” you ask. For several reasons, not least of which is that the software can open, and has opened, a gaping hole in firewalls and security schemes, a hole that is almost instantaneously exploited by hackers and spammers. OOPS! “Open ports” are to hackers what honey is to bees.

No matter how large or how small your company or your system, no software should be permitted except that approved for use by the company, and then only that software necessary for the actual conduct of business. The same applies to a lesser extent to peripherals such as scanners or web-cameras.

Once you have established your baseline (or starting) configuration, document it in great detail. Do a complete “inventory” of each system, to include all software installed, drives, drive types, operating system, amount of memory, CPU, and so on. Document it in such a way that any updates or security patches that may be applied can be carefully documented and tracked. This could save you enormous headaches later, when you need to reconstruct the sequence of actions taken on any given machine.

Why might that be important? If you do have a “security event” of some sort, you will have information on which to base an investigation into the possible causes. If it was an unauthorized piece of software, you can pinpoint it. If it was a failure to install the latest upgrade or security patch, then that would be useful information on which to base a recovery plan. (The latest attack on the Internet was actually a result of one security patch opening a hole in previous security patches, so that an “old” exploit was then once again effective.)
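As an added illustration (not part of the original column), here is one way to keep such a baseline in machine-readable form and compare a machine's current inventory against it. The record fields, host name, package versions and patch IDs are all constructed placeholders.

```python
from dataclasses import dataclass, field

@dataclass
class Inventory:
    """One machine's documented configuration (field names are assumptions)."""
    host: str
    os: str
    memory_mb: int
    cpu: str
    software: dict                                 # package name -> version
    patches: list = field(default_factory=list)    # patch ids, in order applied

def audit(baseline, current, approved, required_patches):
    """Return (finding, item, detail) tuples where current departs from baseline."""
    findings = []
    for attr in ("os", "memory_mb", "cpu"):
        old, new = getattr(baseline, attr), getattr(current, attr)
        if old != new:
            findings.append(("config_changed", attr, f"{old} -> {new}"))
    for name, ver in sorted(current.software.items()):
        if name not in approved:
            findings.append(("unauthorized_software", name, ver))
        elif name not in baseline.software:
            findings.append(("undocumented_install", name, ver))
        elif baseline.software[name] != ver:
            findings.append(("version_drift", name, f"{baseline.software[name]} -> {ver}"))
    for name in sorted(set(baseline.software) - set(current.software)):
        findings.append(("software_removed", name, baseline.software[name]))
    for patch in required_patches:
        if patch not in current.patches:
            findings.append(("missing_patch", patch, ""))
    for patch in current.patches:
        if patch not in baseline.patches:
            findings.append(("untracked_patch", patch, ""))
    return findings

# Constructed sample data: host name, versions and patch ids are placeholders.
APPROVED = {"office-suite", "mail-client", "antivirus"}
REQUIRED = ["PATCH-001", "PATCH-002", "PATCH-003"]
BASELINE = Inventory("ws-014", "os-build-1", 256, "cpu-model-a",
                     {"office-suite": "1.0", "mail-client": "5.5", "antivirus": "7.1"},
                     ["PATCH-001", "PATCH-002"])
CURRENT = Inventory("ws-014", "os-build-1", 512, "cpu-model-a",
                    {"office-suite": "1.0", "mail-client": "6.0", "kazaa": "2.0"},
                    ["PATCH-001", "PATCH-002", "PATCH-009"])

if __name__ == "__main__":
    for finding in audit(BASELINE, CURRENT, APPROVED, REQUIRED):
        print(*finding)
```

Each finding maps to a question an investigator would ask after a security event: what was installed without approval, what changed without being documented, and which required patch never went on.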

It is a constant battle to maintain an effective level of security, and the fewer variables in the mix, the better. Hence, NO game programs, NO KAZAA file sharing programs, NO extraneous, non-business related software or gadgets should be tolerated. Not if you are serious about protecting your business!

Perhaps network security is not high on your priority list. It should be. Just remember, lightning does strike, and unless you don’t care if you are a smoking cinder after it does, take precautions now.

(Editor’s Note: Jim Kendall is the owner of Telebyte NW, Kitsap County’s oldest Internet Service Provider, and an officer in the Washington Association of Internet Service Providers. He can be reached at 360-613-5220.)