Special considerations for network-based access control

Information Security: Design, Implementation, Measurement, and Compliance Timothy P. Layton 222 pages; $89.95  Auerbach Publications

NETWORK ACCESS CONTROL
Network services provide critical and trusted services for the organization. Special care should be taken to prevent unauthorized access to networked services.

POLICY ON USE OF NETWORK SERVICES
Scope: Management should develop and create a written policy informing users that they should use only the network services they have been specifically granted.
Key Risk Indicator: No
Control Class:(O) Operations, (T) Technical
Key Questions:

Additional Information:
Network connections and particularly Internet and wireless connections have the ability to introduce significant and unidentified risks in the environment. Management should develop a clear policy on the use and creation of networks and routinely monitor the environment to ensure that no new networks have been implemented without management approval.

USER AUTHENTICATION FOR EXTERNAL CONNECTIONS
Scope: A secure form of authentication should be used to control external network connections to the information processing facility.
Key risk indicator: No
Control Class: (O) Operations, (T) Technical
Key questions:

EQUIPMENT IDENTIFICATION IN NETWORKS
Scope: As appropriate, equipment can be a secure means to authenticate network communications from a specific controlled environment and piece of equipment.
Key Risk Indicator: No
Control Class: (T) Technical
Key questions:

REMOTE DIAGNOSTIC AND CONFIGURATION PORT PROTECTION
Scope: Diagnostic and remote ports to networking and telecommunications equipment should be closely controlled and protected from unauthorized access.
Key risk indicator: No
Control class: (O) Operations, (T) Technical
Key questions:

SEGREGATION IN NETWORKS
Scope: Services on the network should be segregated in logical networks when possible to increase the depth of controls.
Key risk indicator: Yes
Control Class: (O) Operations, (T) Technical
Key questions:

Additional Information: Network services are simply network-based services such as Internet services, internal networking, wireless networking, IP telephony, video broadcasting, etc.

NETWORK CONNECTION CONTROL
Scope: When networks extend beyond organizational boundaries, special care should be taken to implement safeguards and controls to limit user connectivity and access to the network.
Key risk indicator: No
Control Class: (O) Operations, (T) Technical
Key questions:

More information on network access control Learn more about Access Control, download the full pdf. Receive network access control tips and tactics in this Learning Guide  Determine if network access control  is a compliance enabler or detractor.

Additional Information: Controlling network connections to third-party vendors or external business partners can be challenging from an information security perspective and is often overlooked because they may be considered trusted network connections.

NETWORK ROUTING CONTROL
Scope: Logical control of network routes can be critical to control the flow of data and information. Network routing control should be developed in conjunction with the access control policy of specific applications and services.
Key Risk Indicator: No
Control Class: (T) Technical
Key Questions:

Additional Information: Network routing control is a highly technical subject and, typically, only a very select few individuals in the IT department possess the knowledge to design and implement this type of control. This control is a prime candidate for validation by an external subject matter expert.

Copyright 2006 Timothy P. Layton. Used with permission of the publisher.

Want more from Chapter 13: Access Control? Download the full pdf.

Digg This!     StumbleUpon     Del.icio.us

RELATED CONTENT Network Access Control Basics Forrester: NAC ready for wider deployments Quiz: Using NAC to create a strong endpoint security strategy Phased NAC deployment for compliance and policy enforcement What should an internal support model for identity management look like? Security Wire Weekly: Sizing up the NAC market Making the NAC decision: Open source vs. commercial network access control products Experts: NAC not dead, just immature FreeRADIUS: Acing a secure connection How to test drive NAC without busting the budget Is a 'self-defending network' possible? Creating and Managing Information Security Policies How to lock down instant messaging in the enterprise Worst practices: Security incidents to avoid Thompson calls for marriage of data and security management Incident response success in five quick steps Social networking Web site threats manageable with good enterprise policy IT GRC: Combining disciplines for better enterprise security Security management in 2008: What's in store Should keystroke loggers be used in enterprise investigations? Exploring enterprise policy management options With data breach costs soaring, companies should review data sharing policies Creating and Managing Information Security Policies Research

RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Kerberos  (SearchSecurity.com) masquerade  (SearchSecurity.com) phreak  (SearchSecurity.com)

RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary