Skip Navigation
small NCES header image
Chapter 1 Chapter 2 Chapter 3 Chapter 4 Chapter 5 Chapter 6 Chapter 7 Chapter 8 Chapter 9 Chapter 10
Table of Contents Glossary of Terms
    CHAPTER 9
Protecting Your System: Network (Internet) Security
 
 
Illustration of the Cover of Safeguarding Your Technology
   

CHAPTER 9 IN A NUTSHELL:

Introduction to Network Security
Commonly Asked Questions
Policy Issues
Network Security Countermeasures
Closing Thoughts on Network Security
Network Security Checklist





  Any connection of two or more computers constitutes a network. The Internet is simply a worldwide connection of computers and networks.
 
Introduction to Network Security

Network security, especially as it relates to the biggest network of all, the Internet, has emerged as one of today's highest-profile information security issues. Many education organizations have already connected their computing resources into a single network; others are in the process of doing so. The next step for these organizations is to weigh the costs and benefits of opening a connection between their private networks (with their trusted users) and the unknown users and networks that compose the Internet.

 
excerpt icon
  If, like many readers will, you have turned to this Network and Internet chapter first because it is your highest priority, be reminded that the information included in the other chapters of this document cannot be ignored. To reduce redundancy, security strategies from Chapters 1-8 and 10 that apply to Network and Internet security are not repeated in this chapter.

Warning!

Discussions about Internet security can get technical. But while this issue is not for the faint of heart, it can and must be addressed before going online!

         Q&A

 




While employment sanctions and denial of access privileges are enforceable deterrents for internal users, they are not options for external Internet users.

  Commonly Asked Questions

Q. What is the Internet?
A. A. The Internet is simply a worldwide connection of computers and networks. That is why this chapter is titled Network Security--because the Internet is, in its simplest terms, a very large network. If your organization has its own network (which can be called an Intranet), you are basically working with a scale model of the Internet.

Q. Wouldn't an internal network be safer if it was never connected to an external network like the Internet in the first place?
A. A.Yes, just as a person would be better protected from automobile accidents if he or she walked everywhere instead of driving. If walking (or avoiding external networks) meets your transportation (or computing and communication) needs, then it is a fine strategy. If, however, an organization wants to take full advantage of its equipment's powerful communication capabilities, then isolating itself from outside networks is a very poor plan. Instead, it would be better to connect with those networks that benefit the organization (including the Internet if that is the case), and then invest in, and implement, those protection strategies necessary to provide adequate security.

Q. Why is there so much anxiety over connecting to the Internet?
A. Internet access opens lines of communication with the world. But while this is potentially a powerful education tool, the admonition "beware of strangers" certainly applies. The major concern about being connected to the Internet is one of trust. Internet users and machines are not known to your network, don't fall within your policy and management jurisdiction, and may not share your opinions on appropriate use.

excerpt icon
  When you don't know who is accessing your network, you also don't know their intentions or level of technical expertise--thus, choosing to connect to the Internet has a significant impact on an organization's risk assessment (see Chapter 2).


It Really Happens!

Dan's files were losing data. There were no two questions about it--they had somehow been infected by a computer virus, and it deeply perplexed him. After all, hadn't he just downloaded a new virus scanner from the Internet precisely so this wouldn't happen. He was so baffled by the situation that he called Lisa, the office's computer guru to explain the mystery.

"I had been worried about my files accidentally getting infected by a virus for some time--you know, you read so much about it. So when I received this e-mail about getting a free virus scanner..." Lisa interrupted, "What do you mean you received an e-mail? Who sent it?"

"That's the interesting part," Dan replied, "the guy who sent it said it was an electronic cold call. It seems that he was working for a software company and was trying to drum up business by offering a free virus scanner on a trial basis. I thought that it sounded weird, but when I visited the Web site, it all checked out."

Lisa also thought that it sounded odd and resolved to do some investigating. The first thing she did was run the software Dan had downloaded through her own virus scanner, one that had been verified for its authenticity. Sure enough, the scan revealed that Dan's download harbored a hidden virus--probably the one that was destroying his files. Now convinced that something very fishy was indeed going on, she decided to pay a visit to the Web site from which Dan had downloaded the software. When she got to it, the solution to the puzzle stared her in the face.

    Be realistic! Recognize that as beneficial as the Internet can be for communicating and gathering resources, not everyone on it has your best interests in mind.
 
The web site you have accessed belongs to Antivirus, Inc.
Antivirus, Inc. warns its customers that our sales staff is not, and never has been, responsible for sending random e-mail messages offering free trials of virus scanner software from this site. If you have received such an e-mail, you are the victim of a hacker who is masquerading as an agent of this company. This criminal has spoofed this Web site address and distributed a computer virus within software wrongly attributed to our product line. If you have downloaded this software, please e-mail Antivirus, Inc., and we will immediately furnish you an authentic version of our virus scanner for your temporary use while you disinfect your files. As co-victims of this crime, we understand your displeasure and apologize for any damage to your computing environment this incident has caused.


Guidelines for security policy development can be found in Chapter 3.
  Policy Issues

Connecting to the Internet doesn't necessarily raise its own security policy issues as much as it focuses attention on the necessity of implementing security strategies properly. Internet security goals fall within two major domains. The first centers around protecting your networks, information, and other assets from outside users who enter your network from the Internet. The second deals with safeguarding information as it is being transmitted over the Internet.

excerpt icon
  Although it is not within the scope of this document to address in sufficient detail, policy-makers must consider what information can and cannot be posted to the Internet on, for example, a school's Web page.

As discussed more completely in Chapter2, a threat is any action, actor, or event that contributes to risk. 
 

Network Threats (Examples)

    Examples of network threats include:
  • Intentional acts of destruction (e.g., address spoofing and masquerading)

  • Unintentionally destructive acts (e.g., accidental downloading of computer viruses and improper release of information)


excerpt icon

  If your brand-name operating systems, hardware, or software have any known security weakness built in, someone on the Internet will know about it. The Computer Emergency Response Team (CERT) Web site and comparable sites (see Appendix E) monitor weaknesses in computer software and post corrections. You should watch these sites--after all, hackers do.



A countermeasure is a step planned and taken in opposition to another act or potential act.


Select only those countermeasures that meet perceived needs as identified during risk assessment (Chapter 2) and that support security policy (Chapter 3).

 

excerpt icon
  Network Security Countermeasures

Because the Internet is relatively new, it isn't surprising that its standards are still being established and agreed upon. Consequently, it also shouldn't be surprising that its existing mechanisms for governing information exchanges are varied, not uniformly implemented, and, in many cases, not interoperable. Thus, it is only fair to admit that although the following countermeasures will greatly increase Internet security, more sophisticated and robust solutions remain on the horizon.

The following countermeasures address network security concerns that could affect your site(s) and equipment. These strategies are recommended when risk assessment identifies or confirms the need to counter breaches in the security of your network.

Countermeasures come in a variety of sizes, shapes, and levels of complexity. This document endeavors to describe a range of strategies that are potentially applicable to life in education organizations. In an effort to maintain this focus, those countermeasures that are unlikely to be applied in education organizations are not included here. If after your risk assessment, for example, your security team determines that your organization requires high-end countermeasures like retinal scanners or voice analyzers, you will need to refer to other security references and perhaps even hire a reliable technical consultant.


                            something you should do (icon)





  Many of these countermeasures get very technical very quickly. Non-experts need appreciate only the concepts, and then collaborate with technical staff to ensure that appropriate solutions are properly implemented.







Digital signatures, time stamps, sequence numbers, and digital certificates are simply more examples of "authentication" procedures as discussed in Chapter 8.




  Keep in mind that monitoring "authentication" procedures is accomplished by software. Once the systems are established, the user need only read the warning that the transmission did not maintain its integrity.
 
Protect Your Network from Outsiders:
  • Implement applicable security recommendations as raised in previous chapters: Solid defense against external Internet threats includes the proper implementation of relatively straightforward security measures like encryption software (Chapter 6), virus scanners (Chapter 7), remote access regulations (Chapter 8), and passwords (Chapter 8).

  • Isolate your network through the use of a firewall: Installing a firewall enables the organization to decide which types of messages should be allowed into the system from external sources (e.g., "nothing with identifiable virus coding" and "nothing with decryptor coding structures"). The actual installation and operation of the complex features requires expert technical assistance, but policy-makers can make informed decisions about product features all the same.

  • Locate equipment and information that is intended for external users outside of the firewall: If an organization's Web server is intended to provide information and services to the public, it should not be located on the private side of the firewall. Nor should it be able to access confidential information that resides inside the firewall. This way, if the public Web server should ever be compromised, confidential information is still protected.
  Protect Transmissions Sent over the Internet:

  • Use Secure Sockets Layer (SSL) Servers to secure financial and information transactions made with a Web browser: In a secure Web session, your Web browser generates a random encryption key and sends it to the Web site host to be matched with its public encryption key. Your browser and the Web site then encrypt and decrypt all transmissions.

  • Authenticate messages through the use of digital signatures: A digital signature amounts to a "fingerprint" of a message. It depicts the message such that if the message were to be altered in any way, the "fingerprint" would reflect it--thus making it possible to detect counterfeits. The converse, of course, is that if the "fingerprint" does not change during transmission, you can be confident that the message was not altered.

  • Authenticate messages through the use of time stamps or sequence numbers: Another way to recognize when messages have been modified is to challenge the "freshness" of the message. This is done by embedding time stamps, sequence numbers, or random numbers in the message to indicate precisely when and in what order the message was sent. If a received message's time and sequence are not consistent, you will be alerted that someone may have tampered with the transmission.

  • Authenticate message "receivers" through the use of digital certificates: By requiring an authentication agent or digital certificate, you force the person on the other end of the transmission to prove his or her identity. In the digital world, trusted third parties can serve as certificate authorities--entities that verify who a user is for you. In this way, digital certificates are analogous to a state-issued driver's license. If you trust the party that issues the certificate (e.g., the state or the certificate authority), then you don't need to try to verify who the user is yourself.

  • Encrypt all messages sent over the Internet (see Chapter 6): As more and more messages are sent over larger and larger networks, information becomes increasingly vulnerable to assault. Encryption has become a leading tool to combat this vulnerability. Like other countermeasures, it can be very effective if used properly and regularly.


Quote- None goes his way alone.  (Edwin Markham)

"Encryption" is a term used to describe when information is transformed into an unreadable format unless the reader possesses the appropriate key for decryption. The term "key" refers to a mathematical equation used to code (encrypt) information.

 


More Than You Need to Know about How Messages Are Encrypted

The process of encrypting and decrypting files depends on which encryption model your security solution employs. Encryption models vary in the number and size of the key(s) they use. As a general rule, the larger the key, the tougher it is to crack. There are two major types of encryption keys, systems currently in use:

  • In a Single Key Encryption System, parties exchange a key known only to themselves, and use that key to encrypt and decrypt messages. The fundamental premise of this system is that parties must securely communicate the secret key to each other in order to encrypt and decrypt messages.

  • The Public/Private Key Encryption System is based on a pair of mathematically related keys--a public key and a private key. Each key can decrypt information encrypted by the other. Your public key is used by anyone who wishes to send you an encrypted message or to verify your digital signature. Your private key is known only to you and is used to decrypt messages sent to you through the public key, or to digitally sign messages you are sending. This model allows for a much larger number of users than single key encryption because you need not have a separate key sent secretly to every trading partner.

Consensus appears to be moving the Internet toward a public/private key system in which third-party organizations that are entrusted as certificate authorities provide key management. Key management refers to the secure administration of encryption keys so that they become available to users only when and where they are required. This system is often referred to as the Public Key Infrastructure.




Policy-makers need not worry about the security of the entire Internet if they can be confident of the security of their connection to it.

  Closing Thoughts on Network Security

The Internet simply is not secure unless you make it so. Luckily, basic Internet security is not beyond a non-technical person's ability to understand. By collaborating with technical support staff (or outside consultants if necessary), educational administrators can ensure that the near limitless amount of information and resources that exist on the Internet are available to system users without jeopardizing system integrity.

It should also be noted that network configurations are constantly changing. Many organizations are now relying upon Intranets for their internal communications. All security recommendations for the Internet can also be applied to Intranet applications.


Network Security Checklist

While it may be tempting to refer to the following checklist as your security plan, to do so would limit the effectiveness of the recommendations. They are most useful when initiated as part of a larger plan to develop and implement security policy within and throughout an organization. Other chapters in this document also address ways to customize policy to your organization's specific needs--a concept that should not be ignored if you want to maximize the effectiveness of any given guideline.

   
Security Training Checklist

While it may be tempting to simply refer to the following checklist as your security plan, to do so would limit the effectiveness of the recom-mendations. They are most useful when initiated as part of a larger plan to develop and implement security policy throughout an organization. Other chapters in this document also address ways to customize policy to your organization's specific needs--a concept that should not be ignored if you want to maximize the effectiveness of any given guideline.

   

Security Checklist for Chapter 9
The brevity of a checklist can be helpful, but it in no way makes up for the detail of the text.

Check Points
for Policy Development and Implementation

Protect Your Network from Outsiders       Click here
  1. Have you fully implemented applicable security strategies as recommended in previous chapters?
     
      Click here
  1. Has your network been isolated from the outside (e.g., the Internet) through the use of a firewall?
     
      Click here
  1. Is equipment and information that is intended for "external" use logically located outside of your firewall?
     
      Click here
Protect Transmissions Sent over the Internet       Click here
  1. Is a Secure Sockets Layer (SSL) used to secure financial and information transactions made with a Web browser?
     
      Click here
  1. Are messages authenticated via digital signatures?
     
      Click here
  1. Are messages authenticated via time stamps or sequence numbers?
     
      Click here
  1. Are message recipients authenticated by digital certificates?
     
      Click here
  1. Are all messages sent over the Internet first encrypted?
     
      Click here
     

back to topback to home page
back to previous chapternext chapter

Would you like to help us improve our products and website by taking a short survey?

YES, I would like to take the survey

or

No Thanks

The survey consists of a few short questions and takes less than one minute to complete.
National Center for Education Statistics - http://nces.ed.gov
U.S. Department of Education