Trust levels such as the internal network can be very open and flexible, whereas the outside needs to be considered unsafe and therefore needs strong security to protect the resources. Table 12-10 shows different levels of trust, from low to high.
Table 12-10  Domains of Trust: Risks from Low to High

Domain                                 Level         Safeguards Required
Production to lab                      Low risk      ACLs and network monitoring
Headquarters to branch (IPsec VPN)     Medium risk   Authentication, confidentiality, integrity concerns, ACLs, route filtering
Inside (private) to outside (public)   High risk     Stateful packet inspection, intrusion protection (IPS), security monitoring
Identity
Identity is the "who" of a trust relationship. Identities can be users, devices, organizations, or all of the above. Network entities are validated by credentials. Authentication of the identity is based on the following attributes:
Something the subject knows: Knowledge of a secret, password, PIN, or private key
Something the subject has: Possession of an item such as a token card, smartcard, or hardware key
Something the subject is: Human characteristics, such as a fingerprint, retina scan, or voice recognition
Generally, identity credentials are checked and authorized by requiring passwords, PINs, tokens, or certificates.
Passwords
Passwords are used to grant users access to network resources. Passwords are an example of the authentication attribute called "something you know." Typically, users do not want to use strong passwords; they usually prefer passwords that are easy to remember. Users are therefore the weak point in password security, which requires increased enforcement of the organization's password policy. Passwords should not be common dictionary words and should be time-limited. Passwords should never be shared or posted on a computer monitor.
Tokens
Tokens represent a way to increase security by requiring "two-factor authentication." This type of authentication is based on "something you know" and "something you have." For example, one factor may be a six-digit PIN, and another is the seven-digit code on the physical token. The code on the token changes frequently, and it is not useful without the PIN. The code plus the PIN is transmitted to the authentication server for authorization.
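As an added example (not from the book), here is what the authentication server's side of that PIN-plus-token check can look like, assuming a time-synchronous token implemented as RFC 6238 TOTP with seven digits and a 60-second step (the text does not specify the token's algorithm); the user record, PIN, salt and token seed are constructed sample values.

```python
import hashlib
import hmac
import struct

DIGITS, PIN_LEN = 7, 6   # seven-digit token code and six-digit PIN, as in the text
STEP = 60                # assumption: the token code rolls over every 60 seconds
DRIFT = 1                # accept one time step of clock skew either way
SALT = b"constructed-salt"  # assumption: a real server keeps a random salt per user

def hotp(secret, counter, digits=DIGITS):
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def token_code(secret, now):
    """RFC 6238 TOTP: HOTP with the counter taken from the clock (the token side)."""
    return hotp(secret, int(now // STEP))

def pin_hash(pin):
    """Slow, salted PIN hash; the server never stores the PIN itself."""
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), SALT, 100_000)

# Constructed sample user record (not real credentials).
USERS = {
    "alice": {
        "pin_hash": pin_hash("482913"),
        "token_secret": b"constructed-sample-token-seed",
        "last_counter": -1,   # highest counter already accepted; blocks replay
    }
}

def verify_passcode(user, passcode, now):
    """Server-side check of the submitted PIN+code string at server time `now`."""
    rec = USERS.get(user)
    if rec is None or len(passcode) != PIN_LEN + DIGITS or not passcode.isdigit():
        return False
    pin, code = passcode[:PIN_LEN], passcode[PIN_LEN:]
    pin_ok = hmac.compare_digest(pin_hash(pin), rec["pin_hash"])   # factor 1
    base = int(now // STEP)
    for counter in range(max(0, base - DRIFT), base + DRIFT + 1):
        if counter <= rec["last_counter"]:
            continue                        # code already used: a replay
        code_ok = hmac.compare_digest(hotp(rec["token_secret"], counter), code)
        if code_ok and pin_ok:              # both factors must match
            rec["last_counter"] = counter
            return True
    return False
```

Pass the server clock as `now` (for example `time.time()`); a correct code with the wrong PIN, a correct PIN with a stale code, and a replayed passcode all fail.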