Network Security Requirements
Without a clear understanding of the requirements for network security, there is no way to implement the correct level of security.
Objective summary
Network Security Requirements is a list of requirements that need to be implemented for a secure network. It is composed of the following elements:
Identification and authentication
Authorization
Access control and management of security policies and services
Data confidentiality, integrity, and availability
Although it is important to know what controls you should have in place, it is equally important to know why you have them. For example, if you are implementing encryption between two locations, what are you trying to protect? Are you trying to protect data in transit or data at rest? Depending on the answer, you might need to consider different types of encryption.
Identification and authentication
It is important to know who is on the network and what they are doing on the network. This will help you enforce policy and protect resources from unauthorized users. It is also important to know multiple pieces of information about each user (such as their identity). This information can be used as part of an authorization scheme to allow or deny access to resources based on specific criteria.
Ensuring data integrity
Ensuring data integrity means that data has not been modified or destroyed during transmission by unauthorized sources. Data integrity can be achieved through proper transmission protocols and encryption techniques. Encryption techniques can also be used in conjunction with digital signatures for message authentication, that is, verifying that a message came from a specific person or system (and not an imposter posing as that person or system).
Ensuring data confidentiality
Ensuring data confidentiality means that unauthorized parties are unaware of data transmission or storage. Data confidentiality can be achieved through proper transmission protocols, strong cryptography, access control mechanisms and authorization schemes, and physical controls over sensitive information such as laptops or removable hard drives (e.g., locking cabinets). Encryption techniques can also be used in conjunction with digital signatures for message authentication, in particular verifying that a message came from a specific person or system and not an imposter.
Access controls
Access control lists (ACLs) are lists that define who has which level of access to which resources on a computer system. ACLs can be implemented through software such as operating systems or application programs. ACLs are used to enforce authorization.
Access controls can be implemented in at least three ways: through the operating system, through application programs, and through networked devices such as firewalls or routers. Operating systems contain access control mechanisms for all resources on a computer system. For example, for each file on your hard drive, the operating system will have an ACL (e.g., read access to everyone).
Application programs also contain their own access control mechanisms. For example, some applications include their own user interface that allows you to determine who has what level of access to information. Finally, networked devices such as firewalls and routers can define which machines on the network have what level of access to which resources on other machines.
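The network-device case described above can be made concrete with a small first-match ACL evaluator. This is an added example, not part of the original article; the rule format, the addresses, and the names Rule, evaluate and shadowed are assumptions made for illustration. It shows two things the prose does not: traffic that matches no rule is denied, and rule order decides the outcome, so a broad permit placed first silently disables a later deny.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    src: str               # source network, CIDR notation
    dst: str               # destination network, CIDR notation
    port: Optional[int]    # destination port; None matches any port

# Constructed sample policy (illustrative addresses, not from the article).
ACL = [
    Rule("deny",   "10.0.20.0/24", "10.0.1.10/32", None),  # guest subnet: no file server
    Rule("permit", "10.0.0.0/16",  "10.0.1.10/32", 445),   # internal hosts: SMB only
    Rule("permit", "10.0.10.0/24", "10.0.1.0/24",  22),    # admin subnet: SSH to servers
]
# Constructed misordered policy: the broad permit comes before the guest deny.
MISORDERED = [
    Rule("permit", "10.0.0.0/16",  "10.0.1.0/24",  None),
    Rule("deny",   "10.0.20.0/24", "10.0.1.10/32", None),
]

def evaluate(acl, src_ip, dst_ip, port):
    """First matching rule decides; no match at all means implicit deny."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for index, rule in enumerate(acl):
        if (src in ipaddress.ip_network(rule.src)
                and dst in ipaddress.ip_network(rule.dst)
                and rule.port in (None, port)):
            return rule.action, index
    return "deny", None

def shadowed(acl):
    """Indexes of rules that can never match because an earlier rule covers them."""
    hidden = []
    for j, later in enumerate(acl):
        src_j, dst_j = ipaddress.ip_network(later.src), ipaddress.ip_network(later.dst)
        for earlier in acl[:j]:
            if (src_j.subnet_of(ipaddress.ip_network(earlier.src))
                    and dst_j.subnet_of(ipaddress.ip_network(earlier.dst))
                    and earlier.port in (None, later.port)):
                hidden.append(j)
                break
    return hidden

if __name__ == "__main__":
    print(evaluate(ACL, "10.0.20.7", "10.0.1.10", 445), shadowed(ACL))
    print(evaluate(MISORDERED, "10.0.20.7", "10.0.1.10", 445), shadowed(MISORDERED))
```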
Monitoring activity
Determining the importance of the information assets being protected is the first step in determining your requirements for network security. The second step is identifying who needs to access those assets. The final step is determining how you will grant access to those assets (e.g., user IDs and passwords) and how you will prevent unauthorized access to those assets (e.g., physical or logical access controls).
This objective covers identification, authorization, and access controls as well as methods for monitoring activity on your network. This is important because these are the first steps in determining what type of monitoring you need to implement on your network (and more importantly why you need it). Without a clear understanding of the requirements for network security, there is no way to implement the correct level of security.