Network Security Issues C Security Issues
Administration for Network Connectivity
CID: 77730 555-233-504 — Issue 1 — April 2000
A second line of defense can be thought of as damage control: limiting the
amount of damage that can be done if someone does gain unauthorized access to the
system. Damage control can be provided by application restrictions.
Each of these control methods is described below.
Access control — network topology
Network topology refers to how the DEFINITY ECS network is connected to the
customer’s network.
Private network
One option to restrict access is to make sure that the DEFINITY ECS network is not
connected to any other network; that is, the DEFINITY ECS network is private. This
topology clearly solves all three access security concerns mentioned above. However,
a private network is not an option for all customers.
Private segment
Another topology is to put the DEFINITY ECS network on a private segment, behind
a router or a firewall. This approach can also solve all three concerns above by
implementing packet filtering in the router/firewall such that only legitimate traffic
can pass through.
Open network
One other topology that may be chosen is a completely open network, where
DEFINITY ECS nodes are placed on the customer network just like any other piece
of data networking equipment. An open network topology addresses none of the three
security concerns above, and other methods of access control must be used for these
installations.
Access control — network administration
Network administration refers to how a DEFINITY ECS (specifically, the C-LAN
circuit pack) is administered in terms of dial-up PPP ports and routing information. A
carefully administered system has only dial-up ports in service for DCS and adjunct
sessions that will be established at boot time. This means that normally there will not
be any ports available for a hacker to dial into. Additionally, the C-LAN circuit pack
should be administered only with routes specific to the DCS and adjunct nodes. This
ensures that anyone getting into a DEFINITY ECS can only get to other DCS or
adjunct nodes, not anywhere else on the customer network. Careful administration
will address concerns #1 and #2 above.
Note that no new access to the system access terminal (SAT), such as network-based
SAT, is introduced in Release 7. As in earlier releases of DEFINITY ECS, all port
and route administration can be done only via the SAT, and all changes are logged.
Access control — authentication
Authentication also plays a role in providing access control to dial-up PPP ports. All
of these ports can be protected by Challenge Handshake Authentication Protocol
(CHAP). This provides an extra level of assurance that no unauthorized user will be
able to connect to a PPP port on C-LAN.
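As an added illustration, not taken from the DEFINITY ECS documentation, the following Python models the CHAP exchange (RFC 1994, MD5 algorithm) between a dialing peer and the authenticating PPP port, showing why the shared secret never crosses the link and why a captured response cannot be reused against a later challenge. The peer name and secrets are constructed sample values.

```python
import hashlib
import hmac
import os

# CHAP with MD5: the authenticator sends a random challenge, the peer answers
# with MD5(identifier || secret || challenge), and the authenticator recomputes
# the digest from its own copy of the secret. Only the digest is transmitted.


def chap_response(identifier: int, secret: bytes, challenge: bytes) -> bytes:
    """CHAP-MD5 response value as defined in RFC 1994 section 4.1."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class ChapAuthenticator:
    """Authenticator side; a simplified model of the port that answers the call."""

    def __init__(self, secrets: dict[str, bytes]):
        self.secrets = secrets          # peer name -> shared secret (constructed)
        self.identifier = 0

    def challenge(self) -> tuple[int, bytes]:
        self.identifier = (self.identifier + 1) & 0xFF  # new id per challenge
        return self.identifier, os.urandom(16)          # fresh random challenge

    def verify(self, identifier: int, challenge: bytes,
               name: str, response: bytes) -> bool:
        secret = self.secrets.get(name)
        if secret is None or identifier != self.identifier:
            return False                                 # unknown peer or stale id
        expected = chap_response(identifier, secret, challenge)
        return hmac.compare_digest(expected, response)   # constant-time compare


def run_exchange(auth: ChapAuthenticator, name: str, peer_secret: bytes) -> bool:
    """One Challenge / Response / Success-or-Failure round trip."""
    ident, chal = auth.challenge()
    resp = chap_response(ident, peer_secret, chal)       # computed on the peer
    return auth.verify(ident, chal, name, resp)


def replay_rejected(auth: ChapAuthenticator, name: str, peer_secret: bytes) -> bool:
    """A response captured from one exchange does not satisfy the next challenge."""
    ident1, chal1 = auth.challenge()
    captured = chap_response(ident1, peer_secret, chal1)
    ident2, chal2 = auth.challenge()
    return not auth.verify(ident2, chal2, name, captured)
```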