A lone light shines across his right shoulder, lighting the notepad on the right side of the desk. In the penumbra falling across his face the phosphorescence from the monitor before him makes his eyes glow with an almost sea-blue quality. The eyes are intense, small squint lines forming at the corners as he focuses, watching the progress of the download. Upon its completion his fingers flick from mouse to keyboard.
He is filling his toolbox, printing out documentation, learning the trade that will take him on an adventure, hopefully behind the walls of protection the government and corporations are beginning to erect.
With his hacking toolkit downloading, he sits silently, watching.
This scene plays out in many of our minds as a stereotype of today's "hacker." Many of us see the danger as being "out there." Someone on the Internet may break into our network and do something malicious. Large businesses spend a lot of time and energy in protecting their networks from these external threats. Why would a hacker be interested in breaking into a library network?
As we begin to peel away the stereotypical images associated with network security, we are all learning that the total threat to our systems and network resources isn't quite this simple, not so easily defined. First we learn that it's not just external threats that are a problem. Many times the threats are local, inside our buildings. Then we learn that it's not the devastating things that are the biggest threats-it's those annoying little things patrons do that consume what little time, and sometimes funds, we have for managing the computers through which we offer services. We're also learning, as we put up web servers on the Internet, that there really could be a threat from Internet-based attackers. It's not rocket science to obtain and use tools that can devastate our servers and our workstations as well.
With the proliferation of funding for computers and Internet access the past two years, it has been terribly easy to walk into a quagmire of issues we didn't know existed. Now we find ourselves having to put on yet another hat, learning the basics of another responsibility we must take on: network security. What is it? How do we get it done? What impact will it have on our daily operations? Over the next hundred pages or so we will address these questions, but let's begin here with the first one: what is it?
What is Network Security?
Network security is the process of configuring network hardware, computers, software, and the physical environment to minimize the risk of attack to these resources. Or, more simply put, network security is protecting your equipment and software so people aren't likely to do bad things with or to them. Or at least reduce the chance that they'll do these things. The key idea here is that network security is a process.
(Did this just wash right over you? It's easy to assume that a reader already knows the basics about what a network is, but many may not. If you're totally new to this topic, you might find a basic discussion of networking helpful. To learn more, there are lots of tutorials available on the Internet. You can also find a basic discussion in a previous manual the Texas State Library published. See Part Two of the Wireless Community Networks beginning in Chapter 6, available online at http://www.tsl.texas.gov/ ld/pubs/wireless/chapter6.html .)
The practices that make up good network security evolve over time as vulnerabilities in network operating systems, network hardware, and software are discovered. Vulnerabilities are weaknesses in network configurations that can be exploited (taken advantage of) to gain unauthorized access to network resources. These are most often discovered through experimentation, either by those who want to break into networks or by those charged with securing them. This experimentation normally involves using software in a way it was not designed to be used.
The "bad guys" and security experts push the boundaries of programmers' expectations of use to see if a system responds in ways that are advantageous to malicious users. Such cracking attempts may originate just as easily on local workstations as from the Internet. Some patrons may use public workstations in a way you would never dream of (as an anonymous way to break into other Internet-based computers, for example).
Because those on both sides of the security fence keep trying new methods, new vulnerabilities continue to surface. The notion that network security is implemented once and taken care of forever is a misconception. Making a network 100% secure is also a misconception; absolute security simply cannot be achieved. So, the process of network security is about minimizing, rather than eliminating, the risk of misuse of one's network resources.
The Three Goals of Network Security
As you become familiar with network security, you will see three theoretical goals commonly presented: availability, confidentiality, and integrity. These form the foundation for effective use of shared resources.
Availability - the whole purpose of a computer network is to share limited resources in a convenient way. Resources, as we define the term later, may include equipment, software, or data. In small public libraries, the most commonly shared items are an Internet connection and a printer. If something blocks or interferes with a user's access to one of these resources, it renders the resource unavailable and therefore unusable. To justify the expense of creating a network, its resources must remain available.
Confidentiality - shared resources have a theoretical problem, though. If I store my data "on the network," what's to prevent someone else from accessing it? If data packets are transmitted across a shared network medium, what's to keep someone else from seeing what's in them? Few of us would use shared resources if we believed someone else could read or view all the information we transmitted or stored. So keeping data confidential is a foundational requirement of network services.
Integrity - not only is confidentiality important, but we must also be able to trust the data stored on a network. Thinking about a teacher's electronic records, what would be the impact on network use for the project if we believed data stored online could easily be altered? Most of us would find another method of storing data. In order to make network use practical, we must provide a reasonable guarantee that data stored or transmitted on the network will remain in its intended form.
In order to accomplish these goals, a solid program of network security will seek to accomplish the following tasks:
analyze the risks associated with threats to network resources
determine which risks are most likely to occur
apply current practice in protecting against these risks
review security alerts and bulletins regularly for the emergence of new vulnerabilities and repeat the process
Why Should a Library be Concerned with Network Security?
Securing the library's computer network means the library will spend less time reconfiguring workstation settings, recovering from the mischief patrons may do, and responding to system and server problems resulting from unauthorized use of systems. Network security will also provide a defense against accidental or malicious deletion or alteration of data residing on network servers.
Properly implemented, network security will also reduce the risk of attackers (from both the Internet and the internal network) breaking into library systems and either rendering various systems unusable or just creating a nest from which to launch attacks on other systems across the Internet. In other words, implementing adequate network security measures provides the benefit of minimizing the following:
the potential for loss of data.
the staff time required to manage local workstations and servers.
the funding required to maintain networked services.
the potential for embarrassment from the effects of break-ins.
Limits of This Work
Network security, because it involves many aspects of both computer and network operation, is an extremely wide subject. In order to pare down the material to be covered, I make the following assumptions about your network:
Someone other than staff (a vendor, consultant, or volunteer) will be doing the actual installation, configuration, and maintenance of the library network.
The library uses Microsoft Windows NT/2000 Server for its server operating system.
The library uses Microsoft Windows NT Workstation/2000 Professional or Windows 9x for its workstation operating system.
Other operating systems may be used in some libraries (e.g., Novell Netware for an automation server, Linux for servers or workstations, MacOS for workstations). However, Windows NT/2000 is currently the most common server and workstation operating system used in small Texas public libraries, due to the influence of Gates Foundation grants and the ease-of-use of the Explorer interface shared with the Windows 9x desktop operating systems. So, for the remainder of the manual, we will focus on Windows NT/2000 Server (for servers) and Windows 9x or Windows NT Workstation/2000 Professional (for workstations).
This manual is divided into three distinct parts:
Part One: features the management issues related to network security: analyzing risk, developing a security plan and policy, the funding requirements libraries can expect in operating their networks, and implementing adequate security
Part Two: describes the areas of computer networks that need to be secured, and provides a description of many of the security measures necessary for adequate security
Part Three: presents sample documents that may be helpful in your library's work in securing its network.