Infrastructure Security: Devices and Media • Chapter 6  415

                 tion credentials.After the credentials are verified, users are granted access and their
                 computers act as if they are physically located on the corporate network. Since this
                 is an intentional remote access point to a network, it is wise to secure it as much as
                 possible.This includes good password security, encryption, and possibly callback
                 verification.
                    Since most businesses require telecommunications to work with their cus-
                 tomers, telecom and PBXes are critical to business functions. Since many of these
                 systems allow for remote access, securing that remote access is one way of pre-
                 venting attacks on the telecommunications infrastructure.
                    VPNs allow you to create a secure tunnel over an unsecured network such as
                 the Internet between either a computer and a network or two networks.This
                 allows users to connect to the corporate network from their normal ISPs, saving a
                 great deal of cost. Using strong encryption for this link is critical to maintaining a
                 secure network. In addition, using good authentication will help keep intruders
                 from using the VPN against you.
                    IDS, whether implemented passively or actively, goes a long way towards
                 helping keep a network secure. If you do not know that an attack is occurring,
                 there is not much you can do to stop it. IDS helps solve this problem by making
                 technicians aware of a situation before it escalates to a point where it can no longer
                 be contained. If your IDS is designed as an active IDS, it can help stop an attack as
                 soon as it happens without relying on an administrator to be immediately available.
                    Network monitoring and diagnostic equipment should be kept off the network
                 whenever possible. Due to the need to monitor and analyze the network, this may
                 not always be possible. In this case, it is best to keep these devices as secure as pos-
                 sible by encrypting communication between the device and its user, and always
                 making sure that the devices do not use default passwords. Good password security
                 is critical to keeping these devices safe from intruders.
                    Workstations are one of the most insecure devices on a network, because they
                 are constantly used locally by users with a huge range of skills and needs. Since users
                 have direct local access to the system, it is impossible to keep the system completely
                 secure. Use password policies to force users to change their passwords regularly.
                    Servers are one place where administrators should focus a great deal of time
                 implementing good security practices. One of the most important security policies
                 to implement with servers is to make sure that they always have the latest OS and
                 application security patches. In addition, it is important to always monitor security-
                 related newsgroups and listservs to keep abreast of the latest vulnerabilities in the
                 software on the network.




                                                                              www.syngress.com