
Infrastructure Security: System Hardening • Chapter 8  489

                 Patches

                 Patches for OSes and NOSes are available from the vendor supplying the product.
                 These are available by way of the vendor’s Web site or from mirror sites around the
                 world. They are often security-related, and may be grouped together into a
                 cumulative patch to repair many problems at once. Since patches are issued at
                 unpredictable intervals, it is important to stay on top of their availability and
                 install them after they have been tested and evaluated in a non-production
                 environment. The exception to this is when preparing a new, clean install. In this
                 case, it is wise to download and install all known patches prior to introducing the
                 machines to the network.


                 EXAM WARNING

                      The Security+ exam requires good knowledge of the hardening
                      processes. It includes questions relating to hardening that you may not
                      have thought about. For example, hardening can include concepts
                      present in other security areas, such as locking doors, restricting physical
                      access, and protecting the system from natural or unnatural disasters.






                 Network Hardening

                 When discussing network hardening, there are a number of concerns that are
                 separate from those realized while evaluating and hardening OSes and NOSes. The
                 appropriate firmware and OS updates implemented on hardware must be
                 evaluated, tested, and implemented. In addition, network configurations must be as
                 tight as possible. This includes developing appropriate rule sets and not allowing
                 unnecessary protocol or service access to other areas of the network. To keep access
                 as restrictive as possible, administrators should follow the principle of least
                 privilege, and not allow any services, protocols, or transports to operate that are
                 not defined as critical or necessary to the operation of the networks. It may be
                 appropriate to implement new technologies while in the network hardening process.
                 Evaluation of Intrusion Detection Systems (IDSes), firewall products, and anti-virus
                 solutions is also appropriate to hardening networks. Monitoring systems must be
                 checked and adjusted to verify that the network portion of the system is secure.
                 Administrators must remain vigilant and proactive in maintaining these entryways
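
The least-privilege requirement for rule sets described above can be checked mechanically. The following is an added example, not code from the book: it audits a constructed rule set against a constructed list of services defined as critical. The Rule fields, the addresses, and the service list are all assumptions made for illustration.

```python
"""Audit a packet-filter rule set against the services defined as critical."""
from typing import NamedTuple

class Rule(NamedTuple):
    action: str   # "permit" or "deny"
    proto: str    # "tcp", "udp", or "any"
    src: str      # source network in CIDR form, or "any"
    dst: str      # destination network in CIDR form, or "any"
    port: str     # destination port, or "any"

DEFAULT_DENY = Rule("deny", "any", "any", "any", "any")

# Constructed sample: services this hypothetical network defines as critical.
REQUIRED = {("tcp", "443"), ("tcp", "25"), ("udp", "53")}

# Constructed sample rule set, evaluated top-down.
RULES = [
    Rule("permit", "tcp", "any", "10.0.1.10/32", "443"),
    Rule("permit", "udp", "10.0.0.0/16", "10.0.1.53/32", "53"),
    Rule("permit", "tcp", "any", "10.0.1.20/32", "23"),   # telnet: not required
    Rule("permit", "any", "10.0.2.0/24", "any", "any"),   # permits everything
]

def audit(rules, required):
    """Return (rule_index, finding) pairs; index -1 refers to the whole rule set."""
    findings = []
    for i, r in enumerate(rules):
        if r.action != "permit":
            continue
        if r.proto == "any" or r.port == "any":
            findings.append((i, "permits every protocol or port; name the service"))
        elif (r.proto, r.port) not in required:
            findings.append((i, f"{r.proto}/{r.port} is not defined as critical"))
    # Least privilege needs a final catch-all deny for anything not permitted.
    if not rules or rules[-1] != DEFAULT_DENY:
        findings.append((-1, "no explicit default deny as the final rule"))
    # A critical service with no permit rule is an availability gap.
    permitted = {(r.proto, r.port) for r in rules if r.action == "permit"}
    for proto, port in sorted(required - permitted):
        findings.append((-1, f"required service {proto}/{port} has no permit rule"))
    return findings

if __name__ == "__main__":
    for idx, msg in audit(RULES, REQUIRED):
        print("rule set" if idx < 0 else f"rule {idx}", "-", msg)
```
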




                                                                              www.syngress.com