Security management establishes and maintains the criteria for access to network resources. Network resources include the network management data and applications, so the security subsystem may also set up and alter the permission levels for individuals who access the network management system. This subsystem also partitions the network, as required, for corporate network operation.
Security management can be thought of as the triple A: Access, Authentication, and Authorization. For example, you access your bank’s network with your ATM card in the machine, you authenticate your identity with your PIN, and only then are you authorized to get funds from your own account, assuming sufficient funds are available.
Security often includes both electronic and physical access to a data center. The same system that manages PINs can also be used to maintain a record of door codes/cards to control who enters and when.
From a network management perspective, two aspects of security must be considered in communicating management information between a managed device and the managing device: authentication and encryption. Since network management information and commands are flowing between a management station and a managed element or device, each must validate the sender (i.e., the authentication part) and keep the actual information secret (i.e., the encryption part). There would be a major breach of security if an intruder could learn how to extract and manipulate routing tables, for example. The intruder could then instruct the router to change its table and route all packets to a specific station.
Examples of Assets to Protect
Network management systems must be able to track access to and modifications of many different environments in the IT domain. Each area listed below requires management and possibly some configuration. There should also be restricted access to a small community of individuals responsible for network management. Limiting access to a small universe reduces the probability of asset loss.
- Expertise, corporate memory
- CPU, routers, drives, keyboards
- OS, diagnostic software, application, source code
- Database, backup media
- Media, ink, paper
Example Security Information
As the list below suggests, security information ranges from managing the simple passwords used to log into a LAN or host system to controlling the interconnection of networks. Security functions are likely to be distributed among many components in the system(s). For example, a file server might control the access rights to a file system, a router might control switched access to other systems, and each element would authenticate queries from the appropriate network management station or console.
To summarize, information related to the secure operation of the network infrastructure is distributed like the systems themselves. The challenge is to use management systems and software that make controlling, changing, and monitoring these security functions as simple and consistent as possible.
- File server
  - Login passwords
  - File passwords/access privileges
- Web server
  - Chat room access
  - Closed user groups
- Communication servers
  - Dial-up passwords
  - Callback operation
- “Gateway” access from other networks
- Authority to issue GET/SET operations from network management console
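As an added example (not part of the original text), the following Python sketch ties together the authentication step from the management-traffic discussion above and the GET/SET authority item in this list: a managed device validates an HMAC over each command from a management station, rejects replayed commands, and then checks an access list before acting on a SET against its routing table. The principal names, keys, message format and ACL are all constructed for the example; confidentiality of the payload (the encryption part) is assumed to be handled by the transport and is not shown.

```python
import hmac, hashlib, json

# Constructed sample data: per-principal shared keys and an access-control list.
# Real keys would be provisioned out of band, never embedded in source.
KEYS = {
    "noc-console": b"constructed-key-noc",
    "helpdesk":    b"constructed-key-helpdesk",
}
# Which operations each principal may issue against each managed object.
ACL = {
    "noc-console": {"ipRouteTable": {"GET", "SET"}},
    "helpdesk":    {"ipRouteTable": {"GET"}},
}

def canonical(msg):
    """Deterministic byte encoding of the fields covered by the MAC."""
    fields = {k: msg[k] for k in ("principal", "seq", "op", "obj", "value")}
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()

def sign(msg):
    """Management station side: attach an HMAC so the device can validate the sender."""
    key = KEYS[msg["principal"]]
    return dict(msg, mac=hmac.new(key, canonical(msg), hashlib.sha256).hexdigest())

class ManagedDevice:
    """Managed element (e.g. a router) that authenticates, then authorizes, each command."""
    def __init__(self):
        self.last_seq = {}   # highest sequence number accepted per principal
        self.objects = {"ipRouteTable": "10.0.0.0/8 via 192.0.2.1"}  # constructed state

    def process(self, msg):
        key = KEYS.get(msg.get("principal"))
        if key is None:
            return "AUTH_FAILED"
        expected = hmac.new(key, canonical(msg), hashlib.sha256).hexdigest()
        # Constant-time comparison; a forged or altered message fails here.
        if not hmac.compare_digest(expected, msg.get("mac", "")):
            return "AUTH_FAILED"
        # A replayed or reordered command carries a stale sequence number.
        if msg["seq"] <= self.last_seq.get(msg["principal"], 0):
            return "REPLAY"
        self.last_seq[msg["principal"]] = msg["seq"]
        # Authorization: the sender is genuine, but may it perform this op on this object?
        allowed = ACL.get(msg["principal"], {}).get(msg["obj"], set())
        if msg["op"] not in allowed:
            return "NOT_AUTHORIZED"
        if msg["op"] == "SET":
            self.objects[msg["obj"]] = msg["value"]
            return "OK"
        return "OK:" + self.objects[msg["obj"]]
```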