Network security. Ensuring the information security of networks


There are two approaches to the problem of ensuring the security of computer systems and networks (CS): the "fragmentary" approach and the comprehensive approach.

The "fragmentary" approach is aimed at countering well-defined threats under specified conditions. Examples of this approach are individual access control tools, stand-alone encryption tools, specialized antivirus programs, etc.
The advantage of this approach is its high selectivity against a specific threat. Its significant disadvantage is the absence of a single protected environment for processing information. Fragmentary information protection measures protect specific CS objects only against a specific threat; even a small modification of the threat leads to a loss of protection effectiveness.

The comprehensive approach is focused on creating a protected information processing environment in the CS that combines heterogeneous measures for countering threats into a single complex. Organizing a protected information processing environment makes it possible to guarantee a certain level of security of the CS, which is the undoubted advantage of the comprehensive approach. Its disadvantages include restrictions on the freedom of action of CS users, sensitivity to errors in the installation and configuration of the protection tools, and the complexity of management.
The comprehensive approach is used to protect the CS of large organizations, or small CS that perform critical tasks or process particularly important information. A breach of information security in the CS of a large organization can cause enormous material damage both to the organization itself and to its customers. Such organizations are therefore forced to pay special attention to security guarantees and to implement comprehensive protection. Most state bodies and large commercial enterprises and institutions adhere to the comprehensive approach. This approach is reflected in various standards.
The comprehensive approach to the security problem is based on a security policy developed for a specific CS. The security policy governs the effective operation of the CS protection tools. It covers all the features of the information processing process and determines the behavior of the system in various situations. A reliable network security system cannot be created without an effective network security policy. Security policies are discussed in detail in Ch. 3.

To protect the interests of the subjects of information relations, it is necessary to combine measures of the following levels:
legislative (standards, laws, regulations, etc.);
administrative and organizational (general actions taken by the management of the organization, and specific security measures dealing with people);
software and technical (specific technical measures).
The legislative level is very important for ensuring information security. This level includes a set of measures aimed at creating and maintaining a negative (including punitive) attitude in society towards violations of information security and towards violators.

Information security is a new field of activity; here it is important not only to prohibit and punish, but also to teach, explain and help. Society must be aware of the importance of this issue and understand the main ways of solving the relevant problems. The state can do this in the best way. Large material costs are not required here; what is required is intellectual investment.

The administrative and organizational level. The management of the organization must be aware of the need to maintain a security regime and allocate appropriate resources for this purpose. The basis of the protection measures of the administrative and organizational level is the security policy (see Chapter 3) and a set of organizational measures.
The set of organizational measures includes security measures implemented by people. The following groups of organizational measures are distinguished:
personnel management;
physical protection;
maintaining operability;
response to security violations;
planning of recovery work.

For each group, every organization should have a set of regulations defining the actions of personnel.

Measures and means of the software and technical level. Measures of the software and technical level are particularly important for maintaining the information security regime, since the main threats to computer systems come from this level: equipment failures, software errors, mistakes by users and administrators, etc. The following security mechanisms must be available in modern information systems:
identification and authentication of users;
access control;
logging and auditing;
cryptography;
shielding (firewalling);
ensuring high availability.

The need to apply standards. The information systems (IS) of companies are almost always built from software and hardware products of various manufacturers. So far there is no developer company that would provide a consumer with a complete list of tools (from hardware to software) for building a modern IS. To ensure guaranteed reliable information protection in a heterogeneous IS, highly qualified specialists are required who must be responsible for the security of each component of the IS: configure it correctly, constantly track the changes that occur, and control the work of users. Obviously, the more heterogeneous the IS, the harder it is to ensure its security. The abundance of protection devices, firewalls, gateways and VPNs in corporate networks and systems, as well as the growing demand for access to corporate data from employees, partners and customers, leads to the creation of a complex protection environment that is difficult to manage and sometimes incompatible.
Interoperability of protection products is an integral requirement for corporate information systems. For most heterogeneous environments it is important to ensure consistent interaction with products from other manufacturers. The security solution adopted by an organization should guarantee protection on all platforms within that organization. Therefore, the need for a single set of standards to be used by providers of protection tools, by system integrator companies, and by the organizations acting as customers of security systems for their corporate networks and systems is quite obvious.
Standards form the conceptual basis on which all work to ensure information security is built, and define the criteria that security management must follow. Standards are the necessary basis that ensures the compatibility of products of different manufacturers, which is extremely important when creating network security systems in heterogeneous environments.

The comprehensive approach to solving the problem of ensuring security, the rational combination of legislative, administrative-organizational and software-technical measures, and mandatory adherence to industry, national and international standards are the foundation on which the entire protection system of corporate networks is built.


Lecture 31 Introduction to Network Security


Network security covers many measures and should be considered as part of the general information security policy pursued by the organization (enterprise, company, firm). Many services are involved and various means are used in ensuring network security. A huge number of books and articles have been written on network security, touching on the broad range of information security (IS) issues.

Basic concepts.

The efficiency of a computer network largely depends on the degree of protection of the information processed and transmitted in it. The degree of protection of information against threats of various kinds during its acquisition, processing, storage, transmission and use is called the security of the information.

The relevance of network security problems is due to the widespread use of computer technologies in all spheres of life of modern society, as well as to the transition from dedicated channels to public networks (Internet, Frame Relay) that is observed when building corporate networks.

A secure network (or secure connection) has the following properties:

■ confidentiality, i.e. it protects data from unauthorized access, providing access to secret data only to the authorized users who are allowed to have it;

■ availability, which means ensuring permanent access to data for authorized users. A secure connection is also characterized by the property of authenticity, i.e. the ability of the sender and the recipient to confirm their identity: the sender and the recipient must be sure that each of them is who he claims to be;

■ integrity, which guarantees the preservation of data and is provided by prohibiting unauthorized users from changing, modifying, destroying or creating data.

The security policy, which includes the totality of norms and rules governing the process of information processing, is formed at the network deployment stage on the basis of such fundamental principles as:

■ a comprehensive approach to security, starting with organizational and administrative prohibitions and ending with built-in network protection tools;

■ providing each employee of the enterprise (user of computers, the information system, the network) with the minimum level of privileges for access to data that he needs to perform his official duties;

■ the principle of balance between the possible damage from the realization of a threat and the cost of preventing it. For example, in some cases it is possible to forgo costly hardware protection by tightening administrative measures.

The main task of the security policy is protection against unauthorized access to the resources of the information system. The security policy is an effective tool that forces all users of the corporate network to follow the security rules established once and for all. Its implementation begins with identifying vulnerable components and threats and adopting appropriate countermeasures.

A vulnerable component is one whose incorrect use or failure can jeopardize the security of the entire network. Vulnerable components include network users, who can cause harm deliberately, by accident or through lack of experience.

If information is not backed up regularly, the entire corporate network faces a very real threat of data loss as a result of intentional or accidental damage to the main drive.

A threat is a potential attempt to exploit the shortcomings of a vulnerable component to cause harm. Sources of threats can be crackers, viruses, fires and natural disasters.

After the possible threats (risks) have been assessed, countermeasures are selected. A countermeasure is an action that makes it possible to minimize the risk from a certain vulnerable component or a certain threat. One of the most effective countermeasures for minimizing the risk of data loss is the creation of a reliable backup system.

The results of the risk assessment and the selected countermeasures are used to create a security plan, which should describe in the smallest detail the organization's strategies both directly and remotely related to security issues.

Planning network and data security.

A high degree of security can be achieved by using a plan that provides for the use of various security measures and tools.

Assessing the security requirements of the network data is the first stage of developing a plan of action. It should take into account the nature of the organization's activities and of the data stored on the network, and the strategy and style of management of the organization, which the network administrator must know and implement in the network under his control.

A high level of data security must be maintained in organizations that hold data which is strictly confidential by its nature. An example is commercial organizations providing services or manufacturing products in areas with a high level of competition. Some types of data must be protected regardless of the nature of the organization. These include accounting documentation, tax information and industrial secrets (plans of the organization's activities and commercial plans, recipes, manufacturing technologies, texts, etc.).

To take measures to protect data on the network, it is necessary to identify the main sources of threats to their security.

The following types of threats are distinguished:

■ unintentional, which include the erroneous actions of loyal employees, natural disasters, unreliability of software and hardware, etc.;

■ deliberate, which are explicitly aimed at damaging information security;

■ external, which manifest themselves in such forms as unauthorized use of passwords and keys; DoS attacks (Denial of Service) aimed at breaking the network connection or rendering it inoperable; address spoofing; computer viruses and worms;

■ internal, which include industrial espionage, intrigue and discontent among employees, random failures, etc.

The security plan should list in the most detailed way the procedures whose execution is prescribed by the security policy. Each employee responsible for performing a specific procedure should be warned of the possible consequences of deviating from the prescribed way of performing the procedure. It is recommended to take written confirmation from the employee that he understands the meaning of the security strategy, agrees with it and undertakes to follow it. The plan must be updated regularly, i.e. the security aspects must be revisited in an attempt to identify new potentially vulnerable components, threats and countermeasures against them, and the changes must be reflected in the plan.

Security tools

A wide range of various means and technologies is used for network security. Let us consider some of them.

Basic security technologies.

In various software and hardware products intended to protect data, the same approaches, techniques and technical solutions are often used; together they form the security technologies.

Cryptographic protection. Cryptography is engaged in the development of methods of transforming information in order to protect it.

The conversion of publicly available (understandable) data into a form that makes it difficult to recognize is called encryption, and the reverse conversion is decryption. Encryption is accessible to administrators and users and is one of the most effective means of ensuring the confidentiality of information. Two main ways of encrypting data are distinguished: permutation (transposition), in which the sequence of characters of the source data is changed, and replacement (substitution), in which all the characters of the alphabet used are replaced according to a certain template, for example, letters are replaced by numbers.
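The two basic operations named above, as an added example that is not part of the lecture notes: a columnar transposition (only the order of the characters changes) and a substitution that replaces letters by two-digit numbers according to a key. The key, the padding character and the sample text are constructed for this example; both ciphers are teaching ciphers and offer no real confidentiality.

```python
# Added example (not from the lecture notes): toy implementations of the two
# basic encryption operations named in the text, permutation (transposition)
# and replacement (substitution). Teaching ciphers only; both are trivially
# broken by frequency analysis and give no real confidentiality.
import string

ALPHABET = string.ascii_uppercase
PAD = "_"  # padding for transposition; the plaintext must not end with it


def transpose_encrypt(plaintext: str, columns: int) -> str:
    """Columnar transposition: write the text row by row into `columns`
    columns, then read it out column by column. Only the order of the
    characters changes; every character of the plaintext is still present."""
    padded = plaintext + PAD * (-len(plaintext) % columns)
    rows = [padded[i:i + columns] for i in range(0, len(padded), columns)]
    return "".join(row[c] for c in range(columns) for row in rows)


def transpose_decrypt(ciphertext: str, columns: int) -> str:
    """Inverse of transpose_encrypt: cut the ciphertext into `columns` equal
    pieces (the columns) and read them back row by row."""
    if not ciphertext:
        return ""
    height = len(ciphertext) // columns
    cols = [ciphertext[i:i + height] for i in range(0, len(ciphertext), height)]
    return "".join(col[r] for r in range(height) for col in cols).rstrip(PAD)


def substitution_table(key: str) -> dict:
    """Build a replacement table from a key that is a permutation of A-Z:
    the letter at position i of the key is replaced by the two-digit code i
    (letters replaced by numbers, as in the lecture's example)."""
    if sorted(key) != list(ALPHABET):
        raise ValueError("key must be a permutation of A-Z")
    return {letter: f"{i:02d}" for i, letter in enumerate(key)}


def substitute_encrypt(plaintext: str, key: str) -> str:
    """Replace every letter by its code; codes are separated by spaces so
    that decryption can split them unambiguously."""
    table = substitution_table(key)
    letters = plaintext.upper().replace(" ", "")
    if any(ch not in table for ch in letters):
        raise ValueError("only the letters A-Z are supported")
    return " ".join(table[ch] for ch in letters)


def substitute_decrypt(ciphertext: str, key: str) -> str:
    """Invert the table and map each code back to its letter."""
    inverse = {code: letter for letter, code in substitution_table(key).items()}
    return "".join(inverse[code] for code in ciphertext.split())


if __name__ == "__main__":
    key = "QWERTYUIOPASDFGHJKLZXCVBNM"  # constructed key, a permutation of A-Z
    print(transpose_encrypt("ATTACKATDAWN", 4))        # ACDTKATAWATN
    print(substitute_encrypt("ATTACK AT DAWN", key))  # 10 04 04 10 ...
```

Note that the transposition leaves the letter frequencies of the plaintext untouched and the substitution maps each letter to one fixed code, which is exactly why both are easy to break; the value of the example is in seeing what each operation does to the data.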

Encryption and decryption of data (information) are carried out using keys, which are created with the help of mathematical formulas.

The method in which one key is used for both operations is called symmetric cryptography. In asymmetric cryptography each network user must have two keys: a public key and a private key. The two keys are linked to each other by some mathematical function. The public key is known to every user. A message encrypted with the public key can be read only with the private key. Since it is assumed that the user to whom the message is addressed does not disclose his private key, he is the only person who can read the message.

Two encryption algorithms are widely known: the symmetric DES (Data Encryption Standard, the official standard of the US government) and the asymmetric RSA, developed by the scientists Rivest, Shamir and Adleman and named after the initial letters of their surnames.

For encryption, authentication and integrity checking of packets transmitted over the network, the IPsec (IP Security) protocol has been developed. It includes the AH (Authentication Header) protocol, which makes it possible to verify the identity of the sender, and the ESP (Encapsulating Security Payload) protocol, which ensures the confidentiality of the data itself. IPsec is supported by Cisco Systems routers and by Windows 2000/XP.

For transmitting encrypted, authenticated messages over the Internet, the SSL (Secure Sockets Layer) protocol is used. In this protocol a public-key cryptosystem is combined with block encryption of the data.

Authentication.

This is the procedure of verifying the identity of a user when he requests access to system resources (a computer or a network). Authentication denies access to unwanted persons and allows access to all legitimate users. The authentication procedure involves two parties: one proves its right of access (its authenticity) by presenting certain arguments, the other checks these arguments and makes a decision. To prove authenticity, a known word (a password), a unique physical object (a key), or the person's own biometric characteristics (fingerprints or the pattern of the iris) can be used.

Most often, authentication uses a password entered from the keyboard.

A password is a sequence of characters that is kept secret and presented when accessing the information system.

The objects of authentication may be not only users, but also various devices, applications, textual and other information.

Identification of access subjects and objects.

Identification involves assigning to each access subject a unique name in the form of a number, cipher or code, for example a personal identification number (PIN), a social security number (SSN), etc. User identifiers must be registered by the administrator of the information security service.

When a user is registered, data such as the surname, first name, patronymic and unique user identifier, the name of the procedure for establishing authenticity and the user's password, the user's authority over system resources, and other data are entered into the protection system database. Identification should be distinguished from authentication. Identification consists in the user communicating his identifier to the system, while authentication is the procedure by which the user proves that he really is the owner of the identifier he entered.

Authorization.

This is the procedure of granting each user the access rights to directories, files and printers that have been assigned to him by the administrator. In addition, the authorization system can control the ability of users to perform various system functions, such as setting the system time, creating backup copies of data, logging on locally to the server, shutting down the server, etc. Two approaches to the assignment of access rights are distinguished:

■ selective (discretionary), in which individual users (or groups), explicitly specified by their identifiers, are allowed or denied certain operations on a certain resource;

■ mandatory, in which all information is divided into levels according to its degree of secrecy, and all network users are divided into groups forming a hierarchy according to their level of clearance for this information.

Authorization procedures are implemented by software tools according to either a centralized scheme, in which the user logs on to the network once and receives a certain set of permissions for accessing network resources, or a decentralized scheme, in which access to each application is controlled by the security tools of the application itself or of the operating environment in which it runs.

Auditing. This is the recording in the system log of events related to access to protected system resources. Auditing is used to detect even unsuccessful attempts to break into the system. When an attempt is made to perform unlawful actions, the audit system identifies the intruder and writes a message to the log. Analysis of the information accumulated and stored in the log can be an effective measure of protection against unauthorized access.
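The kind of log analysis described above, as an added example that is not part of the lecture notes: a scan of an audit log for bursts of failed access attempts by one user. The record format, the sample lines and the threshold (three failures within one minute) are constructed for this example; real systems have their own log formats.

```python
# Added example (not from the lecture notes): scanning a constructed audit
# log for repeated failed access attempts, the kind of analysis of the
# registration log the text describes. Record format and sample lines are
# constructed for this example; real systems use their own formats.
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: "<ISO timestamp> <user> <resource> <result>"
SAMPLE_LOG = """\
2024-03-01T09:00:01 alice   /srv/finance/report.doc   SUCCESS
2024-03-01T09:00:05 mallory /srv/finance/report.doc   FAILURE
2024-03-01T09:00:09 mallory /srv/finance/report.doc   FAILURE
2024-03-01T09:00:12 mallory /srv/finance/salaries.xls FAILURE
2024-03-01T09:00:30 bob     /srv/public/readme.txt    SUCCESS
2024-03-01T09:10:00 mallory /srv/finance/report.doc   FAILURE
"""


def parse_line(line: str):
    """Split one record into (timestamp, user, resource, result)."""
    ts, user, resource, result = line.split()
    return datetime.fromisoformat(ts), user, resource, result


def find_repeated_failures(log_text: str, threshold: int = 3,
                           window: timedelta = timedelta(minutes=1)) -> dict:
    """Return {user: (first_failure_time, count)} for every user who produced
    at least `threshold` FAILURE records inside some `window`-long period.
    A single failure is usually a typo; a burst is worth an administrator's
    attention."""
    failures = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, _, result = parse_line(line)
        if result == "FAILURE":
            failures[user].append(ts)

    suspects = {}
    for user, times in failures.items():
        times.sort()
        for start in range(len(times)):
            # Count the failures that fall within `window` of times[start].
            end = start
            while end < len(times) and times[end] - times[start] <= window:
                end += 1
            if end - start >= threshold:
                suspects[user] = (times[start], end - start)
                break
    return suspects


if __name__ == "__main__":
    for user, (first, count) in find_repeated_failures(SAMPLE_LOG).items():
        print(f"{user}: {count} failed accesses starting {first.isoformat()}")
```

Only the FAILURE records are kept per user, so the successful accesses of alice and bob never enter the count, and mallory's fourth failure ten minutes later falls outside the window and does not inflate the result.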

The handshake procedure. For user authentication, the handshake procedure (handshaking, an acknowledged sequential exchange) is widely used; it is built on the question-and-answer principle. It assumes that only those users for whom the questions are intended can give the correct answers. To confirm the user's authenticity, the system successively puts to him a number of randomly selected questions that he must answer. Identification is considered positive if the user has answered all the questions correctly.
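The question-and-answer principle in its modern form, as an added example that is not part of the lecture notes: each "question" is a fresh random challenge and the "answer" is a keyed hash (HMAC-SHA256) of it computed with a secret shared between the user and the system, so the secret itself is never transmitted. The choice of HMAC and the constructed secrets are this example's assumptions; the lecture does not prescribe a concrete mechanism.

```python
# Added example (not from the lecture notes): the question-and-answer
# handshake in its modern form. The "question" is a random challenge, the
# "answer" is an HMAC of it computed with a secret shared by the user and
# the system. HMAC-SHA256 is this example's assumption.
import hashlib
import hmac
import secrets


def make_challenge() -> bytes:
    """A fresh random question; never reused, so a captured answer is useless."""
    return secrets.token_bytes(16)


def answer(shared_secret: bytes, challenge: bytes) -> bytes:
    """The user's side: prove knowledge of the secret without sending it."""
    return hmac.new(shared_secret, challenge, hashlib.sha256).digest()


def verify(shared_secret: bytes, challenge: bytes, response: bytes) -> bool:
    """The system's side: recompute the expected answer and compare in
    constant time, so timing does not reveal how many bytes matched."""
    return hmac.compare_digest(answer(shared_secret, challenge), response)


def run_handshake(system_secret: bytes, user_secret: bytes, rounds: int = 3) -> bool:
    """Ask `rounds` random questions; identification is positive only if the
    user answers every one of them correctly."""
    for _ in range(rounds):
        challenge = make_challenge()          # system -> user
        response = answer(user_secret, challenge)   # user -> system
        if not verify(system_secret, challenge, response):
            return False
    return True


if __name__ == "__main__":
    secret = secrets.token_bytes(32)          # constructed shared secret
    print(run_handshake(secret, secret))      # True: legitimate user
    print(run_handshake(secret, b"guess"))    # False: impostor
```

Because every challenge is random and single-use, replaying an answer recorded from an earlier session does not help, which is the property that distinguishes this exchange from simply sending a password.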

Secure channel technologies are widely used in virtual private networks, which require additional measures to protect the transmitted information. The confidentiality requirement is especially important, because packets transmitted over a public network are vulnerable to interception as they pass through each of the nodes (servers) on the way from the source to the recipient. Secure channel technology includes:

■ mutual authentication of the subscribers when establishing a connection;

■ protection of the messages transmitted over the channel from unauthorized access;

■ confirmation of the integrity of the communications over the channel.

Depending on where the secure channel software is located, two schemes of its formation are distinguished.

1. Scheme with end nodes (Fig. 1, a). In this scheme the secure channel is formed by software tools installed on two remote computers. The computers belong to two different automated systems (AS) of one organization and are interconnected through a public network.

2. Scheme with the equipment of the public network service provider located on the border between the private and public networks (Fig. 1, b). In this scheme the secure channel is formed only inside the public packet-switched network. The protection tools are the border access devices.

Security tools provided by operating systems.

Modern operating systems are able to provide access to one computer and to network resources for many users. For this, individual accounts are used, to which different passwords are assigned. After entering his registration information, the user can access the OS and the network; read and modify resources and perform any other actions that correspond to the rights of his account; create the desired configuration of the user interface (working environment), etc.

The selection (or assignment) of passwords is governed by the network security strategy. Passwords must meet certain requirements. Many networks allow the administrator to set the length and lifetime of a password; check whether a given password is present in a dictionary and, if so, prevent its use; and ensure that a user's password is not repeated. In addition, the administrator has ample opportunities to control access to resources. For example, for one and the same account he can allow viewing the contents of the file File1.doc but prohibit changing it; grant the right to read, modify and delete the file File2.doc and even to set access rights to it for other users; and revoke all access rights to File3.doc.
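The password requirements just listed (length, lifetime, dictionary check, no repetition of earlier passwords), as an added example that is not part of the lecture notes or of any product. The policy values, the dictionary and the sample passwords are constructed; the history is kept as SHA-256 fingerprints only to avoid storing old passwords in clear text, whereas a real system stores password history as salted, slow hashes.

```python
# Added example (not from the lecture notes): the password checks listed in
# the text (length, lifetime, dictionary check, no repetition) as a policy
# function. Policy values and the dictionary are constructed for this example.
import hashlib
from datetime import date, timedelta

MIN_LENGTH = 10                       # constructed policy values
MAX_AGE = timedelta(days=90)
HISTORY_DEPTH = 5
DICTIONARY = {"password", "qwerty", "letmein", "welcome", "secret"}


def fingerprint(password: str) -> str:
    """Value kept in the history list instead of the password itself.
    SHA-256 is used here for illustration; real systems use salted slow hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_new_password(candidate: str, history: list) -> list:
    """Return the list of policy violations; an empty list means accepted.
    `history` holds fingerprints of the user's previous passwords, oldest first."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    lowered = candidate.lower()
    if any(word in lowered for word in DICTIONARY):
        problems.append("contains a dictionary word")
    if fingerprint(candidate) in history[-HISTORY_DEPTH:]:
        problems.append(f"repeats one of the last {HISTORY_DEPTH} passwords")
    return problems


def password_expired(last_changed: date, today: date) -> bool:
    """Lifetime check: the password must be changed once it is older than MAX_AGE."""
    return today - last_changed > MAX_AGE


if __name__ == "__main__":
    old = [fingerprint("Tr0ub4dor&3xyz")]                # constructed history
    print(check_new_password("Tr0ub4dor&3xyz", old))     # repeats a previous one
    print(check_new_password("Welcome2024!", []))        # dictionary word
    print(check_new_password("correct horse battery", []))  # accepted: []
    print(password_expired(date(2024, 1, 1), date(2024, 4, 1)))  # True
```

All violations are collected rather than stopping at the first one, so the user is told everything that has to change in a single round.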

In high-security file systems, access rights can be set both for sharing resources on the network and for using those resources on the same local computer. Local and network access rights may not coincide. For example, a user may be granted the right to fully control the file File4.doc when he is logged on to the computer where this file is stored, but the same user's right of access to File4.doc may be restricted when he tries to access it from another computer on the network.

The administrator should know and take into account how a given OS behaves by default (immediately after loading). For example, by default a shared resource on Windows NT/XP servers is available to any network user; to limit access rights to the resource, the administrator must change them. On NetWare servers, on the contrary, a shared resource is not available to any user, and granting access requires explicit intervention by the administrator.

The network OS Windows NT allows each user to be assigned four types of access (privileges) to a shared resource: No Access; Full Control; Read, which grants the right to view the list of files, open files, examine their contents and copy files to one's own media; and Change, which additionally (to Read) grants the ability to change the contents of existing files and directories. Windows NT also allows access to local files to be controlled. For this, the files or directories must be located in a logical partition of the hard disk formatted with the NTFS file system. In addition to the privileges listed above, NTFS allows viewing the files of a directory (the List privilege), adding files to a directory without changing their contents (Add), and viewing existing files and adding new ones (Add & Read).

The administrator must understand the ways of assigning privileges and the relationship between the assigned privileges of access to local and shared resources, and adopt the most effective way of assigning privileges to users. At the same time, users must be deprived of the possibility of accessing resources that are not necessary for their work.
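The relationship between share-level and local (NTFS) privileges, as an added example that is not part of the lecture notes or of Microsoft's code: a small model that maps each privilege level to a set of operations and computes what a user can actually do. The operation sets and the rule that network access must be permitted by both the share and the NTFS level (the more restrictive one wins) are assumptions of this model, chosen to reproduce the File4.doc situation described above.

```python
# Added example (not from the lecture notes): a model of how share-level and
# NTFS access levels combine. The operation sets and the "both must allow"
# rule for network access are assumptions of this model.
from typing import Optional

ALL_OPS = {"list", "open", "copy", "add", "modify", "delete", "set_permissions"}

# Privileges that can be granted on a shared resource (four levels in the text).
SHARE_RIGHTS = {
    "No Access": set(),
    "Read": {"list", "open", "copy"},
    "Change": {"list", "open", "copy", "add", "modify", "delete"},
    "Full Control": set(ALL_OPS),
}

# NTFS privileges that apply to local files and directories.
NTFS_RIGHTS = {
    "No Access": set(),
    "List": {"list"},
    "Add": {"add"},
    "Add & Read": {"list", "open", "copy", "add"},
    "Read": {"list", "open", "copy"},
    "Change": {"list", "open", "copy", "add", "modify", "delete"},
    "Full Control": set(ALL_OPS),
}


def effective_rights(ntfs_level: str, share_level: Optional[str] = None) -> set:
    """Operations the user may perform. Logged on locally, only the NTFS level
    applies; over the network the share level applies as well, and an operation
    must be allowed by both (assumed most-restrictive rule)."""
    local = NTFS_RIGHTS[ntfs_level]
    if share_level is None:
        return set(local)
    return local & SHARE_RIGHTS[share_level]


def is_allowed(op: str, ntfs_level: str, share_level: Optional[str] = None) -> bool:
    """Single access decision for one operation."""
    if op not in ALL_OPS:
        raise ValueError(f"unknown operation {op!r}")
    return op in effective_rights(ntfs_level, share_level)


if __name__ == "__main__":
    # The File4.doc case: Full Control locally, but only Read via the share.
    print(is_allowed("modify", "Full Control"))           # True  (local logon)
    print(is_allowed("modify", "Full Control", "Read"))   # False (over the network)
```

Walking the table for each role before granting a share is a cheap way to apply the least-privilege principle from the security policy: a user whose work needs only Read on a share should not be helped by a generous NTFS level, and the model makes that visible.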

The Windows NT security system provides the ability to log all events that occur. However, logging requires constantly running applications, which reduces network performance; therefore, since logging events also takes time, the administrator and network users should be able to selectively activate event logging tools only on those workstations that require it. The event log can be a useful source of information when administering the network.

Hardware protection.

The basis for reliable protection of data against many hardware faults is redundancy. When a network device fails, its backup duplicate begins to function. Data lost when a hard disk fails can be replaced with files stored in the backup system.

Some servers support the installation of redundant devices that automatically take over the functions of a failed component. Such redundancy is applicable to cooling fans, power supplies, network adapters, hard disks and central processors.

When the power supply is backed up, redundant sources of electricity (uninterruptible power supplies) are used alongside the mains. Data backup involves creating redundant copies of valuable files on additional (backup) media. In fault-tolerant disk systems, data is written to redundant disks. The highest degree of redundancy is clustering, when several servers are combined into a group. On the network, the server cluster is visible to users as a single server. If one of the cluster's servers fails, its duties are performed by another server, and users do not notice the switch-over. Cluster support tools are built into operating systems such as Windows NT.

Data backup. It is carried out with the help of special programs and, when performed regularly, is an effective measure of protection against possible data loss. The presence of a backup copy makes it possible to quickly restore lost data.

The following backup methods are used:

full, in which all the data on the specified disks is copied, regardless of when it was last copied and whether changes have been made since then;

differential, in which all the files changed since the last full copy are copied. Differential copies are made between full copies, which saves time. To restore the data it is necessary to restore the last two copies, the full and the differential;

incremental, in which all the files changed since the last copy of any kind (not only the last full copy) are copied. This is the fastest method, but restoring data is more complicated and takes a long time, since it is necessary to restore the last full copy and all the incremental copies created since the time of the last full copy.
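The three methods side by side, as an added example that is not part of the lecture notes: one function decides which files each method would copy from a constructed file inventory, and a second works out which copies have to be restored, which is where the differential and incremental chains differ. File names, modification times and backup timestamps are all constructed for the example.

```python
# Added example (not from the lecture notes): which files each backup method
# copies, and which copies must be restored afterwards. All data constructed.
from datetime import datetime

# Constructed file inventory: file name -> last modification time.
FILES = {
    "budget.xls": datetime(2024, 2, 20, 10, 0),   # unchanged since the full copy
    "report.doc": datetime(2024, 3, 2, 15, 30),   # changed after the full copy
    "notes.txt":  datetime(2024, 3, 3, 12, 0),    # changed after the last copy
}
LAST_FULL = datetime(2024, 3, 1, 0, 0)   # time of the last full copy
LAST_ANY = datetime(2024, 3, 3, 0, 0)    # time of the last copy of any kind


def select_files(method: str, files: dict, last_full: datetime, last_any: datetime) -> list:
    """Names of the files a backup run of the given method would copy."""
    if method == "full":
        return sorted(files)
    if method == "differential":        # everything changed since the last full copy
        return sorted(name for name, mtime in files.items() if mtime > last_full)
    if method == "incremental":         # everything changed since the last copy of any kind
        return sorted(name for name, mtime in files.items() if mtime > last_any)
    raise ValueError(f"unknown method {method!r}")


def restore_chain(backups: list) -> list:
    """`backups` is a chronological list of (time, method). Return the copies
    that must be restored, oldest first, to recover the latest state."""
    full_positions = [i for i, (_, method) in enumerate(backups) if method == "full"]
    if not full_positions:
        raise ValueError("no full copy to restore from")
    last_full = full_positions[-1]
    after = backups[last_full + 1:]
    if not after:
        return [backups[last_full]]
    methods = {method for _, method in after}
    if methods == {"differential"}:     # last full + only the newest differential
        return [backups[last_full], after[-1]]
    if methods == {"incremental"}:      # last full + every incremental since it
        return [backups[last_full]] + after
    raise ValueError("mixed differential and incremental chains are not modelled")


# Constructed backup schedules, one per strategy.
INCREMENTAL_CHAIN = [(datetime(2024, 3, 1), "full"),
                     (datetime(2024, 3, 2), "incremental"),
                     (datetime(2024, 3, 3), "incremental")]
DIFFERENTIAL_CHAIN = [(datetime(2024, 3, 1), "full"),
                      (datetime(2024, 3, 2), "differential"),
                      (datetime(2024, 3, 3), "differential")]

if __name__ == "__main__":
    for method in ("full", "differential", "incremental"):
        print(method, select_files(method, FILES, LAST_FULL, LAST_ANY))
    print(len(restore_chain(INCREMENTAL_CHAIN)), "copies to restore (incremental)")
    print(len(restore_chain(DIFFERENTIAL_CHAIN)), "copies to restore (differential)")
```

The output shows the trade-off in the text directly: the incremental run copies the least (only notes.txt), but restoring needs three copies, while the differential strategy copies more each day and restores from two.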

Fault tolerance of the disk system.

Fault tolerance is understood as the ability of the system to recover after a failure. Combining (configuring) several physical hard disks into a fault-tolerant set is called a RAID system (Redundant Array of Independent Disks). It can be implemented in various forms. Depending on the level (0 to 5 and 7), different ways of combining the disks are provided: RAID 0, RAID 1, RAID 2, RAID 3, RAID 4, RAID 5.

Firewalls make it possible to organize protection along the entire perimeter of the automated system (AS), creating a barrier between the internal AS and its connections with the outside world (the Internet). Such a protected area can also be set up within a subnet.

A firewall can be implemented both in hardware and in software.

In essence, it is a means of filtering incoming and outgoing packets.

Based on the security rules established by the network administrator, the firewall decides whether to pass a received packet. Typically, firewalls are located at the network gateways, which are the points of its connection to another network.
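Packet filtering by administrator-defined rules, as an added example that is not part of the lecture notes or of any firewall product: a rule set is evaluated top to bottom, the first matching rule decides, and a packet matching no rule is dropped. The rule set, the addresses and the sample packets are constructed for this example.

```python
# Added example (not from the lecture notes): rule-based packet filtering.
# Rules are evaluated top to bottom, first match wins, unmatched packets are
# dropped (default deny). Rule set and sample packets are constructed.
from ipaddress import ip_address, ip_network

# Constructed rule set for a gateway between 10.0.0.0/8 (inside) and the Internet.
RULES = [
    {"action": "allow", "direction": "in",  "proto": "tcp", "src": "0.0.0.0/0",
     "dst": "203.0.113.10/32", "dport": 443},          # public HTTPS server
    {"action": "allow", "direction": "out", "proto": "tcp", "src": "10.0.0.0/8",
     "dst": "0.0.0.0/0", "dport": None},               # any outbound TCP from inside
    {"action": "deny",  "direction": "in",  "proto": None, "src": "0.0.0.0/0",
     "dst": "10.0.0.0/8", "dport": None},              # nothing else reaches the inside
]


def matches(rule: dict, pkt: dict) -> bool:
    """A rule field of None is a wildcard; addresses are matched by prefix."""
    return (rule["direction"] == pkt["direction"]
            and rule["proto"] in (None, pkt["proto"])
            and rule["dport"] in (None, pkt["dport"])
            and ip_address(pkt["src"]) in ip_network(rule["src"])
            and ip_address(pkt["dst"]) in ip_network(rule["dst"]))


def filter_packet(pkt: dict, rules: list = RULES) -> str:
    """Return "allow" or "deny" for one packet; default deny when nothing matches."""
    for rule in rules:
        if matches(rule, pkt):
            return rule["action"]
    return "deny"


# Constructed sample packets: a legitimate web request, an inbound file-sharing
# attempt against an internal host, normal outbound browsing, and inbound DNS.
SAMPLE_PACKETS = [
    {"direction": "in",  "proto": "tcp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 443},
    {"direction": "in",  "proto": "tcp", "src": "198.51.100.7", "dst": "10.0.0.5",     "dport": 445},
    {"direction": "out", "proto": "tcp", "src": "10.0.0.5",     "dst": "198.51.100.7", "dport": 80},
    {"direction": "in",  "proto": "udp", "src": "198.51.100.7", "dst": "203.0.113.10", "dport": 53},
]


def filter_many(pkts: list, rules: list = RULES) -> list:
    return [filter_packet(p, rules) for p in pkts]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, filter_many(SAMPLE_PACKETS)):
        print(verdict, pkt)
```

The fourth packet is dropped without any rule mentioning it: the default-deny fallback is what turns a list of permissions into a perimeter, and the explicit deny for 10.0.0.0/8 exists only so that the decision is visible in the rule set rather than implied.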

Network Security Solutions

Network security is a fairly broad term. It implies both the restriction of unwanted network access and the safety of data and the effective functioning of the computer network as a whole.

Today there are a great many risks to valuable information. For dynamically developing business processes of an "online" nature, all aspects that would help reduce these risks to a minimum are equally important. The Profi-JP company offers modern software solutions that provide network security and confidentiality when commercial information is transmitted over the network, and when money circulates via the Internet.

The software solutions from the developer Symantec that we offer are a guarantee that confidential information will be available only to those for whom it is intended. This is facilitated by the characteristic features of these software solutions: multi-level protection and convenient configuration and control.

Network security

For any type of business there is a demand for software products that provide network security (in the broadest sense).

Basic principles of network security:

  • protection of internal networks from unauthorized access;
  • ensuring a secure Internet connection and secure remote access;
  • control over the operation of various online applications through which access to personal computers is also possible;
  • providing the possibility of commercial operations over the Internet.

Hardware firewalls

Profi-JP company invites you to pay attention to another, no less reliable tool of protection, like hardware firewalls.

Along with the term "Network Security"The concept of "hardware firewall" is also quite extensive. Often under the "firewall" understand absolutely any systems that provide protection against external intrusions to all computers in the network.

These are "border guards" of the Internet. They represent a combination of hardware and software that shared the network into several parts. They monitor all passing network packets from one part of the network to another, if necessary, blocking the passage.

The network separation usually occurs between the internal, corporate network of the enterprise and the "global web". In special cases, the border is possible to create between various departments of a particular corporate network.

Network security Performed by firewall using port controls and activity of various applications. In addition, firewalls are carried out:

  • blocking all invasions of external nature;
  • blocking the ability to theft of information (by penetrating the virus);
  • protection when working in local networks and peerging resources.

To date, there is a constant improvement of hardware firewalls. For example, it was possible to embed hardware firewalls into individual applications, for example, in server software. In addition, manufacturers of firewalls are increasingly taken into account the electronics segment for home use. In the produced firewalls there are more and more simplified characteristics and wide functionality.

Network security Corporate networks - Question number 1 on the overwhelming majority of enterprises. When building a corporate network, hardware firewalls continue to be one of the most popular means of ensuring its safety. By purchasing the most modern software solutions for the protection of your business information, you strengthen your business and make a huge step forward in its development. Company "PROFI-SP" - your chance to safely exchange information on the network!

We also offer creation services.

Firewall

A firewall (network screen) is a set of software and hardware that protects one part of a computer network from another by analyzing the traffic passing between them.

For the firewall, one part of the network is internal and the other external. The firewall protects the internal network (for example the enterprise's local network or, as a degenerate case, a single user's computer) from threats emanating from the external network (as a rule, the Internet).

Protection of the boundary between the enterprise's local networks and the Internet is provided by corporate firewalls; the same functions, but at the boundary between a home computer and the Internet, are performed by personal firewalls.

For the firewall to perform its main protective function effectively, all traffic exchanged between nodes of the protected part of the network and Internet nodes must pass through it.

This placement lets the firewall fully control (prohibit, limit or log) external users' access to the resources of the internal network. The firewall protects the network not only from unauthorized access by external intruders, but also from erroneous actions of users of the protected network, such as transferring confidential information to the external network.

To control access, the firewall must be able to perform the following functions:

  • analyze, monitor and adjust traffic (filtering function);
  • act as a logical intermediary between internal clients and external servers (proxy server function);
  • record all security-relevant events (audit function).

Along with these basic functions, other auxiliary protection functions may be assigned to the firewall, in particular:

  • antivirus protection;
  • traffic encryption;
  • filtering of message content, including types of transmitted files, DNS names and keywords;
  • intrusion and network attack detection and prevention;
  • VPN functions;
  • network address translation.

As you can see, most of the listed functions are also implemented as separate products or as part of protection systems of other types. Thus, packet filtering functions are built into almost all routers, the virus detection task is solved by many different programs, traffic encryption is an integral element of secure channel technologies, and so on. Proxy servers are often supplied as applications and, moreover, themselves often integrate many features inherent to firewalls, such as authentication, network address translation or content filtering.

Hence the difficulty in defining the concept of "firewall". For example, it is quite common to hold that a firewall is a border device that performs packet filtering (that is, a router), and that a proxy server is an entirely different protection tool from the firewall. Others insist that the proxy server is an indispensable and integral attribute of a firewall. Still others believe that only a software or hardware device that can track the state of the packet stream within a connection may be called a firewall. We will stick to the widespread view that a firewall is a software and hardware complex performing a variety of internal network protection functions, the set of which may vary depending on the type, model and specific configuration of the firewall.
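To make the difference between a plain packet filter and the connection-state tracking mentioned above concrete, here is an added example (not from the article) of a toy boundary filter: it keeps a connection table, applies a simple inbound/outbound policy and records every verdict in an audit log. The addresses, ports and policy are constructed for the illustration.

```python
from dataclasses import dataclass, field
import ipaddress

# Constructed "internal" side of the boundary; everything else is "external".
INTERNAL_NET = ipaddress.ip_network("192.168.10.0/24")


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False   # TCP SYN without ACK marks a new connection attempt
    ack: bool = False


@dataclass
class Firewall:
    # Assumed policy: the only service published to the outside is SMTP, and
    # internal clients may only open web and mail connections outward, so a
    # careless user cannot push data out over an arbitrary port.
    allowed_inbound_ports: frozenset = frozenset({25})
    allowed_outbound_ports: frozenset = frozenset({80, 443, 25})
    conntrack: set = field(default_factory=set)    # (src, sport, dst, dport)
    audit_log: list = field(default_factory=list)  # audit function: every verdict

    @staticmethod
    def _is_internal(addr):
        return ipaddress.ip_address(addr) in INTERNAL_NET

    def _log(self, verdict, pkt, reason):
        self.audit_log.append(
            f"{verdict} {pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport} ({reason})")
        return verdict == "ACCEPT"

    def handle(self, pkt):
        """Return True if the packet may cross the boundary, False if dropped."""
        key_fwd = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        key_rev = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # Part of a tracked connection, in either direction: let it through.
        if key_fwd in self.conntrack or key_rev in self.conntrack:
            return self._log("ACCEPT", pkt, "established")
        # Stateful rule: a mid-stream packet with no tracked connection is
        # dropped; a stateless filter could only judge it by its ports.
        if not pkt.syn or pkt.ack:
            return self._log("DROP", pkt, "no connection state")
        src_in, dst_in = self._is_internal(pkt.src), self._is_internal(pkt.dst)
        if src_in and not dst_in:
            if pkt.dport in self.allowed_outbound_ports:
                self.conntrack.add(key_fwd)
                return self._log("ACCEPT", pkt, "new outbound")
            return self._log("DROP", pkt, "outbound port not permitted")
        if dst_in and not src_in:
            if pkt.dport in self.allowed_inbound_ports:
                self.conntrack.add(key_fwd)
                return self._log("ACCEPT", pkt, "new inbound to published service")
            return self._log("DROP", pkt, "unsolicited inbound")
        return self._log("DROP", pkt, "does not cross the boundary")


def demo():
    """Constructed packet sequence; returns the verdicts and the audit log."""
    fw = Firewall()
    flow = [
        Packet("192.168.10.5", 40000, "203.0.113.7", 443, syn=True),   # client opens HTTPS
        Packet("203.0.113.7", 443, "192.168.10.5", 40000, syn=True, ack=True),  # server reply
        Packet("203.0.113.9", 5555, "192.168.10.5", 40000, ack=True),  # unrelated mid-stream
        Packet("198.51.100.3", 33000, "192.168.10.20", 22, syn=True),  # unsolicited SSH
        Packet("198.51.100.3", 33001, "192.168.10.20", 25, syn=True),  # published SMTP
        Packet("192.168.10.5", 40001, "203.0.113.7", 6667, syn=True),  # odd outbound port
    ]
    return [fw.handle(p) for p in flow], fw.audit_log
```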

Intrusion detection system

An intrusion detection system (IDS) is a software or hardware tool designed to detect unauthorized access (an intrusion or network attack) to a computer system or network.

IDS are increasingly becoming a necessary addition to the network security infrastructure. Alongside the firewall, which operates on the basis of security policies, IDS serve as mechanisms for monitoring and observing suspicious activity. They can detect attackers who have bypassed the firewall and report this to the administrator, who in turn takes further steps to prevent the attack. Intrusion detection technologies do not make a system absolutely secure. Nevertheless, the practical benefit of IDS is real and not small.

Using an IDS helps to achieve several goals:

  • detect an intrusion or network attack;
  • predict possible future attacks and identify vulnerabilities in order to prevent their further development. An attacker usually performs a number of preliminary actions, such as network probing (scanning) or other testing to find vulnerabilities in the target system;
  • document existing threats;
  • control the quality of administration from a security standpoint, especially in large and complex networks;
  • obtain useful information about penetrations that have taken place, in order to restore the system and correct the factors that allowed the penetration;
  • determine the location of the attack source relative to the local network (external or internal attack), which is important when deciding where to place resources on the network.

An intrusion prevention system (IPS) is software or hardware that monitors a network or computer system in real time in order to detect, prevent or block malicious activity.

In general, IPS are similar to IDS in classification and functions. The main difference is that they operate in real time and can block network attacks automatically. Every IPS includes an IDS module.

As already mentioned, the correct placement of IDS/IPS systems in the network does not affect its topology, but it is of great importance for optimal monitoring and for achieving the maximum protective effect.
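As an added example (not part of the article), the following detector reads constructed connection records, flags the port scanning that the list above names as a precursor to attack, labels the source as internal or external, and in IPS mode returns a block decision instead of an alert. The log format, thresholds and addresses are assumptions made for the illustration.

```python
from collections import defaultdict
from dataclasses import dataclass
import ipaddress

# Constructed protected network; sources outside it are "external".
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed log lines: "<epoch seconds> <src ip> <dst ip> <dst port>".
# 203.0.113.50 probes six ports in three seconds; 10.0.0.7 is ordinary web
# traffic; 10.0.0.9 probes from inside the network, then one more port later.
SAMPLE_LOG = """\
1700000000 203.0.113.50 10.0.0.15 22
1700000001 203.0.113.50 10.0.0.15 23
1700000001 203.0.113.50 10.0.0.15 25
1700000002 203.0.113.50 10.0.0.15 80
1700000002 203.0.113.50 10.0.0.15 443
1700000003 203.0.113.50 10.0.0.15 3306
1700000010 10.0.0.7 10.0.0.15 443
1700000011 10.0.0.7 10.0.0.15 443
1700000100 10.0.0.9 10.0.0.20 21
1700000101 10.0.0.9 10.0.0.20 22
1700000102 10.0.0.9 10.0.0.20 23
1700000103 10.0.0.9 10.0.0.20 25
1700000104 10.0.0.9 10.0.0.20 110
1700000900 10.0.0.9 10.0.0.20 143
"""


@dataclass(frozen=True)
class Alert:
    src: str
    dst: str
    ports: int      # distinct destination ports seen inside the window
    origin: str     # "internal" or "external" relative to INTERNAL_NET
    action: str     # "alert" (IDS) or "block" (IPS)


def parse_log(text):
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((int(ts), src, dst, int(port)))
    return records


def detect_scans(records, threshold=5, window=60, prevent=False):
    """Sliding window per (src, dst): raise one alert when a source touches at
    least `threshold` distinct ports on a host within `window` seconds."""
    seen = defaultdict(list)   # (src, dst) -> [(ts, port), ...] in time order
    alerted = set()
    alerts = []
    for ts, src, dst, port in sorted(records):
        key = (src, dst)
        events = seen[key]
        events.append((ts, port))
        # Forget events that have fallen out of the window.
        while events and events[0][0] < ts - window:
            events.pop(0)
        distinct = {p for _, p in events}
        if len(distinct) >= threshold and key not in alerted:
            alerted.add(key)
            origin = "internal" if ipaddress.ip_address(src) in INTERNAL_NET else "external"
            alerts.append(Alert(src, dst, len(distinct), origin,
                                "block" if prevent else "alert"))
    return alerts


def run_demo(prevent=False):
    """IDS mode by default; prevent=True models the IPS decision."""
    return detect_scans(parse_log(SAMPLE_LOG), prevent=prevent)
```

The origin label is what the last goal in the list above asks for: an internal source scanning internal hosts points at a compromised or misused machine rather than at the perimeter.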

Data backup

The topic of backing up a working UNIX-like operating system (usually Linux) regularly comes up in mailing lists and Linux forums. The advice is consistently to simply archive with tar cvfz backup.tgz /bin /boot /etc ... Unfortunately, creating a correct backup takes more effort.

A correct backup saves not only data but also data about data: metadata. The attributes of the particular file system and the special device files needed for the OS to operate are copied as well. It is vital that the backup medium and the program working with it can provide such copying. For example, we categorically do not recommend making a backup copy of an ext3 file system (the standard file system in Linux) onto partitions formatted as FAT32/FAT16 (the antediluvian file system from Microsoft, still found on USB drives and similar devices, although they can, of course, be formatted with any file system).

On ext3 partitions, file metadata includes: file modification time, inode change time, last access time, user and group identifiers, and access permissions on files and directories. If extended attributes are present there can be much more metadata, mainly from the access control list (ACL). The more of this data is copied, the better. Of course, failing to save and restore access permissions will render the system inoperable. This is true even for such simple things as mtime (modification time, the time the file's contents changed). For example, the Gentoo Linux distribution uses mtime to determine whether files belong to a specific package or were changed later. If you do not restore the correct modification times, the package management system will be completely inoperable.

Depending on the software used, different steps may be needed to save all this information. For example, tar with default parameters cannot preserve correct access permission information. A quick test may suggest that it can, but the impression is deceptive. With default parameters, tar unpacks files using the umask (user file creation mode mask) of the current user. If the current umask is permissive enough, the files may be restored with their own permission settings, but with a stricter umask those restrictions are applied to the restored files. To prevent this, tar must be used with the --preserve-permissions parameter.

Information about file owners can be stored in two ways: in numeric and in text form. Many backup programs prefer the textual representation because it is easier for a person to read, but when backing up an entire system this is undesirable. It is likely that you will restore the system from some Live CD, while the backup was created on the system being copied. On restore, files belonging to the bin user will receive a user ID taken from the /etc/passwd file of the Live CD. If that is, for example, ID 2, but on the system being recovered the same identifier is assigned to the daemon user, then the files belonging to bin will end up belonging to daemon. Therefore you should always store file owner information in numeric form. For this, tar has the --numeric-owner parameter. rdiff-backup has a similar parameter, --preserve-numerical-ids, added in version 1.1.0. Dar does not support the textual representation at all.

Some backup programs (for example tar and dar) can restore atime (access time, the time of last access) after reading the files during copying. This is done so that the copy matches the original. The feature should be used with caution, since restoring atime changes ctime (change time, the time the inode changed). Nothing can be done about that, since ctime cannot be set forcibly. The dar man page states that the leafnode NNTP server expects the last access time to be restored when caching, but restoring atime is usually very rarely required. For any program, assuming that the atime value is preserved in a backup copy is a serious flaw. Access time may change arbitrarily, even by a user who has no write access to the file. In addition, automatic indexing programs such as Beagle can change atime. Furthermore, a change in ctime can trigger some computer-protection programs. As already mentioned, ctime cannot be set forcibly, and therefore if a file's ctime has changed while its mtime is unchanged since the last check, the file may have been replaced by another, which usually indicates the installation of a rootkit. Consequently, saving access times makes sense only if you know exactly what you are doing. By default dar saves atime. Changes that correct this behavior have already been committed to CVS and will most likely appear in version 2.4.0. For older versions, use the --alter=atime parameter.

Links come in two types: symbolic and hard. A symbolic link, or symlink, is just a pointer to another location in the file system. A hard link is an additional pointer to an inode.

To preserve symbolic links, all that needs to be done is to make sure the backup application saves the link itself rather than the file it points to. Not all programs behave this way with default settings, so be careful.

Hard links require a little more attention. As already mentioned, a hard link is essentially a second (third, fourth...) name for a file. If you have a file A and a file B hard-linked to it, they behave as if you had two files. If both are 1 GB, they occupy 1 GB on disk, but applications will assume they occupy 2 GB. Since B is not merely a reference to A but another name for the same file, file A can be deleted painlessly: file B is not deleted when A is deleted.

Most backup applications support hard links, but only if they are all within one directory tree. If you copy /bin, /etc, /usr and other directories with a separate cp -a command for each, the hard link information will not be recognized and copied. Since hard links cannot point to a file in another file system, it is enough to copy and restore one partition at a time. For example, if /home is moved to a separate partition, you can make a separate archive of the root directory without /home and a separate archive of /home alone. If you create an archive that includes all mount points, additional steps are needed so that the data is restored to the right partitions. If the program does not object to existing directories, you can create mount points with the same names in the new file system before restoring the data. Otherwise this approach should help: first restore the data to one partition, then copy the parts to their partitions with cp -a. Do not use mv to move the data: imagine what happens if the program is accidentally terminated before finishing its work.

In Linux and other UNIX-like operating systems, hard links are widely used.

A sparse file is a file in which zeros are not written to disk as zeros but are simply left unallocated. Thanks to this, for example, a gigabyte file with a lot of empty space may occupy only a megabyte. Such files are used by the Azureus torrent client.

Backup programs do not always support sparse files. When a program without sparse file support is used, the file is read as usual. The data in the file remains the same, but it can take much more space. Be careful: the backup may not fit on the disk intended for it on recovery if sparse files are created as ordinary files.

For files downloaded via torrents this is not too frightening; they will be filled with data during downloading anyway. But if there are many sparse files that must remain sparse, a backup program with sparse file support is required. In any case, even if a file is detected as sparse, the copy will not be laid out in the same way as the original, since that information cannot be obtained. Instead, a new sparse file is created in which the unallocated regions are chosen at the program's discretion. However, this should not be a problem.

There are other special files, such as FIFOs (named pipes), block devices and so on. They are not particularly noteworthy and most applications know how to handle them, but the correct parameters must be specified. For example, cp without the -a parameter will try to copy the data flowing through a named pipe instead of recreating the pipe.

There are also special directories: lost+found (in the ext2/3/4 file systems). In fact it is not an ordinary directory at all and cannot be created with mkdir; use mklost+found instead. If you did not know, lost+found is used to store files recovered by e2fsck when the file system has been damaged.

To save space on the backup medium, some directories need not be saved.

There are also special file systems mounted under the root that are created dynamically at boot; they should not be saved.
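An added example, not from the article, that round-trips a constructed tree through Python's tarfile module and reports which of the properties discussed above survive the trip: permission bits, mtime, hard links and symlinks. tarfile has no sparse-file support when writing, so it also shows the bloat the text warns about. The tree and paths are constructed temporary fixtures.

```python
import os
import stat
import tarfile
import tempfile

FIXED_MTIME = 1_600_000_000   # constructed timestamp, used to check mtime survival


def make_fixture(root):
    """Create a small tree with the special cases from the text (constructed)."""
    etc = os.path.join(root, "etc")
    os.makedirs(etc)
    cfg = os.path.join(etc, "config")
    with open(cfg, "w") as f:
        f.write("hostname=example\n")
    os.chmod(cfg, 0o640)
    os.link(cfg, os.path.join(etc, "config.hardlink"))        # second name, same inode
    os.symlink("config", os.path.join(etc, "config.symlink"))  # pointer, not a copy
    with open(os.path.join(etc, "sparse.img"), "wb") as f:
        f.truncate(8 * 1024 * 1024)                            # 8 MiB hole, few blocks
    os.utime(cfg, (FIXED_MTIME, FIXED_MTIME))
    return root


def backup(root, archive):
    """Archive the tree with names relative to root, like `tar -C root -cf ... .`."""
    with tarfile.open(archive, "w") as tar:
        tar.add(root, arcname=".")


def restore(archive, dest):
    os.makedirs(dest, exist_ok=True)
    # The "tar" extraction filter (Python 3.12+, backported to older patch
    # releases) rejects absolute paths and links escaping dest but keeps the
    # stored ownership, so numeric_owner still applies when restoring as root:
    # uid/gid numbers are used instead of resolving user names via /etc/passwd.
    kwargs = {"filter": "tar"} if hasattr(tarfile, "tar_filter") else {}
    with tarfile.open(archive, "r") as tar:
        tar.extractall(dest, numeric_owner=True, **kwargs)


def blocks(path):
    return os.lstat(path).st_blocks   # 512-byte blocks actually allocated


def check_restore(src, dst):
    """Return named checks, True where the property survived the round trip."""
    s, d = os.path.join(src, "etc"), os.path.join(dst, "etc")
    a = os.lstat(os.path.join(d, "config"))
    b = os.lstat(os.path.join(d, "config.hardlink"))
    return {
        "mode_kept": stat.S_IMODE(a.st_mode) == 0o640,
        "mtime_kept": int(a.st_mtime) == FIXED_MTIME,
        "hardlink_kept": a.st_ino == b.st_ino and a.st_nlink == 2,
        "symlink_kept": os.readlink(os.path.join(d, "config.symlink")) == "config",
        # tarfile writes back the zeros it read, so the restored copy is never
        # sparser than the original and, on a sparse-aware file system, far larger.
        "sparse_bloated": blocks(os.path.join(d, "sparse.img"))
                          >= blocks(os.path.join(s, "sparse.img")),
    }


def run_demo():
    work = tempfile.mkdtemp()
    src = make_fixture(os.path.join(work, "src"))
    archive = os.path.join(work, "backup.tar")
    restored = os.path.join(work, "restored")
    backup(src, archive)
    restore(archive, restored)
    return check_restore(src, restored)
```

Run it on a sparse-aware file system and compare the block counts of the two sparse.img copies to see the growth the text describes.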

When backing up a running system, do not forget about programs that may change your data during copying. Good examples are databases such as MySQL or PostgreSQL, as well as mail programs (mbox files are more vulnerable than maildir). Their data files (usually stored somewhere under /var) may be modified while the system is running, whether by ordinary operations or by automatic database cleanup. Never rely on copies of the working data files of a database, an LDAP server, a Subversion repository or any similar program you use.

If it is not possible to stop these programs before the backup, schedule jobs that periodically save database dumps.

Creating scheduled dumps is always useful, whatever the situation. If data is suddenly damaged, dumps of earlier states of the database remain and not everything is lost. And if the dump is stored in the local file system, you do not have to hunt through backups when you need to restore the database (or other application data).

WPA-PSK mode is intended for personal use. It uses a pre-shared encryption key (an access password), the same for all network devices, and initial user authentication is carried out with this key.

To configure WPA encryption in the access point settings window, select the WPA-PSK authentication type and set the encryption type (WPA Encryption) to TKIP or AES. Then set the encryption key (WPA-PSK Passphrase); any word can serve as the key. This key, like the key in the case of WEP encryption, is set on all devices.

When the WPA standard is used, TKIP is selected as the encryption algorithm.

WPA-PSK encryption with the TKIP method is considered an impregnable wall against unauthorized access and is an even more powerful protection method than those previously used in VPN networks. This technology is not supported by all modern network equipment.

In PSK mode, wireless access cannot be managed individually or centrally. One password applies to all users, and it must be changed manually on each wireless device after it is changed manually on the wireless router or access point. This password is stored on the wireless devices. Thus every user of such a computer can connect to the network, and can also see the password.

A big plus of implementing WPA is that the technology can work on existing Wi-Fi hardware.

TKIP is responsible for increasing the key size from 40 to 128 bits, and for replacing the single static WEP key with keys that are automatically generated and distributed by the authentication server. In addition, TKIP uses a special key hierarchy and key management methodology that removes the excessive predictability that was exploited to defeat WEP key protection.

The concept of "authoritative recommendations" (best practices) refers to a set of instructions that ensure an appropriate level of security. Authoritative recommendations (hereinafter simply recommendations) are a combination of instructions whose effectiveness has been proven by application in a wide variety of organizations. Not all of these instructions are suitable for every organization. Some companies require additional policies and procedures, personnel training or technical security controls to achieve an acceptable level of security management.

Administrative security

Administrative security recommendations are those that concern policies and procedures, resources, degrees of responsibility, staff training needs and contingency plans. These measures are meant to determine how important information and information systems are to the company, and to explain to staff exactly what that importance is. Administrative security recommendations determine the resources needed for proper risk management and identify the persons responsible for managing the organization's security.

Policies and procedures

Security policies define the method by which security is ensured within the organization. Once a policy is defined, it is assumed that most employees of the company will follow it. It should be understood that there is no full and unconditional compliance with policies. In some cases a policy will be violated because of requirements related to the organization's business. In other cases a policy is ignored because it is difficult to implement.

Even allowing for the fact that a policy is not always followed, it forms a key component of the security program and should be included in the list of recommendations. Without policies, employees will not know what to do to protect information and computer systems.

  • Information policy. Determines the degree of confidentiality of information within the organization and the requirements for storing, transferring, labeling and managing this information.
  • Security policy. Defines the technical controls and security settings used by users and administrators on all computer systems.
  • Use policy. Determines the permissible use of the organization's computer systems and the penalties for their inappropriate use. This policy also determines the software installation method and is also known as an acceptable use policy.
  • Backup policy. Determines the frequency of data backups and the requirements for moving backup data to separate storage. Backup policies also determine how long the data must be retained before the media is reused.

Policies by themselves do not form comprehensive instructions for implementing the organization's security program. Procedures must be defined according to which employees perform particular tasks, and which define the further steps for handling various situations from a security standpoint. Within the organization, the following procedures must be defined.

  • User management procedure. Determines who may authorize access to particular computers of the organization, and what information administrators must provide to users when supporting them. User management procedures also define who is responsible for informing administrators that an employee no longer needs an account. Cancelling accounts is important so that only persons with a relevant business need have access to the organization's systems and networks.
  • System administration procedures. Describe how the security policy is applied at a given time on the various systems in the organization. This procedure specifies in detail how updates and their installation on systems are to be handled.
  • Configuration management procedures. Define the steps for making changes to operating systems. Changes may include software and hardware updates, connecting new systems and removing unnecessary ones.

Note

In many organizations, update management is a major problem. Tracking updates to reduce system vulnerability, and testing them before installing them on production systems (so as not to break running applications), takes a lot of time, but these tasks are very important for any organization.

Alongside configuration management procedures, development methodologies for new systems are established. They are very important for managing the vulnerabilities of new systems and for protecting production systems from unauthorized changes. The development methodology determines how and when protection measures should be developed and applied. This information should be emphasized at every briefing of developers and project managers.
