Security Fundamentals: Maintaining Network Availability
By Edward J. Hawkins, II
This is the third of three articles on security fundamentals.
Availability is probably one of the more convoluted security goals in the CIA Triad. This is due to its position in terms of security. If confidentiality and integrity are removed from the security equation, then availability provides unrestricted access to an organization’s information technology (IT) assets.
But what is the definition of availability in terms of security goals? One definition that business and IT security experts Jake Kouns and Daniel Minoli provide is the “maintaining [of] unimpeded access 100% of the time to all IT assets [while protecting] against blockage, limitation or diminution of benefit from an asset that is owned.”
In other words, an organization’s employees should have access to their IT assets anytime that access is required. What this definition does not state is who precisely should have access to IT assets; authorized users need to be explicitly identified. Unauthorized users, inside or outside of a company, should not have access to organizational assets.
At the same time, there needs to be a balance in how an organization implements its security measures. This is a core concept for developing and deploying security measures due to the nature of denial of service (DoS) attacks.
Denial of Service attacks are the last resort of threat actors who have failed in all other attempts to gain unauthorized access. This leads to the attacker mindset of “If I cannot have access to the IT resource, then no one will.”
For network administrators, implementing the security goal of availability is simple when it comes to network environments. However, in home-based environments, maintaining availability and security can be a challenge that the average user may not want or understand.
While at a computer sales store years ago, for example, I was in the networking section of a popular retailer. I overheard a salesman trying to sell a very robust wireless router to an older woman who was looking for a hub.
Knowing how to configure routers for secure access, I asked the salesman if the retailer provided an in-home installation and configuration service for such a device due to the complexity involved in configuring it. The salesman soon scurried away. The store did not offer such a service, nor were they interested in educating their customers in what was required to ensure a secure environment after installation.
All the woman needed was to share access among a few devices in her home, and creating functionality was the right answer for her needs. Fortunately, hubs are not available today due to their security vulnerabilities and other security violation issues that they create. I finished helping the woman and went on my way.
Home Users Are at a Disadvantage in Regard to Availability
When it comes to ensuring availability, home users are at a disadvantage because there are different versions of operating systems. Microsoft is notorious for creating this problem because it offers “Home” and “Professional” editions of the same operating system.
This would be fine if the local security policy editor were in all versions of the operating system. The local security policy editor was an integral part of the Windows NT framework, which provides the underlying mechanics of the operating system. It allowed the system administrator to create granular security policies for a given operating system.
Today, this editor is available only in the “Professional” and higher versions of operating systems. These higher versions also allow for the operating system to be integrated into a server environment, which can provide even more granular control using group policy objects (GPOs).
Ensuring Availability and Security for Household Networks
So what options do home users have to secure their systems and ensure availability? For starters, they still have a router that can be used to deny access to unauthorized devices and permit access to authorized devices. This process is called whitelisting or blacklisting, depending on which approach is used.
Whitelisting involves the identification of authorized devices; all others are denied access to a system (blacklisting). Modern wireless routers also include a firewall and some even include an intrusion detection system (IDS).
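The two router list modes described above can be compared on the same set of join attempts. This is an added example, not code from the article or from any router vendor; the MAC addresses, device roles and function names are constructed for illustration. It reports which authorized devices get locked out (an availability failure) and which unauthorized devices get in (a security failure) under each mode.

```python
import re

def normalize_mac(mac: str) -> str:
    """Return aa:bb:cc:dd:ee:ff so list entries typed in different styles still match."""
    digits = re.sub(r"[:\-.]", "", mac.strip())
    if not re.fullmatch(r"[0-9a-fA-F]{12}", digits):
        raise ValueError(f"not a MAC address: {mac!r}")
    digits = digits.lower()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def permits(mac: str, mode: str, listed: list) -> bool:
    """mode 'allow': only listed devices join (default deny).
    mode 'deny': every device except the listed ones joins (default allow)."""
    known = normalize_mac(mac) in {normalize_mac(m) for m in listed}
    if mode == "allow":
        return known
    if mode == "deny":
        return not known
    raise ValueError(f"unknown mode: {mode!r}")

def audit(attempts, mode, listed):
    """attempts: (mac, owner_authorized) pairs.
    Returns (locked_out, let_in): authorized devices refused, unauthorized devices admitted."""
    locked_out, let_in = [], []
    for mac, authorized in attempts:
        allowed = permits(mac, mode, listed)
        if authorized and not allowed:
            locked_out.append(normalize_mac(mac))
        elif not authorized and allowed:
            let_in.append(normalize_mac(mac))
    return locked_out, let_in

# Constructed sample data (locally administered MAC addresses, not real devices).
ALLOWLIST = ["02:00:00:00:00:01", "0200.0000.0002"]   # laptop, phone
DENYLIST = ["02:00:00:00:00:66"]                      # one device the owner has blocked
ATTEMPTS = [
    ("02:00:00:00:00:01", True),    # laptop
    ("02-00-00-00-00-02", True),    # phone, reported in a different notation
    ("02:00:00:00:00:03", True),    # new tablet the owner has not listed yet
    ("02:00:00:00:00:99", False),   # unknown device nobody has listed
    ("02:00:00:00:00:66", False),   # the blocked device
]

if __name__ == "__main__":
    for mode, listed in (("allow", ALLOWLIST), ("deny", DENYLIST)):
        locked_out, let_in = audit(ATTEMPTS, mode, listed)
        print(f"{mode:5} list -> locked out: {locked_out}, let in: {let_in}")
```

A MAC address is reported by the connecting device itself, so either list is an access-hygiene control and does not replace authentication such as the wireless passphrase.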
There are two basic types of firewalls and IDSs that can be used in home-based networking: network-based and host-based. Network-based firewalls and IDSs are typically special devices or computers that screen all network traffic coming from and going to the network gateway (i.e., the router). Host-based solutions focus on securing network-based traffic within the individual computer.
Other security solutions are virtual private networks (VPNs) and virtual local area networks (VLANs). Both help ensure the availability of network resources.
By implementing VPN technology, for example, a user can connect into a trusted network from an untrusted, unsecure network. However, VPNs can be difficult to implement and may cost the user regular fees from services that provide dynamic Internet Protocol (IP) address tracking. VLANs, on the other hand, allow network devices to be segmented away from other devices.
Maintaining the Balance between Availability and Security
To ensure that the goals of security and availability are properly met, the network administrator must use resources and take the necessary steps to prevent unauthorized access from threat actors. At the same time, the network administrator must also ensure that those who need access to the network have it.
This control is accomplished through access control policies, user permissions, firewalls, intrusion detection and prevention systems, VPNs and network segmentation. By taking the time to properly investigate the needs of stakeholders who utilize the network and implementing a privilege policy, the twin goals of availability and security can be effectively met.