Networking: A Beginner’s Guide, Fifth Edition

Chapter 11: Securing Your Network
File and Directory Permissions
Another type of internal security that you need to maintain for information on your
network involves the users’ access to files and directories. These settings are actually a bit
tougher to manage than user accounts, because you usually have at least 20 directories
and several hundred files for every user on the network. The sheer volume of directories
and files makes managing these settings a more difficult job. The solution is to establish
regular procedures, follow them, and then periodically spot-audit parts of the directory
tree, particularly areas that contain sensitive files. Also, structure the overall network
directories so that you can, for the most part, simply assign permissions at the top levels.
These permissions will “flow down” to subdirectories automatically, which makes it
much easier to review who has access to which directories.
Network operating systems allow considerable flexibility in setting permissions on
files and directories. Using the built-in permissions, you can enable users for different
roles in any given directory. These roles control what the user can and cannot do within
that directory. Examples of generic directory roles include the following:
• Create only: This type of role enables users to add a new file to a directory,
but restricts them from seeing, editing, or deleting existing files, including
any they’ve created. This type of role is suitable for allowing users to add new
information to a directory to which they shouldn’t otherwise have access. The
directory becomes almost like a mailbox on a street corner: You can only put
new things in it. Of course, at least one other user will have full access to the
directory to retrieve and work with the files.
• Read only: This role enables users to see the files in a directory and even to pull
up the files for viewing on their computer. However, the users cannot edit or
change the stored files in any way. This type of role is suitable for allowing users
to view information that they should not change. (Users with read privileges can
copy a file from a read-only directory to another directory and then do whatever
they like with the copy they made. They simply cannot change the copy stored in
the read-only directory itself.)
• Change: This role lets users do whatever they like with the files in a directory,
except give other users access to the directory.
• Full control: Usually reserved for the “owner” of a directory, this role enables
the owners to do whatever they like with the files in a directory and to grant
other users access to the directory.
These roles are created in different ways on different network operating systems.
Chapter 17 provides more details on how Windows server operating systems handle
directory permissions.
Just as you can set permissions for directories, you can also set security for specific
files. File permissions work similarly to directory permissions. For specific files, you
can control a user’s ability to read, change, or delete a file. File permissions usually
override directory permissions. For example, if users had change access to a directory,
but you set their permission to access a particular file in that directory to read-only,
they would have only read-only access to that file.
TIP: For a network of any size, I recommend avoiding the use of file-specific network permissions,
except in very rare cases. It can quickly become an unmanageable mess to remember to which
files each user has special permissions and to which files a new hire needs to be given specific
permission.
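The spot-audit recommended above, sketched as an added example (not code from the book): it walks a tree and reports every entry whose permissions differ from what was assigned at the top level, which is exactly where file-specific exceptions hide. POSIX mode bits stand in for the network operating system's roles, and the `POLICY` table and directory names are hypothetical.

```python
import os
import stat
import tempfile

# Hypothetical policy: modes are assigned once per top-level directory and
# everything beneath is expected to match. POSIX mode bits stand in here for
# the network operating system's directory roles.
POLICY = {
    "public":  {"dir": 0o755, "file": 0o644},  # read only for non-owners
    "finance": {"dir": 0o750, "file": 0o640},  # sensitive: nothing for others
}

def audit_tree(root, policy):
    """Return sorted (path, actual, expected) for entries that break the policy."""
    findings = []
    for top, expected in policy.items():
        for dirpath, _dirs, files in os.walk(os.path.join(root, top)):
            entries = [(dirpath, "dir")]
            entries += [(os.path.join(dirpath, f), "file") for f in files]
            for path, kind in entries:
                st = os.lstat(path)
                if stat.S_ISLNK(st.st_mode):
                    continue  # a symlink has no meaningful mode of its own
                actual = stat.S_IMODE(st.st_mode)
                if actual != expected[kind]:
                    findings.append((os.path.relpath(path, root),
                                     oct(actual), oct(expected[kind])))
    return sorted(findings)

def demo():
    """Build a constructed sample tree with one file-specific exception."""
    with tempfile.TemporaryDirectory() as root:
        for top, modes in POLICY.items():
            sub = os.path.join(root, top, "reports")
            os.makedirs(sub)
            for d in (os.path.join(root, top), sub):
                os.chmod(d, modes["dir"])
            for name in ("a.txt", "b.txt"):
                path = os.path.join(sub, name)
                open(path, "w").close()
                os.chmod(path, modes["file"])
        # The exception: someone opened one finance file to everyone.
        os.chmod(os.path.join(root, "finance", "reports", "b.txt"), 0o666)
        return audit_tree(root, POLICY)

if __name__ == "__main__":
    for finding in demo():
        print(finding)
```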
Practices and User Education
The most insecure part of any network is the people using it. You need to establish
good security practices and habits to help protect the network.
It’s not enough to design and implement a great security scheme if you do not
manage it well on a daily basis. To establish good practices, you need to document
security-related procedures, and then set up some sort of process to make sure that the
employees follow the procedures regularly. In fact, you’re far better off having a simple
security design that is followed to the letter than having an excellent but complicated
security design that is poorly followed. For this reason, keep the overall network security
design as simple as possible, while remaining consistent with the needs of the company.

You also need to make sure—to the maximum extent possible—that the users
are following prudent procedures. You can easily enforce some procedures through
settings on the network operating system, but you must handle others through
education. The following are some tips to make this easier:
• Spell out for users what is expected of them in terms of security. Provide
a document that describes the security of the network and what they need
to do to preserve it. Examples of guidelines for the users include choosing
secure passwords, not giving their passwords to anyone else, not leaving their
computers unattended for long periods of time while they are logged in to the
network, not installing software from outside the company, and so forth.
• When new employees join the company and are oriented on using the network,
make sure that you discuss security issues with them.
• Depending on the culture of the company, consider having users sign a form
acknowledging their understanding of important security procedures that the
company expects them to follow.
• Periodically audit users’ security actions. If the users have full-control access to
directories, examine how they’ve assigned permissions to other users.
• Make sure that you review the security logs of the network operating system
you use. Investigate and follow up on any problems reported.
TIP: It’s a good idea to document any security-related issues you investigate. While most are
benign, occasionally you might find one in which the user had inappropriate intent. In such cases,
your documentation of what you find and what actions you take might become important.
While it’s important to plan for the worst when designing and administering
network security, you also need to realize that most of the time, security issues arise
from ignorance or other innocent causes, rather than from malicious intent.
Understanding External Threats
External security is the process of securing the network from external threats. Before
the Internet, this process wasn’t difficult. Most networks had only external modems
for users to dial in to the network, and it was easy to keep those access points secure.
However, now that nearly all networks are connected to the Internet, external security
becomes much more important and also much more difficult.
At the beginning of this chapter, I said that no network is ever totally secure. This
is especially true when dealing with external security for a network connected to the
Internet. Almost daily, crackers discover new techniques that they can use to breach the
security of a network through an Internet connection. Even if you were to find a book
that discussed all the threats to a specific type of network, the book would be out of
date soon after it was printed.
Three basic types of external security threats exist:
• Front-door threats: These threats arise when a person from outside the
company somehow finds, guesses, or cracks a user password and then logs on to
the network. The perpetrator could be someone who had an association with the
company at some point or could be someone totally unrelated to the company.
• Back-door threats: These are threats where software or hardware bugs in
the network’s operating system and hardware enable outsiders to crack the
network’s security. After accomplishing this, the outsiders often find a way to log
in to the administrative account and then can do anything they like. Back-door
threats can also be deliberately programmed into software you run.
• Denial of service (DoS): DoS attacks deny service to the network. Examples
include committing specific actions that are known to crash different types of
servers or flooding the company’s Internet connection with useless traffic (such
as a flood of ping requests).
NOTE: Another type of external threat exists: computer viruses, Trojan horses, worms, and other
malicious software from outside the company. These threats are covered in their own section later in
the chapter.
Fortunately, you can do a number of things to implement strong external security
measures. They probably won’t keep out a determined and extremely skilled cracker,
but they can make it difficult enough that most crackers will give up and go elsewhere.
Front-Door Threats
Front-door threats, in which someone from outside the company is able to gain access
to a user account, are probably the most likely threats that you need to protect against.
These threats can take many forms. Chief among them is the disgruntled or terminated
employee who once had access to the network. Another example is someone guessing
or finding out a password to a valid account on the network or somehow getting a
valid password from the owner of the password.
Insiders, whether current or ex-employees, are potentially the most dangerous
overall. Such people have many advantages that some random cracker won’t have.
They know the important user names on the network already, so they know what
accounts to go after. They might know other users’ passwords from when they were
associated with the company. They also know the structure of the network, what the
server names are, and other information that makes cracking the network’s security
easier.
Protecting against a front-door threat revolves around strong internal security
protection because, in this case, internal and external security are closely linked. This
is the type of threat where all the policies and practices discussed in the section on
internal security can help to prevent problems.
An additional effective way to protect against front-door threats is to keep network
resources that should be accessed from the LAN separate from resources that should
be accessed from outside the LAN, whenever possible. For example, if you never need
to provide external users access to the company’s accounting server, you can make it
nearly impossible to access that system from outside the LAN.
DEFINE-IT! Important Network Security Devices
Here are some important security devices you should be familiar with:
• A firewall is a system that enforces a security policy between two networks,
such as between a local area network (LAN) and the Internet. Firewalls can
use many different techniques to enforce security policies.
• A proxy server acts as a proxy (an anonymous intermediary), usually for
users of a network. For example, it might stand in as a proxy for browsing
web pages, so that the user’s computer isn’t connected to the remote
system except through the proxy server. In the process of providing proxy
access to web pages, a proxy server might also speed web access by caching
web pages that are accessed so that other users can benefit from having
them more quickly available from the local proxy server, and might also
provide some firewall protection for the LAN.
• Usually built into a router or a firewall, a packet filter enables you to set
criteria for allowed and disallowed packets, source and destination
IP addresses, and IP ports.
You can separate network resources through a number of measures. You can set
up the firewall router to decline any access through the router to that server’s IP or
IPX address. If the server doesn’t require IP, you can remove that protocol. You can
set up the server to disallow access outside normal working hours. Depending on the
network operating system running on the server, you can restrict access to Ethernet MAC
addresses for machines on the LAN that should be able to access the server. You can also
set the server to allow each user only one login to the server at a time. The specific steps
that you can take depend on the server in question and its network operating system, but
the principle holds true: Segregate internal resources from external resources whenever
possible.
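To make the packet-filter criteria and the "decline any access to that server's IP" rule concrete, here is an added example (not from the book) of a first-match rule table with a default deny. All addresses, the port numbers, and the `Rule` and `decide` names are constructed for illustration.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Rule:
    action: str                 # "allow" or "deny"
    src: str                    # source network, CIDR
    dst: str                    # destination network, CIDR
    port: Optional[int] = None  # destination port; None matches any

# Constructed addresses: 192.168.10.0/24 is the LAN, .20 the accounting
# server, .80 a server meant to be reached from outside.
RULES = [
    Rule("allow", "192.168.10.0/24", "192.168.10.20/32"),
    Rule("deny",  "0.0.0.0/0",       "192.168.10.20/32"),
    Rule("allow", "0.0.0.0/0",       "192.168.10.80/32", 443),
]

def decide(rules, src, dst, port):
    """First matching rule wins; traffic that matches no rule is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in rules:
        if (s in ipaddress.ip_network(rule.src)
                and d in ipaddress.ip_network(rule.dst)
                and rule.port in (None, port)):
            return rule.action
    return "deny"

if __name__ == "__main__":
    for pkt in [("192.168.10.55", "192.168.10.20", 1433),
                ("203.0.113.7", "192.168.10.20", 1433),
                ("203.0.113.7", "192.168.10.80", 443),
                ("203.0.113.7", "192.168.10.80", 22)]:
        print(pkt, decide(RULES, *pkt))
```

Rule order matters: placing the broad deny ahead of the LAN allow would also lock LAN users out of the accounting server.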
Here are some other steps you might take to stymie front-door threats:
• Control which users can access the LAN from outside the LAN. For example,
you might be running VPN software for your traveling or home-based users to
access the LAN remotely through the Internet. You should enable this access
only for users who need it and not for everyone.
• Consider setting up remote access accounts for remote users who are separate
from their normal accounts, and make these accounts more restrictive than
their normal LAN accounts. This might not be practicable in all cases, but it’s
a strategy that can help, particularly for users who normally have broad LAN
security clearances.
• For modems that users dial in to from a fixed location, such as from their
homes, set up their accounts to use dial-back. Dial-back is a feature whereby
you securely enter the phone number of the system from which users are
calling (such as their home phone numbers). When the users want to connect,
they dial the system, request access, and then the remote access system
terminates the connection and dials the preprogrammed phone number to
make the real connection. Their computer answers the call and then proceeds
to connect them normally. Someone trying to access the system from another
phone number won’t be able to get in if you have dial-back enabled.
• If employees with broad access leave the company, review user accounts
where they might have known the password. Consider forcing an immediate
password change to such accounts once the employees are gone.
NOTE: An important aspect of both internal and external security is physical security. Make sure
that the room in which your servers are located is physically locked and secure.
People trying to access the network who have not been associated with the company
at some point often try a technique euphemistically called social engineering, which is
where they use nontechnological methods to learn user accounts and passwords inside
the company. These techniques are most dangerous in larger companies, where not all
