Which of the following is an example of configuring an application program?

Configuration

This is commonly done with administrator authority for the application via an interface created by the application developers for this purpose. Unfortunately, creating that interface is often done at the last minute and done poorly. Sometimes, but not always, this results in an interface that is arcane and difficult to use. Fortunately, more experienced developers recognize the importance of that human interaction and deliver an interface for application configuration that is more user-friendly.

It is in the configuration process that the application’s operating parameters are set. Those parameters include such things as:

Users and their respective authority levels, a.k.a., what can each person do?

Data sources/repositories and the location(s) of them

Dependencies to other applications

Port mapping

URL specification

Network configurations

Some applications need to have multiple network cards installed on the server for additional bandwidth or parallel processing. It is also important to specify such items as quality of service (QoS) priorities so network settings can reflect how the application actually works. Anything involving video or even audio would need higher priority, while bulk data exchange or transfers can often proceed at a slower rate. Also, if a virtual private network (VPN) connection is required, that needs to be defined.

Getting the configurations right is critically important. Mistakes in configurations are a common source of application-related problems; for example, where mismatches occur between “as designed” and “as provisioned.”

Note: It is important to recognize that the term “configuration” in the context of this book refers specifically to the operating parameters of an application. In the world of application development, “software configuration management” refers to the processes put in place to manage the introduction of changes to an application.

Publisher Summary

The installation process and initial configuration process for GFI EventsManager tend to be tedious. Taking one last look at the Component Configuration Quick Start screen is recommended since so much work is involved. GFI EventsManager is designed to help in cutting through the log file clutter. It organizes event log entries in a more meaningful way and sends alerts when important events occur. It acts as a networkwide events manager that lets administrators monitor and manage events through a single user console. GFI EventsManager has the ability to send e-mail alerts whenever certain events occur. Configuring the e-mail alerts can be a bit tricky, but it is well worth the effort. The first method for setup involves configuring Internet Information Service to act as a Simple Mail Transport Protocol server and then using it to send e-mail alerts. The other method involves using a Microsoft Exchange Server.

7.4.5.2.3 Configuration Manager

The CfM is responsible for the configuration process and to act as sponsor for all configuration issues within the Forensic Laboratory. The responsibilities of this role include:

producing and maintaining a Configuration Management Plan, as defined in Appendix 21;

liaising with other Forensic Laboratory Resource Owners and Line Managers to implement consistent change management, configuration management, and Release Management across the Forensic Laboratory;

identifying, managing, and controlling CIs;

ensuring consistency of the CMDB and DSL so that the authorized state of the Forensic Laboratory infrastructure is properly reflected;

maintaining control of hardware, technical standards, and all documents;

providing supporting services (such as registration and checking) of releases delivered by third parties;

producing regular reports on the configuration database and all CI status;

promoting the awareness of configuration management processes and procedures appropriate to their work;

managing the configuration audit process and monitor exceptions and implement corrective actions;

providing advice on configuration management issues to the Forensic Laboratory.

Local Authentication Database

Locally stored credentials for firewall authentication require a two step configuration process.

// First, define the local login and related password

config user local

 edit

  set type password

  set passwd

 next

end

// Second, link the locally created login credentials to a FortiOS user group. This user group name is referenced in the identity firewall rule for firewall authentication

config user group

 edit

  set group-type firewall

  // multiple login(s) are delimited by a space

  set member <...>

 next

end

“set group-type” should be set to “firewall” to enforce the firewall authentication method. The other choice of “fsso-service” would be used for MS AD integration, which will be discussed later.

Planning Your Logical Security Configuration

Now we are ready to start the planning phase of our logical configuration process. It is recommended you complete the following four steps before starting the actual writing of your logical security configuration documents.

Identifying network assets.

Profiling your network assets.

Creating security areas.

Assigning network assets to security areas.

Keep in mind, once you capture some of this information, it can be leveraged in each of the logical configuration documents we identified in the previous step.

Profiling Your Network Assets

In this step, you will profile each of the network assets you identified in the identification step in the previous section. The network asset profile is a report on the various attributes that are important to you and your organization.

First, we need to determine what information we are going to collect about our network assets. It is recommended you identify as much information as possible and clearly mark which attributes are required and which are optional. For our example, we are going to use the following attributes for Example Corporation (see Table 2.2 and Table 2.3):

Table 2.2. Attributes for Example Corporation

Device Name:Device Type:IP Address:DNS Name:Physical Location:Services:Access Requirements:

Table 2.3. Defined Attributes for Example Corporation

Device Name:Web serverDevice Type:Server, Red Hat Enterprise Server 3.0IP Address:10.1.1.10DNS Name:webserverl .example.comPhysical Location:Server farmServices:Apache, SSH, my SQLAccess Requirements:Internet hosts, internal employees

For each of your network assets, you should collect similar information and record it in your asset management system or in a spreadsheet similar to the preceding template. While the device administrator might be able to provide it for you, it is recommended you verify the information yourself and use various security tools to verify which services are available.

Note

Profiling your assets is an important process and one that is often done with the aid of tools and management systems.

As you plan and implement your written security policies, understanding and using a concept of “security areas” will be very beneficial. They will have impact from the beginning network architecture and design phases through the ongoing, daily management and maintenance of your security systems. In this section, we discuss what security areas are and how they will be used as you design your logical security configurations of your firewall and VPN solutions.

What Are Security Areas?

Security areas are logical and sometimes physical groupings of network assets and resources that share a common set of security attributes. At first you might ask, what is the difference between security areas and VLANs? Don’t VLANs create a separate logical and physical separation between systems? The quick answer is yes and yes.

While different in many ways, VLANs and security areas are commonly used with one another but don’t have to be per se. Based on the requirements of a given security area, a network administrator might create a VLAN that will be used by the systems that are assigned to a security area or not. The main difference is, security areas are created by analyzing and grouping devices together based on the security attributes and not just on the physical separation. For example, what if your written security policy states that all hosts that belong to a “special group” are allowed to talk to one another but are required to pass through a firewall access policy first? Just defining a VLAN will not allow us to enforce our policy when these hosts communicate with one another. Using the concept of security area provides an abstraction that will help ensure our written policy can be enforced and ultimately help us in our actual design and configurations.

Implied Security Areas

If you are like many security professionals today, early in our careers we were introduced to implied security areas when we were asked to help protect our networks from the Internet. The Internet connections were assigned to an implied interface known as “untrusted,” while our networks connected to an interface known as “trusted.” These are two examples of implied security areas. Another example is the now famous “DMZ.” As pictured in Figure 2.1, an interface called the DMZ interface of the firewall connects to a network that provides DNS, mail and Web services for our example company. Based on the fact that these devices provide public services and are likely to be targets for attacks, we separate them from other hosts based on best security practices.

Figure 2.1. Legacy and common DMZ architecture

While much focus is put on protecting our “perimeters” from the Internet, it is not the only area that needs to be protected. It is now common security practice to view internal, traditional “trusted” networks and resources as important as protecting our perimeters.

The real question behind the implied groups like “trusted” and “untrusted” is what defines and constitutes these groupings? In our opinion, this is a great question and one that could be the basis for a very long discussion. In fact, as you probably know, many firewall vendors hard-code these implied areas and assign them to default physical interfaces. Since firewalls originally were designed to protect our company resources from the Internet, it was easier to have these defaults versus introducing a more complex concept like security areas. While it is still very common to see and use these implied security areas, it is not as simple as just assigning your resources to one of these groups.

The real reason to create security areas is not because of physical groupings. It is because it allows us to understand the inter- and intra-relationships between the devices that are part of a security area. For example, it is very common to have a written security policy that requires traffic traversing between security areas be inspected for violation of a specific access policy. Based on this requirement, we must implement some access control and logging for all traffic between these two areas. This point of inspection is known as an enforcement point (see Figure 2.2).

Figure 2.2. Logical Enforcement Point Diagram

Enforcement Points

Now that we have created an abstraction between security areas and enforcement points, it is easy to convert written security policies to logical security configurations that are not limited by feature or functionality of a device. In fact, this process becomes invaluable later as we use this information to help us select the right type of device to implement between our security areas. In our previous example, our enforcement point is the intersection between our two security areas. An important point is that an enforcement point does not just imply using a firewall to apply a policy to the traffic. It allows us to understand the security requirements at a specific point in our network, which might mean using a product, products, and or features of a product to enforce our written security requirements.

Creating Security Areas

In this step, we will create security areas that are specific to your network. Before we start, however, we need to define the attributes we will use.

Security Area Attributes

Before creating your security areas, we recommend you write down and agree to a set of attributes that are important to your organization. While there is not a clearly defined group of attributes to use, some common ones include:

■

Access rights

■

Services offered

■

Risk profile

For our discussion, we are going to use three attributes: access rights, services, and risk.

Note

While we are going to use these attributes, you can use your own, based on your specific environment. For example, the Federal Government has developed strict guidelines that are used to classify systems, their services, and their users.

Access rights define who and what needs access to use a resource or series of resources on an end device, such as a server. It is common for a single server to host multiple services.

In our network example, we have three servers that provide Internet-based services to the world. These services include mail, Web, and name services. Each of our servers is dedicated to one of these functions. Since all of these servers provide public services, they all require access to and from the Internet. For security purposes, we have decided to separate these servers onto a dedicated network and assign them to the DMZ-Server1 security area.

Assigning Network Assets to Security Areas

Now that we have created our security areas, we will need to assign our network assets to one of these areas. This step is pretty simple and straightforward. For each of our network assets, assign them to one of your security areas. Here is our example for Example Corporation (see Table 2.4):

Table 2.4. Assignment of Network Assets to Security Areas

Network AssetSecurity AreaWeb serverDMZ-1Mail serverDMZ-1DNS serverDMZ-1Exchange serverInternal-ITWeb serverInternal-ITFile serverInternal-ITDomain serverInternal-ITDomain serverInternal-ITUser networkUser-NetworkIT networkIT-NetworkConference networkConference-NetworkInternetUntrusted

Security Area Risk Rating

An optional set we like to use and recommend is to assign a risk rating to each of your security areas. While not necessary, risk ratings are a subjective numerical rating that you assign to each particular security area. The main reason to assign this rating is to help understand the risk level between areas, and how access rights between those areas might apply. Risk ratings typically correlate to attributes like:

■

Access and availability

■

Public

■

Private

■

Data sensitivity

■

Critical, high sensitivity

■

Sensitive

■

Low, informational

■

Security and encryption

■

Encrypted

■

Clear

An example to discuss is the DMZ security area, where many companies place their Internet services and servers. The DMZ is a common location for those companies that host their own Web, mail, and DNS services. Access to these services is general not authenticated or encrypted, and the trust of the client systems is very low. Taking these attributes in consideration, most companies will not allow access to more secure areas, such as their intranet, from this security zone.

While there are not specific rules for assigning risk ratings, it is common to find customers using a 1 through 10 scale. In our example, 1 represents high risk and 10 represents low risk. This might sound counterintuitive at first; however, it allows an easy understanding for assigning access rights based on security areas. For example, a risk rating has access rights to any security area with a risk rating equal to or below its own.

Table 2.5 is an example chart illustrating security risk ratings.

Table 2.5. Example Chart Illustrating Security Risk Ratings

Security Area NameRisk RatingNotesDMZ-12Internet servicesVPN Network4VPN segmentUser-Network5User workstationsIT-Network4File servers, network servicesConference-Network1Untrusted hosts, guest accessUntrusted1Internet router, firewall

Creating Site Links

After creating and defining the scope of each site, the next step in the site configuration process is establishing connections between the sites. The physical connectivity between the sites is established between the Active Directory databases by site link objects. A site link object is an Active Directory object that embodies a set of sites that can communicate at uniform cost. A site link can consist of two or more sites. Because a site link joins two or more sites with a uniform cost and replication schedule, they are used to determine the efficiency and direction of replication traffic throughout the Active Directory topology. Each site link is based on the following four components:

Transport The networking technology to move the replication traffic.

Sites The sites that the site link connects.

Cost The value to calculate the site links by comparing to others, in terms of speed and reliability charges.

Schedule The times and frequency at which the replication will occur.

Site links are created using the Active Directory Sites and Services tool of Windows Server 2003. Exercise 6.05 walks you through the steps involved in creating site links.

Exercise 6.05

Creating Site Links

To open the Active Directory Sites and Services tool, click Start | Control Panel | Administrative Tools, and then double-click Active Directory Sites and Services.

Highlight the Inter-Site Transports folder in the left tree pane of the Active Directory Sites and Services console. Expand the Inter-Site Transports folder as shown in Figure 6.21.

Right-click either the IP or SMTP folder (depending on what protocol the network is based on) in the left tree pane of the Active Directory Sites and Services console. Select New Site Link from the context menu as shown in Figure 6.22.

Selecting New Site Link option opens a New Object – Site Link dialog box as shown in Figure 6.23.

Type the name of the new site link object in the Name box in the New Object – Site Link dialog box as shown in Figure 6.24.

Select two or more sites for establishing connection from the Sites not in this site link box, and click Add as shown in Figure 6.25.

Click OK. This completes the process of creating a new site link object using the Active Directory Sites and Services tool. Figure 6.26 shows the final screen shot of the process.

Creating Site Links

After creating and defining the scope of each site, the next step in the site configuration process is to establish connections between the sites. The physical connectivity between the sites is established between the Active Directory databases by site link objects. A site link object is an Active Directory object that embodies a set of sites that can communicate at uniform cost. A site link connects only two sites and corresponds to a WAN link for an IP transport. A site link connecting more than two sites corresponds to Asynchronous Transfer Mode (ATM) and metropolitan area network (MAN) through leased lines and IP routers. Each site link is based these four components:

Transport The networking technology to move the replication traffic

Sites The sites that the site link connects

Cost The value to calculate the site links by comparing to others, in terms of speed and reliability charges

Schedule The times and frequency at which the replication will occur

You create site links using the Active Directory Sites and Services tool of Windows Server 2008. The following Sidebar walks you through the steps involved in creating sitae links.

Configuring & Implementing…

Creating Site Links

To open the Active Directory Sites and Services tool, click Start | Administrative Tools, and then click Active Directory Sites and Services.

Highlight the Inter-Site Transports folder in the left-hand tree pane of the Active Directory Sites and Services console. Expand the Inter-Site Transports folder, as shown in Figure 2.19

Right-click either the IP or the SMTP folder (depending on what protocol the network is based on) in the left-hand tree pane of the Active Directory Sites and Services console. Select New Site Link from the context menu, as shown in Figure 2.20

Selecting the New Site Link option opens a New Object – Site Link dialog box.

Type the name of the new site link object in the Name box in the New Object – Site Link dialog box.

Select two or more sites for establishing connection from the Sites not in this site link box, and click Add

Click OK. This completes the process of creating a new site link object using the Active Directory Sites and Services tool.

Configuring Site Link Cost

Site link costs are calculated to determine how expensive an organization considers the network connection between two sites that the site link is connecting.

Higher costs represent more expensive connections. If two site links are available between two sites, the lowest-cost site link will be chosen. Each site link is assigned an IP or Simple Mail Transfer Protocol (SMTP) transport protocol, a cost, a replication frequency, and an availability schedule. All these parameters reflect the characteristics of the physical network connection.

The cost assigned to a site link is a number on an arbitrary scale that should reflect, in some sense, the expense of transmitting traffic using that link. Cost can be in the range of 1 to 32,767, and lower costs are preferred. The cost of a link should be inversely proportional to the effective bandwidth of a network connection between sites. For example, if you assign a cost of 32,000 to a 64 kbps line, you should assign 16,000 to a 128 kbps line and 1,000 to a 2 Mbps line. It makes sense to use a high number for the slowest link in your organization. As technology improves and communication becomes cheaper, it's likely that future WAN lines will be faster than today's, so there's little sense in assigning a cost of 2 for your current 128 kbps line and a cost of 1 for your 256 kbps line, because quicker links can't be priced more cheaply.

You configure site link costs using the Active Directory Sites and Services tool of Windows Server 2008. The following Sidebar illustrates the steps involved in creating site link costs.

Configuring & Implementing…

Configuring Site Link Costs

1

To open the Active Directory Sites and Services tool, click Start | Administrative Tools, and then click Active Directory Sites and Services.

2

Highlight the Sites folder in the left-hand tree pane of the Active Directory Sites and Services console and expand the Sites folder.

3

Highlight the Inter-Site Transports folder in the left-hand tree pane of the Active Directory Sites and Services console and expand the Inter-Site Transports folder.

4

Right-click the site link whose cost you want to configure in the left-hand tree pane of the Active Directory Sites and Services console, and select Properties. Selecting Properties opens a dialog box, as shown in Figure 2.21

Figure 2.21. The Properties Option

5

Type the value for the cost of replication of the site link object in the Cost box in the dialog box.

6

Click OK. This completes the process of configuring site link costs using the Active Directory Sites and Services tool.

Considerations in Windows Auditing

The following list is a quick introduction into some of the things you should be considering when creating a checklist for your Windows system. This is by no means comprehensive but may be used as a quick framework in association with the standards listed above.

Some of the MANY questions to ask include:

Does the organization have any installation and configuration processes or standards for the Windows systems?

Does a policy describing allowed or disallowed services exist, and is it enforced?

Do the system administrators recognize the standard services and ports that are present on their systems?

Are periodic checks performed to detect new or changed ports or services?

Next, remember to document your findings. Without a report there is nothing to return to later. Include the following in the report:

What you found

What works and was it secure

What doesn't work and what was not secure

This will allow you to incorporate the results into subsequent tests. Build a baseline for the organization's systems and network. By maintaining details of the system installation and configuration, future system audits become progressively easier.

Discovery

The next step of data accessing involves executing the discovery process, which is the crux of processing social media data into the enterprise. In this step, we execute a series of business rules multiple times on the data set from the semantic processes to create the final outputs for metric execution and integration. The process is captured in Figure 6.8.

The key steps in the discovery process are the following:

Configure business rules—The configuration process for business rules is executed in the following steps.

Data discovery rules—In this process, we will set up rules for discovering the patterns we want to search and contextualize the discussion or data set from social media. The rules are simple English-like patterns processing on the data set.

Taxonomies integration—Once the data discovery process is executed, run a taxonomy engine on the data and create additional semantic layers as feasible. Once the taxonomy is executed, reexecute the data discovery rules for new contexts.

Contextualization and tagging—As a final step of processing, create the contextualization setup for the data and tag the appropriate set of contexts and the data applicable to the same.

Execute business rules—The business rules configured and the data discovery processing and contextualization are executed in this step. The outcomes are stored in the structured database and a file.

Complete the result processing as the last step. Now the data is ready to execute metrics engine on the top.

Which of the following is an example of application software Quizizz?

Which of the following is an application software?

What is the function of an application software?

What is application software in computer?