NETWORK OPERATING SYSTEM

A network operating system (NOS) is a software package that makes it possible to implement and control a network and enables users to use the resources and services on that network. A NOS's tasks include:

• Providing access to files and resources;

• Providing electronic mail (e-mail) services;

• Enabling nodes on the network to communicate with each other;

• Enabling processes on the network to communicate with each other;

• Responding to requests from applications and users on the network; and

• Mapping requests and paths to the appropriate places on the network.

A NOS may be server-based or peer-based. Server-based NOSs are considerably more complex and powerful than NOSs for peer-to-peer networks. In a server-based network, the NOS and the server run the show, and the workstations will generally run a network shell. By contrast, in a peer-to-peer network any station can function as a file server or as a client for network services.

Operating systems which have built-in networking capabilities include the following:

• UNIX®

• Windows NT®

• Novell® DOS 7

In most of these cases, the operating system's networking capabilities can be greatly enhanced through the use of utilities or other third-party programs. To learn more about these utilities or programs, check the manuals that come with the operating system.

FIREWALLS

Firewalls can be used for securing a local area network from a public network like the Internet. Firewalls are always a part of a much larger security plan. Choosing a firewall starts with a clear definition of the security goals. This includes decisions on what logging and alarms are needed, what authentication is acceptable and where security barriers are needed. Once the policy, philosophy, and service goals are defined, often only a few products on the market really fit these needs.

There are several types of firewalls that can be divided into packet filtering and application layer firewalls.

Packet Filters

Packet filters operate at a lower level than application layer firewalls. Packet filters decide whether to forward an IP packet based on the source or destination address found at the network layer. Routers typically implement this type of filtering, but since packets containing bogus IP addresses can easily be created, it's not too hard to gain access through even the most elaborate set of IP address filters. Although the router on an Internet link can filter packets, it probably wasn't designed to provide the level of control that a firewall product can. A router examines one packet at a time and forwards the packet.

Application Layer Firewall

Application layer firewalls, on the other hand, are designed specifically to control unwarranted access to your network. They can also deal with some of the trickier protocols. Application layer firewalls gain more insight into the data conversations that traverse an Internet link because they examine packets and protocols at and above the transport layer, which controls the dialogue between communicating end nodes.

As an application gateway, the firewall typically behaves as a client on the Internet and appears as a server to users on its secure, protected side. When operating in this mode, the firewall will examine specific application protocols to decide whether connections are permissible. The range of supported application protocols varies from firewall to firewall, but most examine such popular ones as TELNET, the World Wide Web's HyperText Transfer Protocol (HTTP) or File Transfer Protocol (FTP).

Application layer firewalls offer greater protection against hacker attacks than the packet filtering firewalls. Besides providing stronger logging capabilities, many firewalls can also provide features like network address translation, authentication, and virtual private networks.

Choosing A Firewall

Once the decision is made to use firewall technology to implement an organization's security policy, the next step is to procure a firewall that provides the appropriate level of protection and is cost-effective. We cannot say what exact features a firewall should have to provide effective implementation of your policies, but we can suggest that, in general, a firewall should be able to do the following:

• Support a "deny all services except those specifically permitted" design policy, even if that is not the policy used.

• Support your security policy, not impose one.

• Accommodate new services and needs if the security policy of the organization changes.

• Contain advanced authentication measures or contain the hooks for installing advanced authentication measures.

• Employ filtering techniques to permit or deny services to specified host systems as needed.

• Use an IP filtering language that is flexible, user-friendly to program, and able to filter on as many attributes as possible, including source and destination IP address, protocol type, source and destination TCP/UDP port, and inbound and outbound interface.

• Use proxy services for services such as FTP and TELNET, so that advanced authentication measures can be employed and centralized at the firewall.

The firewall should contain the ability to concentrate and filter dial-in access. The firewall should contain mechanisms for logging traffic and suspicious activity, as well as mechanisms for log reduction so that logs are readable and understandable. If the firewall requires an operating system such as UNIX®, a secured version of the operating system should be part of the firewall, with other security tools as necessary to ensure firewall host integrity. The operating system should have all patches installed. The firewall should be developed in such a manner that its strength and correctness are verifiable. It should be simple in design so that it can be understood and maintained. The firewall and any corresponding operating system should be updated with patches and other bug fixes in a timely manner.
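The following is an added example, not part of the original manual: a first-match rule evaluator that applies the "deny all services except those specifically permitted" policy and filters on the attributes listed above, showing why the inbound interface matters when a source address can be forged (the weakness noted under Packet Filters). The interface names, addresses and rule set are constructed for illustration, and source-port matching is left out to keep it short.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Packet:
    in_if: str    # interface the packet arrived on
    out_if: str   # interface it would leave on
    src: str
    dst: str
    proto: str    # "tcp", "udp", ...
    dport: int

@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    in_if: Optional[str] = None    # None means "any"
    out_if: Optional[str] = None
    src: Optional[str] = None      # CIDR block
    dst: Optional[str] = None
    proto: Optional[str] = None
    dport: Optional[int] = None

    def matches(self, p: Packet) -> bool:
        def in_net(addr, cidr):
            return cidr is None or ipaddress.ip_address(addr) in ipaddress.ip_network(cidr)
        exact = all(want is None or want == got for want, got in (
            (self.in_if, p.in_if), (self.out_if, p.out_if),
            (self.proto, p.proto), (self.dport, p.dport)))
        return exact and in_net(p.src, self.src) and in_net(p.dst, self.dst)

def evaluate(rules, p):
    """First matching rule wins; a packet no rule matches is denied."""
    for index, rule in enumerate(rules):
        if rule.matches(p):
            return rule.action, index
    return "deny", None

# Constructed policy: inside LAN 192.168.10.0/24 on eth1, Internet on eth0.
INSIDE = "192.168.10.0/24"
RULES = [
    Rule("deny", in_if="eth0", src=INSIDE),  # inside source arriving from outside: forged
    Rule("permit", in_if="eth0", out_if="eth1", dst="192.168.10.25/32", proto="tcp", dport=25),
    Rule("permit", in_if="eth1", out_if="eth0", src=INSIDE, proto="tcp", dport=80),
]

if __name__ == "__main__":
    forged = Packet("eth0", "eth1", "192.168.10.7", "192.168.10.25", "tcp", 25)
    print(evaluate(RULES, forged))      # caught by the interface check in rule 0
```

Without the first rule, the same forged packet is accepted by the mail rule, because an address-only match cannot tell which side of the firewall the packet really came from.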

SUMMARY

In this chapter, we have covered some of the areas that need to be considered in the administration of a network. We have discussed network operations, the configuration of the network, network software, and network design. This is by no means all that will be required for administration, but it is a beginning.




 



Integrated Publishing, Inc. - A (SDVOSB) Service Disabled Veteran Owned Small Business