This is to certify that […] has completed the case study of Internet
Security satisfactorily during academic year […].


 






    
1. Security
2. Need of security
3. Security Policy
4. Purpose of Security Policy
5. Characteristic of Security Policy
6. Strategies of Security Policy
7. Components of Security Policy
8. Person involved in framing Security Policy
9. Steps in Security Policy
10. Ethics of Security Policy







1. Security

In simple words, security means safety and protection. In technical
terms, security means the protection of data, networks and computing
power. The protection of data (information security) is the most
important. The protection of the network is important to prevent loss of
server resources as well as to protect the network from being used for
illegal purposes.

   
The internet has made a tremendous impact on security. While it
has many good aspects, there are many bad things that can come of this
powerful communications tool. These problems include concerns about
the validity and appropriateness of the material found online. When
computer applications were developed to handle financial and personal
data, the real need for security came into the picture. Two typical
examples of security mechanisms are:
- Provide a user_id and password to every user, and use that
  information to authenticate a user.
- Encode information stored in the database in some fashion, so that
  it is not visible to users who do not have the right permission.

2. Need of security

We need security for the following purposes:
- To protect our data, files or folders
- To protect our resources, for example hardware, software etc.
- To protect e-commerce, transactions, information, user id,
  password, PIN
- To protect websites from being blocked by attacks such as DoS
  (Denial of Service)
- To protect IP addresses
- To protect e-mails
- To protect incoming packets so that no viruses/worms come in
- To protect outgoing packets so that secrets do not leak out














3. Security Policy

- In simple words, a security policy in terms of computer systems
  defines what is secure and what is unsecured.
- In technical terms, a security policy is a set of formal statements of
  the rules by which people who are given access to an organization's
  technology and information must abide.
- A security policy defines the overall security and risk control
  objectives that an organization endorses.
- A security policy is a formal statement of the rules through which
  people are given access to an organization's technology, system
  and information assets.
- The security policy defines what business and security goals and
  objectives management desires, but not how these solutions are
  engineered and implemented.


- A security policy should be economically feasible, understandable,
  realistic, consistent, procedurally tolerable, and also provide
  reasonable protection relative to the stated goals and objectives of
  management.
- A security policy is the primary way in which management's
  expectations for security are translated into specific, measurable,
  and testable goals and objectives.

The goal of the security policy is to translate, clarify and
communicate management's position on security as defined in high-level
security principles. The security policies act as a bridge between
these management objectives and specific security requirements.






4. Purpose of Security Policy

The primary purpose of a security policy is to inform users, staff, and
managers of those essential requirements for protecting various assets
including people, hardware, and software resources, and data assets. The
policy should specify the mechanisms through which these requirements
can be met. Another purpose is to provide a baseline from which to
acquire, configure, and audit computer systems and networks for
compliance with the policy. This also allows for the subsequent
development of operational procedures, the establishment of access
control rules and various application, system, network, and physical
controls and parameters.

- To inform all of their obligatory (mandatory) requirements for
  protecting technology and information assets.
- The policy should specify the mechanism through which these
  requirements can be met.
- To provide a baseline from which to acquire, configure and audit
  computer systems and networks for compliance with the policy.

An Appropriate Use Policy (AUP) may also be part of a security
policy.

- It should spell out what users shall not do on the various
  components of the system, including the type of traffic allowed on
  the networks.
- The AUP should be as explicit as possible to avoid ambiguity or
  misunderstanding.















5. Characteristic of Security Policy

- They must be […] through system administration
  procedures, publishing of acceptable use guidelines, or other
  appropriate methods.
- They must be […] with security tools, where appropriate,
  and with sanctions, where actual prevention is not technically
  feasible.
- They must clearly define the areas of […] for the users,
  administrators, and management.
- They must be […], […], and […].











6. Strategies of Security Policy

Before you can decide on how to safeguard your network, you
must identify what level of security you require, i.e. whether you want
low, medium or very high security. (For example, famous personalities
will require more life security, such as Y level or Z level, than a
common man.) Once this job is done, you are ready to make your
strategies to secure your network. The various strategies used to secure
the network include the following:

- Host security
- Authentication of user
- Choosing good password & protecting them
- Using firewall & proxy servers
- DMZ's
- Making use of encryption techniques



- Host security
  - Securing the prime host machines by logically isolating them. In
    most situations, the network is not the resource at risk; rather, it
    is the endpoints of the network that are threatened.
  - Usually, there are bugs in the programs for networks or in the
    administration of the system.
  - It is this way with computer security; the attacker just has to trust
    them in some fashion. It is therefore a major risk that the
    intruder can compromise the entire system.
  - He will now be able to attack other systems, either by taking
    over root, and thence the system's identity, or by taking over
    some user account. This is called transitive trust.

- Authentication of user
  - It checks the identity of valid users, keeping unauthorized
    users away.

- Choosing good password & protecting them
  - A good password should be developed using various criteria and
    safeguarded as well. Also make sure it is not reused and is
    changed frequently.



- Using firewall & proxy servers
  - Firewalls and proxy servers act like a logical security
    guard to monitor traffic in and out of your local network and the
    internet.
  - A firewall is a collection of components placed between two
    networks that has the following properties:
    - All traffic from inside to outside and from outside to inside
      must pass through the firewall.
    - Only authorized traffic, as defined by the local security policy,
      will be allowed to pass.
    - NIS (Network Interface System) is not necessary for firewall
      login.
    - It gives protection administration.
    - It helps in security without disturbing a population of users.
  - A proxy server is known as virtual directories to share the data.

 
- Demilitarized zones (DMZ's)
  - Some servers are difficult to trust because of the size and the
    complexity of the code they run; a web server is an example. If
    we place the web server inside the firewall, then a compromise
    creates a launch point for further attacks on inside machines. If
    you place it outside, then you make it even easier to attack. The
    common approach is therefore to create a demilitarized zone
    (DMZ) between two firewalls.
  - A DMZ is an example of the general philosophy of defense in depth:
    multiple layers of security always provide a better shield. If
    an attacker penetrates past the first firewall, he or she gains
    access to the DMZ, but not necessarily to the internal network.
    Without the DMZ, the first successful penetration could result in a
    more serious compromise.

- Making use of encryption techniques
  - It is used to encrypt sensitive information to be sent out,
    making it harder to crack if intercepted.
  - Encryption is often considered the ultimate weapon in
    computer security.
  - Encryption is used to safeguard file transmission if a key is
    generated from a typed password.
  - There are various encryption techniques, such as symmetric and
    asymmetric.
  - Asymmetric encryption techniques use the public and private key
    concept.
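
The firewall properties and the DMZ placement described above can be compared directly. The following Python code is an added example, not part of the original case study; the zone names, hosts, ports and rules are constructed assumptions. It applies "only explicitly authorized traffic passes" at every firewall and lists what an intruder can reach after compromising the web server in each layout.

```python
# Added illustration; zones, hosts, ports and rules are constructed sample data.
from collections import namedtuple

Rule = namedtuple("Rule", "src dst port")        # one explicit "allow" entry
Service = namedtuple("Service", "host zone port")

class Firewall:
    """Sits between two zones; anything not explicitly allowed is dropped."""
    def __init__(self, zone_a, zone_b, rules):
        self.zones = {zone_a, zone_b}
        self.rules = set(rules)

    def permits(self, src, dst, port):
        return Rule(src, dst, port) in self.rules

def allowed(src, dst, port, order, firewalls):
    """Traffic must be permitted by every firewall between src and dst zones."""
    i, j = order.index(src), order.index(dst)
    step = 1 if j >= i else -1
    zones = [order[k] for k in range(i, j + step, step)]
    for a, b in zip(zones, zones[1:]):
        fw = next(f for f in firewalls if f.zones == {a, b})
        if not fw.permits(src, dst, port):
            return False
    return True          # same zone: no firewall in between, nothing filters

def blast_radius(foothold_zone, services, order, firewalls):
    """Hosts an intruder can reach from a compromised machine in foothold_zone."""
    return sorted(s.host for s in services
                  if allowed(foothold_zone, s.zone, s.port, order, firewalls))

INTERNAL = [Service("db", "internal", 5432), Service("files", "internal", 445),
            Service("hr", "internal", 8080)]

# Layout A: web server inside a single firewall, next to the internal hosts.
FLAT_ORDER = ["internet", "internal"]
FLAT_FW = [Firewall("internet", "internal", [Rule("internet", "internal", 443)])]

# Layout B: web server in a DMZ between an outer and an inner firewall.
DMZ_ORDER = ["internet", "dmz", "internal"]
DMZ_FW = [Firewall("internet", "dmz", [Rule("internet", "dmz", 443)]),
          Firewall("dmz", "internal", [Rule("dmz", "internal", 5432)])]

if __name__ == "__main__":
    print("flat:", blast_radius("internal", INTERNAL, FLAT_ORDER, FLAT_FW))
    print("dmz: ", blast_radius("dmz", INTERNAL, DMZ_ORDER, DMZ_FW))
```

In the flat layout the compromised web server shares a zone with every internal host, so nothing filters its traffic; in the DMZ layout the inner firewall limits it to the one database port the constructed rules allow.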



7. Components of Security Policy

- Purchasing guideline
- Privacy policy
- Access policy
- Accounting policy
- Authentication policy
- Availability policy
- Information technology and network maintenance policy
- Violation reporting policy
- Supporting information

- Purchasing guidelines, which specify required or preferred security
  features. These should supplement existing purchasing policies and
  guidelines.

- Privacy policy, which defines […]
 

- Access policy […] access rights and privileges to
  protect assets from loss or disclosure by specifying acceptable use
  guidelines for external connections, operation staff, and
  management. It should provide guidelines for external connections,
  data communication, connecting devices to a network, and adding
  new software to systems. It should also specify any required
  notification messages (e.g., connect messages should provide
  warnings about authorized usage and line monitoring, and not
  simply say "Welcome").

- Accounting policy, which defines the responsibilities of
  users, operation staff, and management. It should specify an audit
  capability, and provide incident handling guidelines (i.e., what to
  do and who to contact if a possible intrusion is detected).

- Authentication policy establishes trust through an effective
  password policy, and by setting guidelines for remote location
  authentication and the use of authentication devices (e.g., one-time
  passwords and the devices that generate them).

- Availability policy statement, which sets users' expectations for the
  availability of resources. It should address redundancy and
  recovery issues, as well as specify operating hours and
  maintenance downtime periods. It should also include contact
  information for reporting system and network failures.

- Information technology and network maintenance policy, which
  describes how both internal and external
  maintenance people are allowed to handle and access technology.
  One important topic to be addressed here is whether remote
  maintenance is allowed and how such access is controlled. Another
  area for consideration here is outsourcing and how it is managed.

- Violation reporting policy that indicates which types of
  violations (e.g., privacy and security, internal and external) must
  be reported and to whom the reports are made. A non-threatening
  atmosphere and the possibility of anonymous reporting will result
  in a greater probability that a violation will be reported if it is
  detected.

- Supporting information which provides users, staff, and
  management with contact information for each type of policy
  violation; guidelines on how to handle outside queries about a
  security incident, or information which may be considered
  confidential or proprietary; and cross-references to security
  procedures and related information, such as company policies and
  governmental laws and regulations.

8. Person involved in framing Security Policy

- Site security administrator
- Security incident response team
- Representatives of the user groups affected by the security policy
- Responsible management
- Legal counsel (if appropriate)
- Information technology staff (e.g., business divisions, computer
  science department within the university, etc.)

9. Steps in Security Policy

- A security policy is the set of decisions that, collectively,
  determines an organization's attitude towards security. A security
  policy defines the boundaries of acceptable behavior and what the
  response to violations should be. Security policies differ from
  organization to organization. Every organization should have a
  security policy. In a security policy one must decide what is
  permitted and what is not permitted. This depends on the business or
  structural needs of the organization.
- Before a security policy is set up, the following points should be
  considered:

- […]
  - The resources you want to protect may include physical resources
    like printers, monitors, keyboards, drives, modems etc., and logical
    resources such as source and object programs, data utilities,
    operating system, applications etc.




- […]
  - The answer to this will dictate the host-specific measures that are
    needed. Machines with sensitive files may require extra security
    measures: stronger authentication, keystroke logging and
    strict auditing, or even file encryption. If the target of interest
    is the outgoing connectivity, the administrator may choose to
    require certain privileges for access to the network.

- […]
  - Physical threats to the resources, such as stealing or
    malfunctioning devices.
  - Logical threats, such as unauthorized access to data,
    information, resources.
  - Unintended disclosure of your information.

- […]
  - Outsiders as well as insiders may form the collective answers
    here.
  - What kind of security must be provided therefore differs with
    the type of attacker you are planning against.





- […]
  - Part of the cost of security is direct financial expenditure, such
    as extra routers, firewalls, software packages, and so on. Often,
    the administrative costs are overlooked. There is another cost,
    however: a cost in convenience and productivity, and even
    morale. With too much security, people get frustrated. Finding
    the proper balance is therefore essential.

- […]
  - The stance is the attitude of the designer. It is determined by the
    cost of failure and the designer's estimate of that likelihood. It
    is also based on the designer's opinion of their own abilities. At
    one end of the scale is a philosophy of correcting things only when
    mistakes happen. At the other end is taking preventive
    measures so that no mistake occurs.

10. Ethics of Security Policy

- Just as anyone has "the right to protect", others also have "the right
  to protect themselves". Just as you have the right to protect your own
  assets, the other people around you have the same right. Thus,
  while demanding computer security for yourself, the foremost
  point is that one should not deprive others of their rights.

- In a technological era, computer security is fundamental to
  individual privacy. A great deal of personal information is stored
  on computers. If these computers are not safe from prying eyes,
  neither is the data they hold. Worse yet, some of the most sensitive
  data (credit histories, bank balances, and the like) lives on machines
  attached to very large networks.

- Is it a fair school of thought that "I have a right to attack others
  because someone else has attacked me!"? No, it is not ethical to do
  so! How can you take the law into your own hands? This cannot be
  treated as "self defense". Can it be?

- Computer security is a matter of good manners. If people want to
  be left alone, they should be.


- More and more, modern society depends on computers, and on the
  integrity of the programs and data they contain. These range from
  the obvious (the finance industry) to the telephone industry, which is
  controlled by computers; bugs in such systems can be devastating.

- The administrator may gain some knowledge or information
  about the users and the organization by virtue of his
  position. Using such information for personal gain is not ethical.

