UNCW MSA 516 - Approach to Auditing Network Security


INFORMATION SYSTEMS CONTROL JOURNAL, VOLUME 5, 2003

Approach to Auditing Network Security

By S. Anantha Sayana

Copyright © 2003 Information Systems Audit and Control Association. All rights reserved. www.isaca.org.

Today we live in a connected world. Communication is a key requirement for all systems. Increased integration of systems requires a compulsive need to establish fast and reliable communication that is as widespread as the organization and its business dealings. Information systems need to reach out to users, vendors, customers and partners (irrespective of their location); everything is connected to nearly everything else.

All this brings us to the issue that looking at any system as something that is inside one box or in one enclosed space is not enough to gain assurance about its security. The reality is that nearly every computer in the world could be, and in most cases is, connected to every other computer through the Internet. The worldwide propagation of the (in)famous Nimda, Code Red and Lovebug viruses and worms is proof of this connectivity. Such connectivity has the propensity to provide access or communication paths for anyone to any system in the absence of any measures to prevent such access. Fortunately, a plethora of technical solutions, many of which have become standards, keeps most networks and systems segregated and protected.

Therefore, let us look at how we fashion an approach to auditing networks and ensuring that they are secure.

It is also good to emphasize at this stage that in the overall information systems audit framework, the audit of networks is one piece of the puzzle, with the other notable pieces being audit of application software, audit of operating systems and databases, audit of physical and environmental security and audit of business continuity (these have been dealt with in earlier issues of the IT Audit Basics column). To obtain a comprehensive assurance about systems, it is important to assess and evaluate all the parts. In this issue, we will focus on auditing network security.

A network could be as simple as a small local area network (LAN) connecting a few computers inside a single room or a building, or it could be something that connects computers at factories and offices spread over a number of cities or even countries. A network could also be connected to other networks, such as the networks of customers or vendors or a public network like the Internet.

Network Vulnerabilities

The basic vulnerabilities associated with a network can be grouped into three broad categories:

1. Interception—The data that are transmitted over the network pass through some medium that consists of a carrier and other equipment, often in the physical control of other third parties. These data could be intercepted. Once intercepted, there is a risk of undesirable disclosure, i.e., someone stealing data or modifying the intercepted data, resulting in loss of integrity and consequent other, more material losses.

2. Availability—As networks proliferate, more and more users are remote and access their applications over the network, crossing hundreds or thousands of miles. If network connectivity fails or becomes unavailable for any reason, there would be serious interruption to business and consequent damages.

3. Access/entry points—The network extends a computer system beyond the box into the world. The network provides the ability to extend the system to users across geographical boundaries, resulting in conveniences and efficiencies otherwise impossible. Conversely, the same network provides the feasibility for access to the system from anywhere. A single weak point in the network can make all the information assets in the network vulnerable to intruders. The network can provide many points of entry for intruders, interceptors and malicious code like viruses, worms and Trojan horses. The ability of the network to enable access to a system from anywhere is the most serious of a network's vulnerabilities. Given the fact that a major benefit of a network is its ability to provide access from elsewhere, the task at hand becomes discovering how best to devise controls around this access.

Fortunately, the problem is not as formidable as it sounds. Access control solutions for the network exist in many forms and products that have been successfully deployed and tested.

Controls

Having identified the vulnerabilities, let us look at the possible controls one by one:

1. Interception—Good physical access controls at data centers and offices, and physical security over telecommunication equipment can act as deterrents to interception through sniffing. As a first step, the auditor could evaluate physical security, including all the points where the communication links terminate and where the network wiring and distribution points are located. However, there are limitations to the effectiveness of such controls, especially with increasing wireless communication. The most effective control to interception is encryption. When data are encrypted, even if they are intercepted, disclosure or modification cannot occur unless the scrambled data can be decrypted. Today, there exist many methods of encryption and many combinations of its use. Encryption can be done either by the application or at the communication level by a device such as a router, switch or a multiplexer. A virtual private network (VPN) is an example of the usage of encryption to tunnel data securely over a public or shared network. The use of digital certificates and digital signatures is another example.

2. Availability—The control to ensure availability and reliability of a network is through good network architecture and monitoring. The design of the network should ensure that between every resource and an access point there are redundant paths and automatic routing to switch the traffic to the available path without loss of data or time. Every component in the network needs to be fault-tolerant or built with suitable redundancies. Complex and widespread networks need to be monitored and managed. This is often done by using network management software. The establishment of a network operations center (NOC) with software tools and a service desk often staffed 24/7 provides this capability. Such tools provide data for capacity management. They also ensure that the networks provide adequate bandwidth to enable the data to move along without bottlenecks and with the speed required by the users and applications. The IS audit review
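
The availability control above asks for redundant paths between every resource and an access point. The following added example (not part of the original article) shows one way an auditor could test a documented topology for that property by failing each device and each link in turn. The device names, link lists and function names are constructed for illustration.

```python
from collections import deque

# Constructed sample topology (not from the article): undirected links.
LINKS = [
    ("branch-sw", "edge-rtr-a"), ("branch-sw", "edge-rtr-b"),
    ("edge-rtr-a", "core-1"), ("edge-rtr-b", "core-1"),
    ("core-1", "dc-fw"), ("dc-fw", "app-server"),
]
# Same topology with a second core, a second firewall and a dual-homed server.
REDUNDANT_LINKS = LINKS + [
    ("edge-rtr-a", "core-2"), ("edge-rtr-b", "core-2"),
    ("core-2", "dc-fw-2"), ("dc-fw-2", "app-server"),
]

def reachable(links, src, dst, down_node=None, down_link=None):
    """Breadth-first search from src to dst with one node or one link failed."""
    adj = {}
    for a, b in links:
        if down_link and {a, b} == set(down_link):
            continue  # this link is treated as failed
        if down_node in (a, b):
            continue  # links touching the failed device are unusable
        adj.setdefault(a, set()).add(b)
        adj.setdefault(b, set()).add(a)
    seen, queue = {src}, deque([src])
    while queue:
        node = queue.popleft()
        if node == dst:
            return True
        for nxt in adj.get(node, ()):
            if nxt not in seen:
                seen.add(nxt)
                queue.append(nxt)
    return False

def single_points_of_failure(links, access_point, resource):
    """Return (devices, links) whose individual failure cuts the path."""
    if not reachable(links, access_point, resource):
        raise ValueError("no path exists even with every component up")
    devices = {n for link in links for n in link} - {access_point, resource}
    bad_devices = sorted(d for d in devices if not reachable(
        links, access_point, resource, down_node=d))
    bad_links = sorted(l for l in links if not reachable(
        links, access_point, resource, down_link=l))
    return bad_devices, bad_links

if __name__ == "__main__":
    for name, topo in (("as documented", LINKS), ("redundant", REDUNDANT_LINKS)):
        print(name, single_points_of_failure(topo, "branch-sw", "app-server"))
```

An empty result means no single device or link failure isolates the resource; it says nothing about simultaneous failures or about whether automatic rerouting is actually configured.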

