CompTIA Security+ Deluxe Study Guide: SY0-201 - Emmett Dulaney [137]
Databases need patching just like other applications. You should configure them to use access controls and provide their own levels of security.
To improve system performance, as well as to improve the security of databases, companies have implemented the tiered model of systems. Three different models are explained here:
One-tier model In a one-tier model, or single-tier environment, the database and the application exist on a single system. This is common on desktop systems running a stand-alone database. Early Unix implementations also worked in this manner; each user would sign on to a terminal and run a dedicated application that accessed the data.
Two-tier model In a two-tier model, the client PC or system runs an application that communicates with the database that is running on a different server. This is a common implementation, and it works well for many applications.
Three-tier model The three-tier model effectively isolates the end user from the database by introducing a middle-tier server. This server accepts requests from clients, evaluates them, and then sends them on to the database server for processing. The database server sends the data back to the middle-tier server, which then sends the data to the client system. This approach is becoming common in business today. The middle server can also control access to the database and provide additional security.
The three models provide increasing capability and complexity. Each system in the chain must be individually managed and kept current; the overall system is only as secure as the tier that is least well maintained.
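The three-tier model described above, as an added example that is not code from the study guide: a middle-tier service sits between clients and the database server, evaluates each request (is the caller authenticated, is the caller's role allowed to perform the action, is the input well formed) and only then issues a parameterized query to the database. Clients never hold a database connection themselves. The roles, session tokens, sample rows and the in-memory SQLite database are all constructed for the example.

```python
"""Three-tier model: middle-tier service between clients and the database tier.

Added example (not from the study guide). The middle tier accepts client
requests, evaluates them, and forwards only validated, authorized queries to
the database server. An in-memory SQLite database stands in for the database
tier; the session table and role policy are constructed for the example.
"""
import sqlite3

# Constructed sample rows standing in for data held by the database tier.
SAMPLE_ROWS = [
    (1, "alice", "alice@example.com", 52000),
    (2, "bob", "bob@example.com", 61000),
]

# Constructed authorization policy. It lives in the middle tier, so a client
# can never reach the database with a role it does not hold.
ROLE_PERMISSIONS = {
    "hr": {"lookup_user", "lookup_salary"},
    "helpdesk": {"lookup_user"},
}
ALLOWED_ACTIONS = {"lookup_user", "lookup_salary"}


class DatabaseTier:
    """The database server. Only the middle tier holds a connection to it."""

    def __init__(self):
        self.conn = sqlite3.connect(":memory:")
        self.conn.execute(
            "CREATE TABLE employees ("
            "id INTEGER PRIMARY KEY, username TEXT, email TEXT, salary INTEGER)"
        )
        self.conn.executemany("INSERT INTO employees VALUES (?, ?, ?, ?)", SAMPLE_ROWS)
        self.conn.commit()

    def query(self, sql, params=()):
        # Parameterized execution: client-supplied values never become SQL text.
        return self.conn.execute(sql, params).fetchall()


class MiddleTier:
    """Accepts client requests, evaluates them, then talks to the database."""

    def __init__(self, db):
        self.db = db
        # Constructed session table: token -> role of the authenticated client.
        self.sessions = {"tok-hr-1": "hr", "tok-help-1": "helpdesk"}

    def handle(self, request):
        # 1. Authentication: the request must carry a known session token.
        role = self.sessions.get(request.get("token"))
        if role is None:
            return {"ok": False, "error": "not authenticated"}
        # 2. Authorization: the action must exist and be permitted for the role.
        action = request.get("action")
        if action not in ALLOWED_ACTIONS:
            return {"ok": False, "error": "unknown action"}
        if action not in ROLE_PERMISSIONS[role]:
            return {"ok": False, "error": "not authorized"}
        # 3. Input validation before anything reaches the database tier.
        username = request.get("username", "")
        if not (username.isalnum() and len(username) <= 32):
            return {"ok": False, "error": "invalid username"}
        # 4. Only now is a query issued, and only the columns the action needs.
        if action == "lookup_user":
            sql = "SELECT username, email FROM employees WHERE username = ?"
        else:
            sql = "SELECT username, salary FROM employees WHERE username = ?"
        rows = self.db.query(sql, (username,))
        if not rows:
            return {"ok": False, "error": "not found"}
        return {"ok": True, "result": rows[0]}


def build_service():
    """Wire the database tier to a middle tier, as a deployment would."""
    return MiddleTier(DatabaseTier())


if __name__ == "__main__":
    svc = build_service()
    print(svc.handle({"token": "tok-help-1", "action": "lookup_user", "username": "alice"}))
    print(svc.handle({"token": "tok-help-1", "action": "lookup_salary", "username": "alice"}))
    print(svc.handle({"token": "tok-hr-1", "action": "lookup_salary", "username": "bob"}))
    print(svc.handle({"token": "tok-hr-1", "action": "lookup_user", "username": "ali ce"}))
```

The point of the layout is that every check (who is calling, what they may do, whether the input is sane) happens on the middle-tier server before a single query is sent, and the database server itself only ever sees parameterized statements from one trusted peer. In a real deployment the database would additionally be configured to accept connections only from the middle-tier host, which is the access control the chapter refers to.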
Summary
This chapter introduced you to the concept of hardening operating systems, network devices, and applications. To secure a network, each of the elements in its environment must be individually evaluated. Remember, your network is no more secure than its weakest link.
Security baselines provide a standardized method for evaluating the security capabilities of particular products. Never consider an operating system or application to be secured unless it has been certified using the EAL standard, which provides seven levels of certification. Common Criteria has replaced TCSEC as the primary security certification. EAL 4 is the level recommended to provide reasonable security for commercial operating systems.
The number of vulnerabilities is rapidly increasing. The increase is partially due to the fact that many systems manufacturers didn’t take security issues seriously enough in the past. This attitude is changing, and many of the larger manufacturers now realize the damage that security leaks cause to their users.
The process of making a server or an application resistant to attack is called hardening. One of the major methods of hardening an operating system is to disable any protocols that aren’t needed in the system. Keeping systems updated also helps improve security.
The common protocols used in PC-based networks are NetBEUI, IPX/SPX, and TCP/IP. Each of these protocols creates unique security challenges that must be addressed. Unused protocols should be disabled on all devices: each protocol in use increases the potential vulnerability of your environment. ACLs are being implemented in network devices and systems to control which systems and users may access a resource; an ACL allows traffic from individual systems, users, or IP addresses to be ignored.
Large-scale networks often use Unix networks and additional protocols, such as NFS. NFS is difficult to secure, and it