Information systems: Short Annotated Bibliography needed, 3 sources attached, 2 additional needed 5 total


Description

Sample Annotation. Each of your entries should follow the format below. (You will find a sample annotated bibliography showing this format attached here.)


Sally Student
COLL 300
Date
Annotated Bibliography- MLA

Model from APUS Citation Guide (MLA)

PRINT BOOK

Format:

Author last name, first name. Book title. City: publisher, year. Medium.


Calkins, Lucy. Raising Lifelong Learners: A Parent's Guide. Reading: Addison-Wesley
Longman. 1997. Print.



Lucy Calkins is a noted teacher and researcher in reading and writing. Her book is a guide for parents, helping them to work with their children's schools to create a positive learning environment and a lifelong love of learning in their children. Topics covered include fostering learning and curiosity in mathematics, science, social studies, reading, and writing. Calkins’ work also offers advice on school curriculum and testing. By providing specific examples of parental involvement, this book will help support my assertion that parents need to play a strong role in their children's education.


Source 1:

2 & 3 are attached; 4 and 5 need to be from the web

Okenyi, P. O., & Owens, T. J. (2007). On the Anatomy of Human Hacking. Information Systems Security, 16(6), 302-314. doi:10.1080/10658980701747237

Human hacking is a nontechnical kind of intrusion that relies heavily on human manipulation. Its impact is continuously giving serious concern in the Information technology arena which has often been undermined due to the ease with which this technique is widely used to infiltrate networks through unsuspecting individuals that are undeniably considered the "weakest link" in the security circle. Security awareness that brings about behavioral change, reduces employees' vulnerability, and protects against threats exploiting employees' vulnerability having a positive impact overall on risks related to information assets. Strategies for developing and implementing a successful information security awareness program are presented in this article, which also provides an introduction to the subject of human hacking while discussing the various counter-measures available to minimize the likelihood of such occurrences and their financial, reputation, psychological, and legal ramifications. [ABSTRACT FROM AUTHOR]

Unformatted Attachment Preview

Information Systems Security, 16:47–53, 2007
Copyright © Taylor & Francis Group, LLC
ISSN: 1065-898X print/1934-869X online
DOI: 10.1080/10658980601051490

Designing Networks that Enforce Information Security Policies

Alex Malin, CISSP
Los Alamos National Laboratory, Los Alamos, NM, USA

Address correspondence to Alex Malin, CISSP. E-mail: amalin@lanl.gov

One boy is eating peanut butter off a spoon. Another boy is munching on a bar of chocolate. One of them trips and slips. “Hey, you put peanut butter in my chocolate.” “Well you put chocolate in my peanut butter.” They’re both angry until they taste the combination. Both boys smile as they eat.

Americans of a certain TV generation will remember the commercial for a candy bar that combines chocolate with peanut butter. The notion that a child who doesn’t like chocolate will touch peanut butter, or vice versa, is universal.

In the world of networking there has been a similar phenomenon. Once upon a time and not long ago, network infrastructure managers generally were adamant that network devices should not do security. Routers should route and switches should switch. Routers shouldn’t be firewalls and shouldn’t mirror traffic for intrusion detection. Switches shouldn’t VLAN or generate flow records. While there have always been exceptions and grey areas, there were many who believed that chocolate and peanut butter should never touch.

Convergence of Network Infrastructure and Network Security Devices

When vendors first shipped network infrastructure gear that was loaded with security features, customers were understandably skeptical. There were performance issues – memory and CPU were costly and precious. For many, the added complexity of configuring and maintaining security features wasn’t worth the cost. Resistance was also philosophical and sometimes territorial.
While the debate between lovers of chocolate and lovers of peanut butter may be eternal, there is no question that attitudes in the network operations center are changing. After witnessing mobile malicious code bringing a network to its knees, network managers understand in a tangible way that they have a stake in making security work. Information security managers are increasingly being heard when they articulate the ethos that security is a business enabler.

Meanwhile, the integration of security features into network infrastructure devices has matured considerably. Network switches and routers subdivide networks and may be configured to restrict traffic between zones to enforce security policies. They create and enforce VLANs and provide stateful firewalls for single ports or groups of ports. Network infrastructure devices prioritize traffic to meet availability requirements for critical systems and enhance the security of services such as VOIP. They sniff traffic and may be configured to generate flow records used to identify indicators of malicious activity and to characterize traffic for network forensics investigations. Network devices may participate in complex identity management schemas, detecting when users or systems connect to the network and then segregating or quarantining systems or users to strictly enforce security policy criteria.

Vendors are more reliably delivering security features at an acceptable cost. Network infrastructure devices will be increasingly capable of enforcing information security policies and demonstrating compliance. A new generation of network engineers is better equipped to configure and maintain a complex system of security in myriad networking devices. New software simplifies the task of configuration management.
When business managers ask network and information security managers the relatively simple question–can you prevent a worm from infecting us again—the answer is probably still a bit too complex and may depend on technology that is still some years from full maturity. But the answer clearly includes the integration of security capabilities into network infrastructure components.

Opportunity for Information Security Managers

As more security managers become involved in the selection of network infrastructure components, there is a greater opportunity to forge an alliance with network and business managers and to participate meaningfully in network design. This raises the question—how may this increasing influence be leveraged to meet the broader objectives of an information security program?

The intent of this article is to offer information security managers an approach to secure network design that is aligned with an information assurance program’s objectives and is readily communicated to management colleagues. This article advocates making security policy enforcement a central element in network design. It defines a set of principles and provides examples for segmenting computer systems into security policy zones, leveraging the capabilities of network components to enforce security policies more effectively.

Networks That Enforce Information Security Objectives

The central idea of the architecture proposed here is that computer networks should be split into distinct network zones. These zones should be organized with the primary objective of articulating and enforcing appropriate security policies. In this context, security policies include all information security objectives that may be addressed through technical mechanisms. In the typical flat computer network, where every client workstation can reach every other workstation and server, there is an implicit assumption that a common security policy applies to all computer systems.
The reality is that not all computer systems and computer users warrant this implied trust. Can every system that connects with the network be trusted with the same level of confidence? Can every computer system be securely configured and maintained with equal facility? Does every computer system have an identical requirement for system availability? Are the integrity and confidentiality requirements of all data identical? Do all computer users need equal access to all systems and all data processed and stored on the network?

A network segmented into security policy zones makes these various levels of trust explicit. It also facilitates identifying the variations in risk related to different classes of computer systems and mitigating these risks through technical measures.

Dr. Peter Stephenson, a writer, consultant and researcher, describes the theoretical foundations for this concept in several articles referenced at the end of this work. He defines a security policy zone as a network segment for which the same security policy may be defined for all computer systems within that zone. Stephenson’s central idea is to identify computer systems that share a common security policy and place these systems into distinct network zones. To accomplish this, systems are evaluated by their criticality, the type of information they process and store, various requirements for secure system configuration and maintenance, and the relative trustworthiness of users who access these computer systems or the information they store. All systems in a security policy zone share a common policy and relative priority for many aspects of technical information assurance. An architecture based on security policy requirements facilitates a clear assessment of risk for each zone and the application and enforcement of protection mechanisms that are appropriate for each class of computer assets.
The segregation of systems into security policy zones leverages the capabilities of networking devices to enforce policies more effectively. By clarifying the various requirements for confidentiality, integrity, and availability for each network zone, we may more easily map information security goals to tangible objectives. Mitigation efforts are more easily identified and prioritized. And since most technical measures may be audited, it also greatly simplifies the task of defining metrics that demonstrate continuous improvement in meeting these goals.

Network Zones and System Availability

Not every network manager will readily agree that networks should be segmented. A flat network simplifies the task of routing and switching packets between source and destination. A network infrastructure device that restricts traffic to meet security objectives in effect slows down the delivery of packets, raises questions about the reliability of the network, and complicates the task of troubleshooting network problems. The information security manager should acknowledge the tradeoffs between the benefits of splitting networks into discrete zones and the added costs and complexity associated with schemes that segment the network.

It is natural for the network manager to ask, “What is in it for me?” The best way to demonstrate the value of security policy zones to the network manager is likely in the area of system availability. Two instances where these benefits are easily articulated are in the creation of high-availability network segments and the prevention and mitigation of worms. These will each be examined in some detail.

Assuring the availability of network-critical systems and services may easily justify the costs associated with filtering internal network traffic.
The creation of a high-availability network zone simplifies the task of devising policies that protect these systems, leverages the capabilities of network devices to apply technical measures that mitigate threats to system availability, and facilitates defining metrics that demonstrate success. One example of a high-availability zone may be termed the utility zone, consisting of communications infrastructure (telephone, computing), physical plant infrastructure (electricity, heating, cooling), and the safety and security infrastructure (ambulance, fire, police, 911, security badging systems). These and other systems essential to an organization’s operations may be isolated from other network elements, providing stronger assurance that the computer systems that are critical to the delivery of utility systems and services are protected appropriately and that related communications are appropriately prioritized. Most network routers and switches can be configured to prioritize packet delivery for communications to or from specified network segments or VLANs. The creation of a utilities network zone is the critical first step toward prioritizing these communications. The utilities zone may be further subdivided to create zones that reflect an organization’s priorities and values. For example, systems that are essential for life and safety may be given highest priority for TCP/IP communications. Another likely high-availability zone would consist of the systems on which all other network services depend. In most network environments this would include DNS, authentication, and directory systems. A network design based on the concept of security policy zones isolates systems so that like protection strategies may more easily be identified and applied. Firewall filters set at the router or switch provide a technical means of enforcing these policies along the principle of least privilege. Ingress filters can allow only DNS-related traffic to the DNS servers, for example. 
Egress filters may be applied to prevent and detect attacks on these critical servers.

The high-availability zone also provides a means to protect critical servers and services when a new threat emerges. In many network environments, operational requirements may dictate the patching schedule for high-availability systems. In some organizations, there is a reluctance to scan these systems for vulnerabilities. This may yield a diminished degree of assurance for the systems that are most important to an organization. When firewall filters enforce the principle of least privilege, exposure to new threats at the network layer is reduced. In environments where high-availability systems cannot be patched immediately, ingress/egress filters may also be reconfigured quickly to apply a workaround that mitigates a new threat.

Defense Against Worms

Segmentation of the network can also add significantly to a multi-layered defense against worms. A network separated into security policy zones combats the spread of mobile malicious code in several important ways. By isolating classes of systems most likely to become infected with malicious code, and by establishing choke points in the network between these higher-risk segments and the rest of the network, we have an opportunity to prevent the spread of an infection to the remainder of the network.

The architecture proposed here provides a mechanism to identify and isolate systems (e.g., laptops and remote access) that put other systems at risk. In a network architecture that defines both high-availability zones and high-risk zones, classes of systems that have high-availability requirements may be protected from less trustworthy zones. This raises the likelihood that high-availability requirements will be realized when worms breach perimeter defenses.
By leveraging firewall capabilities in network infrastructure devices, we may prevent the spread of mobile malicious code at relatively little cost. Many worms exploit weaknesses in services that listen on easily identified ports, including 135, 137, 139, and 445. In many network environments, a firewall filter placed between high-availability and high-risk zones may be configured to block this traffic. In environments where some traffic on these higher risk ports is necessary, ingress and egress filters may be configured to explicitly allow this traffic to a limited set of sources and destinations while blocking this port traffic to and from all other hosts. This adds a layer of protection to high availability systems and reduces the risk that a worm infection will lead to a network-wide denial of service.

Commercial intrusion prevention appliances that detect and block attack code provide a strong layer of defense between high-risk zones and the remainder of the network. If the intrusion prevention vendor puts sufficient resources into signature development and maintenance, these devices can offer a significant defense against the entry of worms into the network and against the spread of worms that have breached gateway defenses. As the convergence of network infrastructure and network security devices continues to mature, we may expect intrusion prevention capabilities to be bundled into many network infrastructure devices.

The segmentation of the network into security policy zones creates choke points that are ideal locations for deploying intrusion detection systems. The capabilities of network infrastructure devices may be combined with intrusion detection systems to detect and prevent the spread of malicious code and limit the likelihood that a denial of service results from a worm infection.
For example, if a computer in a security policy zone that consists of laptop computers attempts to connect to 1,000 other systems on port 445 in under a minute, it is fairly likely that it has been infected. Many routers and switches are capable of generating flow statistics that can be used to characterize malicious traffic. When combined with software processes that identify infections, an infected computer may be automatically blocked at the switch or put into quarantine for remediation.

Controlling Access to the LAN

Computers that connect from remote locations raise questions with regards to confidence and trust. These systems may reside on networks that are not as well protected as the enterprise network. The host computers may not be as securely configured or as well maintained as computer systems directly under the control of one’s own organization. There are few technical mechanisms to assure that remotely connected host computers are in compliance with an organization’s security policies.

In a flat network, where any workstation can reach every other workstation and server, it is significantly more difficult to apply technical measures that address variations in assurance and trust. A network segmented into security policy zones permits the architect to address variance in risk posed by different channels of network access. Access from locations that are less inherently trustworthy may be grouped into distinct security policy zones. This may include VPN, dialup, and partner or subsidiary connections. Wireless networking is another example of network access that may be inherently less trustworthy. By isolating network connections such as wireless or VPN into separate segments or VLANs, it becomes easier to apply security policies to these connections that are commensurate to their level of trust. It is also easier to change this policy quickly in response to future threats.
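
The flow-record check described above (a laptop-zone host contacting 1,000 other systems on port 445 in under a minute) can be written as a sliding-window count of distinct destinations. This is an added Python example, not part of the article; the `Flow` record layout, the zone CIDR and every address are assumptions constructed for illustration.

```python
"""Fan-out detection over flow records (added example, constructed data)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Ports the article names as commonly exploited by worms.
WORM_PORTS = {135, 137, 139, 445}


@dataclass(frozen=True)
class Flow:
    """Hypothetical minimal flow record, as a router or switch might export."""
    ts: float    # flow start time in seconds
    src: str     # source IP address
    dst: str     # destination IP address
    dport: int   # destination port


def find_fanout(flows, zone_cidr, threshold, window=60.0, ports=WORM_PORTS):
    """Return {src: time_flagged} for hosts inside zone_cidr that contact at
    least `threshold` distinct destinations on one watched port within
    `window` seconds."""
    zone = ip_network(zone_cidr)
    recent = defaultdict(deque)    # (src, dport) -> deque of (ts, dst)
    last_seen = defaultdict(dict)  # (src, dport) -> {dst: latest ts}
    flagged = {}
    for f in sorted(flows, key=lambda rec: rec.ts):
        if f.dport not in ports or ip_address(f.src) not in zone:
            continue               # other zones are judged by their own policy
        if f.src in flagged:
            continue               # already reported; quarantine is downstream
        key = (f.src, f.dport)
        queue, seen = recent[key], last_seen[key]
        queue.append((f.ts, f.dst))
        seen[f.dst] = f.ts
        # Expire records older than the window. A destination is forgotten
        # only when its most recent contact has aged out.
        while queue and f.ts - queue[0][0] >= window:
            old_ts, old_dst = queue.popleft()
            if seen.get(old_dst) == old_ts:
                del seen[old_dst]
        if len(seen) >= threshold:
            flagged[f.src] = f.ts
    return flagged


def sample_flows():
    """Constructed flow records; all addresses are made up for the example."""
    base = int(ip_address("10.30.0.1"))
    targets = [str(ip_address(base + i)) for i in range(1000)]
    flows = []
    for i, dst in enumerate(targets):
        # Laptop .15: 1,000 distinct targets on 445 in 50 s (worm-like scan).
        flows.append(Flow(100 + i * 0.05, "10.20.0.15", dst, 445))
        # Laptop .22: 1,000 flows to one file server (busy, not scanning).
        flows.append(Flow(100 + i * 0.05, "10.20.0.22", "10.30.0.5", 445))
        # Laptop .31: 1,000 distinct targets, one every 2 s (below the rate).
        flows.append(Flow(100 + i * 2.0, "10.20.0.31", dst, 445))
        # Host outside the laptop zone with the same fan-out as .15.
        flows.append(Flow(100 + i * 0.05, "10.40.0.9", dst, 445))
    return flows


if __name__ == "__main__":
    # Laptop zone CIDR is an assumption for this example.
    for src, ts in find_fanout(sample_flows(), "10.20.0.0/24", 1000).items():
        print(f"quarantine candidate {src}, threshold reached at t={ts:.2f}s")
```

Counting distinct destinations rather than flows is what separates the scanning laptop from the one that is simply busy with a single file server.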
Once a network has been segmented into security policy zones, the communications between zones may be studied to identify network traffic that is necessary and legitimate. Ingress and egress filters may then be applied to permit this traffic and block all other traffic, based on the principle of least privilege.

The security policy zone architecture facilitates the application of technical measures to mitigate risk posed by variations in assurance and trust. Traffic may be filtered based on the principle of least privilege. Intrusion detection and intrusion prevention devices may be placed at chokepoints between security policy zones to protect information confidentiality, integrity, and availability. A network segmented into security policy zones allows the architect to identify classes of systems that are inherently less trustworthy, place these systems in distinct network zones, restrict traffic between zones, and monitor and audit traffic to enforce and demonstrate compliance.

Protecting Information Confidentiality and Integrity

Many organizations have policies that identify higher protection requirements for specified classes of information. In many environments, law or regulation requires this. Multinational organizations must comply with an array of local laws and regulations. Security policy zones present a significant opportunity to protect data confidentiality and integrity and to demonstrate compliance requirements.

Computers that process and store sensitive information may be placed in distinct security policy zones. This facilitates the deployment of protections commensurate with the value of the data protected and allows for more finely tuned prioritization of host security measures. Logical access to these segments may be restricted to computer users who have authorized access to these classes of information.
For example, all users should generally have ready access to web-based information on benefits or human resources policies, but access to confidential human resources information may be restricted appropriately. An analysis of this sort lends itself to the easy identification of potential violations in security policy. By placing like information systems into discrete zones, traffic flows between zones may more easily be filtered and restricted to comply with an organization’s security requirements.

Implementation of VLANs is a common approach to the creation of information protection zones. Many organizations approach the problem of identifying information protection zones by creating departmental VLANs. For example, all desktop computers and information servers belonging to the accounting department may sit on a common VLAN. Filters are set so that most other user VLANs cannot route to the accounting department’s VLAN. This presents a network layer barrier to prevent accidental or deliberate disclosure or alteration of sensitive information.

In environments where confidentiality of data in transit must be assured, network devices such as routers may be configured to provide point-to-point encryption. The confidentiality of information that is passed over wireless networks may be assured by encrypting traffic between wireless clients and wireless access points.

Server Zones and System Administrator Zones

In many organizations, there are important differences in the requirements that govern the protection of host computers and servers. Separating servers into a distinct security policy zone facilitates the clarification of policy appropriate to this zone and strengthens an organization’s ability to enforce policy through network infrastructure devices.

How quickly do server patches need to be applied as compared with workstations?
How often do servers need to be scanned for vulnerabilities as compared with workstations? Are there more exceptions to the common policy based on operational requirements? Are there different flavors of operating systems? Are there different requirements for server availability? The complexity of managing servers adds to the challenge of configuring and maintaining hardened systems throughout the enterprise. Separating servers into a distinct zone (or zones) facilitates the establishment of measures to protect these systems appropriately. Placing the desktop computer systems used by system administrators in a distinct security policy zone addresses several risk factors related to system administration. System administrators have a unique level of access to business-critical systems and information. The establishment of a system administrator zone facilitates auditing the actions taken by those with authorized system administrator access. It also provides a network layer of defense that reduces the likelihood that an unauthorized user can accidentally or maliciously gain root access to servers, limiting exposure in a situation where an adversary gains or abuses access to the LAN. Once server and system administration zones have been established, access to the server zone may be restricted to the network zone or VLAN used by system administrators. Access to the system administrator zone may likewise be restricted to reduce the likelihood that an unauthorized user may gain logical access to a system administrator’s workstation. The chokepoints in the network created by the establishment of these zones are ideally located to detect attempted or successful attacks directed against these important segments. They may also be used to audit system administration actions, offering a layer of deterrence against abuse. They also enhance our capacity to demonstrate compliance and continuous improvement through metrics. 
Host Security

This article has described an architecture based on security policy zones. It has described how network infrastructure devices may add additional layers of defense, enforcing inter-zone routing policies at zone borders and preventing and detecting the propagation of malicious activity. The last section of this article describes how an architecture based on security policy zones may serve to strengthen host security.

Host security represents the final layer of defense against attack. The redistribution of hosts into security policy zones may improve host security in three important areas: requirements for each zone are more clearly defined; policies directly address the unique needs of each zone; and efforts to harden, scan, and patch systems are more readily prioritized.

In many organizations, the advent of mobile malicious code has exposed weaknesses in system hardening and patching. Worms exploit weaknesses in system configuration, often targeting default settings that expose systems to vulnerabilities. Worms typically attack systems that have known vulnerabilities for which security patches are available but have not been installed. Newly built systems are particularly at risk.

Few organizations can achieve 100 percent compliance with policies that govern system configuration and security patching. It is an open question whether the current model for distributing critical security patches will ever attain 100 percent saturation. In an environment where consistent hardening and patching may not be attainable, better prioritization is needed to provide a higher degree of assurance that more critical systems get the attention they need.

The security policy zone architecture directly addresses the need to identify the security policy requirements for various classes of computer systems. In many computing environments, institutional security policies that describe hardening requirements are more generalized and cannot address unique needs.
Systems are scanned on a schedule that cannot address diverse needs. With the segmentation of systems into security policy zones, the requirements and scheduling for hardening, scanning, and patching systems may more appropriately reflect the risk to each zone and each zone’s purposes and unique needs.

References

Stephenson, P. (2004). The Application of Formal Methods to Root Cause Analysis of Digital Incidents. International Journal of Digital Evidence, 3:1.
Stephenson, P. (2003). Modeling of Post-Incident Root Cause Analysis. International Journal of Digital Evidence, 2:2.
Stephenson, P. (2001). S-TRAIS: A Method for Security Requirements Engineering Using a Standards-Based Network Security Reference Model. http://www.sreis.org/old/2001/papers/sreis018.pdf.

Biography

Alex Malin, CISSP, is an intrusion detection system architect and incident response manager for Los Alamos National Laboratory. His interests include assuring information confidentiality through technical controls and integrating security into network design.

Running head: INFORMATION SECURITY

Information Security
Name
Institution
Professor
Course
Date

First Source

Source: Okenyi, P. O., & Owens, T. J. (2007). On the Anatomy of Human Hacking. Information Systems Security, 16(6), 302-314. doi:10.1080/10658980701747237

Documentation style: APA

Authors: Okenyi P.O and Owens T.J

Thomas J. Owens is a doctor at the Brunel University London in the college of engineering, Design, and Physical sciences. Since February 2014 until March 2018, Tom was an Executive Vice President of Real Estate at Cinemark Holdings Inc. Mr. Owens is also a Co-owner at Thomas J Owens and Margaret E Richards Trust. As from 1996, Mr.
Owens has served in Executive positions in various companies and organizations dealing with information technology and other technological development aspects. Lastly, Owens is currently conducting a research fixated on Security and Network Security of Wireless Communications, a course he also teaches in London.

Okenyi P.O. is also a doctor who has worked with SWH IT security, HSBC Technologies, Inc. Before his entry to the HSBC, Okenyi worked at the Credit Suisse Asset Management New York (CSAM NY) and as a part of the IT Risk team in Credit Suisse First Boston New York (CSFB). Dr. Peter Okenyi additionally has worked as a senior security consultant for eFortresses which is located in Atlanta, Ga. eFortresses is a firm that deals with information technology Risk management whose headquarter is in Atlanta. The profiles of the two doctors described above are a clear indication that they are the best.

Publisher: Taylor & Francis Group, LLC

Taylor & Francis Group, LLC is an international academic publisher that is well-known and recognized with offices all over the world. The group is world-leading both academic and professional publisher that cultivates knowledge through the creation of efficient and effective partnerships with a commitment to quality. Taylor & Francis Group publishes books, journals and online articles for all academic study levels as well as professional development across a wide range of disciplines and subjects. The group’s journals are quality and peer-reviewed usually published under the Routledge and Taylor and Francis Imprints. An access program that is purely open is offered by the group’s newest part, Cogent OA. The publisher’s information and journals are available in archives that are trusted and can also be accessed through subscription databases.

Accuracy

The published information in the journal is not only accurate but also of high quality.
The information contained in the journal has been peer-reviewed and can readily be availed or accessed from the APUS library. At the end of the journal, a list of references has been provided so that any interested parties having any doubts can confirm what has been presented by the two doctors, Okenyi and Owens.

Current Information

The information in the journal, pages 302-314 was published online on the 19th of December 2007. The abstract can be accessed free by anyone but to gain full access one is required to register so that they can access the entire document at a certain fee. The information provided was based on factual data and figures but since its publication online in 2007, it has not been updated.

Objectivity

Issues in the journal are treated in a fair way and there is no side that seems to have been addressed more or less than the other. The issues addressed by the two doctors address human hacking as being a type of interruption that is nontechnical and profoundly relying on the manipulation of human beings.

Second source

Malin, Alex. Information Systems Security. Jan2007, Vol. 16 Issue 1, p47-53. 7p. DOI: 10.1080/10658980601051490. The journal has been peer-reviewed at APUS library.

Documentation Style: APA

Author: Alex Malin, CISSP.

Alex Malin, CISSP is an architect in intrusion detection systems and also a manager of incident Responses for the National Laboratory of Los Alamos. Alex has a wide range of interests which include assuring the confidentiality of information through technical controls and the integration of security into various designs of networks. Alex's immense interest and confidence in these areas make him an expert in the general field of information systems.

Publisher: Taylor & Francis Group, LLC.
The publisher, Taylor & Francis Group, LLC, commits to partner with authors that are world-class, from renowned researchers, leading scientists, scholars, and professionals who operate at the top of their various fields. As a team, the group publishes in all areas of social sciences, science, behavioral science, medicine sectors, technology, and humanities. The group currently stands among the world's leading publishers of books, eBooks, textbooks, reference works and scholarly journals like this one. The group’s offices network has expanded since its formation to include numerous representatives in New York, Boca Raton, Singapore, Tokyo, Kuala Lumpur, New Delhi, Johannesburg, Melbourne, and Philadelphia. The expansion has helped the group’s staff be in a position to provide expertise locally and offer editors support. Societies and authors can be offered customer service that is efficient and tailored to the company’s library colleagues all over the world.

Accuracy

The information provided in the journal is very accurate and corresponds with other various resources that have historically been reliable. The journal describes an architecture that is based on different zones of security. Network infrastructure devices as described by the author can add more defense layers, enforcing routing policies of inter-zones at zone borders, thus preventing and detecting malicious activities propagation.

Reliability of the information provided

The information provided by Alex Malin in the journal has been peer-reviewed and contains a list of references that one can use to confirm that the provided information is correct in case of any doubts. Considering the immense experience that the author, Alex Malin, has, the information provided is factual with no errors.

Current information

The journal was published in Jan/Feb 2007 (pages 47-53) and has not been updated ever since.
What Alex, the author, presented are facts and updating them would mean changing the truth of what is already in existence. A preview of the journal can be accessed online but the full document can only be accessed from institutions’ libraries and the APUS library upon request.

Objectivity

In designing networks that enforce information security policies, every side and angle has been considered with all of them being treated the same and none is more regarded than the other. Security of networks is something that a long time ago was not considered as the population was less and technology had not fully been embraced. The central objective of the journal was that computer networks needed to be split into various network zones that are distinct. A point was reached when network infrastructures and network security devices had to converge for a better solution. The issue of network security has been addressed fairly with all sides being keenly attended and without any bias.

Explanation & Answer

Attached.

SURNAME1
Name
Professor
Course Number
Submission Date
Information System Annotated Bibliography
Gupta, Alok, et al. "Economic Experiments in Information Systems." MIS Quarterly, vol. 42, no.
2, June 2018, pp. 595-606. EBSCOhost, doi:10.25300/MISQ/2018/13049
Alok Gupta and colleagues in this journal article describe the importance of information
system's economic experiments. They start off by explaining the advantages that are bound to be
accrued from the experiments for the various users of information technology. They further
describe the methods that can be used. This information is reliable as not only is it from a
credible source (the university library), but i...

