Lesson 9 Internet security requirements
Objective Describe the different security requirements for the Internet, intranets, and extranets.

Internet Security

An Internet connection exposes your personal computer or company network to the entire Internet. Security needs arise on the Internet whenever information passes back and forth through the connection. Internet security entails the following:
  1. Securing information sent and received during transactions
  2. Checking to ensure that viruses are not downloaded with software and other files

Intranet security

An intranet is a network used to manage software, data files, communications, and file sharing within a single company. The intranet uses browsers and servers; it is a network designed by the company and tailored to the company's specific needs. Access is generally limited to employees with various levels of authorization depending on their roles within the company.
The main security requirements of an intranet are:
  1. Controlling who has access to what kinds of information
  2. Preventing the outside world (such as competitors) from seeing the intranet
  3. Controlling remote access (as when employees travel)

Extranet security

An extranet is a specially designed portion of an intranet that has strictly controlled access. It can reside completely outside the intranet. The extranet allows limited access to company-proprietary information; for example, to salespeople. Only these authorized users can send and receive information and conduct transactions using the extranet.
The security requirements of an extranet include:
  1. Controlling who has access to the extranet
  2. Controlling the permission levels of users (who can only view the data, who is authorized to edit or add the data)
  3. Controlling which specific users access which specific data
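The three extranet requirements above can be enforced together with a default-deny authorization check. The sketch below is an added example, not part of the original lesson; the class, user and dataset names are hypothetical and the sample policy is constructed for illustration.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class Level(IntEnum):
    """Permission levels, ordered so a higher level implies the lower ones."""
    VIEW = 1
    EDIT = 2  # may edit or add data

@dataclass
class ExtranetPolicy:
    # Requirement 1: who may use the extranet at all.
    members: set = field(default_factory=set)
    # Requirements 2 and 3: (user, dataset) -> permission level held.
    grants: dict = field(default_factory=dict)

    def grant(self, user, dataset, level):
        if user not in self.members:
            raise ValueError(f"{user} is not an extranet member")
        self.grants[(user, dataset)] = level

    def revoke_member(self, user):
        """Removing a member also drops every grant that member held."""
        self.members.discard(user)
        self.grants = {k: v for k, v in self.grants.items() if k[0] != user}

    def decide(self, user, dataset, needed):
        """Return (allowed, reason); anything not explicitly granted is denied."""
        if user not in self.members:
            return False, "not an extranet user"
        held = self.grants.get((user, dataset))
        if held is None:
            return False, "no grant for this dataset"
        if held < needed:
            return False, "permission level too low"
        return True, "granted"

def build_sample_policy():
    """Constructed sample: two salespeople with different rights."""
    p = ExtranetPolicy(members={"alice", "bob"})
    p.grant("alice", "price-list", Level.EDIT)
    p.grant("bob", "price-list", Level.VIEW)
    p.grant("alice", "order-history", Level.VIEW)
    return p

if __name__ == "__main__":
    policy = build_sample_policy()
    for user, data, lvl in [("alice", "price-list", Level.EDIT),
                            ("bob", "price-list", Level.EDIT),
                            ("mallory", "price-list", Level.VIEW)]:
        print(user, data, lvl.name, "->", policy.decide(user, data, lvl))
```

Returning the denial reason alongside the decision lets each refusal be logged against the requirement that blocked it.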

Define System Security Requirements

When defining system security requirements, the information systems security engineer identifies one or more solution sets that can satisfy the Information Protection Policy's [1] information protection needs. A solution set consists of the following items:
  1. Preliminary security CONOPS[2]
  2. The system context
  3. The system security requirements
Based on the IPP, the information systems security engineer, in collaboration with the customer, chooses the best solution among the solution sets. The preliminary security CONOPS identifies the following:
  1. The information protection functions
  2. The information management functions
  3. The dependencies among the organization's mission and the services provided by other entities
To develop the system context, the information systems security engineer performs the following functions:
  1. Uses systems engineering techniques to identify the boundaries of the system to be protected
  2. Allocates security functions to the system as well as to external systems by analyzing the flow of data among the system to be protected and the external systems, and using the information compiled in the IPP and IMM.
In the next lesson, you will learn about the types of activities and attacks to which an Internet server is vulnerable.
[1] Information Protection Policy: An information protection policy is a document that provides guidelines to users on the processing, storage and transmission of sensitive information.
[2] CONOPS: CONOPS is used to communicate the quantitative and qualitative system characteristics to all stakeholders. CONOPS are widely used in governmental services and fields of information security.