Network Computing INDM Network Security

The Interactive Network Design Manual

How To Secure Your Network

by Peter Morrissey

Introduction

Providing access to your network services and providing access to the outside world through your organization gives your staff and company many benefits. However, the more access that is provided, the greater the danger that someone will exploit the increased vulnerability that results.

In fact, every time a new system, application or network access is added, potential vulnerabilities are added and protection becomes increasingly difficult and complex. However, if you're willing to realistically confront the serious risks, it is possible to reap the benefits of greater access while minimizing the hazards. To accomplish this, you will need a comprehensive plan as well as the resources to execute it. You also must have detailed knowledge of the exposure that can occur in all the possible places, as well as the measures that can be taken to protect them.

In some ways this may appear to be an overwhelming burden, and it might very well be, especially in smaller organizations that do not have staff on hand versed in all the issues. You might be tempted to hire a security consultant and be done with it. Although this might be a good task to outsource, you still need to know enough to keep the consultant honest. After all, you may be entrusting them with your organization's most important assets. Additionally, you may want to take over ongoing maintenance once you are over the initial setup hump.

To secure your network properly, you not only need a deep understanding of the technical nuances of the network protocols, operating systems and applications that are accessed, but also up-front planning. The plan is the first step and is the basis for ensuring that all the bases are covered.

Why do I need a security policy?

The image that most frequently comes to mind when discussing security is that of the great firewall standing guard at the opening to your network, fending off attacks from malevolent hackers. Although a firewall (covered in Chapter 10 of the Interactive Network Design Manual) will play a crucial role, it is only a tool that should be part of a more comprehensive strategy that will be necessary in order to responsibly protect the data on your network. For one thing, knowing how to set up a firewall to allow the communications you want to come through while safeguarding other data is a very tough nut to crack.

Even if you do have the skills and expertise necessary to set up the firewall correctly, it may be impossible to know the risks management is willing to take with the data and to determine the amount of inconvenience to withstand in order to protect it. You also must consider how to secure the hosts being accessed. Even with firewall protection, there is no guarantee that some vulnerability won't develop. And most likely there is more than the one device at stake. Modems, for example, may provide an access point for your network that completely bypasses your firewall. In fact, a firewall may increase the likelihood that someone will set up a modem for access to the Internet through another Internet service provider (ISP), because of the restrictions that your firewall may impose upon them (something to keep in mind when you are setting up your firewall to begin with). You may be providing restrictions or "protection" that can turn out to be unnecessary once the consequences are clearly understood as a business case. On the other hand, the risks may justify the increased restrictions and ensuing inconvenience. But unless the user has some awareness of these dangers and understands clear consequences for adding risk, there may not be much you can do.

Legal issues also arise. What legal obligations do you have to protect your data? If you are in a publicly traded company you have some definite responsibilities in this regard.

Securing your data involves more than plugging in a firewall with a slick GUI interface. What you need is a comprehensive plan of defense. And you need to communicate this plan in a manner that will be meaningful to management and end users. This requires education and training along with clearly spelled out consequences for violations. It is called a "security policy" and is the first step to responsibly securing your network. The policy may include installing a firewall, but you will want to define your security policy first. You should not have to design your security policy around the limitations of your firewall.

Writing the security policy is not a trivial task. It not only requires that technical personnel understand all the vulnerabilities that are involved, but also requires that they effectively communicate with management. Management must ultimately decide how much risk should be taken with the company's assets, and how much expense should be incurred, both in real dollars and inconvenience, in order to minimize the risks. It is the responsibility of technical personnel to make sure that management understands the implications of adding access to the network and to applications on the network, so that management has enough information to make these decisions. If the security policy does not come from the top, it will be difficult to enforce even minimal security measures. For instance, employees may become upset if they suddenly have to supply logins and passwords where they did not before, or are prohibited from particular types of Internet access. It is better to deal with these issues ahead of time and put the policy in writing. The policies can then be communicated to the employees by management. Otherwise, employees will not take it seriously, or you will have constant political battles within the company regarding this issue. Not only will these battles have a negative impact on productivity, it is less likely that rational decision-making will be able to prevail in the heat of political turf wars.

The development of a security policy can be a highly charged political process, but once such a policy is in writing you'll find that less time will be spent debating it. This does not mean that it can be done in a vacuum and imposed upon the organization. The needs of all groups within the company must be realistically considered. Employing the services of a reputable outside contractor may help to provide some needed objectivity that can overcome some of these difficulties.

Updated November 15, 1996