'7 steps' for network security: being prepared and knowledgeable is the best defense against hackers and data thieves - Local Area Networks

Communications News,  Feb, 2003  by Chris Ellis

A wide variety of network devices and servers must be tested and audited to ensure network security. Attack code and hacker methods are moving targets, as newer, more complex attacks seem to be on a fast-track development curve. So, what are the best-practice methods for ensuring that a corporate network, from both an Internet-facing and an internal-networking perspective, is free from vulnerabilities? Here are seven best practices to follow:

1. Understand the security environment. Become familiar with the network security environment, at least enough for communication with vendors and those implementing your security. From a high-level perspective, there are three main categories of attacks: (A) those that attempt to disrupt service on your network; (B) those that attempt to destroy data on your network; and (C) the theft of data or corporate secrets from your company.

The first type of attack (A) most commonly is denial of service (DoS). While DoS attacks can be achieved in various ways, they always have the same effect: they slow down your network devices (routers, mail servers, Web servers), making access to your network by legitimate users difficult, if not impossible.

The second type (B) destroys or changes data on your network. Viruses and worms fit into this category, typically ruining data on your servers and preventing legitimate users from doing business with you.

The third type of attacker (C) wants to gain access to corporate information. These attackers sniff (copy) your traffic as it moves through public or private networks. Their attacks originate from either the outside or from within your organization.

2. Be familiar with security defense tools. Even if you never have to handle these devices directly, having a good understanding of what they do and how they fit into the big picture is essential.

Category A problems are countered using network intrusion detection systems (NIDS), firewalls, security information management systems (SIMS) and vulnerability assessments (VA). A vulnerability assessment is one of the most important activities to perform on your infrastructure, giving you clear insight into your server, router and browser vulnerabilities.

NIDS look for attack patterns and alert your security team to anything suspicious. NIDS observe packets as they whiz past on the wire, alerting you when malicious packets are seen. Using NIDS and VAs together provides a "defense-in-depth" strategy.

Category B attacks are contained using desktop firewalls, antivirus software and host intrusion detection systems. Vulnerability assessments play a role here because they can identify known configuration or server problems.

Category C attacks are preventable using encryption techniques while the data is in transit. Because log files can generate volumes of data, the industry has seen the introduction of SIMS to gather, correlate and normalize this data. These tools use powerful consoles to identify and sort threats by severity, allowing a security officer to quickly see the big picture and take appropriate corrective action.

3. Know your vulnerabilities. Vulnerability scanning is one of the most useful defense tactics in your security toolkit, identifying important weaknesses on NIDS, firewalls and routers, but especially on e-mail, Web, data and e-commerce servers. These scans determine a device's vulnerability to worms, viruses, attack code and malicious attackers, and whether effective countermeasures (reconfiguration, patches, service packs) have been applied correctly.

4. Develop and publish a security policy. Establishing a security policy is paramount to understanding your aversion to risk. Your policy is based on how much risk you are willing to accept; the tradeoff is cost versus protection.

Your security policy is the result of your risk assessment. During the risk-assessment phase you should:

* Identify your important assets (firewalls, e-mail and Web servers, as well as your data);

* identify the threats they are exposed to;

* perform a vulnerability assessment to understand current risk levels;

* identify the costs of rectifying vulnerabilities vs. the cost to repair an attack should one successfully destroy/steal data, or otherwise render your network inoperable; and

* take into consideration negligence lawsuits, due to the inadvertent exposure, theft or loss of client data.

If a risk assessment is a way of conveying security issues to management so that they understand the cost/benefit relationships, then the resulting decision on how to rectify or strengthen your infrastructure is detailed in your security policy. That policy will guide your network-security team in its network configuration (or reconfiguration) efforts, ensuring effective countermeasures are in place. This may include the purchase of new defense tools, as well as training on those tools.
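A worked cost/benefit register for the risk-assessment steps above, as an added example that is not part of the article; the asset and threat entries, the annual-probability and dollar figures, the "expected annual loss" rule and the budget-funding pass are all assumptions made for illustration:

```python
from dataclasses import dataclass, field

# The article's three attack categories from step 1.
CATEGORIES = {"A": "disrupt service", "B": "destroy or change data", "C": "steal data"}

@dataclass
class Threat:
    name: str
    category: str              # "A", "B" or "C"
    annual_probability: float  # assumed: estimated from the vulnerability assessment
    impact: float              # assumed: cost to repair/recover, including liability exposure
    fix_cost: float            # assumed: cost of rectifying the vulnerability

@dataclass
class Asset:
    name: str
    threats: list = field(default_factory=list)

def expected_loss(t):
    # Assumed rule: expected annual loss = probability of the attack in a year x its impact.
    return t.annual_probability * t.impact

def assess(assets):
    """Expected annual loss per threat, most severe first; 'fix' when the fix is cheaper than the loss it removes."""
    rows = []
    for a in assets:
        for t in a.threats:
            if t.category not in CATEGORIES:
                raise ValueError(f"unknown category {t.category!r} for {t.name}")
            el = expected_loss(t)
            rows.append({"asset": a.name, "threat": t.name, "category": t.category,
                         "expected_loss": el, "fix_cost": t.fix_cost,
                         "decision": "fix" if t.fix_cost < el else "accept"})
    rows.sort(key=lambda r: r["expected_loss"], reverse=True)
    return rows

def fund(rows, budget):
    """Fund 'fix' rows in order of net benefit (loss removed minus fix cost) until the budget runs out."""
    chosen, spent = [], 0.0
    for r in sorted((r for r in rows if r["decision"] == "fix"),
                    key=lambda r: r["expected_loss"] - r["fix_cost"], reverse=True):
        if spent + r["fix_cost"] <= budget:
            chosen.append(r["threat"])
            spent += r["fix_cost"]
    return chosen, spent

# Constructed sample register (figures are invented for the example).
SAMPLE = [
    Asset("web server", [Threat("DoS flood", "A", 0.5, 40_000, 8_000)]),
    Asset("mail server", [Threat("mass-mailing worm", "B", 0.75, 16_000, 2_000)]),
    Asset("customer database", [Threat("traffic sniffing", "C", 0.125, 160_000, 30_000)]),
]

if __name__ == "__main__":
    for r in assess(SAMPLE):
        print(f"{r['asset']:18} {r['threat']:18} cat {r['category']} "
              f"loss {r['expected_loss']:>9,.0f} fix {r['fix_cost']:>7,.0f} -> {r['decision']}")
    print(fund(assess(SAMPLE), 9_000))
```

Sorting by expected loss gives the severity view the article asks for, while the funding pass shows how the same register turns into concrete policy decisions once a budget is fixed.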

Employees need to understand security policies in a clear and meaningful way, so that prior abuses (e.g., illegal IRC servers or P2P programs) can be safely removed without the need to fire employees on a first-offense basis.