Security Best Practices

Enterprise Networks & Servers, Jan 2004, by Peter J. Welcher and Carole Warner Reece

The past two articles have been about some ideas from Cisco and elsewhere for using network devices to help deal with viruses and worms. We've suggested that people's perceptions and approaches have changed. There is not only an increased emphasis on security, but new techniques, new concerns, and a broad interest in new tools.

The previous two articles in this series are:

Vaccination Against Worms and Viruses www.netcraftsmen.net/welcher/papers/worm01.html

Network Detection of Worms and Viruses www.netcraftsmen.net/welcher/papers/worm02.html

In this article, we're going to look at security best practices. This is a huge topic, so the end of the article will contain the usual collection of good links, representing some of our sources of information, and locations where you can get more good information.

We'd also like to note that one very important Best Practice is to regard security as part of your daily business practices. See the forthcoming article by Carole in Cisco's Packet Magazine. (Link not available yet.)

Changing Times

We'd like to revisit a couple of themes briefly. As we've noted, people's thinking about security is changing.

One theme is what might be called "Classic Firewall Design" (and changes to it). The idea behind Classic Firewall Design is roughly that you have some sort of perimeter which is guarded. Some people have done this with the true classic approach: a couple of well-guarded firewall entry points. Others have scattered firewalls about all their external entry points, which raises the question: is it an architected design or a quick fix? We question the wisdom of having many points of entry to the network, especially when they are managed by different groups. It's better than nothing. It's reasonable as an intermediate state. But it may not be where you should wind up for the long term.

Having said that (and perhaps offended a few), the Classic Firewall Design is the hard shell around the soft chewy middle. This design model can unravel in various ways.

One situation that causes issues with this design model is if different groups wish to share links but remain isolated from each other. There's a tension there; networks are about connectivity, and security is to some extent about denying connectivity. You'd like to share a link, but if you do, you share security and access (or have to maintain lots of access lists).

One solution is to use MPLS for isolation of routing even when shared links and routers are used. Large organizations with parallel links and routers owned by different business units but in common locations might want to consider moving to an MPLS architecture to cut WAN and support costs, and simplify routing.

The second change to the Classic Firewall Design stems from recent infestations of viruses and worms. The recent worm storms were often caused by laptops importing the problem into the corporate environment. The Classic Design is static, assuming the enemy is outside.

You can think of it as a castle wall and moat. But if somebody inside opens a door to the enemy, or if there is a turncoat within, the enemy gets free run of the interior. Consider that classic castles had separate compartments to them, so that even if the enemy breached parts of the castle, the remainder might be defended (probably with a diminished number of combatants). Does your network have internal barriers so that the enemy within only gains partial access to the interior?

We also now see an emphasis on what might be thought of as security and ID checks at the gate: virus scanners, personal firewall enforcement, and so on. Some related links follow.

Cisco CSA has been receiving a lot of customer interest lately. The Network Admission Control program shows Cisco was listening to customers saying they needed control of what connects to their network (and seeing that it may work better if it is not purely an end-system software solution).

Cisco Security Agent www.cisco.com/en/US/products/sw/secursw/ps5057/index.html

Cisco Network Admission Control Program www.enterpriseitplanet.com/security/news/article.php/3111341

Cisco Press Release about Network Admission Control http://newsroom.cisco.com/dlls/prod_111803d.html

Perhaps security designs should also include some common-sense access lists and controls, recognizing that employees in most cases do not need to send all types of traffic to any other location in the network. (Exception: IP telephony and other peer-to-peer networking tools.)

Up Front

Okay, so what are some up front best practices that you should implement? The following are some of the things you should be considering.

Tripwire. After you've been hacked, it may be hard to confirm what, if anything, has been compromised. Products like Tripwire (commercial or freeware version) snapshot the clean state of the system using file checksums. You can then re-scan after compromise and see what's changed. Otherwise, the only way you can be really sure the system is clean is to rebuild it from scratch or from backup, both of which are time-consuming.
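To make the Tripwire idea concrete, here is a small file-integrity checker written for this article as an added example; it is not code from Tripwire or from the authors. It snapshots a directory tree (SHA-256 digest, size and permission bits per regular file), stores the baseline as JSON outside the monitored tree, and on rescan reports files that were added, removed or modified. The directory layout, file contents and the "tampering" in `demo()` are all constructed inline in a temporary directory so the script runs offline.

```python
"""Minimal Tripwire-style baseline and rescan (added example, not Tripwire's code).

Baseline the clean state of a tree once, keep the baseline somewhere the
host cannot silently rewrite it, and after a suspected compromise re-scan
and diff against the baseline.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """Return the SHA-256 hex digest of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root):
    """Map each regular file under root (relative, '/'-separated) to its digest, size and mode."""
    baseline = {}
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue  # symlinks and special files are out of scope here
            st = os.stat(full)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = {
                "sha256": hash_file(full),
                "size": st.st_size,
                "mode": st.st_mode & 0o7777,  # permission and setuid/setgid/sticky bits
            }
    return baseline


def compare(baseline, current):
    """Diff two snapshots: files added, removed, or whose digest/size/mode changed."""
    base_keys, cur_keys = set(baseline), set(current)
    modified = sorted(p for p in base_keys & cur_keys if baseline[p] != current[p])
    return {
        "added": sorted(cur_keys - base_keys),
        "removed": sorted(base_keys - cur_keys),
        "modified": modified,
    }


def save_baseline(baseline, path):
    """Persist the baseline as JSON; keep this file off the monitored host or read-only."""
    with open(path, "w") as f:
        json.dump(baseline, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path) as f:
        return json.load(f)


def demo():
    """Constructed scenario: baseline a tiny tree, alter it, rescan and diff."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "bin"))
        os.makedirs(os.path.join(root, "etc"))
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"original login binary")          # constructed content
        with open(os.path.join(root, "etc", "passwd"), "wb") as f:
            f.write(b"root:x:0:0:root:/root:/bin/sh\n")  # constructed content

        baseline_path = os.path.join(store, "baseline.json")  # outside the monitored tree
        save_baseline(snapshot(root), baseline_path)

        # Simulated post-compromise state: one file altered, one new, one deleted.
        with open(os.path.join(root, "bin", "login"), "wb") as f:
            f.write(b"altered login binary")
        with open(os.path.join(root, "bin", "unexpected"), "wb") as f:
            f.write(b"file that was not in the baseline")
        os.remove(os.path.join(root, "etc", "passwd"))

        return compare(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

The check is only as trustworthy as the baseline: if the stored digests can be rewritten by whoever altered the files, the rescan will report a clean system, which is why the baseline belongs on read-only or off-host storage. Note also that the digest deliberately covers file content and permission bits but not timestamps, since those are trivially reset.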