7 Tips for Safeguarding Networks

Network security has evolved with the times. Keep pace with these steps.

The evolution of borderless networks renders a single-perimeter defense woefully inadequate. Instead, it’s better to sustain multiple security points and various types of security.

Here are some steps for strengthening the security of existing enterprise networks to keep pace with new challenges.

1. Build a “starter” security policy to describe appropriate access controls to and from critical points in the network

Security professionals often sound like a broken record when it comes to security policy, but experience has shown that policy must come first. Without policy as a guide, there’s no hope of successfully following this path. The policy doesn’t have to be fully fleshed out; in fact, it’s better to leave out some of the details. What is needed early on are broadly defined access controls among various parts of the network (for example, branch offices, production systems, Internet systems, headquarters, guests and executive staff) or various roles within the network (customer service, management, clerks, development, quality control).

One point to remember: Security policy should be written assuming total visibility. The technology may not fully support the security policy, but the policy should not be limited to what is easily done. Technology changes quickly, and what is difficult today may be easy tomorrow.

2. Divide the network into security zones

The policy will help to identify different zones in the network, areas where multiple systems or applications have similar security policies and access controls. Then, the hard work of moving systems and users begins. Many networks grow based on physical topology because that is the simplest way to manage things. But to apply access controls, it’s necessary to segregate systems and users into appropriate security zones, which may require some rearranging or deployment of more sophisticated technologies such as VLANs.

For example, it’s common for servers to be grouped within data centers based on acquisition date — everything bought at the same time goes into the same cabinet. But if those servers represent production, test and development systems for the same application, then they have very different security requirements and may need to be segregated physically or logically so that appropriate access controls can be applied.

3. Ensure that hosts do their part

Pushing access controls to the network is a smart way to add security, but self-protecting end systems, especially servers, would be even better. In an ideal environment, the network should be secure even if all firewalls failed open to the Internet.

Most organizations have been somewhat lackadaisical in their application and host configurations, thinking that their firewalls will protect them. That point of view must change. While additional access controls will add protection, hosts should have a good dose of self-protection. This includes host-based firewalls, good password and service management discipline, and best practices for secure configuration of the host operating system.

4. Identify logical points for access control and appropriate technologies

Now that the network is divided into zones, access controls can be put into place between the zones. This is the point at which IT managers need to select the appropriate technologies, including switch/router access control lists, firewalls, intrusion prevention systems and other in-line access control tools. If switch or router upgrades or equipment purchases are required, now is the time to make sure that the hardware or software is ready to go. This step is more about finalizing details of security planning because most of the hard work happens in the first three steps.

5. Push policy by using centralized management tools

Once everything is in place, security policy should be pushed to the access control points. There are two important things to remember here. First, centralized tools are a must. No organization can manage security effectively and without errors if someone has to manually connect to dozens of devices and try to maintain a coordinated policy. Second, it’s best to start small. If the first “policy” includes only a single rule or access-control-list entry, that’s a good start.

The method of successive approximation — moving forward carefully by building on what’s tried and true — is the safest way to add security to a borderless network, both from an operational and a political standpoint. The work may take longer, but safer is better.

6. Monitor for exceptions and errors, and test for compliance

Every policy push should be accompanied by a period of time allocated to examining logs, listening to user feedback and testing to be certain that the new policy is actually effective.

7. Refine and tighten the security policy

At this point, the process enters an infinite loop. The security policy document should be revisited to see what areas of policy have not yet been implemented and what areas of policy need more definition. Furthermore, the policy being pushed to the network should be tightened to more closely represent the policy document. The policy on paper and on the network should have as narrow a gap between them as possible.
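The checks in steps 6 and 7 can be automated once the paper policy is written as zone-to-zone rules. The following is an added example, not part of the original article: it compares a starter policy against the rules pushed so far and against a flow log. The zone names, address ranges, services and log format are all constructed assumptions.

```python
import ipaddress
# All names and values below are constructed for illustration.
ZONES = {  # CIDR -> security zone
    "10.10.0.0/16": "production", "10.20.0.0/16": "headquarters",
    "10.30.0.0/16": "branch", "10.99.0.0/16": "guest",
}
# Paper policy: (source zone, destination zone) -> services; all else denied.
POLICY = {
    ("headquarters", "production"): {"tcp/443", "tcp/22"},
    ("branch", "production"): {"tcp/443"},
    ("guest", "internet"): {"tcp/80", "tcp/443"},
}
# Rules pushed to the access control points so far.
DEPLOYED = {
    ("headquarters", "production"): {"tcp/443", "tcp/22", "tcp/3389"},
    ("branch", "production"): {"tcp/443"},
}
# Constructed flow log: action, source, destination, service.
FLOW_LOG = """\
permit 10.20.1.5 10.10.0.8 tcp/443
permit 10.20.1.9 10.10.0.8 tcp/3389
permit 10.99.4.2 10.10.0.8 tcp/443
deny 10.30.2.2 10.10.0.8 tcp/22
deny 10.30.2.2 10.10.0.8 tcp/443
"""

def zone_of(ip):
    addr = ipaddress.ip_address(ip)
    for cidr, zone in ZONES.items():
        if addr in ipaddress.ip_network(cidr):
            return zone
    return "internet"  # assumption: unknown addresses are outside

def flatten(rules):
    return {(s, d, svc) for (s, d), svcs in rules.items() for svc in svcs}

def policy_gap(policy, deployed):
    """(policy not yet implemented, deployed rules the policy never granted)"""
    return flatten(policy) - flatten(deployed), flatten(deployed) - flatten(policy)

def audit_flows(log, policy):
    """(permitted flows the policy forbids, denied flows the policy allows)"""
    allowed, leaked, blocked = flatten(policy), [], []
    for line in log.splitlines():
        action, src, dst, svc = line.split()
        flow = (zone_of(src), zone_of(dst), svc)
        if action == "permit" and flow not in allowed:
            leaked.append(flow)
        elif action == "deny" and flow in allowed:
            blocked.append(flow)
    return leaked, blocked
```

The first result of `policy_gap` is the backlog for the next policy push and the second is what to tighten. `audit_flows` separates traffic that slipped through from traffic users will complain about.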

About the Author

Joel Snyder

Joel Snyder, Ph.D., is a senior IT consultant with 30 years of practice. An internationally recognized expert in the areas of security, messaging and networks, Dr. Snyder is a popular speaker and author and is known for his unbiased and comprehensive tests of security and networking products. His clients include major organizations on six continents.
