Eight Top Tips For Network Security

It's a safe bet that any enterprise that's serious about networking --- in other words, most enterprises --- have finally started to take network security seriously. In this age of zero-day exploits, malware and zombie bots, sales of security technologies and services have skyrocketed; virtual private networks (VPNs) and intrusion protection systems have become standard tools of the trade.

However, having the hardware and software isn't enough, says James Hurley, the Aberdeen Group's Vice President Risk, Security, and Compliance. Having the tools is not the same as knowing how to use them. "Looking at security only from a technology perspective leads organizations down the wrong path," Hurley says. "The most common error is the assumption that the security capabilities on network hardware and routers is all you need. Organizations that approach security solely from a technology perspective do it very poorly."

The bottom line is that protecting your network is, more than anything else, a question of policy, strategy and execution. Networks, says In-Stat group research analyst Victoria Sodale, are not insecure by definition, but by accident. "There are some basic steps all organizations can take to protect themselves," she says. It just takes the will and commitment to take them.

Here, the experts say, are eight ways to protect your network:

Define policies and ensure governance: With new regulations like the Sarbanes-Oxley Act raising the bar for corporate responsibility, governance has become particularly critical. "It's broader than just security," Sodale says. "It's not just making sure that you have it, but also that it's documented and enforced."Exactly how an organization manages security depends on the organization, but it is imperative to have clear rules and procedures for how the network is used and secured. "The steps you should take are different if you're the Pentagon and if you're the University of Michigan," Hurley says. Nevertheless, "more than technology, this is the critical issue in determining if security works."

Policies have to be backed up with technology, but they have to be made explicit. They are the starting point for everything else Sodale says. "It really is common sense," she says. "You have to have rules if you're going to enforce rules."

Educate users: The rules themselves are useless if no one knows what they are. An essential step in protecting your network on the outside is to ensure that users on the inside know what they have to do. With the explosive growth of malware in the last year, users themselves have become a particularly important component in network security. They have to know what they can and cannot do safely, and that ostensibly "free" downloaded software comes at a price.

This is particularly important, Sodale says, now that spyware has been found to infect systems through phishing e-mails and spam. "I don't think users are doing things to jeopardize security on purpose," she says. "They're just curious. Sometimes they come across a phishing message so weird that they just have to click through. They have to be educated so that they don't."

Put someone in charge: The days when security was something the IT group could look after are past. Protecting your network is a full-time job, and someone in the organization has to be in charge of and responsible for it."Security needs constant oversight," Sodale says. "Organizations need to appoint security specialists --- chief security officers if necessary, or someone in the IT group. They have to be able to go to conferences and build expertise. Security has to be their only job."

Configure your hardware: Despite the proliferation of network security appliances promising plug-and-play functionality, things are still a bit more complicated than just dropping a new box into the network. Sometimes you have to turn it on.

"If you have an intrusion prevention system (IPS), you need to turn your blocking protection on and know how to configure it," Sodale says. "The problem is that many organizations don't, or they find that the default settings block everything and they turn it off. But if you've gone to the trouble of installing an IPS and you're not using blocking protection, then why bother?"

Even basic network hardware and software not directly related to security have to be properly configured, whether it's a question of closing unnecessary or redundant Web server ports or setting up routing tables. "The simple thing is to make sure the addresses you're opening ports for are appropriate for who you're doing business with," Hurley says. "This has nothing to do with security, but everything to do with routing configuration."

Keep an eye on remote users and portable devices: This, says Sodale, is where most of the malware finds its way onto your network. You could have the perimeter sewn-up tightly, but users who log into unprotected Wi-Fi networks at the local coffee emporium or in the hotel rooms on the road can bring nasties through the back door when they connect back at the head office.

"People go home with the company laptop on the weekend, where they have a broadband connection and unrestricted access to file sharing and spyware," Sodale says. "You have to have some kind of process in place to deal with the vulnerabilities that they introduce to the corporate network when they come back on Monday morning."Protect your e-mail: An unencrypted e-mail is like a postcard; in theory at least, anyone who wants to read it can. According to Sodale, however, e-mail is the most vulnerable network application because it is the most ubiquitous and trusted application. "What is really scary is that something like 75-80% of a company's intellectual property comes through e-mail," she says. "Although there are technologies like e-mail firewalls and add-ons to Exchange and Lotus Notes, the e-mail content itself has been ignored in the emphasis on perimeter security measures like firewalls."

The bottom line is that, with e-mail bouncing around between servers, there are many opportunities for trouble. Encryption should not be an afterthought, but an essential part of business communication.

"Some organizations like financial services companies and government use a lot of encryption, but apart from that, it doesn't get a lot of use," Sodale says "That's because it's complicated and if e-mail isn't easy, it sort of defeats its purpose. But that's not an excuse. Companies have to look at the bottom line and make some practical choices."

Embrace diversity: While all of the major network equipment vendors are preaching the virtues of end-to-end systems, there's still a lot to be said for heterogeneity. The problem is that a homogeneous network solution is easier to crack. Interconnected systems from the edge to the core make it easy for intruders to exploit a single vulnerability the entire length of the network, according to Sodale.

"It almost looks like a biological way to look at diversity," she says. "But a heterogeneous solution is harder to compromise; you can't just crack one box and let the rest fall like dominoes."Lock down the physical premises: With so much business going on on-line, it's easy to forget that the network itself exists in the physical world. And it is there that companies are often the most vulnerable. Hundreds of thousands of dollars worth of network countermeasures aren't going to be much use if your database server is sitting next to an open door, or if a dumpster-diving miscreant can harvest this month's passwords from the trash.

"It's so obvious that many, many companies just don't think about it," Sodale says. "It's just common sense. You can have everything electronically locked down, but you'll still be incredibly vulnerable if someone swipes the box containing all of your data."