Five Ways to Engineer Better Network Security

When it comes to investing in network security, there are three types of IT philosophies.

"There are the ones that value technology and see it as a strategic advantage in their environment, and they'll invest heavily in it. There are the ones that know they need it and they're willing to invest where they need to," says Rick Norberg, president of Atrion Networking SMB, an IT service provider. "And then there are the ones that just see it as the cost of doing business. And those are the ones that tend to be unprotected, unmanaged and dedicate inadequate staff resources in order to plan through security."

Don't get pegged in that third group, Norberg warns. According to Norberg and several other IT experts, there are a number of ways to revamp your thinking and your network design for better IT functionality and improved security. Here's where they say to start.

Build Backward from Mandates

According to Norberg, before designing your network it's important to take a step back and think about a couple of critical variables, including:

Then design back from there, he suggests. When taken into consideration early in the design process, these elements should have significant bearing on the choices you make in infrastructure and deployment options.

"Sometimes, people will just buy cheap switches, network gear, firewalls and things like that because they're inexpensive. And they throw them in," says Norberg. "Then when they have a breach, they realize they just paid a zillion dollars to the government or to a credit card company or something like that in order to remediate it. And then they have to go buy the more expensive gear anyway. Taking an 'it can't happen to me' approach is probably not the best way to design a system."

Know Where Data Sits

One of the biggest weaknesses of many organizations is the lack of visibility into where exactly important data sits on the network.

Scott Laliberte, managing director at global business consulting and auditing firm Protiviti, says, "Among the things that clients we are working with are spending more time on is not only data leakage prevention--making sure it doesn't go out on the front end--but also what I call 'data discovery,' which is being more confident and clear on where the data for sensitive information really does reside and then organizing it in such a way that you can manage it in a segmented way."

According to a Protiviti survey earlier this year, organizations still struggle with data discovery and classification--just 50% of respondents said they have a specific plan in place to categorize data. And according to Laliberte, when he engages with clients to do data discovery on their network for the first time, surprises are common.

"In almost every instance there is a surprise found by the client as to where some of the sensitive data is," he says.

Next: The Importance of Modularity, Firewalls and Patches

Modularity Is the Name of the Game

The more modular you can design a network, the easier it is to control and monitor traffic, according to Norberg.

"You want a network that you're able to functionally monitor and secure, so you're controlling the traffic on the network. You want one that can grow with the users," he says. "A lot of times, you start with a flat network and then you start to modularize the phone traffic, the PC traffic and, if they're in a retail environment, some of the POS terminals to make sure they're secure and separated from each other. And then you want to get more granular from there."

When done efficiently, network segmentation and modularity give a lot more flexibility in prioritizing risky segments of the network so you can focus your monitoring and security efforts on the most critical areas rather than having to worry about all of the infrastructure in aggregate. That's a step up from what most organizations are used to, says Norberg.

"Traditionally, you might just slap a firewall into there and when it goes down, the customer calls you," he says. "These days, we're actually looking at the logs and doing proactive monitoring on the devices to make sure that they're not only secured and updated with the latest firmware, but you're also looking at what's happening with the firewall and the connection itself."

Manage Firewalls More Intelligently

Speaking of firewalls, organizations have to take an active management approach to their firewall rules if they're going to get the most out of these assets. With most enterprises today depending on thousands of firewalls dispersed throughout their network fabric, firewall management has become an important element both for efficient IT operations and effective IT security.

"The core of network complexity begins with a firewall," says Kevin Beaver, founder and principal information security consultant at Principle Logic.

Beaver says that, all too often, he sees organizations that believe that their security is OK. However, once he starts digging into their firewall rule sets and configurations, security holes are discovered.

"[We find] system configuration problems, weak passwords, network segments that shouldn't be talking to one another, ports that are open," he says. "I often see database servers that are sitting out on the public Internet wide open for attack."

Patch

Patch management isn't just for endpoints. Smart organizations need to have utilities in place that can automate system patching across all IT infrastructure.

"If I'm the IT director for the company, I want to make sure I'm using every tool capable of doing updating firmware and software on an immediate basis and alerting and reporting on it," says Norberg. "Generally, you want to buy a third-party product that's capable of doing more than just one particular manufacturer. Otherwise, you run into problems where you've got some of this gear, some of that gear, some of these servers, and then you end up spending a lot of your time not being very efficient in the way you're patching things."