Should the 10 steps be followed in rigid order? Which steps might be done in a different order, depending on the circumstances?

Depending on how far into the security policy process you are and how your organization works in general, the order of some of the steps could change. For example, step 3 (product evaluation) could wind up being split into two stages: one that would stay early and focus on the technology in general, and another to come after step 4 that focuses on finding the products to match the requirements.

Can you rely on vendor-supplied performance numbers for security technology?

As a rule, no. Your specific environment has its own requirements, which will dictate custom testing. These days, some vendors are providing more in-depth performance data. The more detail that is provided in these numbers, the better. Packet sizes, configured features, media types, and so on all give you more data to make good decisions in your system design. The testing in step 5 is always useful, though, to confirm these numbers in your own network.

When does it make sense to deploy to a noncritical area instead of a critical one?

Generally, if you are doing a massive overhaul of your security system and the most critical area from a security standpoint is also the most critical area from an availability standpoint, caution is warranted. As defined in step 8, a critical area is one in immediate need of security improvement. Usually you get the most benefit by implementing your security system in the area of greatest need first. If, however, that area is also an absolutely critical area from a network function standpoint, you might wish to implement first in an area with less stringent availability requirements. This ensures that any missteps that aren't discovered in the test phase are fixed on a less essential part of your network. For example, say you determine that your management network, user access network, and e-commerce network are all in dire need of security improvements. Your organization is an e-commerce company, so the e-commerce network is the most critical. As a result, you could decide that testing your improvements in your user access network would cause a less catastrophic failure if something went wrong. After increasing your confidence level in the user access network, security updates to the e-commerce network could be done next. To a certain extent, the lessons learned in the user access network might not apply to the e-commerce network because different security technology likely will be used. However, there should be enough similarities to make the extra caution worthwhile, particularly if you are making radical changes to the design or function of the critical area in question.

Based on your completed security policies (or what you imagine they will become if they are still in process), are there any areas that will be particularly hard to implement in your network security system? How might you address them?

Which areas of your current network require the most work to properly implement security? Must you redesign the network from scratch, or are you able to add security to the existing designs?

Based on the information you've read so far in this book, are there product or technology choices you could make that could minimize redesign?

Based on the way your organization is set up, what do you think will be the biggest organizational impediments to implementing a secure network? How do you plan to deal with them?

If you are operating under significant financial pressures, what are some technologies you can focus on in your design to lessen the financial impact on the network?

Focus on the security controls that can be added to the devices you already have deployed. Take care to ensure that these controls do not add significantly to the operational requirements of the network, or you might be adding more hidden cost than you realize. Provided you have the expertise in your organization, you can consider open source tools, as discussed in Chapter 7, "Network Security Platform Options and Best Deployment Practices." Just make sure you document extensively.