Foreword

Not too long ago it was thought that the only secure network was a network that was completely disconnected, or one that had no power. While that may still be true today, it does not help our local administrator deal with problems he or she never had to deal with in the past. Prior to the World Wide Web, most of our computer networks were islands unto themselves. Organizations may have exchanged e-mail, or hosted bulletin boards, but for the most part Company A's network was completely separate from Company B's network. The biggest problems an information technology professional may have had were someone, stealing floppy disks or hacking the company's telephony switch. With today's Internet, or network of networks, distributors or suppliers can look into their customers' inventory databases, employees can telecommute with broadband connections, students can submit or receive homework without ever leaving home, and thousands of other things are possible that we could not do prior to the advent of http and the World Wide Web. These advances are great for changing the way we all live, work, play and learn; however, it begs the questions: Are my distributors looking past the databases for which they have authority? Is there someone other than my employees accessing my network without my knowledge? Who else is trying to communicate with my child over the Internet?

For the above reasons and many others it becomes apparent that all organizations need to have a plan for securing their assets, both physical and electronic. The corporate, or organizational, security policy is an administrator's strength in applying rules and policies about how the network is to be used. The technology that companies, schools, or other private and public institutions deploy is, by itself, not enough to prevent their networks from being compromised. Once the policy is in place and a plan is set out to secure the network, it becomes apparent that security will never again be point product or niche solution. Instead, network security must become a process, one that is reviewed and updated with each change of the physical, or logical, network that it applies to.

As one starts his or her journey down the path of security, it becomes apparent that network security can no longer be thought of as an after-thought, or a "bolt-on" solution. Security must become a fabric of the network that strikes the balance between security and usability. Policies, architectures, and processes need to be noninvasive to legitimate users, but impenetrable to would-be attackers.

Craig Tiffany
Network Security Consultant
Cisco Systems, Inc.

Craig Tiffany is a security specialist working in the field for Cisco Systems, Inc. for more than four years. Craig earned his CCIE certification for routing and switching in March of 1998. Since then, he has worked with several Fortune 100 companies, and has consulted with hundreds of small to medium businesses, cities, counties, schools, universities, as well as other large enterprises. Prior to working for Cisco Systems, Inc., Craig was a technical marketing engineer for Intel Corporation in the Intel Architecture Labs. Craig also spent several years as a network engineer and technical operations lead at one of Intel Corporation's fabricating sites.