When faced with the daunting task of network and security management, organizations generally do one of two things, neither of which is ideal for the type of security system advocated in this book. First, they might try to integrate security into their existing network management framework and tools without giving much thought to the security elements individually. This generally results in security information being mixed in with general networking events, which makes both network security and general network management more difficult.
The other option many organizations adopt is to relegate security management to dedicated security devices such as firewalls or IDS appliances and to have that management occur on separate systems from general network management. This is often born out of organizational realities, with the security operations (SECOPS) team separate from the network operations (NETOPS) team.
To manage the type of secure network discussed thus far in the book, you need to incorporate elements of both approaches. Because security functions exist on general network devices as often as they exist on specific security devices, a proper security management system must incorporate a diverse set of inputs from hosts, routers, firewalls, switches, and so on. In this way, it mimics the first approach just mentioned. That said, it must support different prioritization for the data from these systems, mimicking the latter approach. For example, the security events generated by a Layer 2 (L2) switch inside the campus network are not generally as critical as those coming from the corporate firewall, but there are times when the reverse is true. If L2 attacks are launched within your campus, switch management capabilities (and IDS, if available) are often your only means to determine what is going on.
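The prioritization described above, as an added Python example that is not from the book: events from every device class feed one queue with a per-class base priority, and L2 switch events are raised above firewall events when a single switch reports a burst of L2 attack indicators. The device names, event types, priority values and threshold are all assumptions constructed for illustration.

```python
from collections import Counter

# Assumed base priority per device class (lower number = more urgent).
BASE_PRIORITY = {"firewall": 1, "ids": 1, "router": 2, "host": 2, "l2_switch": 3}

# Hypothetical event types treated as indicators of an L2 attack in the campus.
L2_ATTACK_TYPES = {"arp_inspection_drop", "port_security_violation", "dhcp_snooping_drop"}

# Assumed threshold: indicators from one switch in a batch before escalating.
ESCALATION_THRESHOLD = 3

# Constructed sample batch mixing security devices and general network devices.
SAMPLE_EVENTS = [
    {"device": "fw-edge-1", "device_class": "firewall", "type": "acl_deny"},
    {"device": "sw-campus-3", "device_class": "l2_switch", "type": "link_flap"},
    {"device": "sw-campus-3", "device_class": "l2_switch", "type": "arp_inspection_drop"},
    {"device": "sw-campus-3", "device_class": "l2_switch", "type": "arp_inspection_drop"},
    {"device": "sw-campus-7", "device_class": "l2_switch", "type": "port_security_violation"},
    {"device": "sw-campus-3", "device_class": "l2_switch", "type": "dhcp_snooping_drop"},
    {"device": "srv-hr-2", "device_class": "host", "type": "login_failure"},
]


def prioritize(events):
    """Return a copy of the events, most urgent first, each with a 'priority' field."""
    # Count L2 attack indicators per switch across the whole batch.
    l2_hits = Counter(
        e["device"] for e in events
        if e["device_class"] == "l2_switch" and e["type"] in L2_ATTACK_TYPES
    )
    ranked = []
    for e in events:
        prio = BASE_PRIORITY.get(e["device_class"], 3)
        # The reverse case: a burst on one switch outranks the firewall.
        if e["type"] in L2_ATTACK_TYPES and l2_hits[e["device"]] >= ESCALATION_THRESHOLD:
            prio = 0
        ranked.append({**e, "priority": prio})
    # sorted() is stable, so arrival order is kept within a priority level.
    return sorted(ranked, key=lambda e: e["priority"])


if __name__ == "__main__":
    for event in prioritize(SAMPLE_EVENTS):
        print(event["priority"], event["device"], event["type"])
```

A single indicator, such as the lone event from `sw-campus-7`, stays at the switch's base priority; only the burst on `sw-campus-3` is moved ahead of the firewall event.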