1.2 What Types of Network Security Are Important?

When a company first sets out to create a network security plan, there are usually two questions asked: Where should we start, and what is the most important part of the network? The answers depend on many factors, and the answers are different for every network.

Generally speaking, one person, or department, will not be able to answer both of these questions and one department should not develop the network security policy. The network security policy, as all security policies, should be disseminated through the CIO, and should be approved by the legal department and signed off on by the heads of all other departments. Network and server administrators may be called on to develop the first draft of the policy, but it is up to senior management to finalize, implement, and enforce the network security policy.

There are some questions administrators can ask to begin the development of the corporate network security policy.

1.2.1 How Sensitive Is the Data?

Any business has confidential data. Whether it is the customer database, proprietary software, a product design, or some other sensitive data, there is undoubtedly something that has to be protected. Such data should always be your first priority when developing a security strategy. In some cases, especially for companies that deal with medical or financial records, there are legal ramifications for not properly securing this data.

Of course, core data is useless if no one can access it. Second to protecting the core data is protecting the means by which people within an organization, or customers, access that data. The lines of communication to data ”the network ”have to be kept available.

In addition, employee phone lists or human resource records, important data but not as critical, need to be protected. The protection for this information does not need to be as draconian as the measures you should take for your core data, but it absolutely must be in place.

The involvement of the CIO and other groups is necessary at all levels of network security. One group cannot be sure how to rank the various databases within an organization. Someone from senior management will need to assign ranks to all data sources, so it can be determined how limited resources should be deployed.

Of course the less sensitive the information is, the more difficulty there is in securing it. Employee phone lists generally need to be accessed by other people within the company, and an internal website is probably available to everyone.

In some ways, the more available the data, the harder it is to secure. It is easy to prevent anyone from accessing information. It is harder to allow only certain people to access information, and enforce those access restrictions.

1.2.2 Secure Your Servers

The first step in securing your corporate data is to secure the servers where the data is stored.

How you go about securing a server depends largely on what operating system you are running. There are some guidelines, however, you can follow that apply to any operating system and any server, no matter what its function. These steps are discussed in greater detail in Chapter 12, but this should give you a good overview.

There are two levels of server security: access to the server and environmental control. Access covers who can access the server and how they can do it. Environmental control covers the level of access that users can have ”what they can do once they are on the server. These two types of server security are intertwined. If good access policies are enforced, but all users are allowed access to system files after they have logged onto the server, a security breach is waiting to happen. Should an attacker gain access he or she would have no limitations on what he or she could do to the server.

A server access policy should:

• Control who can log into your servers.

• Never send clear text passwords. ^[2]

  ^[2] Expect to see this comment about 30 times throughout the book.

• Force minimum password lengths.

• Impose character restrictions on passwords (mixed case, numbers , and punctuation).

• Force passwords to be changed at regular intervals.

• Set a maximum number of login tries before locking out an account.

Once a user has access to a server, there should be environmental limits that prevent users from gaining unauthorized access to system files or secured data. A good environmental control policy will include:

• Running virus scanners on all servers, especially e-mail servers. If a virus never makes it to an end-user's system it can't spread.

• Using, whenever possible, single-function servers (e.g., don't use the same server for mail and web services).

• Not storing proprietary information on public servers (e.g., do not put your customer database on your web server).

• Disabling all unused services, and if possible uninstalling those services.

• Closing all ports not being used.

• Changing all default passwords.

• Deleting unnecessary user accounts.

• Limiting users who have administrative access to the server.

• Deleting any sample files that ship with installed programs.

• Storing user files separate from administrative files (either on a separate partition or file system).

• Logging all movements by administrative users.

• Updating the system frequently with vendor security patches.

These steps are a good start toward securing your server, and protecting the data on those servers.

1.2.3 Secure the Network

Of course, the sooner you can stop a potential intruder, the better. This is especially true when dealing with server attacks. Ideally, you would like to prevent a potential intruder from ever reaching your server. Later parts of this book discuss strategies for securing your network in detail. Here are some useful guidelines that should be implemented on any network to help stop attacks:

• All machines in the network, except for the edge routers, should be behind a firewall.

• Authenticate all network protocols in use on the network (BGP, OSPF, VRRP, etc.).

• Restrict access to secure parts of the network by Media Access Control (MAC) address.

• Do not allow external traffic into the secure network areas.

• Use virtual local area networks (VLANs) for added levels of switch security.

• Change default passwords. ^[3]

  ^[3] This is another comment you can expect to see repeated.

• Use virtual private networks (VPNs) for employees who need to access sensitive information remotely.

These are general guidelines that should help administrators start forming a network security policy that works for an organization. As the book progresses, the policy can be refined.

1.2.4 Monitor it All

Never be complacent when it comes to network security. No matter how great the security measures taken, the fact is that a skilled and determined hacker will probably find a way into your network.

If that does happen, it is best to know about it quickly, and be prepared to stop it. To do that, monitor everything on the network. Anything that may be deemed as suspicious has to be brought to your attention. Monitoring is discussed in detail in Chapter 16.

In addition to monitoring, extensive logging of network activity should take place. It is unrealistic to expect the administrator's staff to have the time to scour hours of log files every day, but if an incident does occur, good, uncorrupted log files will be essential in tracking down how security measures were breached, and in trying to track down the attacker. At that point, you will be grateful for extensive logging.

A good monitoring strategy involves collecting a lot of data, and recognizing patterns within that data that may resemble attacks. These patterns generate an alarm, which will allow administrators to manually investigate the network or servers, and determine if there really is an intruder, or if it is simply a logging anomaly.

Some security experts advocate the use of honeypots as part of a monitoring strategy. A honeypot is a system that is intentionally left open to attract potential intruders. An attacker takes the bait and tries to break into the system. All interaction with the system is extensively monitored , and the honeypot becomes a tool to help network administrators learn more about security flaws in their system.