Establishing a network defense that can handle the needs of applications in a secure manner is important. It's one thing to design a defense that meets your current needs, but it's quite another to design one that can handle future needs. Obviously, you can't anticipate everything, but you can take some proactive steps:
- Choose firewalls and border routers that are sophisticated and robust enough to securely support various types of applications. For example, some devices have built-in capabilities to support multimedia protocols, dynamic port allocation, multicasting, and other methods that applications might use. If you choose a firewall that cannot support multicasting, for example, what will you do when your business requires an application that uses it?
- Business needs often occur unexpectedly, especially from the perspective of IT staff. It's a good idea to have extra interfaces in your firewalls, not only so you can quickly recover from an interface failure, but also so you can create additional subnets quickly if an application requires them. In addition, plan for future growth.
- Understand the basics of various areas of securityincluding host, network, application, and database securitywell enough to evaluate a design, identify the security weaknesses, and recommend ways to reduce or eliminate them. Staying current with the latest security technologies and products is also very important.
If you will need to make major changes to your network defense to accommodate an application, you should answer the following questions and present them to the application owners for consideration:
What impact will these changes have on the security of this application? On the security of other applications? On overall network security?
How will these changes affect application performance, reliability, and usability?
What is the cost of making these changes, in terms of time and resources?