Chapter 1: Introduction


1.1 Who Is This Book For?

I previously worked for a networking company that specialized in designing and installing Windows NT systems for customers who did not have their own IT staff. I was constantly haunted by our company's complete lack of security awareness regarding our customer installations. The network to our own company's Internet connection had absolutely no packet filtering or other security mechanisms of any type installed on our routers — and search as I might, there was no indication of a firewall anywhere on our own network.

When I inquired of management about not consulting with customers about their own network security and the frightful lack of any on our own network, I received an interesting response: "Customers are not interested in paying for security consulting." Why customers were not interested in paying was explained by management's response to the second half of my question. "We don't have a firewall because it is too expensive — and then I'll have to pay for someone to configure it."

Today, this laissez-faire attitude toward network security is thankfully becoming increasingly rare. While many network security experts give a knowing nod and an "I told you so!" every time there is another high-profile computer crime, the press has begun to make our jobs a lot easier. No longer are top-secret government agencies the only organizations interested in the state of their network security. Any customer my company consults with, from the smallest SOHO start-up business to Fortune 500 ISPs, now has network security at the top of the priority list.

Despite this awareness and the abundance of press, the task of securing networks has not gotten any easier over the past few years. Increasingly connected networks, cheap high-speed Internet access, and complex application requirements have made the task of securing networks more complicated than ever before. Network security is becoming more complex because our networks are becoming more complex. Each time a network professional increases the security on his or her network, a network hacker is taking the time to figure out a new weakness to exploit.

This book will help both the novice and experienced network administrator and manager determine the appropriate defenses to incorporate into their network. While network security is complex, the network "bad guys" can be slowed down quite a bit with a thoughtfully laid-out security policy.

I purposefully used the term "slowed down" in the previous paragraph. If you are new to the network security game, here is something to remember: in general, the more money you spend, the more you can secure your network. At the same time, no matter how much money you spend, you will never completely secure your network.

Network security will cost money; but be clear, no matter how much money you spend, you will never have a 100-percent secure network. It is this slight bit of doubt, the wondering what the other guy is doing, that keeps the job interesting for security professionals. While interesting for people like me, this truism creates a particular problem for those attempting to implement their own security policy. How much should I spend on security so that I can secure my network? But how do I know how much "too much" is? In other words, what is the point of diminishing returns for my network security program?

The first section of this book helps to answer this question. We review what steps can be taken in the creation of a security policy. This process will help determine the value of what we are trying to protect. From that value, we will then examine the various elements that go into implementing the security policy — otherwise known as the security model. This examination will assist us in creating a security policy that will not only satisfy a network security professional, but also make the accounting department happy.




Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Cliff Riggs
