There are four phases to a hacking exercise. In the first phase, the hacker gathers information about his target. In the second, he exploits any vulnerabilities that have been uncovered. In the third phase, he carries out whatever illicit activity was intended - altering Web pages or copying information. And in the fourth, he covers his tracks, erasing and altering audit logs.
Most information security measures primarily consider phases two, three and four - stopping hackers from getting in, and raising alarms if specific files are changed. To make a computer network hacker-proof, it is important to address the first phase and deny the hacker access to those initial information sources.
There are many specific recommendations one could make. Don't support ping or traceroute through your routers, for example, as both of these tools provide vital information about system types and relative positions in your network. And screen for port scanners, in particular for so-called "stealth" scanners such as the "FIN/SYN" facility in nmap. This is important, because information on open ports allows a hacker to deduce what type of system you are running.
The important point here, though, is not the specific recommendation, but rather the approach. Understand how a hacker starts to move against you, and make it as difficult as possible for him to begin.
These measures won't provide 100% security - nothing will. But they will encourage him to try his luck on other, less well-protected sites, and that is all we can ever hope to achieve.
Neil Barrett is technical director of security specialist IRM