In this conclusion of our Network security 101 primer, we discuss five more elements that are critical to address when it comes to today's enterprise network.
- Weak passwords and strong security do not mix
If everyone already knows that strong passwords, backed by an equally robust password management policy, are a prerequisite to a secure network, then why do surveys such as Imperva's January 2010 report, "Consumer Password Worst Practices", reveal that the most commonly used passwords include "123456", "password" and "admin"? If you want to keep unauthorised users out of the network, you need passwords of adequate length and sound construction, and the rules must be enforced technically, through the directory or identity management tooling you already run, rather than left to goodwill. However, don't undo your best intentions by making the password policy too stringent: if security is too much of a hassle for end users, they will find ways around it, such as writing passwords down or recycling the old one with the last digit incremented. So a sensible policy is password changes no more than four times a year, while still requiring a minimum of eight mixed-case alphanumeric characters with at least one additional keyboard symbol. One caveat a practitioner should attach to that: later guidance (NIST SP 800-63B, 2017) drops scheduled rotation and composition rules in favour of longer passwords screened against lists of breached and common passwords, forces a change only when compromise is suspected, and expects multifactor authentication on any account that matters.
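The following is an added example, not code from the article: a policy check that applies the length and composition rules above, screens candidates against a common-password denylist (the short list embedded here is a constructed sample standing in for a real breached-password list), and applies the rotation rule. The leetspeak table and the username check are this example's own additions.

```python
"""Password policy check with a common-password denylist.

Added example, not code from the article. Thresholds follow the article's policy
(8+ characters, mixed case, digit, symbol, change at most four times a year); the
denylist is a small constructed sample standing in for a real breached-password list.
"""
from __future__ import annotations

import re
import string
from datetime import date

MIN_LENGTH = 8
ROTATION_DAYS = 365 // 4          # "four times a year and no more"

# Constructed sample; a real deployment screens against millions of leaked passwords.
COMMON_PASSWORDS = {
    "123456", "password", "admin", "12345678", "qwerty", "letmein",
    "iloveyou", "abc123", "welcome", "monkey",
}

# Undo common "leetspeak" substitutions so that P@ssw0rd is recognised as password.
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                      "4": "a", "5": "s", "7": "t", "!": "i"})


def candidates(password: str) -> set[str]:
    """Forms of the password compared against the denylist: lower-cased as typed,
    with leetspeak undone, and with trailing digits/symbols removed, so that
    'Password1!' and 'P@ssw0rd' both match 'password'."""
    base = password.lower()
    stripped = base.rstrip(string.digits + string.punctuation)
    return {base, base.translate(LEET), stripped, stripped.translate(LEET)}


def check_password(password: str, username: str = "") -> list[str]:
    """Return the policy violations for a candidate password (empty list = acceptable)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not re.search(r"[a-z]", password):
        problems.append("no lower-case letter")
    if not re.search(r"[A-Z]", password):
        problems.append("no upper-case letter")
    if not re.search(r"[0-9]", password):
        problems.append("no digit")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no symbol character")
    if candidates(password) & COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    if username and username.lower() in password.lower():
        problems.append("contains the username")
    return problems


def change_required(last_changed: date, today: date, compromised: bool = False) -> bool:
    """Scheduled rotation per the article's policy, plus an immediate change on suspected compromise."""
    return compromised or (today - last_changed).days > ROTATION_DAYS


if __name__ == "__main__":
    for pw in ["123456", "P@ssw0rd1!", "Tr0ub4dor&3", "correcthorsebatterystaple"]:
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

Note what the denylist pass catches that the composition rules alone would wave through: "P@ssw0rd1!" satisfies every composition rule and is still one of the first guesses any attacker makes. Note also that a long passphrase such as "correcthorsebatterystaple" fails three composition rules while being far harder to guess than "P@ssw0rd1!", which is exactly why NIST SP 800-63B moved away from composition rules towards length plus breach-list screening.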
- Enable logging, and don't ignore the logs
The simple things are not only the best, but also the most likely to be overlooked. Seemingly mundane tasks, such as keeping a detailed log of network activity and monitoring exactly how and when users are accessing the network, are critical; the same applies to the logs from intrusion detection and other security systems. There are a few good reasons for this. First, logs can reveal weaknesses by showing how users are really using the network. For example, someone could route their web traffic through an external proxy server to bypass URL filtering and reach porn or torrent sites, both of which punch holes in the best-laid network security plans, and the only trace of which may be outbound connections to an unfamiliar proxy host in the firewall logs.
Second, in the event of a breach you not only have evidence of what happened, but also a blueprint of what needs fixing so that it doesn't happen again. Correlating the event logs from the various security systems by hand is possible, but tedious; a network-wide security management system (today usually called a SIEM, for security information and event management) does it for you. Invest in a product that turns raw log data into meaningful information, and make sure every log source keeps time from the same NTP servers, since correlation by timestamp is worthless when the clocks disagree. As attacks have matured, with strategies that use multiple vectors against your systems, defending against them properly means monitoring and understanding suspicious activity across all of those sources together, not one log at a time.
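As an added example (not the article's own code) of the kind of correlation a security management system performs, the block below joins two constructed log sources, a firewall deny/allow log and a Linux sshd auth log, and raises one alert per source address that runs a burst of failed logins, grading it higher when the same address was also probing blocked ports and highest when a successful login follows the burst. The log formats, the five-failures-in-five-minutes threshold and the severity scale are this example's assumptions.

```python
"""Correlating two log sources to surface a brute-force login that succeeded.

Added example, not code from the article. The firewall and sshd log lines are
constructed samples; the formats, threshold and window are this example's assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: perimeter firewall log (203.0.113.5 probes RDP and SMB, then reaches SSH).
FIREWALL_LOG = """\
2010-06-01T09:00:01 fw01 DENY src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=3389
2010-06-01T09:00:02 fw01 DENY src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=445
2010-06-01T09:00:05 fw01 ALLOW src=203.0.113.5 dst=10.0.0.10 proto=tcp dport=22
2010-06-01T09:10:00 fw01 ALLOW src=198.51.100.7 dst=10.0.0.10 proto=tcp dport=22
"""

# Constructed sample: sshd auth log on the target host.
AUTH_LOG = """\
2010-06-01T09:00:06 srv01 sshd[2201]: Failed password for root from 203.0.113.5 port 51001 ssh2
2010-06-01T09:00:07 srv01 sshd[2201]: Failed password for root from 203.0.113.5 port 51002 ssh2
2010-06-01T09:00:08 srv01 sshd[2202]: Failed password for admin from 203.0.113.5 port 51003 ssh2
2010-06-01T09:00:09 srv01 sshd[2202]: Failed password for admin from 203.0.113.5 port 51004 ssh2
2010-06-01T09:00:10 srv01 sshd[2203]: Failed password for admin from 203.0.113.5 port 51005 ssh2
2010-06-01T09:00:12 srv01 sshd[2203]: Accepted password for admin from 203.0.113.5 port 51006 ssh2
2010-06-01T09:10:01 srv01 sshd[2300]: Failed password for alice from 198.51.100.7 port 40001 ssh2
2010-06-01T09:10:05 srv01 sshd[2300]: Accepted password for alice from 198.51.100.7 port 40002 ssh2
"""

FW_RE = re.compile(r"^(?P<ts>\S+) \S+ (?P<action>ALLOW|DENY) src=(?P<src>\S+) "
                   r"dst=\S+ proto=\S+ dport=(?P<dport>\d+)$")
AUTH_RE = re.compile(r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Failed|Accepted) password "
                     r"for (?P<user>\S+) from (?P<src>\S+) port \d+")

FAIL_THRESHOLD = 5            # failures from one source ...
WINDOW = timedelta(minutes=5)  # ... within this window count as a brute-force burst


def parse(text, regex):
    """Turn matching log lines into dicts with a datetime 'ts'; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = regex.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.fromisoformat(e["ts"])
            events.append(e)
    return events


def correlate(fw_text, auth_text):
    """Return {source_ip: alert} for every source with FAIL_THRESHOLD failures inside WINDOW."""
    fw = parse(fw_text, FW_RE)
    by_src = defaultdict(list)
    for e in parse(auth_text, AUTH_RE):
        by_src[e["src"]].append(e)

    alerts = {}
    for src, events in by_src.items():
        events.sort(key=lambda e: e["ts"])
        failures = [e for e in events if e["result"] == "Failed"]
        burst_end = None
        # Sliding window over the failures: the first run of FAIL_THRESHOLD inside WINDOW is a burst.
        for i in range(len(failures) - FAIL_THRESHOLD + 1):
            first, last = failures[i], failures[i + FAIL_THRESHOLD - 1]
            if last["ts"] - first["ts"] <= WINDOW:
                burst_end = last["ts"]
                break
        if burst_end is None:
            continue
        # Cross-source enrichment: a success after the burst, and any ports the firewall refused.
        success_after = any(e["result"] == "Accepted" and e["ts"] >= burst_end for e in events)
        denied_ports = sorted({int(e["dport"]) for e in fw if e["src"] == src and e["action"] == "DENY"})
        severity = "critical" if success_after else "high" if denied_ports else "medium"
        alerts[src] = {
            "severity": severity,
            "failures": len(failures),
            "users": sorted({e["user"] for e in failures}),
            "success_after_burst": success_after,
            "denied_ports": denied_ports,
        }
    return alerts


if __name__ == "__main__":
    for src, alert in correlate(FIREWALL_LOG, AUTH_LOG).items():
        print(src, alert)
```

Run on the sample, only 203.0.113.5 is reported: five failures in four seconds, an accepted login for "admin" two seconds later, and earlier denies on 3389 and 445, which together make it a critical alert rather than a noisy brute-force notice. Alice's single typo from 198.51.100.7 stays below the threshold. Neither log on its own tells that story, which is the point of correlating them.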
- Antivirus software is not optional
Yes, it's true that no antivirus or antimalware software is perfect, and none can honestly claim 100% detection and removal. It's also true that, of late, some big names in the antivirus world have issued faulty updates -- most notably the recent bad McAfee update that misidentified a core Windows system file as malware and crippled Windows XP machines -- which did as much short-term harm as the threats they were meant to protect against. However, we also know from hard-earned experience that antivirus software on every host, client and server alike, is not optional when it comes to 360-degree security. Good security is layered security, and host-level intrusion prevention complements and hardens the other defences; the lesson of the McAfee incident is to stage signature updates on a test group before pushing them to the whole estate, not to do without them.
Important to note, however, is that out-of-date antivirus software is often worse than none at all. When an antivirus product is installed, you trust it to be defending your systems; if that confidence is misplaced because of expired licences or poor update scheduling, it encourages risky behaviour. An end user might think it's fine to visit a suspicious site because the antivirus will catch anything nasty, which is how serious infections start. Monitor signature age and last check-in time centrally, and treat a host that has not updated in days as an incident to chase, not a nuisance to ignore.
- Get into the zone
The value of carefully thought-out and appropriately applied security zones should never be underestimated. Tiering web, application and database servers onto separate segments is now standard practice, and a web application firewall in front of the web tier is worth adding for good measure. Always consider what data you are protecting and why, as protecting everything to the same level is both expensive and difficult to manage. Risk and sensitivity should drive what goes into which zone: the mail server does not need to be on the same network segment as the finance or ecommerce server, since a compromised mail server would then give an attacker a direct route to them. Apply the same risk-assessment logic to internal server assets, not just to those exposed to the outside. Multiple zones of differing function and trust, such as a public DMZ, a management zone, a client zone and a server zone, is a wise design. Implementation doesn't have to be tricky either: use VLANs to segregate the zones and firewalls to route between them, with a default-deny policy so that only the flows you have explicitly justified (web tier to application tier on the application port, application tier to database on the database port, management zone to everything on the admin port) are permitted, and audit the rule base against that list periodically, because rules added "temporarily" have a way of becoming permanent.
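As an added example (not the article's own code) of what that audit looks like, the block below maps each address in a firewall rule export to its zone by subnet, compares every allow rule against a table of justified inter-zone flows, and reports the rules that open a path the zone design never intended. The zone subnets, the allowed-flow table and the rule list are constructed for illustration; a real run would load the rule export from the firewall and the flow table from the network design document.

```python
"""Auditing a firewall rule base against a zone policy.

Added example, not code from the article. The zone subnets, the allowed-flow table
and the rule export below are constructed for illustration.
"""
import ipaddress

# Constructed zone layout: one VLAN/subnet per zone.
ZONES = {
    "dmz": ipaddress.ip_network("10.1.0.0/24"),       # public-facing web and mail
    "app": ipaddress.ip_network("10.2.0.0/24"),       # application tier
    "db": ipaddress.ip_network("10.3.0.0/24"),        # database tier
    "finance": ipaddress.ip_network("10.4.0.0/24"),   # finance / ecommerce servers
    "clients": ipaddress.ip_network("10.10.0.0/16"),  # user workstations
    "mgmt": ipaddress.ip_network("10.250.0.0/24"),    # admin jump hosts
}

# The only inter-zone flows that have been justified (src zone, dst zone, dst port).
# Everything not listed here is meant to be denied by default.
ALLOWED = {
    ("internet", "dmz", 443), ("internet", "dmz", 25),
    ("dmz", "app", 8443),
    ("app", "db", 5432),
    ("clients", "dmz", 443), ("clients", "finance", 443),
    ("mgmt", "dmz", 22), ("mgmt", "app", 22), ("mgmt", "db", 22), ("mgmt", "finance", 22),
}

# Constructed rule export: (source, destination, destination port, action), in firewall order.
RULES = [
    ("any", "10.1.0.5", 443, "allow"),
    ("any", "10.1.0.6", 25, "allow"),
    ("10.1.0.5", "10.2.0.10", 8443, "allow"),
    ("10.2.0.10", "10.3.0.10", 5432, "allow"),
    ("10.1.0.6", "10.4.0.20", 445, "allow"),        # mail server straight into finance
    ("10.10.0.0/16", "10.3.0.10", 5432, "allow"),   # every workstation straight to the database
    ("10.10.0.0/16", "10.1.0.5", 443, "allow"),
    ("10.250.0.9", "10.3.0.10", 22, "allow"),
    ("any", "10.4.0.20", 3389, "deny"),
]


def zone_of(spec):
    """Map a host address or CIDR from a rule to its zone.

    Anything outside every zone is 'internet'; a prefix that straddles zone
    boundaries is 'mixed', which never appears in ALLOWED and so is always reported."""
    if spec == "any":
        return "internet"
    net = ipaddress.ip_network(spec, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
        if net.overlaps(zone):
            return "mixed"
    return "internet"


def audit_rules(rules):
    """Return the allow rules permitting an inter-zone flow not in ALLOWED,
    as (src, dst, port, src_zone, dst_zone). Traffic within one zone is out of scope."""
    violations = []
    for src, dst, port, action in rules:
        if action != "allow":
            continue
        sz, dz = zone_of(src), zone_of(dst)
        if sz != dz and (sz, dz, port) not in ALLOWED:
            violations.append((src, dst, port, sz, dz))
    return violations


if __name__ == "__main__":
    for src, dst, port, sz, dz in audit_rules(RULES):
        print(f"rule {src} -> {dst}:{port} opens {sz} -> {dz}, which is not in the zone policy")
```

On the sample rule base the audit flags exactly the two rules that undermine the zoning: the mail server in the DMZ reaching a finance host on SMB, and the whole client range talking directly to the database tier instead of going through the application tier. The "mixed" zone handles the common real-world finding of a rule written against a prefix so wide that it spans several zones; such a rule should be split, not rationalised.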
- Create policy documents, and update them
However you secure your own network -- and everyone will have different priorities and requirements -- don't forget to ensure that your security policies are properly documented, regularly updated to take account of technology changes and properly understood by all staff, including management. If management is not aware of the risks, they will be equally unaware of the proper investment required to mitigate them. Make sure you have an acceptable use policy (AUP) for end users in order to define what is both acceptable and unacceptable with regard to network connectivity and resource usage. Without the clarity of a sensible AUP, your users cannot be expected to understand what kind of behaviour is deemed risky, both to your data and their job tenure.
About the author:
Davey Winder has worked as a freelance technology journalist for nearly 20 years. He is based in South Yorkshire.