In this paper, we will attempt to cover some the essential process and procedures to help provide a more secure environment, both for corporate networks and home users. At first glance, many people will feel that these two target audiences have little in common, yet the underlying concepts and implementation details remain largely congruous. Perhaps an analogy can help: to protect a homeowner’s assets, he ensures the doors and windows are locked when he leaves for the day, stops the mail and newspaper deliveries, and arranges with a neighbor to check on the house when he takes his family on vacation. A corporation provides many of the same techniques to provide security for their assets: door locks, sophisticated access-control systems, hired security personnel, and video surveillance to fulfill the function of a good neighbor. Yet, these fundamental security practices were not always common.
Everyone has heard stories for friends and relatives who, in the past, never locked their doors at night, and could leave their keys in their cars without fear. In fact, many businesses relied heavily on the honor system to receive payment. Times have changed in the world of physical security, and the desire to protect assets as well as life and health have led nearly everyone in all areas of the country to step-up the level of security in their daily lives. Locking doors at night is beyond a common occurrence: it is a standard practice. Security systems in homes and cars have become commonplace, and that preoccupation with security in the home has led to an increasing acceptance with the inconveniences caused by security systems in the workplace.
This same evolutionary change in the need and function of security has not yet occurred in the IT world, however. Today, a staggering number of systems on the Internet have not even received the necessary attention to ensure they are operating at the latest level of security patches. On
That is where the disjoint comes in. Today, when CNN or ABC runs a story on a hacking, it invariably deals with the big-name targets. Microsoft, the Whitehouse, or E-Trade all make good headlines. But every day, all throughout the world, servers, PC’s, and networks are probed for vulnerabilities, and a staggering number of them are exploited, often times without the knowledge of their owners. The key to this is improved security.
Any comprehensive security plan needs wide support if there is any hope of success. One of the best methods for gaining support is the establishment of an enterprise-wide security committee. This committee should have representatives from each department that can voice users’ concerns during the creation of the plan, as opposed to learning of them during deployment. The committee also provides a communication vehicle for all aspects of information security. Through the initial assessment and information gathering, the committee can garner and provide feedback on the asset and information valuations, as well as determining the level of acceptable risk. By ensuring corporate officers are on the committee, this risk assessment is better guaranteed to be acceptable not just to the users directly affected, but to the corporation as a whole.
One of the main benefits of an enterprise-wide security committee is the ability to institute change to business practices where necessary to provide an increase in security. It is important to look at existing practices, and find ways security can provide an increase in productivity, quality, and efficiency, and have a means to make these practices a part of the company culture. Examples of this are implementing a VPN (Virtual Private Network) to allow employees to check email and work on documents from home, or splitting a job function between two employees/departments. This concept of ‘separation of duties’ is a core tenant of security, and may often be seen as redundant work or a loss of productivity, but time has shown this can often increase the quality and effectiveness of employees. Knowing another is checking on, and directly responsible for, work you may do often gives employees an increased drive to do a good job the first time around. This increase in productivity can often positively impact a corporations bottom line, while at the same time providing the checks and balances necessary for good organizational security.
This committee should not end after the initial security rollout, but should remain as a sounding board for future security discussions, issues, and improvements. Security in any enterprise is constantly evolving, and a method for communicating security issues between different departments needs to exist for security to maintain in its place as a critical issue to the survivability and success of an organization.
Before embarking on any type of security implementation, you must first audit what is in place. This is a comprehensive audit, including not only the devices and systems involved in the security implementation, but also the assets and information protected. This audit also must include a comprehensive review of a corporations’ security policies and procedures, as well as any Disaster Recovery or Business Continuance plans in place.
Begin at the highest-risk entry into your networks: from the Internet. A full External Assessment conducted by a reputable firm can provide the information necessary to evaluate the current security provided by the firewall ruleset and server configurations. This is the same information that is gathered and shared among hackers on a daily basis, and not knowing how you appear to the rest of the world makes it difficult, if not impossible, to determine how vulnerable you are.
If you company has recent audit data regarding the value and sensitivity of assets and information,
Take the results from the first step (the assets, the External Assessment report, and the security policy), and look at the three from a common vantage point. Start to ask some tough questions.
The answers to these questions provide a starting point for a comprehensive analysis of the thoroughness of your policy. Perhaps the most important information gathered from this step is the combination of the value of the asset and the corresponding risk. By taking this information, you can generate a ‘hit list’ of the areas requiring the most immediate attention, and look for solutions that can help with the global requirements, rather than getting micro-focused onto the individual problems.
Finding a plug-and-play ‘security solution’ is an impossible task in today’s world. There is no silver bullet that can address all of the issues facing today’s IT staff, nor a single vendor that can provide the necessary tools. By limiting the search to best-of-breed technologies from all vendors in the security space, a company has the best chance of providing the level of security commensurate with the risk/value, while still allowing the business to function at a level necessary to insure profitability. With all of that said, there are a few key areas all organizations need to address when searching for their proper plan.
This should be the starting point for any security tool/technology evaluation. This single piece of hardware/software is responsible for blocking more direct attacks on valuable information than any others. However, choosing a firewall is not as easy a choice as it once was. Questions like feature sets, appliance- versus server-based, and application or packet-filtering firewalls cloud the issues more than ever. Coupled with that is the need for more and more organizations to deploy a multi-layer firewall implementation to properly address their security needs, creating a wide assortment of possible technologies, vendors, products, and implementation possibilities. Sifting through this potpourri of information and propaganda to find the products that satisfy the business goals and security policies is the only task that matters. Ignore the fluff and focus on the basics.
Network Intrusion Detection System (IDS)
A firewall is only as potentially good as what it blocks, yet is always as weak as what it lets through. That is where an IDS comes into play. If you think of a firewall as a damn blocking a river, you can consider the IDS as the systems monitoring the flow of water that makes it through. An IDS, by not becoming actively involved in the forwarding of packets, spends its cycles analyzing the packets the firewall does allow through, looking for signatures of known attacks a firewall can’t detect or successfully block. It is the first line of defense behind the firewall, and provides the necessary auditing and information to ensure the firewall is configured and working as it should
This is another area that must never be neglected. The two most important things to consider when picking an AV vendor are management of multiple severs and workstations on a corporate scale and the vendor’s ability to respond to new virus threats.
Virtual Private Network (VPN)
Using a VPN to provide employee access to company resources from home or the road can provide a great level of security, as an overall increase in employee productivity. This does not come without risk, however. Anytime a VPN is implemented, you are in effect extending the reach of your corporate, unprotected network to all nodes connected to the VPN termination point. To put this another way, that same PC an employee uses to play games and browse newsgroups is now a trusted part of a corporate network. To ensure the security of this system, the home users systems must adhere to the same security policies and procedures as a corporate system. This can be accomplished through the use of a VPN vendor support client security profiles. By restricting the applications that can run on a home machine, the network ports that can be open, disabling split-tunneling, and forcing an updated anti virus engine to be running on the remote system, this risk can be minimized.
Passwords provide little security. Worse, increasing password security often has a reverse effect: forcing users to frequently change long, difficult-to-guess passwords creates a situation where users are forced to write down long, difficult-to-remember passwords. Augmenting or replacing passwords with any of the multi-factor security tokens and system on the market can greatly augment user-level security. The issues to consider when choosing a two-factor security system are application and operating-system support and system/device management overhead.
While biometrics have advanced greatly over the past several years, they still present many difficulties for a wide-reaching deployment as an e-security measure. Fingerprint, retina, voice, iris, and hand-geometry sensors all provide security above passwords or two-factor alone, but as of today they are best left as barriers to physical access as opposed to system-level access. Look for technological and management advances over the next several years to create the necessary affordability, scale, and tools to make biometric-identification a viable option for desktop authentication.
Smart cards have come a long way in terms of support, manageability, and implementation over the past couple years. While not quite the ubiquitous security technology, a push by credit-card companies has resulted in a heightened level of awareness, as well as an increase in the affordability, of this technology. Windows 2000 provides native support for smart cards as a primary means of login authentication, making it truly viable for enterprise-wide rollout in some organizations. Additionally, the combination of multiple technologies (i.e. proximity, mag-stripe, and smart card) in a single card finally presents organizations with a comprehensive approach to both logical and physical access control.
A constant practice of auditing the level of security provided by servers is essential to proper security management. This auditing should, as previously discussed, begin from the Internet. Any time a new exploit is published or vulnerability is discovered, every server in an enterprise should be audited from the Internet to determine if it is exposed. Additionally, internal auditing and assessment of servers on a scheduled basis is necessary to minimize the security risk should a firewall fail or another server or system be compromised.
The selection of an operation system and application is a very tricky process in most organizations. The ‘Microsoft vs. UNIX’ battle is, in many cases, likened to a religious fervor, and has deep-seeded feelings on all sides. When choosing an operation system, the particular vendor is not nearly as important as the vendors’ ability to timely repair security issues and the ease with which the repairs can be implemented. Any operating system from two years ago is insecure by today’s standards, and keeping your servers and applications updated will help minimize the risks presented, regardless of the vendor.
Once the necessary support has been garnered for the security plan, it is time to begin rollout. The technical details of any implementation will vary greatly depending on the environment, technologies, and skill sets of those involved, but there is one global part to security implementation that must never be overlooked: training. For any security initiative to be successful, the end users must receive training. This training should include:
· Details on the operation of the new security systems/procedures
· An understanding of the effect of the new procedures on company data/assets
· Explanation of the procedures and how they fulfill the goals of the security policy
In short, do not just train your users on how to do something, but explain why what they are doing is important to the company as a whole. Once they believe the extra steps involved in providing information security can directly affect the company’s bottom line, they will be much more likely to accept and adhere to the new procedures.
The single most important aspect of any security system is the religious monitoring of system and device events. Constant consolidation and analysis of all event messages from firewalls, IDS’s, VPN devices, routers, servers, and applications is the only way to truly evaluate the continued effectiveness of a security implementation, and the only way to detect many of the most common breaches of security.
These six steps are not a one-time checklist to better security; rather they are a staring point to create a comprehensive, enterprise-wide outlook towards the protection of company assets and information. It is important to remember that at no time can you rest on your previous actions or decisions, because regardless of your current actions, new security issues, vulnerabilities, and exploits are constantly being created. Security is nothing if not an evolutionary process: a vulnerability is discovered, an exploit is created, and a patch is applied. This process occurs over and over again in today’s technological world, and the timeframe between vulnerability discovery and exploitation is constantly dropping.
With this recurring theme in mind, the most important of method of protecting your assets it the diligent monitoring of any and all security measures in place. Firewalls, IDS’s, servers, and applications all provide volumes of information regarding attacks, both successful and unsuccessful. By constantly monitoring and analyzing this information, it becomes possible to understand the level of threat faced by your organization, and respond in a timely manner to the true threats that occur.
Up to this point, we have concentrated mainly on the logical and systematic steps necessary to provide an enterprise security system. From here, we will address some of the specific steps that can be taken to improve security, based on the results of External Perimeter Assessments and Internal Security Assessments conducted by Solutionary, Inc. We are limiting the scope of these recommendations to common issues seen over the last six months, to provide a more accurate description of the issues and challenges facing corporate networks today. To better help the IT professional, these recommendations are divided into platform sections.
General Firewall Configuration