Network Security – An Introduction
Network security covers a range of topics. It is a wide area that covers everything from the design of a network, to securing all of its entry points, to group policies, to educating users about using the network safely. Network security also includes auditing security policies and redesigning these policies to keep up with advancements in technology and to counter possible threats to the central database. The following paragraphs offer tips on each of these factors, including the security design life cycle.
The network security design life cycle begins with the design of the network, or sometimes even before the network is designed. This helps in selecting the right components for the network based on its scale and use. These components include both software (encryption software, etc.) and hardware (routers, firewalls, etc.). Once the network is created, the security design is implemented to keep the network and its components (hardware, software, and users) safe. The security design also includes the creation of group policies and their assignment. Another important part of network security implementation is to keep an eye on the activities on the network – both to find flaws and to locate users who are trying to manipulate the network from within. It is equally important to keep testing the network for possible vulnerabilities and to create patches to deal with each one.
Please read my article, Best Practices in IT Risk Management, for more information on network security design implementation.
Securing the Network – Hardware and Auditing
As explained in the previous section, auditing is an integral part of securing the network. It helps in finding possible problems in your current network. Once these are identified, network engineers can alter the network design or use special software/hardware to eliminate them. Auditing can be done in several ways. The best method is logging, in which the admins study the behavior of each component in the network and record it in separate log files. The files should never be stored on the main server or on any computer connected to the network. The best method is to store these logs on a standalone computer so that no one can access them except the network admins. Plenty of software exists to make auditing easier. Check out this review of GFI LANGuard and see if it meets your audit needs.
Network printers often include Telnet, FTP, and web services as part of their firmware. These can easily be exploited. Most admins neglect this factor because they do not think of printers as exploitable. But hackers can damage the entire network if they gain access to the firmware. It is always better to block the printer ports using a boundary firewall, thereby reducing the chances of exploitation. If these services are not required, the best way is to turn them off.
Network perimeters and firewalls are an important part of any network, and admins should pay particular attention to securing them. They serve as the primary line of defense, so they should be tightened to reduce the possibility of infiltration. Some basic tips for dealing with these lines of defense are:
- Close down any unnecessary TCP/UDP servers on the router/firewalls;
- For active servers employing TCP/UDP, you need to ensure that the access is very limited – only to the highest level of network administration;
- Check out the services on the active servers. Shut down any service that is not required. These include source routing, remote configuration, etc;
- Keep a watch on all the interfaces of the router/firewalls. Shut down any unused interface. Provide ample protection to the active interfaces to prevent exploitation – both from within and outside the organization;
- Most importantly, make sure that the passwords on each of the primary lines of defense (routers/firewalls) are set to expire at regular intervals.
While these can be considered best network security practices, please read our article on Limitations of Firewalls to understand that you also need to keep a manual watch on these interfaces.
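The checks in the list above can be run against a saved device configuration. The following is an added example, not part of the original article: it assumes Cisco IOS-style syntax (the article names no vendor), and the sample configuration and the function name audit_config are constructed for illustration.

```python
import re

# Constructed sample in Cisco IOS-style syntax (an assumption; adapt to your vendor).
SAMPLE_CONFIG = """\
service tcp-small-servers
service udp-small-servers
ip source-route
ip http server
!
interface GigabitEthernet0/0
 ip address 192.0.2.1 255.255.255.0
!
interface GigabitEthernet0/1
 no ip address
!
interface GigabitEthernet0/2
 no ip address
 shutdown
!
line vty 0 4
 transport input ssh
"""

# Global commands that enable services the list above says to shut down.
RISKY_GLOBALS = {
    "service tcp-small-servers": "unnecessary TCP servers enabled",
    "service udp-small-servers": "unnecessary UDP servers enabled",
    "ip source-route": "source routing enabled",
    "ip http server": "remote configuration over HTTP enabled",
}

def audit_config(text):
    """Return a sorted list of findings for one device configuration."""
    findings = []
    # A stanza is a non-indented line plus the indented lines that follow it.
    stanzas = re.findall(r"^(\S.*)\n((?:[ \t]+.*\n?)*)", text, flags=re.M)
    for head, body in stanzas:
        head = head.strip()
        children = [c.strip() for c in body.splitlines() if c.strip()]
        if head in RISKY_GLOBALS:
            findings.append(RISKY_GLOBALS[head])
        elif head.startswith("interface "):
            # No address assigned and not administratively down: unused but live.
            if "no ip address" in children and "shutdown" not in children:
                findings.append(f"{head.split()[1]}: unused interface not shut down")
        elif head.startswith("line vty"):
            if not any(c.startswith("access-class ") for c in children):
                findings.append(f"{head}: remote login not restricted by access-class")
    return sorted(findings)
```

The audit only sees commands that appear in the saved configuration, so defaults that the device does not print still need to be checked against the vendor documentation.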
Practical Tips for Maximum Network Security
This section will cover the lower levels of network security that are often ignored by network administrators who are focused on the higher levels of the network.
Please note that these tips are taken from the recommendations in whitepapers released by the National Security Agency’s Systems and Network Attack Center. You can find all the recommendations at the website: https://nsa.gov/snac. The whitepaper was written to help network administrators who do not have much experience in network security, so you might find some of the tips familiar.
First of all, we will talk about the network security policy. A security policy is defined as a set of rules that the people using the network should adhere to. The network admins should always devise a security policy keeping in mind that some users may need to get into the main database to extract or manipulate data. This is where group policies come in. A good policy must define proper roles for each user group and should also be flexible so that changes can be made as and when required. Before devising the group policy, sound research should be carried out to get an understanding of how to offer rights to people working at different levels of the organization. If possible, a monitoring system should be in place to note if any user is trying to manipulate the policy.
The NAC (Network Attack Center) recommends using the most stable and latest versions of operating systems. It also asks you to keep the OS updated to prevent exploits. On Windows, it recommends special protection for applications such as IIS, Outlook, browsers, Adobe Acrobat, and media players, as these are more prone to attacks than any other application.
Passwords are an important part of a network security policy. The passwords should be at least 12 characters long in Windows. In a UNIX environment, you can have passwords up to 255 characters (earlier versions of UNIX allowed passwords up to eight characters). Regardless of the number of characters and operating systems, the NAC recommends:
- Unbreakable passwords: Usage of alphanumeric passwords that also contain one or two special characters.
- NO to password generators – If passwords are generated by software and word gets out, hackers can use the same software to try cracking the system.
- Password Expiry: Password life should be not more than three months. This will compel users to change their passwords every three months, thereby offering maximum security.
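The expiry rule above can be audited on a UNIX system from the password-aging fields of /etc/shadow. The following is an added example, not part of the original article or the whitepaper: the sample lines and hashes are constructed placeholders, the function name is hypothetical, and "three months" is taken as 90 days.

```python
from datetime import date

MAX_AGE_DAYS = 90  # "not more than three months", taken here as 90 days (assumption)

# Constructed lines in /etc/shadow layout:
# name:hash:last_change(days since 1970-01-01):min:max:warn:inactive:expire:
SAMPLE_SHADOW = """\
alice:$6$placeholder:19750:0:90:7:::
bob:$6$placeholder:19000:0:99999:7:::
carol:$6$placeholder:19760:0:180:7:::
dave:$6$placeholder:19600:0:90:7:::
daemon:*:18000:0:99999:7:::
"""

def audit_password_age(shadow_text, today_iso):
    """Return {account: [problems]} for accounts that break the expiry rule."""
    today_days = (date.fromisoformat(today_iso) - date(1970, 1, 1)).days
    findings = {}
    for line in shadow_text.splitlines():
        fields = line.split(":")
        if len(fields) < 5:
            continue  # not a shadow entry
        name, pw_hash, last_change, _min_age, max_age = fields[:5]
        if pw_hash.startswith(("*", "!")):
            continue  # locked account: no password login to expire
        problems = []
        # An empty or very large maximum age means the password never expires.
        if not max_age.isdigit() or int(max_age) > MAX_AGE_DAYS:
            problems.append("maximum age exceeds policy")
        # The password itself may already be older than the policy allows.
        if last_change.isdigit() and today_days - int(last_change) > MAX_AGE_DAYS:
            problems.append("password older than policy")
        if problems:
            findings[name] = problems
    return findings
```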
Finally, the network admins must include network security in the introductory training sessions for new hires. These sessions must emphasize the need for security and must convey that each user is equally responsible for breaches. Users must be educated on possible threats and how to take precautions. Some examples are locking the computer when leaving the workstation and not sharing the password or writing it down anywhere.
Internet Access and Network Security
I would like to add this to the NAC recommendations. None of the internal computers should be able to connect to the Internet directly. If a user needs to connect to the Internet, it should be via the servers. This way, you can log the activities of the user while reducing the possibilities of virus or malware downloads.
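One way to verify that this rule holds is to look for internal hosts reaching external addresses without going through the servers. The following is an added example, not part of the original article: the log format, the internal range 10.0.0.0/8, the proxy address 10.0.0.10, and the function name are all assumptions, and the log lines are constructed.

```python
import ipaddress

INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")     # assumed internal range
PROXY_SERVERS = {ipaddress.ip_address("10.0.0.10")}   # assumed proxy server

# Constructed firewall log lines: "timestamp action src dst dport"
SAMPLE_LOG = """\
2024-03-01T09:00:01 ALLOW 10.0.5.23 10.0.0.10 3128
2024-03-01T09:00:02 ALLOW 10.0.0.10 203.0.113.80 443
2024-03-01T09:00:05 ALLOW 10.0.7.44 198.51.100.7 443
2024-03-01T09:00:09 DENY 10.0.5.23 198.51.100.9 80
2024-03-01T09:00:12 ALLOW 10.0.7.44 198.51.100.7 443
malformed line
"""

def direct_egress(log_text):
    """Return {src: {"allowed": n, "denied": n}} for hosts bypassing the proxy."""
    hits = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip lines that do not match the assumed format
        _ts, action, src, dst, _port = parts
        try:
            src_ip = ipaddress.ip_address(src)
            dst_ip = ipaddress.ip_address(dst)
        except ValueError:
            continue
        # Only internal-to-external traffic is of interest.
        if src_ip not in INTERNAL_NET or dst_ip in INTERNAL_NET:
            continue
        if src_ip in PROXY_SERVERS:
            continue  # the proxy is the one host allowed to go out
        counts = hits.setdefault(src, {"allowed": 0, "denied": 0})
        counts["allowed" if action == "ALLOW" else "denied"] += 1
    return hits
```

An "allowed" count points to a gap in the firewall rules, while a "denied" count points to a host that is configured, or trying, to bypass the proxy.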
These are some of the common network security tips. If you have anything that you would like to add, please use our comments section to share it with others.