The threat is from within
These days it's not simply the network perimeter you should be worrying about.
By Louise McKeag, Techworld | Published: 11:00, 21 December 2004
Secure the edge of your network from nastiness by all means, but don’t assume that you’re now safe. Someone may still be able to break through your defences, and if you’re not monitoring what’s going on in the depths of your network, they’ve got free rein to trawl about to their heart’s content.
Alternatively, the danger could come from within. Networks have users, and they’re probably our greatest concern. It doesn’t have to be a particularly disgruntled soon-to-become ex-employee - just someone being thoughtless, or trying to circumvent the rules and inadvertently causing chaos.
Divide and conquer
If you have a network of any size, you’ll already have segmented it into separate subnets. But don’t expect that on its own to provide any security. It’s likely that your routers are set by default to route traffic between the different VLANs without any form of restriction. However, if there’s no need for users of one subnet to access devices on another, explicitly prevent them, using firewalls or routers with filtering capabilities.
This admittedly works best if you have your user workgroups divided into segments, which, typically, we’re being told not to do, with the focus nowadays on geographical, rather than logical boundaries within the network. But for particularly vulnerable resources, or those which it would cause most damage to your company to lose, it may be worth the effort of a bit of reorganising.
This can be done pretty effectively in your server farm, for instance. If there’s never any need for your admin servers to communicate directly with the R&D ones, put them in different subnets, and firewall between them. Private/Super VLANs may also be an option here (though remember that VLANs in themselves aren’t inherently designed for security). If someone does manage to compromise one server, why make it easy for them to pop out all over the network from the comfortable launching pad of a known, trusted internal address?
Similarly, IPSs aren’t just for external links and DMZs. If something unpleasant hits your network from within, you won’t spot it, never mind stop it, if you don’t see it. You probably can’t afford to put one on every segment in your network, but at least make sure they’re covering your servers and any other important resource, such as the CEO’s LAN.
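The segmentation advice above (deny inter-subnet traffic unless there is an explicit need, and watch the traffic between server segments) is easy to state and easy to get wrong in practice, because the allow-list drifts away from what the routers actually permit. The following script is an added illustration, not code from the article: it encodes a constructed default-deny policy for four hypothetical segments and audits NetFlow-style flow records against it, reporting any east-west flow that the policy does not sanction. The segment names, address ranges, allow-list and sample flows are all constructed for this example.

```python
"""Audit inter-segment flows against a default-deny segmentation policy.

Constructed example: segment map, allow-list and flow records are invented.
A real deployment would load the segment map from the router or firewall
configuration and the flows from a collector.
"""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed segment map: name -> network.
SEGMENTS: Dict[str, ipaddress.IPv4Network] = {
    "user-lan":  ipaddress.ip_network("10.1.0.0/16"),
    "ceo-lan":   ipaddress.ip_network("10.2.0.0/24"),
    "admin-srv": ipaddress.ip_network("10.10.0.0/24"),
    "rd-srv":    ipaddress.ip_network("10.20.0.0/24"),
}

# Constructed allow-list of (source segment, destination segment, dst port).
# Anything not listed here is denied, mirroring "explicitly prevent them".
ALLOWED = {
    ("user-lan", "admin-srv", 443),   # intranet web front end
    ("user-lan", "rd-srv", 22),       # developers reach R&D hosts over SSH
    ("ceo-lan",  "admin-srv", 443),
}


def segment_of(addr: str) -> Optional[str]:
    """Map an address to its segment name, or None if it is unknown."""
    ip = ipaddress.ip_address(addr)
    for name, net in SEGMENTS.items():
        if ip in net:
            return name
    return None


def is_allowed(src: str, dst: str, dport: int) -> bool:
    """True if the policy permits this flow between segments."""
    s, d = segment_of(src), segment_of(dst)
    if s is None or d is None:
        return False            # unknown addresses are never trusted
    if s == d:
        return True             # intra-segment traffic is outside this policy
    return (s, d, dport) in ALLOWED


def audit(flows: List[Dict]) -> List[Tuple[str, str, str, str, int]]:
    """Return (src, src_segment, dst, dst_segment, dport) for each denied flow."""
    violations = []
    for f in flows:
        if not is_allowed(f["src"], f["dst"], f["dport"]):
            violations.append((f["src"], segment_of(f["src"]) or "unknown",
                               f["dst"], segment_of(f["dst"]) or "unknown",
                               f["dport"]))
    return violations


# Constructed sample flow records (five-tuples reduced to the fields we need).
SAMPLE_FLOWS = [
    {"src": "10.1.4.7",   "dst": "10.10.0.5", "dport": 443},   # user -> admin web: allowed
    {"src": "10.10.0.5",  "dst": "10.20.0.9", "dport": 445},   # admin -> R&D SMB: denied
    {"src": "10.20.0.9",  "dst": "10.2.0.10", "dport": 3389},  # R&D -> CEO LAN RDP: denied
    {"src": "10.1.4.7",   "dst": "10.1.9.2",  "dport": 445},   # same segment: not policed here
    {"src": "10.1.4.7",   "dst": "10.20.0.9", "dport": 22},    # user -> R&D SSH: allowed
]


if __name__ == "__main__":
    for src, ss, dst, ds, port in audit(SAMPLE_FLOWS):
        print(f"DENIED {ss}:{src} -> {ds}:{dst} port {port}")
```

Run against a real flow export, the violations list is also the list of rules a router ACL or internal firewall should be enforcing; if the audit keeps finding flows the policy forbids, either the policy is wrong or the filtering is not actually in place.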
Speaking of trust, make sure yours isn’t misplaced. You have all sorts of security checks in place for remote access users, but what about links to remote offices or partners? Just because they are over secure leased lines, say, doesn’t mean they’re infallible. If you don’t have control over the physical and logical security at those other sites, treat them as if they were insecure, and put extra measures in place. Even if it’s one of your own branch offices, it might be a serviced building, where there’s no knowing who can wander up to the comms room and plug a PC into a console port…
Where possible, don’t set up your servers so that they’re handling multiple tasks. Okay, no one’s hardware budget is infinite, but if one server is compromised, how many applications would you lose? And remember that the more services you have running, the more vulnerabilities you’re creating. Multi-purpose servers can also give you a problem when it comes to upgrades and patches, and you find that a fix for one aspect conflicts with something else you’ve got running on the same server.
We’ve not spoken about patching so far - that’s a topic in its own right and one that’s well covered, as for example in Patch Management. Up-to-date code, timely patching and anti-virus software should be second nature by now.
As should passwords, but they’re still an issue. All guest and service passwords should be disabled, or at the very least, have non-default passwords set. Users should be ‘encouraged’ to follow the password guidelines which form part of your security policy (you DO have a security policy don’t you?) by the use of strong password enforcement tools - there’s the generic strong password functionality of Windows, for starters, or a myriad of add-ons, such as those from Waveset or London-based Little CatZ.
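To show what a strong password enforcement check actually tests for, here is an added example of the kind of policy check such a tool applies when a password is set. It is not code from the article or from any of the products named above; the policy thresholds and the short denylist of vendor-default and common passwords are constructed for the example, and a real deployment would use a far larger denylist.

```python
"""Password policy enforcement check (constructed example).

check_password() returns the list of policy violations for a candidate
password; an empty list means the password is accepted.
"""
import re
from dataclasses import dataclass


@dataclass
class Policy:
    min_length: int = 12
    min_classes: int = 3      # of: lower, upper, digit, symbol
    max_repeat: int = 3       # longest permitted run of one character
    # Constructed denylist: vendor defaults and common choices.
    denylist: frozenset = frozenset(
        {"password", "admin", "cisco", "letmein", "changeme", "welcome"}
    )


CLASSES = [
    ("lower", re.compile(r"[a-z]")),
    ("upper", re.compile(r"[A-Z]")),
    ("digit", re.compile(r"[0-9]")),
    ("symbol", re.compile(r"[^A-Za-z0-9]")),
]


def check_password(candidate: str, username: str, policy: Policy = Policy()) -> list:
    """Return a list of human-readable policy violations (empty = accepted)."""
    problems = []

    if len(candidate) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")

    present = sum(1 for _, rx in CLASSES if rx.search(candidate))
    if present < policy.min_classes:
        problems.append(f"uses {present} character classes, need {policy.min_classes}")

    if username and username.lower() in candidate.lower():
        problems.append("contains the username")

    # A run of max_repeat+1 identical characters ("aaaa" with max_repeat=3).
    if re.search(r"(.)\1{%d,}" % policy.max_repeat, candidate):
        problems.append(f"repeats a character more than {policy.max_repeat} times")

    # Strip trailing digits/symbols so "Password1!" is still caught as "password".
    core = re.sub(r"[^A-Za-z]+$", "", candidate).lower()
    if candidate.lower() in policy.denylist or core in policy.denylist:
        problems.append("matches a default or common password")

    return problems


if __name__ == "__main__":
    for pw, user in [("Password1!", "bob"), ("Correct-Horse-Battery-42", "alice")]:
        result = check_password(pw, user)
        print(f"{pw!r}: {'accepted' if not result else '; '.join(result)}")
```

The denylist lookup is the check most home-grown enforcers skip, and it is the one that catches the vendor defaults the paragraph above is worried about; the trailing-suffix strip matters because "Password1!" passes every complexity rule while still being a default with a digit bolted on.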
It should also go without saying that your network devices themselves - routers and switches - need to be secured. Restricted access, centralised login facilities, and authentication on your routing protocols will help to stop anyone hijacking the proper operation of your network.
It’s not enough to stick a firewall and a couple of IPSs on your Internet link and assume you’re okay. Make sure that the inside of your network is equally well-protected, and you’re more liable to be able to sleep (or at least get to the pub) at night.