An alchemists view from the bar

Network Security Alchemy

Leon’s ten rules for improved network security


Last week I was asked to comment on a top ten list of the “rules of network security”, and unsurprisingly I disagreed with many of them :p

This probably isn’t a shock and it’s not to say that the other list was wrong, it’s just the nature of such a subjective list. Nevertheless, I thought I would share my response here in case it stimulates thought.

Prerequisite: Hire smart people, and trust them to do their job.

I think that’s key to getting anything done in business and isn’t specific to network security at all; however, it’s worth considering before you do any of the below.

1) Management and user education

Without educating management about the risks associated with modern network connectivity, insufficient effort and budget will be assigned to the task. This directly leads to failure. Network security education must also be presented in an enabling way, for example, “This is how to do stuff safely”, or “Implementing this security measure will allow us to conduct business with this partner while maintaining our security posture”, rather than a disabling “Don’t do that, it’s naughty”.

This first point includes the education associated with AUPs (acceptable usage policies) for network connectivity and resource usage. Without defining acceptable and unacceptable usage of resources, users will never know if they are misbehaving.

2) Enforce sensible access controls

This point exists at many layers within the network, including user account management (with good passwords) via role-based access control (RBAC) and network access controls (and by network access controls, I refer to firewalls, not a NAC-like deployment).

Firewalls should be configured to only allow the required ingress and egress ports for communication through network segments while controlling the direction of trust.

3) Patch, patch, patch, and then patch again.

Always keep up to date with security specific software updates, and automate this process wherever possible.

4) Harden systems that do not operate in a “secure by default” model.

Make sure systems that operate in areas of high risk have the appropriate lock-down applied to them, including:

  • Disabling non-required services
  • Removing or renaming system and default user accounts
  • Removing applications that are not required

5) Enable logging, audit system, network and user behaviour in the context of the AUP. Monitor and react to violations and security events.

Central, sane event logging and its management are key to accomplishing this goal. Intrusion detection and network security monitoring also fit under this point, as they are key to detecting misuse or security violations on the network.
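To make the “monitor and react” half of this point concrete, here is an added example (not code from the post) that runs two detections over centrally collected sshd log lines: a sliding-window count of failed logins per source, and an AUP rule that root may only log in from the management network. The log lines, the management network (192.0.2.0/24), the year assumed for the syslog timestamps and the thresholds are all constructed for illustration.

```python
"""Watch sshd log lines for brute-force attempts and AUP violations.

Added example, not code from the post. The log lines, the management
network and the thresholds are constructed for illustration.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import NamedTuple, Optional

ASSUMED_YEAR = 2010                                    # syslog lines carry no year
MANAGEMENT_NET = ipaddress.ip_network("192.0.2.0/24")  # assumed admin network
LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: "
    r"(Failed|Accepted) (\w+) for (?:invalid user )?(\S+) from (\S+) port \d+"
)

# Constructed sample: a password-guessing run from one address, normal admin
# activity from the management network, and a root login from elsewhere.
SAMPLE_LOG = """\
May 11 14:02:01 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 40112 ssh2
May 11 14:02:03 bastion sshd[2210]: Failed password for invalid user admin from 203.0.113.5 port 40113 ssh2
May 11 14:02:06 bastion sshd[2214]: Failed password for root from 203.0.113.5 port 40115 ssh2
May 11 14:02:09 bastion sshd[2217]: Failed password for root from 203.0.113.5 port 40118 ssh2
May 11 14:02:12 bastion sshd[2219]: Failed password for root from 203.0.113.5 port 40120 ssh2
May 11 14:05:30 bastion sshd[2231]: Accepted publickey for leon from 192.0.2.10 port 51000 ssh2
May 11 14:20:44 bastion sshd[2250]: Failed password for leon from 192.0.2.10 port 51002 ssh2
May 11 14:31:00 bastion sshd[2260]: Accepted password for root from 198.51.100.7 port 33000 ssh2
"""


class Event(NamedTuple):
    ts: datetime
    host: str
    outcome: str   # "Failed" or "Accepted"
    method: str    # "password" or "publickey"
    user: str
    src: str       # sshd logs the source as an IP address


def parse_line(line) -> Optional[Event]:
    """Turn one sshd syslog line into an Event, or None if it is not an auth line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts, host, outcome, method, user, src = m.groups()
    when = datetime.strptime(ts, "%b %d %H:%M:%S").replace(year=ASSUMED_YEAR)
    return Event(when, host, outcome, method, user, src)


def detect_brute_force(events, threshold=5, window=timedelta(seconds=60)):
    """Alert once per source that fails `threshold` logins within `window`."""
    alerts, recent, flagged = [], defaultdict(list), set()
    for ev in events:
        if ev.outcome != "Failed":
            continue
        q = recent[ev.src]
        q.append(ev.ts)
        while q and ev.ts - q[0] > window:      # slide the window forward
            q.pop(0)
        if len(q) >= threshold and ev.src not in flagged:
            flagged.add(ev.src)
            alerts.append(("brute_force", ev.src,
                           f"{len(q)} failed logins within "
                           f"{int(window.total_seconds())}s on {ev.host}"))
    return alerts


def detect_root_outside_mgmt(events, mgmt_net=MANAGEMENT_NET):
    """AUP rule (assumed): root may only log in from the management network."""
    alerts = []
    for ev in events:
        if (ev.outcome == "Accepted" and ev.user == "root"
                and ipaddress.ip_address(ev.src) not in mgmt_net):
            alerts.append(("root_login_outside_mgmt", ev.src,
                           f"root {ev.method} login on {ev.host}"))
    return alerts


def analyse(log_text):
    """Parse a block of log text and return all alerts from both detections."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e]
    return detect_brute_force(events) + detect_root_outside_mgmt(events)


if __name__ == "__main__":
    for kind, src, detail in analyse(SAMPLE_LOG):
        print(f"[{kind}] {src}: {detail}")
```

The sliding window matters: five failures spread over a day are noise, five within a minute are an event worth reacting to. The second detection is only useful if the AUP actually states where administrative logins may come from, which is the link back to point 1.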

6) Anti-ware (the modern equivalent of Anti-virus)

This is a must on user desktops and on servers (where appropriate). Even though some AV software has lower-than-desirable virus detection rates, having something is better than nothing as long as it’s kept up to date (see point 3)!

7) Segment the network into trust zones

Every network should be made up of multiple zones with differing functions, e.g. Management, Public DMZ, Servers, Clients. VLANs can be used to implement much of this segregation, and firewalls should be used to route data between those networks.
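Points 2 and 7 together describe a policy: zones of differing trust, with firewalls permitting only the required ports in the required direction. The following is an added example (not code from the post) of auditing a proposed rule list against such a trust model before it reaches the firewall, so that a rule which crosses zones the wrong way, or opens every port, is caught in review. The zone names, trust ranks, allowed-flow table, `Rule` type and sample rules are all constructed for illustration.

```python
"""Audit firewall rules against a zone trust model.

Added example, not code from the post. Zone names, trust ranks, the
allowed-flow table and the sample rules are all constructed for illustration.
"""
from dataclasses import dataclass
from typing import Optional

# Trust rank per zone: higher means more trusted (assumed values).
ZONE_TRUST = {"Public-DMZ": 1, "Clients": 2, "Servers": 3, "Management": 4}

# Which zone may initiate connections to which. Anything not listed here is
# a violation of the trust model, whatever port it uses (assumed policy).
ALLOWED_FLOWS = {
    ("Clients", "Servers"),        # users reach internal services
    ("Clients", "Public-DMZ"),     # users reach the public web tier
    ("Public-DMZ", "Servers"),     # web tier talks to its back end
    ("Servers", "Public-DMZ"),     # e.g. outbound mail via a relay in the DMZ
    ("Management", "Servers"),     # admin access only from the management zone
    ("Management", "Public-DMZ"),
    ("Management", "Clients"),
}


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    proto: str
    port: Optional[int]   # None means "any port"
    purpose: str


def check_rule(rule, allowed_flows=ALLOWED_FLOWS, zone_trust=ZONE_TRUST):
    """Return the reasons this rule violates the policy (empty list if clean)."""
    unknown = [z for z in (rule.src_zone, rule.dst_zone) if z not in zone_trust]
    if unknown:
        return [f"unknown zone(s): {', '.join(unknown)}"]
    reasons = []
    if (rule.src_zone, rule.dst_zone) not in allowed_flows:
        direction = ("into a more trusted zone"
                     if zone_trust[rule.src_zone] < zone_trust[rule.dst_zone]
                     else "lateral or downward")
        reasons.append(f"flow {rule.src_zone} -> {rule.dst_zone} is not in the "
                       f"trust model ({direction})")
    if rule.port is None:
        reasons.append("opens every port; restrict to the required service port")
    return reasons


def audit_rules(rules, allowed_flows=ALLOWED_FLOWS, zone_trust=ZONE_TRUST):
    """Return (rule, reason) pairs for every policy violation in the rule list."""
    findings = []
    for rule in rules:
        for reason in check_rule(rule, allowed_flows, zone_trust):
            findings.append((rule, reason))
    return findings


# Constructed rule list: some compliant, some not.
SAMPLE_RULES = [
    Rule("Clients", "Servers", "tcp", 443, "intranet web"),
    Rule("Management", "Servers", "tcp", 22, "admin SSH"),
    Rule("Public-DMZ", "Management", "tcp", 22, "'convenient' SSH from the web tier"),
    Rule("Clients", "Servers", "tcp", None, "legacy app, ports unknown"),
    Rule("Guest-WiFi", "Servers", "tcp", 445, "file shares for visitors"),
]

if __name__ == "__main__":
    for rule, reason in audit_rules(SAMPLE_RULES):
        print(f"{rule.src_zone} -> {rule.dst_zone} {rule.proto}/{rule.port or 'any'} "
              f"({rule.purpose}): {reason}")
```

The point of keeping the allowed-flow table separate from the rules is that the table is the design decision (who may talk to whom) and the rules are its implementation; a change request that needs a new flow should change the table first, with sign-off, rather than quietly adding a rule.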

8) Physical security

Make sure that the correct physical security controls are in place in your data centre. Consider and mitigate the risk of a user’s laptop getting stolen or “lost” after a four-hour business meeting in a high-class wine bar.

9) Take Backups and test them!

Not taking and checking the quality of your backups *will* cause a lot of pain. Fact. Losing data could mean losing the company, and therefore losing your job.
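“Test them” means more than checking that the backup job exited zero. As an added example (not code from the post), the script below takes a backup of a constructed directory, records a SHA-256 manifest of every file, restores the archive into a scratch directory and compares each restored file against the manifest. It then flips one byte of file data inside the archive to simulate media bit rot, restores again, and shows that the extraction still “succeeds” while the checksum comparison catches the damage. The file names, contents and paths are all constructed for illustration.

```python
"""Take a backup, record checksums, then prove it restores intact.

Added example, not code from the post. The sample files, paths and
the deliberate corruption step are constructed for illustration.
"""
import hashlib
import os
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root):
    """Map each regular file's path (relative to root) to its SHA-256."""
    root = Path(root)
    manifest = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = Path(dirpath) / name
            manifest[full.relative_to(root).as_posix()] = sha256_of(full)
    return manifest


def create_backup(src_dir, archive_path):
    """Write an (uncompressed) tar of src_dir and return its checksum manifest.
    Keep the manifest somewhere other than the backup media."""
    manifest = build_manifest(src_dir)
    with tarfile.open(archive_path, "w") as tar:
        for rel in manifest:
            tar.add(Path(src_dir) / rel, arcname=rel)
    return manifest


def verify_restore(archive_path, manifest, restore_dir):
    """Restore into a scratch directory and compare every file with the manifest.
    Returns (ok, problems)."""
    problems = []
    try:
        with tarfile.open(archive_path, "r") as tar:
            if hasattr(tarfile, "data_filter"):      # Python 3.12+ and backports
                tar.extractall(restore_dir, filter="data")
            else:
                tar.extractall(restore_dir)
    except (tarfile.TarError, OSError, EOFError) as exc:
        return False, [f"archive unreadable: {exc}"]
    restored = build_manifest(restore_dir)
    for rel, digest in manifest.items():
        if rel not in restored:
            problems.append(f"missing after restore: {rel}")
        elif restored[rel] != digest:
            problems.append(f"checksum mismatch: {rel}")
    for rel in sorted(set(restored) - set(manifest)):
        problems.append(f"unexpected file in restore: {rel}")
    return not problems, problems


def corrupt_one_byte(archive_path):
    """Simulate media bit rot inside the first file's data (not its header), so
    extraction still 'succeeds' and only the checksum reveals the damage."""
    with tarfile.open(archive_path, "r") as tar:
        first = next(m for m in tar.getmembers() if m.isfile())
        offset = first.offset_data
    with open(archive_path, "r+b") as fh:
        fh.seek(offset)
        original = fh.read(1)
        fh.seek(offset)
        fh.write(bytes([original[0] ^ 0xFF]))


def demo():
    """Back up two constructed files, verify, corrupt the archive, verify again."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "data"
        (src / "docs").mkdir(parents=True)
        (src / "docs" / "aup.txt").write_text("Acceptable usage policy, version 1\n")
        (src / "config.ini").write_text("[db]\nhost = db.example.internal\n")
        archive = work / "backup.tar"
        manifest = create_backup(src, archive)
        good_ok, _ = verify_restore(archive, manifest, work / "restore_good")
        corrupt_one_byte(archive)
        bad_ok, bad_problems = verify_restore(archive, manifest, work / "restore_bad")
        return good_ok, bad_ok, bad_problems


if __name__ == "__main__":
    good, bad, problems = demo()
    print("fresh backup restores intact:", good)
    print("corrupted backup restores intact:", bad, problems)
```

The restore-and-compare step is the part most backup routines skip; a tar file with a damaged data block reads back without error, which is exactly why the checksums must be kept and checked separately.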

10) Use the correct tools to do the job.

If budget is tight (and it always is), look for lower-cost software alternatives. There is an amazing range of high-quality open source security software available that can help address many of the security points above. Make sure you research and select good tools that you are comfortable with and that can scale to meet future requirements.



Written by leonward

May 11, 2010 at 4:07 pm

Posted in Uncategorized

12 Responses


  1. Nice post there Leon.

    Joel Esler

    May 11, 2010 at 7:06 pm

  2. […] Leon’s ten rules for improved network security « An alchemists view from the bar. […]

  3. My only issue with this list is before you complete number 3, TEST THE PATCH!


    May 11, 2010 at 8:11 pm

    • I agree on two fronts.
      – The obvious: Does the patch break something?
      Patches need to be tested on real systems, not old devices in the labs. Create a rolling window of test servers and clients. They may have the occasional outage, but it can be distributed over many different systems and could save you larger problems before rolling out en masse.
      – Does the patch fix the problem?
      This is harder to check, but correct application needs to be tested along with any other post install actions (reboot etc). Active patch scanners that look for the existence of a registry key or a package version do not solve the problem.


      May 12, 2010 at 10:16 am

  4. I like how #8 is a 8) glasses face


    May 11, 2010 at 8:33 pm

  5. In addition to firewalls and VLANs for number 7, you can also use IPsec rules to implement server/domain isolation. Much easier than people realise to implement, and implementing IPsec on the network anyway is a great part of the defense in depth setup.


    May 11, 2010 at 9:25 pm

  6. About some specific software: Patch&&Clean.
    Patch Java *AND* remove old Java environment.

    Great post Leon


    May 13, 2010 at 9:39 am

  7. […] the ten commandments of network security, by Leon Ward: simple to understand… sometimes complex to put into practice. Read also […]

    - CNIS mag

    May 14, 2010 at 12:10 am

  8. Good Post. I don’t agree with #3 from a systems perspective. I come from the never patch always re-provision. My one exception is when exploits are in the wild. Patch in that case until a new image is built. With a good set of admins and a decent provisioning system you can reload a desktop in about 12 minutes, a server in 6.

    From a switch and network device perspective, I think it’s OK to patch. Test, then patch as mentioned above.

    Jerry Gallagher

    May 27, 2011 at 2:05 am

  9. Good one, I have bookmarked your post so that I can review it later. Network security has become very important in order to provide overall security to computer and prevent leakage of our personal information. Hence, I have bought the services of I think you should also try it out. For more info, browse


    January 20, 2012 at 7:37 am
