
Network Security Model: Defining a Business Security Strategy

Overview

Five security groups should be considered in any enterprise security model: security policy, perimeter security, network security, transaction security, and monitoring security. All of them are part of an effective business security strategy. Any business network has a perimeter, which represents all the computers and circuits that connect to external networks, both public and private. The internal network is made up of all the servers, applications, data, and devices used for business operations. The demilitarized zone (DMZ) is a location between the internal network and the perimeter, made up of firewalls and public servers; it allows external users some access to those public servers while denying traffic that would otherwise reach the internal servers. This does not mean that all external users are denied access to internal networks. Rather, a proper security strategy specifies who can access what, and from where. For example, telecommuters use VPN concentrators at the edge to access Windows and Unix servers, and business partners could use a VPN extranet connection to access the company's S/390 mainframe. Define what security is required on all servers to protect company applications and files. Identify the transaction protocols necessary to protect data as it travels through secure and non-secure network segments. Next, define the monitoring activities that examine packets in real time as a defensive and proactive strategy against internal and external attacks. A recent survey revealed that insider attacks by disgruntled employees and consultants are more prevalent than attacks by hackers. Virus scanning must also be addressed, since an allowed session could carry an application-layer virus in an email or file transfer.
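The "who can access what, and from where" rule set above is easiest to reason about as zones (Internet, perimeter/DMZ, internal, VPN) with an ordered, default-deny rule list. The following is an added example, not code from the original article: it models the Internet-to-DMZ web access, the telecommuter VPN access to internal servers and the implicit denial of Internet-to-internal traffic described in the overview, and includes the check a reviewer most often wants, namely whether a later rule is shadowed by an earlier, broader one. All address ranges, ports and rules are constructed for illustration.

```python
"""Zone-based access policy for the perimeter / DMZ / internal model.

Added example, not from the original article. Zones, addresses and rules
are constructed for illustration; a real deployment defines its own.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed zone definitions (assumption: RFC 1918 space inside, one DMZ subnet).
ZONES = {
    "dmz": [ip_network("192.0.2.0/24")],       # public servers behind the edge firewall
    "internal": [ip_network("10.0.0.0/8")],    # servers, applications, workstations
    "vpn": [ip_network("172.16.0.0/12")],      # pool handed out by the VPN concentrator
}
# Anything that matches no zone is treated as "internet".


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    port: Optional[int]   # None matches any TCP port
    action: str           # "permit" or "deny"


# Ordered, first-match rule set. There is no explicit catch-all: evaluate()
# falls through to deny, which is what makes the policy default-deny.
RULES: List[Rule] = [
    Rule("internet", "dmz", 443, "permit"),    # external users reach public web servers
    Rule("vpn", "internal", None, "permit"),   # telecommuters already authenticated at the edge
    Rule("dmz", "internal", 1433, "permit"),   # constructed: DMZ web tier to one database port
    Rule("internal", "dmz", None, "permit"),   # administrators manage the DMZ from inside
    Rule("internal", "internet", None, "permit"),
]


def zone_of(addr: str) -> str:
    """Map an address to its zone; unknown addresses are the Internet."""
    ip = ip_address(addr)
    for name, nets in ZONES.items():
        if any(ip in net for net in nets):
            return name
    return "internet"


def evaluate(src: str, dst: str, port: int, rules: List[Rule] = RULES) -> str:
    """First matching rule wins; no match means deny."""
    src_zone, dst_zone = zone_of(src), zone_of(dst)
    for rule in rules:
        if (rule.src_zone == src_zone and rule.dst_zone == dst_zone
                and rule.port in (None, port)):
            return rule.action
    return "deny"


def shadowed_rules(rules: List[Rule]) -> List[int]:
    """Indexes of rules that can never match because an earlier rule with the
    same zones and an equal or broader port specification precedes them."""
    shadowed = []
    for j, later in enumerate(rules):
        for earlier in rules[:j]:
            if (earlier.src_zone == later.src_zone
                    and earlier.dst_zone == later.dst_zone
                    and earlier.port in (None, later.port)):
                shadowed.append(j)
                break
    return shadowed


if __name__ == "__main__":
    for src, dst, port in [("203.0.113.7", "192.0.2.10", 443),
                           ("203.0.113.7", "10.1.1.5", 445),
                           ("172.16.5.9", "10.1.1.5", 3389)]:
        print(src, "->", dst, port, evaluate(src, dst, port))
    print("shadowed rules:", shadowed_rules(RULES))
```

The shadow check matters because a rule set like this is usually edited over years; a permit added below a broader permit or deny for the same zones silently does nothing, and the reviewer should be told rather than discover it in an incident.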

Security Policy Document

The security policy document outlines the policies that apply to every employee who uses the corporate network. It specifies what an employee is allowed to do and with which resources. The policy also covers non-employees as well as terminated consultants, business partners, customers, and employees. In addition, it defines security policies for Internet email and virus detection, and it defines which cyclical process, if any, is used to examine and improve security.

Security Perimeter

This describes the first line of defense that external users must pass before authenticating to the network: security for traffic whose source and destination are external networks. Many components are used to protect the perimeter of a network, and the assessment reviews all perimeter devices currently in use. Typical edge devices are firewalls, external routers, TACACS servers, RADIUS servers, dial-up servers, VPN concentrators, and modems.

Network Security

This is defined as all legacy host and server security that is implemented to authenticate and authorize internal and external employees. Once a user has been authenticated through perimeter security, it is the security that must be addressed before any application can be launched. The network exists to carry traffic between workstations and network applications. Network applications are deployed on shared servers that might run an operating system such as Windows, Unix, or Mainframe MVS. It is the responsibility of the operating system to store data, respond to requests for data, and maintain the security of that data. Once a user authenticates to a Windows ADS domain with a specific user account, they hold the privileges granted to that account, such as access to specific directories on one or more servers, the right to launch applications, and the right to manage some or all of the Windows servers. When the user authenticates to the distributed Windows Active Directory services, the authentication is to the directory service, not to a specific server. This brings tremendous management and availability benefits, since all accounts are managed centrally and backup copies of the database are maintained on multiple servers across the network. Unix and Mainframe hosts generally require a login to a specific system; however, network rights could be distributed to many hosts.

Network Operating System Domain Authentication and Authorization

Windows Active Directory Services Authentication and Authorization

Unix and Mainframe Host Authentication and Authorization

Authorization of Applications by Server

Authorization of Files and Data

Transaction Security

Transaction security works from a dynamic perspective: each session is secured through five main activities, namely non-repudiation, integrity, authentication, confidentiality, and virus detection. Transaction security ensures that session data is secure before it is transported across the enterprise or the Internet. This is especially important on the Internet, where data is vulnerable to those who would use the valuable information without permission. Electronic commerce uses industry standards such as SET and SSL, which describe a set of protocols that provide non-repudiation, integrity, authentication, and confidentiality. In addition, virus scanning contributes to transaction security by examining data files for signs of virus infection before they are transported to an internal user or sent over the Internet. The industry-standard transaction security protocols are described below.

Non-Repudiation – RSA Digital Signatures

Integrity – MD5 Path Authentication

Authentication – Digital Certificates

Privacy – IPSec/IKE/3DES

Virus Detection – McAfee/Norton Antivirus Software
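Of the five activities listed above, integrity is the one most often implemented incorrectly, because a bare digest looks like protection but is not. The following is an added example, not code from the original article or from any product it names: it contrasts an unkeyed MD5 digest with a keyed MD5 digest of the kind used for path (route) authentication, where both ends share a secret. The message, the shared key and the on-path modification are constructed; the keyed construction here is a standard HMAC, which is a simplification of the protocol-specific formats, and the `algo` parameter is an assumption added so the same code can run with SHA-256.

```python
"""Integrity of a message in transit: unkeyed digest versus keyed digest.

Added example, not from the original article. The message, the shared key
and the attacker's modification are constructed for illustration.
"""
import hashlib
import hmac

# Constructed shared secret; both peers must be configured with the same value.
SHARED_KEY = b"constructed-demo-key"

# Constructed routing-style update that is protected in transit.
MESSAGE = b"UPDATE prefix=10.1.1.0/24 next_hop=10.0.0.1 metric=10"


def plain_digest(data: bytes) -> bytes:
    """Unkeyed MD5 over the message: detects accidental corruption only,
    because anyone who can rewrite the message can recompute this too."""
    return hashlib.md5(data).digest()


def keyed_digest(data: bytes, key: bytes = SHARED_KEY, algo=hashlib.md5) -> bytes:
    """Keyed digest (HMAC) over the message: producing a valid tag requires the
    shared secret. MD5 matches the article's list; pass hashlib.sha256 for a
    current design, the construction is otherwise identical."""
    return hmac.new(key, data, algo).digest()


def verify(data: bytes, tag: bytes, key: bytes = SHARED_KEY, algo=hashlib.md5) -> bool:
    """Receiver side: recompute the keyed digest and compare in constant time."""
    return hmac.compare_digest(keyed_digest(data, key, algo), tag)


def tamper(message: bytes) -> bytes:
    """Constructed on-path modification: point the route at another next hop."""
    return message.replace(b"next_hop=10.0.0.1", b"next_hop=10.0.0.99")


def simulate_tamper(message: bytes) -> dict:
    """Sender emits the message with a plain digest and a keyed digest.
    An on-path attacker rewrites the message and recomputes whatever can be
    recomputed without the key. Returns whether each receiver check passes."""
    altered = tamper(message)
    forged_plain = plain_digest(altered)     # needs no secret, so the attacker can do it
    replayed_keyed = keyed_digest(message)   # the attacker can only reuse the original tag
    return {
        "plain": plain_digest(altered) == forged_plain,   # receiver is fooled
        "keyed": verify(altered, replayed_keyed),          # receiver rejects
    }


if __name__ == "__main__":
    print("legitimate message verifies:", verify(MESSAGE, keyed_digest(MESSAGE)))
    print("after tampering, accepted by check:", simulate_tamper(MESSAGE))
```

The point for a design review is that "integrity" in the list above only holds when the digest is keyed (or signed); an unkeyed hash transmitted alongside the data protects against line noise, not against an adversary on the path.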

Security Monitoring

Monitoring network traffic for security attacks, vulnerabilities, and unusual events is essential to any security strategy. This evaluation identifies which strategies and applications are being used. The following list describes some typical monitoring solutions. Intrusion detection sensors are available to monitor traffic in real time as it arrives at your perimeter. IBM Internet Security Scanner is an excellent vulnerability assessment testing tool to consider for your organization. Syslog server messaging is a standard Unix program found in many companies that writes security events to a log file for your examination. It is important to have audit trails that record network changes and help isolate security issues. Large companies that use many analog dial lines for modems sometimes employ dial scanners to find open lines that could be exploited by security hackers. Facility security is typically card access to the computers and servers that host mission-critical data. Badge access systems record the date and time at which each specific employee entered and left the telecommunications room, and cameras sometimes also record what specific activities took place.

Intrusion Prevention Sensors (IPS)

Cisco markets intrusion prevention sensors (IPS) to enterprise customers to improve the security posture of the company's network. The Cisco IPS 4200 Series places sensors at strategic locations on the internal and external network to protect switches, routers, and servers from hackers. IPS sensors examine network traffic in real time or online, matching packets against predefined signatures. If a sensor detects suspicious behavior, it sends an alarm, drops the packet, and takes some evasive action to counter the attack. The sensor can be implemented as an inline IPS, as an IDS where traffic does not flow through the device, or as a hybrid device. Most sensors within the data center network are designated IPS mode, whose dynamic security features thwart attacks as soon as they occur. Note that IOS intrusion prevention software is available today as an option on routers.

Vulnerability Assessment Tests (VAST)

IBM Internet Security Scanner (ISS) is a vulnerability assessment scanner aimed at enterprise customers that assesses network vulnerabilities from both an external and an internal perspective. The software runs on agents and scans various network devices and servers for known security holes and potential vulnerabilities. The process consists of network discovery, data collection, analysis, and reporting. Data is collected from routers, switches, servers, firewalls, workstations, operating systems, and network services. Potential vulnerabilities are verified through non-destructive testing, and recommendations are made to correct any security issues. A report generation function in the scanner presents the results to company personnel.

Syslog Server Messaging

Cisco IOS supports Syslog, a Unix logging program, to report a variety of device activities and error conditions. Most routers and switches generate Syslog messages, which are sent to a designated Unix workstation for review. If your Network Management Console (NMS) runs on the Windows platform, there are utilities that allow you to view the log files and transfer Syslog files between Unix and the Windows NMS.
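Collecting Syslog messages on a server is only useful if something reads them. The following is an added example, not code from the original article or from Cisco: it parses IOS-style Syslog lines as a collector would store them, keeps the audit trail of configuration changes mentioned in the monitoring section, counts failed logins per source address, and surfaces messages of severity 2 or lower. The sample lines are constructed for the example; the facility and mnemonic names follow the `%FACILITY-SEVERITY-MNEMONIC` form that IOS uses, and the host names, addresses and threshold are assumptions.

```python
"""Detection over IOS-style Syslog lines received by a log server.

Added example, not from the original article or from Cisco. All sample
lines, host names and addresses are constructed for illustration.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# Constructed lines in the form a Unix syslog server writes them:
# "<timestamp> <host> <sequence>: %FACILITY-SEVERITY-MNEMONIC: text".
SAMPLE_LINES = [
    "Mar 10 12:00:01 rtr-edge-1 101: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.5)",
    "Mar 10 12:01:10 rtr-edge-1 102: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 12:01:10 UTC Fri Mar 10 2006",
    "Mar 10 12:01:14 rtr-edge-1 103: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 12:01:14 UTC Fri Mar 10 2006",
    "Mar 10 12:01:19 rtr-edge-1 104: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: cisco] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 12:01:19 UTC Fri Mar 10 2006",
    "Mar 10 12:01:23 rtr-edge-1 105: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.9] [localport: 22] [Reason: Login Authentication Failed] at 12:01:23 UTC Fri Mar 10 2006",
    "Mar 10 12:02:40 sw-core-1 207: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 10.0.0.5] [localport: 22] [Reason: Login Authentication Failed] at 12:02:40 UTC Fri Mar 10 2006",
    "Mar 10 12:02:55 sw-core-1 208: %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.5] [localport: 22] at 12:02:55 UTC Fri Mar 10 2006",
    "Mar 10 12:03:02 sw-core-1 209: %LINEPROTO-5-UPDOWN: Line protocol on Interface GigabitEthernet0/1, changed state to down",
    "Mar 10 12:05:30 rtr-edge-1 106: %SYS-2-MALLOCFAIL: Memory allocation of 65536 bytes failed from 0x60A1B2C3, alignment 0",
    "this line is not a syslog message and must be ignored",
]

PREFIX_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2}\s+\d{2}:\d{2}:\d{2})\s+(?P<host>\S+)")
MSG_RE = re.compile(r"%(?P<facility>[A-Z][A-Z0-9_]*)-(?P<severity>[0-7])-(?P<mnemonic>[A-Z0-9_]+):\s*(?P<text>.+)$")
SOURCE_RE = re.compile(r"\[Source:\s*(?P<ip>[0-9.]+)\]")


def parse_line(line: str) -> Optional[dict]:
    """Split one stored line into fields; return None for non-IOS lines."""
    msg = MSG_RE.search(line)
    if not msg:
        return None
    prefix = PREFIX_RE.match(line)
    return {
        "timestamp": prefix.group("ts") if prefix else None,
        "host": prefix.group("host") if prefix else "unknown",
        "facility": msg.group("facility"),
        "severity": int(msg.group("severity")),
        "mnemonic": msg.group("mnemonic"),
        "text": msg.group("text"),
    }


def analyze(lines: List[str], failed_threshold: int = 3) -> Dict[str, object]:
    """Audit trail of configuration changes, failed-login counts per source
    that reach the threshold, and every message at severity 0-2."""
    events = [e for e in map(parse_line, lines) if e]
    failures: Counter = Counter()
    for e in events:
        if e["mnemonic"] == "LOGIN_FAILED":
            src = SOURCE_RE.search(e["text"])
            if src:
                failures[src.group("ip")] += 1
    return {
        "config_changes": [e for e in events if e["mnemonic"] == "CONFIG_I"],
        "brute_force": {ip: n for ip, n in failures.items() if n >= failed_threshold},
        "critical": [e for e in events if e["severity"] <= 2],
    }


if __name__ == "__main__":
    report = analyze(SAMPLE_LINES)
    for change in report["config_changes"]:
        print("config change:", change["host"], change["text"])
    print("repeated login failures:", report["brute_force"])
    print("critical:", [(e["host"], e["mnemonic"]) for e in report["critical"]])
```

A single failed login from an administrator's workstation stays below the threshold and is not reported, while the run of failures from one external address is; the configuration change is recorded regardless of who made it, which is what an audit trail is for.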

Copyright 2006 Shaun Hummel All Rights Reserved
