Build a line of defense with these network security tips
This feature first appeared in the Summer 2014 issue of Certification Magazine.
Criminals lurk in many of the Internet’s dark corners, scouting out victims and eager to pounce whenever they identify a network vulnerability. Organizations that fail to apply basic security controls to their networks face a multitude of risks from anonymous attackers, including theft of sensitive information, destruction of critical resources and interference with business processes.
Network security is a broad field that includes a variety of controls designed to protect both the confidentiality of information transmitted over networks, and the availability of those networks to authorized users. Certified network security professionals work to protect networks from potential attackers, detect attacks in progress, and react swiftly and surely to successful network intrusions. They have a variety of technology at their disposal to assist with these challenges. Deploying a few simple advance precautions, however, can tilt the playing field in a good network security manager’s favor. Consider taking these five steps to protect your network against attackers.
1. Watch for intruders and prevent common attacks.
One of the most important activities undertaken by network security professionals is monitoring their networks for the signs of attacks in progress. To achieve this, they rely on a technology known as an Intrusion Detection System (IDS). These systems sit at critical points on an organization’s network and monitor all of the traffic passing that point. The IDS contains a signature database with information about thousands of known attacks. It compares the network traffic that it sees to those signatures, looking for potential attacks on the network. Once an IDS detects a potential attack, it alerts network administrators to the possible intrusion so that they may take appropriate action. Security professionals often describe intrusion detection systems as the “burglar alarms” of the network.
Once you’ve wired your network with an IDS “burglar alarm,” you can take things to the next level by giving the system the ability to proactively respond to detected security threats. Systems run in this mode, known as Intrusion Prevention Systems (IPS) are able to block suspicious traffic before it enters the protected network. One word of caution — make sure that you test this functionality rigorously before deploying it on your network. A misconfigured IPS that accidentally blocks legitimate network traffic can cause serious issues in your data center!
2. Implement consolidated network, server and application logging.
In the event of a security incident, organizations shift into incident response mode, where they are seeking to contain and assess damage to the networks and restore operations to a normal state as quickly as possible. Successfully completing these steps requires reconstructing the events surrounding a security incident. That reconstruction is often only possible if your organization has been maintaining adequate network logs. These logs should contain not only error and security messages created by network devices, but also a record of activity that took place on the network.
While space constraints normally prevent logging the detailed content of all network communications, many organizations do maintain network flow data. These flow records provide a level of detail often compared to that found on a telephone bill — which systems talked to each other, the date and time of the communication and the amount of data exchanged. Those records can be extremely useful when trying to identify the source(s) of an attack, or determine the amount of data that left an organization’s network.
In addition to ensuring that network devices generate adequate logs, you should also take steps to protect those log entries in a safe location. It is not sufficient, for two reasons, to keep the logs on the device that generated them. First, an intruder who gains access to a network device may be able to delete or modify the logs stored on that device. Second, the event may render the device itself inaccessible or nonfunctional. You can work around these limitations by creating a centralized log server that provides a protected refuge for log data — it’s easy to send data in but difficult to remove or modify existing log entries. This centralized server then acts as a single point for the collection and analysis of log records from a variety of sources, including network devices, servers and applications.
3. Encrypt sensitive information in transit on the network.
Networks often carry sensitive information that requires added protection against eavesdropping. This is especially true when the data crosses the public internet. The use of encryption technology to protect this information allows administrators to rest easy, knowing that their data is safe from prying eyes, inaccessible to anyone lacking the correct decryption key.
The first way that you can implement encryption is at the application level — through the use of Secure Sockets Layer (SSL) and/or Transport Layer Security (TLS). These protocols are used to add encryption to other application protocols. For example, the HTTPS protocol uses SSL and TLS to add encryption to standard HTTP-based web communications.
The second way encryption can secure your network is by creating encrypted links between locations that are geographically separate. Virtual Private Networks (VPNs) use encryption to connect remote users and sites to a central location over an encrypted tunnel. Once set up, the tunnel is transparent to the end user, but protects all traffic sent over the encrypted link.
4. Build redundancy into your network.
One of the biggest mistakes that organizations make when thinking about network security is focusing exclusively on the confidentiality of data. While it is certainly important to protect sensitive information, network security strategies must also include controls that preserve the availability of the network to authorized users. Network outages can cause significant losses in productivity, sales and efficiency.
An important way to improve the availability of your network is to identify any single points of failure in your network, and implement redundancy where practical. For example, if you have only a single device routing traffic at your network border, are you prepared in the event that the router fails? If it’s financially practical, adding a second router can protect you in the event of a device failure. If that’s not in the cards, then consider improving the redundancy of critical components in that device. For example, power supplies are one of the components most likely to fail. Most network devices are now available with either standard or optional dual power supplies — that’s a good investment!
5. Scan networks for vulnerabilities regularly.
The last tip that you should follow when securing your network is to regularly scan it for vulnerabilities. Remember, your network is a changing environment and new vulnerabilities are introduced every day. You should have a network vulnerability scanner installed on your network and use it to test the security of devices connected to your network on a regular basis. System and device administrators should review reports quickly and address any vulnerabilities they identify.
Most organizations choose to run vulnerability scans on either a daily or weekly cycle. You’ll need to choose the interval that makes sense and balances your security requirements with the resources available to both conduct scans and act upon the results. Remember, a scan is not a helpful security tool if nobody reads the report and addresses security issues! One helpful tip is to configure your scanner to only inform administrators when a new vulnerability is detected. This stems the tide of “everything is OK” reports and increases the likelihood that administrators will take actual reports seriously when they occur.
Securing your network is an important way that you can protect the confidentiality and availability of your organization’s computing resources and sensitive information. Taking the time to follow these five network security tips will put you well on the way to providing a secure network infrastructure.