This topic is huge because there are many aspects of security in an IT infrastructure. I have broken the topic down and will address the various areas below. Please realize that there are typically many layers in an IT infrastructure, so today's IT environments, large or small, need proper security planning. Security is an aspect of IT that you never totally complete. It always seems to be a work in progress because so many forms of malicious attack crop up every day.
There are many layers to a network, so security typically includes both physical (appliances, servers) and logical (software, firmware) services. A good place to start the discussion of security is at the outer edge of the network. Below you will find some devices typically used for securing the "front door" to your business communication infrastructure. These devices screen for viruses and any other kind of malicious activity bound for your network.
Outer edge of the Network
I refer here to the first line of defense against attacks that come from outside your network. The devices listed here operate at this layer and provide a great means of preventing unwanted network traffic.
- Protection at the outer edge of the network involves a device that scans any and all internet traffic across many types of protocols, such as SMTP, HTTP, FTP and POP3. This scanning prevents most types of virus and malicious-code threats, including macro viruses, Trojans and Internet worms, and even detects threats hidden inside .zip and other compressed file types. Very good low-cost products are available from most major vendors, and in particular one that I have had some success with is McAfee's WebShield product.
- The firewall: a very important device that protects and controls traffic throughout your network, and specifically guards against unauthorized intrusion into your network. There are many very good low-cost firewalls that provide great functionality. This layer of defense can come in the form of an appliance, such as the SonicWall TZ170 or the Cisco PIX 515E. Firewalls also come in the form of software, such as what Microsoft provides for its IIS web server (URLScan) and what Trend Micro provides with its anti-virus suite of software for the desktop.
The next layer of defense is making sure to secure the servers within your environment. First, make sure proper anti-virus and anti-spyware software services exist on each server within your environment. Another very good practice is to make sure the servers have all the latest security bulletins and software patches, as well as any service packs that are available.
Additionally, provide Windows folder-level (and, if necessary, file-level) security for the users in your organization. Try to keep this at a high level when specifying it: create groups in Active Directory and place users within those groups. Then give access to folders by group, so that when a user is added to the domain you do not have to worry about specifying all the folders they need access to; you simply join them to a group to give them the respective file/folder-level access. Another very good practice is to use Group Policies, which allow many domain-level settings to be applied to all users within your organization. One good practice performed at the Group Policy level is requiring that all users have a complex password, for example 8 characters including numbers and letters, with password expiration every 30 days. Another group policy might have the users' desktops lock after 10 minutes of sitting idle, requiring a user name and password to unlock them.
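The group-based folder access, password policy and idle-lock settings described above, scripted in PowerShell as an added example (this is not the article's own material). It assumes the RSAT ActiveDirectory and GroupPolicy modules, and the domain name, NetBIOS name, folder path, group name, user name and GPO name are all placeholders.

```powershell
# Added example: group-based folder ACLs, domain password policy and a
# 10-minute idle lock via Group Policy. All names below are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domain    = 'corp.example'            # placeholder DNS domain name
$netbios   = 'CORP'                    # placeholder NetBIOS domain name
$folder    = 'D:\Shares\Finance'       # placeholder shared folder
$groupName = 'Finance-Share-Modify'    # one group per folder and access level
$gpoName   = 'Workstation Security'    # placeholder GPO, already linked to the users' OU

# 1. Create the group if needed and add a user to it. Access is granted to the
#    group, so a new hire only has to be added here, not to every folder.
if (-not (Get-ADGroup -Filter "Name -eq '$groupName'")) {
    New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
        -Description "Modify access to $folder"
}
Add-ADGroupMember -Identity $groupName -Members 'jdoe'    # placeholder user

# 2. Grant the group Modify on the folder, inherited by subfolders and files.
$acl  = Get-Acl -Path $folder
$rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
    "$netbios\$groupName", 'Modify', 'ContainerInherit, ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# 3. Domain password policy: complexity required, 8 characters minimum,
#    passwords expire after 30 days.
Set-ADDefaultDomainPasswordPolicy -Identity $domain -ComplexityEnabled $true `
    -MinPasswordLength 8 -MaxPasswordAge (New-TimeSpan -Days 30)

# 4. Screen saver policy: lock after 600 seconds (10 minutes) idle and require
#    the user's password to resume.
$key = 'HKCU\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'ScreenSaveActive'    -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'ScreenSaverIsSecure' -Type String -Value '1'   | Out-Null
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName 'ScreenSaveTimeOut'   -Type String -Value '600' | Out-Null
```

Run it from a domain-joined administrative workstation; the GPO settings take effect on clients at their next policy refresh.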
The Desktop and the User
As I mentioned above, anti-virus software is a must nowadays. Anti-spyware is another must, especially at the desktop. Making sure that all desktops are always up to date is also very important, so care must be taken to ensure desktops are grabbing updates daily. Second, software that controls internet traffic coming from your network should be used to keep your employees out of trouble and to make sure their productivity is not inhibited by too much web surfing. There are many great products on the market, such as WebSense and Surf Control, that can help in this area. These products are referred to as content filtering services; they control the amount of time a user can surf the web and/or the sites they are allowed to visit, keeping them away from blacklisted sites and phishing sites, for example. These products also provide very rich user-level reports, so you can easily spot those individuals who spend too much time on the internet.
Web Site Hosting
- Internet connectivity for web sites, running web-based applications and even providing for e-commerce requires further planning to make sure that the sensitive data being stored and/or processed is not contaminated, stolen or compromised in any manner. Typically, when running your own web server you will want to follow much of what was mentioned above and also think about placing the server in its own network segment, called a DMZ or demilitarized zone. Within the DMZ the server provides application or web site hosting but does not hold any critical data. It should also be protected by its own software-based firewall, and when running an IIS web server, URLScan should be used.
- Running your own email server brings additional challenges as well. Making sure that the email server is not used maliciously as a relay point for spam, and that it isn't victimized by spam itself, is important. Where possible, you may want to think about having email either hosted outside exclusively, or partially hosted with a service such as Postini to provide a layer of security. For example, an excerpt from the Postini website: "Postini delivers preemptive threat prevention that identifies connection and content threats before they can reach your corporate network. Postini stops spam, phishing, viruses, directory harvest attacks..."
- When users from remote locations enter the network, e.g. via VPNs, you need to take extra precautions to ensure these users are managed properly. First, make sure that these users are always protected with anti-virus and anti-spyware on their remote machines, laptops, PDAs, etc. You should also require that their VPN account passwords be changed on a frequent basis. Auditing the users who connect remotely is also key, since if someone leaves or is terminated and still has access to the network, there is great potential for disgruntled-employee cyber-vandalism.
- When employing a wireless network there are a few simple configurations that can be made right away: 1) make sure that data communications are encrypted; 2) make sure that only specific computers are allowed to connect, e.g. MAC address filtering or RADIUS device-level authentication; 3) do not broadcast the SSID of the access points; 4) throttle down and, where possible, direct the radio signal so that it broadcasts only as far, and in the direction, that the signal is needed.
As I mentioned earlier, security is an ever-evolving process that always needs to be thought about when planning any IT-related activity. The best defense is to be on the offense and make sure to audit and manage your IT environment. One of the best ways to do this is to set up a procedure for daily maintenance and monitoring. If you want to contact me I can send out a plan and worksheet on what has worked very effectively for me.
So I will end with a definition of what it means to be proactive in order to provide for a secure IT environment. This is an excerpt from a procedure that I use on a day-to-day basis.
- Daily operational and performance monitoring to ensure that there aren't any unexpected errors occurring within the environment, specifically making sure: a) that proper backups have been performed; b) that virus protection is up to date with the latest pattern files and engines; c) that the email system is verified to ensure proper routing and spam filtering are performed; d) that server system resources are checked for disk space, fragmentation, memory usage and CPU usage; e) that any newly released security bulletins are checked for and applied if necessary; f) that user account audits are performed. Refer to the Daily Systems Maintenance and Monitoring Standard Operating Procedure.
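A PowerShell version of several of the daily checks listed above (backups, pattern-file age, disk space, security updates and the user account audit), which also covers the review of remote-access users called for in the VPN section. This is an added example, not the author's SOP; the backup log path, pattern-file path and the VPN group name are placeholders, and the thresholds are assumptions.

```powershell
# Added example: daily checks collected into one report object.
# Assumes the RSAT ActiveDirectory module; paths, group name and thresholds
# below are placeholders/assumptions, not values from the article.
Import-Module ActiveDirectory

$report = [ordered]@{}

# d) Disk space: flag any fixed disk with less than 15% free.
$report.LowDisk = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
    Where-Object { $_.Size -gt 0 -and ($_.FreeSpace / $_.Size) -lt 0.15 } |
    Select-Object DeviceID, @{ n = 'FreeGB'; e = { [math]::Round($_.FreeSpace / 1GB, 1) } }

# a) Backups: the backup job is expected to write its log within the last day.
$backupLog = 'D:\Backups\last-run.log'                   # placeholder path
$report.BackupStale = -not (Test-Path $backupLog) -or
    (Get-Item $backupLog).LastWriteTime -lt (Get-Date).AddDays(-1)

# b) Virus protection: the pattern file should be no more than 2 days old.
$pattern = 'C:\ProgramData\AV\pattern.dat'               # placeholder path
$report.PatternStale = -not (Test-Path $pattern) -or
    (Get-Item $pattern).LastWriteTime -lt (Get-Date).AddDays(-2)

# e) Security bulletins: most recently installed update, to compare with the
#    vendor's current release list.
$report.LastHotfix = Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 1 HotFixID, InstalledOn

# f) User account audit: accounts inactive for 30 days, plus members of the
#    remote-access group that are disabled or stale (catches leavers who
#    still hold VPN access).
$report.Inactive = Search-ADAccount -AccountInactive -TimeSpan 30.00:00:00 -UsersOnly |
    Select-Object SamAccountName, LastLogonDate

$vpnGroup = 'VPN-Users'                                  # placeholder group
$report.VpnUsersToReview = Get-ADGroupMember -Identity $vpnGroup |
    Get-ADUser -Properties Enabled, LastLogonDate |
    Where-Object { -not $_.Enabled -or $_.LastLogonDate -lt (Get-Date).AddDays(-30) } |
    Select-Object SamAccountName, Enabled, LastLogonDate

# Print the report; schedule the script and mail or archive the output.
$report
```

Any non-empty LowDisk, Inactive or VpnUsersToReview entry, or a True BackupStale/PatternStale value, is an item for that day's follow-up.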