Security is a fundamental requirement of any network. Unfortunately, although most system managers are aware of some of the basic requirements of a secure network, unless one has spent time (and probably some of the training budget) on formal investigation into security issues, it's common to miss some of the less obvious aspects of network security.
In this feature we'll touch on the key factors one needs to consider when trying to keep the bad guys out of the corporate network.
The importance of locks
The most basic security approach you can take is to lock the door when you're not there. It may sound obvious, but anyone who has had equipment stolen from a heavily populated office in broad daylight will appreciate that there's no point having expensive equipment preventing someone hacking in over the Internet when a thief can simply walk off with the computer itself. Physical security is an issue and when you think of the commercial value of your data you'll realise that locks, alarms and insurance policies are the first order of the day.
The most common security issue relating to employee action is the sharing of passwords and other authentication information. With today's systems, there's no reason why Bob needs to log in under Cheryl's user ID - if Bob needs access to something, this can be achieved by the security access policy of the system itself. More often than not, when user A gives user B their password, user B not only gets to access the stuff he needs but also gains access to loads of extra stuff to which A has access but B ought not to be able to access.
When someone joins, make sure they know the rules of using your network and be firm with the way you implement them. More importantly, though, when someone leaves you must ensure that their access is curtailed immediately. Harking back for a moment to the password-sharing concept described above, if Bob is sacked and you turn off his user ID, you're still at risk if Cheryl has told him her ID and password.
Another unpalatable fact of life is that you sometimes discover that members of your own staff are perpetrating security breaches. We'll look later at the idea that you should restrict access for a given user ID on a need-to-know basis, in case someone hijacks a user account, but another motive for doing so is to ensure that a hacker who happens to be on your payroll does as little damage as possible (also another reason to discourage password sharing).
Particularly in larger offices, it's common for visitors to be able to find a corner with a network outlet, plonk themselves down, and connect up their laptop to the corporate network. With the increasing popularity of wireless LANs, you can sometimes even sit in the car park and surf the company network. It's essential, then, to make sure that unknown computers are not permitted to join the network. If you run DHCP address allocation, ensure that it permits only known network adaptors to join the network, and if you're running wireless LAN protocols, turn on the encryption features.
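One way to check that only known adaptors hold addresses is to compare the DHCP server's lease file against your adaptor inventory. The following is an added example, not part of the original feature; it assumes leases in the ISC dhcpd.leases layout, and the sample leases and the inventory are constructed.

```python
import re

# Constructed sample in ISC dhcpd.leases layout (not from the article).
SAMPLE_LEASES = """
lease 10.0.0.21 {
  starts 2 2024/03/05 08:55:10;
  hardware ethernet 00:16:3e:aa:01:02;
  client-hostname "bob-pc";
}
lease 10.0.0.22 {
  starts 2 2024/03/05 09:12:44;
  hardware ethernet 00:16:3E:AA:01:03;
  client-hostname "cheryl-pc";
}
lease 10.0.0.57 {
  starts 2 2024/03/05 11:40:02;
  hardware ethernet 02:42:ac:11:00:09;
}
"""

# Hypothetical inventory of adaptors the company has issued.
KNOWN_ADAPTORS = {"00:16:3e:aa:01:02", "00:16:3e:aa:01:03"}

LEASE_RE = re.compile(r"lease\s+(\S+)\s*\{(.*?)\}", re.S)
MAC_RE = re.compile(r"hardware ethernet\s+([0-9A-Fa-f:]{17});")
HOST_RE = re.compile(r'client-hostname\s+"([^"]*)";')

def parse_leases(text):
    """Yield (ip, mac, hostname) per lease block; the MAC is lower-cased."""
    for ip, body in LEASE_RE.findall(text):
        mac = MAC_RE.search(body)
        host = HOST_RE.search(body)
        yield (ip,
               mac.group(1).lower() if mac else None,
               host.group(1) if host else None)

def unknown_adaptors(text, known):
    """Return leases held by adaptors missing from the inventory."""
    known = {m.lower() for m in known}
    return [lease for lease in parse_leases(text) if lease[1] not in known]

if __name__ == "__main__":
    for ip, mac, host in unknown_adaptors(SAMPLE_LEASES, KNOWN_ADAPTORS):
        print(f"unknown adaptor {mac} holds {ip} (hostname: {host or 'none'})")
```

An adaptor address is reported by the client itself, so treat this as an inventory check that sits alongside the wireless encryption mentioned above rather than as authentication.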
Incidentally, it should be taken as read that you should never, ever have "guest" accounts enabled on the network. Although it's tempting to use them to (say) allow visitors to print to the network printers, it's a recipe for disaster.
Some companies have "private" links between sites - and sometimes these links are to external companies. In such situations it's essential to consider the implications of the links being used for nefarious purposes. A remote link adds a level of complication to tracking down illicit activity, as well as circumventing many of your own physical security measures such as building access. There have been instances in my personal experience where company A has maintained one of company B's systems via a leased line, and an intruder to company A has managed to cause actual financial losses to company B.
If you insist on using direct dial-up for remote users, consider the problems with stolen usernames and passwords. We'll talk later about limiting an intruder's access once they're in, but give strong consideration to some other form of authentication, such as a one-time password mechanism like SecurID, which alleviates the problem of someone watching over users' shoulders as they type their ID and password.
The most obvious type of intrusion into the corporate network is someone hacking their way in over the Internet. Perhaps you're surprised that we've made it half-way into this feature before even mentioning this issue, but hopefully it's helped you realise that there's much more to security than plonking a firewall on the Internet link.
There are three key issues with Internet link security.
Viruses generally find their way into the corporate network as email attachments, although they can also get in when users unwittingly choose to download them from websites.
Step one, then, is to employ a virus checker at the point data enters your network. Some firewalls can support add-on virus modules within the firewall itself, whereas with others you'll have to have a separate virus checker system. Step two is to make sure that every computer on the network also runs virus scanning software. The best way to go is to use a corporate virus checking package - these systems allow the workstations to talk to the virus checker server and collate information about what's crept in, and allow the network manager to quickly learn about the scale of risk when something does manage to get in. It should go without saying that you must keep the virus scanner software and its signature files (the data it uses to identify viruses) up-to-date; one of my clients does an update every 15 minutes, which sounds like overkill but it does work.
There are always likely to be bugs in one or other of your corporate systems, and the way to prevent outside intruders from exploiting such bugs is with a device that prevents all incoming connections except those you want to take place. With today's firewall products it's child's play to keep out unwanted connection attempts from outside the network. Whatever firewall you choose, the trick is to deny everything by default - both incoming and outgoing - and only enable access from A to B if you really need to. When you do open a hole through the firewall, ask yourself whether you have to enable connections to everywhere (e.g. for internal users to surf arbitrary websites) or whether you can restrict access based on the user and/or the source/destination computers (e.g. user "bob" can access remote FTP server X only from Bob's own PC's IP address).
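The deny-by-default approach described above can be modelled as a rule list in which a connection passes only if some rule explicitly matches it. This is an added example, not part of the original feature and not the syntax of any firewall product; the rule fields, the policy and the addresses (documentation ranges) are assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    direction: str               # "in" or "out"
    src: str                     # CIDR the source address must fall inside
    dst: str                     # CIDR the destination address must fall inside
    port: int
    user: Optional[str] = None   # None: rule applies regardless of user

# Hypothetical policy (assumption, constructed for this example).
POLICY = [
    # User "bob" may reach FTP server X, and only from Bob's own PC.
    Rule("out", "192.0.2.10/32", "198.51.100.5/32", 21, user="bob"),
    # Inbound mail from anywhere to the mail relay only.
    Rule("in", "0.0.0.0/0", "192.0.2.25/32", 25),
    # Internal users may surf arbitrary websites.
    Rule("out", "192.0.2.0/24", "0.0.0.0/0", 80),
]

def allowed(policy, direction, src, dst, port, user=None):
    """True only if a rule matches; anything unmatched is denied."""
    for r in policy:
        if (r.direction == direction and r.port == port
                and ip_address(src) in ip_network(r.src)
                and ip_address(dst) in ip_network(r.dst)
                and (r.user is None or r.user == user)):
            return True
    return False  # default deny, incoming and outgoing alike

def open_to_everywhere(policy):
    """Outbound rules with an unrestricted destination, for periodic review."""
    return [r for r in policy
            if r.direction == "out" and ip_network(r.dst).prefixlen == 0]

if __name__ == "__main__":
    print(allowed(POLICY, "out", "192.0.2.10", "198.51.100.5", 21, "bob"))
    print(allowed(POLICY, "out", "192.0.2.11", "198.51.100.5", 21, "bob"))
    print(open_to_everywhere(POLICY))
```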
As we've already touched on, if you need to enable remote access for your users, ensure you don't rely on a username and password alone. Add a one-time password token, or some other mechanism that can't easily be stolen.
Denial of service
Some intrusion attempts aren't aimed at stealing or destroying data but have the purpose of preventing a system from working - generally by making it so busy answering nefarious connection requests that it can't cope with legitimate accesses. These are called "denial of service" attacks and, fortunately for us, most modern firewall systems cope admirably with spotting such attacks and quietly killing them off.
Preventing unwanted code
We've mentioned viruses already, but it's worth bearing in mind that some viruses work by installing a program on the user's PC that makes a connection out over the Internet and sends confidential information over it to the hacker's repository of stolen stuff. One way to prevent such issues is not to permit such connections through the firewall, but this isn't always practical if the illicit program uses (say) the web connection port, since you have to keep this port open for legitimate access. The trick here is to ensure that you exploit the security mechanisms available to you in users' desktop operating systems, most notably by ticking the box that says "User is not allowed to install programs". Operating systems such as Windows 2000 and Windows XP have the ability to restrict program installation to administrators only, and you should make the most of such facilities.
What if ...
The final thing to consider on the security front is that despite all your best efforts, someone might still be able to get into your corporate network. You therefore need to cater for such instances so that you can restrict their access and banish them as quickly as possible. The first thing to do is ensure that your user accounts have only the level of access they need and no more - which means that if a password is stolen, you always know the extent to which the intruder can use that password to get at stuff on the network. Users should be made to choose sensible passwords, and change them regularly (but not too often, or they won't be able to remember them!). High-access-level passwords should be changed more frequently than normal user passwords, and knowledge of them should be restricted on a need-to-know basis; err on the side of not telling deputy system managers the password if they don't need it day-to-day, but store the current admin password list in a sealed envelope in the company safe with the understanding that it's only to be revealed to appropriate people should you be hit by a bus and disclosure is absolutely required.
Finally, log files are your friend. If it moves, make sure logging is turned on, and if it doesn't move log it anyway. Bearing in mind that intruders who are any good will alter log files to cover their tracks, give serious consideration to having your systems log to a write-once medium such as a CD/DVD.
You've probably read this feature and said to yourself: "That's all really obvious," which it is. But it's easy to forget one or more of the key aspects of securing your system, so it doesn't do any harm to enumerate the issues. The most important thing to remember is: security is something that everyone in the business has to work at if you're to stand a chance of keeping everything secure. The users don't have to be blinded with science, but they do have to do their bit, and the owners/directors of the company need to be involved in implementing your desires because the IT guy is rarely able to exert sufficient managerial authority over staff outside his or her own department.
Don't be frightened by security. Consider what I've written and convince yourself that what you need to do is implement a set of relatively simple concepts. Remember, even if you're 90 percent toward a completely secure network, the intruder's likely to give up and try somewhere else, but if you need to employ external resources or expertise, do it, as that extra 10 percent could still make the difference.