Network Security Model – Defining an Enterprise Security Strategy

OverviewThese are the 5 primary security groups that should be considered with any enterprise security model. These include security policy, perimeter, network, transaction and monitoring security. These are all part of any effective company security strategy. Any enterprise network has a perimeter that represents all equipment and circuits that connect to external networks both public and private. The internal network is comprised of all the servers, applications, data, and devices used for company operations. The demilitarized zone (DMZ) represents a location between the internal network and the perimeter comprised of firewalls and public servers. It that allows some access for external users to those network servers and denies traffic that would get to internal servers. That doesn’t mean that all external users will be denied access to internal networks. On the contrary, a proper security strategy specifies who can access what and from where. For instance telecommuters will use VPN concentrators at the perimeter to access Windows and Unix servers. As well business partners could use an Extranet VPN connection for access to the company S/390 Mainframe. Define what security is required at all servers to protect company applications and files. Identify transaction protocols required to secure data as it travels across secure and non-secure network segments. Monitoring activities should then be defined that examine packets in real time as a defensive and pro-active strategy for protecting against internal and external attacks. A recent survey revealed that internal attacks from disgruntled employees and consultants are more prevalent than hacker attacks. Virus detection should then be addressed since allowed sessions could be carrying a virus at the application layer with an e-mail or a file transfer.Security Policy DocumentThe security policy document describes various policies for all employees that use the enterprise network. It specifies what an employee is permitted to do and with what resources. The policy includes non-employees as well such as consultants, business partners, clients and terminated employees. In addition security policies are defined for Internet e-mail and virus detection. It defines what cyclical process if any is used for examining and improving security.Perimeter SecurityThis describes a first line of defense that external users must deal with before authenticating to the network. It is security for traffic whose source and destination is an external network. Many components are used to secure the perimeter of a network. The assessment reviews all perimeter devices currently utilized. Typical perimeter devices are firewalls, external routers, TACACS servers, RADIUS servers, dial servers, VPN concentrators and modems.Network Security This is defined as all of the server and legacy host security that is implemented for authenticating and authorizing internal and external employees. When a user has been authenticated through perimeter security, it is the security that must be dealt with before starting any applications. The network exists to carry traffic between workstations and network applications. Network applications are implemented on a shared server that could be running an operating system such as Windows, Unix or Mainframe MVS. It is the responsibility of the operating system to store data, respond to requests for data and maintain security for that data. Once a user is authenticated to a Windows ADS domain with a specific user account, they have privileges that have been granted to that account. Such privileges would be to access specific directories at one or many servers, start applications, and administer some or all of the Windows servers. When the user authenticates to the Windows Active Directory Services distributed it is not any specific server. There is tremendous management and availability advantages to that since all accounts are managed from a centralized perspective and security database copies are maintained at various servers across the network. Unix and Mainframe hosts will usually require logon to a specific system, however the network rights could be distributed to many hosts.· Network operating system domain authentication and authorization· Windows Active Directory Services authentication and authorization· Unix and Mainframe host authentication and authorization· Application authorization per server· File and data authorizationTransaction Security Transaction security works from a dynamic perspective. It attempts to secure each session with five primary activities. They are non-repudiation, integrity, authentication, confidentiality and virus detection. Transaction security ensures that session data is secure before being transported across the enterprise or Internet. This is important when dealing with the Internet since data is vulnerable to those that would use the valuable information without permission. E-Commerce employs some industry standards such as SET and SSL, which describe a set of protocols that provide non-repudiation, integrity, authentication and confidentiality. As well virus detection provides transaction security by examining data files for signs of virus infection before they are transported to an internal user or before they are sent across the Internet. The following describes industry standard transaction security protocols.Non-Repudiation – RSA Digital SignaturesIntegrity – MD5 Route AuthenticationAuthentication – Digital CertificatesConfidentiality – IPSec/IKE/3DESVirus Detection – McAfee/Norton Antivirus SoftwareMonitoring Security Monitoring network traffic for security attacks, vulnerabilities and unusual events is essential for any security strategy. This assessment identifies what strategies and applications are being employed. The following is a list that describes some typical monitoring solutions. Intrusion detection sensors are available for monitoring real time traffic as it arrives at your perimeter. IBM Internet Security Scanner is an excellent vulnerability assessment testing tool that should be considered for your organization. Syslog server messaging is a standard Unix program found at many companies that writes security events to a log file for examination. It is important to have audit trails to record network changes and assist with isolating security issues. Big companies that utilize a lot of analog dial lines for modems sometimes employ dial scanners to determine open lines that could be exploited by security hackers. Facilities security is typical badge access to equipment and servers that host mission critical data. Badge access systems record the date time that each specific employee entered the telecom room and left. Cameras sometimes record what specific activities were conducted as well.Intrusion Prevention Sensors (IPS)Cisco markets intrusion prevention sensors (IPS) to enterprise clients for improving the security posture of the company network. Cisco IPS 4200 series utilize sensors at strategic locations on the inside and outside network protecting switches, routers and servers from hackers. IPS sensors will examine network traffic real time or inline, comparing packets with pre-defined signatures. If the sensor detects suspicious behavior it will send an alarm, drop the packet and take some evasive action to counter the attack. The IPS sensor can be deployed inline IPS, IDS where traffic doesn’t flow through device or a hybrid device. Most sensors inside the data center network will be designated IPS mode with its dynamic security features thwarting attacks as soon as they occur. Note that IOS intrusion prevention software is available today with routers as an option.Vulnerability Assessment Testing (VAST)IBM Internet Security Scanner (ISS) is a vulnerability assessment scanner focused on enterprise customers for assessing network vulnerabilities from an external and internal perspective. The software runs on agents and scans various network devices and servers for known security holes and potential vulnerabilities. The process is comprised of network discovery, data collection, analysis and reports. Data is collected from routers, switches, servers, firewalls, workstations, operating systems and network services. Potential vulnerabilities are verified through non-destructive testing and recommendations made for correcting any security problems. There is a reporting facility available with the scanner that presents the information findings to company staff.Syslog Server MessagingCisco IOS has a Unix program called Syslog that reports on a variety of device activities and error conditions. Most routers and switches generate Syslog messages, which are sent to a designated Unix workstation for review. If your Network Management Console (NMS) is using the Windows platform, there are utilities that allow viewing of log files and sending Syslog files between a Unix and Windows NMS.Copyright 2006 Shaun Hummel All Rights Reserved

Manned Security Guarding – Price Or Service?

You have probably noticed yourself, that most shops and offices now employ security officers. Generally these security officers will be located somewhere near the front door, either sitting at a reception desk, monitoring CCTV or standing at the front door.Having worked in security for most of my life, it is now second nature for me to look at what security is in place when I visit somewhere. This usually takes the form of just having a look at how the security officers operate.If you are going to employ security service, then you obviously have something specific in mind that you want them to do. I recently visited a well-known high-street supermarket that I have been to many times in my local area. I know that they employ one security officer. On entry there was no security – nothing wrong with that so far. Having a quick look around I couldn’t see security anywhere. I could however see who I thought was a traffic warden thumbing through the newspapers. However, on closer inspection I noticed a tiny badge on her hat that said security. By the time I left the supermarket, she was standing by the front door looking totally disinterested in what was going on. She looked in a world of her own.I understand that this store uses security as more of a deterrent rather than to catch shoplifters, but for this to work your security officer needs to be seen as being alert and proactive. Having a security officer completely disinterested in what they are doing can have the reverse effect, making your premises an easier target.Security in this store would have been arranged by head office, who possibly have never even been to the shop. The store manager won’t get a say and will just have to make do with whoever he gets sent.Security officers are still ambassadors for the store / business they are working in. They may be asked for their recommendations on how security can be improved, and if the security officer doesn’t know, who does?The security company who hold this contract are a recognized company. The problem today, is that it is more important for large companies to secure the contract and protect the bottom line, than supply quality security officers who actually have an interest in what they are doing. Protecting the bottom line usually comes at a cost to the client. Just because someone holds an SIA licence, doesn’t necessarily mean they know anything about security.But sometimes security can be misunderstood. You have proactive security officers but the person arranging security doesn’t really know how to deploy them properly.Take my recent visit to the cinema. It was a large 15 screen cinema with a bar and a few uniformed male security officers. On the front door to the cinema was one officer standing at a table just inside the doorway looking in women’s bags as they entered. The first problem was that there were two separate ways in to the building, so if you wanted to bring something in, you could just take the lift from the car park! There were also no signs posted on the way in informing people they may be subject to a bag search. It was good that security were being proactive, but they did need some direction from a person who understands how security works.I once heard someone say ‘If I can’t get a job, I’ll just go and work in security’. That is the person who will work for minimum wage for a large security company, who will then be posted at a clients premises expected to look after their best interests.Over the years, the way security contracts are procured has changed. Clients are now more likely to be talking about their security requirements with a salesman, rather than with someone who actually understands what they need. A key accounts manager in charge of securing new contracts will start on a salary of £42,000, while the person you really need to look after your business could be working for £5.75 per hour.It’s not just about supplying ‘bodies’There is of course a place for the large security companies, but sometimes it might be better to work with the smaller professional security companies who are usually able to offer the same services as the larger companies, but who keep their emphasis on the work rather than the profit margin.