
Big companies have significantly improved the security of the network perimeter, yet despite considerable investment in this area, most enterprise networks remain vulnerable at their core. Techniques that have been deployed and have proved highly successful at defending the network perimeter have not been sufficient to protect internal systems, because of both scalability and perception issues. Despite this, security practitioners can make significant progress in shielding their internal networks by aligning their tactics with the realities of internal network security.

The following ten tips explain ways to tackle the security challenges of large, active internal networks. Because they are defensive tactics, they add up to a workable tactical plan for improving the security of an extended enterprise network.

1. Internal security is different from perimeter security.

The threat model for internal security differs substantially from that for perimeter security. Perimeter security defends your network from Internet attackers armed with zero-day exploits for standard Internet services such as HTTP and SMTP. However, the access a maintenance worker gains just by plugging into an Ethernet jack dwarfs the access a sophisticated hacker gains with scripts. Deploy “hacker defences” at the perimeter; inside, configure and enforce a tight but flexible policy to address potential internal threats.

2. Tighten VPN access.

Virtual private network clients are a substantial internal security threat because they place poorly locked-down desktop operating systems outside the protection of the corporate firewall. Be unambiguous about what VPN users can access by putting a clear policy in place. Do not give every VPN user unfettered access to the entire internal network. Apply access-control lists so that each class of VPN user can reach only what it needs, such as mail servers or limited intranet resources.

3. Perform due diligence on business partners and build internet-style perimeters for extranets.

Partner networks add to the internal security challenge. Although experienced security administrators know how to configure their firewalls to block MS-SQL, the Slammer worm penetrated defences and brought down networks because companies had given their partners access to internal resources without proper risk analysis. Since you can’t control the security policies and practices of your partners, create a DMZ for each partner, place the resources they need to access in that DMZ, and disallow any other access to your network.

4. Automate security policy tracking.

Intelligent security policy is the key to active security practice. The challenge is that changes in business operations significantly outpace the ability to adapt security policy manually. This reality demands that you devise automated methods of detecting changes in business practice that require reconciliation with the security policy. This can be as in-depth as tracking when employees are hired and fired, or as simple as monitoring network usage and observing which computers talk to which file servers. Most importantly, ensure your security policy is not so restrictive that it impairs day-to-day operations.
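The “which computers talk to which file servers” check above can be automated by comparing observed flows against the documented policy baseline and reporting the pairs the policy does not cover, so someone can decide whether the policy or the usage is wrong. The following is an added example written for this post, not the author’s tooling; the baseline, the flow-log format and the hosts are constructed.

```python
"""Report client-to-file-server flows that the documented security policy
does not cover, so the policy can be reconciled with actual usage.
Added example for this post, not the author's tooling; the baseline,
the flow-log format and the host names below are constructed."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Documented policy baseline: which client subnets may use which file server.
BASELINE = {
    "fs-hr-01": ["10.10.0.0/24"],                   # HR file server: HR desktops only
    "fs-eng-01": ["10.20.0.0/24", "10.21.0.0/24"],  # engineering subnets only
}

# Constructed flow records, one per line: "timestamp src_ip dst_host dst_port"
FLOW_LOG = """\
2024-03-01T08:00:01 10.10.0.15 fs-hr-01 445
2024-03-01T08:00:05 10.20.0.7 fs-eng-01 445
2024-03-01T08:01:10 10.30.0.9 fs-hr-01 445
2024-03-01T08:02:00 10.21.0.3 fs-eng-01 445
2024-03-01T08:03:30 10.30.0.9 fs-hr-01 445
2024-03-01T08:04:00 10.10.0.15 fs-backup-02 445
"""


def parse_flows(text):
    """Yield (src_ip, dst_host, dst_port) for each well-formed record; skip the rest."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        _ts, src, dst, port = parts
        try:
            yield ip_address(src), dst, int(port)
        except ValueError:
            continue


def find_policy_drift(baseline, flow_text):
    """Return {dst_host: {src_ip: flow_count}} for flows the baseline does not cover.

    A flow drifts from policy when the destination is not a documented server
    at all, or when the client is outside every subnet documented for it.
    """
    allowed = {host: [ip_network(n) for n in nets] for host, nets in baseline.items()}
    drift = defaultdict(lambda: defaultdict(int))
    for src, dst, _port in parse_flows(flow_text):
        nets = allowed.get(dst)
        if nets is None or not any(src in net for net in nets):
            drift[dst][str(src)] += 1
    return {host: dict(sources) for host, sources in drift.items()}


if __name__ == "__main__":
    for host, sources in find_policy_drift(BASELINE, FLOW_LOG).items():
        for src, count in sources.items():
            print(f"reconcile: {src} -> {host} ({count} flows) not covered by policy baseline")
```

Run against the constructed log, the report lists `10.30.0.9` reaching the HR file server (a subnet the policy does not mention) and an HR desktop reaching `fs-backup-02` (a server the policy does not document at all). Either the baseline is stale or the traffic is unwanted; the point is that the discrepancy surfaces automatically instead of waiting for a manual review.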

5. Close off unused network services and ports.


Several servers might be deployed specifically to deliver email, but a typical corporate network might also have upward of 100 other servers listening on the SMTP port. Audit the network for services that shouldn’t be running. If a server is configured as a Windows file server but has not been used as one in a long time, turn off file-sharing protocols on that server.
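One way to run the audit described above is to collect each host’s listening sockets and compare them against the ports its documented role justifies; anything else (SMTP on a web server, SMB on a host nobody uses as a file server) goes on the list to disable. The following is an added example written for this post, not the author’s tooling; the role allowlist, host inventory and `ss -lntp`-style snapshots are constructed.

```python
"""Audit listening TCP services on hosts against their documented roles and
flag listeners that no role justifies. Added example for this post, not the
author's tooling; the allowlist, inventory and `ss -lntp`-style output are
constructed (the column layout follows the real tool)."""
import re

# Ports each documented role is expected to expose on the network (constructed).
ROLE_PORTS = {
    "mail": {25, 587},
    "web": {80, 443},
    "fileserver": {139, 445},
}
# Management ports every host is allowed to expose.
BASE_PORTS = {22}

# Constructed inventory: hostname -> documented roles.
INVENTORY = {"mail-01": {"mail"}, "web-03": {"web"}, "app-17": set()}

# Constructed `ss -lntp` snapshots per host.
SNAPSHOTS = {
    "mail-01": """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=611,fd=3))
LISTEN 0      100    0.0.0.0:25        0.0.0.0:*         users:(("master",pid=902,fd=13))
""",
    "web-03": """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      511    0.0.0.0:443       0.0.0.0:*         users:(("nginx",pid=700,fd=6))
LISTEN 0      100    0.0.0.0:25        0.0.0.0:*         users:(("master",pid=905,fd=13))
LISTEN 0      50     0.0.0.0:445       0.0.0.0:*         users:(("smbd",pid=1200,fd=4))
""",
    "app-17": """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:25      0.0.0.0:*         users:(("master",pid=910,fd=13))
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=615,fd=3))
""",
}

# Matches a LISTEN line and captures bind address, port and process name.
LISTEN_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(snapshot):
    """Return [(bind_addr, port, process)] for each LISTEN line in ss output."""
    found = []
    for line in snapshot.splitlines():
        m = LISTEN_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found


def audit_host(roles, snapshot):
    """Return [(port, process)] for network-reachable listeners no role justifies."""
    allowed = set(BASE_PORTS)
    for role in roles:
        allowed |= ROLE_PORTS.get(role, set())
    findings = []
    for addr, port, proc in parse_listeners(snapshot):
        # Loopback-only listeners are not reachable from the network; skip them.
        if addr.startswith("127.") or addr == "[::1]":
            continue
        if port not in allowed:
            findings.append((port, proc))
    return findings


def audit_all(inventory, snapshots):
    """Map hostname -> findings, for hosts that have any."""
    report = {}
    for host, roles in inventory.items():
        findings = audit_host(roles, snapshots[host])
        if findings:
            report[host] = findings
    return report


if __name__ == "__main__":
    for host, findings in audit_all(INVENTORY, SNAPSHOTS).items():
        for port, proc in findings:
            print(f"{host}: port {port} ({proc}) not justified by roles {sorted(INVENTORY[host])}")
```

On the constructed data only `web-03` is reported: a mail daemon and `smbd` listening on a host whose only role is “web”. The mail server’s SMTP listener and `app-17`’s loopback-only SMTP (a local relay that is not reachable from the network) are correctly left alone, which keeps the list short enough that administrators will actually work through it.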

6. Protect your business-critical assets first.

It is not realistic to expect that every system on a network of 100,000 systems can be locked down and patched at all times. A typical large network presents a triage challenge. To ascertain your business-critical assets, perform a business impact analysis. It might take some time to audit, find, catalogue, patch and harden every Web server on a network of 100,000 systems. That fact shouldn’t keep you from finding the critical Web servers (for instance, the one tracking all your sales leads) and locking them down first. Once you have performed the business impact assessment, you can identify your organisation’s most vital assets very quickly. Having identified them, locate them on the network and lock them down.

7. Build protected wireless access.

Perform a complete audit of your network for wireless connectivity, and eliminate rogue wireless access points. Recognise that wireless network access is a compelling and useful facility, and offer secure wireless access to your network users. Position the access point outside your perimeter firewalls and allow users to reach your VPN through it. If you already provide wireless access on the network, the chances of your users trying to install and use rogue access points are eliminated.

8. Build protected visitor access.

Visitors should be strictly prohibited from open access to the internal network. In many organisations, security administrators and engineers attempt to enforce a policy of no Internet access in certain areas, such as conference rooms. This policy can push employees to give visitors unauthorised access from other desk areas that are harder to track. To reduce the chance of this happening, build visitor network segments for conference rooms, outside the perimeter firewalls.

9. Install virtual perimeters.

Hosts will remain vulnerable to attack as long as human beings operate them. Instead of setting unrealistic goals like “no host should ever be compromised,” make it the goal that no single host gives an attacker complete access to the network if it is compromised. Analyse how your network is used and build virtual perimeters around business units. If a human resources user’s machine is compromised, the attacker should not be able to pivot to other business units, such as IT. So implement access control between HR and IT. Organisations have experienced network staff who know how to build perimeters between the Internet and internal networks. It is therefore time to put these skills to use deploying boundaries between different business user groups on the network.
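Tips 2 and 9 both come down to the same mechanism: an ordered, first-match, default-deny rule set between network segments, where a VPN user class or a business unit is just another segment. The model below, an added example for this post and not the author’s configuration, evaluates such a rule set so the intended properties (staff VPN reaches only mail and intranet; no HR-to-IT pivot; IT may administer HR hosts but not browse HR file shares) can be checked before the rules go into a firewall. The segments, addresses and rules are constructed.

```python
"""First-match, default-deny access control between network segments, the
evaluation model most firewall ACLs follow. Added example for this post, not
the author's configuration; segments, addresses and rules are constructed."""
from ipaddress import ip_address, ip_network

# Constructed segments: VPN user classes and business units are all just segments.
SEGMENTS = {
    "vpn-staff":  ip_network("10.200.0.0/24"),
    "vpn-admins": ip_network("10.200.1.0/24"),
    "hr":         ip_network("10.10.0.0/24"),
    "it":         ip_network("10.20.0.0/24"),
    "mail":       ip_network("10.50.0.0/28"),
    "intranet":   ip_network("10.50.1.0/28"),
}

# Ordered rules: (action, source segment, destination segment, TCP ports or "any").
# The first rule that matches decides; a packet no rule matches is dropped.
RULES = [
    ("allow", "vpn-staff",  "mail",     {25, 587, 993}),  # staff VPN: mail only ...
    ("allow", "vpn-staff",  "intranet", {443}),           # ... and limited intranet
    ("allow", "vpn-admins", "it",       "any"),           # admin VPN class: IT segment
    ("allow", "hr",         "intranet", {443}),
    ("deny",  "it",         "hr",       {445}),           # IT must not browse HR file shares ...
    ("allow", "it",         "hr",       "any"),           # ... but may administer HR hosts
    # Deliberately no hr -> it rule: a compromised HR desktop cannot pivot into IT.
]

# Constructed list of ports worth checking when verifying a boundary.
COMMON_PORTS = {22, 80, 135, 139, 443, 445, 3389}


def segment_of(ip):
    """Return the name of the segment containing ip, or None if it is unassigned."""
    addr = ip_address(ip)
    for name, net in SEGMENTS.items():
        if addr in net:
            return name
    return None


def is_allowed(src_ip, dst_ip, dst_port, rules=RULES):
    """Evaluate rules top to bottom; the first match wins, no match means drop."""
    src, dst = segment_of(src_ip), segment_of(dst_ip)
    if src is None or dst is None:
        return False  # traffic from or to an unknown segment is never allowed
    for action, rule_src, rule_dst, ports in rules:
        if rule_src == src and rule_dst == dst and (ports == "any" or dst_port in ports):
            return action == "allow"
    return False


def reachable_ports(src_ip, dst_ip, ports=COMMON_PORTS, rules=RULES):
    """Return the subset of ports the policy lets src_ip reach on dst_ip."""
    return {p for p in sorted(ports) if is_allowed(src_ip, dst_ip, p, rules)}


if __name__ == "__main__":
    print("staff VPN -> IT:", reachable_ports("10.200.0.5", "10.20.0.10"))
    print("HR desktop -> IT:", reachable_ports("10.10.0.8", "10.20.0.10"))
    print("IT admin -> HR host:", reachable_ports("10.20.0.10", "10.10.0.8"))
```

Two details carry the security meaning. Default deny means the HR-to-IT boundary exists because no rule was written, not because one was; anything not explicitly documented is blocked, which is the posture the post argues for. Rule order matters: the `deny` for port 445 only works because it sits above the broader `allow "any"` for the same segment pair, so a review of a real rule set has to read the rules in sequence rather than as a bag of permissions.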

10. Streamline security decisions.

Network users are a critical ally in efforts to improve network security. Typical users may not know the difference between RADIUS and TACACS, or between proxy and packet-filtering firewalls, but they are likely to cooperate if you are honest and straightforward with them. Make the network straightforward for typical users to use. If users never have bad experiences with convoluted security practices, they will be more receptive to the evolving security practices put in place to protect the organisation.

Posted by Dan K Jatau Sr. MSc, PhD, MBCS, MInstLM

Dan K Jatau is a Nottingham, UK-based Information security and technology infrastructure expert and researcher who likes to write about technology subjects from both a business and technical perspective. His current interests are business-driven security architectures, identity and access, the Cloud, virtualization security and all aspects of security. He currently works in security program development and architecture and develops enterprise security programs for SMEs.