Chapter 2: Managing Network Security


Overview

Let us clarify something right from the beginning. Technology alone is not going to secure your network. A trip to your local networking superstore will not necessarily make your network secure, even if you have to back up the minivan to take everything back to the office. The problem is that underlying all security technologies is a single inconsistency that tends to skew all of our hard work and planning — people. That is correct — you, I, and that guy or gal down the hall who is constantly dumping his or her trash in your trash bin. People screw things up. Of course, that is also part of our charm; but people will misconfigure firewalls, tell friends their passwords, make a programming error that causes a server to crash when unexpected input is entered; and odds are that it was another person who typed in the unexpected input in the first place!

The point is that we cannot rely on technology to protect our network, because the people who create the technology are not perfect. We cannot expect technology to protect us against computer crime. Crime and technology have a long history together. The invention of the wheel did not eliminate crime; it just made it easier to get away from the scene. We should not fool ourselves into thinking that ours is the generation that has finally figured out a way to make us immune to crime through the use of technology.

When we start thinking about network security, we need to think about security as a system — not a single technology. By reading this book, you will hopefully be convinced that your information is secured through the use of your information security policies, and not any single piece of technology that you are using. Sadly, I have had more than one conversation with a customer that went like this:

"Well, we have a firewall. Won't that make my network secure?" the client responds.

"It certainly is a good start, but a firewall does not imply a secure network. We can't, however, determine what you need for security until we can determine what you need to secure," I counter, sitting down to a conference table and giving my pen a twist to expose the tip.

A couple of scratches on the notepad later and I am confident that the pen is working. I look up to see the customer still looking at me.

"What do you mean, what we want to secure? We want to secure our network against hackers."

Most people clearly understand the need to secure their network. Looking at any poll of IT professionals, CIOs, and managers, the need to secure their network against "hackers" generally leads the top three concerns that these people have about their network. Unfortunately, this high priority generally leads to technology driving the security.

When technology drives the security, you have a situation in which the IT staff looks around and thinks, "What do I have that can secure my network?" In general, their gaze eventually falls upon a firewall — perhaps even a VPN (virtual private network). While I will never be one to argue that a firewall is not a good idea to include in a security model, this is not the proper approach to creating network security. It creates a security model that is built around what security a particular device can provide, rather than the security the network needs. I counsel my clients that, instead of talking about hardware and software, the first order of business should be to create a security policy. A security policy is a high-level statement of principle and describes the needs of the network. Once we know what we need to do, we can then discuss the security model. The security model is the actual hardware, software, and configuration guidelines that will be used to enforce the policy.




Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Cliff Riggs
