1.2 The Path to Network Security



A secure network is not an accident. Secure networks generally are not the product of random changes, additions, and additional network functionality. While there is no doubt that someone would be able to point to a friend or associate who has a "secure" network that happened to "organically grow" out of years of trial and error and switching things around according to the zodiac, this is really the exception. Secure networks are built out of a solid understanding of how networking works: How does a packet of information get from a client to a remote server? What happens at the server to make it return another packet to the client? How does this return packet of information get back to the client?

A secure network is built from policy. I am the type of person who cringes when I hear the term "policy." Sometimes, Dilbert-esque policies leave me mystified as to their intent and reason, other than to annoy the average end user. Despite this policy aversion of my own, I am the first to ask a customer to help me create their security policy. This ensures that you and your customer/client/boss/management all understand what you need to do. A security policy is a broad statement of principle. Once the policy is completed, the security model can be implemented. The security model is the step-by-step guide that puts the principle into practice. Chapter 2, "Managing Network Security," addresses the critical issue of creating a security policy. It also provides critical tips to avoid your transformation into the pointy-haired manager type. By creating a policy that has input, is well understood, and is fairly enforced, most of the negative connotations of "policy" will disappear.

In my experience, the most difficult part of creating a security policy is this initial step. This step needs the most participation, the most research, the most input, and the most thought. Done correctly, implementing the security model is a relatively straightforward matter of choosing the hardware, placing it in strategic points in your network, configuring it, and continually testing and monitoring it. Simple enough. Right?

Without a basic understanding of this process, it is difficult to create a system that can reliably secure your network. If you are missing this information or feel that you could stand a refresher, Chapter 3, "The Network Stack and Security," will be a good place to start. One place that I find even some seasoned security professionals failing is a solid understanding of routing and routing issues. Chapter 3, in addition to the normal presentation of network hardware and protocol operation, such as TCP/IP, also examines some of the more commonly encountered routing protocols and how they can play a part in the secure network.

While there is no shortage of obscure and confusing acronyms, protocol types, hardware, and software vendors to confuse the issue of implementation, for the most part, all of network security only uses about half a dozen different technologies. While the names of who wrote the programs and the decals on the side of the hardware may change, network security uses the same basic ideas over and over again. A series of chapters on access-control, firewalls, VPNs (virtual private networks), and intrusion detection systems cover all of the basics of each technology. Once the basics are reviewed, we then examine how they fit into our network security policy: how do they assist us in creating our security model? It is in these chapters that we will learn the amount and type of protection that each technology affords us and, more importantly, how to wisely invest in the technology to maximize security for minimum cost.

In addition to the material covering the common security technologies, we also examine some network applications and designs that, while not directly related to security, do affect the security of our network through their very operation. Wireless networking — all the rage for its ease of deployment and user friendliness — is one example. How can a wireless network with security that has been demonstrated over and over again to be faulty be part of the "secure" network? We examine our options and explore other applications that need special consideration in Chapters 4-11.

Comparing our security policy with the technologies available to us will then allow us to examine a number of case studies to put all the pieces together. For four networks, ranging from a small SOHO to enterprise-class networks, we examine the process of creating a sample security policy and then build a security model around that policy.

Finally, the book concludes with perhaps the most satisfying element of network security — penetration testing. When you attempt this on someone else's network, you are considered a criminal; but when you test your own network for vulnerabilities, you are providing valuable insight into your own network because you see it as it is seen by the rest of the world or by others utilizing your internal network. By performing network penetration testing — either through a contracted third party or by yourself — you ensure that the fruits of your labor, starting with the first meeting that discussed security policy, have been worth your time and effort. Chapter 12, "Network Penetration Testing," discusses the process of testing your own network, points you in the direction of some common tools (which change frequently) and techniques for penetration testing, and discusses what to expect from a third party if you were to hire them to test the security of your network.




Network Perimeter Security: Building Defense In-Depth
ISBN: 0849316286
EAN: 2147483647
Year: 2004
Pages: 119
Authors: Cliff Riggs
