Happy Halloween to All!
This month's topic is about what techniques are available to harden or secure your network perimeter.
We are all aware of how today's Internet-based threats can affect our day-to-day lives. They can arrive without warning, before you have any defense in place for them. Fortunately, there are some basic, common-sense steps you can take to harden your network and provide layers of security. You may not know exactly what the next threat will be, but you can certainly deploy proactive measures like the ones below that may stop such a problem right in its tracks.
One of the easiest ways for malicious software or Internet users to get into your network is not through holes in your firewall, brute-force password attacks, or anything else that happens on the network itself. It is through your remote and mobile users when they connect to your business network while on the road or from kiosks. Neither of these categories of machines is subject to your stringent security policies, and that is a major problem.
IPsec wraps communications in a layer of encryption that is difficult to break, but it also lets you restrict communications to and from certain machines based on whether their machine certificates are signed by a trusted authority and still valid. Configured this way, the machines protected by IPsec simply ignore traffic from any host that cannot authenticate, so even if an exploit were introduced into your network it could not reach them. Using IPsec in this way also forms the basis for network access control.
VLANs are essentially multiple logical boundaries created within one physical network. They are an easy way to divide the critical areas of your network from the rest. For instance, you could have one VLAN for servers and another for client machines, or you could segregate machines by department, or use any other scheme you choose. Creating a VLAN in and of itself doesn't necessarily create a layer of protection, but it forms the basis for any number of other hardening techniques, and it lets you limit the scope of security procedures to only the most critical areas of a network.
Intrusion detection/prevention systems often use heuristics that can detect malicious activity on your network before an actual signature is published by anti-virus and anti-malware vendors. IDS/IPS systems also provide a solid foundation for forensic analysis should you need to examine how an exploit entered your network or penetrated your network defenses.
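To make the "heuristics" point concrete, here is a small added example (not code from the newsletter or from any IDS product) of the kind of behavioural rule an IDS applies: a sliding window over firewall log lines that flags any source touching many distinct destination ports in a short time, with no signature for the tool involved. The log format, hosts and timestamps are constructed for the example; a real IDS has a vendor-specific parser and far richer signals, but the window logic is the same.

```python
"""Port-scan heuristic over firewall log lines (added example, not the
newsletter's code). The log format below is invented for the example."""
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) SRC=(?P<src>\S+) "
    r"DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)$"
)


def parse_line(line):
    """Return a dict for one log line, or None if the line does not match."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%S")
    ev["dpt"] = int(ev["dpt"])
    return ev


def detect_port_scans(lines, window_seconds=60, distinct_threshold=10):
    """Flag sources that touch >= distinct_threshold distinct (dst, port)
    pairs inside any window_seconds-wide sliding window.
    Returns {src: most distinct pairs seen in a single window}."""
    per_src = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable line: skip it rather than crash the detector
        per_src[ev["src"]].append((ev["ts"], ev["dst"], ev["dpt"]))

    alerts = {}
    for src, events in per_src.items():
        events.sort()  # chronological order so the window can slide
        left = 0
        for right, (ts, _, _) in enumerate(events):
            # move the left edge forward until the window fits window_seconds
            while (ts - events[left][0]).total_seconds() > window_seconds:
                left += 1
            targets = {(d, p) for _, d, p in events[left:right + 1]}
            if len(targets) >= distinct_threshold:
                alerts[src] = max(alerts.get(src, 0), len(targets))
    return alerts


# Constructed sample log (not captured from a real firewall).
NORMAL = [
    "2009-11-07T10:15:01 ACCEPT SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=443",
    "2009-11-07T10:15:07 ACCEPT SRC=10.0.0.5 DST=192.168.1.10 PROTO=TCP DPT=80",
    "2009-11-07T10:16:30 ACCEPT SRC=10.0.0.5 DST=192.168.1.11 PROTO=TCP DPT=445",
    "this line is garbage and must not break parsing",
]
# Fast sweep: 12 ports on one host within 12 seconds.
FAST_SCAN = [
    f"2009-11-07T10:20:{i:02d} DROP SRC=10.0.0.9 DST=192.168.1.10 PROTO=TCP DPT={20 + i}"
    for i in range(12)
]
# Slow sweep: 15 ports, one every five minutes, so no 60 s window holds many.
SLOW_SCAN = [
    f"2009-11-07T{11 + (5 * i) // 60:02d}:{(5 * i) % 60:02d}:00 DROP SRC=10.0.0.7 "
    f"DST=192.168.1.12 PROTO=TCP DPT={1000 + i}"
    for i in range(15)
]
SAMPLE_LOG = NORMAL + FAST_SCAN + SLOW_SCAN

if __name__ == "__main__":
    for src, n in detect_port_scans(SAMPLE_LOG).items():
        print(f"possible port scan from {src}: {n} distinct targets in 60 s")
```

With the defaults only the fast sweep from 10.0.0.9 is reported; the slow sweep from 10.0.0.7 only shows up when the window is widened to a couple of hours, which is the usual trade-off between sensitivity and false positives in a heuristic rule.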
Simply using media access control (MAC) filtering and not broadcasting your service set identifier (SSID) are methods that just do not cut it anymore in a corporate setting. WEP has been cracked numerous times and even the ankle biters will have no trouble gaining access to your wireless network protected only by WEP. Look into WPA2 to really filter out the bad guys.
This almost goes without saying (which is why I put it at the end of my list), but perimeter defense is the first, best and most effective way to protect against zero-day exploits in their many forms. To keep your network from becoming a delivery vector for a nasty vulnerability, deploy a firewall immediately. Better yet, deploy a security appliance, and perform regular audits of that firewall if you aren't doing them already.
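What a "regular audit" of a firewall actually looks for is easy to show in code. The following added example (not the newsletter's code, and not tied to any vendor's rule syntax, which is invented here) checks a rule list for the two findings that come up first in almost every audit: a "permit any/any" rule that lets everything through, and rules that are shadowed by an earlier rule and therefore never match, usually a sign that someone's intended block or allow is not in effect.

```python
"""Static audit of a simple firewall rule list (added example, not the
newsletter's code). Rule syntax is invented for the example:
    <permit|deny> <proto> <src> <dst> <dport>   with 'any' as a wildcard."""

FIELDS = ("action", "proto", "src", "dst", "dport")
MATCH_FIELDS = ("proto", "src", "dst", "dport")


def parse_rules(text):
    """Parse the rule text into a list of dicts; 'line' is the 1-based line."""
    rules = []
    for n, raw in enumerate(text.strip().splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) != 5 or parts[0] not in ("permit", "deny"):
            raise ValueError(f"line {n}: cannot parse {raw!r}")
        rules.append(dict(zip(FIELDS, parts), line=n))
    return rules


def covers(a, b):
    """True if rule a matches every packet that rule b matches.
    Only exact values and 'any' are compared; a real audit would also test
    CIDR containment (10.0.0.0/24 covering 10.0.0.5), which is omitted here."""
    return all(a[f] == "any" or a[f] == b[f] for f in MATCH_FIELDS)


def audit(rules):
    """Return a list of (line, finding) tuples, in rule order."""
    findings = []
    for i, rule in enumerate(rules):
        if rule["action"] == "permit" and all(
            rule[f] == "any" for f in ("src", "dst", "dport")
        ):
            findings.append((rule["line"], "permit any/any: allows all traffic"))
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append(
                    (rule["line"], f"shadowed by line {earlier['line']}; never matches")
                )
                break  # one shadowing rule is enough to report
    return findings


# Constructed sample rule set (not from a real firewall).
SAMPLE_RULES = """\
permit tcp any          192.168.1.10 443   # public web server
deny   tcp any          any          23    # block telnet everywhere
permit tcp 10.0.0.0/24  192.168.1.10 443   # redundant: line 1 already permits
permit tcp any          192.168.1.20 23    # intended exception, but line 2 wins
permit any any          any          any   # catch-all permit
deny   any any          any          any   # never reached after line 5
"""

if __name__ == "__main__":
    for line, finding in audit(parse_rules(SAMPLE_RULES)):
        print(f"line {line}: {finding}")
```

The output for the constructed rule set reports line 5 as an any/any permit and lines 3, 4 and 6 as shadowed; line 4 is the interesting one for an auditor, because the administrator believed telnet to 192.168.1.20 was allowed when the earlier deny means it never is.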
There you have it. To better protect your electronic assets, you must approach this from a layered perspective, or a principle-of-least-privilege model.
To respond to this or previous newsletters or to inquire about an on-site presentation, please feel free to call us at 508-995-4933 or email us at
We Manage Risk, So You Can Manage Your Business
Got something to add? Send me email.
More Articles by Michael Desrosiers © 2009-11-07 Michael Desrosiers
Technology is both a tool for helping humans and for destroying them. This is the paradox of our times which we're compelled to face. (Frank Herbert)