Information Security Basics

Whether you run your own home network or are part of the IT shop administering the corporate network, there are some basic information security protocols which should always be followed. These tips are designed to help you, the administrator, adequately protect the network from the myriad of attacks available today. Ensuring your network is free of compromise is vitally important for all network users because it allows for the continued, uninterrupted operation of the very network they rely upon to perform their job.

This list is, by no means, designed to be all-inclusive. It is merely a small subset of tips which should help set most people in the right direction. These tips are generally married with more complex solutions, producing a far more comprehensive effort than the mere implementation of these basics.

1. Defense-In-Depth

Defense-in-Depth is the foundation of all information security programs. It is a comprehensive strategy for protecting a network through layers. These layers are generally network areas such as the network perimeter (i.e. the premise router), DMZ, physical security, authentication mechanisms, auditing, logging and more. This list is by no means all-inclusive.

By placing multiple layers of defense throughout your network you will increase the complexity required to break through those defenses while simultaneously hardening your network defenses. By itself, the statement sounds like all you do is slap in some defense-in-depth and you’re off and running. That is not the case. An IT shop must have someone on staff who clearly comprehends information security and defense-in-depth for the program to succeed.

As I said, defense-in-depth is a framework. The majority of the remaining tips, while doable on their own, are ultimately layers within this theory. Merely implementing them individually may very well increase your network security posture, however it is advisable to implement all measures to protect your network at the highest degree possible.

2. Network Security Perimeter – Deny by Default, Allow by Exception

All good networks have strong perimeter defenses. Every network connection must have a premise router, the router which is connected to the upstream internet service provider. The premise router should make use of access control lists (ACLs) to only allow the minimum required TCP/IP connections both in and out of the network. This is known as a “deny by default, allow by exception” policy.

If your network does not run a web server accessible by the public, there is absolutely no need to allow 80/tcp inbound from the world. If there is no SSL server accessible by the public, do not allow 443/tcp inbound. More than likely, 1024-65535/tcp and 1024-65535/udp are not required inbound at all.

Allowing the possibility for these connections is a huge and unnecessary vulnerability. Essentially, you deny all connections by default and build an ACL which only allows required connectivity in or out of the network.

Along with a strong premise router ACL, all networks should employ at least a stateful firewall sitting right behind the premise router. The firewall should be configured identically to the premise router, following the “deny by default, allow by exception” policy.

The reason a stateful firewall is important is because we need to be able to inspect the packets, and keep track of the state of the network connections traversing the firewall. This allows the firewall to adequately distinguish between legitimate and potentially harmful connections or connection attempts.
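To make the two ideas above concrete (the exception-only ACL from the premise router paragraphs, and the connection tracking that a stateful firewall adds on top of it), here is a small Python model of a deny-by-default filter. It is an added example, not code from the original article or from any router or firewall vendor: the allow list, the addresses (from the documentation ranges 192.0.2.0/24, 198.51.100.0/24 and 203.0.113.0/24) and the sample packets are all constructed, and it assumes the site runs one public web server, so 80/tcp and 443/tcp are the only inbound exceptions.

```python
"""Toy model of a "deny by default, allow by exception" perimeter filter.

Added example, not part of the original article. All rules, addresses and
packets below are constructed sample values, not a real network.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    proto: str        # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    direction: str    # "in" = arriving from the ISP side, "out" = leaving
    syn: bool = False  # True for a TCP segment that opens a connection


# The exception list. Anything not listed here is dropped, which is the
# "deny by default" part. Entries are (direction, proto, destination port).
# Assumed: a public web server exists, so 80/tcp and 443/tcp are the only
# inbound exceptions; no inbound high ports (1024-65535) are opened at all.
ALLOW = {
    ("in", "tcp", 80),
    ("in", "tcp", 443),
    ("out", "tcp", 80),
    ("out", "tcp", 443),
    ("out", "udp", 53),
}


class StatefulFilter:
    """ACL lookup plus a connection table.

    The connection table is what a stateless router ACL lacks: it lets replies
    to sessions we already permitted back in without opening the high ports to
    the whole internet, and it drops mid-stream TCP segments that belong to no
    session we have seen open.
    """

    def __init__(self, allow):
        self.allow = allow
        self.conns = set()  # 5-tuples of sessions permitted so far

    def evaluate(self, pkt):
        fwd = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        rev = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        # 1. Part of a session we already allowed (either direction): admit.
        if fwd in self.conns or rev in self.conns:
            return "allow"
        # 2. A TCP segment that is not a SYN and matches no known session is
        #    not a legitimate new connection, regardless of the port.
        if pkt.proto == "tcp" and not pkt.syn:
            return "deny"
        # 3. New connection: consult the exception list; the default is deny.
        if (pkt.direction, pkt.proto, pkt.dport) in self.allow:
            self.conns.add(fwd)
            return "allow"
        return "deny"


# Constructed sample traffic, in order of arrival.
SAMPLE = [
    # Internal host resolves a name: outbound DNS, on the exception list.
    Packet("udp", "192.0.2.5", 40000, "198.51.100.1", 53, "out"),
    # The DNS reply comes back to high port 40000, admitted only by state.
    Packet("udp", "198.51.100.1", 53, "192.0.2.5", 40000, "in"),
    # Public client opens a connection to the web server on 80/tcp.
    Packet("tcp", "198.51.100.77", 51000, "203.0.113.10", 80, "in", syn=True),
    # Same client tries 22/tcp: not an exception, denied by default.
    Packet("tcp", "198.51.100.77", 51001, "203.0.113.10", 22, "in", syn=True),
    # Unsolicited UDP to a high port: no session, no exception, denied.
    Packet("udp", "198.51.100.77", 5000, "203.0.113.10", 40000, "in"),
    # Stray ACK to port 80 with no matching session: denied by state check.
    Packet("tcp", "198.51.100.77", 51002, "203.0.113.10", 80, "in", syn=False),
]


def run_sample(packets=SAMPLE):
    """Run the sample through a fresh filter and return the decisions."""
    fw = StatefulFilter(ALLOW)
    return [fw.evaluate(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE, run_sample()):
        print(f"{verdict:5}  {pkt.direction:3} {pkt.proto} "
              f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}")
```

The second and last packets are the ones a plain router ACL cannot get right on its own: the DNS reply lands on a high port that the exception list never opens, and the stray ACK arrives on a port the list does open. Only the connection table separates the two, which is the point of putting a stateful firewall behind the premise router rather than relying on the ACL alone.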

3. Anti-Virus

If there is one security application which is a must-have, anti-virus protection is it. Not using anti-virus software will definitely do way more harm than you ever thought possible.

At the minimum, install an anti-virus client on all workstations and servers on the network and have those clients report to a corporate anti-virus server. It is important to install anti-virus software on all servers and clients. If even a single machine is left not running anti-virus software then that one vulnerability may cost you in the end.

These basic information security tips are just that – basic. There are far more advanced techniques for protecting your network. In a future installment I plan on covering some of the more complex methods.

For now, enjoy reworking your premise router to a “deny by default, allow by exception” policy. It will do wonders for the amount of help desk phone calls you are going to receive. After all, if your users are suddenly unable to use bittorrent or instant messaging, after having been able to for so long, they’re going to wonder what’s going on. Be prepared for the onslaught of questions!

Does your network currently employ any of the aforementioned techniques? If not, do you envision ever implementing such measures? Do you do something not mentioned?

  • http://techmiso.com/271/dod-has-no-desire-to-mitigate-windows-dependency/ TechMiso :: DoD Has No Desire to Mitigate Windows Dependency

    [...] are many strategies for mitigating this type of vulnerability. I previously spoke about defense-in-depth, whereby a layered approach to security strengthens the overall security of the network. Being [...]

  • http://www.k9stud.com Dogs For Sale

    Every day the number of hackers is increasing. So, we need to be more careful to prevent it and always need to store our confidential information in safe places.