How do you secure a network?

John, that's an extremely open ended question, and the answer above seems to be right on target; however, the ultimate way to secure a network is to unplug it. ;) (Broad question, broad answer)

"What is the meaning of life?"

:-)

On a more serious note, if you truly know NOTHING about it, maybe read PCI DSS or maybe a few basic security books.

And, of course Ranum's Ultimate Firewall helps: http://www.ranum.com/security/computer_security/papers/a1-firewall/

I secure networks the same way as I secure modems and telephone lines: the famous AirGap product. Insert one of these and your problems are over. I do insist on looking at networks (VLANs and subnets) as secured highways. And I am quite critical of maintenance NICs attached to general access networks. The configuration and maintenance ports have little or no security (SANs, firewalls, switches, iLO, computer consoles) yet grant access to the heart of the appliance, including the ultimate DOS attack: remote power off. These connections require a separate and unrouted network with DMZ-style access. As far as the general networks, there are simply too many variations for simple rules and configurations.

The most simple and effective way to secure a network is to turn it off. Seriously.

Failing that, you need to engage the services of a qualified security expert who can evaluate the threats and vulnerabilities of your network, assess the risks to your specific scenarios, prescribe appropriate mitigations to reduce the risks to an acceptable level, and implement the solutions. You will also need to establish an ongoing program of risk management, vulnerability testing, operational oversight, user security education, and periodic testing to provide assurance that the risks are in fact being mitigated.

Layers. Bill likened a network to a secured highway. Think about how federal buildings are physically secured. Switchback roads, concrete barriers, manned checkpoints. All of these have analogs in network security. In fact, all of the previous answers start with just these items - physical security. The use of edge devices, that funnel external traffic into choke points, combined with firewalls to isolate middleware from the edge, and databases from the middleware, together with a solid multi-part authentication and hardened hosts, are all part of the solution.

Ultimately, though, it all starts with the mindset of the organization. Seperation of roles and responsibilities and the rule of least access will go a long way to guide you. Also remember to keep easily exploited tech, like wireless, on the perimeter, and question anything that would open holes in your armor once it is in place.

1) Start with your policies. Overall general IT policies, then granular down to IT security, physicsal security, acceptable use policies, etc.

2) Utilize the concept of "defense in-depth", by layering security on your computer networks and systems. Having overlapping layers can help prevent attacks (in case one layer doesn't catch it, maybe another layer will).

3) Think Web 2.0. It's no longer enough security to have just a firewall and antivirus. For securing the border between your private network and the Internet, start with a firewall, and add technologies such as VPN, intrusion prevention, web filtering, anti-spam, network antivirus, data loss prevention, etc.

4) Educate! Your end users are your biggest threat. You can have the best network security around, and your users can easily circumvent it just by bringing their laptop home and then back to the office. Make sure your users know about the latest threats and best practices on safe computing.

5) Security is a living, breathing process. Regularly test, evaluate, and update your policies. Utilize 3rd party experts to help you.

6) Don't forget compliance, disaster recovery, and business continuity in your plans.