What are the basics for building a secure network?
I have an office of 50 people and want to create a network with excellent security. What are the key issues I should be aware of and what will I need to make things as secure as possible?
4 Answers
Building a secure network is quite relative as everything depends on the requirements which do surround this specific installation. In general any isolated network which does not connect to Internet or to other networks can be defined as really secure.
In a nutshell when implementing a secure network the following key principles should get considered:
- create a security policy which defines your (or your project's) understanding of "secure".
- all systems / workstations connecting to this network should run an OS which runs on a most recent patch level.
- all systems / workstations connecting to this network should run an up to date virus scanning product and probably a personal firewall product.
- connectivity between your internal secure network to public Internet or other "untrusted" networks should be filtered through additional security devices (Firewalls).
- if possible you should not allow "inbound" access from outside to your internal network - if this is required you need to think about building specific DMZ areas leveraging additional security devices for protection.
- outbound communication established from internal systems back to public Internet should be filtered through suitable proxy servers which can provide additional layers of security (e.g. Virus Scanning, Content Filtering etc.).
- inbound e-Mail should be processed by systems using SPAM and Virus filters.
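The perimeter layout this answer describes (no inbound access to the internal network, a DMZ for exposed services, outbound traffic only through a proxy) can be expressed as a default-deny, first-match policy. The following is an added example, not part of the original answer; the zone names, subnets, hosts and ports are constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import NamedTuple, Optional

# Constructed addressing plan (assumption, not from the page).
ZONES = {"internal": ip_network("10.0.10.0/24"),   # office workstations
         "dmz": ip_network("10.0.20.0/24")}        # mail filter, web proxy
PROXY, MAIL_FILTER, MAIL_SERVER = "10.0.20.10", "10.0.20.25", "10.0.10.5"

class Rule(NamedTuple):
    src_zone: str
    dst_zone: str
    port: int
    src_host: Optional[str] = None   # None matches any host in the zone
    dst_host: Optional[str] = None

# Only these flows are permitted; everything else falls to the default deny.
RULES = [
    Rule("internet", "dmz", 25, dst_host=MAIL_FILTER),    # inbound mail is filtered first
    Rule("dmz", "internal", 25, src_host=MAIL_FILTER, dst_host=MAIL_SERVER),
    Rule("internal", "dmz", 3128, dst_host=PROXY),        # users reach the web via proxy
    Rule("dmz", "internet", 80, src_host=PROXY),
    Rule("dmz", "internet", 443, src_host=PROXY),
]

def zone_of(addr: str) -> str:
    """Map an address to a zone; anything unknown is the untrusted Internet."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"

def evaluate(src: str, dst: str, port: int) -> str:
    """Return 'allow' if a rule matches the flow, otherwise 'deny'."""
    key = (zone_of(src), zone_of(dst), port)
    for r in RULES:
        if (r.src_zone, r.dst_zone, r.port) != key:
            continue
        if r.src_host and ip_address(r.src_host) != ip_address(src):
            continue
        if r.dst_host and ip_address(r.dst_host) != ip_address(dst):
            continue
        return "allow"
    return "deny"

if __name__ == "__main__":
    # Constructed flows: inbound to internal, direct outbound, proxied outbound.
    for flow in [("203.0.113.7", "10.0.10.15", 3389),
                 ("10.0.10.15", "198.51.100.20", 443),
                 ("10.0.20.10", "198.51.100.20", 443)]:
        print(flow, evaluate(*flow))
```

Running candidate firewall changes through a check like this before deployment shows whether a new rule opens a direct path between the Internet and the internal zone.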
A list of items you'll need:
1) A firewall to prevent unwanted SPAM and intrusion. But keeping in mind that crackers can get through a firewall by posing as some other protocol (like HTTP or HTTPS) that looks normal to you, you'll also need:
2) An IDS/IPS (Intrusion Detection System/Intrusion Prevention System). Also must-haves but these work based on rules, so you have to know ahead of time what you want to look out for. This doesn't help when crackers find new ways to penetrate your network and there is no rule set up to prevent. So you'll need:
3) An NFAT (Network Forensic Appliance Tool) such as Sandstorm's NetIntercept that lets you monitor your network, capture traffic, and reconstruct sessions so you can perform analysis if your network is hacked into. I work for Sandstorm so warning, a shameless plug coming, but I have seen this product in action for real data breaches and there is nothing else like it out there (and it's cheap, starting at under $10K)
4) All the usual software: McAfee, Norton utilities
5) Networking Know-How. I like to think of the OSI model when discussing security... think of each layer (Physical, DataLink, MAC, Network, Transport, Presentation, Session, Application) and then think about what could go wrong at each of those layers.
For the Physical, you'll need to think about securing your computer room with a card reader, etc. and be concerned about employee theft, or someone shutting the machines down. Then go up through each layer. There was one data breach incident that used ARP (Address Resolution Protocol) to hack into a Cisco router to spoof an IP address, making the imposter look legit. For the Transport Layer, you'll want to make sure you use TCP instead of UDP. TCP is secure, UDP isn't. (Still, TCP can also be vulnerable b/c the 3-way handshake happens at the beginning of a connection, so foul play could ensue further down in the connection process.) Then keep going all the way up to Application, making sure your policy covers user training on secure passwords, etc.
Network security is more of an art than a science, and it absolutely cannot be an afterthought. It needs to be on the minds of every individual at the company, healthcare facility, or educational institution. Every employee must be trained to do their part.
Can I suggest that you take very strong heed of the first part of the first response. A secure network can theoretically be created if it is never connected in any way to another network. The better approach is to consider that your network is untrusted (by all means invest in security to minimise unwanted traffic on a network but more for QoS reasons!)
if you design your security assuming that the network is insecure and you have added with new security layers
For designing a secure network you should look for:
1. Network segmentation of critical areas and resources like servers etc.
2. Determine what to protect? and who to protect?
3. Determine the security devices to implement
4. Determine redundancy policy for critical devices and links
5. Determine effective incident management environment
6. User management environment.