
Security attitudes in the firing line

by David Ludlow, Network News

20 Sep 2000


The relative safety of the playground is consigned to the past. This is the big bad world. Lurking in every corner of the web are people who will try to hack your network.

But what should we do to protect ourselves? Many will quote the amount of money they have lavished on Check Point Firewall-1 and Cisco IDS. But this is not the whole story. Buying equipment left, right and centre and proudly declaring: "We have a firewall and intrusion detection," is plain stupid.

If you don't know what you're guarding against or prohibiting users from doing, how can you configure these devices to maximum effect?

Security isn't achieved by accident. It needs to be carefully planned. You wouldn't buy a house, and then suddenly realise that while 'Door version 1.1' adequately stops stray animals from entering, you needed to configure the 'Lock add-on' to stop 'Joe Burglar'.

But many administrators apply this logic to networks, fiddling with firewall rules after every alert. We decided that it was time to write about the importance of a decent security policy.

Simplicity is the key
All a security policy needs to be is a list of what you want to achieve. It makes the process of buying and configuring security products much easier, and even if you outsource the configuration, you can still present your security policy and say: "This is what we want to enforce."

It's not a tough job and the only cost is your time. It will make purchase and management decisions more cost-effective.

For a reasonable idea of what to look at, British Standard (BS) 7799 is a good starting point. Despite being a long and arduous read, it lays out a good grounding for all companies that want to take security seriously. Reading the document - available from the British Standards Institute at www.bsi.org.uk - will highlight some of the issues that need to be considered when implementing IT security.

The standard has been well received by the industry, and looks set to be adopted internationally. It helps companies to understand risk and cost, and asks questions such as: how much money would we lose if this server is hacked, and how much does it cost to protect it?

Them and us
It eventually comes to a point where additional security is simply not cost-effective, and other methods, such as insurance to cover loss, should be employed. Security is no longer a simple 'us and them' equation - it really needs to cover everything.

Beyond reading the BS 7799 standard, we would also make the following suggestions.

Create your policy from the ground upwards. Users are a good place to start when defining acceptable behaviour. Think about how passwords should be enforced and for how long they should be valid. Think about how users will be grouped.

After you have considered this simple and fundamental step to watertight security, it's time to move on to the next level. You now need to determine what your users will or will not be permitted to do.

Look at the servers that you have installed. Do they need to be seen from the outside, and do they meet with your password policy? Which users should have access, and what kind of access should they get?

A security policy on communications is also vital. The huge mess that was caused by the Melissa and Love Bug viruses is evidence of this. Despite many companies issuing warnings that documents should not be opened, many users persisted in doing so. Their general response was: "I wanted to see what would happen."

If this highlights one thing, it's that users can't be trusted. It's up to the administrator to carefully design the relevant virus prevention and protection policy to stop general user stupidity - harsh but true.

The policy should govern the local machines, as users are likely to bring in their own files. Once a virus is behind your firewall, the damage can be devastating. Enforcing acceptable use on individual machines is the way to go. This means making sure that users cannot tamper with client antivirus software.

With a knowledge of how the network should run, you can see what software and hardware you will need. This will help with configuration as you'll know what you hope to achieve by installing a firewall in the first place.

With a security policy in place, it's time to turn your attention to the firewall, which can be notoriously difficult to tame. While the installation is often seen as the be-all and end-all of your security job, it isn't. Careful installation is needed.

One of the most frequently overlooked areas is the usefulness of a so-called demilitarised zone (DMZ). A DMZ receives protection from the firewall in the same way as the internal network, but is firewalled from the internal network as well.

Invisible security
Even if a machine sitting on a DMZ is breached, it can't touch the internal network. This makes a DMZ ideal for protecting machines such as web servers that need to be externally visible.

Many firewall vendors now provide support for multiple network cards, which is especially useful for creating multiple DMZs.

Externally visible machines can be spread across these zones, and for each machine that falls under attack, the others remain protected. The second biggest job, after protection, is to make it as difficult as possible for intruders to cause damage. Protecting machines from each other does this job for you, and the DMZ is at the heart of this.
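Once the policy is written down, the zone separation described above can be checked mechanically. The following is an added example, not part of the original article: it audits a firewall rule base against a written zone policy and flags allow rules that break DMZ isolation. The zone names, ports, policy table and sample rules are all constructed for illustration.

```python
# Added example: zone names, ports, policy and rules below are constructed.
from typing import NamedTuple

# Written policy: permitted zone-to-zone flows and ports. Anything else is denied.
POLICY = {
    ("internet", "dmz_web"): {80, 443},
    ("internet", "dmz_mail"): {25},
    ("internal", "dmz_web"): {80, 443},
    ("internal", "internet"): {80, 443},
}

class Rule(NamedTuple):
    src: str
    dst: str
    port: int      # 0 means "any port"
    action: str    # "allow" or "deny"

def audit(rules, policy=POLICY):
    """Return (rule, reason) for every allow rule the policy does not permit."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        ports = policy.get((r.src, r.dst))
        if ports is None and r.src.startswith("dmz") and r.dst == "internal":
            reason = "DMZ host can reach the internal network"
        elif ports is None and r.src.startswith("dmz") and r.dst.startswith("dmz"):
            reason = "DMZs are not isolated from each other"
        elif ports is None:
            reason = "flow not in policy"
        elif r.port == 0:
            reason = "any-port rule is wider than policy"
        elif r.port not in ports:
            reason = "port not in policy"
        else:
            continue
        findings.append((r, reason))
    return findings

# Constructed rule base, as it might look after ad hoc changes following alerts.
SAMPLE_RULES = [
    Rule("internet", "dmz_web", 443, "allow"),
    Rule("dmz_web", "internal", 1433, "allow"),
    Rule("dmz_web", "dmz_mail", 25, "allow"),
    Rule("internet", "internal", 3389, "allow"),
    Rule("internal", "internet", 0, "allow"),
    Rule("internet", "internal", 0, "deny"),
]
```

Calling `audit(SAMPLE_RULES)` returns the four allow rules that the written policy does not cover, each with the reason it was flagged.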

It is important to lose the attitude that a firewall is all the protection you need. Firewalls only block traffic types that they have been told about. If traffic is technically legal, but ends with a system being breached, you can find yourself in serious trouble.

We can't help but stress again and again how important it is to have some kind of goal in mind when security is considered. Spend the time looking at exactly what you want in the network, because once you've done it, the results will pay for themselves.

Simple steps to watertight security
  • Create a policy from the ground up.

  • Concentrate on password strengths and how long they will be valid.

  • Consider how users will be grouped and who can access resources.

  • Set access rights for individual users on both servers and PCs.

  • First protect your network from users, then turn your attention to the internet.

  • Decide which servers should be externally visible.

  • Make sure the server meets with your password policy.

  • Ensure your email gateway is robust and virus-protected.

  • Install anti-virus software on each client machine.

  • Think about specific hardware and software and how it should be configured.

  • Ensure your firewall uses Demilitarised Zones (DMZ).
