A security policy designates an organization's security controls without specifying technologies, and offers high-level directives on acceptable and unacceptable actions to protect critical assets. A policy should be applied consistently throughout the organization and provide a reference for employees in their day-to-day activities. The previous article dealt with data privacy and integrity norms; continuing this series, this article explains how to impose network security policies on devices, protocols and communication in a generic and uniform manner. This part focuses on best practices and methodologies of network security in the form of policies, rather than on their actual implementation.
Network Security Policy
There is no definitive mechanism for protecting a network, because any security system can be subverted or compromised, if not from the outside then certainly from the inside. Ultimately, securing a network means implementing several layers of security so that an attacker must compromise two or more systems to reach critical assets. The first step in enforcing policies is to define the policies that will be enforced. Security measures often restrict personnel in their operating practices and make some activities less convenient, which creates a temptation to circumvent security regulations. Network policies therefore govern how a network should be implemented and configured to streamline employees' operations under ordinary conditions, and guide how to react when abnormalities occur. In this context, the following sections explain the policy measures for each term or principle of network security that protects information and systems.
While designing security for your network, you will most likely identify different network segments with different security requirements. For instance, some servers will need to be accessible only by employees, while others will be openly accessible. Hence, to implement security for different divisions or subdivisions, you will erect perimeters that can only be crossed by certain types of traffic, dividing the network into public, private and semi-private segments. The boundaries of such segments are formed by devices such as routers, gateways, bridges and switches, which are capable of regulating and controlling the flow of packets into and out of the segment. Communication and monitoring devices are deployed in the network for various purposes; they must be configured properly according to requirements, accessed only according to the assigned privileges and profiles of users, and kept with their built-in software up to date. Apart from that, the following measures should be taken in the context of device security:
- The company must have each employee sign an NDA covering the details of the devices deployed inside the perimeter.
- Patches and security updates released by vendors must be applied regularly.
- ACLs should be maintained to permit or deny TCP and UDP traffic.
- Services must be disabled if they are not in use.
Internet access policies include automatically blocking all websites identified as inappropriate for company users (especially social media sites). Moreover, internet access should be granted based on the nature of the employee's work. The Internet forms a network topology in itself and connects various crucial assets of the company, for example servers and accounts sections; it must therefore be filtered and monitored properly before being used.
A VPN provides a means to protect data while it travels over an untrusted network. The VPN is intended for employee use on organization-owned computer systems only. All remote access to the corporate network should be routed via the VPN from a corporate-approved, standard operating system with the appropriate security patches. Access to company computers from home via the internet should not be allowed. To protect the network when a VPN is used for remote user access, the security administrator should ensure that adequate protection is implemented on the endpoints, for example by applying L2TP with IPsec. Moreover, VPN vendors include firewalling functionality in their clients to filter traffic.
Port Communication Policy
Communication ports at the workstation, inbound or outbound, for unnecessary services must strictly remain blocked, apart from essential services such as HTTP and HTTPS. It is commonly observed that ports for several services are left open needlessly, which typically lets an attacker breach the system with ease. Such measures can be applied by the system administrator at the firewall as the first line of defense. Hence, a workstation that communicates directly with the internet must be limited to authorized communication services or ports for inbound connections.
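The port policy above (block everything not explicitly needed, keep ACLs for TCP/UDP, disable unused services) can be checked mechanically. The following is an added example, not code from the article: a first-match ACL evaluator with an implicit default deny, plus an audit that lists listening ports no inbound rule ever permits. The rule layout, network addresses and ports are assumptions chosen for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    direction: str         # "inbound" or "outbound" relative to the workstation
    proto: str             # "tcp", "udp" or "any"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # destination port; None matches any port

# Constructed workstation policy (addresses are assumptions): evaluated top to
# bottom, first match wins, and anything unmatched hits the implicit deny.
WORKSTATION_ACL = [
    Rule("permit", "inbound",  "tcp", "10.0.0.0/8",  "10.1.2.0/24",  443),  # HTTPS from corporate nets
    Rule("permit", "inbound",  "tcp", "10.0.0.0/8",  "10.1.2.0/24",  80),   # HTTP from corporate nets
    Rule("deny",   "inbound",  "any", "0.0.0.0/0",   "0.0.0.0/0",    None), # everything else inbound
    Rule("permit", "outbound", "tcp", "10.1.2.0/24", "0.0.0.0/0",    443),  # browsing over HTTPS
    Rule("permit", "outbound", "udp", "10.1.2.0/24", "10.0.0.53/32", 53),   # DNS to the corporate resolver only
    Rule("deny",   "outbound", "any", "0.0.0.0/0",   "0.0.0.0/0",    None), # everything else outbound
]

def _matches(rule: Rule, direction: str, proto: str, src: str, dst: str, dport: int) -> bool:
    return (rule.direction == direction
            and rule.proto in ("any", proto)
            and ip_address(src) in ip_network(rule.src)
            and ip_address(dst) in ip_network(rule.dst)
            and (rule.dport is None or rule.dport == dport))

def evaluate(acl: List[Rule], direction: str, proto: str, src: str, dst: str, dport: int) -> str:
    """Return 'permit' or 'deny' for one packet using first-match semantics;
    a packet that matches no rule at all is denied (default deny)."""
    for rule in acl:
        if _matches(rule, direction, proto, src, dst, dport):
            return rule.action
    return "deny"

def needless_listeners(acl: List[Rule], listening_ports: List[int]) -> List[int]:
    """Ports the workstation listens on that no inbound permit rule ever allows:
    the services behind them are unreachable by policy and should be disabled."""
    allowed = {r.dport for r in acl if r.action == "permit" and r.direction == "inbound"}
    return sorted(p for p in listening_ports if p not in allowed)
```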
Wireless LAN Policy
To stop possible abuse of the wireless network, proper user authentication should be ensured, WEP should be replaced, and an anomaly tracking mechanism should be in place on the wireless LAN. Moreover, 802.11i security measures such as TKIP and CCMP should be employed for encryption. At the same time, the following suspicious events on a wireless LAN should always be considered for intrusion detection:
- Beacon frames from an unsolicited access point
- Flood of unauthenticated frames (MITM attack)
- Multiple incorrect SSIDs on a closed network
- Frames with a duplicated MAC address
- Randomly changing MAC addresses
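Three of the events in the list above can be turned into concrete detection logic. The following is an added example (not code from the article) that runs such checks over a constructed set of frame records: a beacon from an access point outside the inventory, a burst of unauthenticated frames from one station, and a client probing a closed network with several wrong SSIDs. The inventory, MAC addresses, SSIDs and thresholds are illustrative assumptions.

```python
from collections import Counter, defaultdict

# Constructed inventory and thresholds (assumptions for illustration).
AUTHORIZED_APS = {"00:11:22:aa:bb:01": "CorpNet"}   # BSSID -> SSID it may advertise
FLOOD_THRESHOLD = 20        # unauthenticated frames from one source per window
WRONG_SSID_THRESHOLD = 3    # distinct wrong SSIDs one client tries against our AP
WINDOW_SECONDS = 10

def detect(frames):
    """Return (event, detail) alerts for a list of frame records.
    A record is a dict with keys type, src, bssid, ssid and ts (seconds)."""
    alerts = []
    # 1. Beacon from a BSSID not in the inventory, or a known BSSID advertising
    #    an unexpected SSID: an unsolicited / rogue access point.
    for f in frames:
        if f["type"] == "beacon" and AUTHORIZED_APS.get(f["bssid"]) != f["ssid"]:
            alerts.append(("unsolicited_ap", f"{f['bssid']} ssid={f['ssid']}"))
    # 2. Flood of unauthenticated management frames (auth/deauth/probe) from
    #    one source within a time window.
    per_window = Counter()
    for f in frames:
        if f["type"] in ("auth", "deauth", "probe_req"):
            per_window[(f["src"], f["ts"] // WINDOW_SECONDS)] += 1
    for (src, _), n in per_window.items():
        if n >= FLOOD_THRESHOLD:
            alerts.append(("unauth_frame_flood", f"{src} sent {n} frames"))
    # 3. Several incorrect SSIDs probed at a closed (non-broadcast) network:
    #    someone is guessing the hidden name.
    wrong_ssids = defaultdict(set)
    for f in frames:
        if (f["type"] == "probe_req" and f["bssid"] in AUTHORIZED_APS
                and f["ssid"] != AUTHORIZED_APS[f["bssid"]]):
            wrong_ssids[f["src"]].add(f["ssid"])
    for src, names in wrong_ssids.items():
        if len(names) >= WRONG_SSID_THRESHOLD:
            alerts.append(("wrong_ssid_probing", f"{src} tried {sorted(names)}"))
    return alerts

def _frame(ftype, src, bssid, ssid, ts):
    return {"type": ftype, "src": src, "bssid": bssid, "ssid": ssid, "ts": ts}

# Constructed capture: one legitimate beacon, one evil-twin beacon, a burst of
# 25 authentication frames from one station, and three hidden-SSID guesses.
SAMPLE_FRAMES = (
    [_frame("beacon", "00:11:22:aa:bb:01", "00:11:22:aa:bb:01", "CorpNet", 1),
     _frame("beacon", "de:ad:be:ef:00:01", "de:ad:be:ef:00:01", "CorpNet", 2)]
    + [_frame("auth", "66:77:88:99:aa:bb", "00:11:22:aa:bb:01", "", 3)] * 25
    + [_frame("probe_req", "ca:fe:00:00:00:01", "00:11:22:aa:bb:01", s, 4)
       for s in ("CorpNet1", "Corp-Guest", "CorpWifi")]
)
```

Running `detect(SAMPLE_FRAMES)` yields exactly one alert per planted event; the duplicated-MAC and randomly-changing-MAC cases need per-station sequence-number tracking and are left out here.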
Remote Connection Policy
Data security is becoming a vital issue as more organizations establish network links among their employees to share information and increase productivity. As personnel increasingly prefer to work from home, security begins with the terminal session between an authorized user and a remote host on the network, in which the user can perform all functions as if he were actually on the remote host. At the same time, mismanagement of user credentials can lead to exploitation. Hence, direct access to an organization's critical servers or systems via remote login or SSH should be strictly restricted, with exceptions only for authorized users. However, encrypted access could be permissible.
Firewall Rules Policy
When a user connects to an insecure, open network such as the Internet, he opens a large doorway for potential attacks. One of the best ways to defend against exploitation from an insecure network is to employ firewalls at the connection point, as organizations need to safeguard their private networks and communication facilities. The rule-enforcement policy varies with the type of firewall and the resources deployed on the network:
- In the case of dedicated server access, an application proxy firewall must be placed between the remote user and the dedicated server to hide the identity of the server.
- If traffic must be filtered based on source and destination IP address and port, a packet-filtering firewall is quite useful and also speeds up transmission.
- On the other hand, when speed is not a concern, a stateful inspection firewall (state-table filter) at the network boundary is an appropriate choice, since it dynamically validates the connection and forwards the packet.
- Moreover, NAT should also be employed, as it complements firewalls in providing an extra measure of security for an organization's internal network, especially against DDoS and SYN flooding attacks.
- If you need a higher level of control than is available by preventing an IP address from communicating with your server, IP packet filtering can be used.
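The stateful inspection choice above differs from plain packet filtering in one concrete way: replies are admitted because a tracked connection exists, not because an inbound port range has been left open. The following is an added example, not code from the article, of a minimal state-table filter: outbound connections from the inside populate the table, an inbound packet is forwarded only if it mirrors a tracked connection (or hits an explicit inbound allow), and idle entries expire. The internal prefix, addresses, ports and idle timeout are assumptions for illustration.

```python
INSIDE_PREFIX = "10."           # assumption: internal network is 10.0.0.0/8
IDLE_TIMEOUT = 60               # seconds of silence before a tracked connection is dropped
INBOUND_ALLOW = {("tcp", 443)}  # explicitly published inbound services (constructed)

class StatefulFilter:
    """State-table filter: key = (proto, inside_ip, inside_port, outside_ip, outside_port)."""

    def __init__(self):
        self.table = {}         # connection key -> timestamp of the last packet seen

    def _expire(self, now):
        self.table = {k: t for k, t in self.table.items() if now - t < IDLE_TIMEOUT}

    def filter(self, pkt):
        """pkt: dict with proto, src, sport, dst, dport, ts. Returns 'forward' or 'drop'."""
        now = pkt["ts"]
        self._expire(now)
        if pkt["src"].startswith(INSIDE_PREFIX):
            # Outbound: a new or continuing connection from inside is recorded and forwarded.
            key = (pkt["proto"], pkt["src"], pkt["sport"], pkt["dst"], pkt["dport"])
            self.table[key] = now
            return "forward"
        # Inbound: forward only if it is the reply to a tracked connection (fields mirrored)...
        key = (pkt["proto"], pkt["dst"], pkt["dport"], pkt["src"], pkt["sport"])
        if key in self.table:
            self.table[key] = now
            return "forward"
        # ...or an explicitly allowed inbound service; everything else is unsolicited.
        if (pkt["proto"], pkt["dport"]) in INBOUND_ALLOW:
            return "forward"
        return "drop"

def _pkt(proto, src, sport, dst, dport, ts):
    return {"proto": proto, "src": src, "sport": sport, "dst": dst, "dport": dport, "ts": ts}
```

A stateless packet filter would have to permit inbound TCP to every ephemeral client port to let the same replies through, which is exactly the open-port exposure the workstation policy above warns against.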
Date Established: 5/1/2020