Network Security Policy – Abstract
An organization’s network security policy is an official document that lays out the organization’s security expectations. It describes the security processes to be followed and the sanctions faced by those who fail to comply with them. Without a well-defined network security policy, an organization risks losing resources and opportunities; an ill-defined policy is of little use and reduces security to an ad hoc process governed by whoever happens to be in charge at the moment.
Loosely, a security policy is a formal set of rules that everyone granted access to an organization’s technology, assets and resources must abide by. Its first purpose should be to inform staff and users of their obligation to protect data, information and technology assets, whether on or off the premises, and to define the mechanisms through which that obligation is to be met. Its second purpose is to set the baseline against which network and computer systems are acquired, configured and audited for compliance. An effective security policy is therefore applied consistently throughout the organization, with detailed guidelines that employees can consult as a reference for their everyday activities.
The main intent of this article is to give a complete picture of how a network security policy is imposed on protocols, communications and devices in a generic, uniform manner. It also covers best practices and methodologies for an effective network security policy, stated as policy rather than as implementation detail. Before turning to the main areas of focus, let’s first look briefly at some of the reasons a network security policy is needed.
Why create a Network Security Policy
Some of the benefits of developing a well-structured policy include:
- Provides a blueprint for security purchases and implementations
- Details steps to follow in case of a security breach or incident
- Defines which technologies may be used, and which may or may not be added to the network.
- Creates a basis for an enforceable legal course of action.
- Defines responsibility for every level of the organization for sanctioning, implementing, funding, supporting, monitoring and auditing of the policies.
- Acts as a baseline for the next step in the evolution of Network Security.
Network Security Policy
There is no single mechanism that completely protects a network, because virtually any security system can be compromised or subverted, and intrusions may originate outside or be orchestrated from within. The most effective approach is therefore to implement several layers of security barriers, so that an attacker has to bypass more than one control to reach the target’s critical assets.
The first step in enforcing a security policy is to define the specific policy you intend to enforce. Security measures necessarily restrict personnel in their day-to-day operations, and measures that prove excessively restrictive invite attempts to work around them. They should therefore be designed to let employees work smoothly under ordinary conditions, and be well enough defined that they also give guidance on how to react when something abnormal occurs. In this context, the sections below explain how policy measures for each area of network security are imposed to protect systems and other valuable information.
When designing the security infrastructure for your network, you will have to prioritize the various network segments according to their security requirements. Some servers will be open to all, while others will be restricted to a subset of employees. To secure these different subdivisions effectively, you erect barriers that only certain kinds of traffic may cross, dividing the network into private, semi-private and public segments. The boundaries between segments are enforced by devices such as switches, gateways, bridges and routers, which control the flow of packets into and out of each segment.
Every communication and monitoring device deployed in the network must be configured as the policy requires, and access to it should be based on the privilege assigned to the user. The device’s firmware or operating system must also be kept up to date. In addition to these guidelines, the following measures should be taken into account for device security:
- Patches and security updates should be applied regularly as soon as vendors release them.
- All services that are not in use should be disabled.
- Every employee should sign an NDA covering the details of devices deployed within the perimeter.
- The company should maintain ACLs on its network devices to regulate which TCP and UDP traffic is permitted.
Internet-access policies include blocking all websites identified as inappropriate, social media platforms in particular. Access to the internet should be granted according to the nature of the user’s work. Within an organization the internet connection and the internal network are effectively one system, since the connection reaches crucial assets such as the accounts department and the servers, so internet access should be thoroughly monitored and appropriately filtered before it is granted.
A VPN is intended for use only on organization-owned computers, since it secures data as it travels over an untrusted network. Every remote connection to the corporate network should be made from a standard, approved operating system through a VPN with valid corporate approval; direct remote access to company computers from home over the public internet, outside the VPN, should be denied to prevent malicious access. L2TP over IPsec should be used to protect remote access to the organization’s computers, and firewalls should also filter the traffic of VPN clients.
Port Communication Policy
Only the ports required for essential services, such as HTTP on a web server, should be open; every other inbound or outbound port belonging to an unnecessary service should be blocked, and a port should not be left open merely because a service happens to be installed. Each needless open port increases the chance of a breach. Ports exposed directly to the internet should therefore be limited to authorized communication services, with inbound connections permitted only on those ports.
Wireless LAN Policy
An effective network policy should include guidelines on proper user authentication, a mechanism for tracking anomalies on the wireless LAN and a plan for replacing WEP, which is broken, to prevent abuse of the wireless network. For encryption, use the 802.11 protection mechanisms, preferably CCMP (the AES-based cipher used by WPA2 and WPA3); TKIP is deprecated and should be treated only as a stop-gap for legacy equipment. Below are some suspicious events on a wireless network that intrusion detection should always watch for:
- A MAC address that changes randomly
- Probe requests for a closed network carrying multiple incorrect SSIDs
- Beacon frames from an unknown (rogue) access point
- Duplicated MAC addresses on frames
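The three indicators that can be read directly off frame headers (beacons from an unknown access point, a client probing a closed network with several wrong SSIDs, and a second device reusing a legitimate MAC address) translate into simple detection logic. The following is an added example, not code from the original article, that runs that logic over constructed 802.11 frame summaries rather than a real capture. The authorized BSSID, the SSID, the client addresses and the sequence numbers are all made up for illustration; a real deployment would feed it from a wireless sensor.

```python
"""Added example: detection logic for wireless indicators, run over constructed
802.11 frame summaries (not real captures). Not part of the original article."""
from collections import defaultdict

# Constructed site data: the single access point we operate and its SSID.
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:cc"}
OUR_SSID = "corp-wlan"
SEQ_MOD = 4096   # 802.11 sequence numbers are 12 bits wide

# Each record is (frame_type, transmitter_mac, ssid, sequence_number).
FRAMES = [
    ("beacon",    "00:11:22:aa:bb:cc", "corp-wlan", 10),
    ("beacon",    "de:ad:be:ef:00:01", "corp-wlan", 7),    # our SSID from an unknown BSSID
    ("probe_req", "66:77:88:99:aa:bb", "corp-wlan", 1),
    ("probe_req", "66:77:88:99:aa:bb", "corp-wlan2", 2),
    ("probe_req", "66:77:88:99:aa:bb", "corp_wlan", 3),
    ("probe_req", "66:77:88:99:aa:bb", "corpwlan", 4),      # guessing closed-network SSIDs
    ("data",      "00:11:22:aa:bb:cc", None, 11),
    ("data",      "00:11:22:aa:bb:cc", None, 12),
    ("data",      "00:11:22:aa:bb:cc", None, 3),            # spoofed AP MAC: counter out of step
    ("data",      "00:11:22:aa:bb:cc", None, 13),
]


def rogue_beacons(frames, authorized=AUTHORIZED_BSSIDS):
    """Beacon frames transmitted by a BSSID we do not operate. A rogue AP that
    advertises our own SSID (an evil twin) is caught the same way."""
    return sorted({mac for ftype, mac, _, _ in frames
                   if ftype == "beacon" and mac not in authorized})


def ssid_guessing(frames, our_ssid=OUR_SSID, threshold=3):
    """Clients probing for several SSIDs that are not ours. A client legitimately
    probes for networks it remembers, so only a cluster above the threshold is flagged."""
    wrong = defaultdict(set)
    for ftype, mac, ssid, _ in frames:
        if ftype == "probe_req" and ssid and ssid != our_ssid:
            wrong[mac].add(ssid)
    return {mac: sorted(s) for mac, s in wrong.items() if len(s) >= threshold}


def seq_anomalies(frames, tolerance=64):
    """Frames whose sequence number falls behind the counter already seen for the
    same transmitter MAC. A genuine station increments the counter once per frame,
    so a backwards jump (other than the 12-bit wraparound, which shows up as a
    small forward gap) suggests a second device using the same address."""
    last = {}
    hits = []
    for _, mac, _, seq in frames:
        if mac in last:
            gap = (seq - last[mac]) % SEQ_MOD      # forward distance, wrap-aware
            if gap == 0 or gap > SEQ_MOD - tolerance:
                hits.append((mac, last[mac], seq))
        last[mac] = seq
    return hits
```

The sequence-number heuristic is deliberately tolerant: a legitimate station that retransmits or that you only partially observe will produce small irregularities, so the check only fires on a repeat or a clear backwards jump, and the tolerance window is a tuning parameter rather than a fixed constant.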
Remote Connection Policy
As organizations add more network links between their employees to boost productivity, data breaches become more common. In a typical attack the intruder takes over a session by cutting off the remote user and then using that user’s credentials to access the company’s network as if they were the legitimate remote host. Careless handling of remote users’ credentials can likewise lead to exploitation of the system. Only authorized users should be granted direct access to an organization’s critical servers; everyone else should be confined to restricted access, for example through SSH or another remote login utility.
Firewall Rules Policy
Every time a user connects over an insecure open network, they open a door for potential attackers to infiltrate the system. Firewalls at the connection point are therefore necessary to safeguard communication facilities and private networks. The following guidelines come in handy when deploying firewalls to the various segments of the network:
- For dedicated server access, hide the identity of the server by placing a proxy firewall between the remote user and the dedicated server.
- Where traffic is to be filtered on source and destination port or IP address alone, use a packet-filtering firewall; it is also the fastest option, since each packet is judged on its own.
- Where throughput is less critical, stateful inspection is preferable: the firewall keeps a state table of connections, validates each packet against it dynamically and forwards only packets that belong to a legitimate connection.
- Where an organization’s internal network needs an extra measure of protection, use NAT as a complement to the firewall so that internal addresses are not exposed directly.
- Finally, use IP packet filtering where you need finer-grained control than simply blocking all communication between a given IP address and your server.
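The difference between the packet-filtering and stateful-inspection options above, and the default-deny port policy and TCP/UDP ACLs called for earlier, are easiest to see in working form. The following is an added example, not code from the original article or any firewall vendor: a minimal filter that evaluates constructed packets against a rule set, first statelessly and then with a connection state table. The addresses, ports and rules are made up for illustration, and a real deployment uses the packet filter of the router or firewall itself; the point is the behavioral difference, not the engine.

```python
"""Added example: default-deny packet filtering, stateless and stateful, over
constructed packets. Not part of the original article; every address, port and
rule below is made up for illustration."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str            # "tcp" or "udp"
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False     # a pure TCP SYN marks a new connection attempt
    ack: bool = False


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    proto: str = "any"
    src: str = "any"             # exact address or "any" (CIDR omitted for brevity)
    dst: str = "any"
    dport: Optional[int] = None  # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto == "any" or self.proto == p.proto)
                and (self.src == "any" or self.src == p.src)
                and (self.dst == "any" or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


# Port policy for a public web server (constructed): only HTTP and HTTPS are
# reachable; everything else falls through to the implicit default deny.
INBOUND_RULES = [
    Rule("allow", proto="tcp", dst="203.0.113.10", dport=80),
    Rule("allow", proto="tcp", dst="203.0.113.10", dport=443),
    Rule("deny", proto="udp"),   # no UDP service is published on this host
]


def stateless_filter(p: Packet, rules=INBOUND_RULES) -> str:
    """Packet filter: first matching rule wins, no match means deny. Each packet
    is judged on its own, so there is no notion of an established connection."""
    for r in rules:
        if r.matches(p):
            return r.action
    return "deny"


class StatefulFilter:
    """Stateful inspection: a connection admitted by the rules is recorded in a
    state table keyed on the 5-tuple, and later packets in either direction of
    that connection are forwarded without consulting the rules again."""

    def __init__(self, rules=INBOUND_RULES):
        self.rules = rules
        self.table = set()

    @staticmethod
    def _key(p: Packet):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse_key(p: Packet):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def filter(self, p: Packet) -> str:
        if self._key(p) in self.table or self._reverse_key(p) in self.table:
            return "allow"          # belongs to an established connection
        if p.proto == "tcp" and not (p.syn and not p.ack):
            return "deny"           # mid-stream TCP segment with no state: bogus
        verdict = stateless_filter(p, self.rules)
        if verdict == "allow":
            self.table.add(self._key(p))
        return verdict
```

Two packets show the trade-off. A bare ACK segment aimed at port 443 (the classic ACK-scan probe) is accepted by the stateless filter, because it matches the HTTPS rule, but denied by the stateful one, which has no connection for it. Conversely the server’s reply to the client’s ephemeral port is denied by the stateless filter, which would need a broad extra rule to admit return traffic, while the stateful filter allows it because the state table recorded the admitted connection. That dynamic validation is what the stateful-inspection bullet buys, at the cost of per-connection bookkeeping.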
As the last line of defense, an IDS should be deployed to monitor for anomalies and detect unauthorized access, since antivirus and firewall measures alone are not sufficient. Security personnel or risk managers must also check the systems regularly for suspicious activity. To catch elevated privileges, altered permissions, inappropriate audit rights, inactive accounts, registry changes and the like, use endpoint protection with built-in IDS/IPS. Host-based IDS runs as software on the operating system, while network IDS that intercepts traffic inline is usually deployed as a dedicated hardware appliance, essentially for performance reasons.
Proxy Server Policy
Proxy servers are used for both defensive and offensive purposes and typically reside between a user and a server. The following checklist must be adhered to while deploying a proxy server.
- All services should have a logging facility
- A proxy should not accept connections from outside the network (never run an open proxy).
- The proxy should run on the most up-to-date software and patches.
Secure Communication Policy
Data conveyed unencrypted through network devices such as routers and switches is susceptible to sniffing, spoofing and session hijacking. (Encryption does not defend against denial-of-service attacks such as SYN flooding; those need rate limiting and filtering at the network layer.) You cannot fully control the devices that carry your data, but you can secure the data itself, and to some degree the channel, against unauthorized access. To counter these attacks, use encrypting protocols such as SSH, IPsec and TLS (the successor to the now-deprecated SSL); they can wrap virtually every kind of application traffic, including HTTP, IMAP, POP3 and FTP. TLS in particular travels easily through NAT devices, firewalls and any other device on the network as long as the appropriate ports are open. If you need to transmit data that is valuable to your organization, take the following steps:
- Ensure that a man-in-the-middle cannot tamper with the data in transit (integrity protection).
- Ensure that no unauthorized party between the source and the server can read the channel (confidentiality).
- Authenticate the identity of the computers and people that send the packets.
Servers and systems that must be reachable from the public internet, such as mail, database and web servers, should be deployed on a dedicated subnet (a DMZ) that separates the outside from the inside. This limits what an attacker can reach, since publicly accessible hosts are the easiest to attack.
The primary goal of network security is to ensure the confidentiality, availability, and integrity of every asset within the network’s perimeter. Therefore, the remaining part of this article will now focus on components of network security policy, give a typical outline and finally show how to monitor network security by outlining some simple methods to carry out the task.
What Belongs in a Network Security Policy?
Every organization is expected to develop a policy based on a variety of factors, after an exhaustive study. The policy will be subject to change and adjustment as new technologies emerge and as more advanced technologies become financially feasible. A good policy may include the following components.
- Scope and statement of authority – should include who funds and authorizes the policy as well as those whom it directly impacts.
- Access policy – defines acceptable access rules for management staff, network operation staff, and users. It also outlines the specific privileges and responsibilities of the various categories of network users. It should cover procedures for modifying software, adjusting OS settings, adding software to systems and, most significantly, bringing new devices onto the network. Significant elements of the access policy might be included as part of the network policy.
- Acceptable use policy – states the expected behavior of users and defines the technologies it covers, such as cell phones, pagers, computers and so forth.
- Wireless access policy – states circumstances under which a wireless device can be used within a company network.
- Password policy – defines how passwords will look and the frequency at which they are to be changed.
- Authentication policy – it is more of an advanced password policy that defines local access password policy and provides directives for the remote authentication process.
- Availability statement – states out what users should expect about resource availability. It should outline known risks, recovery issues, and redundancy. Contact information for reporting network or system malfunctions should also be included.
- Switch and router security policy – explains how routers and switches connecting to a production network should be configured.
- Antivirus policy – states tools to be used and how they are to be implemented.
- Network and IT systems maintenance policy – defines the extent to which both external and internal personnel are allowed to handle and access the company’s technology. It should state whether remote maintenance of technology is allowed and under what circumstances. It should also detail whether maintenance can be outsourced, how outsourcing is to be managed and the legitimate process to follow when it is necessary.
- Violations reporting policy – categorizes violations into those that should be reported and specifies the person they are to be reported to. The policy should provide guidelines on how to handle external security incidents, the person to respond to the incident, and the mechanism to respond to the situations depending on the point of contact.
Example of an Outline for Network Security Policy
Wireless Communication Policy
This company does not grant access to the <Company Name> network via unprotected wireless communication. Only systems with an explicit waiver, or that meet the requirements of this policy, may connect to the <Company Name> network.
This policy covers every device connected to the <Company Name> internal network, including all wireless communication devices capable of conveying packet data.
This is what every wireless implementation must do to comply with this policy:
- Maintain a registered and traceable hardware address, i.e. MAC addresses.
- Maintain point-to-point hardware encryption of at least 128 bits (for example AES-CCMP); the 56-bit minimum found in older templates is no longer adequate.
- Support strong user authentication that verifies against an external database such as RADIUS, TACACS+ or something similar.
Violation of these policies by any employee will attract disciplinary action, up to and including termination of employment.
- User authentication – the methodology for verifying that the wireless system is a legitimate user, separate from the OS or computer being used.
- Revision History
Only the client or the company would replace the reference to <Company Name>. The policy is standardized so that policies unique to the organization, or that fit it well, can easily be added.
Monitoring Network Security Policy
A comprehensive network security policy should include criteria for monitoring the network as a routine activity. The main intent of monitoring is to identify weaknesses that attackers could exploit; it should also confirm that network users are adhering to the policies.
Monitoring can be as simple as the organized collection and review of the log files the network generates in normal operation. Several failed logins may indicate a user who needs further training, or a malicious break-in attempt. At the other end of the spectrum are sophisticated systems that monitor network traffic: devices such as an IDS look for indicators, such as attack signatures, that signal something is amiss. When a red flag is raised, the IDS sensor notifies the IDS management console, which in turn initiates mitigation to shut down the attack, for example by adding an entry to a firewall or router list that specifically blocks traffic from that source.
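The simple end of that spectrum, reviewing authentication logs and telling a struggling user apart from a break-in attempt, is worth seeing in code. The following is an added example, not code from the original article or from any product, that runs over constructed sshd-style auth log lines (no real system produced them). The thresholds are assumptions to be tuned per site; the block list it produces is the kind of input the firewall or router block list mentioned above would consume.

```python
"""Added example: review of constructed sshd-style auth log lines, separating a
probable break-in attempt from a user who may need help. Not part of the
original article; the log lines, hosts and thresholds are made up."""
import re
from collections import defaultdict

# Constructed log lines in the format OpenSSH writes to the auth log.
LOG_LINES = """\
Mar  3 09:01:02 gw sshd[2101]: Failed password for alice from 10.0.0.5 port 50122 ssh2
Mar  3 09:01:09 gw sshd[2101]: Failed password for alice from 10.0.0.5 port 50122 ssh2
Mar  3 09:01:15 gw sshd[2101]: Accepted password for alice from 10.0.0.5 port 50122 ssh2
Mar  3 09:02:40 gw sshd[2133]: Failed password for invalid user admin from 198.51.100.7 port 4242 ssh2
Mar  3 09:02:41 gw sshd[2134]: Failed password for invalid user root from 198.51.100.7 port 4243 ssh2
Mar  3 09:02:42 gw sshd[2135]: Failed password for invalid user test from 198.51.100.7 port 4244 ssh2
Mar  3 09:02:43 gw sshd[2136]: Failed password for bob from 198.51.100.7 port 4245 ssh2
Mar  3 09:02:44 gw sshd[2137]: Failed password for invalid user oracle from 198.51.100.7 port 4246 ssh2
Mar  3 09:02:45 gw sshd[2138]: Failed password for invalid user guest from 198.51.100.7 port 4247 ssh2
""".splitlines()

# "invalid user" appears when the account does not exist; either way we want the name.
FAILED = re.compile(r"Failed password for (?:invalid user )?(\S+) from (\S+) port \d+")
ACCEPTED = re.compile(r"Accepted \w+ for (\S+) from (\S+) port \d+")


def summarize(lines):
    """Count failures per source address and username, and record which
    (user, source) pairs eventually logged in successfully."""
    fails_by_src = defaultdict(lambda: defaultdict(int))   # src -> user -> count
    accepted = set()
    for line in lines:
        m = FAILED.search(line)
        if m:
            user, src = m.groups()
            fails_by_src[src][user] += 1
            continue
        m = ACCEPTED.search(line)
        if m:
            accepted.add(m.groups())
    return fails_by_src, accepted


def classify(lines, attempt_threshold=5, user_threshold=3):
    """Return (block_list, needs_help). A source with many failures, or failures
    spread across several usernames, is behaving like a break-in attempt and goes
    on the block list for the firewall or router ACL. A user who failed a few
    times from one source and then succeeded is flagged for follow-up instead."""
    fails_by_src, accepted = summarize(lines)
    block_list, needs_help = [], []
    for src, per_user in fails_by_src.items():
        total = sum(per_user.values())
        if total >= attempt_threshold or len(per_user) >= user_threshold:
            block_list.append(src)
            continue
        for user, n in per_user.items():
            if (user, src) in accepted:
                needs_help.append((user, src, n))
    return sorted(block_list), sorted(needs_help)
```

The distinction the two thresholds draw is the one the paragraph above makes: a handful of failures from one address followed by a success looks like a mistyped password, while many failures against many account names from one address, several of them nonexistent, is password guessing and warrants blocking the source.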
Network security policies revolve around protecting every resource on a network, from the initial threat through to further exploitation. The policy should cover all essential network devices, the data conveyed and the transmission media, not only the machines attached to the network. By the end of this article you should understand the various areas in which policies can be imposed for a reliable, secure and robust network architecture. An organization should design its policy so that all its entities comply with it, both to improve performance and as a defense against network vulnerabilities. The policy should be strong enough to protect your systems against the many ways they can be compromised, such as code injection, software bugs and malware.
Joseph Ochieng’ was born and raised in Kisumu, Kenya. He studied civil engineering for his first degree and later pursued a bachelor’s in information technology from the Technical University of Kenya. His educational background has given him a broad base from which to approach topics such as cybersecurity and civil and structural engineering. When he is not reading or writing about the various loopholes in cyber defense, he is probably doing structural design or watching La Casa de Papel. You can connect with Joseph via Twitter @engodundo or email him at [email protected] to hear about new article releases.