11 Critical Items for a Network Security Policy

By Joseph Ochieng •  Updated: 11/30/19 •  14 min read

The organization’s network security policy is an official document that lays out the organization’s security expectations.  The Network Security Policy outlines the security processes and the sanctions faced by those who fail to comply with the stated doctrines. Lack of a well-defined network security policy may lead to a loss of resources and opportunities for the organization. An ill-defined policy lacks any usefulness to the organization and only makes security an ad hoc process governed by the person in charge at that given moment.

Loosely, a security policy is a formal set of rules that those who are granted access to organizations’ technology, assets, and resources must abide by. A security policy’s main purpose should be to inform staff members and users of their obligatory requirement for protecting data, information, and technology assets within or outside the premises. The policy should define the mechanism through which these expectations are to be met. Second, a security policy should outline the baseline from which to acquire, configure, and audit network and computer systems for compliance with the policy. Therefore, an effective security policy should be applied all through the organization consistently, with detailed guidelines for employees to use as a reference for their typical activities.

The main intent is to provide a complete understanding of how to impose network security policy onto protocols, communication, devices in both generic and uniform manner. The article will also focus on some of the best practices and methodologies of an effective network security policy in the form of policies rather than the actual implementation. Before jumping into the main areas of focus, let’s first briefly look into some of the reasons we need a network security policy.

Why create a Network Security Policy

Some of the benefits accrued in developing a well-structured policy include:

Network Security Policy

There is no single definitive mechanism for completely protecting a network because, virtually, any security system can be compromised or subverted. Intrusions may be from outside or internally orchestrated. Therefore, the most effective way to secure a network system may be by implementing different layers of security barriers. This makes an attacker have to bypass more than one system to gain access to critical assets of the target.

The first basic step in enforcing a security policy is to define the specific policy that you aim at enforcing. Security measures are implemented to restrict personnel in their day-to-day operations. In some cases, the measures prove to be “extremely” limiting hence the temptation to boost security regulations. These network measures are put in place to streamline employees’ operations in ordinary conditions and, therefore, be well defined. They provide guidelines on how to react to the occurrence of an abnormality. In this context, the section below explains how each principle of network security measures is to be imposed to protect systems and other valuable information.

  1. Device Security

While designing your network’s security infrastructure, you will have to prioritize various network segments as per their extent of security requirements. For instance, certain servers will be accessible and open for all, while others will be restricted to a section of employees. Hence,  to implement effective security for different subdivisions and categories, you will put up barriers that can only be navigated by certain types of traffic in the form of Private networks, Semi-private networks, and Public networks.  Such limitations from different network segments can be founded by devices such as switches, gateway, bridges, and routers that can control the in-flow and out-flow of packets into the various segments.

Every communication and monitoring device deployed in the network system must be properly configured as per the policy requirement. Access should be based on the user’s assigned privilege. Besides, the inbuilt software or the operating systems of the deployed device must be up-to-date. Apart from the guidelines mentioned above, the following measures should also be taken into account in the context of device security;

  1. Patches and security updates should be applied regularly as soon as vendors release them.
  2. All services that are not in use should be disabled.
  3. Each employee should be assigned an NDA about not sharing the details of devices deployed within the perimeter.
  4. The company should maintain ACL to regulate UDP and TCP traffic.
  1. Internet Access

Policies relevant to internet access include all hose that automatically blocks all websites identified as inappropriate, especially those related to social media platforms. Access to the internet should be based on the work nature of the user. In an organization, the internet and network are the same things as it connects crucial assets of the organization such as account sections, servers, etc. Before wielding, access to the internet should be thoroughly monitored and filtered appropriately.

  1. VPN Policy

VPN is designed to be used exclusively on organization-owned computers as it provides a way to secure data as it travels over an untrusted network. Every remote access to the corporate network should be via a standard operating system accompanied by a VPN with valid corporate approval. Remote access of company computers from home over the internet is to be denied to avoid malicious access. L2TP with IPSec should be applied to provide adequate protection for those trying to access organizations’ computers remotely. Firewalls should also be set to filter client traffic.

  1. Port Communication Policy

Only essential services such as HTTP should be left open even when they are not in use. Otherwise, all other ports, whether outbound or inbound, should be strictly blocked for unnecessary services. Presence of several needless ports running open increases the chances of a breach to a system. Therefore, ports linked directly to the internet should be limited to or marked as ports in inbound connection or use only authorized communication services.

  1. Wireless LAN Policy

An effective network policy should have guidelines on proper user authentication, a mechanism for anomaly tracking on wireless LAN, and a technique for appropriate WEP replacement to stop possible abuse of the wireless network. For encryption purposes, 802.11 security measures should be employed, such as CCMP, TKIP, etc. Below is a list of some of the suspicious events over a wireless network that you should always consider for intrusion detection:

  1. Remote Connection Policy

As more organizations increase network links between their employees to boost productivity, data breaches become more rampant. In most instances, an attacker takes over the session by blocking the remote user and using their credentials to access the Company’s network as if they were the remote host on a network. Mismanagement of remote users’ confidential may also lead to an exploitation of the system. Only authorized users should be granted direct access to an organization’s critical server, while others should be strictly in restricted mode through SSH utility or remote login.

  1. Firewall Rules Policy

Every time a user connects to an insecure open network, they open access gates for potential attackers to infiltrate the system. In such cases, the use of firewalls at the connection point end may be necessary as they safeguard communication facilities and private networks. The following guidelines should come in handy while deploying a firewall to various segments of the network;

  1. Intrusion Policy

For the extreme line of defense, IDs should be housed for anomaly monitoring and detection of unauthorized access as antivirus and firewall measures are not sufficient. Also, security personnel or risk managers must check the system regularly for any suspicious activity. To mitigate elevated privileges, altered permission, inappropriate auditing rights, inactive users, change of registry, and much more, use Advance Antivirus with inbuilt IPS/IDS. IDS software’s are configured over OS while intercepting IDS for software’s are deployed as hardware application fundamentally due to performance reasons

  1. Proxy Server Policy

Proxy servers are used for defensive and offensive purposes and typically reside between a user and a server. The following checklist must be adhered to while deploying a proxy server.

  1. All services should have a logging facility.
  2. A proxy should not accept outside connections.
  3. The proxy should run on the most up-to-date software and patches.
  1. Secure Communication Policy

Data conveyed in an unencrypted form through various channels such as routers and switches on the network is susceptible to attacks such as SYN flooding, session hijacking, spoofing, and sniffing. You cannot be in full control of the device that data is being conveyed through. Still, at least you can secure the data itself from breach or the conveying channel from being data accessible to a certain level or degree. To counter such attacks, you can employ ciphering tactics such as SSh, IPsec, SSL, and TLS as they can virtual encrypt every type of communication such as HTTP, IMAP, POP, FTP, and POP3. This is because SSL packets can easily navigate through NAT servers, set firewalls, and any device within the network as long as appropriate ports are left open on the device. If there is a need to transmit data valuable to your organization, you need to take specific initiatives. Below are some of the initiatives;

  1. DMZ Policy

Servers or systems such as emails, databases, web servers, and so on that require access to the public internet must be deployed on a specific subnet that separates outside from inside. This is to avoid the possibility of attacks by black hats, as public domains are easy to access.

Network security’s primary goal is to ensure every asset’s confidentiality, availability, and integrity within the network’s perimeter. Therefore, the remaining part of this article will focus on components of network security policy, give a typical outline, and finally show how to monitor network security by outlining some simple methods to carry out the task.

What Belongs in a Network Security Policy?

Every organization is expected to develop a policy based on various factors after conducting an exhaustive study. The policy, though, is subject to changes, adjustments as new technologies emerge and other advanced technologies become financially feasible. A good policy may entail the following components.

Example of an Outline for Network Security Policy

Wireless Communication Policy

This company does not grant access to a network via unprotected wireless communication. Only those systems with an exclusive waiver or those which meet the demands of this policy will be allowed to connect to a network.

The policy covers every device that is connected to an internal network. This is inclusive of all wireless communication devices capable of conveying packet data.

This is what every wireless implementation must do to comply with this policy:

  1. Maintain a registered and traceable hardware address, i.e., MAC addresses.
  2. Maintain point-to-point hardware encryption of 56 bits minimum.
  3. Support a strong user authentication that verifies against external databases such as RADIUS, TACAS+, or something similar.

Violating these policies by any employee will attract disciplinary action, up to and including termination of employment.

Only the client or the company would replace the reference.  This policy is standardized to make it easy to add unique policies to the organization or those that would perfectly fit in.

Monitoring Network Security Policy

A comprehensive network security policy should entail a criterion for monitoring the network as a routine activity. The main intent of monitoring a network is to point out areas of weakness susceptible to exploitation by hackers. Primarily, network monitoring should be put in place to ensure that the network users adhere to the policies.

The monitoring process can be as simple as an organized collection and review log files generated by the network in its normal operation mode. The occurrence of several failed logins may be an indication of an individual (user) that needs further training or a malicious break-in attempt. Sophisticated augmented systems are housed at the end of the spectrum to monitor network traffic. Devices such as IDS are used to look out for indications such as signatures that signal that something is amiss. In the case of a red flag, the IDS sensor notifies the IDS director management console, which initiates the mitigation process to shun the attack. Mitigation measures may include creating a list in a firewall or router to distinctively block contact from that source.

Conclusion

Network security policies rotate around protecting every resource on a network, right from threats to further exploitation. The policy should include all essential network devices, conveyed data, media used for transmission.  By the end of this article, you should have understood the various policy aspects to impose policies for reliable, secure, and robust network architecture. An organization should design the policy to comply with all its entities to improve its performance and defense against possible network vulnerability. Network policy should be strong enough to protect your system against several ways through which it can be compromised, such as through code injection, software bugs, malware.

Joseph Ochieng

Joseph Ochieng’was born and raised in Kisumu, Kenya. He studied civil engineering as first degree and later on pursued bachelors in information technology from the technical university of Kenya. His educational background has given him the broad base from which to approach topics such as cybersecurity, civil and structural engineering. When he is not reading or writing about the various loopholes in cyber defense, the he is probably doing structural design or watching la Casa de Papel . You can connect with Joseph via twitter @engodundo or email him via josephodundoh@gmail.com for email about new article releases”