The organization’s network security policy is an official document that lays out the organization’s security expectations. The Network Security Policy outlines the security processes and the sanctions faced by those who fail to comply with the stated doctrines. Lack of a well-defined network security policy may lead to a loss of resources and opportunities for the organization. An ill-defined policy lacks any usefulness to the organization and only makes security an ad hoc process governed by the person in charge at that given moment.
Loosely, a security policy is a formal set of rules that everyone granted access to an organization’s technology, assets, and resources must abide by. Its first purpose is to inform staff members and users of their obligation to protect data, information, and technology assets, within or outside the premises, and to define the mechanisms through which these expectations are to be met. Second, a security policy should establish the baseline against which network and computer systems are acquired, configured, and audited for compliance. An effective security policy is therefore applied consistently throughout the organization, with detailed guidelines that employees can use as a reference in their everyday activities.
The main intent of this article is to provide a complete understanding of how to impose a network security policy on protocols, communication, and devices in a generic and uniform manner. It also covers some of the best practices and methodologies of an effective network security policy, expressed as policies rather than as actual implementations. Before jumping into the main areas of focus, let’s first briefly look at some of the reasons we need a network security policy.
Why create a Network Security Policy
Some of the benefits accrued in developing a well-structured policy include:
- Provides a blueprint for security purchases and implementations
- Details steps to follow in case of a security breach or incident
- Defines which technologies may be used, and which may and may not be added to the network.
- Creates a basis for an enforceable legal course of action
- Defines responsibility for every level of the organization for sanctioning, implementing, funding, supporting, monitoring, and auditing the policies.
- Acts as a baseline for the next step in the evolution of Network Security.
Network Security Policy
There is no single definitive mechanism for completely protecting a network because virtually any security system can be compromised or subverted. Intrusions may originate outside the organization or be orchestrated internally. Therefore, the most effective way to secure a network is to implement several layers of security barriers, so that an attacker has to bypass more than one system to reach the target’s critical assets.
The first basic step in enforcing a security policy is to define the specific policy you aim to enforce. Security measures restrict personnel in their day-to-day operations, and in some cases they prove “extremely” limiting, hence the temptation to revise the security regulations. These network measures are put in place to streamline employees’ operations under ordinary conditions and must therefore be well defined; they also provide guidelines on how to react when an abnormality occurs. In this context, the sections below explain how each principle of network security is to be imposed to protect systems and other valuable information.
While designing your network’s security infrastructure, you will have to prioritize the various network segments according to their security requirements. For instance, certain servers will be accessible and open to all, while others will be restricted to a subset of employees. Hence, to implement effective security for the different subdivisions and categories, you will put up barriers that only certain types of traffic can cross, in the form of private networks, semi-private networks, and public networks. Such boundaries between network segments can be enforced by devices such as switches, gateways, bridges, and routers that control the flow of packets into and out of each segment.
Every communication and monitoring device deployed in the network must be properly configured according to the policy requirements. Access should be based on the user’s assigned privileges. In addition, the firmware or operating system of each deployed device must be kept up to date. Apart from the guidelines mentioned above, the following measures should also be taken into account in the context of device security:
- Patches and security updates should be applied regularly as soon as vendors release them.
- All services that are not in use should be disabled.
- Each employee should sign an NDA covering the details of devices deployed within the perimeter.
- The company should maintain ACLs to regulate UDP and TCP traffic.
Policies relevant to internet access include those that automatically block all websites identified as inappropriate, especially social media platforms. Access to the internet should be based on the nature of the user’s work. In an organization, the internet connection and the internal network are effectively one and the same, since the same infrastructure connects crucial assets such as the accounts section, servers, and so on. Internet access should therefore be thoroughly monitored and appropriately filtered before it is put to use.
A VPN is designed to be used exclusively on organization-owned computers, as it secures data while it travels over an untrusted network. Every remote access to the corporate network should be from a standard operating system accompanied by a VPN with valid corporate approval. Remote access to company computers from home over the open internet is to be denied to avoid malicious access. L2TP over IPsec should be applied to provide adequate protection for those accessing the organization’s computers remotely. Firewalls should also be set to filter client traffic.
Port Communication Policy
Only the ports of essential services such as HTTP should be left open, even when they are not currently in use; all other ports, inbound or outbound, should be strictly blocked for unnecessary services. Several needless ports left open increase the chance of a system breach. Therefore, the ports exposed directly to the internet should be limited to those that accept inbound connections for authorized communication services only.
Wireless LAN Policy
An effective network policy should include guidelines on proper user authentication, a mechanism for tracking anomalies on the wireless LAN, and a technique for replacing WEP appropriately to stop possible abuse of the wireless network. For encryption, 802.11 security measures such as CCMP and TKIP should be employed. Below is a list of suspicious events on a wireless network that you should always consider for intrusion detection:
- MAC address which changes randomly
- Multiple incorrect SSIDs directed at a closed network
- Beacon frames from an unsolicited access point
- Duplicated MAC addresses on frames
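The following is an added example, not code from the article: it flags three of the four suspicious events listed above (unsolicited beacons, repeated wrong SSIDs against a closed network, and one MAC address shared by two radios) in a stream of summarised 802.11 frames. The corporate SSID, the authorized BSSIDs, the thresholds and the frame records are all constructed assumptions.

```python
"""Added example (not from the article): flagging three of the suspicious
wireless events listed above in a stream of summarised 802.11 frames."""
from collections import defaultdict

# Constructed policy inputs: the corporate SSID and the BSSIDs of sanctioned APs.
CORPORATE_SSID = "corp-wlan"
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
# Thresholds are assumptions for illustration, not values from the article.
MAX_WRONG_SSIDS = 3   # distinct wrong SSIDs one station may probe for before an alert
SEQ_BACKSTEP = 200    # sequence-number drop suggesting two radios share one MAC


def detect_wlan_anomalies(frames):
    """frames: dicts with keys type, src, bssid, ssid, seq (summarised 802.11 frames).
    Returns a list of (rule, offending MAC address) alerts, in detection order."""
    alerts = []
    wrong_ssids = defaultdict(set)   # station MAC -> wrong SSIDs it probed for
    last_seq = {}                    # station MAC -> last sequence number seen
    for f in frames:
        if f["type"] == "beacon" and f["bssid"] not in AUTHORIZED_BSSIDS:
            alerts.append(("unsolicited_ap", f["bssid"]))   # rogue access point
        elif f["type"] == "probe_req" and f["ssid"] not in ("", CORPORATE_SSID):
            # Closed network: a station cycling through wrong SSIDs is guessing.
            wrong_ssids[f["src"]].add(f["ssid"])
            if len(wrong_ssids[f["src"]]) == MAX_WRONG_SSIDS:
                alerts.append(("ssid_guessing", f["src"]))
        elif f["type"] == "data":
            # Two devices using one MAC keep separate 12-bit sequence counters, so the
            # observed counter jumps backwards far more than a retransmission would.
            prev = last_seq.get(f["src"])
            if prev is not None and prev < 4000 and prev - f["seq"] > SEQ_BACKSTEP:
                alerts.append(("duplicate_mac", f["src"]))
            last_seq[f["src"]] = f["seq"]
    return alerts


def sample_frames():
    """Constructed frame summaries for a stand-alone run, not a real capture."""
    sta, guesser, rogue = "02:aa:bb:cc:dd:01", "02:aa:bb:cc:dd:99", "66:77:88:99:aa:bb"
    good_ap = "00:11:22:aa:bb:01"
    frames = [
        {"type": "beacon", "src": good_ap, "bssid": good_ap, "ssid": CORPORATE_SSID, "seq": 10},
        {"type": "beacon", "src": rogue, "bssid": rogue, "ssid": CORPORATE_SSID, "seq": 1},
    ]
    for guess in ("guest", "corp", "wlan-corp"):
        frames.append({"type": "probe_req", "src": guesser, "bssid": "ff:ff:ff:ff:ff:ff",
                       "ssid": guess, "seq": 0})
    # One MAC, two interleaved sequence counters (100.. and 1500..).
    for seq in (100, 101, 102, 1500, 103, 1501):
        frames.append({"type": "data", "src": sta, "bssid": good_ap, "ssid": "", "seq": seq})
    return frames
```

Running `detect_wlan_anomalies(sample_frames())` yields one alert per rule; in practice the frame summaries would come from a monitor-mode capture and the thresholds would be tuned against the site’s normal traffic.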
Remote Connection Policy
As more organizations add network links to their employees to boost productivity, data breaches become more rampant. In most instances, an attacker takes over a session by blocking the remote user and using their credentials to access the company’s network as if they were the remote host. Mismanagement of remote users’ confidential credentials may also lead to exploitation of the system. Only authorized users should be granted direct access to an organization’s critical servers, while others should be strictly confined to a restricted mode through the SSH utility or remote login.
Firewall Rules Policy
Every time a user connects to an insecure open network, they open a gate for potential attackers to infiltrate the system. In such cases, firewalls at the connection endpoint may be necessary, as they safeguard communication facilities and private networks. The following guidelines should come in handy when deploying firewalls to the various segments of the network:
- For dedicated server access, the server’s identity is hidden by employing a proxy firewall between the remote user and the dedicated server.
- Where traffic is filtered on destination and source port/IP address, a packet-filtering firewall should be placed, as it also increases transmission speed.
- Where transmission speed is not important, stateful (state-table) inspection may be appropriate, as it validates each connection dynamically before forwarding the packet.
- Where there is a need to provide extra security measures for an organization’s internal network, NAT should complement the firewall.
- Finally, employ IP packet filtering if you need a finer level of regulation than simply preventing communication between an IP address and your server.
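The Port Communication Policy above and the packet-filtering and state-table items in this list can be modelled together. The following is an added example, not the article’s code: a default-deny filter that admits only listed TCP/UDP services in each direction and keeps a state table so that replies to admitted flows pass. The internal address range, the allow lists and the sample packets are constructed assumptions.

```python
"""Added example (not the article's own code): a default-deny TCP/UDP filter with
a connection state table, modelling the port and firewall guidelines above."""
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")            # assumed internal address space
# Assumed policy: services reachable from outside (inbound) and services hosts
# inside may initiate (outbound). Anything not listed is dropped in both directions.
INBOUND_ALLOW = {("tcp", 80), ("tcp", 443)}
OUTBOUND_ALLOW = {("tcp", 443), ("udp", 53)}


class StatefulFilter:
    def __init__(self):
        # Admitted flows as (proto, client_ip, client_port, server_ip, server_port).
        self.state = set()

    def decide(self, pkt):
        """pkt: dict with proto, src, sport, dst, dport. Returns 'allow' or 'deny'."""
        proto = pkt["proto"]
        src, dst = ip_address(pkt["src"]), ip_address(pkt["dst"])
        flow = (proto, src, pkt["sport"], dst, pkt["dport"])
        reply = (proto, dst, pkt["dport"], src, pkt["sport"])
        if flow in self.state or reply in self.state:
            return "allow"                      # part of a flow we already admitted
        inbound = src not in INTERNAL and dst in INTERNAL
        table = INBOUND_ALLOW if inbound else OUTBOUND_ALLOW
        if (proto, pkt["dport"]) in table:
            self.state.add(flow)                # remember it so the replies pass
            return "allow"
        return "deny"                           # default deny for unlisted ports


def run_sample():
    """Constructed packets (not real traffic); returns the filter's decisions."""
    fw = StatefulFilter()
    packets = [
        ("udp", "10.0.0.5", 5353, "8.8.8.8", 53),         # outbound DNS query
        ("udp", "8.8.8.8", 53, "10.0.0.5", 5353),         # its reply: stateful match
        ("udp", "8.8.8.8", 53, "10.0.0.7", 5353),         # unsolicited inbound UDP
        ("tcp", "203.0.113.9", 40000, "10.0.0.80", 443),  # public web server
        ("tcp", "203.0.113.9", 40001, "10.0.0.80", 3389), # unlisted inbound port
        ("tcp", "10.0.0.5", 50000, "198.51.100.4", 25),   # unlisted outbound port
    ]
    keys = ("proto", "src", "sport", "dst", "dport")
    return [fw.decide(dict(zip(keys, p))) for p in packets]
```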
As the last line of defense, an IDS should be deployed for anomaly monitoring and detection of unauthorized access, since antivirus and firewall measures alone are not sufficient. Security personnel or risk managers must also check the system regularly for suspicious activity. To mitigate elevated privileges, altered permissions, inappropriate auditing rights, inactive users, registry changes, and much more, use advanced antivirus with built-in IPS/IDS. Host-based IDS software runs on top of the operating system, while inline (intercepting) IDS is deployed as a hardware appliance, fundamentally for performance reasons.
Proxy Server Policy
Proxy servers are used for defensive and offensive purposes and typically reside between a user and a server. The following checklist must be adhered to while deploying a proxy server.
- All services should have a logging facility.
- A proxy should not accept outside connections.
- The proxy should run on the most up-to-date software and patches.
Secure Communication Policy
Data conveyed in unencrypted form through channels such as routers and switches on the network is susceptible to attacks such as SYN flooding, session hijacking, spoofing, and sniffing. You cannot fully control the devices your data passes through, but you can at least protect the data itself, or the channel carrying it, to a certain degree. To counter such attacks, employ ciphering techniques such as SSH, IPsec, SSL, and TLS, which can encrypt virtually every type of communication, such as HTTP, IMAP, POP3, and FTP. SSL packets can easily pass through NAT servers, firewalls, and any other device within the network as long as the appropriate ports are left open. If you need to transmit data valuable to your organization, you need to take specific initiatives. Below are some of them:
- Ensure that MITM attacks will not tamper with data being conveyed.
- Make sure that any unauthorized individual between the source and the server will not breach the conveyance channel.
- The identity of computers and people who will send packets must be authenticated.
Servers or systems such as email, databases, and web servers that require access from the public internet must be deployed on a specific subnet that separates the outside from the inside. This avoids the possibility of attacks by black hats, as publicly reachable domains are easy to access.
Network security’s primary goal is to ensure every asset’s confidentiality, availability, and integrity within the network’s perimeter. Therefore, the remaining part of this article will focus on components of network security policy, give a typical outline, and finally show how to monitor network security by outlining some simple methods to carry out the task.
What Belongs in a Network Security Policy?
Every organization is expected to develop a policy based on various factors after conducting an exhaustive study. The policy, though, is subject to changes and adjustments as new technologies emerge and other advanced technologies become financially feasible. A good policy may entail the following components.
- Scope and statement of authority – should include who funds and authorizes the policy and those whom it directly impacts.
- Access policy – defines acceptable access rules for management staff, network operation staff, and users. It also outlines specific privileges and responsibilities relevant to various categories of network users. The policies defined should cover procedures on modifying software, adjusting OS settings, adding software to systems, and, most significantly, bringing new devices into a network. Significant elements of the access policy might be included as part of the network policy.
- Acceptable use policy – states the expected behavior of users and defines the technologies covered, such as cell phones, pagers, computers, and so forth.
- Wireless access policy – states circumstances under which a wireless device can be used within a company network.
- Password policy – defines how passwords will look and the frequency at which they are to be changed.
- Authentication policy – is more of an advanced password policy that defines the local access password policy and provides directives for the remote authentication process.
- Availability statement – states what users should expect regarding resource availability. It should outline known risks, recovery issues, and redundancy. Contact information for reporting network or system malfunctions should also be included.
- Switch and router security policy – explains how routers and switches connecting to a production network should be configured.
- Antivirus policy – states tools to be used and how they are to be implemented.
- Network and IT systems maintenance policy – defines the extent to which external and internal personnel are allowed to handle and access the company’s technology. The policy should define whether remote maintenance of technology is allowed and under what circumstances it is allowed. It should also detail whether outsourcing can be done, how it is managed, and the legitimate process to follow if necessary.
- Violations reporting policy – categorizes violations into those that should be reported and specifies the person they are reported to. The policy should provide guidelines on handling external security incidents, the person to respond to the incident, and the mechanism to respond to the situations depending on the point of contact.
Example of an Outline for Network Security Policy
Wireless Communication Policy
This company does not grant access to a network via unprotected wireless communication. Only those systems with an exclusive waiver or those which meet the demands of this policy will be allowed to connect to a network.
The policy covers every device that is connected to an internal network. This is inclusive of all wireless communication devices capable of conveying packet data.
This is what every wireless implementation must do to comply with this policy:
- Maintain a registered and traceable hardware address, i.e., MAC addresses.
- Maintain point-to-point hardware encryption of 56 bits minimum.
- Support strong user authentication that verifies against external databases such as RADIUS, TACACS+, or something similar.
Violating these policies by any employee will attract disciplinary action, up to and including termination of employment.
- User authentication – should entail the methodology of verifying the wireless system as a legitimate user separate from the OS or computer being used.
- Revision History
Only the client or the company would replace the references. This outline is standardized so that an organization can easily add its own unique policies or those that would fit it perfectly.
Monitoring Network Security Policy
A comprehensive network security policy should include criteria for monitoring the network as a routine activity. The main intent of monitoring a network is to point out areas of weakness susceptible to exploitation by hackers. Primarily, network monitoring should be put in place to ensure that network users adhere to the policies.
The monitoring process can be as simple as an organized collection and review of the log files the network generates in normal operation. Several failed logins may indicate a user who needs further training or a malicious break-in attempt. At the other end of the spectrum, sophisticated systems monitor network traffic directly: devices such as an IDS look for indications, such as signatures, that something is amiss. In the case of a red flag, the IDS sensor notifies the IDS director management console, which initiates the mitigation process to shun the attack. Mitigation measures may include creating a list in a firewall or router to specifically block contact from that source.
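The log-review side of monitoring described above, as an added example that is not from the article: it parses sshd-style authentication lines, separates a single account with a few failures (a candidate for follow-up or training) from one source hammering many accounts (a break-in attempt), and returns the sources to block at the firewall or router. The log lines, the regular expression and the thresholds are constructed assumptions.

```python
"""Added example (not from the article): reviewing authentication logs for the
failed-login patterns described above and producing firewall block candidates."""
import re
from collections import Counter, defaultdict

# Matches OpenSSH-style lines; assumption: the site's logs use this wording.
LOG_RE = re.compile(r"(Failed|Accepted) password for (?:invalid user )?(\S+) from (\S+)")
# Thresholds are assumptions for illustration, not values from the article.
USER_WARN = 3       # failures by one account that suggest a user who needs help
SOURCE_BLOCK = 5    # failures from one address that suggest a break-in attempt

# Constructed sshd-style log lines (not a real capture).
SAMPLE_LOG = """\
Jan 12 09:00:01 gw sshd[201]: Failed password for alice from 10.0.0.5 port 50101 ssh2
Jan 12 09:00:07 gw sshd[201]: Failed password for alice from 10.0.0.5 port 50101 ssh2
Jan 12 09:00:15 gw sshd[201]: Failed password for alice from 10.0.0.5 port 50101 ssh2
Jan 12 09:00:21 gw sshd[201]: Accepted password for alice from 10.0.0.5 port 50101 ssh2
Jan 12 09:03:44 gw sshd[377]: Failed password for invalid user admin from 203.0.113.7 port 41000 ssh2
Jan 12 09:03:45 gw sshd[378]: Failed password for root from 203.0.113.7 port 41001 ssh2
Jan 12 09:03:46 gw sshd[379]: Failed password for invalid user test from 203.0.113.7 port 41002 ssh2
Jan 12 09:03:47 gw sshd[380]: Failed password for bob from 203.0.113.7 port 41003 ssh2
Jan 12 09:03:48 gw sshd[381]: Failed password for invalid user oracle from 203.0.113.7 port 41004 ssh2
"""


def review_auth_log(text):
    """Returns (accounts needing follow-up, source addresses to block)."""
    per_user = Counter()             # failed attempts per account name
    per_source = Counter()           # failed attempts per source address
    accounts_tried = defaultdict(set)  # source address -> account names it tried
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue                 # not an authentication event
        outcome, user, src = m.groups()
        if outcome == "Failed":
            per_user[user] += 1
            per_source[src] += 1
            accounts_tried[src].add(user)
    # One source cycling through many account names is the break-in signature;
    # repeated failures on one real account usually means a struggling user.
    sources_to_block = sorted(s for s, n in per_source.items()
                              if n >= SOURCE_BLOCK and len(accounts_tried[s]) > 1)
    users_needing_followup = sorted(u for u, n in per_user.items() if n >= USER_WARN)
    return users_needing_followup, sources_to_block
```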
Network security policies revolve around protecting every resource on a network, both from threats and from further exploitation. The policy should cover all essential network devices, the data conveyed, and the media used for transmission. By the end of this article, you should understand the various policy aspects needed to impose policies for a reliable, secure, and robust network architecture. An organization should design the policy so that all its entities comply with it, improving its performance and its defense against possible network vulnerabilities. The network policy should be strong enough to protect your system against the several ways in which it can be compromised, such as code injection, software bugs, and malware.
Joseph Ochieng was born and raised in Kisumu, Kenya. He studied civil engineering as his first degree and later pursued a bachelor’s in information technology from the Technical University of Kenya. His educational background has given him a broad base from which to approach topics such as cybersecurity and civil and structural engineering. When he is not reading or writing about the various loopholes in cyber defense, he is probably doing structural design or watching La Casa de Papel. You can connect with Joseph via Twitter @engodundo or email him at email@example.com for news about new article releases.