Safer Networks: Keeping the Security Willies at Bay
By Sharon Nelson and John Simek
Can you really design and build a completely safe network? The short answer is no—but you can keep it as secure as possible if you follow this advice.
Can you really design and build a completely safe network? The short answer is no. Nothing's perfect, regardless of how hard you work at it. Nonetheless, you can keep your network as secure as possible if you avoid complacency and install the right devices.
It would be nice if Microsoft could simply wipe out the bad guys who threaten the security of our systems through its operating software. But the truth is that the bad guys just keep coming, all with the goal of getting at our data. Although Microsoft has paid increasing attention to security, it can never get away from its own prominence. Face it. If you want to boast that more than 90 percent of the world's computers use your operating system, you have to live with the fact that 90 percent of the hackers, crackers and business espionage experts are coming after you.
All organizations—including law practices of every size—need to recognize that their networks are vulnerable and learn how to design safer ones. So what drives a network design? Sometimes, it's regulatory measures or laws. As an example, you may have to take steps to retain, log and secure instant message communications if you are subject to SEC regulations. There are now more than 14,000 federal and state statutes and regulations dealing with the preservation of data. This is one of the prime factors in network design today. So, of course, are cost, performance and capabilities. And they all have an impact on security.
How should you approach this complicated area? For starters, understand that absolute safety is the Holy Grail, and you're just about as likely to find it. But if you realize that security is an ever-shifting target and you're receptive to monitoring events and making adjustments, you can get very, very close to being well secured. Here are key tactics and tools you should consider implementing.
Policies to Address the Human Factors
The number one threat to data security comes from inside of organizations—this means the folks you see at work every day. A recent Ponemon Institute survey of the IT departments at 461 major U.S. organizations found that the average annual cost of managing data security from inside threats equaled $3.4 million per organization. Most of us are not at this level of expenditure, but it should drive home the point that the first step in securing our data is to address inside access. Roughly 70 percent of data breaches stem from an internal source. Seriously, keep an eye on the woman in the next cubicle.
Something to consider, which is standard fare for government entities, is to institute background checks as part of the hiring process. As a minimum, you should verify the accuracy of the information provided on employment applications or resumes. Also, it's wise policy to have some document or contract that defines employees' obligation regarding confidentiality and nondisclosure of sensitive data. Should you monitor employees? Of course you should, and most large companies do. The point is not to invade anyone's privacy, but to protect your network. If you have an appropriate Internet and e-mail use policy in place, there should be precious few private materials to stumble onto in any event.
And for heaven's sake, pay attention to access rights. Does the receptionist truly need access to your law firm's books? No, no, no. Consider carefully who needs to have access rights to what and develop a policy.
Speaking of access, you'd be amazed at how often employers fire employees and forget to "yank the plug" on their access to the network. This is a critical step. No one who's being terminated is in a happy frame of mind, and the unhappy occasionally find that revenge, at least at the time, seems like a splendid idea. They may become guests of the state at a later stage, but if your data is already gone or compromised, you're going to have some serious explaining to do about the absence of good security policies.
Above and beyond the human elements in securing data, there are several technical alternatives to provide for a safer network. Let's look at those now.
Hubs and Switches
A hub is a network device used to aggregate the connections for all of the computers on the network. In the early days of Ethernet, all the computers were connected using coaxial cable in a daisy-chain arrangement. Today, unshielded twisted pair (UTP) cable is widely used with LAN hubs to provide the necessary connectivity. If your office uses a hub, the first step in securing your network is to have the hub installed in a closet or area that can be physically secured. If the hub is sitting on someone's desk, it is very easy to tap into the network or disconnect a critical computer.
While hubs remain in use in the most basic of networks, their day has really passed. Why? Hubs connect all computers into a single network where all devices "see" the traffic for everyone on the network, and this is not a very secure or efficient way to communicate. That's why switches are now used as the replacements for hubs.
Switches set up a very fast communications connection between two devices at the time that it is needed. This means that the network traffic moves between the originator and recipient and is not "seen" by all of the other computers on the network. This makes for a more efficient and secure communication environment. A switch is much more intelligent than a hub and can provide for some level of network traffic segregation.
As with all critical computing components, switches should be physically secured. Switches can be viewed as the core connection component for the computers on the network and, accordingly, should be thoroughly protected from tampering or compromise.
Virtual LANs (VLANs) have been around for many years. You normally see VLAN implementations in larger firms, but they can also be effectively used in small offices, especially in a shared office environment, where multiple people need to share a common Internet connection. Simply stated, VLANs are a way to virtually define which ports participate in a particular LAN. Network traffic is only allowed to communicate between those devices that are configured for the same VLAN. This means that you can define multiple VLANs to a single switch and restrict traffic to selected groupings of ports on the switch.
Think of situations in which multiple law firms share office space to reduce the overall cost to the individual firms, an arrangement that is quite common these days. VLANs are an excellent way to provide network traffic isolation yet allow the firms to use a common communication connection, such as a high-speed Internet link.
It really doesn't matter if you only have one computer connected to the Internet via a broadband connection—it should be connected through a router. Routers provide a very good first line of defense and are relatively inexpensive. Okay, there are routers that cost several thousands of dollars, but that expense is usually left to the midsize and large firms.
By default, most small office routers will use a process called Network Address Translation (NAT). This creates a private internal network and does not advertise your real IP address to the outside world. When you connect the router to the Internet, whether it is via a cable modem, DSL or some other method, the registered IP address for the Internet connection is translated to a private address on the local network. This means that the outside world only sees the address for the Internet connection and not the internal address. This method of translation also allows multiple computers to share a single IP address for the Internet connection.
Another default operation is to block all unsolicited traffic from coming in to your network. Communications are allowed if they are initiated from a device internal to your network, but requests from the "outside world" are blocked. This operation acts as a type of firewall, preventing "snooping" of your network resources. Of course, you will have to override some of these defaults if you host your own e-mail or Web server. You have to allow unsolicited connections to your mail server because you don't know when someone—say, a prospective client—may want to send an e-mail message to you.
There are other TCP/IP ports that you may need to allow through as well. As an example, you may need to allow the inbound traffic for access to your Exchange server when you are using a browser. This is normally known as Outlook Web Access (OWA) and is very common in Exchange mail environments. Since we're speaking of OWA, consider changing the default TCP port 80 to something else. There are constant scans on the Internet for port 80 devices, and moving the port number will reduce the potential for attack and compromise.
Larger and more expensive routers will have increased capabilities and features. You may, for example, be able to connect multiple internal networks to the router, thereby providing some internal level of isolation. Large firms use these higher-end routers to provide fault tolerance, alternate network paths and faster handling of traffic routing decisions.
Firewalls can be of the hardware or software variety. Software firewalls are typically installed on a single computer and used to protect that computer from external attacks as well as some operating system compromises. The firewall will look to see if an application is trying to send data out (perhaps as a spam engine) without user intervention.
Hardware firewalls are more complicated to implement—and more costly. It wouldn't be unusual to spend thousands of dollars on one. The hardware firewall is a specialized piece of equipment that runs a very specific software application, which is designed to rapidly investigate each packet of data and make decisions about whether or not to allow the data to enter or leave the network.
Organizations that currently have no firewall or intrusion detection installed should give serious consideration to implementing a Unified Threat Management (UTM) device. A UTM device is a single device that can handle all the traffic decisions for the network, combining firewall functions and intrusion detection and prevention capabilities. It can contain antivirus and anti-spyware software, too, so you don't have to have those programs separately installed on each computer.
The UTM is a very specialized device and is probably most cost-effective if you don't have any security systems currently in place. Because UTMs are a combo-solution, some components are often better than others, and our choice, frankly, is to take the best of breed to develop a custom solution rather than installing a UTM.
A Few Words on Wireless
Wireless networking comes with special considerations, including specific security measures that are only used in a wireless network design. We could write an entire article (and we have) on wireless network security, but, in brief, there are some basic techniques to consider with all wireless networks.
The first configuration change should be to disable the broadcasting of the network presence by disabling the broadcasting of the SSID, which stands for service set identifier and is nothing more than the name of the network. Two other changes involve encryption of the data transmissions and restriction of the devices that can connect to the network. Encrypting data transmissions can be done using WEP (for Wired Equivalent Privacy) or WPA (for Wi-Fi Protected Access). Restricting those computers that can connect to the wireless network is done through MAC (for Media Access Control) filtering.