



Handbook of Local Area Networks, 1998 Edition: LAN Security

8-2 Writing a Network Security Policy

MICKI KRAUSE

An organization’s ability to communicate with partners, competitors, suppliers, information resources, and especially customers is fundamental to business. The ability to do so faster, more reliably, and at less cost can provide a competitive advantage. However, this competitive edge can quickly diminish if the information and resources are not adequately secured. Reliance on the integrity and confidentiality of the transmitted information and the reliability and availability of the communications resources is crucial.

Networks expand vulnerabilities beyond the host resource. Transmission media, interfaces such as routers, bridges, and gateways, public and private networks, remote and dial-up access, and multiple interconnected hosts are all areas of potential exposure. The failure of just one component within a network can render an entire system unavailable. Additionally, prevailing Internet and Intranet technologies pose risks that must be addressed by the organization, such that potential exposures are identified and security issues are resolved.

This chapter discusses the key factors in developing an effective LAN and communications security policy. A sample policy is provided at the end of the chapter.

CHANGES IN THE WORKPLACE AND WORK FORCE

Traditionally, organizations owned and controlled a single computing platform, where all of the critical data was stored. There were limited paths of access within this environment and a well-defined and well-controlled community of users. Today’s computing enterprise consists of multiple paths of access and a heterogeneous community of users. Many networks and distributed systems are developed outside the realm of the information systems department.

Innovative work methods impose additional security challenges. An increasing number of users carry portable processors in their briefcases. Users demand connectivity to live production data for more timely and accurate information, regardless of their physical location. Electronic teaming in the “virtual corporation” promotes a productive, cooperative effort by persons who share data within and outside the core organization.

Changes in work force demographics have led to increased requirements for access to data across phone lines—for example, the phenomenon of telecommuting that links host systems to microcomputers in the home. Network links across traditional boundaries are becoming more common as businesses seek opportunities to reduce costs and improve responsiveness to their suppliers and customers. The exploding use of the Internet and the emergence of Intranets (private corporate networks) are also changing the way in which communications are configured and eventually secured.

At the same time, current and proposed privacy legislation places new burdens on companies that rely heavily on computing and communications. The requisite security and controls are not yet in place for distributed systems. The foundation of an information and communications security program must be built on a strategy that combines effective use of existing technologies with sound business practices. Establishing the network security policy is a logical first step.

WHY A COMMUNICATIONS SECURITY POLICY IS NECESSARY

During recent years, the majority of new systems and applications have been designed and developed to run on networked, distributed platforms. Regardless of this increasing trend to decentralize computing, vendors have not made significant headway in developing effective strategies for enterprisewide security. Thus, it is up to users to promote and maintain an adequate level of distributed systems security using existing control techniques.

Explicit security policies must provide the direction for establishing appropriate controls. Security policy must address issues as diverse as administration across disparate platforms, the threat of computer viruses, and privacy of network traffic across multiple media using various topologies and protocols.

A communications security policy should be directed toward the following goals:

•  Applying access controls appropriate to the risk exposure.
•  Ensuring that unauthorized activity does not interfere with the integrity and availability of the network.
•  Providing appropriate levels of confidentiality and integrity of data transmissions.
•  Physically securing hardware and line connection points.
•  Implementing access controls for network devices.
•  Controlling the implementation of configuration modifications to network software.
•  Maintaining control over network equipment.
•  Providing for unobtrusive business resumption.

ESTABLISHING A COMMUNICATIONS SECURITY PROGRAM

Securing the large, distributed network requires a commitment of time, proper tools, and sufficient operational funding. Recognizing this, many organizations have established a communications security program, managed by information security personnel with support by communications personnel and other operating functions as needed.

The charter of the communications security program is to address emerging security issues arising from technological advancements and new requirements for dial-up computer access, LANs, integration of divisional and corporate broadband networks, interconnectivity to noncompany networks, E-mail systems, the Internet, and Intranets. The program’s ultimate objective is to increase productivity through improved communications and ensure security. As connectivity requirements increase, the communications security program staff should assist in weighing productivity objectives against security requirements.

The responsibilities of the program personnel include:

•  Protecting dial-up access.
•  Developing network security guidelines.
•  Establishing network monitoring, packet filtering, and application firewall recommendations.
•  Performing network intrusion detection.
•  Broadcasting security alerts.
•  Assessing the need for network encryption.

Copyright (c) 1996-1999 EarthWeb, Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of EarthWeb is prohibited.


