Opinion: How to develop blueprints for network security.

by Marcia J. Wilson, CCSP Staff Writer
March 4, 2004

"Reprinted from February 27, 2k3"

A blueprint is a detailed plan or program of action. When thinking in terms of a network security blueprint, one would think of the overall architecture first and then the individual components of the system. Oftentimes, we focus on individual technologies such as a firewall or intrusion-detection system. Everyone needs a firewall, right? Wrong. The firewall will do absolutely no good if security can be breached through a poorly configured virtual private network (VPN) connection or if you have a disgruntled employee who has access to critical information systems.

Think of network security architecture in the same way you think of your home's architecture. How many doors and windows are there? How are they secured? Who is allowed in and out of each opening? Must people in your home identify themselves in some way before going out and coming in? Do family members have a key to enter the home, or do they just turn the knob? Do you have possessions that you are concerned about protecting? Do you have children or an elderly family member who needs protection? Do you leave the back door cracked open so the puppy can get in and out? Networks and employees need protection in the same way a home and family do. Understanding what you need to protect is the first step in the process of defining your security architecture and documenting that with a blueprint or detailed plan.

If you go to Google.com and type in the words "security blueprints," you will find many vendor listings. Foremost on the list will be Sun Microsystems Inc., which provides detailed plans for securing the Solaris operating system and offers information on interesting subjects such as "how hackers do it."

Cisco Systems Inc. comes in a close second. Cisco's blueprint program is called Safe Blueprint and includes detailed instructions for securing enterprise networks, small to midsize networks, remote user connections, VPNs, wireless LANs and IP telephony networks.

Search engine results give very few links to Microsoft, however I did find a highly publicized account of their network being hacked two years ago. Bill Gates, co-founder of Microsoft, issued an "executive e-mail" on July 18, 2002, calling upon the Internet community to work together to build a "Trustworthy Computing" ecosystem. Microsoft purports to have made dramatic changes in how it writes its code and develops its programs, with the promise that Windows .NET Server 2003 will ship "secure by default." In seach of Microsoft security blueprints, I went directly to Microsoft's site and ran a search on "security." From the list of links I found that Microsoft has a Security & Privacy homepage. If you go to that page you are presented with a myriad of choices for IT professionals, developers, home users and business. I really had to hunt around for a "blueprint". It appears that the most comparable information to Sun and Cisco's offerings, is a white paper called Best Practices for Enterprise Security.

How does a company decide on an overall network security architecture? What if your company has been in business for 25 years, and the network sprawls across the country? It's not so hard to architect a secure network when you have plenty of money and are working with a clean slate. The rub comes when you have to rearchitect the network for security's sake. Most security technologists responsible for leading a project of this nature tend to focus on individual components of a larger system that can be unwieldy. Network security vendors will come out in force if they get word that you're contemplating such a project. I can hear it now: "Our company offers the XYZ system that will actually prevent security breaches from ever happening. Just install our system, and you won't have to worry about a thing! That will be $400,000, please." Reminds me of the unsolicited calls I get at home about home security systems.

Here's my advice, which is a boiled-down strategy for risk analysis. Put together a cross-functional team from across the organization and take the time to define your information assets. (This is a high-level analysis. Give the team enough time, but don't let the process drag on and on.) Ask yourself, "What are our most critical pieces of information that, if the information fell into the wrong hands, our reputation, our customers, our partners and possibly the legal authorities would file suit against us in a court of law, or we would be otherwise out of business?" Rate those information assets on a scale of 1 to 5, with 1 being the most critical and 5 being the least critical.

The next step is to review the current security posture of the network regarding the location of information assets. For example, do you have customer or cardholder data sitting out in a DMZ on an unsecured server? That is what we call a "ki-ki-no-no." A good information-security audit will provide the information you need to move to the next step. The hardest part is the last part, and the longest: securing the network. This is the actual rearchitecture phase that begins with having a very clear picture of the assets in need of protection and the current state of network affairs. Let's review:

• Step 1: Identify the information assets.
• Step 2: Engage an independent firm to perform an information security audit.
• Step 3: Rearchitect and secure the network.

Now you're ready to design your organization's security architecture, which is the blueprint. This is backwards, I know. But this is what organizations today are faced with. You can't put a square peg in a round hole, and there is no such thing as "one size fits all." There are helpful guidelines provided by the vendors of various products. There is some work being done by organizations and individuals who are trying to define that perfect template that, once applied, will ensure a secure network. But that's just not going to happen. Each environment requires its own custom-built template based on best practices. Each company or organization needs to face and meet the challenge of securing the environment. Just remember: It's all about the information assets, not the technology.



*Note: Some links to stories may no longer function or now require you to register to view.





by Marcia J. Wilson ComputerCops Staff Writer

Marcia J. Wilson is a Certified Information Systems Security Professional and the founder and CEO of Wilson Secure LLC, a Pleasanton, Calif.-based company focused on providing independent network security auditing and risk analysis. She can be reached at .