Shaun Hummel, CCNP, is a Senior Network Engineer with 11 years experience in enterprise network planning, design, and implementation. He has worked for various private and public companies in Canada and the United States improving infrastructure, security, and management. He has written Network Planning and Design Guide, Cisco Wireless Network Design Guide and Network Assessment Guide. www.networkjobsolutions.com
Overview
These are the five primary security groups that should be considered with any enterprise security model: security policy, perimeter security, network security, transaction security and monitoring security. All of them are part of any effective company security strategy. Any enterprise network has a perimeter that represents all equipment and circuits that connect to external networks, both public and private. The internal network is comprised of all the servers, applications, data and devices used for company operations. The demilitarized zone (DMZ) is a location between the internal network and the perimeter, comprised of firewalls and public servers. It allows some access for external users to those public servers and denies traffic that would reach internal servers. That doesn't mean that all external users will be denied access to internal networks. On the contrary, a proper security strategy specifies who can access what and from where. For instance, telecommuters will use VPN concentrators at the perimeter to access Windows and Unix servers, and business partners could use an Extranet VPN connection for access to the company S/390 Mainframe. Define what security is required at all servers to protect company applications and files. Identify the transaction protocols required to secure data as it travels across secure and non-secure network segments. Monitoring activities should then be defined that examine packets in real time as a defensive and pro-active strategy for protecting against internal and external attacks. A recent survey revealed that internal attacks from disgruntled employees and consultants are more prevalent than hacker attacks. Virus detection should then be addressed, since allowed sessions could be carrying a virus at the application layer within an e-mail or a file transfer.
Security Policy Document
The security policy document describes the various policies for all employees that use the enterprise network. It specifies what an employee is permitted to do and with what resources. The policy covers non-employees as well, such as consultants, business partners, clients and terminated employees. In addition, security policies are defined for Internet e-mail and virus detection. It also defines what cyclical process, if any, is used for examining and improving security.
Perimeter Security
This describes a first line of defense that external users must deal with before authenticating to the network. It is security for traffic whose source and destination is an external network. Many components are used to secure the perimeter of a network. The assessment reviews all perimeter devices currently utilized. Typical perimeter devices are firewalls, external routers, TACACS servers, RADIUS servers, dial servers, VPN concentrators and modems.
Network Security
This is defined as all of the server and legacy host security that is implemented for authenticating and authorizing internal and external employees. Once a user has been authenticated through perimeter security, it is the security that must be dealt with before starting any applications. The network exists to carry traffic between workstations and network applications. Network applications are implemented on a shared server that could be running an operating system such as Windows, Unix or Mainframe MVS. It is the responsibility of the operating system to store data, respond to requests for data and maintain security for that data. Once a user is authenticated to a Windows domain with a specific user account, they have the privileges that have been granted to that account. Such privileges would be to access specific directories at one or many servers, start applications, and administer some or all of the Windows servers. When the user authenticates to Windows Active Directory Services, authentication is distributed and not tied to any specific server. There are tremendous management and availability advantages to that, since all accounts are managed from a centralized perspective and copies of the security database are maintained at various servers across the network. Unix and Mainframe hosts will usually require logon to a specific system; however, network rights could be distributed to many hosts.
· Network operating system domain authentication and authorization
· Windows Active Directory Services authentication and authorization
· Unix and Mainframe host authentication and authorization
· Application authorization per server
· File and data authorization
Transaction Security
Transaction security works from a dynamic perspective. It attempts to secure each session with five primary activities: non-repudiation, integrity, authentication, confidentiality and virus detection. Transaction security ensures that session data is secure before being transported across the enterprise or the Internet. This is important when dealing with the Internet, since data is vulnerable to those that would use the valuable information without permission. E-Commerce employs industry standards such as SET and SSL, which describe a set of protocols that provide non-repudiation, integrity, authentication and confidentiality. Virus detection also provides transaction security by examining data files for signs of virus infection before they are transported to an internal user or before they are sent across the Internet. The following describes industry standard transaction security protocols.
Non-Repudiation - RSA Digital Signatures
Integrity - MD5 Route Authentication
Authentication - Digital Certificates
Confidentiality - IPSec/IKE/3DES
Virus Detection - McAfee/Norton Antivirus Software
Monitoring Security
Monitoring network traffic for security attacks, vulnerabilities and unusual events is essential for any security strategy. This assessment identifies what strategies and applications are being employed. The following is a list that describes some typical monitoring solutions. Intrusion detection sensors are available for monitoring real time traffic as it arrives at your perimeter. IBM Internet Security Scanner is an excellent vulnerability assessment testing tool that should be considered for your organization. Syslog is a standard Unix logging program found at many companies; a Syslog server writes security events to a log file for examination. It is important to have audit trails to record network changes and assist with isolating security issues. Big companies that utilize a lot of analog dial lines for modems sometimes employ dial scanners to determine open lines that could be exploited by security hackers. Facilities security is typically badge access to equipment and servers that host mission critical data. Badge access systems record the date and time that each specific employee entered and left the telecom room. Cameras sometimes record what specific activities were conducted as well.
Intrusion Prevention Sensors (IPS)
Cisco markets intrusion prevention sensors (IPS) to enterprise clients for improving the security posture of the company network. The Cisco IPS 4200 series utilizes sensors at strategic locations on the inside and outside network, protecting switches, routers and servers from hackers. IPS sensors examine network traffic in real time or inline, comparing packets with pre-defined signatures. If the sensor detects suspicious behavior it will send an alarm, drop the packet and take some evasive action to counter the attack. The sensor can be deployed in inline IPS mode, in IDS mode (where traffic doesn't flow through the device), or as a hybrid device. Most sensors inside the data center network will be designated IPS mode, with its dynamic security features thwarting attacks as soon as they occur. Note that IOS intrusion prevention software is available today with routers as an option.
Vulnerability Assessment Testing (VAST)
IBM Internet Security Scanner (ISS) is a vulnerability assessment scanner focused on enterprise customers for assessing network vulnerabilities from an external and internal perspective. The software runs on agents and scans various network devices and servers for known security holes and potential vulnerabilities. The process is comprised of network discovery, data collection, analysis and reports. Data is collected from routers, switches, servers, firewalls, workstations, operating systems and network services. Potential vulnerabilities are verified through non-destructive testing, and recommendations are made for correcting any security problems. A reporting facility available with the scanner presents the findings to company staff.
Syslog Server Messaging
Syslog is a Unix logging program, and Cisco IOS reports a variety of device activities and error conditions as Syslog messages. Most routers and switches generate Syslog messages, which are sent to a designated Unix workstation for review. If your Network Management Console (NMS) is using the Windows platform, there are utilities that allow viewing of log files and sending Syslog files between a Unix and Windows NMS.
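The following is an added example, not part of the original article, of what a Syslog server can do with the messages routers and switches send it: parse the Cisco IOS %FACILITY-SEVERITY-MNEMONIC format, file each message into an audit category (configuration changes, failed logins, access list denies, device errors), and flag any source address with repeated login failures. The log lines are constructed samples in the IOS message style, and the category names and the two-failure threshold are this example's own choices.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in Cisco IOS syslog style (not captured from a real device).
SAMPLE_LOG = """\
<189>45: *Mar  1 00:12:34.567: %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.1.1.5)
<188>46: *Mar  1 00:13:02.100: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]
<188>47: *Mar  1 00:13:05.300: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 198.51.100.7] [localport: 22] [Reason: Login Authentication Failed]
<190>48: *Mar  1 00:14:10.000: %SEC-6-IPACCESSLOGP: list 101 denied tcp 198.51.100.7(4123) -> 10.1.1.20(23), 1 packet
<187>49: *Mar  1 00:15:00.000: %LINK-3-UPDOWN: Interface GigabitEthernet0/1, changed state to down
this line is not a syslog message and is counted as unparsed
"""

# IOS messages carry %FACILITY-SEVERITY-MNEMONIC (severity 0 = emergency ... 7 = debug).
IOS_MSG = re.compile(
    r"^(?:<\d+>)?(?:\d+: )?(?P<ts>\*?\w{3}\s+\d+ [\d:.]+): "
    r"%(?P<facility>[A-Z0-9_]+)-(?P<sev>[0-7])-(?P<mnemonic>[A-Z0-9_]+): (?P<text>.*)$"
)

def parse_line(line):
    """Return the message fields as a dict, or None if the line is not an IOS syslog message."""
    m = IOS_MSG.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["sev"] = int(ev["sev"])
    return ev

def classify(ev):
    """Map a parsed message to the audit category a security reviewer would act on."""
    if ev["mnemonic"] == "CONFIG_I":
        return "config_change"   # audit trail of network changes
    if ev["mnemonic"] == "LOGIN_FAILED":
        return "auth_failure"
    if ev["mnemonic"] == "IPACCESSLOGP" and "denied" in ev["text"]:
        return "acl_deny"        # an access list blocked a session
    if ev["sev"] <= 3:
        return "device_error"    # error or worse: possible availability impact
    return "info"

def analyze(log_text, fail_threshold=2):
    """Count events per category and list sources with repeated login failures."""
    counts, failures, unparsed = Counter(), defaultdict(int), 0
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:
            unparsed += 1
            continue
        cat = classify(ev)
        counts[cat] += 1
        if cat == "auth_failure" and (m := re.search(r"Source: ([\d.]+)", ev["text"])):
            failures[m.group(1)] += 1
    suspects = sorted(ip for ip, n in failures.items() if n >= fail_threshold)
    return {"counts": dict(counts), "repeat_login_failures": suspects, "unparsed": unparsed}
```

Calling `analyze(SAMPLE_LOG)` on the constructed lines reports one configuration change, two login failures, one access list deny and one device error, and lists 198.51.100.7 as the source of the repeated failures.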
Network Planning and Design Guide is available at Amazon.com and eBookmall.com
Shaun Hummel is an author of various technical books and has a web site focused on information technology job search solutions and certifications.