Chapter 4. Overview of the Network Security Issues

Writing about network security is tricky when compared to writing about other network-related topics. Because effective security implementations rely on a high degree of secrecy, there seems to be an inherent contradiction in the process of openly discussing security issues. I've heard people say that those who thoroughly understand security simply don't or can't talk about it, and that those who do either don't know what they are talking about or are leaking sensitive and confidential information.

Taking this kind of argument to the extreme could easily translate into an information blackout regarding network security solutions, thus depriving a small-medium business (SMB) of readily available means to protect network resources and information assets. That certainly would be foolish. Yet the argument is valuable in that not all of the information out there regarding network security is reliable. Moreover, after a security solution has been implemented by an SMB, only designated personnel should know the specific implementation details, and they should not discuss them openly.

The recommended middle-of-the-road approach regarding network security seems to be that available security solutions should be openly promoted—their features, capabilities, and perhaps even shortcomings clearly articulated. However, the specifics of each solution's implementation ought to be tightly guarded. Of course, those who provide security solutions should not make available for public consumption any proprietary algorithms that are inherent within their hardware or software.

SMBs need to be aware that implementing a security solution is not a static, one-time event. As technology advances and new threats emerge, you can't always rely on what worked yesterday to protect you from today's threats. Deploying network security is a process that involves an initial design and implementation followed by ongoing monitoring of the solution's performance, reassessing of existing and emerging threats, and keeping up with technological advances that might affect the viability of the existing solution.

In the extreme, perhaps, there is no such thing as achieving perfect security on a computer network as long as people must manage and use the network, and the network has to interface with other networks, including the Internet. However, an SMB can take numerous security measures to present a formidable challenge to any potential intrusion attempt from the inside or the outside.

Consider one aspect of a network security breach that many fear the most: disclosure of sensitive information. Through the global reach of the Internet and the 24×7 news coverage, information can be propagated almost instantaneously to large audiences. The act of wide dissemination of information that ought to be held close to an SMB's vest can be damaging, regardless of whether that information is ridiculously frivolous or highly proprietary and confidential. That is only one reason why doing nothing about network security places a business at risk.

Managing risk levels is the crux of dealing with network security. An SMB must be willing to take the time to determine the degree of risk that the business is willing to tolerate. If an intolerable risk level is reached because of security threats against the SMB's network and information assets, the SMB must proceed with prudent steps that will reduce the threat.

TIP

When an SMB decides to take steps to protect the business from threats against its computer network, those threats need to be clearly identified and prioritized. Does it sound like there is an implication here of having a security policy? Indeed!


At a small enterprise, a security policy might be an unwritten policy that consists of information in someone's head (hopefully, the person who is responsible for network security). However, it is preferable for an SMB to create a network security policy in writing with input from the groups of stakeholders identified in Chapter 1, “Effective Networking Solution Design Process.”

A definition of a security policy and an example conclude this chapter. However, because the security vernacular tends to be cryptic, security threats need to be articulated in a language that is understandable to the network design professional and layman alike before a security policy is defined and developed. Those threats then need to be translated into a visible, understandable impact, from which security risk assessment analysis can be performed. An understanding of internal versus external security threats has to follow. Finally, the antidotes to the various threats need to be defined.

This chapter addresses all of the following issues:

  • The broad security threat categories

  • The meaning and impact of specific threats in SMB environments

  • Which to fear more: internal or external security threats

  • The security threat antidotes

  • The importance of having a clearly defined security policy

Specific security solutions representing the various antidotes are the focus of Chapter 5, “Cisco Security Solutions.” When you read about those security solutions in Chapter 5, you should understand which threat category they address and how to make them fit effectively into a security policy.
