7.2. A Team Security Blanket

An organization's network security team typically secures anything that's on, that connects to, or that even attempts connection to their enterprise network. The long and impressive list of items that connect or attempt connection to a network encompasses network devices, network monitoring (such as SNMP), file servers, print servers, application servers, computing devices (particularly for their connections to the network), networked fax machines and printers, and so on. Basically, any device that connects to the network usually falls under the network security team's purview; in today's typical organization structure, those entities can include just about every device used in the organization.

In some organizations, the scope of the network security team even crosses over into covering network authentication or security devices, such as RADIUS servers or appliances, or network access databases or data stores. In other organizations, even Voice over Internet Protocol (VoIP) or networked e-mail devices, such as e-mail servers, fall under the auspices of the security team. Whether authentication or security devices are the bailiwick of the network security team really depends on your organization and their corporate make-up.

NOTE

From organization to organization, independent of their corporate make-up, the charter of the network security team typically doesn't change. The charter of the network security team focuses on network security and the policies that can assure and enforce network security. The network security team usually defines, deploys, and sets the enforcement of network security policy for an organization, which helps provide a roadmap for the breadth, depth, and reach of the network security team within most organizations.

7.2.1. It's our policy

Security policies for any organization require a level of uniformity and conformity. Keep what the security policies control and how you enforce them consistent, regardless of the type, scope, or purpose of the device attempting to connect to the network. Consistency is a key — but only one of the keys — to defining security policies and making those policies enforceable.

NOTE

The network security group in most organizations is the team in charge of ensuring that consistency exists between security policies.

The network security group needs to make sure that their organization has security policies in place, as well as ensuring that those policies are up to date. A network security team must understand the art of designing and defining a security policy that's robust and stringent, but also malleable and resilient. Any security policy that the network security team defines and deploys must be extensible and flexible because while the network — and its users, the devices and tools that they use to access the network, and their access methods — evolves, the network's security needs to evolve, as well. If you — through your organization's network security team, in most instances — don't define strong yet adaptive security policies, a hack or breach, such as unauthorized individuals or devices accessing the network, or unapproved hardware and software connecting to the network, can occur and spread quickly and exponentially throughout your network, threatening the security of the network, its applications and services, and its users and their devices.

In most organizations, the network security team determines who may be eligible for or requires administrative privileges and rights. An organization can grant administrative rights to specific users for their own devices or for the network. In this instance, the network security team typically focuses on granting network administrative rights. Device administrative rights usually fall under the control of an organization's desktop or device management team, which we discuss in the section "A Clean Desk(top)," later in this chapter.

7.2.2. The billing of rights

Administrative (admin) privileges and rights are the network security team's collateral — their cash, so to speak.

Admin privileges and rights are akin to the keys to the kingdom because these rights can gain a user access to many highly confidential, secure areas on (and tools for) a network. Access to the nooks and crevices of the network may also be part of the admin rights grant. A person who has admin rights gains a level of unchecked, unfettered freedom and openness to the network — and its security. In the wrong hands, admin privileges and rights can be lethal to a network and organization.

Review, review, review

To keep up with the ever-changing threat landscape, the number and type of devices connecting to the network or requiring an IP address, and the number of users and devices (not to mention types of devices) attempting to access the network, the network security team has to keep tabs on the security of the network. The network security team can accomplish this through consistent and regular — or, in many cases, constant — review of the network's security and the threat risk that it faces.

Like emergency first responders (such as firefighters and police), this team of network first responders runs tests and security audits, and even stages their own network security events, to test their network alert and response times — as well as the team's own response times. The security team uses many tools and means to assess the risk that a variety of threats and breaches pose to their network, how they respond to those risks, and how long those responses take.

Armed with this data and insight, the network security team can verify (to some predetermined and predefined level of assuredness) that their network, networked devices, applications, data, and services have current security measures in place. They can also ensure that their network has (and maintains) low vulnerability and exposure to malware outbreaks, exploits, breaches, attacks, and other negative network events. But this predefined level of verification isn't perfect. Like any fortress, no network is impregnable. A network security team needs to be forever vigilant, current, and focused on the task at hand — the safety and security of their organization's network, protecting sensitive data and intellectual property.


With these privileges and rights, a malevolent user can breach confidential information, as well as gain access rights to applications, data, and devices. Such a user can even modify the network itself, leaving it in jeopardy from hack, breach, or other threat. The user can drill holes into the network's security and make the network easily accessible to hackers, whether those hackers are external or internal. Because of these issues (and more), the network security team considers admin privileges and rights collateral, and they guard those rights and privileges as securely as the keys to a safe, cash or jewels, or any other precious possession. The network security team doesn't grant these privileges or rights lightly. They make admin rights and privileges available only when required, ordered, or under great duress. The safety and security of their network kingdom — and its coveted crown jewels, such as information and accessibility — are at stake.

7.2.3. The team job description

The network security team, in all likelihood, is very actively involved in any investigation into or decision regarding a NAC solution. They

  • Quickly stand behind your organization's adoption of NAC (if they don't make it happen themselves).

  • Drive the NAC selection and adoption process from the start, determining the organization's and network's NAC needs, defining the NAC solution criteria, and helping in the selection of vendors and products.

  • Work with other organizational teams and groups to determine and define their access control needs.

  • Lead the testing of a NAC solution, in conjunction with other organizational teams, all the way up to the selection and deployment of a NAC solution.

The network security team needs to do all these NAC implementation processes and tasks because that team usually defines and implements the security policies that drive the selected NAC solution, not to mention enforcing those policies and taking remediation actions against non-compliant devices or unauthorized individuals attempting to access the network.

This team needs to ensure the following:

  • Any selected NAC solution has strong, powerful means to control who can access the network and corporate resources, and how users and their devices do so.

  • Robust, inclusive user and device authentication and authorization procedures secure network and application access as stringently as possible, without forcing users to contact the helpdesk because they can't access the network and its resources. After all, the network security team doesn't want to face the ire of angry helpdesk personnel!

  • Any policy engine associated with the NAC solution needs a simple, easy-to-use user interface, particularly because the network security team most likely has to define, create, and implement the security policies.

  • The selected NAC solution enables the network security team to reuse or repurpose existing security policies — either policies that they already have in place with existing policy servers, such as those for organizational antivirus or other anti-malware capabilities, or policies that they've already defined for other access methods, such as security and access policies for virtual private networks (VPNs), network infrastructure security devices (such as intrusion detection systems [IDS] or intrusion prevention systems [IPS]), or existing security appliances (such as firewalls, routers, or integrated security devices).

The network security team must adamantly demand that all network users and their devices — including all layers of organization management, as well as guest users such as contractors and partners — adhere to the security policies and access control procedures. The more unauthorized, unauthenticated users and devices that are denied network or application access, the smaller the chance of those same users or devices breaching network security and causing the network security team more work, aggravation, and heartburn.
