How to Develop a Network Security Policy
February 23, 2010An Overview of Internetworking Site Security
Introduction
This document is for business executives, and others, who want to know more about Internet and internetworking security, and what measures you can take to protect your site. Presented is a high-level overview of the issues, realities, and technologies available to protect your business from unwanted intrusions and violations when connecting to the Internet. Most aspects of security, including network security and the creation of a security policy, are quite complex; however, gaining a basic understanding of the principles and tools involved is a straightforward exercise.
While this overview will give you a basic understanding of the need for a site security policy, and factors to consider in creating a security policy, it will not tell you what your security policy should be. The reason for this is simple – security is very subjective. Every business has a different threshold of well -being, different assets, different culture, and different technology infrastructure. Every business has different requirements for storing, sending, and communicating information in electronic form. No single site security policy is best for any two business. Just as your business evolves to adapt to changing market conditions, your site security policy must evolve to meet changing technology conditions.
This document is based on a publicly available document, RFC 1244, which discusses site security. However, there are a number of very good resources available on the subject of internetworking security, and they are listed in the References section. Information on how to obtain an electronic copy of RFC 1244 is contained there as well.
Why Do You Need a Site Security Policy?
With worldwide connections, someone can get into your system in the middle of the night when your building is locked up. The Internet allows the electronic equivalent of an intruder who looks for open windows and doors. Now, a person can check for hundreds of vulnerabilities in just a few hours.
Most network-based computer security crimes are unreported, yet the statistics are alarming:
According to Computer Security Institute (CSI), a member research organization that provides public service information, most breeches of Internet and data security are kept quiet. The most amazing stories are never printed – you never hear about them from anyone.
Most companies do not want to disclose – for reasons of bad publicity – that their computer infrastructure has been compromised.
- National Center for Computer Crime Data in Santa Cruz, California states that the annual loss from computer network crime is $950 million annually in the U.S. alone. The Yankee Group, an industry consulting firm, estimates that by taking into account associated productivity, confidence, and competitive advantage losses, the total financial loss for such security breaches is closer to $7 billion annually.
Companies are experiencing different types of losses. Examples include service interruption, whereby attackers effectively shut down your network gateway to the outside world, or someone wantonly removes a central password file; theft of online corporate assets or interception of sensitive e-mail or data as it is transmitted; and fraudulent misrepresentation of either data or someone as a user.
Many companies unknowingly increase the vulnerability to their computer network, all in the name of improving productivity:
-
By adding a remote access e-mail gateway such that employees can access e-mail while away from the office, companies may unwittingly provide a “side door” into their computer network, especially if strong authentication measures are not implemented.
-
By adding a World Wide Web site and ftp server so their customers can instantly retrieve product information and software fixes from anywhere in the world at any time of the day or night, companies may be unaware that they are providing a “electronic tunnel” to other, non-public corporate data.
- By embracing Electronic Data Interchange (EDI) as a state-of-the-art vendor order and payment system, a company could be allowing criminals access to either inventory or a checkbook. Yet, too much security can be as counterproductive as too little security. As companies come to rely on internetworking to lower the costs of doing business – e-mail for communications, WWW sites for information publishing, ftp for software update distribution, and EDI for supplier-vendor transactions – the productivity gains become too compelling to ignore. A site security policy is required to establish an enterprise-wide program of how both internal and external users interact with a company’s computer network, how the corporate computer architecture topology will be implemented, and where computer assets will be located. The policy will weigh possible threats against the value of personal productivity and corporate assets, which need different levels of protection. There are facets to a site security policy, and they will be explored in more detail in a later section.