Securing Company Network
The office network provides the core services to the company. Everyone utilitises this shared medium to do productive work, including file sharing, printing, emailing and web browsing.
General Network Protection
With networked or distributed applications, the security of multiple systems as well as the security of the interconnecting network are equally important, especially if public access wide area networks are used. The risks of connecting to outside networks must be weighed against the benefits. It may be desirable to limit connection to outside networks to those hosts that do not store sensitive material and keep vital machines isolated.
Some general network protection guidelines are provided below:
Keep network simple (i.e. minimise number of network interface points between "secured" network and "non-secured" network).
Only allow authorised traffic to enter the "secured" network.
Use multiple mechanisms to authenticate user (e.g. password system plus pre-registered IP/IPX network plus pre-registered MAC address/terminal number).
Manage the network with network management system.
Encrypt data with proven encryption algorithm before transmitting over the network.
Building A Secure Network
The following are some tips to build a secure network:
Plan for network security: address all security requirements and issues in selecting network and server and deployment including the management policy, technical training and outsourcing requirements and address security.
Design physical and environmental security: e.g. put critical assets such as network communication lines, servers, switches, firewalls and file servers in server room or a secured area.
Use private IP addressing scheme for internal networks: to prevent internal network from access by external network.
Design network security model by zoning i.e. segregation of network according to security requirements, e.g. the office network is totally isolated from the Internet, or the company servers and computers are located behind the firewall, or set up a demilitarised zone (DMZ) network. Unsecured or unmanaged systems should not be allowed to make connection to internal network.
Configure firewalls and network routers: harden the firewall and router by limiting the administrative access to specified locations, closing unnecessary network services for incoming and outgoing traffic or using encrypted communication channel for administration.
Configure servers: e.g. secure the server operating system by uninstalling unnecessary services and software, patch the system timely and disable unused accounts.
Secure the application: by means of installing security patch, enhance application settings or lock the environment in which applications operate.
Filter malware: anti-malware software with up-to-date definition file should be installed in desktop and network servers to prevent the spread of malware.
Manage accounts and access privileges: e.g. access rights should be granted on an as-needed basis and should be reviewed regularly.
Log security events and review regularly: Logging and auditing functions should be provided to record network connection, especially for unauthorised access attempt. The log should be reviewed regularly.
Develop a standard building of secure desktop: design a secured workstation configuration as the standard build of the company and make image backup of the build and replicate to the company desktops.
Develop backup and recovery strategies.
Develop security management procedure: e.g. security log monitoring procedure, change management procedure or patch management procedure.
Maintain good documentation of configuration and procedure.
Train the staff: training should be given to network/security administrator and supporting staff as well as users to ensure that they follow the security best practice and follow security policies.