Security by design beats ‘retro-fitting’
- 13 November, 2003 15:27
Corporate network security is increasingly becoming a design consideration rather than a matter of “retro-fitting” security appliances and software, according to industry consultants.
Alphawest’s national business continuity manager Tim Smith said the company has seen a new trend this year in networks being designed to meet security concerns.
“Like anything, if you have the opportunity to build it from the start it should be more secure. In some cases companies are doing complete network re-designs for security purposes,” Smith said.
Smith said the main security consideration is determining the critical assets which must be considered in network design.
“One of the turning points in secure network design is a move to tidy up what is in place,” he said. “Before you can continue to build in security you need to clean up.”
From an auditing perspective, enterprises need to weigh up the risks and design the infrastructure accordingly.
“Look at your audits from a risk perspective; performing a network audit with security in mind can make sure the organisation at least sees the issues,” Smith said.
Independent information security trainer Les Bell said levels of trust are playing a part in today’s networks.
Bell said his philosophy requires the architect to assign different levels of trust to different networks within an intranet and then install firewalls between the different trust levels.
“This can be done on a departmental basis: for example you might have a separate LAN or VLAN for HR, product design labs, and executive offices, with gateways between them.”
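Bell's trust-level layout, modelled as an added example that is not from the article or from anyone quoted in it: the VLAN names, their trust levels and the single upward exception are constructed assumptions, and the default rule (a more trusted network may initiate connections to a less trusted one, never the reverse) is one common reading of such a design.

```python
"""Trust-level segmentation model: assign a trust level to each VLAN and
derive the default gateway policy between them (constructed example)."""
from dataclasses import dataclass
from itertools import permutations

# Constructed trust levels for departmental VLANs; higher number = more trusted.
TRUST = {
    "exec": 3,
    "hr": 3,
    "design-lab": 2,
    "staff": 1,
    "guest": 0,
}

# Explicit exceptions for flows that cross upward in trust: (src, dst, tcp port).
# Constructed: a self-service HR web portal reachable from the staff VLAN.
EXCEPTIONS = {
    ("staff", "hr", 443),
}


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    port: int


def decide(flow: Flow) -> str:
    """Return 'allow' or 'deny' for a new connection between two VLANs."""
    if flow.src == flow.dst:
        return "allow"                      # intra-VLAN traffic never hits the gateway
    if (flow.src, flow.dst, flow.port) in EXCEPTIONS:
        return "allow"                      # explicitly reviewed upward flow
    # Default policy: strictly higher trust may initiate to lower trust;
    # equal or lower trust needs an explicit exception.
    return "allow" if TRUST[flow.src] > TRUST[flow.dst] else "deny"


def gateway_rules(zones: dict = TRUST) -> list[str]:
    """Render the policy as ordered rule lines for a stateful inter-VLAN gateway.
    Exceptions come first so they are matched before the broader default rules."""
    rules = [f"allow from {s:10} to {d:10} tcp/{p} (exception)"
             for s, d, p in sorted(EXCEPTIONS)]
    for src, dst in permutations(zones, 2):
        verdict = "allow" if zones[src] > zones[dst] else "deny"
        rules.append(f"{verdict:5} from {src:10} to {dst:10} (new connections)")
    return rules
```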
Smith said that how successfully specific security appliances within the network can be managed will depend on the vendor.
“If you look at the whole network appliance market, no one is infallible,” he said. “However, users should remember that the vendor is responsible for patches to appliances and the last thing you want is to visit the vendor's Web site for it.”
Smith said general network infrastructure, or servers being used for network security operations, are not inherently less secure than dedicated security appliances but may not be as manageable.
“The pure-play security vendors have more of a security agenda,” he said. “For example, Check Point has a secure platform for Red Hat Linux which allows any computer to act as a security appliance.”
According to Smith, specific network security technologies – such as intrusion detection systems – must be implemented in a holistic fashion.
“There is some confusion over IDS because it isn’t a generic product,” he said. “Just like network design, it must be managed appropriately.”
“When deploying IDS, make sure you have a security information management system that can correlate data as the market for this technology is mature,” Smith said.
Bell suggests better education combined with choosing a single vendor for equipment.
“In the short term, the easy answer is to stick to products from a single vendor, which are generally designed with at least a similar interface and terminology, if not reasonably tight integration,” he said. “In the longer term, standards are emerging and most vendors are learning to ‘play nice’.”
Overall, Alphawest’s Smith sees network security as a task that shouldn’t be left to technology alone.
“Although they are helpful, relying on third-party tools can be a danger,” he said. “Experience and keeping abreast of the field are most important.”