Network security policy: best practices

Ref: document ID 13601, www.cisco.com

Process

- Preparation
  - Create usage policy statement
  - Conduct a risk analysis
  - Establish a security team structure
- Prevention
  - Approving security changes
  - Monitoring security of your network
- Response
  - Security violation
  - Restoration
  - Review

Preparation: Create usage policy statement (1)

- Outline users' roles and responsibilities with regard to security.
- General policy: covers all network systems and data within your company, and gives the general user community:
  - An understanding of the security policy and its purpose
  - Guidelines for improving their security practices
  - Definitions of their security responsibilities
  - Identification of the specific actions that could result in punitive or disciplinary action, and how to avoid them

Preparation: Create usage policy statement (2)

- Partner acceptable use statement: it provides partners with
  - An understanding of the information that is available to them
  - The expected disposition of that information
  - The conduct expected of the employees of your company
- Clearly explain any specific acts that have been identified as security attacks, and the punitive action that will be taken if such an attack is detected.

Preparation: Create usage policy statement (3)

- Administrator acceptable use statement: explains
  - The procedures for user account administration
  - Policy enforcement
  - Privilege review
- It should clearly present any specific policies concerning user passwords and the handling of data.
- Check the policy against the partner acceptable use and user acceptable use statements to ensure uniformity.
- Make sure that the administrator requirements listed in the policy are reflected in training plans and performance evaluations.

Preparation: Conduct a risk analysis (1)

- A risk analysis should identify the risks to your network, network resources and data.
- The aim is to identify the portions of your network, assign a threat rating to each portion and apply the appropriate level of security.
- Each network resource can be assigned one of 3 risk levels:
- Low risk
  - Systems or data that, if compromised (viewed by unauthorized personnel, corrupted or lost), would not disrupt the business, would not cause legal or financial ramifications, and would not provide further access to other systems
  - The targeted system or data can be easily restored
- Medium risk
  - Systems or data that, if compromised, would cause a moderate disruption in the business or minor legal or financial ramifications, or would provide further access to other systems
  - The targeted system or data requires a moderate effort to restore, or the restoration process is disruptive to the system

Preparation: Conduct a risk analysis (2)

- High risk
  - Systems or data that, if compromised, would cause an extreme disruption in the business or major legal or financial ramifications
  - Or would threaten the health and safety of a person
  - Or would provide further access to other systems
  - The targeted system or data requires a significant effort to restore
  - The restoration process is disruptive to the business or to other systems

Preparation: Conduct a risk analysis (3)

- Identify the types of users; the 5 most common types are:
  - Administrators: internal users responsible for network resources
  - Privileged: internal users with a need for greater access
  - Users: internal users with general access
  - Partners: external users with a need to access some resources
  - Others: external users or customers

Preparation: Establish team structure

- Create a cross-functional security team led by a Security Manager, with participants from each of your company's operational areas.
- The security team has 3 areas of responsibility:
  - Policy development: establishing and reviewing security policies for the company
  - Practice: conducting the risk analysis, approving security change requests, reviewing security alerts from both vendors and the CERT (Computer Emergency Response Team), and turning the policy into implementations
  - Response: troubleshooting and fixing a violation; each team member should know in detail the security features provided by the equipment in their operational area

Prevention: Approving security changes (1)

- Recommendation: review the following types of changes before they are applied:
  - Any change to the firewall configuration
  - Any change to an access control list (ACL)
  - Any change to the Simple Network Management Protocol (SNMP) configuration
  - Any change or update in software that differs from the approved software revision level list

Prevention: Approving security changes (2)

- Recommended guidelines:
  - Change passwords to network devices on a routine basis
  - Restrict access to network devices to an approved list of personnel
  - Ensure that the current software revision levels of network equipment and server environments are in compliance with the security configuration requirements

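The review of proposed changes described on the two "Approving security changes" slides can be partly automated. The following is an added example written for this transcript, not code from the Cisco document: it diffs the approved baseline configuration against a proposed one and sorts every changed line into the classes the policy says must be approved (ACL, SNMP and firewall-inspection lines), and flags a software revision that is not on the approved list. The IOS-like configuration text, the keyword patterns, the approved-revision set and the use of the config's `version` line as a stand-in for the device's software revision are all assumptions made for the example.

```python
"""Sort proposed network-device configuration changes into the classes the
security policy says must be approved before they are applied.

Added example for this transcript, not code from the Cisco document. The
IOS-like configuration text, the keyword patterns and the approved software
revision list are all constructed for the example.
"""
import difflib
import re
from dataclasses import dataclass, field

# Changed lines matching one of these classes require security-team approval.
# (Assumed IOS-like keywords; adapt to the platform actually in use.)
REVIEW_CLASSES = {
    "acl": re.compile(r"^(?:ip )?access-list\b|^(?:permit|deny)\b|^ip access-group\b"),
    "snmp": re.compile(r"^snmp-server\b"),
    "firewall": re.compile(r"^(?:ip inspect|zone-pair|class-map|policy-map)\b"),
}

# Constructed approved software revision level list.  The config's
# "version" line stands in for the device's running software revision.
APPROVED_SOFTWARE = {"15.2(4)M7", "15.4(3)M6"}


@dataclass
class ReviewResult:
    needs_approval: dict = field(
        default_factory=lambda: {cls: [] for cls in REVIEW_CLASSES})
    unapproved_software: list = field(default_factory=list)
    other_changes: list = field(default_factory=list)

    def requires_review(self) -> bool:
        return any(self.needs_approval.values()) or bool(self.unapproved_software)


def _normalise(config: str) -> list:
    """Drop blank and comment ('!') lines so cosmetic edits do not show up as changes."""
    return [ln.rstrip() for ln in config.splitlines()
            if ln.strip() and not ln.lstrip().startswith("!")]


def review_change(baseline: str, proposed: str) -> ReviewResult:
    """Diff the approved baseline against the proposed config and classify each change."""
    result = ReviewResult()
    diff = difflib.unified_diff(_normalise(baseline), _normalise(proposed),
                                lineterm="", n=0)
    for d in diff:
        if not d or d.startswith(("---", "+++", "@@")) or d[0] not in "+-":
            continue
        sign, text = d[0], d[1:].strip()
        m = re.match(r"version\s+(\S+)", text)
        if m:
            # Only the revision being introduced matters; the removed one is history.
            if sign == "+" and m.group(1) not in APPROVED_SOFTWARE:
                result.unapproved_software.append(m.group(1))
            continue
        change = f"{sign} {text}"
        for cls, pattern in REVIEW_CLASSES.items():
            if pattern.search(text):
                result.needs_approval[cls].append(change)
                break
        else:
            result.other_changes.append(change)
    return result


# Constructed sample: the approved baseline and a proposed change set.
BASELINE = """\
version 15.2(4)M7
hostname edge-fw
!
snmp-server community s3cret-ro RO
!
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 deny ip any any log
!
interface GigabitEthernet0/0
 ip access-group OUTSIDE-IN in
"""

PROPOSED = """\
version 15.9(3)M
hostname edge-fw
!
snmp-server community public RW
!
ip access-list extended OUTSIDE-IN
 permit tcp any host 203.0.113.10 eq 443
 permit tcp any host 203.0.113.10 eq 22
 deny ip any any log
!
interface GigabitEthernet0/0
 description uplink to ISP
 ip access-group OUTSIDE-IN in
"""

if __name__ == "__main__":
    r = review_change(BASELINE, PROPOSED)
    print("requires review:", r.requires_review())
    print("unapproved software:", r.unapproved_software)
    for cls, changes in r.needs_approval.items():
        for c in changes:
            print(f"[{cls}] {c}")
    for c in r.other_changes:
        print(f"[other] {c}")
```

On the constructed sample the proposal trips three of the four review classes at once: an unapproved software revision, a rewritten SNMP community (and a change from RO to RW), and a new ACL entry opening port 22; only the interface description is left as an ordinary change. The point of the `_normalise` step is that comment and whitespace edits should not generate review noise, while anything touching the classified keywords always does.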
Prevention: Monitoring security of your network (1)

- Similar to network monitoring, except that it focuses on detecting changes in the network that indicate a security violation.
- From the risk analysis matrix:
  - The firewall is considered a high-risk network device, so monitor it in real time.
- From the approving security changes section:
  - Any change to the firewall should be monitored.
  - This means the SNMP polling agent should monitor such things as failed login attempts, unusual traffic, changes to the firewall, access granted to the firewall and connections set up through the firewall.

Prevention: Monitoring security of your network (2)

- Following this example, create a monitoring policy for each area identified in your risk analysis:
  - Low-risk equipment: monitor weekly
  - Medium-risk equipment: monitor daily
  - High-risk equipment: monitor hourly
- Lastly, the security policy should address how to notify the security team of security violations, e.g. by email or SMS.

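The monitoring requirements on the two "Monitoring security of your network" slides (failed login attempts, unusual traffic, changes to the firewall, access granted to the firewall) as an added example, not part of the Cisco document: a small rule set run over constructed syslog-style lines. The message layout, the failure threshold and window, and the list of expected outbound ports are invented for the example; a real deployment parses the firewall's own log format or the data the SNMP poller collects.

```python
"""Security-monitoring rules for a high-risk device such as the firewall.

Added example for this transcript, not code from the Cisco document. The
syslog-style message format, the thresholds and the set of expected egress
ports are constructed for the example; a real deployment parses the
firewall's own log format or the SNMP data the poller collects.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

FAILED_LOGIN_THRESHOLD = 3       # assumed: this many failures from one source ...
FAILED_LOGIN_WINDOW_S = 120      # ... within this many seconds is a burst
EXPECTED_OUTBOUND_PORTS = {53, 80, 443}   # assumed baseline of normal egress

# Constructed line layout: "<ISO timestamp> <host> <facility>: <message>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>auth|config|conn): (?P<msg>.*)$")
AUTH_RE = re.compile(r"^(FAILED )?login user=(\S+) src=(\S+)$")
CONN_RE = re.compile(r"^built outbound TCP \S+ -> (\S+):(\d+)$")


def parse_line(line):
    """Return the parsed fields of one log line, or None if it is not in the expected layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def monitor(lines):
    """Run the rule set over log lines in order; return (kind, detail) alerts."""
    alerts = []
    failures = defaultdict(deque)   # src -> timestamps of recent failed logins
    burst_sources = set()           # sources that already triggered a burst alert
    for raw in lines:
        ev = parse_line(raw)
        if ev is None:
            alerts.append(("unparsed", raw))   # never silently drop a line
            continue
        ts, fac, msg = ev["ts"], ev["facility"], ev["msg"]
        if fac == "auth":
            m = AUTH_RE.match(msg)
            if not m:
                alerts.append(("unparsed", raw))
                continue
            failed, user, src = bool(m.group(1)), m.group(2), m.group(3)
            if failed:
                q = failures[src]
                q.append(ts)
                while (ts - q[0]).total_seconds() > FAILED_LOGIN_WINDOW_S:
                    q.popleft()   # slide the window forward
                if len(q) >= FAILED_LOGIN_THRESHOLD and src not in burst_sources:
                    burst_sources.add(src)
                    alerts.append(("failed_login_burst",
                                   f"{len(q)} failures from {src} within {FAILED_LOGIN_WINDOW_S}s"))
            else:
                # Access granted to the firewall is always reported; a success from a
                # source that was just guessing passwords is escalated.
                kind = "login_after_failures" if src in burst_sources else "access_granted"
                alerts.append((kind, f"user={user} src={src}"))
        elif fac == "config":
            alerts.append(("config_change", msg))   # every firewall change is reviewed
        elif fac == "conn":
            m = CONN_RE.match(msg)
            if m and int(m.group(2)) not in EXPECTED_OUTBOUND_PORTS:
                alerts.append(("unusual_traffic", msg))
    return alerts


# Constructed sample log: a password-guessing burst that succeeds, followed by
# an ACL removal and an outbound connection to an unexpected port.
SAMPLE_LOG = """\
2024-03-01T09:00:01 edge-fw auth: login user=netops src=10.0.0.5
2024-03-01T09:05:10 edge-fw auth: FAILED login user=admin src=198.51.100.7
2024-03-01T09:05:12 edge-fw auth: FAILED login user=admin src=198.51.100.7
2024-03-01T09:05:15 edge-fw auth: FAILED login user=root src=198.51.100.7
2024-03-01T09:05:40 edge-fw auth: login user=admin src=198.51.100.7
2024-03-01T09:06:02 edge-fw config: changed by user=admin line='no ip access-list extended OUTSIDE-IN'
2024-03-01T09:06:30 edge-fw conn: built outbound TCP 10.0.0.23:51000 -> 203.0.113.99:443
2024-03-01T09:06:31 edge-fw conn: built outbound TCP 10.0.0.23:51001 -> 203.0.113.99:4444
2024-03-01T11:00:00 edge-fw auth: FAILED login user=admin src=192.0.2.44
garbage line that does not parse
""".splitlines()

if __name__ == "__main__":
    for kind, detail in monitor(SAMPLE_LOG):
        print(f"{kind:22s} {detail}")
```

Two design points worth noting. The burst rule is keyed on the source address and uses a sliding window, so the single failure at 11:00 from a different address produces nothing, while the successful login that follows a burst from the same source is escalated rather than reported as routine access. Lines the parser does not understand are surfaced as alerts rather than discarded: on a device the risk analysis rates high, a monitoring gap is itself something the team should see.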
Response: Security violation (1)

- The first action after detection of an intrusion is the notification of the security team.
  - Define a procedure in the security policy that is available 24 hours a day, 7 days a week.
- Next, define the level of authority given to the security team to make changes. Possible corrective actions are:
  - Implementing changes to prevent further access to the violation
  - Isolating the violated systems
  - Contacting the carrier or ISP in an attempt to trace the attack

Response: Security violation (2)

  - Using recording devices to gather evidence
  - Disconnecting violated systems or the source of the violation
  - Contacting the police or other government agencies
  - Shutting down violated systems
  - Restoring systems according to a prioritized list
  - Notifying internal managerial and legal personnel

Response: Security violation (3)

- Lastly, collect and maintain information during the security attack:
  - To determine the extent to which systems have been compromised
  - To prosecute external violations
  - To determine the extent of the violation
- Record the event by obtaining sniffer traces of the network, copies of log files, active user accounts and network connections.
- Limit further compromise by disabling accounts, disconnecting the network equipment from the network and disconnecting from the Internet.

Response: Security violation (4)

- Back up the compromised system to aid in a detailed analysis of the damage and method of attack.
- Look for other signs of compromise.
  - Often when a system is compromised there are other systems or accounts involved.
- Maintain and review security device log files and network monitoring log files, as they often provide clues to the method of attack.

Response: Restoration

- Define in the security policy how to conduct, secure and make available normal backups.
- As each system has its own means and procedures for backing up, the security policy should act as a meta-policy,
  - detailing for each system the security conditions that require restoration from backup.
- If approval is required before restoration can be done, include the process for obtaining approval as well.

Response: Review (1)

- The review is the final effort in creating and maintaining a security policy.
- 3 things to be reviewed: policy, posture and practice.
- The security policy should be a living document:
  - Review it against known best practices.
  - Check the CERT website for useful tips, practices, security improvements and alerts.

Response: Review (2)

- Review the network posture in comparison with the desired security posture.
  - An outside firm that specializes in security can attempt to penetrate the network and test not only the posture of the network but the security response of the organization as well.
  - For high-availability networks, conducting such a test annually is recommended.
- Finally, practice is defined as a test of the support staff to ensure that they have a clear understanding of what to do during a security violation.
  - Often the test is unannounced and done in conjunction with the network posture test.
  - It shows the gaps in procedures and in the training of personnel so that corrective action can be taken.