The Importance Of Layered Network Security

As enterprises look to streamline their operations by integrating the diverse aspects of their business and using networked computing architectures to provide a consistent platform and medium for this to take place, their need to guarantee the security of these networks becomes that much greater. In today’s environment, breaches, bottlenecks or downtime leading to the slowing or stopping of network activity can mean the difference between economic prosperity and collapse.

For years, security professionals have been preaching the benefits of a “layered” approach to network defense – and in this article we’ll be looking at what this means, and the implications it may have for your business.

Defense In Depth

The layered approach to network security is based on the concept of “defense in depth” – a vaguely cool and military-sounding phrase which simply means that since any barrier you put up to guard against something may one day be breached, it’s a good idea to have several barriers so that anyone attacking you has a lot more work to do.

In terms of security modeling, these barriers translate into a set of layers which make up a complex and protective “skin” around the network (rather like the layers of an onion). Each layer is dedicated to a specific aspect of the network, and each has its own set of protections and security controls. Opinions differ as to what comprises each layer, but here’s a summary of the prevailing wisdom.

Physical Layers

These layers deal with the first interface between humans and machines: The three-dimensional barriers that control access to the sites where networks are housed, set hardware in its appointed place, and ensure the physical integrity of the connections between different network components.

On the access control side, defense in depth here may include the provision of surveillance cameras or CCTV, security guards and patrols, turnstiles and metal detectors, key card or keypad access points, as well as device-specific measures like port block-outs, movement-triggered alarms, and location-tracking applications (“LoJacking”).

The physical integrity of network elements may be maintained through proper wiring, connections, and hardware configuration, isolation of critical components, and environment controls like cooling and ventilation.

Electronic Layers

Closely associated with the physical layers (and considered by some as part of them), protocols like Ethernet, Frame Relay, and PPP are concerned with sending bits of data using various communication mechanisms via analog and digital pathways.

Unauthorized users must be prevented from gaining access to these modes of transmission. Access control measures should therefore be put in place to govern this, together with surveillance and warning systems that monitor access and raise alerts in the event of a breach.

Procedural Layers

More of a conceptual matter than an actual element of the network itself, procedural layers are made up of the policies and best practices governing a system’s IT management and security protocols. These would include the drawing up of rules to determine access rights, the configuration of firewalls or intrusion detection systems, and the establishment of schedules for updates, maintenance, and patch management.

Network Security

This layer comprises the actual software and hardware dedicated to protecting the network in part or whole. Protection here extends from enabling the on-board security features of routers and switches to the installation and configuration of firewalls, intrusion prevention systems (IPS), and intrusion detection systems (IDS).

Defense in depth layering is further enhanced by dividing the network into segments or zones, each with its own requirements for establishing domains of trust and security access. This approach also makes it easier to monitor and manage data traffic on the network.

Computer Hardening

Exploits targeting specific software vulnerabilities (in both operating systems and working applications) are a favored tool of cyber-criminals, and computer hardening aims at making systems proof against such attacks. Tools and methods include:

· Anti-virus and anti-malware applications

· Whitelisting of approved applications and workloads

· Endpoint security measures and Host Intrusion Detection Systems (HIDS)

· The removal of redundant or unused applications, services, and protocols

· Effective management of ports
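As an added example (not code from the article), here is a small defender-side audit that ties the last three points together: it parses a listening-socket inventory in `ss -lntp` format, compares each listener against an allowlist of approved (port, process) pairs, and flags anything not on the list so it can be removed or firewalled. The `ss` output and the allowlist are constructed for illustration.

```python
"""Host hardening audit: compare listening sockets against an allowlist.
Added example; the sample `ss -lntp` output below is constructed, not captured."""
import re

# Constructed sample of `ss -lntp` output (not from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:443       0.0.0.0:*         users:(("nginx",pid=901,fd=6))
LISTEN 0      128    127.0.0.1:5432    0.0.0.0:*         users:(("postgres",pid=1203,fd=5))
LISTEN 0      50     0.0.0.0:23        0.0.0.0:*         users:(("telnetd",pid=1555,fd=4))
LISTEN 0      128    0.0.0.0:8080      0.0.0.0:*         users:(("python3",pid=1602,fd=3))
"""

# Hypothetical allowlist: (port, process) pairs this host is approved to run.
APPROVED = {(22, "sshd"), (443, "nginx"), (5432, "postgres")}

# Matches one LISTEN row: local address, port, and the first process name.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')


def parse_listeners(ss_output):
    """Return a list of (port, process, bind_address) for each LISTEN row."""
    listeners = []
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append((int(m.group(2)), m.group(3), m.group(1)))
    return listeners


def audit(listeners, approved):
    """Return findings for listeners not on the allowlist. Each finding notes
    whether the socket is bound to loopback only or reachable from the network,
    which decides how urgent removal or a firewall rule is."""
    findings = []
    for port, proc, addr in listeners:
        if (port, proc) not in approved:
            exposure = "local-only" if addr.startswith("127.") else "network-exposed"
            findings.append({"port": port, "process": proc, "exposure": exposure})
    return findings


if __name__ == "__main__":
    for f in audit(parse_listeners(SAMPLE_SS_OUTPUT), APPROVED):
        print(f"UNAPPROVED {f['process']} on port {f['port']} ({f['exposure']})")
```

On a real host the same check runs over the live output of `ss -lntp`, with the allowlist maintained as part of the procedural layer described earlier.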

Application Security

Best security practices should be followed with control system applications, such as role-based access control (RBAC) that bars access to critical process functions and forces user authentication via password, token, or some other mechanism.

A comprehensive policy on software patching – which might include the pre-testing of patches on “sheep dip” systems not connected to a network, verification of the authenticity of patches from vendors, and other measures – also applies here.

Device Hardening

This layer of protection derives from the simple act of changing the default settings on system hardware. Measures include changing default passwords and reconfiguring the security settings on firewalls, switches, routers, and other embedded devices.

The Need For Monitoring

A system-wide policy of monitoring, reporting, event logging, and alerts completes the picture. To reduce the burden on administrators and IT managers, automating as many of these activities as possible is usually advised.

Des Nnochiri has a Master’s Degree (MEng) in Civil Engineering with Architecture, and spent several years at the Architectural Association, in London. He views technology with a designer’s eye, and is very keen on software and solutions which put a new wrinkle on established ideas and practices. He now writes for markITwrite across the full spectrum of corporate tech and design. In previous lives, he has served as a Web designer, and an IT consultant to The Learning Paper, a UK-based charity extending educational resources to underprivileged youngsters in West Africa. A film buff and crime fiction aficionado, Des moonlights as a novelist and screenwriter. His short thriller, “Trick” was filmed in 2011 by Shooting Incident Productions, who do location work on “Emmerdale”.
