Network security policy: best practices Ref: document ID 13601 www.cisco.com


Process

Preparation
- Create usage policy statement
- Conduct a risk analysis
- Establish a security team structure

Prevention
- Approving security changes
- Monitoring security of your network

Response
- Security violation
- Restoration
- Review

Preparation: Create usage policy statement (1)

Outline users' roles and responsibilities with regard to security.

General policy: covers all network systems and data within your company, providing:
- An understanding of the security policy and its purpose
- Guidelines for improving their security practices
- Definitions of their security responsibilities
- Identification of specific actions that could result in punitive action

Preparation: Create usage policy statement (2)

Partner acceptable use statement: provides partners with an understanding of:
- The information that is available to them
- The expected disposition of that information
- The conduct of the employees of your company
- A clear explanation of any specific acts that have been identified as security attacks, and the punitive action

Preparation: Create usage policy statement (3)

Administrator acceptable use statement: explains
- The procedures for user account administration
- Policy enforcement
- Privilege review

Specific policies concerning user passwords and the handling of data should be clearly presented.

Check the policy against the partner acceptable use and user acceptable use statements to ensure uniformity.

Make sure that the administrator requirements listed in the policy are reflected in training plans and performance evaluations.

Preparation: Conduct a risk analysis (1)

A risk analysis should identify the risks to the network, resources and data.

Identify each portion of your network, assign a threat rating to each portion and apply the appropriate level of security.

Each network resource can be assigned one of 3 risk levels:

Low risk: systems or data that, if compromised, would not disrupt the business or cause legal or financial ramifications, and would not provide further access to other systems. The targeted system or data can be easily restored.

Medium risk: systems or data that, if compromised, would cause a moderate disruption in the business or minor legal or financial ramifications, or would provide further access to other systems. The targeted system or data requires a moderate effort to restore, or the restoration process is disruptive to the system.

Preparation: Conduct a risk analysis (2)

High risk: systems or data that, if compromised, would cause an extreme disruption in the business or major legal or financial ramifications, would threaten the health and safety of a person, or would provide further access to other systems. The targeted system or data requires a significant effort to restore, or the restoration process is disruptive to the business or to other systems.

Preparation: Conduct a risk analysis (3)

Identify the types of users; the 5 most common types are:
- Administrators: internal users responsible for network resources
- Privileged: internal users with a need for greater access
- Users: internal users with general access
- Partners: external users with a need to access some resources
- Others: external users or customers

Preparation: Establish team structure

Create a cross-functional security team led by a Security Manager with participants from each of your company's operational areas.

The security team has 3 areas of responsibility:
- Policy development: establishing and reviewing security policies for the company
- Practice: conducting the risk analysis, approving security change requests, reviewing security alerts from both vendors and the CERT (Computer Emergency Response Team), and turning the policy into implementations
- Response: troubleshooting and fixing violations; each team member should know in detail the security features provided by the equipment

Prevention: Approving security changes (1)

Recommendation: review the following types of changes:
- Any change to the firewall configuration
- Any change to an access control list (ACL)
- Any change to the Simple Network Management Protocol (SNMP) configuration
- Any change or update in software that differs from the approved software revision level list

Prevention: Approving security changes (2)

Recommended guidelines:
- Change passwords to network devices on a routine basis
- Restrict access to network devices to an approved list of personnel
- Ensure that the current software revision levels of network equipment and server environments are in compliance with the security configuration requirements

Prevention: Monitoring security of your network (1)

Similar to network monitoring, except that it focuses on detecting changes in the network that indicate a security violation.

In the risk analysis matrix the firewall is considered a high-risk network device, so monitor it in real time. From the approved security changes, any change to the firewall should be monitored. This means the SNMP agent should monitor such things as failed login attempts, unusual traffic, changes to the firewall, access granted to the firewall and connections set up through the firewall.

Prevention: Monitoring security of your network (2)

Following this example, create a monitoring policy for each area identified in your risk analysis:
- Low-risk equipment: monitor weekly
- Medium-risk equipment: monitor daily
- High-risk equipment: monitor hourly

Lastly, the security policy should address how to notify the security team of security violations, such as by email or SMS.
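As an added example, not part of the Cisco document, the following Python script applies the monitoring policy above to a few constructed firewall log lines: it flags failed-login bursts, configuration changes to firewall, ACL or SNMP sections that are not on an approved-change list, and access granted to the firewall from a source that had just been failing logins, then routes each alert by the device's risk tier (real-time for high-risk devices, the scheduled weekly/daily/hourly review otherwise). The simplified syslog-like line layout, device names, inventory and approved-change list are all assumptions constructed for this example, not real device output.

```python
"""Security monitoring over constructed firewall syslog lines (added example)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Monitoring intervals per risk tier, from the monitoring policy in the deck.
MONITOR_INTERVAL = {
    "low": timedelta(weeks=1),
    "medium": timedelta(days=1),
    "high": timedelta(hours=1),
}

# Assumed inventory: device name -> risk tier assigned during the risk analysis.
INVENTORY = {"fw-edge-01": "high", "core-sw-01": "medium", "lab-sw-03": "low"}

# Assumed approved-change list: (device, operator, configuration section).
APPROVED_CHANGES = {("core-sw-01", "netops", "snmp")}

# Constructed sample lines in a simplified syslog-like layout; not real device output.
SAMPLE_LOG = """\
2024-05-01T10:00:05 fw-edge-01 login: FAILED user=admin src=203.0.113.9
2024-05-01T10:00:09 fw-edge-01 login: FAILED user=admin src=203.0.113.9
2024-05-01T10:00:14 fw-edge-01 login: FAILED user=admin src=203.0.113.9
2024-05-01T10:00:18 fw-edge-01 login: FAILED user=admin src=203.0.113.9
2024-05-01T10:00:23 fw-edge-01 login: FAILED user=admin src=203.0.113.9
2024-05-01T10:02:00 fw-edge-01 login: SUCCESS user=admin src=203.0.113.9
2024-05-01T10:03:11 fw-edge-01 config: CHANGED by=admin section=access-list
2024-05-01T10:04:00 fw-edge-01 conn: BUILT src=203.0.113.9 dst=10.0.0.5 dport=22
2024-05-01T10:05:00 core-sw-01 login: SUCCESS user=netops src=10.0.0.20
2024-05-01T11:30:00 core-sw-01 config: CHANGED by=netops section=snmp
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<facility>\w+): (?P<event>\w+)(?P<kv>(?: \w+=\S+)*)$"
)


def parse_line(line):
    """Parse one line into a dict; returns None for lines that do not match the layout."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"],
           "facility": m["facility"], "event": m["event"]}
    for kv in m["kv"].split():
        key, value = kv.split("=", 1)
        rec[key] = value
    return rec


def detect_failed_login_bursts(records, threshold=3, window=timedelta(minutes=5)):
    """Flag a (host, source) pair with `threshold` failed logins inside `window`."""
    times_by_key = defaultdict(list)
    for r in records:
        if r["facility"] == "login" and r["event"] == "FAILED":
            times_by_key[(r["host"], r.get("src"))].append(r["ts"])
    alerts = []
    for (host, src), times in times_by_key.items():
        times.sort()
        if any(times[i + threshold - 1] - times[i] <= window
               for i in range(len(times) - threshold + 1)):
            alerts.append({"type": "failed-login-burst", "host": host, "src": src, "count": len(times)})
    return alerts


def detect_unapproved_changes(records, approved):
    """Flag configuration changes that are not on the approved-change list."""
    return [{"type": "unapproved-change", "host": r["host"], "by": r.get("by"), "section": r.get("section")}
            for r in records
            if r["facility"] == "config" and r["event"] == "CHANGED"
            and (r["host"], r.get("by"), r.get("section")) not in approved]


def detect_access_after_failures(records, bursts):
    """Flag access granted to a device from a source that was just bursting failed logins."""
    hot = {(b["host"], b["src"]) for b in bursts}
    return [{"type": "access-after-failures", "host": r["host"], "src": r.get("src"), "user": r.get("user")}
            for r in records
            if r["facility"] == "login" and r["event"] == "SUCCESS"
            and (r["host"], r.get("src")) in hot]


def review_overdue(tier, last_review_iso, now_iso):
    """True when a device of this risk tier has gone longer than its interval without review."""
    last_review, now = datetime.fromisoformat(last_review_iso), datetime.fromisoformat(now_iso)
    return now - last_review > MONITOR_INTERVAL[tier]


def monitor(log_text, inventory, approved):
    """Run all detections and route each alert by the device's risk tier."""
    records = [r for r in map(parse_line, log_text.splitlines()) if r]
    bursts = detect_failed_login_bursts(records)
    alerts = bursts + detect_unapproved_changes(records, approved) + detect_access_after_failures(records, bursts)
    for a in alerts:
        a["tier"] = inventory.get(a["host"], "unknown")
        # High-risk devices are monitored in real time; the rest wait for the scheduled review.
        a["notify"] = "realtime" if a["tier"] == "high" else "next-review"
    return alerts


if __name__ == "__main__":
    for alert in monitor(SAMPLE_LOG, INVENTORY, APPROVED_CHANGES):
        print(alert)
```

On the sample lines all three alerts land on fw-edge-01 and are routed for real-time notification, while the SNMP change on core-sw-01 is silent because it matches the approved-change list; in practice the approved list would be fed from the change-approval process on the previous slides, and the notification channel (email, SMS) from the policy.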

Response: Security violation (1)

The first action after detection of an intrusion is the notification of the security team. Define a procedure in the security policy that is available 24 hours a day, 7 days a week.

Next, define the level of authority given to the security team to make changes. Possible corrective actions are:
- Implementing changes to prevent further access to the violation
- Isolating the violated systems
- Contacting the carrier or ISP in an attempt to trace the attack

Response: Security violation (2)

Possible corrective actions (continued):
- Using recording devices to gather evidence
- Disconnecting violated systems or the source of the violation
- Contacting the police or other government agencies
- Shutting down violated systems
- Restoring systems according to a prioritized list
- Notifying internal managerial and legal personnel

Response: Security violation (3)

Lastly, collect and maintain information during a security attack:
- To determine the extent to which systems have been compromised
- To prosecute external violations

To determine the extent of the violation:
- Record the event by obtaining sniffer traces of the network, copies of log files, active user accounts and network connections
- Limit further compromise by disabling accounts, disconnecting the network equipment from the network and disconnecting from the internet

Response: Security violation (4)

- Back up the compromised system to aid in a detailed analysis of the damage and method of attack
- Look for other signs of compromise. Often when a system is compromised there are other systems or accounts involved
- Maintain and review security device log files and network monitoring log files; they often provide clues to the method of attack
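As an added example, not part of the Cisco document, this Python script covers two of the response steps above: preserving copies of log files with SHA-256 digests in a manifest, so that the copies used for analysis (or for prosecution) can later be shown to be unchanged, and walking a snapshot of active user sessions and network connections outward from the source seen in the alert to find the other systems and accounts involved. The file names, the snapshot and all addresses and account names are constructed for the example; the manifest covers copied artefacts only, a full backup or image of the compromised system is a separate step.

```python
"""Evidence preservation and pivoting on a constructed incident snapshot (added example)."""
import hashlib
import json
import shutil
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path):
    """Hash a file in chunks so large captures do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_evidence(sources, evidence_dir):
    """Copy each artefact into evidence_dir, hash original and copy, and write a manifest.

    The manifest records what was collected, when, and its digest, so a later review
    can show the copies have not changed since collection.
    """
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for src in map(Path, sources):
        digest = sha256_file(src)
        dst = evidence_dir / src.name
        shutil.copy2(src, dst)
        if sha256_file(dst) != digest:
            raise RuntimeError(f"copy of {src} does not match the original")
        manifest.append({
            "source": str(src),
            "copy": str(dst),
            "sha256": digest,
            "collected_at": datetime.now(timezone.utc).isoformat(),
        })
    (evidence_dir / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir):
    """Re-hash every copy; return the copies whose digest no longer matches the manifest."""
    manifest = json.loads((Path(evidence_dir) / "manifest.json").read_text())
    return [e["copy"] for e in manifest if sha256_file(e["copy"]) != e["sha256"]]


# Constructed snapshot of active sessions and network connections gathered from several
# hosts right after the alert; the addresses and account names are made up for the example.
SNAPSHOT = [
    {"host": "fw-edge-01", "kind": "connection", "src": "203.0.113.9", "dst": "10.0.0.5", "dport": 22},
    {"host": "10.0.0.5", "kind": "session", "user": "svc-backup", "src": "203.0.113.9"},
    {"host": "10.0.0.5", "kind": "connection", "src": "10.0.0.5", "dst": "10.0.0.7", "dport": 445},
    {"host": "10.0.0.7", "kind": "session", "user": "svc-backup", "src": "10.0.0.5"},
    {"host": "10.0.0.9", "kind": "session", "user": "alice", "src": "10.0.0.20"},
]


def find_related(snapshot, seed_src):
    """Walk connections and sessions outward from the source seen in the alert.

    Returns the hosts and accounts reached, directly or through a hop, from that
    source: the "other systems or accounts involved" the policy says to look for.
    """
    hosts, users, seen, frontier = set(), set(), set(), {seed_src}
    while frontier:
        src = frontier.pop()
        seen.add(src)
        for rec in snapshot:
            if rec.get("src") != src:
                continue
            hosts.add(rec["host"])
            if rec["kind"] == "session":
                users.add(rec["user"])
                if rec["host"] not in seen:
                    frontier.add(rec["host"])   # a session on a host lets it reach further
            elif rec["kind"] == "connection":
                hosts.add(rec["dst"])
                if rec["dst"] not in seen:
                    frontier.add(rec["dst"])
    return {"hosts": sorted(hosts), "users": sorted(users)}


def run_demo():
    """Stand-alone walk-through on constructed files in a temporary directory."""
    work = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    (work / "fw.log").write_text("constructed firewall log\n")
    (work / "auth.log").write_text("constructed auth log\n")
    evidence = work / "evidence"
    manifest = preserve_evidence([work / "fw.log", work / "auth.log"], evidence)
    clean = verify_manifest(evidence)                 # no mismatches right after collection
    (evidence / "fw.log").write_text("tampered\n")    # simulate a copy being altered
    tampered = verify_manifest(evidence)              # the fw.log copy is now reported
    return {"manifest": manifest, "clean": clean, "tampered": tampered,
            "related": find_related(SNAPSHOT, "203.0.113.9")}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

On the constructed snapshot the walk from the external source reaches two internal hosts through the svc-backup account and leaves alice's unrelated session out, which is the kind of result that tells the team which accounts to disable and which systems to isolate under the corrective actions listed earlier.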

Response: Restoration

Define in the security policy how to conduct, secure, and make available normal backups.

As each system has its own means and procedures for backing up, the security policy should act as a meta-policy detailing, for each system, the security conditions that require restoration from backup. If approval is required before restoration can be done, include the process for obtaining approval as well.

Response: Review (1)

It is the final effort in creating and maintaining a security policy.

3 things to be reviewed: policy, posture and practice.

The security policy should be a living document. Review it against known best practices, and check the CERT website for useful tips, practices, security improvements and alerts.

Response: Review (2)

Review the network posture in comparison with the desired security posture. An outside firm that specializes in security can attempt to penetrate the network and test not only the posture of the network but the security response of the organization as well. For high-availability networks, conducting such a test annually is recommended.

Finally, practice is defined as a test of the support staff to ensure that they have a clear understanding of what to do during a security violation. Often the test is unannounced and done in conjunction with the network posture test. It shows the gaps in procedures and in the training of personnel so that corrective action can be taken.