Network security policy: best practices
Ref: Cisco document ID 13601, www.cisco.com
Process
Preparation
- Create usage policy statement
- Conduct a risk analysis
- Establish a security team structure
Prevention
- Approving security changes
- Monitoring security of your network
Response
- Security violation
- Restoration
- Review
Preparation: Create usage policy statement (1)
- Outline users' roles and responsibilities with regard to security
- General policy: covers all network systems and data within your company, providing:
  - An understanding of the security policy and its purpose
  - Guidelines for improving their security practices
  - Definitions of their security responsibilities
  - Identification of specific actions that could result in punitive action
Preparation: Create usage policy statement (2)
- Partner acceptable use statement: provides partners with an understanding of
  - The information that is available to them
  - The expected disposition of that information
  - The expected conduct of the employees of your company
- Clearly explain any specific acts that have been identified as security attacks and the punitive action that will be taken
Preparation: Create usage policy statement (3)
- Administrator acceptable use statement: explains
  - The procedures for user account administration
  - Policy enforcement
  - Privilege review
- Present clearly the specific policies concerning user passwords and data handling
- Check the policy against the partner acceptable use and user acceptable use statements to ensure uniformity
- Make sure that the administrator requirements listed in the policy are reflected in training plans and performance evaluations
Preparation: Conduct a risk analysis (1)
- A risk analysis should identify the risks to your network, network resources and data
- Identify the portions of your network, assign a threat rating to each portion, and apply an appropriate level of security
- Each network resource can be assigned one of 3 risk levels:
- Low risk: systems or data that, if compromised, would not disrupt the business or cause legal or financial ramifications, and would not provide further access to other systems
  - The targeted system or data can be easily restored
- Medium risk: systems or data that, if compromised, would cause a moderate disruption in the business or minor legal or financial ramifications, or would provide further access to other systems
  - The targeted system or data requires a moderate effort to restore, and the restoration process is disruptive to the system
Preparation: Conduct a risk analysis (2)
- High risk: systems or data that, if compromised, would cause an extreme disruption in the business or major legal or financial ramifications, would threaten the health and safety of a person, or would provide further access to other systems
  - The targeted system or data requires a significant effort to restore, and the restoration process is disruptive to the business or to other systems
Preparation: Conduct a risk analysis (3)
- Identify the types of users; the 5 most common types are:
  - Administrators: internal users responsible for network resources
  - Privileged: internal users with a need for greater access
  - Users: internal users with general access
  - Partners: external users with a need to access some resources
  - Others: external users or customers
Preparation: Establish team structure
- Create a cross-functional security team led by a Security Manager, with participants from each of your company's operational areas
- The security team has 3 areas of responsibility:
  - Policy development: establishing and reviewing security policies for the company
  - Practice: conducting the risk analysis, approving security change requests, reviewing security alerts from both vendors and the CERT (Computer Emergency Response Team), and turning the policy into implementations
  - Response: troubleshooting and fixing violations; each team member should know in detail the security features provided by the equipment
Prevention: Approving security changes (1)
- Recommendation: review the following types of changes:
  - Any change to the firewall configuration
  - Any change to access control lists (ACLs)
  - Any change to Simple Network Management Protocol (SNMP) configuration
  - Any change or update in software that differs from the approved software revision level list
Prevention: Approving security changes (2)
- Recommended guidelines:
  - Change passwords to network devices on a routine basis
  - Restrict access to network devices to an approved list of personnel
  - Ensure that the current software revision levels of network equipment and server environments comply with the security configuration requirements
Prevention: Monitoring security of your network (1)
- Similar to network monitoring, except that it focuses on detecting changes in the network that indicate a security violation
- In the risk analysis matrix the firewall is considered a high-risk network device, so monitor it in real time
- From the approving security changes process, any change to the firewall should be monitored
- This means the SNMP agent should monitor such things as failed login attempts, unusual traffic, changes to the firewall, access granted to the firewall, and connections set up through the firewall
Prevention: Monitoring security of your network (2)
- Following this example, create a monitoring policy for each area identified in your risk analysis:
  - Low-risk equipment: monitor weekly
  - Medium-risk equipment: monitor daily
  - High-risk equipment: monitor hourly
- Lastly, the security policy should address how to notify the security team of security violations, for example by email or SMS
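The firewall monitoring the two slides above call for (failed logins, access granted, configuration changes, unusual traffic through the firewall) can be reduced to a small detection pass over the device's syslog. The following is an added example, not code from the Cisco document: the log format is a constructed, vendor-neutral one (the `user=`, `src=`, `dst=` fields, the facility names and the thresholds are assumptions), and the sample lines are made up rather than captured from a real device. Real firewalls emit different message formats, so the regexes would need adapting.

```python
"""Monitoring example: flag security-relevant events in firewall syslog.

Added example, not part of the Cisco document. The log format below is a
constructed, vendor-neutral one; field names and thresholds are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines (not captured from a real firewall).
SAMPLE_LOG = """\
Jan 12 10:00:01 fw01 auth: login failed user=admin src=203.0.113.5
Jan 12 10:00:03 fw01 auth: login failed user=admin src=203.0.113.5
Jan 12 10:00:04 fw01 auth: login failed user=admin src=203.0.113.5
Jan 12 10:00:06 fw01 auth: login failed user=admin src=203.0.113.5
Jan 12 10:00:09 fw01 auth: login failed user=root src=203.0.113.5
Jan 12 10:00:20 fw01 auth: login ok user=admin src=203.0.113.5
Jan 12 10:01:02 fw01 config: changed by admin: access-list outside_in permit tcp any any
Jan 12 10:05:00 fw01 auth: login ok user=netops src=10.0.5.20
Jan 12 10:10:00 fw01 conn: built proto=tcp src=198.51.100.7:40001 dst=10.0.1.10:22
Jan 12 10:10:01 fw01 conn: built proto=tcp src=198.51.100.7:40002 dst=10.0.1.10:23
Jan 12 10:10:01 fw01 conn: built proto=tcp src=198.51.100.7:40003 dst=10.0.1.10:80
Jan 12 10:10:02 fw01 conn: built proto=tcp src=198.51.100.7:40004 dst=10.0.1.10:443
Jan 12 10:10:02 fw01 conn: built proto=tcp src=198.51.100.7:40005 dst=10.0.1.10:3389
Jan 12 10:12:00 fw01 conn: built proto=tcp src=10.0.5.20:51000 dst=10.0.1.10:443
"""

# One regex for the syslog envelope, one per event type the policy says to watch.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) (?P<facility>\w+): (?P<msg>.*)$"
)
EVENT_RES = {
    "login_failed": re.compile(r"login failed user=(?P<user>\S+) src=(?P<src>\S+)"),
    "login_ok": re.compile(r"login ok user=(?P<user>\S+) src=(?P<src>\S+)"),
    "config_change": re.compile(r"changed by (?P<user>\S+): (?P<cmd>.*)"),
    "conn_built": re.compile(
        r"built proto=(?P<proto>\w+) src=(?P<src>[\d.]+):\d+ dst=(?P<dst>[\d.]+):(?P<dport>\d+)"
    ),
}


def parse_log(text, year=2024):
    """Turn raw lines into event dicts; syslog omits the year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown format; a production collector would count these
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        for kind, pattern in EVENT_RES.items():
            em = pattern.search(m["msg"])
            if em:
                events.append({"ts": ts, "host": m["host"], "kind": kind, **em.groupdict()})
                break
    return events


def detect(events, approved_admin_sources, fail_threshold=5,
           window=timedelta(minutes=1), sweep_threshold=5):
    """Return (kind, subject, detail) alerts for the conditions the policy names."""
    alerts = []
    failures = defaultdict(list)   # src -> timestamps of recent failed logins
    targets = defaultdict(set)     # src -> distinct (dst, dport) pairs seen
    for ev in events:
        if ev["kind"] == "login_failed":
            recent = failures[ev["src"]]
            recent.append(ev["ts"])
            while ev["ts"] - recent[0] > window:   # slide the window forward
                recent.pop(0)
            if len(recent) == fail_threshold:      # fire once per burst
                alerts.append(("failed_login_burst", ev["src"],
                               f"{fail_threshold} failures within {window}"))
        elif ev["kind"] == "login_ok" and ev["src"] not in approved_admin_sources:
            # Access granted to the firewall from outside the approved source list.
            alerts.append(("login_from_unapproved_source", ev["src"], ev["user"]))
        elif ev["kind"] == "config_change":
            # Every firewall change is reported so it can be matched to an approved change request.
            alerts.append(("config_change", ev["user"], ev["cmd"]))
        elif ev["kind"] == "conn_built":
            seen = targets[ev["src"]]
            seen.add((ev["dst"], ev["dport"]))
            if len(seen) == sweep_threshold:       # one source touching many ports: unusual traffic
                alerts.append(("port_sweep", ev["src"], f"{sweep_threshold} distinct dst ports"))
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG), approved_admin_sources={"10.0.5.20"}):
        print(*alert, sep=" | ")
```

On the sample input this yields four alerts: a failed-login burst from 203.0.113.5, a successful login from that same unapproved source, the ACL change, and a port sweep from 198.51.100.7; the netops login from the approved address 10.0.5.20 is silent. The sliding window and the "fire once when the threshold is reached" rule are what keep a busy device from flooding the security team's notification channel; the config-change alert is deliberately unconditional because the policy requires every firewall change to be approved.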
Response: Security violation (1)
- The first action after detection of an intrusion is notification of the security team
- Define a procedure in the security policy that is available 24 hours a day, 7 days a week
- Next, define the level of authority given to the security team to make changes; possible corrective actions are:
  - Implementing changes to prevent further access to the violation
  - Isolating the violated systems
  - Contacting the carrier or ISP in an attempt to trace the attack
Response: Security violation (2)
  - Using recording devices to gather evidence
  - Disconnecting violated systems or the source of the violation
  - Contacting the police or other government agencies
  - Shutting down violated systems
  - Restoring systems according to a prioritized list
  - Notifying internal managerial and legal personnel
Response: Security violation (3)
- Lastly, collect and maintain information during a security attack:
  - To determine the extent to which systems have been compromised
  - To prosecute external violations
- To determine the extent of the violation:
  - Record the event by obtaining sniffer traces of the network, copies of log files, active user accounts and network connections
  - Limit further compromise by disabling accounts, disconnecting network equipment from the network and disconnecting from the Internet
Response: Security violation (4)
- Back up the compromised system to aid in a detailed analysis of the damage and method of attack
- Look for other signs of compromise: often, when a system is compromised, other systems or accounts are involved
- Maintain and review security device log files and network monitoring log files, as they often provide clues to the method of attack
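The evidence steps on the two slides above (record active user accounts and network connections, copy log files, then limit further compromise) have an ordering problem in practice: the volatile state is lost the moment the system is disconnected or shut down, so it must be captured first, and everything captured must be hashed so it can later be shown unchanged. The following is an added example, not code from the Cisco document. It assumes a Linux-like host where `date`, `who`, `ss` and `ps` exist; any tool that is missing or fails is recorded in the manifest rather than aborting the collection, and the log paths to copy are supplied by the caller.

```python
"""Evidence collection example for the response steps above.

Added example, not code from the Cisco document. Assumes a Linux-like host;
the command list is an assumption and would be extended per platform.
"""
import datetime
import hashlib
import json
import os
import shutil
import subprocess

# Volatile state first: it is gone once the system is isolated or shut down.
VOLATILE_COMMANDS = {
    "collection_time_utc.txt": ["date", "-u"],
    "logged_in_users.txt": ["who"],
    "network_connections.txt": ["ss", "-tunap"],
    "processes.txt": ["ps", "aux"],
}


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def collect_evidence(out_dir, log_paths, commands=VOLATILE_COMMANDS):
    """Capture volatile state and copies of logs; return the manifest that was written."""
    os.makedirs(out_dir, exist_ok=True)
    manifest = {
        "collected_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "files": {},    # relative path -> sha256 of the collected copy
        "errors": {},   # what could not be collected, and why
    }
    for name, argv in commands.items():
        if shutil.which(argv[0]) is None:
            manifest["errors"][name] = f"{argv[0]}: not found"
            continue
        try:
            result = subprocess.run(argv, capture_output=True, text=True,
                                    errors="replace", timeout=30)
        except (OSError, subprocess.TimeoutExpired) as exc:
            manifest["errors"][name] = str(exc)
            continue
        dest = os.path.join(out_dir, name)
        with open(dest, "w") as f:
            f.write(result.stdout)
            if result.stderr:   # keep warnings (e.g. unprivileged ss) with the evidence
                f.write("\n[stderr]\n" + result.stderr)
        manifest["files"][name] = sha256_file(dest)
    # Copies of log files, preserving timestamps; the originals are left untouched.
    log_dir = os.path.join(out_dir, "logs")
    os.makedirs(log_dir, exist_ok=True)
    for src in log_paths:
        if not os.path.isfile(src):
            manifest["errors"][src] = "missing"
            continue
        flat = os.path.abspath(src).strip(os.sep).replace(os.sep, "_")
        dest = os.path.join(log_dir, flat)
        shutil.copy2(src, dest)
        manifest["files"][os.path.relpath(dest, out_dir)] = sha256_file(dest)
    with open(os.path.join(out_dir, "manifest.json"), "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    return manifest


def verify_evidence(out_dir):
    """Recompute hashes against the manifest; False for any file that has changed."""
    with open(os.path.join(out_dir, "manifest.json")) as f:
        manifest = json.load(f)
    return {name: sha256_file(os.path.join(out_dir, name)) == digest
            for name, digest in manifest["files"].items()}


if __name__ == "__main__":
    import sys
    # usage: python collect.py <out_dir> [log file ...]
    print(json.dumps(collect_evidence(sys.argv[1], sys.argv[2:]), indent=2))
```

The manifest only protects the files it lists; the manifest itself must be secured out of band (copied to write-once media, signed, or its hash recorded in the incident log) before the host is touched further, otherwise the chain of custody the "prosecute external violations" goal depends on cannot be demonstrated. A network sniffer trace is deliberately not started here, as it must be captured from a separate, uncompromised machine.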
Response: Restoration
- Define in the security policy how to conduct, secure and make available normal backups
- As each system has its own means and procedures for backing up, the security policy should act as a meta-policy, detailing for each system the security conditions that require restoration from backup
- If approval is required before restoration can be done, include the process for obtaining approval as well
Response: Review (1)
- The review is the final effort in creating and maintaining a security policy
- 3 things to be reviewed: policy, posture and practice
- The security policy should be a living document; review it against known best practices
- Check the CERT website for useful tips, practices, security improvements and alerts
Response: Review (2)
- Review the network posture in comparison with the desired security posture
- An outside firm that specializes in security can attempt to penetrate the network and test not only the posture of the network but also the security response of the organization
- For high-availability networks, conducting such a test annually is recommended
- Finally, practice is defined as a test of the support staff to ensure that they have a clear understanding of what to do during a security violation
- Often the test is unannounced and done in conjunction with the network posture test; it shows the gaps in procedures and in the training of personnel so that corrective action can be taken