Network security policy: plan it


Define a network security plan

Plan it


As you begin to establish your network security policy, you need to address several issues that deal primarily with internal users' ability to access Internet-based resources and services. Many users automatically assume that if they have a computer connected to a network then they must also have Internet access. Unfortunately, the insecurities and threats of cyberspace have made unrestricted access to the Internet a thing of the past in most organizations.

Before you begin planning your network policy, take a hard look at what Internet resources company users need to do their jobs (such as access to e-mail or basic Web pages), as opposed to those resources they might like to have (such as access to streaming audio and video). Internet access is not all-or-nothing; it is made up of innumerable individual information services. You are probably familiar with many of these services: Web, FTP, chat, messaging, newsgroups, e-mail, telnet, streaming audio, and video. Firewalls can grant or restrict traffic for each of these services individually, and your network security policy should address usage of each service individually.

E-mail access


E-mail is the most widely used Internet information service. Unfortunately, it has also become the most popular delivery mechanism for viruses, Trojan horses, and other malicious code attacks. E-mail primarily consists of three protocols: SMTP, POP3, and IMAP. SMTP (Simple Mail Transfer Protocol) is the protocol used by clients to submit outbound messages to e-mail servers and by e-mail servers to move e-mail from server to server on its way to its destination (i.e., the recipient's e-mail inbox). E-mail clients use POP3 (Post Office Protocol version 3) and IMAP (Internet Message Access Protocol) to retrieve e-mail from an inbox on an e-mail server. POP3 is the more widely used, but IMAP natively supports encryption.

You may want to write your network security policy so it requires the use of IMAP instead of POP3. You'll also need to specify that IMAP and SMTP should be allowed to pass through the firewall, although you may want to use content or source/destination filters to restrict abuses.
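The per-service approach described above can be written down as data and turned into firewall rules. The following is an added example, not part of the original article: the policy values, the interface names lan0 and wan0, and the choice of nftables as the firewall are assumptions, and the ports are the IANA well-known TCP ports for each service.

```python
# Added example: a per-service egress policy rendered as an nftables ruleset.
# Service names follow the article; lan0/wan0 and the policy are assumptions.

# IANA well-known TCP ports for the services the article lists.
SERVICE_PORTS = {"smtp": [25, 587], "imap": [143, 993], "pop3": [110, 995],
                 "web": [80, 443], "ftp": [21], "telnet": [23], "nntp": [119]}

# Constructed policy: IMAP required instead of POP3, SMTP and Web allowed.
POLICY = {"smtp": "allow", "imap": "allow", "web": "allow",
          "pop3": "deny", "ftp": "deny", "telnet": "deny", "nntp": "deny"}


def ports_for(policy, decision):
    """Return the sorted TCP ports of every service with the given decision."""
    unknown = set(policy) - set(SERVICE_PORTS)
    if unknown:
        raise ValueError(f"policy names unknown services: {sorted(unknown)}")
    return sorted(p for svc, d in policy.items() if d == decision
                  for p in SERVICE_PORTS[svc])


def decide(policy, port):
    """Default deny: a port passes only if an allowed service owns it."""
    return "allow" if port in ports_for(policy, "allow") else "deny"


def render_nftables(policy, lan="lan0", wan="wan0"):
    """Render a forward chain: default drop, allowed services accepted,
    explicitly denied services logged so violations show up in review."""
    def fmt(decision):
        return ", ".join(map(str, ports_for(policy, decision)))

    flow = f'iifname "{lan}" oifname "{wan}" tcp dport'
    return "\n".join([
        "table inet egress_policy {",
        "  chain forward {",
        "    type filter hook forward priority 0; policy drop;",
        "    ct state established,related accept",
        f"    {flow} {{ {fmt('allow')} }} accept",
        f'    {flow} {{ {fmt("deny")} }} log prefix "policy-deny " drop',
        "  }",
        "}",
    ])
```

Services the policy does not name at all (chat, streaming) fall through to the chain's default drop, which is why the deny list only needs the services worth logging.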

Another important aspect of e-mail you must consider is attachments. An attachment allows an e-mail message to deliver just about any object from the sender to the receiver. Unfortunately, an attachment can just as easily contain malicious code, such as a virus, as it can contain a harmless and useful document such as a sales presentation. As part of your security policy, you should require, at the least, virus scanning on all IMAP and SMTP traffic. You may also need to consider whether to allow attachments at all. If your network and your data are highly sensitive and valuable, stopping attachments at the border firewall may be a worthwhile safeguard against damage, theft, and infection.
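One way a mail gateway could apply an attachment rule of this kind is sketched below. This is an added example, not code from the original article: the blocked extensions and file signatures are an assumed policy, the sample messages are constructed, and the check screens attachments by type rather than scanning them for viruses.

```python
# Added example: attachment screening at a mail gateway (assumed policy).
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed policy: block executables and archives by name and by file signature.
BLOCKED_EXTENSIONS = {".exe", ".scr", ".bat", ".js", ".zip"}
BLOCKED_MAGIC = {b"MZ": "Windows executable", b"PK\x03\x04": "zip archive"}


def screen_message(raw: bytes, allow_attachments: bool = True):
    """Return (verdict, findings) for one raw e-mail message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        data = part.get_payload(decode=True) or b""
        if not allow_attachments:
            # Strictest setting from the article: no attachments at all.
            findings.append((name, "attachments not permitted"))
            continue
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            findings.append((name, f"blocked extension {ext}"))
        # Check content too, so a renamed file does not pass the name check.
        for magic, kind in BLOCKED_MAGIC.items():
            if data.startswith(magic):
                findings.append((name, f"content is a {kind}"))
    return ("quarantine" if findings else "deliver"), findings


def build_sample(filename: str, payload: bytes) -> bytes:
    """Construct a test message with one attachment (sample data, not real mail)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Q3 sales presentation"
    msg.set_content("See attached.")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Office Open XML documents (.docx, .xlsx, .pptx) are zip containers, so the signature check above flags them as well; a policy that must let them through needs an explicit allowance for those types.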

Content filtering


Content filtering must be addressed in a network security policy. You must decide whether to allow all traffic through the firewall without restriction or to filter traffic based on a clearly defined set of acceptable use traffic and content rules. An acceptable use list tells users what they can and cannot do on the local network and on the Internet when using company equipment. To establish your acceptable use policy, create an exhaustive list of acceptable and unacceptable activities. Some items you might include are:

  • No trafficking or trading in copy-protected files (such as audio and video).
  • No pornography.
  • No mailing distribution lists originating from the local network.
  • NNTP newsgroups are restricted.

From this list, you can easily create firewall-specific rules to control and manage inbound and outbound traffic. However, before you set up your content and traffic rules and configure your firewall appropriately, be sure you run the list of acceptable content by the people whom it will most affect -- the organization's employees.

You may find that prohibiting certain kinds of content (like zip files or executables) has a negative effect on the way some employees do their jobs. This doesn't mean you have to change your security rules -- you may be able to find other, more secure ways for employees to receive those files -- but gathering input from employees early in the process will save you time in the end.

VPN access


Virtual Private Networks (VPNs) are a means to establish a normal network connection between distant systems and allow remote users to connect to the office network without compromising network security. The remote user connects to the Internet via a local connection (modem dialup, cable, DSL, etc.) then establishes a VPN link with the network over the Internet.

If you have employees who need to work remotely -- either from home or while on the road -- then a VPN is a necessary component of your network security system. As you begin to formulate a policy for VPN access, you'll need to define what VPN protocols are allowed and exactly who can use VPN connections.

A step in the right direction


While this list of Internet access issues isn't exhaustive, it should give you a good idea of the areas you need to consider as you begin to plan your security policy. A thorough investigation of users' Internet access needs, balanced with your data security needs, will help your security policy begin to take shape.

© 2009 Hewlett-Packard Development Company, L.P.