Planning for network security

Network security is a critical aspect of your network planning. Your network connection must securely allow legitimate traffic through the door while keeping illegitimate traffic out.

Before you begin your network security planning tasks, complete these tasks.

Before you begin
__ Develop a list of all of the points of entry into your network.
__ Create a corporate security policy that the network security policy will follow. Include policies about access to confidential and sensitive information, what actions are taken in the event of a breach, and by whom.
Network security planning tasks
__ Develop a network security policy
Starting with your corporate security policy, develop a network security policy. These elements are recommended for your plan:
  • Create a firewall

    Include a firewall in your security policy to filter traffic in and out of the network. The firewall should restrict data according to the protocol that it uses and terminate traffic if the protocol does not match the port that it is to travel through. Your firewall should also strictly limit open ports to prevent intruders from entering the corporate network.

  • Isolate confidential information

    Any system that has confidential or sensitive information should not be directly accessible from the outside. Access to these types of systems should be restricted from the inside; only authenticated users should gain access.

  • Create a demilitarized zone

    A demilitarized zone is an area that is outside of the firewall where transactions can take place without putting the network in jeopardy. All anonymous access to the network should remain in the demilitarized zone.

  • Develop an authentication scheme

    Authentication is the process of requiring a user ID and password, or some form of certificate-based authentication, to access a network domain. All direct access to the corporate intranet should require authentication. All direct access through the firewall should also require authentication. Plan to follow user ID and password best practices, which include long passwords (at least 8 characters), mixed passwords (a combination of uppercase and lowercase letters, numbers, and symbols), and regularly changed passwords (every two or three months).

  • Develop an encryption system

    Encryption is the process of turning all data into a code that is only decipherable by a system of private and public keys. All sensitive data that exits the corporate network should be encrypted. All sensitive data that arrives from remote offices into the network should also be encrypted.

  • Develop a social engineering blocking system

    Social engineering is the process of impersonating trusted individuals, over the phone, to gather sensitive information, such as passwords and corporate organizational information. This is a common technique used by hackers to gain access to networks. You should train employees to never give out this information over the phone. Proper training is the only defense against this type of security breach.

To learn more about how to develop a network security policy, see the chapter on IP security in the IP Network Design Guide.
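
The firewall, isolation, and demilitarized zone elements above can be checked mechanically once the planned rules are written down. The following is an added example, not part of the original guide: it audits a constructed rule list against those elements. The zone names, rule fields, approved port list, and finding messages are all assumptions made for illustration.

```python
# Approved open ports and the protocol each one is expected to carry (constructed).
APPROVED = {25: "smtp", 80: "http", 443: "https"}

# Constructed sample rules: each allows traffic from one zone to another.
RULES = [
    {"id": 1, "src": "outside", "dst": "dmz", "port": 443, "protocol": "https", "auth": False},
    {"id": 2, "src": "outside", "dst": "inside", "port": 80, "protocol": "http", "auth": False},
    {"id": 3, "src": "outside", "dst": "confidential", "port": 443, "protocol": "https", "auth": True},
    {"id": 4, "src": "inside", "dst": "confidential", "port": 443, "protocol": "https", "auth": False},
    {"id": 5, "src": "outside", "dst": "dmz", "port": 443, "protocol": "ssh", "auth": False},
    {"id": 6, "src": "outside", "dst": "inside", "port": 8080, "protocol": "http", "auth": True},
]

PORT_NOT_APPROVED = "port is not on the approved list"
PROTOCOL_MISMATCH = "protocol does not match the port"
CONFIDENTIAL_EXPOSED = "confidential system reachable from outside"
CONFIDENTIAL_NO_AUTH = "confidential system reachable without authentication"
ANONYMOUS_PAST_DMZ = "anonymous access leaves the demilitarized zone"


def audit(rules, approved=APPROVED):
    """Return (rule id, finding) pairs for rules that break the policy elements."""
    findings = []
    for rule in rules:
        # Firewall element: limit open ports, and match protocol to port.
        expected = approved.get(rule["port"])
        if expected is None:
            findings.append((rule["id"], PORT_NOT_APPROVED))
        elif expected != rule["protocol"]:
            findings.append((rule["id"], PROTOCOL_MISMATCH))

        if rule["dst"] == "confidential":
            # Isolation element: no direct outside access, authenticated inside access.
            if rule["src"] == "outside":
                findings.append((rule["id"], CONFIDENTIAL_EXPOSED))
            elif not rule["auth"]:
                findings.append((rule["id"], CONFIDENTIAL_NO_AUTH))
        elif rule["src"] == "outside" and rule["dst"] != "dmz" and not rule["auth"]:
            # DMZ element: anonymous access stays in the demilitarized zone.
            findings.append((rule["id"], ANONYMOUS_PAST_DMZ))
    return findings


if __name__ == "__main__":
    for rule_id, finding in audit(RULES):
        print(f"rule {rule_id}: {finding}")
```

Rules that produce no finding, such as rule 1 in the sample, are the only ones that should go into the recorded policy unchanged.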

__ Plan for IP Security Architecture

IP Security Architecture (IPSec) is an open, standards-based security architecture that provides these features:

  • Data integrity, which prevents attacks that are based on ill-formed data
  • Replay protection, which prevents attacks that are based on replaying messages
  • Secure creation and automatic refresh of encryption keys
  • Strong cryptographic algorithms
  • Certificate-based authentication
IPSec includes several protocols that each perform one of these functions. Many security products use IPSec as a foundational architecture.

To learn more about IPSec, see the chapter on IP security in the IP Network Design Guide.

__ Plan for virtual private networks

Virtual private networks (VPNs) use IPSec to create a secure, private connection, or tunnel, through a public network such as the Internet. You can use several tools on each platform to turn ordinary Internet connections into VPNs. VPNs encrypt and authenticate information between remote nodes of the corporate network for communication between remote users, branch offices, and corporate partners.

To learn more about how to implement a VPN, see the chapter on IP security in the IP Network Design Guide.

__ Plan for virus and spyware protection

Viruses and other harmful software, called malware, disguise themselves as legitimate business content, only to run malicious activity after they are inside the company network. Malware is the most pervasive form of network security breach. Each host on your network should be equipped with antivirus and antispyware applications that are updated weekly and run at least weekly. These programs are designed to block malware before it can replicate itself over your network.

To learn how to prevent virus and spyware infections, see the chapter on IP security in the IP Network Design Guide.

When you have completed these tasks, you should have a network security plan that identifies these elements:

__ Record a network security policy, which includes firewalls, demilitarized zones, access rules for sensitive information, authentication, encryption, and counter-social engineering training.
__ Record a topology of your security architecture, which includes the areas that require authenticated access, areas that are protected by firewalls, areas where your demilitarized zones are connected, and which remote users or offices use VPNs.
__ Record a list of antivirus and anti-spyware applications that you plan to load on host machines. Develop a policy for weekly updates and configure the hosts to automatically run the applications at least weekly.