Before developing your security policy, determine whether you will need different policies for different locations or a single policy that applies everywhere. With a single policy you can enforce the same rules on all firewalls and other security devices, usually from one management station. Otherwise you will have to maintain, and keep in sync, a separate policy for each location.
Although this might be necessary for business reasons, it adds complexity to your environment that can reduce your overall effective security. If it is necessary, make sure every location-specific difference, and the business reason for it, is thoroughly documented. Different types of organization tend to have different access requirements; some common examples include:
- SOHO. The Small-Office/Home-Office network is often more concerned with accessibility than security, since these organizations usually do not have dedicated IT professionals on hand; the “IT person” may be doing double duty alongside accounting or other administrative work.
In most cases, SOHO offices aren’t terribly concerned with accessing resources hosted on remote networks; most SOHO access rules will pertain to a self-contained environment. (One major exception is that many small businesses outsource services such as e-mail rather than run their own local servers.)
Despite this focus on accessibility and ease of use, it’s just as critical to maintain the security of desktops and servers within a SOHO environment as in the largest of enterprise networks.
- Small/medium enterprise. When networks grow beyond the typical SOHO configuration, you’ll begin to see more infrastructure services run in-house, including DHCP, DNS, e-mail, and VPN services. Here you’ll also see the beginnings of access requirements that cross the boundaries of trusted networks, where you may need to configure a trust relationship or federated access for a B2B arrangement with vendors or suppliers.
Small- to medium-sized enterprise networks will typically have one or more dedicated IT staff available of varying skill levels who can implement network security policies and procedures.
- Large enterprise. The largest organizations typically have an extensive IT infrastructure to match. This usually means multiple layers of firewalls: perimeter firewalls at the Internet edge and internal firewalls that protect high-security areas on the internal LAN, such as Human Resources or Research & Development. Enterprise networks will also usually have IT personnel at several levels of expertise, ranging from desktop or help-desk support representatives to specialized network, firewall, or e-mail server administrators.
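The single-policy-versus-per-location decision above, and the layered perimeter/internal firewalls of the large-enterprise case, are easier to reason about when the policy is modelled as a shared baseline plus per-site overrides that are evaluated first. The following is an added example, not code from this book or from any vendor's management station: it evaluates first-match rules with an implicit final deny, composes a site's effective policy, and classifies each override by whether it conflicts with an explicit baseline deny (the case that must be documented and signed off), merely extends the baseline, or is already covered by it. The address ranges, rule names and the "chicago" site are constructed for illustration.

```python
"""Baseline-plus-site-override firewall policy review (illustrative)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    proto: str             # "tcp", "udp" or "any"
    dport: Optional[int]   # None = any destination port

@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    proto: str
    dport: int

def _proto_overlap(a: str, b: str) -> bool:
    return a == "any" or b == "any" or a == b

def _port_overlap(a: Optional[int], b: Optional[int]) -> bool:
    return a is None or b is None or a == b

def rule_matches_flow(r: Rule, f: Flow) -> bool:
    return (ip_address(f.src) in ip_network(r.src)
            and ip_address(f.dst) in ip_network(r.dst)
            and _proto_overlap(r.proto, f.proto)
            and (r.dport is None or r.dport == f.dport))

def evaluate(rules, flow: Flow):
    """First-match evaluation; anything unmatched hits the implicit final deny."""
    for r in rules:
        if rule_matches_flow(r, flow):
            return r.action, r.name
    return "deny", "implicit-default-deny"

def effective_policy(baseline, site_overrides):
    """A site's overrides run before the shared baseline, which is exactly why
    every override needs review: an allow placed here shadows baseline denies."""
    return list(site_overrides) + list(baseline)

def _overlaps(a: Rule, b: Rule) -> bool:
    return (ip_network(a.src).overlaps(ip_network(b.src))
            and ip_network(a.dst).overlaps(ip_network(b.dst))
            and _proto_overlap(a.proto, b.proto)
            and _port_overlap(a.dport, b.dport))

def _contains(outer: Rule, inner: Rule) -> bool:
    return (ip_network(inner.src).subnet_of(ip_network(outer.src))
            and ip_network(inner.dst).subnet_of(ip_network(outer.dst))
            and (outer.proto == "any" or outer.proto == inner.proto)
            and (outer.dport is None or outer.dport == inner.dport))

def classify_override(baseline, override: Rule) -> str:
    """Walk the baseline in order; the first rule whose match space touches the
    override tells you what the override changes:
      tightening - an override deny can only remove access, never add it
      conflict   - the baseline explicitly denies some of this traffic
      covered    - an earlier baseline allow already permits all of it
      extension  - no explicit baseline rule applies; only the implicit deny did
    """
    if override.action == "deny":
        return "tightening"
    for r in baseline:
        if not _overlaps(r, override):
            continue
        if r.action == "deny":
            return "conflict"
        if _contains(r, override):
            return "covered"
        # A partially overlapping allow: the rest of the space is decided
        # further down the baseline, so keep walking.
    return "extension"

def review_site_overrides(baseline, overrides) -> dict:
    return {o.name: classify_override(baseline, o) for o in overrides}

# Constructed sample policy: corporate LAN with HR and R&D behind internal
# firewalls and an HTTPS-only egress rule at the perimeter.
CORP, HR, RND, ANY = "10.0.0.0/8", "10.50.0.0/16", "10.60.0.0/16", "0.0.0.0/0"
BASELINE = [
    Rule("hr-internal",     "allow", HR,   HR,   "any", None),
    Rule("deny-to-hr",      "deny",  ANY,  HR,   "any", None),  # internal firewall around HR
    Rule("rnd-internal",    "allow", RND,  RND,  "any", None),
    Rule("deny-to-rnd",     "deny",  ANY,  RND,  "any", None),  # internal firewall around R&D
    Rule("corp-web-egress", "allow", CORP, ANY,  "tcp", 443),   # perimeter: outbound HTTPS only
    Rule("corp-internal",   "allow", CORP, CORP, "any", None),  # general LAN traffic
]
# Constructed overrides for a hypothetical branch office on 10.20.0.0/16.
CHICAGO = "10.20.0.0/16"
CHICAGO_OVERRIDES = [
    Rule("chicago-hr-share",    "allow", CHICAGO, HR,               "tcp", 445),
    Rule("chicago-local-dns",   "allow", CHICAGO, CHICAGO,          "udp", 53),
    Rule("chicago-vendor-sftp", "allow", CHICAGO, "203.0.113.0/24", "tcp", 22),
    Rule("chicago-block-telnet","deny",  CHICAGO, ANY,              "tcp", 23),
]

if __name__ == "__main__":
    for name, verdict in review_site_overrides(BASELINE, CHICAGO_OVERRIDES).items():
        print(f"{name:22} {verdict}")
    probe = Flow("10.20.5.5", "10.50.1.10", "tcp", 445)
    print("baseline :", evaluate(BASELINE, probe))
    print("effective:", evaluate(effective_policy(BASELINE, CHICAGO_OVERRIDES), probe))
```

Running the script reports chicago-hr-share as a conflict: the baseline denies branch traffic into HR, but the site's effective policy allows SMB from the branch to the HR subnet, which is precisely the kind of silent weakening that per-location policies introduce and that the documentation must justify. The classification is a first-match approximation; a "conflict" means some of the override's traffic would have been denied and warrants a human review rather than proving every packet is new.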