It is not easy to define what a trusted network consists of, even within a single corporation or entity, because the concept of “trust” does not apply equally throughout a company: you will still want to control access to sensitive information such as payroll or HR data.
The old concept of firewalls and networking dictated that we have an Internet connection coming into a firewall from a single point, and this firewall would protect our inside networks from all attackers. Today, the idea of the network perimeter is expanding and shifting; many technologies make this previous definition outdated.
Today we access our networks remotely via mobile phones and VPN clients over personal DSL connections from our homes, and we provide network access not only to our employees but often to our suppliers and customers as well. The prevalence of wireless and home-based high-speed Internet connections is eroding the idea of perimeter security to the point where the old concepts are no longer valid.
Attackers do not always come from outside your network; insiders may be the most dangerous attackers, since they already have access to the intranet and may obtain proprietary information. It should therefore be mandatory to restrict access and privileges under a “Need to Know” or “Need to Access” policy, granting access and privileges only when necessary rather than to all of your users by default.
You have to update your mental schemas to protect your networks from today’s threats. As always, identify the data that is going through each network segment to be able to apply the appropriate security measures. This is a crucial step because, in a typical environment, an Engineering department’s requirements would differ from Human Resources’, and the network running the fileservers would be different from the network supporting the Web server.
And what about your financial departments, or the differences between the procurement and the sales departments? Each group of users needs different accesses and privileges, and you will have to provide them all in a way that is easy and productive.
Not every network segment is used by the same users or applications; moreover, it is usually the users who determine which applications must run in a given network segment. Each application has its own bandwidth and security requirements, and the network security policy has to be defined with all of those requirements in mind.
Let us imagine a hypothetical network that has been designed to support a large financial company. In our example, we have a company with:
- The Board of Directors and high-level executives. These are either non-technical users or users whose computer knowledge is not very current (they may have left a technical position some years ago). The challenge here is that they usually want access to everything and want to be able to do whatever they want, no matter what it is; it is incredibly common to find organizations with firewall and proxy server rule sets that have exceptions named something to the effect of “Allow VPs All Access.” You need to gain buy-in from these high-level executives for your network security policy to succeed, even when it means their own access needs to be curtailed.
- Engineering. These may be users with strong computer and networking knowledge who possibly know more than you do! On the other hand, you may be dealing with people with a great deal of knowledge in their own specific field but no knowledge of computer networks or security.
- Sales, Procurement, Financial. These users usually do not have strong technical or security knowledge, but they may be managing valuable data such as supplier information, future projects, product prices, confidential commercial operations, and so on. They usually require a fairly free level of Internet access to interact with and research customer and supplier networks.
- Human Resources department. It is critical to secure this area, not because of any Internet access requirements, but because this department manages personal data. Depending on the country you are doing business in, there are numerous laws and regulations to protect employee and customer personal data. You will need to fulfill all the requirements of such laws while allowing your HR staff enough privileges to perform their jobs.
- Marketing, Public Relations, and similar departments. These users may have specific network access requirements. Talk with them, analyze their answers, and define a policy that suits their needs and allows them to do their work without compromising the security of the business.
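To make the “Need to Access” principle and the per-department segmentation above concrete, here is an added example (it is not code from the book or from any vendor) that models the hypothetical financial company as a set of network segments and an ordered, default-deny rule set, then evaluates flows against it. All subnet addresses, rule names and port numbers are constructed for illustration. The rule set deliberately includes an exception of the “Allow VPs All Access” kind so that the lint function can show how such a blanket rule silently lets the executive segment reach HR data, and how removing it restores the intended default deny.

```python
"""Default-deny, need-to-access policy evaluator for the hypothetical
financial company described in the text.  Added example, not from the
book; segments, addresses and rules are constructed for illustration."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import FrozenSet, List, Tuple, Union

PortSet = FrozenSet[Union[int, str]]  # destination ports, or the literal "any"


@dataclass(frozen=True)
class Rule:
    name: str
    src: str        # segment name, or "any"
    dst: str        # segment name, or "any"
    ports: PortSet  # destination TCP ports, or frozenset({"any"})
    action: str     # "allow" or "deny"


# Constructed segment plan: one subnet per user group from the text, plus the
# file-server and Web-server networks it mentions.  0.0.0.0/0 is the catch-all
# for anything that is not an internal segment (i.e., the Internet).
SEGMENTS = {
    "executives":    ip_network("10.10.0.0/24"),
    "engineering":   ip_network("10.20.0.0/24"),
    "sales_finance": ip_network("10.30.0.0/24"),
    "hr":            ip_network("10.40.0.0/24"),
    "marketing":     ip_network("10.50.0.0/24"),
    "fileservers":   ip_network("10.100.0.0/24"),
    "web_dmz":       ip_network("192.0.2.0/24"),
    "internet":      ip_network("0.0.0.0/0"),
}

ANY: PortSet = frozenset({"any"})

# Constructed rule set.  Ordered, first match wins, implicit deny at the end.
RULES: List[Rule] = [
    Rule("hr-payroll-share",   "hr",            "fileservers", frozenset({445}),     "allow"),
    Rule("eng-fileservers",    "engineering",   "fileservers", frozenset({22, 445}), "allow"),
    Rule("sales-web-research", "sales_finance", "internet",    frozenset({80, 443}), "allow"),
    Rule("staff-to-dmz-web",   "any",           "web_dmz",     frozenset({443}),     "allow"),
    # The kind of exception the text warns about: a blanket allow for executives.
    Rule("Allow VPs All Access", "executives",  "any",         ANY,                  "allow"),
]


def segment_of(ip: str) -> str:
    """Return the most specific (longest-prefix) segment that contains ip."""
    addr = ip_address(ip)
    matches = [(net.prefixlen, name) for name, net in SEGMENTS.items() if addr in net]
    return max(matches)[1]


def _matches(rule: Rule, src_seg: str, dst_seg: str, port: int) -> bool:
    return (rule.src in ("any", src_seg)
            and rule.dst in ("any", dst_seg)
            and ("any" in rule.ports or port in rule.ports))


def evaluate(src_ip: str, dst_ip: str, port: int,
             rules: List[Rule] = RULES) -> Tuple[str, str]:
    """First-match evaluation with default deny; returns (action, rule name)."""
    src_seg, dst_seg = segment_of(src_ip), segment_of(dst_ip)
    for rule in rules:
        if _matches(rule, src_seg, dst_seg, port):
            return rule.action, rule.name
    return "deny", "implicit-deny"


def lint_rules(rules: List[Rule] = RULES) -> List[str]:
    """Names of allow rules that grant a source every destination on every
    port: the 'all access' exceptions a need-to-access policy should not have."""
    return [r.name for r in rules
            if r.action == "allow" and r.dst == "any" and "any" in r.ports]


if __name__ == "__main__":
    flows = [("10.40.0.5", "10.100.0.10", 445),   # HR to the payroll share
             ("10.30.0.5", "10.100.0.10", 445),   # Sales to the file servers
             ("10.10.0.5", "10.40.0.7", 445),     # Executive to the HR segment
             ("10.30.0.5", "203.0.113.9", 443)]   # Sales to the Internet
    for flow in flows:
        print(flow, "->", evaluate(*flow))
    broad = lint_rules()
    print("over-broad rules:", broad)
    tightened = [r for r in RULES if r.name not in broad]
    print("executive -> HR after removing them:",
          evaluate("10.10.0.5", "10.40.0.7", 445, tightened))
```

Running it shows HR reaching its payroll share and Sales reaching the Web, while Sales to the file servers falls through to the implicit deny; the executive-to-HR flow is allowed only because of the blanket rule, and once `lint_rules` flags that rule and it is removed, the same flow is denied by default, which is the outcome a need-to-access policy is meant to produce.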