Complete network security: the products you need to consider
Various authors have written books about network security, but what is missing is a useful overview of the actions you can take and the products you can use to secure your network.
Why you should think about network security
Every modern organization relies heavily on digital equipment, which means that your daily workflow, reporting and data processing could be seriously disrupted in case of a cyber-attack. Sensitive information could get lost or stolen and, as a result, your company’s reputation may be damaged. Enough reason to prioritize cyber security.
Security is a process
It is important to realize that security is a continuous process and not a product. What that process should look like depends on the threats that apply to your systems and organization, including the risks you are willing to take. It is understood that in order to keep software up-to-date, a structured process is needed, but not every organization will require a team that monitors their network 24/7.
Security products can certainly help to reduce specific risks, but it is important to realize that the security software that is supposed to protect your network, such as a firewall for instance, could also contain vulnerabilities, which then run the risk of being exploited. Another possibility: the security software simply might not be aware of the latest vulnerability, which means it will be unable to protect you from it.
Network security in 9 steps
Before you look into which security products to implement, it would be wise to:
- Identify and prioritize threats (also known as threat modeling).
- Determine the risk you’re willing to take and the affordable level of financial damage after a breach.
- Organize regular awareness workshops, so your users understand the threats and policies you may want to enforce.
- Develop, communicate and enforce a security policy.
- Implement the least privilege (need-to-know) security model.
- Make sure hardware and software assets are inventoried and checked regularly.
- Keep your systems up-to-date.
- Securely configure existing software.
- Perform regular back-ups of your systems.
When considering the security of your network, stick to the principle of defense-in-depth: build several independent layers of protection. This way an attacker needs to have knowledge of each layer, needs more time to breach each layer, and runs a higher risk of being detected, making it less likely he or she will succeed.
Security products you can choose from
Standard networking devices, like switches, can provide a limited degree of security, but in this blog we will only discuss the products that have been specifically designed for security, which are capable of a much higher level of protection.
1. Anti-malware software
Anti-malware software scans for malware. If something malicious is detected, meaning anything from viruses to Trojans and worms, the software blocks it. Anti-malware software should be active on end points, servers, and gateways. Gateways offer a central point where all incoming traffic, or a specific type of traffic such as emails, can be scanned. You usually also have the option of blocking content based on file extensions, which means you can block files that are known for causing problems, such as executables.
2. Firewall
A firewall’s main function is to inspect packets and allow or deny entry. It is typically one of the first lines of defense at the network perimeter, but it can also be used to segment your network into subnetworks. Generally speaking, restrictions increase as the subnetwork sensitivity increases.
There are roughly 2 types of firewalls:
- A rule-based firewall enables you to specify rules based on network characteristics like IP addresses and port numbers to allow or deny packets.
- An application-aware firewall goes beyond simple rules. For example, this type of firewall can distinguish between streaming videos via HTTP and simple web browsing, and then only block the streaming activity. It can also block specific attacks, such as cross-site scripting or SQL injection attacks.
3. Vulnerability scanner
A vulnerability scanner regularly scans IP ranges on your network for known vulnerabilities. It reports back which vulnerabilities have been found, categorizes them based on level of severity and usually suggests a fix. This helps to keep your network free of the most common vulnerabilities.
4. Intrusion Detection and Prevention System
An Intrusion Detection System (IDS) can detect an attack while it’s happening. It analyzes network traffic to detect (potentially) malicious activity, and raises an alarm if needed. The system usually receives a copy of the network traffic through a mirror port, meaning it is unable to intervene in the original traffic.
Intrusion Prevention Systems (IPS) are placed in-line so that they can inspect and stop an attack.
5. Security Information and Event Management System (SIEM)
A SIEM system is a more centralized solution that collects logging and event data from multiple sources on your network. The system correlates this data and generates alerts. You will need qualified security analysts to make sense of all these events and alerts. Another option is to outsource this to a company that specializes in security monitoring.
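What "correlating" data from multiple sources means in practice is shown in the following added example (not code from this blog or from any SIEM product). It alerts only when one source address shows both firewall denies and repeated failed logins inside the same time window. The event layout, the source names `firewall` and `vpn`, the thresholds and all log entries are constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, already normalized from two log sources:
# (timestamp, log source, source address, event type)
EVENTS = [
    ("2024-05-01T09:00:05", "firewall", "203.0.113.7", "deny"),
    ("2024-05-01T09:00:40", "vpn", "203.0.113.7", "login_failed"),
    ("2024-05-01T09:01:10", "vpn", "203.0.113.7", "login_failed"),
    ("2024-05-01T09:01:55", "vpn", "203.0.113.7", "login_failed"),
    ("2024-05-01T09:02:00", "vpn", "198.51.100.20", "login_failed"),  # single failure
    ("2024-05-01T09:03:00", "firewall", "192.0.2.44", "deny"),         # denies only
    ("2024-05-01T09:03:02", "firewall", "192.0.2.44", "deny"),
]

def correlate(events, window_s=300, min_failures=3):
    """Alert per address with >= min_failures failed logins AND a firewall deny in one window."""
    window = timedelta(seconds=window_s)
    by_ip = defaultdict(list)
    for ts, source, src_ip, event in events:
        by_ip[src_ip].append((datetime.fromisoformat(ts), source, event))
    alerts = []
    for ip, items in sorted(by_ip.items()):
        items.sort()
        for start, _, _ in items:  # slide the window over each event of this address
            in_window = [i for i in items if start <= i[0] < start + window]
            failures = sum(1 for i in in_window if i[1:] == ("vpn", "login_failed"))
            denies = sum(1 for i in in_window if i[1:] == ("firewall", "deny"))
            if failures >= min_failures and denies >= 1:
                alerts.append({"src_ip": ip, "window_start": start.isoformat(),
                               "failed_logins": failures, "firewall_denies": denies})
                break  # one alert per address is enough for the analyst
    return alerts
```

Neither log source alone triggers here; the alert comes from combining them, which is why the analyst sees one event instead of seven.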
6. Data diode
A data diode enforces a one-way flow of data and is generally used for two different scenarios:
- Protecting secrets, such as government documents or intellectual property (IP).
- Protecting assets in industrial environments.
A data diode is similar to a firewall, because you can use it to segment parts of your network. The key differentiator, however, is that a diode operates at the physical layer: there is only one physical, unidirectional path for the fiber and electrical signals to flow. Because a true data diode does not contain any software or logic, it can guarantee online hacks are impossible.
With the right processes and products you can significantly reduce the risks and impact of hacks and cyberattacks. Research and assess the procedures and products mentioned above to decide which ones best fit your needs.