Network security policy: best practices


Network security policy: best practices
Ref: Cisco document ID 13601, www.cisco.com

Process
- Preparation: create a usage policy statement; conduct a risk analysis; establish a security team structure
- Prevention: approving security changes; monitoring the security of your network
- Response: security violations; restoration; review

Preparation: Create usage policy statement (1)
- Outline users' roles and responsibilities with regard to security.
- General policy: covers all network systems and data within your company, and provides
  - an understanding of the security policy and its purpose
  - guidelines for improving their security practices
  - definitions of their security responsibilities
  - identification of specific actions that could result in punitive action

Preparation: Create usage policy statement (2)
- Partner acceptable use statement: provides partners with
  - an understanding of the information that is available to them
  - the expected disposition of that information
  - the conduct expected of your company's employees
- Clearly explain any specific acts that have been identified as security attacks and the punitive action that will be taken.

Preparation: Create usage policy statement (3)
- Administrator acceptable use statement: explains
  - the procedures for user account administration
  - policy enforcement
  - privilege review
- Specific policies on user passwords and data handling should be presented clearly.
- Check the policy against the partner and user acceptable use statements to ensure uniformity.
- Make sure that the administrator requirements listed in the policy are reflected in training plans and performance evaluations.

Preparation: Conduct a risk analysis (1)
- A risk analysis should identify the risks to your network, network resources and data.
- Identify the portions of your network, assign a threat rating to each portion and apply the appropriate level of security.
- Each network resource can be assigned one of three risk levels:
- Low risk: systems or data that, if compromised, would not disrupt the business, cause legal or financial ramifications, or provide further access to other systems. The targeted system or data can be easily restored.
- Medium risk: systems or data that, if compromised, would cause a moderate disruption in the business or minor legal or financial ramifications, or provide further access to other systems. The targeted system or data requires a moderate effort to restore, and the restoration process is disruptive to the system.

Preparation: Conduct a risk analysis (2)
- High risk: systems or data that, if compromised, would cause an extreme disruption in the business or major legal or financial ramifications, threaten the health and safety of a person, or provide further access to other systems. The targeted system or data requires a significant effort to restore, and the restoration process is disruptive to the business or to other systems.

Preparation: Conduct a risk analysis (3)
- Identify the types of users; the five most common types are:
  - Administrators: internal users responsible for network resources
  - Privileged: internal users with a need for greater access
  - Users: internal users with general access
  - Partners: external users with a need to access some resources
  - Others: external users or customers

Preparation: Establish team structure
- Create a cross-functional security team led by a Security Manager, with participants from each of your company's operational areas.
- The security team has three areas of responsibility:
  - Policy development: establishing and reviewing security policies for the company
  - Practice: conducting the risk analysis, approving security change requests, reviewing security alerts from both vendors and CERT (Computer Emergency Response Team), and turning the policy into implementation
  - Response: troubleshooting and fixing a violation; each team member should know in detail the security features provided by the equipment

Prevention: Approving security changes (1)
- Recommendation: review the following types of changes:
  - any change to the firewall configuration
  - any change to an access control list (ACL)
  - any change to the Simple Network Management Protocol (SNMP) configuration
  - any change or update to software that differs from the approved software revision level list

Prevention: Approving security changes (2)
- Recommended guidelines:
  - Change passwords to network devices on a routine basis.
  - Restrict access to network devices to an approved list of personnel.
  - Ensure that the current software revision levels of network equipment and server environments are in compliance with the security configuration requirements.
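The change-approval rules above are only enforceable if someone compares what is running against what was approved. The following is an added example, not code from the Cisco document: it diffs a running configuration against the approved baseline, attributes each changed line to the policy category that must sign off on it (firewall, ACL, SNMP, software), and checks the running software revision against the approved revision list. The two IOS-style configuration texts and the APPROVED_REVISIONS set are constructed for the example.

```python
"""Drift check against an approved device baseline.

Added example, not from the Cisco document. The two configuration texts are
constructed IOS-style snippets; APPROVED_REVISIONS stands in for the
approved software revision level list the policy refers to.
"""
import re
from collections import Counter

APPROVED_BASELINE = """\
version 15.2
hostname edge-fw-1
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 443
 deny ip any any log
snmp-server community s3cr3t-ro RO 10
snmp-server host 10.0.0.5 version 2c s3cr3t-ro
access-list 10 permit 10.0.0.0 0.0.0.255
"""

RUNNING_CONFIG = """\
version 15.1
hostname edge-fw-1
ip access-list extended OUTSIDE-IN
 permit tcp any host 192.0.2.10 eq 443
 permit tcp any host 192.0.2.10 eq 22
 deny ip any any log
snmp-server community public RW
snmp-server host 10.0.0.5 version 2c s3cr3t-ro
access-list 10 permit 10.0.0.0 0.0.0.255
"""

APPROVED_REVISIONS = {"15.2", "15.4"}  # assumed approved revision list

# Change categories from the approval policy. A changed line is attributed to
# the category of its own text or of the section header it sits under.
REVIEW_CATEGORIES = [
    ("firewall", re.compile(r"^(ip inspect|zone-pair|class-map|policy-map)\b")),
    ("acl", re.compile(r"^(ip access-list|access-list)\b")),
    ("snmp", re.compile(r"^snmp-server\b")),
    ("software", re.compile(r"^version\b")),
]


def tag_sections(config_text):
    """Yield (section, line) pairs: indented lines belong to the preceding
    top-level line, as in an IOS running-config."""
    section = ""
    for raw in config_text.splitlines():
        if not raw.strip() or raw.startswith("!"):
            continue
        if not raw.startswith(" "):
            section = raw.strip()
        yield section, raw.rstrip()


def classify(section, line):
    for name, pattern in REVIEW_CATEGORIES:
        if pattern.search(section) or pattern.search(line.strip()):
            return name
    return "other"


def drift_report(baseline, running, approved_revisions):
    """Return every line that differs from the baseline, tagged with the
    policy category that has to sign off on it, plus a software-revision
    compliance finding when the running version is not on the approved list."""
    base = Counter(tag_sections(baseline))
    run = Counter(tag_sections(running))
    findings = []
    for change, delta in (("added", run - base), ("removed", base - run)):
        for section, line in sorted(delta):
            findings.append({"change": change,
                             "category": classify(section, line),
                             "line": line.strip()})
    m = re.search(r"^version\s+(\S+)", running, re.M)
    version = m.group(1) if m else "unknown"
    if version not in approved_revisions:
        findings.append({"change": "noncompliant", "category": "software",
                         "line": f"version {version}"})
    needs_review = sorted({f["category"] for f in findings} - {"other"})
    return {"findings": findings, "needs_review": needs_review}


if __name__ == "__main__":
    report = drift_report(APPROVED_BASELINE, RUNNING_CONFIG, APPROVED_REVISIONS)
    for f in report["findings"]:
        print(f"{f['change']:12} {f['category']:9} {f['line']}")
    print("needs sign-off from:", ", ".join(report["needs_review"]))
```

On the constructed input the report flags an added ACL entry opening port 22, a replaced SNMP community (read-only replaced by a read-write "public" string) and a software revision that is not on the approved list, so all three categories need sign-off before the running state can be accepted as the new baseline. Line-set comparison deliberately ignores ordering; for ACLs, where order determines the result, the reviewer still needs to read the entries in sequence.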

Prevention: Monitoring security of your network (1)
- Similar to network monitoring, except that it focuses on detecting changes in the network that indicate a security violation.
- In the risk analysis matrix the firewall is considered a high-risk network device, so it is monitored in real time.
- From the approving-security-changes section, any change to the firewall should be monitored.
- This means the SNMP agent should monitor such things as failed login attempts, unusual traffic, changes to the firewall, access granted to the firewall and connections set up through the firewall.

Prevention: Monitoring security of your network (2)
- Following this example, create a monitoring policy for each area identified in your risk analysis:
  - Low-risk equipment: monitored weekly
  - Medium-risk equipment: monitored daily
  - High-risk equipment: monitored hourly
- Lastly, the security policy should address how to notify the security team of security violations (for example, by email or SMS).
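The two monitoring slides above name the events to watch on the high-risk firewall (failed logins, unusual traffic, configuration changes, access granted and connections through the firewall) but not how a watcher decides that one of them is a violation worth notifying the team about. The following is an added example, not code from the Cisco document, that runs that detection logic over a syslog feed. The log lines are constructed to resemble Cisco IOS syslog messages, and the thresholds and approved-administrator source list are assumptions for the example.

```python
"""Real-time monitoring of a high-risk device (the firewall) from its syslog
feed, covering the events the policy lists: failed logins, unusual traffic,
configuration changes, access granted and connections through the firewall.

Added example, not from the Cisco document. SAMPLE_LOG is constructed to
resemble Cisco IOS syslog output; thresholds and APPROVED_ADMIN_SOURCES are
assumptions for the example.
"""
import re
from collections import Counter, defaultdict, deque
from datetime import datetime, timedelta

APPROVED_ADMIN_SOURCES = {"10.0.0.9"}       # approved personnel, by source IP
FAILED_LOGIN_THRESHOLD = 3                  # failures from one source ...
FAILED_LOGIN_WINDOW = timedelta(minutes=5)  # ... within this window
SCAN_PORT_THRESHOLD = 3                     # distinct denied ports from one source

LINE_RE = re.compile(r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
FAILED_RE = re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED:.*\[Source: (?P<src>[\d.]+)\]")
SUCCESS_RE = re.compile(r"%SEC_LOGIN-5-LOGIN_SUCCESS:.*\[user: (?P<user>\w+)\].*\[Source: (?P<src>[\d.]+)\]")
CONFIG_RE = re.compile(r"%SYS-5-CONFIG_I: Configured from (?P<where>\S+) by (?P<user>\w+)")
DENY_RE = re.compile(r"%SEC-6-IPACCESSLOGP: list (?P<acl>\S+) denied \w+ (?P<src>[\d.]+)\(\d+\) -> (?P<dst>[\d.]+)\((?P<port>\d+)\)")
SESSION_RE = re.compile(r"%FW-6-SESS_AUDIT_TRAIL_START: Start \w+ session: initiator \((?P<src>[\d.]+):\d+\) -- responder \((?P<dst>[\d.]+):(?P<port>\d+)\)")

# Constructed sample feed (not captured from a real device).
SAMPLE_LOG = """\
Mar 14 10:00:01 edge-fw-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:01 UTC Mon Mar 14 2016
Mar 14 10:00:05 edge-fw-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:05 UTC Mon Mar 14 2016
Mar 14 10:00:09 edge-fw-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: root] [Source: 203.0.113.7] [localport: 22] [Reason: Login Authentication Failed] at 10:00:09 UTC Mon Mar 14 2016
Mar 14 10:01:00 edge-fw-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 10.0.0.9] [localport: 22] at 10:01:00 UTC Mon Mar 14 2016
Mar 14 10:01:30 edge-fw-1 %SYS-5-CONFIG_I: Configured from console by admin on vty0 (10.0.0.9)
Mar 14 10:02:00 edge-fw-1 %FW-6-SESS_AUDIT_TRAIL_START: Start tcp session: initiator (10.0.0.23:51234) -- responder (198.51.100.4:443)
Mar 14 10:02:10 edge-fw-1 %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 203.0.113.7(40001) -> 192.0.2.10(22), 1 packet
Mar 14 10:02:11 edge-fw-1 %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 203.0.113.7(40002) -> 192.0.2.10(23), 1 packet
Mar 14 10:02:12 edge-fw-1 %SEC-6-IPACCESSLOGP: list OUTSIDE-IN denied tcp 203.0.113.7(40003) -> 192.0.2.10(3389), 1 packet
Mar 14 10:05:00 edge-fw-1 %SEC_LOGIN-5-LOGIN_SUCCESS: Login Success [user: admin] [Source: 203.0.113.7] [localport: 22] at 10:05:00 UTC Mon Mar 14 2016
"""


def monitor(log_text):
    """Walk the feed in order and return the alerts the security team should
    be notified of, plus a count of every monitored event type seen."""
    alerts = []
    events = Counter()
    failures = defaultdict(deque)    # source -> timestamps of recent failures
    denied_ports = defaultdict(set)  # source -> distinct destination ports denied
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        msg = m["msg"]
        if (f := FAILED_RE.search(msg)):
            events["failed_login"] += 1
            window = failures[f["src"]]
            window.append(ts)
            while ts - window[0] > FAILED_LOGIN_WINDOW:   # drop stale failures
                window.popleft()
            if len(window) == FAILED_LOGIN_THRESHOLD:      # alert when first crossed
                alerts.append(("brute_force", f["src"],
                               f"{len(window)} failed logins within {FAILED_LOGIN_WINDOW}"))
        elif (s := SUCCESS_RE.search(msg)):
            events["login"] += 1
            if s["src"] not in APPROVED_ADMIN_SOURCES:     # access granted outside the approved list
                alerts.append(("unapproved_admin_access", s["src"],
                               f"user {s['user']} logged in from an unapproved source"))
        elif (c := CONFIG_RE.search(msg)):
            events["config_change"] += 1                   # every firewall change is reviewed
            alerts.append(("config_change", c["user"],
                           f"configuration changed from {c['where']}; verify an approved change request exists"))
        elif (d := DENY_RE.search(msg)):
            events["denied"] += 1
            ports = denied_ports[d["src"]]
            ports.add(d["port"])
            if len(ports) == SCAN_PORT_THRESHOLD:          # one source probing several ports
                alerts.append(("unusual_traffic", d["src"],
                               f"denied by {d['acl']} on {len(ports)} distinct ports"))
        elif SESSION_RE.search(msg):
            events["session"] += 1                         # connections through the firewall, counted only
    return {"alerts": alerts, "events": dict(events)}


if __name__ == "__main__":
    result = monitor(SAMPLE_LOG)
    for kind, who, detail in result["alerts"]:
        print(f"ALERT {kind:24} {who:15} {detail}")
    print("events seen:", result["events"])
```

On the sample feed the watcher raises four alerts, in feed order: a brute-force pattern against the firewall login, a configuration change to check against the approved change requests, a single source denied on several ports, and an administrative login from a source that is not on the approved personnel list. The alert tuples are what the notification step in the policy (email, SMS) would carry to the security team; connections through the firewall are counted rather than alerted on, since they are the normal case.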

Response: Security violation (1)
- The first action after the detection of an intrusion is notification of the security team.
- Define a procedure in the security policy that is available 24 hours a day, 7 days a week.
- Next, define the level of authority given to the security team to make changes. Possible corrective actions are:
  - implementing changes to prevent further access to the violation
  - isolating the violated systems
  - contacting the carrier or ISP in an attempt to trace the attack

Response: Security violation (2)
- Possible corrective actions (continued):
  - using recording devices to gather evidence
  - disconnecting violated systems or the source of the violation
  - contacting the police or other government agencies
  - shutting down violated systems
  - restoring systems according to a prioritized list
  - notifying internal managerial and legal personnel

Response: Security violation (3)
- Lastly, collect and maintain information during the security attack:
  - to determine the extent of the violation and which systems have been compromised
  - to prosecute external violations
- Record the event by obtaining sniffer traces of the network, copies of log files, active user accounts and network connections.
- Limit further compromise by disabling accounts, disconnecting network equipment from the network and disconnecting from the Internet.

Response: Security violation (4)
- Back up the compromised system to aid in a detailed analysis of the damage and the method of attack.
- Look for other signs of compromise. Often when a system is compromised there are other systems or accounts involved.
- Maintain and review security device log files and network monitoring log files; they often provide clues to the method of attack.
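Evidence that may be used to prosecute an external violation, as the two slides above intend, is only useful if it can later be shown not to have changed since collection. The following is an added example, not code from the Cisco document: it writes an integrity manifest (SHA-256 per artifact, plus a digest over the manifest entries) beside the collected sniffer trace, log copies, account listing and connection listing, and re-verifies that manifest later. The artifact files, incident identifier and collector name are constructed stand-ins; in practice the manifest should also be copied to write-once media or signed, which this example does not do.

```python
"""Integrity manifest for collected incident evidence.

Added example, not from the Cisco document. demo() creates constructed
stand-ins for the artifacts the policy names (sniffer trace, log copies,
active accounts, network connections); the incident id and collector name
are assumptions.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path

MANIFEST_NAME = "manifest.json"


def sha256_file(path):
    """Hash a file in chunks so large captures do not have to fit in memory."""
    h = hashlib.sha256()
    with Path(path).open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _entries_digest(entries):
    # Canonical JSON so the digest does not depend on key order or whitespace.
    canonical = json.dumps(entries, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


def build_manifest(evidence_dir, incident_id, collector):
    """Hash every artifact in evidence_dir and write manifest.json beside them."""
    evidence_dir = Path(evidence_dir)
    entries = []
    for p in sorted(evidence_dir.iterdir()):
        if p.name == MANIFEST_NAME or not p.is_file():
            continue
        entries.append({"name": p.name, "size": p.stat().st_size, "sha256": sha256_file(p)})
    manifest = {
        "incident_id": incident_id,
        "collector": collector,
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "entries": entries,
        "entries_sha256": _entries_digest(entries),
    }
    (evidence_dir / MANIFEST_NAME).write_text(json.dumps(manifest, indent=2))
    return manifest


def verify_manifest(evidence_dir):
    """Return [] when every artifact still matches the manifest, otherwise a
    list of (name, problem) pairs: altered manifest, modified, missing or
    unlisted files."""
    evidence_dir = Path(evidence_dir)
    manifest = json.loads((evidence_dir / MANIFEST_NAME).read_text())
    problems = []
    if _entries_digest(manifest["entries"]) != manifest["entries_sha256"]:
        problems.append((MANIFEST_NAME, "manifest entries altered"))
    listed = set()
    for e in manifest["entries"]:
        listed.add(e["name"])
        p = evidence_dir / e["name"]
        if not p.is_file():
            problems.append((e["name"], "missing"))
        elif sha256_file(p) != e["sha256"]:
            problems.append((e["name"], "sha256 mismatch"))
    for p in sorted(evidence_dir.iterdir()):
        if p.is_file() and p.name != MANIFEST_NAME and p.name not in listed:
            problems.append((p.name, "unlisted file"))
    return problems


def demo():
    """Seal a constructed evidence set, then tamper with it and re-verify.
    Returns (problems_before_tampering, problems_after_tampering)."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        # Constructed stand-ins for the artifacts named in the policy.
        (root / "capture.pcap").write_bytes(b"\xd4\xc3\xb2\xa1" + bytes(20))
        (root / "auth.log").write_text("Mar 14 10:00:01 edge-fw-1 %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: admin] [Source: 203.0.113.7]\n")
        (root / "who.txt").write_text("admin    pts/0    2016-03-14 10:01 (10.0.0.9)\n")
        (root / "netstat.txt").write_text("tcp 0 0 192.0.2.10:22 203.0.113.7:40001 ESTABLISHED\n")
        build_manifest(root, "INC-2016-0314", "analyst1")
        before = verify_manifest(root)
        (root / "auth.log").write_text("tampered\n")   # simulated post-collection change
        (root / "who.txt").unlink()                     # simulated lost artifact
        after = verify_manifest(root)
        return before, after


if __name__ == "__main__":
    before, after = demo()
    print("right after collection:", before or "all artifacts verified")
    print("after tampering:", after)
```

The entries digest catches edits to manifest.json itself (for example, re-hashing a modified log and updating its entry), and the unlisted-file check catches artifacts added after the collection was sealed; both would otherwise pass a naive per-file hash comparison.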

Response: Restoration
- Define in the security policy how to conduct, secure and make available normal backups.
- As each system has its own means and procedures for backing up, the security policy should act as a meta-policy, detailing for each system the security conditions that require restoration from backup.
- If approval is required before restoration can be done, include the process for obtaining approval as well.

Response: Review (1)
- The review is the final effort in creating and maintaining a security policy.
- Three things are reviewed: policy, posture and practice.
- Policy: the security policy should be a living document, reviewed against known best practices. Check the CERT website for useful tips, practices, security improvements and alerts.

Response: Review (2)
- Posture: review the network posture in comparison with the desired security posture. An outside firm that specializes in security can attempt to penetrate the network and test not only the posture of the network but also the security response of the organization. For high-availability networks, conducting such a test annually is recommended.
- Practice: a test of the support staff to ensure that they have a clear understanding of what to do during a security violation. Often the test is unannounced and done in conjunction with the network posture test. It shows the gaps in procedures and personnel training so that corrective action can be taken.