Practical Suggestions for Improving Network Security
Q3: What are your practical suggestions for improving security in networks?
A: Network security should start with developing a security policy that specifies both the requirements and responsibilities related to network security, and sets the framework for implementation. It's important to note that risks are not eliminated by network security; rather they are reduced to levels deemed acceptable to the organization. Therefore, as part of developing a security policy, a risk assessment and cost-benefit analysis should be performed.
The network security policy could be produced as a series of documents, such as an overall policy, a network access policy, an acceptable use policy, and so forth. These policies must then be disseminated to all employees (and contractors, etc); training on the policies should be mandatory for all. Policies should be written such that they are enforceable, and wherever possible automated ways to enforce them should be put in place. For example, companies should have a policy that nobody should surf "objectionable" websites. To enforce this, URL filtering software could automatically prevent users from visiting websites that have been listed as "objectionable". However, if users need to get to one of these listed sites (for work purposes), they should be able to make a special request to have that site removed from the filter's list.
Since risks, technologies, and requirements may change, the security policies should be living documents that are updated as necessary.
Network security implementation does not just mean putting a firewall on the Internet connection; security should be integrated into the network. For example, routers and switches with features such as integrated firewall, VPN, and intrusion prevention and detection are available, as are stand-alone security appliances. These devices can work together and with other devices and applications, to defend against threats both from within the network and from external sources.