While information security could be seen as a “business enabler” by allowing the organization to deploy innovating solutions, thus gaining competitive advantage, without exposing the organization to additional risk, incorrect design and implementation could have the opposite effect by placing unnecessary burden on the Information Technology department staff and the organizational employees. Therefor, implementation of security controls to protect network boundaries should be consistent with business needs, budget and the resources these controls are designed to protect. As a result, the security design should be based on a security assessment (threat risk assessment) of the current environment to identify corporate assets and resources, and the security risks they are exposed to. George Farah (2004) suggests a five phased approach to a security network architecture with threat risk assessment as an initial step. It follows by formulation of a network security architecture design to mitigate the identified risks. In the third phase, the organization develops a security policy and procedures to govern the deployment and maintenance of the proposed architecture. The forth phase includes the deployment of the architecture while int the last, fifth phase the organization implements the security polity through management processes such as patch management, configuration management, vulnerability management, etc.
Typical security components in the network infrastructure include a firewall, Virtual Private Network (VPN) concentrator and a proxy server. Additional devices could include Intrusion Detection System (IDS) or Intrusion Prevention System (IPS), Web Application Firewall, Anti-Spam & Email Security Software and Data Leakage Prevention (DLP). The logical location of these and other devices depends on the corporate assets requiring protection, business processes, existing (or proposed) network architecture. For example, Virtual Private Network is only necessary when employees are required to work from a remote location such as home or remote office. As stated early, incorrect architecture or deployment of unnecessary system components could mean additional burden on the IT staff which will impact the service provided by the organization.
Edge firewall is often regarded as “a workhorse” in securing internal network from unauthorized access via the Internet” (Patrick W. Luce, 2004). It often provides a number of security services such as access control, stateful inspection and Network Address Translation (NAT). In many cases, firewall devices have a build-in VPN and basic IPS/IDS capabilities such as Cisco PIX 500 series (Cisco, n.d.).
Edge firewall is often regarded as “a workhorse” in securing internal network from unauthorized access via the Internet” (Patrick W. Luce, 2004). It often provides a number of security services such as access control, stateful inspection and Network Address Translation (NAT). In many cases, firewall devices have a build-in VPN and basic IPS/IDS capabilities such as Cisco PIX 500 series (Cisco, n.d.).
Modern firewall devices offered by security vendors such as Palo Alto, Checkpoint and Cisco, allow organizations to extend the security services provided by the device using “plug and play” architecture. For example. Check Point Software Blade Architecture allows network administrators to extend the firewall functionality “without additional hardware, firmware or driver” (Checkpoint, 2012). The additional blades include services such as IPSEC VPN, IPS, DLP, Web Security, Antivirus & Anti-Malware, Anti-Spam & Email Security and Voice over IP (VoIP).
When considering the “expendable” security devices as oppose to “best of breed” architecture, the security experts are divided into two camps. On one hand, a unified management of the security architecture allows network administrators to correlate events and incidents, and better manage the security posture of the organizations. On the other hand, having security devices from a number of software and hardware vendors (best of breed) adds an additional layer of defense an attacker need to overcome when trying to exploit an identified vulnerability.
When considering the “expendable” security devices as oppose to “best of breed” architecture, the security experts are divided into two camps. On one hand, a unified management of the security architecture allows network administrators to correlate events and incidents, and better manage the security posture of the organizations. On the other hand, having security devices from a number of software and hardware vendors (best of breed) adds an additional layer of defense an attacker need to overcome when trying to exploit an identified vulnerability.
To conclude, the organizational security solution should meet targeted business security needs rather than on a trend and security “fashion”. Unnecessary complex solutions increase the pressure on the IT which can, in fact, reduce the overall security level of the entire organization.
Bibliography
- Cisco n.d. “Cisco PIX 500 Series Security Appliances” [online]. Available from: http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/index.html (accessed: April 7, 2012).
- Checkpoint, 2012. “Check Point Software Blade Architecture” [online]. Available from: http://www.checkpoint.com/products/softwareblades/architecture/index.html (accessed: April 7, 2012).
- George Farah, 2004. “Information Systems Security Architecture - A Novel Approach to Layered Protection” [online]. SANS Institute. Available from: http://www.sans.org/reading_room/whitepapers/auditing/information-systems-security-architecture-approach-layered-protection_1527 (accessed: April 7, 2012).
- Patrick W. Luce, 2004. “Network Security Architecture” [online]. SANS Institute. Available from: http://www.sans.org/reading_room/whitepapers/honors/network-security-architecture_1498 (accessed: April 7, 2012)
- Ross J. Anderson, 2008. “A Guide to Building Dependable Distributed Systems”. 2nd Edition. Wiley Publishing.
No comments:
Post a Comment