Focus on Data
The place to focus a security assessment is on the data itself. Data protection rests on four things: centralizing where data lives, applying access controls systematically, encrypting the data, and physically securing the hardware that holds it. Centralizing data simplifies security management and reduces the number of network access points and server locations where extensive security controls need to be implemented. The trade-off to keep in mind is that a central store is also a concentrated target, so the controls around it must be correspondingly stronger.

Encryption of data on disk is a well-understood and well-supported practice among network operating systems, but encryption of data on the network is far less common. This is a particular problem on wireless networks. With Secure Sockets Layer encryption and VPNs so well supported for external traffic, there is no reason not to use the same approaches internally. For example, Cranite Systems Inc.'s WirelessWall Software Suite 2.0 earned an eWEEK Excellence Award for its ability to encrypt wireless traffic transparently yet effectively. Finally, physical protection of network gear, server hardware and data backups must always be enforced in parallel with network access controls.

Moving from data to the servers on which data resides raises the issue of sheer scope in large organizations. Security configuration, remote monitoring and patch management for thousands of servers and hundreds of thousands of connected network devices is an immensely daunting challenge for IT staff. This is a topic that eWEEK's Corporate Partner advisory board members have raised as a pressing issue, a factor that contributed to Foundstone Inc.'s FoundScan Vulnerability Management System 2.5 winning in the Excellence Awards' Enterprise Resource Protection category. The product provides rapid network vulnerability scanning and patch deployment monitoring for large networks, functionality that is highly useful for keeping far-flung networks secure.
Firewalls have been the linchpin of network boundary security for many years, but threats have increasingly shifted to application-level attacks carried over HTTP or other application-specific ports that most firewalls leave unfiltered. A new breed of white-list-based Web application firewalls is emerging to deal with this threat from outside attackers: rather than blocking known-bad patterns, they pass only requests that match a defined policy for the application. eWEEK Labs recently evaluated three such products, which perform deep HTTP inspection to provide real-time monitoring and attack prevention. Protocol-based network security monitoring is very much the leading edge of network security practice. Major firewall vendor Check Point Software Technologies Ltd. is shipping this month its first protocol-specific traffic inspection and attack prevention firewalls; this effort signals a shift to greater intelligence in firewall products as application-level attacks become increasingly common.

West Coast Technical Director Timothy Dyck can be reached at firstname.lastname@example.org.
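To make the white-list (positive security model) idea concrete, the following is an added example written for this page, not code from any of the products the article mentions. It parses raw HTTP/1.x requests and allows one only if its method, path, parameter names and parameter values all match a constructed policy for an imaginary intranet application; everything else, including a SQL injection payload, a duplicated parameter and a Content-Length that disagrees with the body, is rejected with a reason code. The POLICY table, the sample requests and the function names are this example's own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Positive security model: a request is allowed only if it matches a rule.
# Constructed policy for an imaginary intranet application (assumption).
POLICY = {
    ("GET", "/search"): {"q": re.compile(r"[\w .-]{1,64}")},
    ("GET", "/account"): {"id": re.compile(r"\d{1,10}")},
    ("POST", "/login"): {"user": re.compile(r"[a-z][a-z0-9_]{2,31}"),
                         "pass": re.compile(r".{8,128}")},
}
FORM = "application/x-www-form-urlencoded"


def parse_http_request(raw):
    """Split a raw HTTP/1.x request into its parts; returns None if malformed."""
    head, sep, body = raw.partition("\r\n\r\n")
    if not sep:
        return None
    lines = head.split("\r\n")
    request_line = lines[0].split(" ")
    if len(request_line) != 3:
        return None
    method, target, version = request_line
    headers = {}
    for line in lines[1:]:
        name, colon, value = line.partition(":")
        if not colon:
            return None
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers, body


def inspect_request(raw):
    """Return None if the request is allowed, otherwise a short reason code."""
    parsed = parse_http_request(raw)
    if parsed is None:
        return "malformed"
    method, target, version, headers, body = parsed
    if version not in ("HTTP/1.0", "HTTP/1.1"):
        return "bad-version"
    # Content-Length must agree with the bytes actually present; a mismatch is
    # the raw material of request smuggling and desynchronization attacks.
    declared = headers.get("content-length")
    if declared is not None and (not declared.isdigit()
                                 or int(declared) != len(body.encode())):
        return "length-mismatch"
    parts = urlsplit(target)
    rule = POLICY.get((method, parts.path))
    if rule is None:
        return "no-rule"                        # unknown path or method: deny
    params = parse_qsl(parts.query, keep_blank_values=True)
    if method == "POST":
        if headers.get("content-type", "").split(";")[0].strip() != FORM:
            return "bad-content-type"
        params += parse_qsl(body, keep_blank_values=True)
    elif body:
        return "unexpected-body"
    seen = set()
    for name, value in params:
        if name in seen:
            return "duplicate-param:" + name    # HTTP parameter pollution
        seen.add(name)
        pattern = rule.get(name)
        if pattern is None:
            return "unknown-param:" + name      # not in the allow list
        if not pattern.fullmatch(value):
            return "pattern:" + name            # e.g. injection payload in a field
    missing = sorted(set(rule) - seen)
    if missing:
        return "missing-param:" + missing[0]
    return None


# Constructed sample traffic (not captured from any real system).
SAMPLES = [
    ("normal search", "GET /search?q=firewall HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("sql injection", "GET /search?q=%27%20OR%201%3D1-- HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("parameter pollution", "GET /account?id=7&id=8 HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("hidden debug flag", "GET /search?q=x&debug=1 HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("path traversal", "GET /../etc/passwd HTTP/1.1\r\nHost: intranet.example\r\n\r\n"),
    ("valid login", "POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
                    "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 29\r\n\r\n"
                    "user=alice&pass=correct-horse"),
    ("smuggling attempt", "POST /login HTTP/1.1\r\nHost: intranet.example\r\n"
                          "Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 5\r\n\r\n"
                          "user=alice&pass=correct-horse"),
]


def run_samples():
    return [(label, inspect_request(raw)) for label, raw in SAMPLES]


if __name__ == "__main__":
    for label, verdict in run_samples():
        print(f"{label:20s} -> {verdict or 'allowed'}")
```

The point to notice is that the injection payload is stopped without any signature for it: the search field simply is not allowed to contain a quote or an equals sign. The cost of this model, and the reason such products need tuning, is that every legitimate parameter must be described up front, so a new application feature that is not added to the policy is blocked too.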
Network and data access controls should be implemented using central directories such as LDAP directories, Microsoft Corp.'s Active Directory, Novell Inc.'s eDirectory or a public-key infrastructure. A global directory provides that very valuable single point of administration for user rights, and organizations should bias their selection of network and application infrastructure toward products that provide solid directory support. The same single point is also a single point of failure and of compromise, so the directory itself deserves the strongest controls in the environment.
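As an added example of what "access controls through a central directory" means in code (written for this page; not from any of the directory products named above), the following resolves a user's effective group membership from a directory export, following nested groups and tolerating membership cycles, and answers an authorization question from a resource-to-group policy. The LDIF text, the RESOURCE_POLICY table and the function names are constructed assumptions; the DN normalization is deliberately simplified.

```python
from collections import defaultdict, deque

# Constructed LDIF for an imaginary directory (assumption; not a real deployment).
SAMPLE_LDIF = """\
dn: uid=alice,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: alice

dn: uid=bob,ou=people,dc=example,dc=com
objectClass: inetOrgPerson
uid: bob

dn: cn=dba,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: uid=alice,ou=people,dc=example,dc=com

dn: cn=ops,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=dba,ou=groups,dc=example,dc=com
member: uid=bob,ou=people,dc=example,dc=com
member: cn=everyone,ou=groups,dc=example,dc=com

dn: cn=everyone,ou=groups,dc=example,dc=com
objectClass: groupOfNames
member: cn=ops,ou=groups,dc=example,dc=com
"""

# Which directory group each resource requires (constructed policy).
RESOURCE_POLICY = {
    "customer-db": "cn=dba,ou=groups,dc=example,dc=com",
    "backup-server": "cn=ops,ou=groups,dc=example,dc=com",
    "intranet-wiki": "cn=everyone,ou=groups,dc=example,dc=com",
}


def normalize_dn(dn):
    # Simplification: lower-case and strip spaces around RDN separators.
    # Full DN matching per RFC 4514 is more involved; enough for this example.
    return ",".join(part.strip() for part in dn.lower().split(","))


def parse_ldif(text):
    """Return {dn: {attribute: [values]}} for a simple LDIF dump
    (no base64 values and no continuation lines)."""
    entries, current = {}, {}
    for line in text.splitlines() + [""]:      # trailing "" flushes the last entry
        if not line.strip():
            if current:
                entries[normalize_dn(current.pop("dn")[0])] = current
            current = {}
            continue
        attr, _, value = line.partition(":")
        current.setdefault(attr.strip().lower(), []).append(value.strip())
    return entries


def parent_groups(entries):
    """Map each member DN to the groups that list it directly."""
    parents = defaultdict(set)
    for dn, attrs in entries.items():
        if "groupofnames" in (c.lower() for c in attrs.get("objectclass", [])):
            for member in attrs.get("member", []):
                parents[normalize_dn(member)].add(dn)
    return parents


def effective_groups(entries, user_dn):
    """All groups a DN belongs to, following nested membership; the seen set
    makes this terminate even when groups contain each other."""
    parents = parent_groups(entries)
    seen, queue = set(), deque([normalize_dn(user_dn)])
    while queue:
        dn = queue.popleft()
        for group in parents.get(dn, ()):
            if group not in seen:
                seen.add(group)
                queue.append(group)
    return seen


def is_authorized(entries, user_dn, resource):
    required = RESOURCE_POLICY.get(resource)
    if required is None:
        return False                # default deny for anything not in the policy
    return normalize_dn(required) in effective_groups(entries, user_dn)


if __name__ == "__main__":
    directory = parse_ldif(SAMPLE_LDIF)
    for user in ("uid=alice,ou=people,dc=example,dc=com",
                 "uid=bob,ou=people,dc=example,dc=com"):
        for resource in RESOURCE_POLICY:
            print(user.split(",")[0], resource, is_authorized(directory, user, resource))
```

Two details matter in practice. Nested groups are where most directory-based authorization goes wrong, so membership must be resolved transitively and the traversal must survive cycles (here cn=ops and cn=everyone contain each other). And the decision is default deny: a resource with no policy entry, or a user absent from the directory, gets nothing.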