November 14, 2003

10 tips for improving security inside the firewall

ComputerWorld has published an article that illustrates 10 ways to address the security challenges of large, active internal networks. Additionally, since they involve defensive tactics, they provide a game plan for improving the security of a large enterprise network.

They could have gone into greater detail, but to sum it up, the 10 tips are:

  1. Remember that internal security is different from perimeter security.
  2. Lock down VPN access.
  3. Build Internet-style perimeters for partner extranets.
  4. Automatically track security policy.
  5. Shut off unused network services.
  6. Defend critical resources first.
  7. Build secure wireless access.
  8. Build secure visitor access.
  9. Create virtual perimeters.
  10. Justify security decisions.

As I look at this list, I think this is too generic. (It makes more sense if you read the article.) The defense of one's network is going to be different in each individual scenario. Risk mitigation is not something that can be designed by following a checklist without first analysing what needs protecting. The last bullet really needs to be near the top. It's too easy to throw money at technology to solve "security problems". This call to action to "bolt" on security after the fact is ineffective. Security is not a technology problem! It is a business one, and will be different in every scenario.

Although it's easy to say things like "shut off network services" and "defend critical resources first", one has to evaluate WHAT is expected of the network. By applying the principle of least privilege when setting policy, you restrict the network to only those services that are needed, and then shore up critical business resources with layered, defense-in-depth security based on their perceived value (each person in an organization will rank their own stuff as more important, so this process has to be more objective, and done by a bigger group).

This is one of the fundamental reasons so many Windows environments had the huge worm debacle this summer. After the first strain of RPC-type vulnerabilities was attacked, policy should have been modified to stop this type of communication from going on in the network. Simply "patching" the hole was not enough. They should have placed strict access control on RPC/DCOM ports and reduced the attack surface of each Windows host/server. If this had been done, the secondary strains (there were, what, three different ones?) would have been totally ineffective.
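As an added example (not from the ComputerWorld article or this post), here is a small Python model of the policy the paragraph argues for: a least-privilege allowlist of services per host role, with the Windows RPC/DCOM and SMB ports (TCP 135, 139, 445) reachable only from an assumed management subnet. It is run over constructed flow records to show what an internal firewall following that policy would block, and to flag sources whose blocked RPC attempts fan out across many hosts, which is how worm-style propagation shows up in the denied traffic. The subnets, roles and flows are constructed for the example.

```python
"""Least-privilege internal access policy, checked against constructed flow records."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Standard Windows RPC/DCOM and SMB ports: 135 = RPC endpoint mapper,
# 139 = NetBIOS session, 445 = SMB (direct-hosted RPC over SMB).
RPC_DCOM_PORTS = {135, 139, 445}
MGMT_NET = ip_network("10.10.0.0/24")  # assumption: admin/patch-management subnet

# Least privilege: each host role exposes only the services its job requires.
ROLE_ALLOWED_PORTS = {
    "workstation": set(),        # workstations serve nothing to the rest of the network
    "fileserver": {445},         # SMB shares for clients; RPC (135/139) only from MGMT_NET
    "webserver": {80, 443},
}

@dataclass(frozen=True)
class Flow:
    src: str       # source IP
    dst: str       # destination IP
    dport: int     # destination TCP port
    dst_role: str  # role of the destination host (from inventory)

def is_allowed(flow: Flow) -> bool:
    """True if the flow fits the policy, False if the internal firewall should drop it."""
    if flow.dport in RPC_DCOM_PORTS and ip_address(flow.src) in MGMT_NET:
        return True  # management hosts may use RPC/DCOM/SMB for administration
    return flow.dport in ROLE_ALLOWED_PORTS.get(flow.dst_role, set())

def denied_flows(flows):
    """All flows the policy blocks; this is what the firewall log would show as drops."""
    return [f for f in flows if not is_allowed(f)]

def suspicious_sources(flows, threshold=3):
    """Sources whose denied RPC/DCOM attempts reach at least `threshold` distinct hosts.
    One host hitting 135 on many peers is the spreading pattern, not normal client traffic."""
    targets = {}
    for f in denied_flows(flows):
        if f.dport in RPC_DCOM_PORTS:
            targets.setdefault(f.src, set()).add(f.dst)
    return sorted(src for src, dsts in targets.items() if len(dsts) >= threshold)

SAMPLE_FLOWS = [  # constructed records, not real traffic
    Flow("10.10.0.5", "10.20.0.7", 135, "workstation"),  # admin -> workstation RPC: allowed
    Flow("10.20.0.7", "10.30.0.2", 445, "fileserver"),   # client -> file share: allowed
    Flow("10.20.0.7", "10.30.0.2", 135, "fileserver"),   # client -> RPC on server: denied
    Flow("10.20.0.9", "10.20.0.7", 135, "workstation"),  # peer-to-peer RPC: denied
    Flow("10.20.0.9", "10.20.0.8", 135, "workstation"),  # same source, next host: denied
    Flow("10.20.0.9", "10.20.0.11", 135, "workstation"), # same source, third host: denied
    Flow("10.20.0.7", "10.40.0.3", 443, "webserver"),    # client -> intranet HTTPS: allowed
]

if __name__ == "__main__":
    print(f"denied: {len(denied_flows(SAMPLE_FLOWS))}, suspicious: {suspicious_sources(SAMPLE_FLOWS)}")
```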

I could go on for hours, but you get the point. Information security is more about mitigating risks by learning from your mistakes (and those of others), and implementing policy correctly. Technology is an enabler, not the solution.

Posted by SilverStr at November 14, 2003 07:17 AM