This tip originally appeared on SearchSMB.com. For more IT articles and tips specific to small and midsized businesses, visit SearchSMB.com.
There is no doubt that network security has been and will remain a hot topic for years
This tip on network security basics aims to help you focus on strategic areas of your network and the services it provides to ensure you get the best possible results -- without blowing your budget (even though sometimes it's unavoidable). I'll explain network infrastructure, Active Directory, honey pots and several network security resources that can help secure your networks.
Network infrastructure: The heart of your network
With numbers of local network users constantly increasing, it is imperative that your network is segmented appropriately. If you have more than 50 users on your LAN, it's time to start considering virtual LANs (VLANs). With the use of VLANs, you can segment your network by creating separate broadcast domains, instantly providing an increased level of security. Sensitive departments and critical services can easily be isolated from the rest of the network and controlled access to your network's resources can play a vital role in a possible internal or external attack.
You can also provision for a Guest VLAN, another common requirement for most businesses. A Guest VLAN is one that visitors who require Internet access can connect to without us risking the exposure of the rest of our network. Here, the Guest VLAN can be configured in whatever way we like, whether that be limited Internet access or strict access to internal resources and services.
Layer 3 switches are a requirement if you wish to route packets between your VLANs. Prices start at a few thousand dollars, making them a good economical choice. If you're really on a tight budget, consider the 3550/3560 or 3750 Cisco Catalyst Series, which provide such features with the appropriate Internetwork Operating System. However, if there is room to push the limit a bit further, then the Catalyst 4500 Series is your best friend. Some models such as the 4507R provide full Supervisor Engine Redundancy so there is no single point of failure at the core of your network, making them an engineer's favorite.
Active Directory: Unleash the power of Windows
The Windows operating system certainly dominates the server market these days, and surely you'll have a few servers with at least Windows 2000 installed. By installing Active Directory, you automatically tie all your network resources together, providing a central point of management. While the planning and implementation can become a time-consuming (and stressful) process, the benefits and security Active Directory provides make it well worth it.
Restricting workstation modifications at the user level, installing programs, changing network settings and forcing security policies are easily done with a few clicks with Active Directory. Application updates, including operating system patches, antivirus updates and much more, are no longer tasks that need to worry you as all this can be set up to automatically be taken care of with Active Directory.
If you haven't worked with Active Directory as yet, take the time and do a bit of research on the topic -- it will surely prove an eye opener.
Network backup: If you don't test it, you don't have it
Surely everyone uses some type of backup technology today. If you don't, then it's time to consider it seriously.
No matter how you perform your backup, some simple practices can prove very helpful and save you a lot of time, stress and in some cases, your job! Even if you are using the latest technologies for your backups, you should always ensure that your latest backup works perfectly by performing a full restore.
A full restore once every week or two is considered mandatory, depending on the amount of work and type of data you're dealing with. I'm sure you wouldn't want to be stuck in a situation where the company's latest backup isn't restorable because of a defective media.
If you don't trust the traditional tape backup method because of its sensitivity, there is always a RAID solution that can support your backup needs -- RAID 10, the most redundant arrays, which consist of two mirrored RAID 5 arrays offering multiple drive failure redundancy. The downside is, of course, the cost of these drives.
What you pay for is what you get. So ask yourself (or your manager) this: How much is your data really worth?
Honey pots: Catching the bad guys
We all know that a firewall is designed to protect a network from attacks and unauthorized access. It's what we call a protection/prevention technology. Intrusion detection systems are devices used to monitor and detect break-in attempts, while intrusion prevention systems, based on prevention technologies, take action to prevent the unwanted.
Honey pots are a fairly new concept and unfortunately not widely used. While they can't really be defined, they fall somewhere between the detection and prevention technologies. Honey pots, as their name describes, are unpatched machines running special detection and auditing programs, portraying important severs that contain critical data, waiting to be hacked. As you can understand, they easily manage to attract the unwanted.
Honey pots are usually placed in critical areas such as public Web servers or internal farm servers, and are quickly discovered by attackers trying to break into these systems. Information on the attacks is then gathered and used to prevent the attackers from gaining access to the real machines. Since honey pots really have no security measures to prevent the attack or hacking, they usually are the first machines to be scanned and hit when placed on the Internet.
Resource and security monitoring
Finally, monitor your resources. It's amazing how you can prevent situations and attacks that prove catastrophic by simply monitoring the resources you're working with. The good news is that there are excellent open source tools out there such as Nessus, Snort, MRTG, Nagios, Cacti and more, all of which can fully cover your monitoring needs, from server resources to backbone network links to public Web servers and much more.
It's evident that network security doesn't only deal with firewalls. It involves hard work and a number of different protection levels depending on the complexity, size and needs of your network. No specific strategy is best for all networks -- every one is unique and must be treated that way to have the required result.
If you're new to network security or simply looking for a quick "all-in-one" guide, you can check out Firewall.cx and read "Introduction to Network Security," which covers topics such as threats to the enterprise, intrusion detection systems, tools an attacker uses, penetration testing and much more.
Keep up with the latest technologies and news covering various sectors of the network security world. There are plenty of excellent resources on the Internet -- all you have to do is search for them.
Chris Partsenditis is founder and senior editor of Firewall.cx. View his Introduction to Network Security article here, and also view his answers to questions on SearchNetworking.com's Ask the Experts section.
This was first published in April 2006