You Can Never Be Too Thin or Too Secure
Our manager takes inventory of what's been done to secure her agency's network and what still lies ahead.
Computerworld - When I think about our security strategy, I have to ask myself if we've done enough. Have we covered all the bases? If we haven't, do we have a work-around or some other risk-mitigation plan in place?
The best security approach is applied in layers. You can apply the layers from the inside out or the outside in, but most companies start from the outside, putting firewalls at every entry point to the network. At my state agency, though, we work from the inside out.
State systems are sprawling. When I came to work at this agency, the state-level WAN guys assured me that they had adequately protected the state network, including my agency. But when you realize how vast the network is, stretching to every state government office and university classroom, you wonder how secure it can be without assistance from the various agencies. And so we have taken responsibility for the agency's security, working from the inside out.
When you work from the inside out, the most important protection you can provide is at the host level: servers, switches, networked printers and desktop computers. As networks connect around the globe, making it hard to say where they truly begin and end, this may be the smart approach. I can't control the networks we connect to, but I can attempt to control our entrance and exit points and what goes on inside. Here's what we've been able to do:
- Servers: We have protected our servers by hardening them: keeping the operating system up to date, turning off unneeded services, not installing unnecessary applications, providing access on a need-to-know basis and making passwords industrial-strength.
- Patches: Patching is perhaps the single most important thing you can do in a Windows environment. Because we have a week to test operating system patches before implementing them, that takes priority, and we do it after hours to minimize disruption.
- Monitoring: We use software that allows us to cull event-log information from each server and review it in a single location. We can set up alerts based on certain changes in the logs. We also have software that lets us monitor services running on each server. If an unknown service that might be listening in on or sending data over the network starts up, we are alerted.
- Access: We use Active Directory's security policies to control access to resources and systems. This includes access to network multifunction devices that provide fax/copy/print capability.
- Firewalls: When I first came to the agency, we had no firewalls. We've purchased commercial firewalls for each entry point, and I am drooling at the prospect of getting them installed. We run intrusion detection with sensors attached everywhere possible. We are getting close to total visibility, but it has been expensive. In my last column, I described how I repurposed all-in-one security appliances as single-purpose tools. We paid too much, but it works.
- Wireless: Not allowed on the network. Period.
- Desktops: The operating system is locked down or hardened. End users can't install applications. We don't use Windows XP's built-in firewall, but we keep all desktops patched around the clock using automated tools. Each desktop system automatically updates antivirus and antispyware protection.
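
The service monitoring described in the Monitoring item above, as an added PowerShell example (not code from the column or the agency's tooling): it compares a service inventory against an approved baseline and reports services that are new or whose binary path has changed. The function name `Find-UnapprovedService`, the server name and the sample rows are constructed for illustration.

```powershell
# Added example: flag services that are not in the approved per-server baseline.
function Find-UnapprovedService {
    param(
        [Parameter(Mandatory)] [object[]] $Baseline,  # approved services
        [Parameter(Mandatory)] [object[]] $Current    # services present now
    )
    # Index the baseline by "server|service"; @{} keys compare case-insensitively.
    $approved = @{}
    foreach ($b in $Baseline) {
        $approved["$($b.Server)|$($b.Name)"] = $b
    }
    foreach ($c in $Current) {
        $known = $approved["$($c.Server)|$($c.Name)"]
        if (-not $known) {
            $reason = 'not in baseline'
        } elseif ($known.PathName -ne $c.PathName) {
            # Same service name, different executable: treat as a change to review.
            $reason = 'binary path changed'
        } else {
            continue
        }
        [pscustomobject]@{
            Server = $c.Server; Name = $c.Name; State = $c.State
            PathName = $c.PathName; Reason = $reason
        }
    }
}

# Constructed sample data. A live snapshot with the same columns can be taken with:
#   Get-CimInstance Win32_Service -ComputerName SRV01 |
#     Select-Object @{n='Server';e={$_.SystemName}}, Name, State, PathName
$baseline = @(
    [pscustomobject]@{ Server='SRV01'; Name='Spooler'; PathName='C:\Windows\System32\spoolsv.exe' }
    [pscustomobject]@{ Server='SRV01'; Name='W32Time'; PathName='C:\Windows\System32\svchost.exe -k LocalService' }
)
$current = @(
    [pscustomobject]@{ Server='SRV01'; Name='Spooler'; State='Running'; PathName='C:\Windows\System32\spoolsv.exe' }
    [pscustomobject]@{ Server='SRV01'; Name='W32Time'; State='Running'; PathName='C:\Temp\svchost.exe' }
    [pscustomobject]@{ Server='SRV01'; Name='updsvc';  State='Running'; PathName='C:\ProgramData\upd.exe' }
)

# Reports W32Time (binary path changed) and updsvc (not in baseline); Spooler matches.
Find-UnapprovedService -Baseline $baseline -Current $current |
    Format-Table Server, Name, State, Reason, PathName -AutoSize
```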

