Computerworld - We've decided that as a corporate subsidiary, it's time to leave home and strike out on our own from an IT security perspective. Historically, because the parent organization owns us, we have trusted them completely. We have some 10 connections with no controls between our networks and theirs.
This arrangement has worked well until now, so we haven't done very much monitoring on the links between our networks. But we began to question this arrangement when the SQL Slammer worm infected our network recently. Their group feels pretty certain that we infected them, and my team thinks the opposite. Either way, going forward we need protections to make sure this can't happen again.
The simplest way to keep malicious code from spreading between our networks is to deploy firewalls and configure them so they limit traffic to what's needed and block everything else. So we announced our intentions to our colleagues and proceeded with the deployment. They weren't upset, since they feel that they will be protected from us.
Setting Up
Our first step was to identify all of the network links between our organizations. That was easy, but there were more than I expected. I think we found them all, but it will be interesting to see if we flush out any more links.
Once we had found the physical connections, it was a simple task to deploy the hardware firewalls. In fact, we surprised our parent company because we spent significant effort educating them that this was coming so they could help us with the rules. Once their key decision-makers gave us the green light, we went ahead with the deployment. We completed the work while the other group was still informing its IT troops that this had been approved.
Putting the hardware in place is the expensive part, but that alone doesn't give you any protection. For that you need a well-thought-out rule base that limits high-risk connections while allowing business-critical traffic to flow freely.
Our first approach was to enable intrusion-prevention system capabilities within the firewall. Firewall vendors put a great marketing spin on this feature: "You don't need an expensive burglar alarm to tell you about break-ins on your network, because our firewall just stops them all dead." I haven't done a wide review of intrusion-prevention systems in firewalls, but with our firewalls, it's pretty much rubbish. It will successfully identify and stop only about 20 known attacks. The list of attacks is built into the firewall operating system rather than using signature updates like
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
