Case Study: When management decides to listen

Securing your network is always going to be a battle of us against them. Unfortunately I don’t mean the simple one of us, the good guys on the inside, against those nasty hackers on those outside, but the battle between those whose job it is to secure the corporate secrets against those who actually have to build a business from those secrets.

Keeping the bad guys out is relatively simple, if the will is there within your company to do it. We have just been through an exhaustive IT audit, and the auditors could not break our perimeter. Obviously we are proud of this feat. But it was not a victory for the techies amongst us. The groundwork for our security was laid very early on as we were defining the ground rules for our network. Before we had even defined our first policy we had the CTO on our side, and he holds a load of sway on the board. Therefore we would be listened to at the very highest level. And even better, he understood the implications of weak security, which meant he was able to make the CEO understand it. We were in the first 10 minutes of the game, and we had an almost unassailable lead. Of course we had to capitalise.

Our rules are very simple:
• No access in to our network from outside. • Minimum number of Internet egress points. • No untrusted networks to have any access to our network. • All requests for outbound ports to be opened to be approved by a security committee. • No access in to our network from outside

The key rule here is to prevent IP conversations originating outside our network from touching our network. We have a DMZ where access is allowed, for example for standard protocols such as FTP and for IPSec access, as well as the edge and public elements of our Mail infrastructure. And these servers are then allowed access to our main network, again through another firewall. There is no way for an IP conversation initiated on the outside to get directly into our network. But of course, this does not on its awn guarantee good security and there are other ways for attacks to succeed.

This is where the second rule comes in. One of the main areas of weakness in a corporate network has more to do with sloppy administration than in true technical vulnerabilities, although both play a part. Therefore by reducing the number of administration points, i.e. the number of firewalls, then you reduce the likelihood of leaving a hole open by accident. We have split our offices into levels, with top level offices providing most services to the others, including internet access. This way the network engineering team for Europe only has one firewall to worry about and keep clean. The number of Egress points you have will depend on the size of your overall organisation and the size of your team. But as IT headcount numbers shrink against the numbers of staff supported, I would strongly advise that to secure your network you ensure the minimum of egress points.

Before a flurry of messages start flying about centralised management and distributed firewalls, I am aware that products such as Checkpoint can manage groups of firewalls from a single console, and that the Cisco Pix can have configs pushed from a central point, but each unit still needs monitored, software updates applied and supported. If you can tell me that you have the correct headcount for maintaining all your equipment, then congratulations. If like the rest of us you have to handle increased loads, then reduce your danger points.

Of course to ensure we keep the number of egress points to an absolute minimum, we have to know who is on our network. To do this we decided that unless a network was under our staff control, it could not connect directly to ours. We do provide individual remote access to third-party staff, but here again we keep control and do not allow split tunnelling.

Although this is inconvenient, and we recognise this inconvenience, we have made the company aware of why we have to take this stance. My personal favourite story involves a large software corporation which allowed split tunnelling on its RAS software. One day a software engineer had his machine infected with a Trojan and then hackers used this Trojan, from outside the corporate network to steal the highly secret source code to their latest and greatest OS. Somehow after such conversations people tend to appreciate our concerns.

Finally we only allowed approved outbound ports. This compliments our rules on inbound communication nicely. Trojans can always infiltrate your network and offer backdoors to unwanted visitors. It is the job of a small group of engineers to keep track on our outbound open ports and try and prevent opening a port that has a known weakness. We won’t always succeed, but we do limit the problems, and to date we have been successful.

To implement these rules, we formed a security committee very early on. We do not have a security officer, although we are looking for one. Realistically, and against all current advice, I honestly do not believe we need one, apart from to help with workload and be the point man for the committee. We have enough very good network techs who also understand security and who work together very well.

The committee was originally made up of techs - senior network managers and a few server bods. Therefore it was ignored and overruled by management. Then it was suggested that we let a VP sit on the committee. Fortunately, this VP is an IT VP, although originally a bean-counter. He understands our world, as well as the business world. We could make him see what would happen if our security was poor, and he could make us understand what the business needed.

It worked. By having a member of the senior management in on the discussions meant we could get an immediate decision and all parties could understand each other. The techies still had a veto on any requests that would truly compromise security and the managers could run the business efficiently. Heated discussions were also possible but the decisions always made sure that our network security was not compromised.

In that eternal battle between techies and the business team we have achieved peace, and at the same time formed a united front against the common enemy - the people who want to sneak a look at our deepest secrets. So far, the united front is winning, but we must stick to our policies, we must keep to our rules no matter how big the company grows if we are to keep our proud record intact.

*Michael Wallace is a network manager at a well-known UK company.

This story, "Case Study: When management decides to listen" was originally published by

Copyright © 2003 IDG Communications, Inc.

Shop Tech Products at Amazon