Constructing a Comprehensive Network Security Policy

One of the main reasons security breaches occur within an organization is the lack of a security policy or, if a security policy is in place, the lack of effectively communicating that security policy to all concerned. This section discusses the purpose of a security policy, what should be addressed in that policy, how to maximize its effectiveness, and how to create awareness and understanding of the policy.

Security Policy Fundamentals

A security policy is a continually changing document that dictates a set of guidelines for network use. These guidelines complement organizational objectives by specifying rules for how a network is used.

The main purpose of a security policy is to protect an organization's assets. An organization's assets include more than just tangible items. Assets also entail such things as intellectual property, processes and procedures, sensitive customer data, and specific server functions (for example, e-mail or web functions).

Aside from protecting organizational assets, a security policy serves other purposes, such as the following:

■ Making employees aware of their obligations as far as security practices

■ Identifying specific security solutions required to meet the goals of the security policy

■ Acting as a baseline for ongoing security monitoring

One of the more well-known components of a security policy is an acceptable use policy (AUP), also known as an appropriate use policy. An AUP identifies what users of a network are and are not allowed to do on the network. For example, retrieving sports scores during working hours via an organization's Internet connection might be deemed inappropriate by an AUP.

Because an organization's security policy applies to various categories of employees (such as management, technical staff, and end users), a single document might be insufficient. For example, managerial personnel might not be concerned with the technical intricacies of a security policy. Technical personnel might be less concerned with why a policy is in place. End users might be more likely to comply with the policy if they understand the reasoning behind the rules. Therefore, a security policy might be a collection of congruent, yet separate, documents.

Security Policy Components

As previously mentioned, an organization's security policy typically is composed of multiple documents, each targeting a specific audience. Figure 2-2 offers a high-level overview of these complementary documents.

Figure 2-2 Components of a Security Policy

Figure 2-2 Components of a Security Policy

Governing Policy

At a very high level, a governing policy addresses security concepts deemed important to an organization. The governing policy is primarily targeted at managerial and technical employees. Following are typical elements of a governing policy:

■ Identifying the issue addressed by the policy

■ Discussing the organization's view of the issue

■ Examining the relevance of the policy to the work environment

■ Explaining how employees are to comply with the policy

■ Enumerating appropriate activities, actions, and processes

■ Explaining the consequences of noncompliance Technical Policies

Technical policies provide a more detailed treatment of an organization's security policy, as opposed to the governing policy. Security and IT personnel are the intended targets of these technical policies, and these personnel use these policies in performing their day-to-day tasks. Typical components of technical policies include specific duties of the security and IT staff in areas such as the following:

■ Wireless networks

■ Remote access End-User Policies

End-user policies address security issues and procedures relevant to end users. For example, an end user might be asked to sign an acceptable use policy (AUP) for Internet access. That AUP might state that Internet access is only for business purposes. Then, if an end user is found using the Internet for personal reasons, he or she could face the consequences outlined in the governing policy.

More-Detailed Documents

Because the governing policy, technical policies, and end-user policies each target a relatively large population of personnel, they tend to be general in nature. However, a comprehensive security policy requires a highly granular treatment of an organization's procedures. Therefore, more-detailed documents, such as the following, are often contained in a security policy:

Standards: Standards support consistency within a network. For example, a standard f Key might specify a limited number of operating systems to be supported in the organization, because it would be impractical for the IT staff to support any operating system that a user happened to select. Also, standards could apply to configuring devices, such as routers (for example, having a standard routing protocol).

Guidelines: Whereas standards tend to be mandatory practices, guidelines tend to be suggestions. For example, a series of best practices might constitute a security policy's guidelines.

Procedures: To support consistency in the network, and as dictated by the previously mentioned standards, a security policy might include a collection of procedures. These procedures are very detailed documents providing step-by-step instructions for completing specific tasks (such as steps for configuring port security on a Cisco Catalyst switch).

Security Policy Responsibilities

The ultimate responsibility for an organization's security policy rests on the shoulders of senior management (for example, the Chief Executive Officer [CEO]). However, senior management typically oversees the development of a security policy, as opposed to being intimately involved with the policy's creation.

Senior security or IT personnel usually are directly involved with the creation of the security policy. These individuals might create the policy themselves or delegate its creation. Examples of senior security or IT personnel include

■ Chief Security Officer (CSO)

■ Chief Information Officer (CIO)

■ Chief Information Security Officer (CISO)

As soon as a security policy is created, the security and IT staff are responsible for implementing it within the organization's network. End users are responsible for complying with the security policy.

Risk Analysis, Management, and Avoidance

Network security concerns mitigating risks to the network. Therefore, network security designers need to identify threats facing the network. This process is known as threat identification.

However, beyond basic identification of threats, a key design decision revolves around analyzing the probability that a threat will occur and the severity of the consequences if that threat does occur. This analysis is called risk analysis.

When performing risk analysis, one of two broad approaches can be used: quantitative or qualitative.

Quantitative Analysis

A quantitative analysis mathematically models the probability and severity of a risk. As an example of one quantitative analysis formula, consider the following:

This formula calculates the annualized loss expectancy (ALE). The ALE produces a monetary value that can be used to help justify the expense of security solutions. The factors contributing to the ALE value are defined in Table 2-5.

Table 2-5 Annualized Loss Expectancy Factors

Table 2-5 Annualized Loss Expectancy Factors



Asset value (AV)

The asset value is the total cost of an asset, including a purchase price, recurring maintenance expenses, and all other costs associated with acquiring an asset.

Exposure factor (EF)

The exposure factor is a percentage that represents the percentage of loss that an asset experiences if an anticipated threat occurs.

Annualized rate of occurrence (ARO)

The annualized rate of occurrence represents how many times per year a specific threat occurs.

From two of these factors, another metric can be calculated. The single loss expectancy (SLE) value represents the expected monetary loss from a single occurrence of an anticipated risk. The SLE can be calculated from the following formula:

Qualitative Analysis

A qualitative analysis is often more appropriate than a quantitative analysis because of the large scale of the network being analyzed. For example, in a nationwide network deployment, it might be considered impractical to list all the assets installed in all facilities across the country. Therefore, a qualitative analysis uses a scenario model, in which scenarios of risk occurrence are identified.

Risk Analysis Benefits

The exercise of performing a risk analysis yields a variety of benefits:

■ It identifies a cost/value ratio for the cost of security measures versus the anticipated value of the security measures.

■ It justifies requested capital expenditures for security solutions.

■ It identifies areas in the network that would benefit most from a security solution.

■ It provides statistics for future security planning.

Risk Analysis Example: Threat Identification

As an example of the threat identification process, consider an e-commerce company that sells products online and collects customer credit card information as part of its transactions. Potential risks to such an e-commerce company might include the following:

■ An attacker could compromise one of the e-commerce servers and potentially gain access to customer credit card information.

■ An attacker could falsify transactions. This could, for example, cause the e-commerce server to inaccurately charge customers for products that customers did not purchase.

■ An attacker could launch a denial-of-service attack on one of the e-commerce servers, rendering it unusable for legitimate transactions.

Managing and Avoiding Risk

Risk mitigation involves risk management and/or risk avoidance:

■ Risk management: Risk management assumes that not all potential threats can be Topic eliminated. It attempts to reduce the anticipated damage from risks to an acceptable level. For example, in the previous lists of potential threats, IPS, IDS, HIPS, and firewall solutions might be introduced to reduce the likelihood and impact of the identified threats.

■ Risk avoidance: Risk avoidance can eliminate the identified risks by not exposing a system to end users. This would be impractical for the e-commerce application just mentioned. However, if network designers can identify a way to deploy a service while simultaneously eliminating potential risks, that approach could prove highly lucrative.

Factors Contributing to a Secure Network Design

A common temptation when designing a security solution for a network is to make the network so secure that it cannot easily be used for its intended purpose. Therefore, when designing a network security solution, designers should recognize that business needs supersede all other needs. However, other factors do enter into the design equation. Consider the following elements of a secure network design:

■ Business needs: Business needs dictate what an organization wants to accomplish with its network. Note that this need is the most important of all the needs.

■ Risk analysis: As previously discussed, a comprehensive risk analysis can be used to assign an appropriate level of resources (for example, an appropriate amount of money) to a potential security risk.

■ Security policy: Earlier in this chapter you read about the elements of a security policy. A security policy typically contains multiple documents, targeting specific audiences within an organization. These individual documents provide day-to-day guidance, relating to network security, for all organizational employees.

■ Best practices: Rather than the mandatory rules imposed by a security policy, a set of best practices (developed internally and/or externally) can offer proven methods for achieving a desired result.

■ Security operations: Day-to-day security operations entail responding to an incident, monitoring and maintaining a system, and auditing a system (to ensure compliance with an organization's security policy).

Design Assumptions

A system's security often becomes compromised because of incorrect assumptions made by the network designer or the person responsible for the initial network configuration. For example, the group of users assumed to be the routine users of a system might be incorrect. Also, the types of attacks to which a network might be subjected could be incorrectly assumed. To avoid making incorrect assumptions about network design and implementation, consider the following recommendations from Cisco:

■ Analyze how the failure of one system component impacts other system components.

■ Determine which elements in a network fail open. Specifically, suppose a security component of a network (such as an IPS appliance) fails. If that component defaults to a mode in which it forwards traffic, rather than performing its previous security function on that traffic, the component is said to be operating in fail-open mode. However, if a security component denies traffic that it cannot inspect, the component is said to be operating in fail-closed (also known as fail-safe) mode, which would be the more secure of the two modes.

■ Identify all possible attacks to which a network might be exposed.

■ Evaluate the likelihood that a particular attack will be launched against a network.

■ If an attack seems unlikely because of required processor resources, extrapolate to consider the fact that processor resources will be more readily available in the future.

■ Consider the inevitability of user error in compromising a system's security.

■ Subject your assumptions to review by other knowledgeable parties within your organization.

Minimizing Privileges

One approach to securing a network is to assign users the minimum privileges they require to complete their assigned duties. This approach, called the least-privilege concept, helps reduce potential system vulnerabilities resulting from a user being assigned too many privileges. Also, the least-privilege concept can expedite the identification of security weaknesses in a system.

In actual practice, however, the least-privilege concept is often challenging to implement consistently. For example, users might occasionally require a level of permission beyond that which they are currently assigned to accomplish a legitimate task. These "exceptions to the rule" might result in an unacceptable level of day-to-day configuration on the part of administrators and might also result in an overall loss of productivity.

To understand the least-privilege concept, consider Figure 2-3. The firewall only allows the user to communicate with the e-mail server via SMTP and/or POP3. This example of the least-privilege concept could result in an issue if web-based e-mail access were added. In such an instance, the user might attempt to connect to the e-mail server using HTTP to connect to the newly configured web-based e-mail feature. However, the user would be denied, because the firewall permits only SMTP and POP3 access to the e-mail server. Additional firewall configuration would then be required by the administrator to enable the web-based e-mail access.

Figure 2-3 Least-Privilege Concept












Simplicity Versus Complexity

A final principle of security network design considers the complexity of a security solution. A complex security solution, by its nature, can make it difficult for network administrators to effectively troubleshoot security-related issues. Additionally, if users are faced with a complex security procedure they must perform to accomplish their tasks, they might seek a simpler work-around to improve their productivity.

Therefore, Cisco recommends the simplest solution possible that still accomplishes the desired results. A comparatively simple security solution can do the following:

■ Help administrators more effectively troubleshoot security issues

■ Encourage users to follow security practices

■ Make security vulnerabilities more visible

User Awareness and Training

A properly written security policy and proper installment of security mechanisms can be rendered largely ineffective if the users of a system do not use security best practices.

Therefore, a critical component of an effective security deployment is a security awareness program.

For example, administrative assistants, accountants, and human resources employees might need periodic reminders to follow recommended security practices, because security is not the focus of their daily tasks. A security awareness program, which can provide continual reinforcement of security concepts for all end users, should do the following:

■ Identify the scope of the program: A comprehensive program should provide training to all users of a system and/or network.

■ Select trainers: The trainers should be competent at communicating current security issues.

■ Identify groups of users to receive training: Because different categories of users require different training (for example, different users require varying levels of technical training), the end-user community should be categorized into different audiences.

■ Encourage full participation: Obtaining management buy-in to a security awareness program can help motivate other users to participate.

■ Continually administer, maintain, and evaluate the program: As a system's security needs evolve, a security awareness program must be subjected to periodic review and be updated accordingly.

Table 2-6 lists the core components of a security awareness program.

Table 2-6 Components of a Security Awareness Program




Awareness makes the end-user community conscious of security issues, without necessarily any in-depth procedural training. For example, distributing an e-mail or pamphlet describing the issue of viruses and the importance of virus protection creates awareness of the issue.


Training creates competence on the part of the end user to perform a specific task or serve in a specific role. Conducting a class to educate network administrators about features on a Cisco Adaptive Security Appliance (ASA) is an example of training.


Education is more comprehensive than training, in that it covers a larger body of knowledge. Obtaining a college degree focusing on IT security would be an example of a comprehensive security education.

With proper awareness training in place, all categories of end users (such as executives, managers, staff, and temporary employees) can contribute to the network's overall security. Note that awareness training, a security policy, and properly installed network defenses are insufficient when used in isolation. However, these security elements complement one another when used together.

Was this article helpful?

+1 0

Post a comment