Belfast Telegraph

Ring-fence your IT network

By George Robertson

IN my last article I looked at what security should mean to an organisation that uses IT for business purposes.

IN my last article I looked at what security should mean to an organisation that uses IT for business purposes.

Today I am looking at some of the products available in the marketplace, how they should be evaluated, and how they can help.

The first and most important message to note is that no single product can possibly meet all your security needs, but it may meet enough to satisfy your requirements as a business.

In the security arena you can buy as much security as you want - there is always something else available which will offer a bit more protection.

So a risk analysis is essential to highlight the priorities about what is to be protected and its value.

In ideal circumstances security is an insurance policy. Unfortunately in today's environment it is an area that is frequently tested in most organisations.

One last comment before I go on to the products: security is at most 30% products - the rest is process, implementation and maintenance. Expect 70% of your budget to be involved in services of some description over a 12-24 month period.

The first product every organisation should consider is the firewall - essential when you are connecting to the Internet. This can range from £100 to £100,000.

So why the variation? If all you are doing is connecting one PC to the Internet to browse and send emails then a simple firewall will probably meet your needs. However, if you want to verify incoming traffic (ie video streams), control access, log access, encryption, IP address protection, email checking and so on, then it will cost more.

Typically firewalls come in two systems.

Firstly there is packet filtering - which in the past has been simple and fast but not always the most secure - and secondly there are gateway filters, which have been very secure but at times are difficult to implement and slow. These differences have largely disappeared, so today you should be choosing the firewall on its ability to perform the features and functions you need.

You should look at its ability to integrate with the rest of your security solution, the ongoing support requirements and the speed at which it can verify and pass packets.

The leading players in the higher end solutions marketplace are now the PIX firewall from Cisco and firewall-1 from Checkpoint.

Once you have chosen your first product the next question is who implements and maintains the product.

Unless there is a very specialised security need, this is usually outsourced as this resource is costly and keeping on top of all the upgrades and alerts is a time-consuming business.

Many organisations offer this service as either a standalone service or as part of an Internet access implementation.

Small organisations may only require a simple firewall – the equivalent of a front door lock.

But larger organisations may need to put a lock on the back door and indoor cabinets, keep rooms locked, have CCTV and alarm systems linked into the local police, and maybe even electrify fences and have armed guards walking around looking fierce! And, surprise, surprise, the equivalent to this in IT security is a lot more complicated and will cost a lot more than a simple firewall.

The first and most basic add-on to your security set is enforced anti-virus protection on all traffic that comes into and out from your organisation. This is usually already implemented so I will not dwell on this any more.

The next stage is intrusion detection - the alarm system of your network. This detects when people are doing things on your internal network that they should not be doing.

In advanced systems it can even shut down the user while you investigate what is going on. It can even talk to firewalls and routers to tell them to shut down services or users' access. This is potentially a very powerful tool but requires careful set-up to ensure the correct network events are being searched for. Now you are starting to become a bit more secure.

Some of the main players in this arena are Cisco Systems, Network Associates and

There is also the need to put individual protection on internal systems - after all, according to the FBI, 70% of all incidents are still from internal company users who do not go via any external access method to get into their network. So network/perimeter security works hand-in-hand with systems security.

If you want to talk securely across the Internet into your private company network, then you need to encrypt your data.

Normally this is done using a VPN - Virtual Private Network. There are a range of products available, from those that sit on a PC to dedicated boxes to sit at the entry point of a large organisation. The one thing they all have in common is that there must be some means of checking the authenticity of the person coming in over the Internet, and their access rights to your network.

Most, if not all, of the routing and security vendors have products that meet this functionality, but the levels of data protection and speed of throughput vary widely.

Careful consideration should therefore be given to the ability to inter-work with your standard routers and network equipment.

Analysing what is actually happening on your network requires good reporting and management systems and when choosing products this should be taken into consideration.

From the moment you start thinking about security you should be considering how scalable it is.

You must consider how easy is it to add in extra components, and once you have a number of components how easy is it to implement a new security policy across the entire network? Security is not a simple task - but it is an essential one.

Belfast Telegraph


From Belfast Telegraph