Some Easy Things To Do To Secure Your Network

Some easy ways to secure your network without taking a lot of time or spending any money.

September 22, 2004

3 Min Read

I'm sure we all know IT managers who try their best to be proactive. They update their software as soon as possible, they apply patches as quickly as they can, and they make sure that they have updated firewalls, vulnerability scanners and intrusion prevention appliances. They also spend their time hopelessly backlogged with all of the work, and sometimes it comes home to haunt them as they find themselves being attacked through an opening they haven't patched yet or a vulnerability their scanner missed. But it doesn't have to be this way. According to Peter Tippett, CTO of the newly formed security company Cybertrust (formed from TruSecure, BeTrusted and Ubizen), you're better off looking for good solutions instead of perfect answers. "A few solutions that are only 80 percent effective give an overall 99.9 percent solution," Tippett says. In fact, he says that the most effective security solutions require little time and less expense, and can reduce your exposure 40-fold.

The most effective solution, he said, is to simply set your routers to what he calls "default deny." By this he means that your routers should be set so that all traffic from outside your network is denied entry or exit, except for traffic that's specifically allowed. How do you know what traffic to allow? Tippett suggests checking your router logs. You'll see over the course of a couple of days what traffic leaves your network, where it goes and where it comes from. The same is true for incoming traffic.

For example, Tippett said, e-mail traffic should only be allowed to go to or from your e-mail server. E-mail attempting to get to the internet from other sources shouldn't be allowed, unless you have specific devices that require e-mail to communicate, such as some types of instrumentation.

The same is true of other types of communication. You can assume, for example, that your Web server will receive requests at port 80. So you should set your router so that it only lets incoming port 80 requests go to that one address, and that it restricts requests to that one port.
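Tippett's "default deny" policy, as an added example that is not from the article: a small Python model of a border filter that permits only the flows described above (port 80 to the one web server, SMTP to and from the mail server, outbound browsing) and summarizes constructed router-log lines into the per-direction, per-host, per-port counts he suggests reviewing before writing the allow list. The addresses, host roles and log format are assumptions.

```python
# Added example (not from the article): a toy model of a "default deny"
# border policy. All addresses are constructed documentation ranges.
from collections import Counter
from ipaddress import ip_address, ip_network
INTERNAL = ip_network("192.0.2.0/24")          # assumption: the company LAN
WEB_SERVER, MAIL_SERVER = "192.0.2.10", "192.0.2.25"
# The explicit allow list. Anything not matched here is dropped.
# Rule = (direction, internal host or "*", destination port).
ALLOW = {
    ("in", WEB_SERVER, 80),    # port 80 reaches only the one web server
    ("in", MAIL_SERVER, 25),   # inbound mail goes only to the mail server
    ("out", MAIL_SERVER, 25),  # only the mail server may send mail out
    ("out", "*", 80),          # any internal host may browse the Web
}

def direction(src, dst):
    """Classify a flow as crossing the border inbound, outbound, or neither."""
    s_in, d_in = ip_address(src) in INTERNAL, ip_address(dst) in INTERNAL
    if s_in and not d_in:
        return "out", src
    if d_in and not s_in:
        return "in", dst
    return None, None          # internal-only or transit: not a border flow

def permitted(src, dst, dport):
    """Default deny: allow only flows that match an explicit rule."""
    way, host = direction(src, dst)
    if way is None:
        return False
    return (way, host, dport) in ALLOW or (way, "*", dport) in ALLOW

def observed_flows(log_lines):
    """Count (direction, host, port) in router-log lines; frequent, expected
    entries are the candidates for the allow list, the rest are suspects."""
    seen = Counter()
    for line in log_lines:
        f = dict(kv.split("=") for kv in line.split()[2:])
        way, host = direction(f["src"], f["dst"])
        if way:
            seen[(way, host, int(f["dport"]))] += 1
    return seen

# Constructed router-log lines: normal traffic plus one infected workstation.
SAMPLE_LOG = [
    "2004-09-20 10:01:02 src=198.51.100.7 dst=192.0.2.10 dport=80",
    "2004-09-20 10:01:05 src=192.0.2.25 dst=198.51.100.9 dport=25",
    "2004-09-20 10:02:11 src=192.0.2.40 dst=198.51.100.3 dport=80",
    "2004-09-20 10:02:30 src=192.0.2.77 dst=203.0.113.5 dport=25",  # worm mailing out
    "2004-09-20 10:03:00 src=203.0.113.9 dst=192.0.2.77 dport=135", # probe of a desktop
]
```

Running `observed_flows(SAMPLE_LOG)` shows the two flows from the last log lines as entries no rule covers, which is exactly what the policy drops while the web and mail traffic passes.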

Tippett said he realizes that this solution isn't perfect, but it will solve about 80 percent of the problems with worms and other malware gaining access to your network, and it will largely prevent communication to the outside world for those that do get in.

Another suggestion he made is to require all laptop users to reboot their computers before they access the network. He said in every instance where his customers got one of the recent worms, it was because someone's laptop got infected at home, and they then attached the laptop to the company network without rebooting. A simple sign posted around the building instructing laptop users to reboot can be highly effective, he said, and it's inexpensive.

Other options include configuring e-mail so that it does not display graphics, and blocking all e-mail attachments except for a very limited list of file types.

Tippett also said that some common steps really don't help. He says his studies indicate that while it helps a lot to require passwords to the network, setting requirements such as long passwords or special characters doesn't. He agrees that in theory, they are more secure, but the problem is that users have to write them down to remember them, and that offsets any improvements. Worse, they add to your staff workload because users will then call for support when they lose the password they wrote down.

Once you have chosen some common sense network settings, it might make sense to take some additional steps, Tippett said. "If you really want a firewall, go get one," but it's more important to take the other steps first. As to more esoteric approaches such as vulnerability scanners, the value is questionable. Tippett suggested that then you could find yourself patching for vulnerabilities that aren't risks to you, and missing more basic steps that really matter.

Wayne Rash is based near Washington, DC and writes frequently about security.
