Today's business networks consist of numerous remote access connections from employees and outsourcing firms. Too often, the inherent security risks arising from these connections outside the network are overlooked. Continuous improvements have been made that can enhance security in today's network infrastructure; focusing on the users who access the network externally and monitoring access endpoints are critical for businesses to protect their digital assets.

Installing the correct software for the specific needs of your IT infrastructure is essential to having the best security protection possible. Many companies install "off the shelf" security software and assume they are protected. Unfortunately, that is not the case due to the nature of today's network threats. Threats are diverse in nature, including the usual spam, spyware, viruses, trojans, worms, and the occasional possibility that a hacker has targeted your servers.

The proper security solution for your organization will neutralize virtually all of these threats to your network. Too often, with only a software package installed, network administrators spend a lot of their time at the perimeter of the network defending its integrity by manually fending off attacks and then manually patching the security breach.

Paying network administrators to defend the integrity of your network is an expensive proposition - much more so than installing the proper security solution that your network requires. Network administrators have many other responsibilities that need their attention. Part of their job is to make your business operate more efficiently - they can't focus on this if they have to manually defend the network infrastructure all the time.

Another threat that must be considered is the threat occurring from within the perimeter, in other words, an employee. Sensitive proprietary information is most often stolen by someone on the payroll. A proper network security solution must guard against these kinds of attacks also. Network administrators definitely have their role in this area by creating security policies and strictly enforcing them.

A smart strategy to give your network the protection it needs against the various security threats is a layered security approach. Layered security is a customized approach to your network's specific requirements utilizing both hardware and software solutions. Once the hardware and software are working simultaneously to protect your company, both are able to instantaneously update their capabilities to handle the latest in security threats.

Security software can be configured to update multiple times a day if need be; hardware updates usually consist of firmware upgrades and an update wizard much like that present within the software application.

All-in-one Security Suites

A multi-pronged strategy should be implemented to combat the multiple sources of security threats in today's corporate networks. Too often, the sources of these threats overlap, with Trojans arriving in spam or spyware hidden within a software installation. Combating these threats requires the use of firewalls together with anti-spyware, anti-malware and anti-spam protection.

Recently, the trend in the software industry has been to combine these previously separate security applications into an all-encompassing security suite. Security applications standard on corporate networks are integrating into security suites that focus on a common goal. These security suites contain antivirus, anti-spyware, anti-spam, and firewall protection all packaged together in one application. Searching out the best stand-alone applications in each security risk category is still an option, but no longer a necessity.

The all-in-one security suite will save a company money in reduced software purchasing costs and time with the ease of integrated management of the various threat sources.

Trusted Platform Module (TPM)

A TPM is a standard developed by the Trusted Computing Group defining hardware specifications that generate encryption keys. TPM chips not only guard against intrusion attempts and software attacks but also against physical theft of the device containing the chip. TPM chips work as a complement to user authentication to enhance the authentication process.

Authentication describes all processes involved in determining whether a user granted access to the corporate network is, in fact, who that user claims to be. Authentication is most often granted through use of a password, but other techniques involve biometrics that uniquely identify a user by a trait no other person has, such as a fingerprint or characteristics of the eye cornea.

Today, TPM chips are often integrated into standard desktop and laptop motherboards. Intel began integrating TPM chips into its motherboards in 2003, as did other motherboard manufacturers. Whether or not a motherboard has this chip will be contained within the specifications of that motherboard.

These chips encrypt data on the local level, providing enhanced security at a remote location such as the WiFi hotspot full of innocent-looking computer users who may be bored hackers with malicious intent. Microsoft's Ultimate and Enterprise versions of the Vista operating system utilize this technology within the BitLocker Drive Encryption feature.

While Vista does provide support for TPM technology, the chips are not dependent upon any platform to function. TPM has the same functionality on Linux as it does within the Windows operating system. There are even specifications from the Trusted Computing Group for mobile devices such as PDAs and cell phones.

To use TPM-enhanced security, network users only need to download the security policy to their desktop machine and run a setup wizard that will create a set of encryption keys for that computer. Following these simple steps significantly improves security for the remote computer user.

Admission Based on User Identity

Establishing a user's identity depends upon successfully passing the authentication processes. As previously mentioned, user authentication can involve much more than a user name and password. Besides the emerging biometrics technology for user authentication, smart cards and security tokens are another method that enhances the user name/password authentication process.

The use of smart cards or security tokens adds a hardware layer requirement to the authentication process. This creates a two-tier security requirement: one a secret password and the other a hardware requirement that the secure system must recognize before granting access.

Tokens and smart cards operate in essentially the same fashion but have a different appearance. Tokens take on the appearance of a flash drive and connect through a USB port, while smart cards require special hardware, a smart card reader, that connects to the desktop or laptop computer. Smart cards often take on the appearance of an identification badge and may contain a photo of the employee.

However authentication is verified, once this happens a user should be granted access through a secure virtual network (VLAN) connection. A VLAN establishes connections to the remote user as if that person were a part of the internal network and allows for all VLAN users to be grouped together within distinct security policies.

Remote users connecting through a VLAN should only have access to essential network resources, and how those resources can be copied or modified should be carefully monitored.

Specifications established by the Institute of Electrical and Electronics Engineers (IEEE) have resulted in what is known as the secure VLAN (S-VLAN) architecture. Also commonly referred to as tag-based VLAN, the standard is known as 802.1q. It enhances VLAN security by adding an extra tag within media access control (MAC) addresses that identify network adapter hardware within a network. This method will prevent unidentified MAC addresses from accessing the network.

Network Segmentation

This concept, working hand-in-hand with VLAN connections, determines what resources a user can access remotely, using policy enforcement points (PEPs) to enforce the security policy throughout the network segments. Furthermore, the VLAN, or S-VLAN, can be treated as a separate segment with its own PEP requirements.

The PEP works with a user's authentication to enforce the network security policy. All users connecting to the network must be verified by the PEP as meeting the security policy requirements contained within the PEP. The PEP determines what network resources a user can access, and how these resources can be modified.

The PEP for VLAN connections should be stricter than what the same user can do with the resources internally. This can be accomplished through network segmentation simply by defining the VLAN connections as a separate segment and enforcing a uniform security policy across that segment. Defining a policy in this manner can also define what internal network segments the client can access from a remote location.

Keeping VLAN connections as a separate segment also isolates security breaches to that segment if one were to occur. This keeps the security breach from spreading throughout the corporate network. Enhancing network security even further, a VLAN segment could be handled by its own virtualized environment, thus isolating all remote connections within the corporate network.

Centralized Security Policy Management

Hardware and software technology targeting the different facets of security threats create multiple software platforms that all must be separately managed. If done incorrectly, this can create a daunting task for network administration and can increase staffing costs due to the increased time requirements to manage the technologies (whether they be hardware and/or software).

Integrated security software suites centralize the security policy by combining protection against all security threats into one application, thus requiring only one management console for administration purposes.

Depending on the type of business you're in, a security policy should be used corporate-wide that is all-encompassing for the entire network. Administrators and management can define the security policy separately, but one overriding definition of the policy needs to be maintained so that it is uniform across the corporate network. This ensures there are no other security procedures working against the centralized policy and limiting what the policy was defined to implement.

Not only does a centralized security policy become easier to manage, but it also reduces strain on network resources. Multiple security policies defined by different applications, each focusing on one security threat, can in aggregate hog much more bandwidth than a centralized security policy contained within an all-encompassing security suite. With all the threats coming from the Web, ease of management and application is essential to maintaining any corporate security policy.

Frequently Asked Questions:

1. I trust my employees. Why should I enhance network security?
Even the most trusted employees can pose a risk of a network security breach. It is important that employees follow established company security standards. Enhancing security will guard against lapsing employees and the occasional disgruntled employee seeking to cause damage to the network.

2. Do these innovations really create a secure environment for remote access?
Yes, they do. These enhancements not only greatly enhance a secure VLAN connection, but they also use widely accepted standards that are often integrated into common hardware and software. It's there; your company only needs to start using the technology.

3. My company is happy with using separate software; that way each application can focus on a separate security threat. Why should I consider an all-in-one security suite?
Many of the popular software applications commonly used by businesses have expanded their focus to identify all security threats. This includes solutions from both software and hardware appliance technology manufacturers. Many of these firms saw the need to consolidate security early on and purchased smaller software firms to gain the knowledge their firm was lacking. A security suite at the application level will make management much easier, and your IT staff will thank you for it.

4. Do I need to add a hardware requirement to the authentication process?
Requiring the use of security tokens or smart cards should be considered for employees accessing the company network from a remote site. Particularly if that employee needs to access sensitive company information while on the road, a simple flash-drive-style secure token prevents a thief from accessing that sensitive data on a stolen laptop.

5. With all this concern about WiFi hotspots, should employees be required not to use these locations to connect to the company network?
WiFi hotspots have sprung up nationwide and present the easiest method for your remote employees to access the Internet. Unfortunately, hotspots can also be full of bored, unemployed hackers who have nothing better to do than find a way to intercept a busy employee's transmissions at the next table. That's not to say employees on the road should avoid hotspots. That would severely limit them from accessing the network at all. With technologies like S-VLAN and secure authentication in place, a business can implement technologies to reduce threats both now and in the future.

Implementing the latest network security technologies is a high priority for IT management. In today's network environment, with many users accessing your digital assets remotely, it's critical to get your network security correct during the planning phase of the integration process.

Obviously, it should be noted that most large companies have multiple operating systems running (Windows, Mac O/S, etc.) and that for many of these companies all-in-one security suites face certain challenges in a mixed operating system environment. That is why I stress that you consider having layered security (both hardware and software) and don't simply rely on software applications to protect your digital assets. As technology changes, so do the opportunities for security breaches.

As these security threats become more sophisticated, hardware and software developers will continue to innovate, and it's essential that businesses keep up with, and implement, these technologies.
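The 802.1q section above says that a tag-based VLAN lets the network drop frames from unidentified MAC addresses. As an added example, not code from the original article, this Python filter parses an Ethernet header, reads the 802.1Q tag that sits right after the source MAC (TPID 0x8100 followed by a 16-bit TCI whose low 12 bits are the VLAN ID), and admits a frame only when its source MAC is on the allow list for that VLAN; the allow list, MAC addresses and sample frames are constructed for the demonstration.

```python
import struct
from collections import namedtuple

TPID_8021Q = 0x8100  # EtherType value that announces an 802.1Q tag follows
# vlan_id is None when the frame carries no 802.1Q tag
Frame = namedtuple("Frame", "dst_mac src_mac vlan_id ethertype")

def mac_str(m: bytes) -> str:
    return ":".join(f"{b:02x}" for b in m)

def parse_ethernet(raw: bytes) -> Frame:
    """Parse the Ethernet header and the 802.1Q tag that may follow the source MAC."""
    if len(raw) < 14:
        raise ValueError("truncated Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", raw[:14])
    vlan_id = None
    if etype == TPID_8021Q:
        if len(raw) < 18:
            raise ValueError("truncated 802.1Q tag")
        tci, etype = struct.unpack("!HH", raw[14:18])
        vlan_id = tci & 0x0FFF  # low 12 bits of the TCI hold the VLAN ID; top bits are priority/DEI
    return Frame(mac_str(dst), mac_str(src), vlan_id, etype)

# Constructed allow list: adapter MACs permitted on each remote-access VLAN.
VLAN_ALLOWED_MACS = {100: {"00:11:22:33:44:55", "00:11:22:33:44:66"}}

def admit(raw: bytes) -> str:
    """Return 'allow' or a 'drop: ...' reason for one frame seen on the remote-access trunk."""
    try:
        f = parse_ethernet(raw)
    except ValueError as e:
        return f"drop: {e}"
    if f.vlan_id is None:
        return "drop: untagged frame on remote-access trunk"
    if f.vlan_id not in VLAN_ALLOWED_MACS:
        return f"drop: unknown VLAN {f.vlan_id}"
    if f.src_mac not in VLAN_ALLOWED_MACS[f.vlan_id]:
        return f"drop: unidentified MAC {f.src_mac} on VLAN {f.vlan_id}"
    return "allow"

def build_frame(dst: str, src: str, vlan_id, ethertype: int = 0x0800) -> bytes:
    """Constructed sample-frame builder (header only) for exercising the filter."""
    hdr = bytes.fromhex(dst.replace(":", "")) + bytes.fromhex(src.replace(":", ""))
    if vlan_id is not None:
        hdr += struct.pack("!HH", TPID_8021Q, vlan_id & 0x0FFF)
    return hdr + struct.pack("!H", ethertype)
```

Untagged and truncated frames are rejected explicitly rather than silently treated as VLAN 0, since a filter that only checks the MAC would otherwise let them through.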