NETWORK SECURITY REQUIREMENTS FOR SYSTEMS CONNECTED TO THE INTERNET
Relying on voluntary measures to keep your network secure is not acceptable.
Authority to mandate security on the network is essential.
A security policy that spells out the specific value of the
information on your network, and what steps the company is
willing to take to protect it, is required. Security measures
on the network that reflect this policy must be implemented.
Below is a description of key elements of security requirements
that should be formally implemented by business management
for LAN and remote computers.
Acceptable Use Recommendations
When business computers are connected to the Internet, due diligence,
accepted practice, and the Sarbanes-Oxley Act require that
specific precautions be undertaken to protect confidential
business and consumer data from unauthorized access. Off-site
PC's with any connection to a corporate LAN must also be just
as secure as the corporate network. This includes PC's that
are merely connected or have access to the same local area
network as a PC that has trusted access to a corporate network,
such as is common with home computer networks where a laptop
is brought home from work.
Network security must deal with several issues: Firewalls, Intrusion
Prevention, Anti-Virus, Spy Ware, Cookies, Unsafe email Attachments,
Inappropriate Software, Wireless Access, Home/Remote Access,
Security Auditing, and Acceptable Use Policy.
Firewalls
A firewall is a tool designed to prevent unauthorized access
to computers from the Internet. The key word is "from".
If someone or something on a network PC initiates an Internet
connection, the firewall, by design, must let that data through,
as well as the data returning in response from the initial
action. If for any reason an unknown program, trojan horse,
or something similar were to initiate a dialog without the user's
knowledge, the firewall is helpless to prevent this type of
security breach. In order to protect against intrusion, a
firewall is required at two points: 1) at the Internet connection
(DSL, T1, etc.); and 2) on every PC on the local area network
connected to the Internet. Alternatively, firewall-based Intrusion
Prevention with deep packet inspection can fully inspect all
incoming and outgoing traffic payload contents.
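The behaviour described above, shown as an added example that is not part of the original article: a toy stateful filter that tracks LAN-initiated flows. The class and function names and all addresses are constructed for illustration and do not represent any vendor's firewall logic.

```python
# Added illustration: a toy stateful filter (not any vendor's firewall logic).
# All addresses and ports below are constructed sample values.
from typing import NamedTuple

class Packet(NamedTuple):
    src: str
    sport: int
    dst: str
    dport: int

class StatefulFilter:
    """Allow LAN-initiated flows and their replies; drop unsolicited inbound."""

    def __init__(self, lan_prefix: str):
        self.lan_prefix = lan_prefix
        self.flows = set()          # connection-tracking table

    def _inside(self, addr: str) -> bool:
        return addr.startswith(self.lan_prefix)

    def decide(self, pkt: Packet) -> str:
        if self._inside(pkt.src) and not self._inside(pkt.dst):
            # Outbound: the filter records the flow and passes it. It has no
            # way to tell which program on the PC opened the connection.
            self.flows.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "ALLOW"
        # Inbound: pass only if it is the reply half of a tracked flow.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.flows:
            return "ALLOW"
        return "DROP"

def demo():
    fw = StatefulFilter("192.168.1.")
    return [
        # Unsolicited inbound connection attempt to a LAN PC.
        fw.decide(Packet("203.0.113.9", 4444, "192.168.1.20", 445)),
        # A user's browser opens a web connection and gets the reply.
        fw.decide(Packet("192.168.1.20", 50001, "198.51.100.7", 80)),
        fw.decide(Packet("198.51.100.7", 80, "192.168.1.20", 50001)),
        # An unknown program on the same PC does the same: also allowed.
        fw.decide(Packet("192.168.1.20", 50002, "203.0.113.9", 80)),
        fw.decide(Packet("203.0.113.9", 80, "192.168.1.20", 50002)),
    ]

if __name__ == "__main__":
    print(demo())
```

The last two decisions are the point of the paragraph: from the filter's position, traffic started by an unknown program is indistinguishable from traffic started by the user, which is why a per-PC firewall or payload inspection is needed as well.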
Intrusion Prevention
Evolving security exploits that can result in the compromise
of corporate networks and confidential information require
new defenses and counter-measures. Stateful packet inspection
firewalls are no longer suitable to detect and block emerging
blended threats such as the ADODB exploit. Corporations can
implement Intrusion Prevention based firewall appliances that
provide deep packet inspection. This provides the framework
for bi-directional logging and/or blocking of 50 categories
and over 1800 signatures of known intrusion exploits. An awareness
of this new avenue of defense by businesses of all sizes is
important to the security of corporate networks.
Anti-Virus
Newer generations of the family of virus, worm and Trojan
programs are much more sophisticated and damaging, consisting
of "blended threats" such that multiple sources
and steps are involved, most of which are not detectable by
stateful packet inspection firewalls. The impact of virus,
Trojan, worm, and blended attacks on a business network is not
limited to the loss of resources while recovery is undertaken;
confidential business data can be compromised as well. It
is imperative that a uniform anti-virus system be implemented
that includes every PC connected to any local area network
so long as any one of those PC's may have trusted network
access to corporate resources.
Spy Ware
Different from the category of virus programs, spy ware consists
of programs that end up on a PC that enable a third party
to gain information about activity on that PC, with or without
that user being aware of the data collected. The collection
of data can include personal information that should remain
business confidential, including login accounts and/or passwords.
Cookies
These are web-browsing programs intended to identify the PC
on which they are placed. Their functionality can be used
in unintended ways to gather personal information similar
to spy ware, and to result in spy ware and/or trojans ending
up on a PC.
Unsafe email Attachments
Generally accepted network security practice does not allow
accepting email attachments that are capable of running scripts,
executing instructions, or otherwise initiating activity which
could result in a compromise of the recipient, and/or cause
actions to occur on the recipient workstation unknown to the
recipient. This is not directly related to virus, Trojan horse
or worm issues, but rather to legitimate functions performed
in a way that would be unacceptable if understood by the recipient.
The most flagrant of these potentially unsafe files are .doc
and .xls. Due diligence suggests that corporate acceptable use
policy require the use of .rtf or .pdf files in lieu of .doc,
and the use of .csv (comma-delimited ASCII) in lieu of .xls,
thus avoiding potentially unsafe outcomes. Most of the time,
.rtf does just fine for nicely formatted document exchange.
It is very easy to tell Word to use .rtf as the document storage
format. If there are lots of graphics in a document, .pdf
is a better choice. There are many .doc to .pdf conversion
programs available for free or very little cost.
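One way a mail gateway could enforce the attachment policy above, as an added example that is not part of the original article. The function names and the sample message are constructed; the check of leading file bytes goes beyond the text and is included so that a .doc or .xls file renamed to an allowed extension is still rejected.

```python
# Added illustration of the attachment policy above; not from the original article.
from email import message_from_bytes
from email.message import EmailMessage

ALLOWED = {".rtf", ".pdf", ".csv"}     # formats the policy recommends
# Leading bytes each allowed format should have (None: plain text, no signature).
MAGIC = {".rtf": b"{\\rtf", ".pdf": b"%PDF-", ".csv": None}
OLE2 = bytes.fromhex("d0cf11e0a1b11ae1")   # header of legacy .doc/.xls files

def check_attachments(raw: bytes):
    """Return (filename, verdict) for every attachment in a raw message."""
    results = []
    for part in message_from_bytes(raw).walk():
        name = part.get_filename()
        if not name:
            continue                    # body text or multipart container
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        data = part.get_payload(decode=True) or b""
        if ext not in ALLOWED:
            verdict = "reject: extension not allowed"
        elif data.startswith(OLE2):
            verdict = "reject: Office binary renamed"
        elif MAGIC[ext] and not data.startswith(MAGIC[ext]):
            verdict = "reject: content does not match extension"
        else:
            verdict = "accept"
        results.append((name, verdict))
    return results

def sample_message() -> bytes:
    """Constructed test message with four attachments."""
    msg = EmailMessage()
    msg["Subject"] = "Q3 report (constructed sample)"
    msg.set_content("See attached.")
    files = [
        ("report.rtf", b"{\\rtf1\\ansi Hello}"),
        ("figures.csv", b"region,total\nwest,10\n"),
        ("budget.xls", OLE2 + b"\x00" * 8),
        ("notes.rtf", OLE2 + b"\x00" * 8),   # a .doc renamed to .rtf
    ]
    for name, data in files:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()

if __name__ == "__main__":
    for name, verdict in check_attachments(sample_message()):
        print(f"{name}: {verdict}")
```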
Inappropriate Software
These are programs commonly used in home or school environments
to do things like share or download music off the Internet,
conduct "chat" activity with other Internet users,
and many other seemingly harmless activities. However, in a
business environment, many of these programs are inappropriate.
Some of these activities violate copyright laws and place
the business at risk. If you don't think this is a real problem,
you should know that even private individuals are being pursued
in the courts for copyright violation. In other cases, these
types of programs open a channel of communication through
the firewall that then exposes the business to network compromise
by hackers. The list of specific inappropriate software is
endless. In general, business network security issues require
that all of the PC's connected to a local area network must
adhere to an Acceptable Use Policy. This policy must not allow
the downloading or sharing of any type of audio and/or video
data, period. Also not to be allowed are Internet Chat programs.
Programs freely available to feed weather, news, headlines,
etc. must not be used on any PC connected or with access to
any local area network that has so much as one PC with access
to a corporate LAN. All of this type of computer use carries
the risk of compromise by hackers, and must not be allowed.
Wireless Access
Almost all wireless access points in use today are security
risks, even if Wireless Encryption Protocol (WEP) is being
used. No wireless access devices are to be used on any local
area network if that local area network has even one PC that
has access to the corporate LAN. If you believe that you have
a legitimate need for wireless access, approved, secure equipment
and implementation of wireless access via IPSec is possible.
Home or Remote Access to Business Network Computers and/or Resources
This should not be allowed unless approved, secure means are
being used that have the same level of security as if the
PC is connected directly to the business network. This is
the weakest link issue. Hackers now look for home PC's with
trusted access to business networks, and then have the same
access to confidential data as they would if they were sitting
at a PC in the office of that business. PC's used to access
business networks remotely must be as secure as if they were
at the office. Programs like pcAnyWhere are not to be allowed
due to known security risks. If business computing resources
must be accessed by users not at the office, the access must
only be done in an approved, secure manner. Arrangements for
secure remote access can be made.
Security Auditing
Remote offices with corporate LAN access via the Internet
must be audited for remote network security compliance by
the use of network security auditing tools commonly used in
business environments. Such auditing does not need to gather
business or personal data at any remote location. This auditing
should be conducted on a regular basis and performed in such
a manner as to not interfere with normal business PC use.
In the event that a security risk is discovered, there should
be a pre-existing policy that defines a suitable response.
Such response may include requesting a specific change be
made at a remote location within a specified time period or,
if deemed a severe risk, discontinuing the access granted
to a remote location in order to avoid a compromise that could
adversely affect the corporate LAN or other remote users.
©2004, Nova Business Systems, Inc. Reproduction
of this article is forbidden without prior consent from Nova
Business Systems, Inc.