Network security: Multiple layers of protection (page 1 of 2)

By Jim Mortleman

Truth is, network security seems like a sprawl because that's what many company networks have become - a sprawl of different systems and devices that talk to one another in many different ways: across fixed local area networks (LANs), wireless and cellular networks, private wide-area networks (WANs), the fixed telephone network and the internet.

The only effective way to think about security in this nebulous world is in terms of 'layers' of protection.

Simon Young, general manager for server security EMEA at Trend Micro, says: "Security professionals, and indeed most business executives, fundamentally accept it takes multiple layers of defence to protect against the wide variety of attacks and threats.

'A single product or technique simply cannot protect against every possible threat. A layered approach gives an enterprise multiple lines of defence that will allow one product to catch things that may have slipped past the outer defences."

At the basic level, network security involves authenticating users, either using the familiar username/password combination, some form of physical authentication such as a card, USB key or biometric (fingerprint, retina scan, etc), or some combination of these approaches (appropriate for access to more sensitive parts of the network).

The next layer is the firewall, which governs the services authenticated users and applications are allowed to access. This can be based in on either the systems like PCs and servers at the edge of the network or on physical network hardware devices like routers and switches.

Beyond the firewall, intrusion prevention and detection systems then monitor networks for the presence or malware or suspicious behaviour, preventing particular types of activity according to rules and policies defined by the network administrator.

But again, these are by no means foolproof, and the difficulty of distinguishing between what's legitimate and what's not invariably means some level of additional human input.

Securing sensitive data

There's no doubt all businesses need to have adequate network security in place - not doing so is akin to an open invitation to hackers and criminals - but just as with the physical security of property, your network will only ever be as secure as the weakest point of entry.

Not only that, but the aforementioned sprawl also means there will almost undoubtedly be several doors with dodgy locks, windows that can be smashed, and dusty, hidden ventilation shafts that could lead straight to the room containing your top-secret filing cabinets.

And that's not to mention the fact that hackers also use clever social engineering techniques to gain access to physical buildings or persuade users to part with logins.

As a consequence of the inherent insecurity of networks, many believe it's far more important to concentrate most efforts on securing sensitive data.

Clive Longbottom, a senior analyst at Quocirca, says: "Make sure your data is impermeable - at rest, on the move, wherever it may be. It should be encrypted, with certificates around it. For example, if somebody's got it on their laptop and they don't touch the network for whatever you deem a suitable period, it should automatically delete itself. That's the approach I'd recommend."

Remote security management: Do cost savings outweigh concerns?

Many businesses are reluctant to offload something seen as critical as managing the security of their network to a third party, particularly one that may be located far from the apparent (though often illusory) security of their own premises.