By Barry Semple, Director of Technology
Many layers of security are needed to build a solid IT foundation for your organization. In our
last blog post, we discussed the Network Layer and the many components that ensure your organization’s computers can talk to one another and share data. Today we will be looking at the
perimeter layer.
When you look at any environment, IT or otherwise, it has boundaries that outline where that environment starts. This is the edge or
the perimeter.
The perimeter of an IT environment can be compared to the moat of a castle in days gone by. The moat surrounded the castle and protected everything important within the castle walls. The castle’s drawbridge was the single point of access, providing easy control of who was coming and going. Today, the perimeter layer of our
cybersecurity brick house is the network equipment which separates us from the outside world, with the network firewall
extending the drawbridge where appropriate and monitoring those that visit.
The firewall between your environment and the outside world is the primary point of protection and as such, deserves special attention and care. Access to the firewall should be very carefully controlled. Your organization must know who has access, when they need to access it and what changes are being made. But getting your modern firewall secure is only the first step – keeping it that way is also important.
The data crossing your firewall, between your internal environment and the outside world (AKA the Internet), can be compared to visitors crossing that drawbridge. Every bit of data ‘visiting’ you is passing through for a reason – knowing and understanding those reasons is critical to ensuring your firewall is secure. Firewall
rules are statements that control what data flows across and why.
You also need to check your firewall’s suitability for your environment and its age. Is it capable of providing the best levels of security available in current business grade firewall models? (such as IDS - Intrusion Detection System and IPS - Intrusion Prevention System – which were discussed in the Network Layer blog post.) Can it provide those levels of security while keeping up with the latest rates of internet access available?
As for device age, software on the firewall should have been updated in the past year, otherwise you may have security holes and vulnerabilities for which you aren't protected. We often see firewall devices that have been in place for many years and can no longer protect against modern threats. Outdated devices can also slow down the speed of internet access, as modern speeds of 100+ Mbps did not exist when they were designed. Keeping your equipment up to date is a very important step towards being and remaining secure.
If you are not familiar with firewalls, rules and software updates, be sure to discuss this with your IT professional Remember also to keep the guiding principles top of mind:
- security first (who has access and why),
- risk identification and reduction (check the validity of the firewall rules and the age of the equipment),
- keep it simple (if your IT professional can’t explain it or you can’t understand it, then it’s not simple!), and,
- be prepared if all else fails (you may consider redundant firewalls if you require zero downtime for internet access).
Continuing the castle analogy, back in the day storming the drawbridge was not the only means of assault -- outsiders would also try to attack over the walls and ramparts. This over the top access is very similar to a modern attack on your wireless or Wi-Fi network. By accessing your wireless network, unauthorized people can gain access to your internal IT environment, unless the correct controls are in place.
Some important security considerations for safe wireless operations:
- check who has access to your wireless network and ensure there is a secure password to access it.
- consider maintaining two wireless networks: one providing access to your internal network by company equipment only (for eg. company issued laptops), and a second guest network that cannot access your internal network – for use by visitors and used by staff for their own personal devices.
This dual wireless network approach keeps everything simple, and as long as the right levels of security and passwords are in place, keeps it all secure too. Like with the firewalls, ensure the wireless access is running the latest software and is capable of supporting modern mobile devices and speeds.
Getting your perimeter to a state of security is the first step. The next step is securing the processes around how it is accessed, changed or updated. These processes are part of the security policies that may include standards required for your industry. We’ll discuss that in the next installment: the application layer.
Read more in this Series: