According to the SANS Institute, a nonprofit that provides research and best practices for computer security, on average a computer will be attacked within four minutes on the Internet if its vulnerabilities are not patched. The most common attack is controlling a computer to send spam or viruses to other computers. These computers become part of a "botnet" — a network of computers controlled by malicious parties — which in turn will search for other vulnerable computers.
Since the attacks are automated and continuous, you need automated solutions to defend yourself. In most organizations, network devices should be the front line of defense (along with properly patched computers). We'll discuss both technical and non-technical, or operational, considerations when acquiring and implementing a security device in your network.
Operational Considerations for a Security Device
Although we often dive into the technical specifications of a new device, it's better to think about its management and maintenance first. You may think that you need a certain feature, but unless you dedicate the resources to set up, implement, and monitor it, you may be better off getting a less advanced piece of equipment.
Therefore, a primary factor in choosing a device is whether you have the in-house expertise to properly configure and manage it, or whether you will need external technology support. If you already use an external service provider, does it have specific recommendations or preferred devices? Measure your expertise against the size and complexity of the security device you're buying, so that your network ends up properly secured. A device that is set up but then left orphaned or running with default settings can end up making your network even less secure.
Often, your service provider will configure and maintain your security device for a price. On the other hand, if you don't understand fundamental security concepts, you might end up paying your ISP for security device features that you don't actually need. Also, how responsive will your service provider be when you need to change the access rules on your security device? In other words, you have to know at least enough to ask the right questions and evaluate the answers.
Lastly, different devices have different prices, depending on how much functionality they have and how much traffic they can handle. Although the budget is often the biggest consideration for most organizations, you need to determine the most important features based on your current and future requirements and resources.
Once you have assessed your operational resources, you can look more closely at the technical details. A "firewall" is the device that provides the highest level of protection and the widest range of options. However, many routers and switches also have basic security features, so it is important to pick a device that is appropriate to the size of your network and your needs. You will encounter many specifications and acronyms. Here are some common ones and their explanations:
Basic Security Features
- DMZ — If you run a web server or email server on premise, then you should dedicate a certain area of your network as a "demilitarized zone," or DMZ. A device's support for DMZ, such as dedicated ports, is a feature you need to consider. The security device protects the servers in the DMZ and checks traffic to and from those servers. It also isolates the servers from the rest of your local area network as much as possible. There are several ways to set up a DMZ, and your DMZ architecture may affect the type of security device you decide to implement.
- VLANs — Virtual LANs allow you to group devices together in the same subnet, even if the devices aren't connected on the same router or switch. If you have a large and sprawling network, VLAN support should be a key consideration.
- ACL — An access control list is a method by which traffic is allowed or denied based on characteristics such as source, destination, or port. Network administrators commonly use this filtering capability to control and stop unwanted traffic.
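To show how the DMZ and ACL features above fit together, here is an added example (not from the article or any vendor) of a first-match access control list in Python. The addresses, the LAN/DMZ layout, and the rule set are constructed for illustration; real appliances use their own syntax, but the evaluation order and the implicit deny at the end are the points to check when reviewing a device's configuration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import Optional

# Constructed network plan (hypothetical addresses, not from the article)
LAN = ip_network("192.168.10.0/24")   # staff workstations
DMZ = ip_network("192.168.20.0/24")   # public web/mail servers
ANY = ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                  # "allow" or "deny"
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int]         # None means any destination port
    comment: str = ""

    def matches(self, src, dst, dport):
        return (src in self.src and dst in self.dst
                and (self.dport is None or self.dport == dport))


# First match wins. Anything that matches no rule is denied (implicit deny).
ACL = [
    Rule("allow", ANY, DMZ, 443,  "Internet -> DMZ web server, HTTPS"),
    Rule("allow", ANY, DMZ, 25,   "Internet -> DMZ mail server, SMTP"),
    Rule("deny",  DMZ, LAN, None, "DMZ hosts may never initiate into the LAN"),
    Rule("allow", LAN, ANY, None, "Staff may reach the Internet and the DMZ"),
]


def evaluate(acl, src: str, dst: str, dport: int) -> tuple:
    """Return (action, comment) of the first matching rule, or the implicit deny."""
    s, d = ip_address(src), ip_address(dst)
    for rule in acl:
        if rule.matches(s, d, dport):
            return rule.action, rule.comment
    return "deny", "implicit deny"


if __name__ == "__main__":
    for pkt in [("203.0.113.7", "192.168.20.10", 443),     # public user -> web server
                ("203.0.113.7", "192.168.20.10", 22),      # public user -> SSH on DMZ host
                ("192.168.20.10", "192.168.10.5", 445),    # DMZ host -> LAN file share
                ("203.0.113.7", "192.168.10.5", 443)]:     # Internet -> LAN directly
        print(pkt, "->", evaluate(ACL, *pkt))
```

Note that the rule order matters: moving the "Staff may reach" rule above the DMZ-to-LAN deny would not change these results, but a broad "allow ANY -> ANY" placed first would silently override every rule below it.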
Advanced Security Features
The following are more advanced security features for bigger organizations, or organizations that are looking to secure more traffic in and out of their network.
- VPN (virtual private network) — A VPN encrypts data sent between two or more locations when that data travels over the Internet or another public network. Nonprofits often set up VPNs so that staff members who work remotely can securely access files and programs on the office network. In organizations with branch offices, a dedicated or "site-to-site" VPN would be set up for persistent secure communications. While your offices can share a dedicated secure line, using a site-to-site VPN can be more cost-effective depending on the speed and bandwidth you desire. SSL VPN is a related feature that enables users to connect via a web browser.
- IPS (Intrusion Prevention System) — IPS is a set of technologies used by devices to detect and block suspicious behavior on the network. It is based on algorithmic analysis of the data coming in and out of the network.
- Content filtering — Given the rapidly changing environment for attacks, security device manufacturers offer subscription services to the latest security information. This information can include blacklisted sites, malware signatures, and other dynamic information to further protect your network. They can also filter content based on keywords. This feature may add to the cost of your security device, and it could slow down the performance of your network.
- Bandwidth management — If you are experiencing slowness in your network devices, you may need a device that can better manage your bandwidth and traffic. You may need to control bandwidth usage or limit the bandwidth available to particular users, applications, or network segments.
- Logging and alerts — Every security device should have logging capabilities so you can see what sorts of traffic the appliance is blocking and what traffic is going through. However, security devices differ somewhat in the information they record and the readability of the log files. Notification methods vary by device — some send alerts via SMS, others use email or network broadcast message.
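As an added example (not from the article or any appliance vendor) of putting the logging and alert feature to use, the Python below parses a small set of constructed firewall log lines, summarizes what was blocked versus allowed, and raises two kinds of alert: one source denied on many different ports, and any DMZ host attempting to reach the LAN, which the DMZ isolation described earlier should never permit. The log format, addresses, and threshold are assumptions; adapt the regular expression to your own device's log layout.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log lines in a hypothetical key=value format; real appliances differ.
SAMPLE_LOG = """\
2024-05-01T09:00:01 action=deny src=198.51.100.9 dst=192.168.20.10 dport=22 proto=tcp
2024-05-01T09:00:02 action=deny src=198.51.100.9 dst=192.168.20.10 dport=23 proto=tcp
2024-05-01T09:00:03 action=allow src=203.0.113.7 dst=192.168.20.10 dport=443 proto=tcp
2024-05-01T09:00:04 action=deny src=198.51.100.9 dst=192.168.20.10 dport=3389 proto=tcp
2024-05-01T09:00:05 action=allow src=192.168.10.5 dst=192.168.20.10 dport=443 proto=tcp
2024-05-01T09:00:06 action=deny src=198.51.100.9 dst=192.168.20.10 dport=445 proto=tcp
2024-05-01T09:00:07 action=deny src=192.168.20.10 dst=192.168.10.5 dport=445 proto=tcp
this line is garbage the appliance should not have written
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) action=(?P<action>allow|deny) src=(?P<src>\S+) "
                     r"dst=(?P<dst>\S+) dport=(?P<dport>\d+) proto=(?P<proto>\S+)$")


def parse(log_text):
    """Return one dict per well-formed line; malformed lines are skipped, not guessed at."""
    records = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            rec = m.groupdict()
            rec["dport"] = int(rec["dport"])
            records.append(rec)
    return records


def summarize(records):
    """Count allowed vs. denied events: what the device blocks and what gets through."""
    return Counter(r["action"] for r in records)


def alerts(records, deny_threshold=3, dmz_prefix="192.168.20.", lan_prefix="192.168.10."):
    """Flag a source denied on >= deny_threshold distinct ports, and any DMZ->LAN attempt."""
    ports_by_src = defaultdict(set)
    out = []
    for r in records:
        if r["action"] != "deny":
            continue
        ports_by_src[r["src"]].add(r["dport"])
        if r["src"].startswith(dmz_prefix) and r["dst"].startswith(lan_prefix):
            out.append(f"DMZ host {r['src']} tried to reach LAN host {r['dst']}:{r['dport']}")
    for src, ports in ports_by_src.items():
        if len(ports) >= deny_threshold:
            out.append(f"{src} was denied on {len(ports)} different ports: {sorted(ports)}")
    return out


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print(summarize(recs))
    for a in alerts(recs):
        print("ALERT:", a)
```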
Special thanks to Steve Shields of Shields Networking in Seattle, WA, Chris Jowaisas of the Texas State Library, and Chris Shipley of NutmegIT in Hartford, CT.