Security by design

If there are 50 ways to leave your lover, there are countless methods for compromising a corporate data network. The best perimeter defence in the world won’t hold if the attack doesn’t come from a strange machine out in the wild.

Every element of the network — from the desktop client PC to the wide-area network router — has vulnerabilities that can be exploited to take over or disrupt your network.

It’s been said that the only truly secure computer is one that isn’t connected to anything else. Not only could you argue that even isolated machines aren’t wholly secure, but in today’s interconnected business world it’s simply not feasible to isolate your computers from the rest of the Net.

We can, however, isolate them from much of the malicious activity that goes on out there. If every individual element of the network has its weaknesses, there are also ways — often as simple as changing default configurations or enabling an existing encryption function — to protect every element on a box-by-box basis.

We assembled a fictional, unprotected network and asked security experts where the vulnerabilities were, and how to protect them.

The result — on the following pages — is a quick primer on the holes in a network, and the tools at your disposal to keep them closed.


A wireless networking environment has boundary issues — it leaks data beyond the office doors, where it can reach the listening antennae of others.

At an absolute minimum, wireless networks should enable the wired equivalent privacy (WEP) encryption that’s part of the 802.11b standard, as weak as it is by reputation. It should be hardened by more powerful proprietary solutions or by WiFi protected access (WPA), part of the 802.11i specification due to be approved this June.

802.1x is a protocol that adds authentication to the simple encryption scheme. Authentication information lives on a RADIUS server that prevents access on a port-by-port basis until the user identity is verified. If legacy apps only support WEP, Chris Kozup of Meta Group suggests isolating the wireless network from the wired network with firewalls, virtual LANs and Layer 3 routers. And be extremely careful using public WiFi hotspots like those in cafes and airports — they’re insecure by nature.


The desktops attached to the wired LAN are vulnerable to e-mail and network attacks. Minimally, each computer should have anti-virus protection. Personal firewalls are a consideration; there may even be a role for desktop intrusion detection systems.

User behaviour plays a huge role in securing the desktop. Users should be educated about the behaviour of e-mail viruses and the social engineering that causes their spread. Good password hygiene is critical. Force password changes at regular intervals, and apply password policies that prevent weak passwords based on family names, birthdates, etc.

Use password-protected screen-savers in case the user steps away from the machine for a while.
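The password-policy point above, as an added example that is not from the article or the experts it quotes: a checker that rejects passwords built from a user's own names or birthdate (including reversed spellings, common date layouts and digit-for-letter substitutions), alongside length and character-class rules. The user profile and the policy thresholds are constructed for the demonstration.

```python
import re
from datetime import date

# Constructed user profile for the demonstration (hypothetical names and date).
# In practice this would come from the directory: user, spouse, children, pets.
SAMPLE_PROFILE = {
    "username": "jsmith",
    "names": ["John", "Smith", "Mary", "Rover"],
    "birthdate": date(1975, 3, 14),
}

MIN_LENGTH = 8
MIN_CLASSES = 3   # of: lowercase, uppercase, digit, other

def date_tokens(d):
    """Common ways a birthdate turns up in passwords: 1975, 0314, 14031975, 3141975 ..."""
    y, m, dd = d.year, d.month, d.day
    yy = str(y)[2:]
    return {
        str(y), yy,
        f"{m:02d}{dd:02d}", f"{dd:02d}{m:02d}",
        f"{m:02d}{dd:02d}{y}", f"{dd:02d}{m:02d}{y}",
        f"{m:02d}{dd:02d}{yy}", f"{dd:02d}{m:02d}{yy}",
        f"{m}{dd}{y}", f"{dd}{m}{y}",
    }

def personal_tokens(profile):
    """Lower-cased names, username and date forms, plus reversed spellings of the words."""
    toks = {profile["username"].lower()}
    toks.update(n.lower() for n in profile["names"])
    toks.update(date_tokens(profile["birthdate"]))
    toks.update(t[::-1] for t in list(toks) if t.isalpha())
    return {t for t in toks if len(t) >= 3}   # drop fragments too short to be meaningful

def check_password(password, profile):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(bool(re.search(p, password)) for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < MIN_CLASSES:
        problems.append(f"fewer than {MIN_CLASSES} character classes")
    lowered = password.lower()
    # undo common substitutions (0->o, 1->l, 3->e, 4->a, 5->s, 7->t, @->a, $->s, !->i)
    normalized = lowered.translate(str.maketrans("013457@$!", "oleastasi"))
    hits = sorted(t for t in personal_tokens(profile) if t in lowered or t in normalized)
    if hits:
        problems.append("contains personal information: " + ", ".join(hits))
    return problems
```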

Simon Tang of Deloitte & Touche notes that on a PC with a pre-Windows 2000 operating system, it’s easy to bypass the password log file with access to a floppy drive. Removing them might be overkill, though — it only turns over control of the local machine, not network access. Physical security’s important, too — consider locking devices.


Storage networks present a conundrum. Software encryption can compromise performance. Hardware appliances have minimal performance impact, but can be expensive. Should your SAN encrypt data? Weigh the costs of the technology against the value of the data, and also consider that data related to an obscure custom application might be adequately masked by the program. Encryption on archival tape is also a judgment call — it depends on the backup system and how it’s structured.

But if your data is hosted offsite, consider encryption a necessity.


These are high-risk machines because they’re used in a number of potentially unsecured environments — client visits, home offices, WiFi hotspots. Compromised machines can compromise the network. Enforce firewall, antivirus and intrusion detection regimens vigorously. Patches and management can be automatically updated through the virtual private network.

Physical security is also a bigger issue than with other devices. Password protection is necessary, but not enough — critical data should be encrypted on the hard drive.


Anything with an external visible address is continually scanned for holes — check your personal firewall log some time. External servers should be walled off in a ‘demilitarized zone’ or DMZ, with firewalls not only between the server and the external network, but between the server and the internal network. One option that can be expensive, but possibly worth the cost, is using multiple firewalls from different vendors. That way, servers can’t be compromised by a single vulnerability.


Core servers have the additional vulnerability to attacks from within by employees. A good access control scheme can keep those who don’t need access out of particular machines, or specific files on those machines.

Hardening servers is another practice Tang recommends. Enhance the existing security of the box’s system by eliminating back doors. For example, get rid of any hidden drive shares that allow easy, if not obvious, access to the server drives.


Routers are typically vulnerable to network-based denial-of-service attacks and hijacking by outsiders. Simple network management protocol (SNMP) allows efficient management, but if it isn’t configured correctly, it can give up naming conventions, addresses, routing tables — everything a hacker needs to commandeer and reconfigure the router. Configuration and patch management are critical here, says Tang.
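An added example of the SNMP configuration check Tang's point calls for (not code from the article): a small audit over a constructed router configuration in Cisco IOS-style syntax, flagging community strings that are well-known defaults, grant read-write access, or are not restricted by an access-list, with a hardened SNMPv3 equivalent beside it. The hostname, community names, addresses and credential placeholders are all constructed.

```python
import re

# Constructed weak configuration excerpt (IOS-style syntax assumed for the demo).
WEAK_CONFIG = """\
hostname edge-rtr-01
snmp-server community public RO
snmp-server community private RW
snmp-server community netmon RO 10
access-list 10 permit 192.0.2.10
"""

# Constructed hardened equivalent: SNMPv3 with authentication and encryption,
# restricted to the management station. <auth-pass>/<priv-pass> are placeholders.
HARDENED_CONFIG = """\
hostname edge-rtr-01
snmp-server group NMS-RO v3 priv access 10
snmp-server user nmsuser NMS-RO v3 auth sha <auth-pass> priv aes 128 <priv-pass>
access-list 10 permit 192.0.2.10
"""

DEFAULT_COMMUNITIES = {"public", "private"}   # widely known vendor defaults
COMMUNITY_RE = re.compile(r"^snmp-server community (\S+)\s+(RO|RW)(?:\s+(\S+))?", re.I)

def audit_snmp(config):
    """Return findings for v1/v2c community-string lines in an IOS-style config."""
    findings = []
    saw_community = False
    for line in config.splitlines():
        m = COMMUNITY_RE.match(line.strip())
        if not m:
            continue
        saw_community = True
        community, mode, acl = m.group(1), m.group(2).upper(), m.group(3)
        if community.lower() in DEFAULT_COMMUNITIES:
            findings.append(f"{community}: well-known default community string")
        if mode == "RW":
            findings.append(f"{community}: read-write access allows reconfiguration of the router")
        if acl is None:
            findings.append(f"{community}: no access-list, any host that reaches the router may query it")
    if saw_community:
        # SNMPv1/v2c send the community string in cleartext on every request
        findings.append("v1/v2c community strings travel in cleartext; prefer SNMPv3 auth+priv")
    return findings
```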
