© 1999, Cisco Systems, Inc. D-1 Evaluating a Security Policy Appendix D.

Transcript:

© 1999, Cisco Systems, Inc. D-1 Evaluating a Security Policy Appendix D

MCNS v2.0 D-2 Objectives
Upon completion of this chapter, you will be able to:
- Identify the purpose of a network security policy
- Identify the components of a network security policy
- Identify how to implement a network security policy
- Evaluate the XYZ policy and develop an implementation plan for it

D-3 Economics of Protecting the Network

D-4 Security Wheel
The Security Wheel contains the security elements needed for an enterprise:
(1) Corporate Security Policy
(2) SECURE
(3) MONITOR
(4) TEST
(5) IMPROVE

D-5 Security Objective: Balance
[Figure: a balance weighing Transparent User Access against Maximum Security]

D-6 Evaluating an Enterprise Network Security Policy

D-7 What Is a Security Policy?
A security policy is a formal statement of the rules by which people who are given access to an organization's technology and information assets must abide. (RFC 2196, Site Security Handbook)

D-8 Why Create a Security Policy?
Reasons for a policy include its ability to:
- Audit the current network security posture
- Set the framework for security implementation
- Define allowed and not allowed behaviors
- Help determine necessary tools and procedures
- Communicate consensus and define roles
- Define how to handle security incidents

D-9 What Should the Security Policy Contain?
- Statement of Authority and Scope
- Acceptable Use Policy
- Identification and Authentication Policy
- Internet Use Policy
- Campus Access Policy
- Remote Access Policy
- Incident Handling Procedure

D-10 Example XYZ Network Security Policy
- Intended Audience
- Scope of Security Policy
- Legal Authority of Security Policy
- Policy Stakeholders' Responsibilities
- Network Administrator Responsibilities
- Security Policy Maintenance Procedure
- Implementation Procedure

D-11 Testing with a Security Audit

D-12 Monitor and Maintain Security
Audit your system to maintain security:
- Patches and bug fixes
- Policies and procedures
- New technology threats
- Security awareness
- Incident handling
[Figure: "Monitor and Maintain" cycle, with the Internet as the source of the items above]

D-13 Security Audit and Maintenance
- Develop a solid site-security plan and security policies, including audits
- Perform new system installation audits
- Conduct regular system audits
- Perform random audit checks
- Conduct ongoing audits and maintenance
- Conduct the audits with available audit tools

D-14 Improving the Security Posture

D-15 Improving the Security Posture
- Monitor vendor websites for announcements about patches, maintenance releases, and new versions
- Evaluate product changes in the lab environment before installing them in the enterprise
- Perform regular and frequent analysis of attack profiles
- Reconfigure the network as needed based on the analysis of attack profiles

D-16 Chapter References

D-17 Chapter References
- Site Security Handbook (RFC 2196)
- A Guide to Developing Computing Policy Documents
- The Politics of Information Management:
- Page of links on Information Security Policy:
- Digital Equipment Corporation's Security Policy and Procedure:
- Introduction to Computer Security Policy:

D-18 Network Security Case Studies

D-19 Network Security Case Studies
[Figure: Enterprise Network Security and Application Security plotted against the security policy, from Open through Restrictive to Closed]

D-20 Case 1: Open Security Policy
- Permit everything that is not explicitly denied
- Easy to configure and administer
- Easy for network users
- Security cost: $70 per desktop
[Figure: Security vs. Access balance (Maximum Security / Transparent User Access)]

D-21 Case 1: Open Security Policy (cont.)
[Network diagram, labelled "Minimum Enterprise Security": Corporate HQ campus with a Gateway Router, a WAN Router and a Network Access Server; Async and ISDN links to Dial-In Users and a Branch Office; a 56 kbps link to the Internet (Public Network) and a Public Server]

D-22 Case 1: Open Security Policy (cont.)
Authentication
- PAP (remote clients and branch offices)
- Passwords (campus and dial-in)
Access control
- Access lists in WAN and gateway routers
- No standalone firewalls
No encryption

D-23 Case 2: Restrictive Security Policy
- Combination of specific permissions and specific restrictions
- More difficult to configure and administer
- More difficult for network users
- Security cost: $250 per desktop
[Figure: Security vs. Access balance (Maximum Security / Transparent User Access)]

D-24 Case 2: Restrictive Security Policy (cont.)
[Network diagram, labelled "Medium Enterprise Security": campus with a Gateway Router, a WAN Router, a Network Access Server and an AAA/Token Server; Async, ISDN and Frame Relay links to Dial-In Users (with Token Card) and a Branch Office; a 56 kbps link to the Internet (Public Network) and a Public Server]

D-25 Case 2: Restrictive Security Policy (cont.)
Authentication
- One-time passwords (dial-in and Internet)
- Passwords (campus)
Access control
- Access lists in WAN and gateway routers
- Firewall between Internet and enterprise
- Route authentication (branch offices and campus)
Encryption on branch office links
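Case 2 moves dial-in and Internet users from the static passwords of Case 1 to one-time passwords issued by a token card and checked by the AAA/Token Server. The following is an added example, not part of the Cisco course material: a minimal HOTP (RFC 4226) verifier with a look-ahead window, beside a static-password check, showing why a code that has already been presented is refused the second time while a static password is accepted again. The class names, the sample password, the window size and the token secret (the RFC 4226 test-vector key) are constructed for the illustration.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamic truncation, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


class StaticPasswordServer:
    """Case 1 style: a fixed password is accepted every time it is presented."""

    def __init__(self, password: str) -> None:
        self._password = password

    def verify(self, attempt: str) -> bool:
        return hmac.compare_digest(self._password, attempt)


class TokenServer:
    """Case 2 style (hypothetical AAA/Token Server): holds the token's secret and
    a moving counter. A code is accepted only if it lies within a small look-ahead
    window at or beyond the counter, and the counter then moves past it, so the
    same code is never accepted twice."""

    def __init__(self, secret: bytes, window: int = 5) -> None:
        self._secret = secret
        self._counter = 0      # next counter value expected from the token
        self._window = window  # tolerates a token pressed a few times without logging in

    def verify(self, attempt: str) -> bool:
        for c in range(self._counter, self._counter + self._window):
            if hmac.compare_digest(hotp(self._secret, c), attempt):
                self._counter = c + 1  # consume this counter and any skipped ones
                return True
        return False


# Constructed sample credentials; the token secret is the RFC 4226 test-vector key.
SAMPLE_PASSWORD = "Winter1999"
SAMPLE_SECRET = b"12345678901234567890"


def replay_demo() -> dict:
    """Present the same credential twice to each server; returns, per server,
    whether the first and the second attempt were accepted."""
    static = StaticPasswordServer(SAMPLE_PASSWORD)
    token = TokenServer(SAMPLE_SECRET)
    first_code = hotp(SAMPLE_SECRET, 0)  # the first code the token displays
    return {
        "static": (static.verify(SAMPLE_PASSWORD), static.verify(SAMPLE_PASSWORD)),
        "otp": (token.verify(first_code), token.verify(first_code)),
    }


if __name__ == "__main__":
    for name, (first, second) in replay_demo().items():
        print(f"{name}: first attempt accepted={first}, second attempt accepted={second}")
```

The look-ahead window is the design trade-off the token server has to make: too small and a user who pressed the token a few times without logging in is locked out until resynchronised; too large and the server accepts more stale codes than necessary. Codes behind the counter are always refused, which is what closes the door on re-use.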

D-26 Case 3: Closed Security Policy
- That which is not explicitly permitted is denied
- Most difficult to configure and administer
- Most difficult for network users
- Security cost: $350 per desktop
[Figure: Security vs. Access balance (Maximum Security / Transparent User Access)]

D-27 Case 3: Closed Security Policy (cont.)
[Network diagram, labelled "Maximum Enterprise Security": campus with a Gateway Router, a WAN Router, a Network Access Server and a Certificate Authority; Async, ISDN and Frame Relay links to Dial-In Users (with Smart Card and Token Card) and a Branch Office; a T1 link to the Internet (Public Network) and a Public Server]

D-28 Case 3: Closed Security Policy (cont.)
Authentication
- Digital certificates (dial-in, branch, and campus)
Access control
- Access lists in WAN and gateway routers
- Firewall between Internet and enterprise
- Route authentication (branch offices and campus)
Encryption (dial-in, branch office, and some campus)
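All three cases put access lists in the WAN and gateway routers; what separates Case 1 ("permit everything that is not explicitly denied") from Case 3 ("that which is not explicitly permitted is denied") is what happens to traffic no entry mentions. The following is an added example, not part of the Cisco course material: a small first-match access-list evaluator run under both default stances over the same rule set, with a report of the flows whose outcome is decided by the stance alone. The zone names, rules and probe flows are constructed for the illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    """A connection attempt between two network zones (constructed for the example)."""
    src_zone: str  # "internet", "branch", "dialin" or "campus"
    dst_zone: str
    proto: str     # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    """One access-list entry; "any" (or dport None) matches everything in that field."""
    action: str    # "permit" or "deny"
    src_zone: str
    dst_zone: str
    proto: str
    dport: Optional[int]

    def matches(self, flow: Flow) -> bool:
        return (self.src_zone in ("any", flow.src_zone)
                and self.dst_zone in ("any", flow.dst_zone)
                and self.proto in ("any", flow.proto)
                and self.dport in (None, flow.dport))


OPEN = "permit"   # Case 1: permit everything that is not explicitly denied
CLOSED = "deny"   # Case 3: that which is not explicitly permitted is denied


def evaluate(flow: Flow, rules: List[Rule], default: str) -> str:
    """First matching entry wins; the policy stance decides flows no entry mentions."""
    for rule in rules:
        if rule.matches(flow):
            return rule.action
    return default


# Constructed rule set: the same explicit entries are used under both stances.
RULES = [
    Rule("deny", "internet", "campus", "tcp", 23),   # no Telnet into the campus from the Internet
    Rule("permit", "any", "public", "tcp", 80),      # the public server's web port is open to all
    Rule("permit", "branch", "campus", "tcp", 443),  # branch office to campus over HTTPS
    Rule("permit", "dialin", "campus", "tcp", 25),   # dial-in users may reach the mail server
]

# Constructed probe flows; two of them are mentioned by no rule at all.
PROBES = [
    Flow("internet", "campus", "tcp", 23),
    Flow("internet", "public", "tcp", 80),
    Flow("branch", "campus", "tcp", 443),
    Flow("internet", "campus", "tcp", 445),
    Flow("dialin", "campus", "udp", 161),
]


def stance_gap(rules: List[Rule], probes: List[Flow]) -> Dict[Flow, Tuple[str, str]]:
    """Flows whose verdict depends only on the default stance: reachable under an
    open policy, blocked under a closed one. Reviewing this list during an audit
    shows which explicit deny entries an open policy is silently relying on nobody
    having needed yet."""
    gaps: Dict[Flow, Tuple[str, str]] = {}
    for flow in probes:
        verdicts = (evaluate(flow, rules, OPEN), evaluate(flow, rules, CLOSED))
        if verdicts[0] != verdicts[1]:
            gaps[flow] = verdicts
    return gaps


if __name__ == "__main__":
    for flow, (open_v, closed_v) in stance_gap(RULES, PROBES).items():
        print(f"{flow.src_zone}->{flow.dst_zone} {flow.proto}/{flow.dport}: "
              f"open={open_v} closed={closed_v}")
```

The cost figures on the case slides follow from this: under the closed stance every new service needs an explicit permit entry (the "most difficult to configure and administer" line), whereas under the open stance administration is easy precisely because anything nobody thought to deny is already reachable.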

D-29 Case Study Summary

D-30 Blank for pagination