Carter Hill Technologies
Consulting for today. Training for tomorrow.
Everything in Information Security revolves around three goals: Confidentiality, Integrity, and Availability. Any defense you put into place links back to one or more of these goals. If your security measures don't cover all of these goals, or only partially cover them, you're wide open to attack.

Confidentiality is ensuring that information can be accessed only by those personnel who are authorized to do so. Can you imagine the CFO of a company mailing a financial report on a postcard? Anyone who handles that postcard can see the supposedly confidential information on it. Now, can you imagine the CFO e-mailing a financial report? Unless additional steps are taken, that information is just as easy to read as it travels the network as the postcard was.

Integrity is ensuring that information has not been tampered with. On Nov. 7, 2000, the day of the presidential election, hackers attacked the Republican National Committee web site and replaced the information there with statements that made it look like the RNC was supporting Al Gore. The original information was not confidential, but damage was done by attacking its integrity.

Availability is ensuring that authorized people can get to information when they need to. In February 2000 several high-profile web sites including Yahoo!, CNN.com, Amazon.com, eBay, E*Trade, and Buy.com were forced off the Internet. Their information had not been deleted or modified, yet web surfers were unable to get to these sites to conduct business. These companies lost millions of dollars and the trust of consumers because an attack left the systems unavailable.

In order to provide the highest level of security for your network, we employ a comprehensive defense-in-depth strategy. This means that we secure everything from your connection to the Internet to users' workstations. If you only implement one security technology, you're not securing your network.
Only by deploying security technology at every layer of your network can you be sure you're as safe as possible.

The complexity of your network will dictate the complexity of your security. For a small office you may only need a few products such as personal firewalls and anti-virus software. A large e-commerce site, however, might require a multi-layer firewall, distributed intrusion detection, VPN support for external users, enterprise anti-virus software, application proxy servers, content filtering, and out-of-band management. We'll design a security solution that fits your network and explain what protection each layer does and does not offer.

Connecting to the Internet

"But we have a firewall!" Firewalls are a great first line of defense, but they must be properly installed, configured, and maintained. As with any other device on your network, new security problems are constantly being found in all firewalls. You need to make sure that you have the latest security patches for all your systems.

A firewall filters out requests for network services you don't offer. For example, if you don't have a web server, you don't want requests for web pages entering your network. If you do have a web server, you want to allow web page requests to go only to your web server. If you have an e-mail server, you only want it to send and receive e-mail.

A firewall does not, however, provide complete protection for your network. A firewall can't fully protect publicly accessible computers such as e-mail and web servers. As long as you have a system that needs public access, you have to punch a "hole" in your firewall to let that traffic through. The firewall has little control over the information that passes through that hole, which leaves the publicly accessible server open to attack. Wireless networks and modems connected to a phone line also give attackers another simple mechanism to completely sidestep your firewall.
Approximately 70% of all network attacks originate from inside the network. As amazing as it sounds, it's true. Disgruntled employees, corporate espionage, hacker "wannabes", and just plain user error pose a greater threat to your network than anything else. If an attack on your network is launched from behind the firewall, there's no way for the firewall to stop it. Other security technologies must be employed to detect and stop these attacks.

If you need to provide secure access to your network to mobile users or external partners, you'll want to consider some form of Virtual Private Networking. A VPN allows authorized people outside your network to connect to your network as if they were on the inside. VPNs use encryption to protect your private information as it travels across the public Internet. VPNs can be hardware or software based and may be integrated into your firewall.

Securing Your Network Equipment

We'll examine the configuration of all your routers and switches. This ensures that the hardware that controls your internal network is not subject to compromise or abuse. Your network will be resistant to tampering and information will flow only as your policies allow. We'll also examine your physical security and make recommendations to protect your critical equipment from unauthorized access.

Detecting Intruders

While a firewall protects you from most external threats, there are still vulnerabilities that exist. If you run a web server on your network, your firewall will have to have a "hole" in it to allow external users access to the web server. While necessary, this opens your web server up to attack, and this is where an Intrusion Detection System, or IDS, comes into play. It monitors all the network traffic that makes it through your firewall and stops known attacks before they get to your internal systems.
An IDS also monitors connections that come from inside your network to protect against accidental or intentional abuse of your network by insiders. If a firewall is the lock on your network, intrusion detection is the burglar alarm.

Protecting Your Servers and Workstations

Servers and workstations need special attention. If either was installed with default settings, those systems are wide open to attack. We'll reconfigure and patch your systems to close all the loopholes. We'll also ensure users are granted only the permissions and access rights that are required to do their job. For example, you don't want all your employees to have access to payroll data.

We'll also implement application security on your systems. Primarily this is protection against malicious software such as viruses, Trojan horses, and worms by using anti-virus software that is up to date to protect against the most recent threats. It also means installing the latest patches for common programs such as Microsoft Office to protect against vulnerabilities in your software that may not be caught elsewhere.

Monitoring and Managing Your Security Architecture

After your security is in place, you're not done. As new vulnerabilities are found and new attacks launched, you have to update all your security layers to stay protected. By constantly monitoring the latest threats and vulnerabilities, we can apply new patches and update systems to keep your network safe.

Routine network management also helps ensure the survivability of your network. If, in the rare instance, you are one of the first to be hit by a new attack or virus before a patch is developed, you need to be able to recover quickly. Only by having your finger on the pulse of your network can you know when something is wrong and what the problem is. Management software, redundant systems, and tape backups are all things that need to be considered when securing your network.
Seeing the Big Picture

At Carter Hill Technologies, we take the time to understand your goals, your business, and your network. We make sure we have all the pieces in place to provide effective, affordable network-wide security. Call us today for your free initial consultation.