Hi Jeff,
As I understand it you need a framework that supports you in the process
of deciding which security measures to implement at perimeters.
The alternative to this is to employ security specialists and put them
in a room and don't let them out until they have defined and documented
a network security plan. If I had that kind of experts within my
organisation, I would seriously consider this alternative.
Since there are a risk of putting system configuration and technical
details in a policy framework (the data is getting old very fast, and is
never updated...) I like to control the process of reaching the decision
of which controls to use.
Another important issue is that you never can replace knowledge with
policy frameworks. A policy framework can only ensure the way that
knowledge is used to reach goals, and perhaps aid in determine when to
employ experts (consultants or employed personnel) and what to expect
from them. This is bleeding obvious, but very often overlooked.
But, to the point: the framework for perimeter security.
Firstly: Investigate and note the requirements and security measures
that already has been approved and implemented. Places to look is your
organisation's policys and quality framework, legal requirements,
contracts with customers, outsourcing arrangements, 3:d party access,
etc. etc. etc.
Then: define types of objects that you would like to control. This could
be "external perimeter router", "perimeter firewall", "perimeter
networks" (DMZ:s).
Now it is time to decide which rules and controls that you like to
impose on this kind of types of objects.
When that is done, you can go into risk analysis and decide on what
controls to implement to mitigate risks up to the point where the
residual risk matches the overall accepted residual risk of the
organisation.
Finally: Implementation...
Jeff McLaughlin wrote:
All,
Looking for some guidence/policy/best practices ideas for securing primary
inbound internet traffic. I posted here because I'm more interested in
setting policy and not the specific technical details. This is prompted by
my initial investigation into upgrading our infrasturcture and having to sit
down and define what I expect these devices to do or specifially perform and
determine which vendor performs those functions the best.
For example:
Edge Router: Do we look at the edge router as more of a performance based
device rather then a security device and rely on the enterprise firewall to
perform primary security functions? Given a "best of breed" firewall, what
should I expect my edge router to do? Should I only expect it to do address
filtering and other fundamentals or look more towards managing half-open
sessions (rates & numbers) or udp sessions and how long they should be
allowed to be opened etc...
Firewall: If I have a "best of breed" firewall, is centralizing security
into this box and maximizing its use more productive and allow the edge
routers to just pass traffic as fast as possible.
IDS: same kind of issues.
What kind of policies have you set that define what the role of the edge
router/firewall/ids/internal routers to ensure threats are mitigated. There
is (can be) overlap on the fuctions of all these devices i.e., running a
firewall feature set on the edge router.
Thanks for any insight.. sorry if I rambled.
-jeff
--
Jakob Fredriksson <jf@rfc.se> Network & Security
Phone: +46 733 776036
