Most internal private networks should be considered hostile even though they are suppose to be protected. This is why any policy protecting the network at the perimeter should also be used internally. A computer network should not be like an M&M -- hard on the outside and soft on the inside. Instead, all policy outside and inside should be the same.
Servers should be protected with a proper infosec policy, auditing, and management. Host IDS should be used at ALL critical servers -- even on the inside. If you follow these rules and harden ALL your devices no matter the location, than you will be protected. If you feel you have a threat internally, I suggest using IDS Network and Host, both on the external (or extranet) and Internet networks. Enable advanced logging and AUDIT those logs. Additionally, have your management buy into a policy that dictates the termination of people who attempt to hack or crash your internal systems. Most companies have a policy that says only infosec can run scanners and other hacker/cracker software.Create the policy and post it. That should cure most of your issues. Place logging devices (IDS), and enable logging on your servers. Finally, as stated, always assume your networks are hostile, even the inside systems and hosts/users.
For more information on this topic, visit these other SearchSecurity.com resources:
Best Web Links: Security Policy & Infrastructure
Security Policies Tip: Creating an information security policy
Security Policies Tip: Developing a network security policy
This was first published in February 2002