Five steps to controlling network access


Wes Noonan
11.16.2004


Wes Noonan, author of "Hardening Network Infrastructures," reviews steps you can take from both a Windows and network perspective to protect your data regardless of what is occurring at the network perimeter.


One common security mistake is to treat the network and applications as separate entities that never interact. You may have separate people maintaining them, separate security policies, separate procedures and so on. Hardening Windows servers will go a long way toward protecting the integrity of the data on those servers, but you must also harden the network infrastructure itself. Start by taking the following five steps.

1. Implement access control lists (ACLs)

If someone can get inside your network, they can gain access to your Windows systems. You need to implement strict ACLs on your network equipment and grant access only to the users who require it. For example, do users in Houston ever need access to systems in New York? If not, chances are the traffic passing between those systems isn't essential to the business.

2. Implement network-based access control (NBAC)

Connecting systems to the network used to be a hassle: You had to build the network drivers, assign addresses and physically connect systems to get them to talk. Although this made it difficult for unauthorized systems to easily connect to the network, it created excessive administrative overhead. Then technologies like star-wired networks and Dynamic Host Configuration Protocol (DHCP) made it exceedingly simple to connect systems to the network. At first I rejoiced! But now I realize anyone can connect to the network. In fact, approximately 90% of the customers I visit have live network jacks that I can easily plug into to gain network access even if they have some written policy that states unauthorized connections are not permitted.

NBAC seeks to provide an enforcement mechanism to support those written policies. With NBAC, you define what an authorized user is and ensure that connected systems are running the appropriate patches and software versions. If they aren't, the systems are placed in quarantine until they are patched or updated.
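The quarantine decision described above, as an added example that is not part of the original article: a small fail-closed posture evaluator that compares what a connecting endpoint reports against the baseline the policy requires and assigns it to a production or quarantine VLAN. The baseline, hotfix IDs, VLAN names and endpoint records are constructed placeholders, not real patch identifiers or any product's API.

```python
"""Posture check behind a network-based access control (NBAC) decision.

Added example, not from the article. Every baseline value, hotfix ID
(e.g. "KB-EXAMPLE-1"), VLAN name and endpoint record below is a
constructed placeholder."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

PRODUCTION_VLAN = "vlan-100-production"   # assumed VLAN names
QUARANTINE_VLAN = "vlan-999-quarantine"


@dataclass
class Baseline:
    min_service_pack: int
    required_hotfixes: Set[str]
    min_av_signature: Tuple[int, int, int]


# Constructed policy: one baseline per supported OS.
POLICY: Dict[str, Baseline] = {
    "Windows XP": Baseline(2, {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}, (4, 3, 20)),
    "Windows 2000": Baseline(4, {"KB-EXAMPLE-3"}, (4, 3, 20)),
}


@dataclass
class Endpoint:
    mac: str
    os_name: str
    service_pack: int
    hotfixes: Set[str] = field(default_factory=set)
    av_signature: str = "0.0.0"   # dotted version string reported by the agent


def parse_version(text: str) -> Tuple[int, ...]:
    """'4.3.20' -> (4, 3, 20); tuples compare numerically, so '4.10.0' > '4.9.0'."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return (0,)   # unparsable is treated as the oldest possible version


def evaluate_posture(ep: Endpoint, policy: Dict[str, Baseline] = POLICY) -> Tuple[str, List[str]]:
    """Return (vlan, findings). Any finding, or an unknown OS, means quarantine (fail closed)."""
    baseline = policy.get(ep.os_name)
    if baseline is None:
        return QUARANTINE_VLAN, [f"unsupported or unidentified OS '{ep.os_name}'"]
    findings: List[str] = []
    if ep.service_pack < baseline.min_service_pack:
        findings.append(f"service pack {ep.service_pack} below required SP{baseline.min_service_pack}")
    missing = sorted(baseline.required_hotfixes - ep.hotfixes)
    if missing:
        findings.append("missing hotfixes: " + ", ".join(missing))
    if parse_version(ep.av_signature) < baseline.min_av_signature:
        required = ".".join(map(str, baseline.min_av_signature))
        findings.append(f"AV signature {ep.av_signature} older than required {required}")
    return (QUARANTINE_VLAN if findings else PRODUCTION_VLAN), findings


# Constructed endpoints: one compliant, one behind on everything, one unknown.
SAMPLE_ENDPOINTS = [
    Endpoint("00:11:22:33:44:01", "Windows XP", 2, {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}, "4.3.25"),
    Endpoint("00:11:22:33:44:02", "Windows XP", 1, {"KB-EXAMPLE-1"}, "4.2.0"),
    Endpoint("00:11:22:33:44:03", "Unknown", 0),
]


def assign_vlans(endpoints: List[Endpoint] = SAMPLE_ENDPOINTS) -> Dict[str, str]:
    """Map each endpoint MAC to the VLAN its switch port should be placed in."""
    return {ep.mac: evaluate_posture(ep)[0] for ep in endpoints}


if __name__ == "__main__":
    for ep in SAMPLE_ENDPOINTS:
        vlan, findings = evaluate_posture(ep)
        detail = "" if not findings else " (" + "; ".join(findings) + ")"
        print(f"{ep.mac} -> {vlan}{detail}")
```

The design choice worth noting is the default: an endpoint the policy cannot classify lands in quarantine, not production, so a gap in the baseline never becomes an open port.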

3. Restrict remote connections

Implementing a VPN can be a risky endeavor: it permits network access for both users and viruses. Instead of allowing VPN access to your entire network, implement network ACLs that restrict remote users to only the servers and resources they need. For instance, if the VPN is used only to reach Citrix or Terminal Server farms, the only traffic allowed through it is Citrix traffic to the Citrix servers; if a remote client's system is infected, it will not infect your network.
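The ACLs from step 1 (site-to-site) and step 3 (VPN users to the Citrix farm), as an added example that is not part of the original article: a small model of first-match ACL evaluation with the implicit deny that router and firewall ACLs end with, useful for checking a rule set against sample flows before it is pushed to real equipment. Every address range, host and rule is a constructed assumption; 1494/tcp (Citrix ICA) and 3389/tcp (RDP) are the only values taken from real protocols.

```python
"""First-match ACL evaluation with an implicit deny at the end.

Added example, not from the article. The address plan, hosts and rules
are constructed; the behaviour modelled (top-to-bottom match, first hit
wins, unmatched traffic denied) is how most network ACLs work."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                   # "permit" or "deny"
    proto: str                    # "tcp", "udp" or "ip" (any protocol)
    src: IPv4Network
    dst: IPv4Network
    dport: Optional[int] = None   # None = any destination port
    comment: str = ""

    def matches(self, proto: str, src: IPv4Address, dst: IPv4Address, dport: Optional[int]) -> bool:
        if self.proto != "ip" and self.proto != proto:
            return False
        if src not in self.src or dst not in self.dst:
            return False
        return self.dport is None or self.dport == dport


def evaluate(acl: List[Rule], proto: str, src: str, dst: str,
             dport: Optional[int] = None) -> Tuple[str, str]:
    """Walk the ACL top to bottom; the first matching rule decides.
    A flow that matches nothing is denied, exactly as on most network gear."""
    s, d = ip_address(src), ip_address(dst)
    for index, rule in enumerate(acl):
        if rule.matches(proto, s, d, dport):
            return rule.action, f"rule {index}: {rule.comment}"
    return "deny", "implicit deny (no rule matched)"


# Constructed address plan.
HOUSTON = ip_network("10.1.0.0/16")
NEW_YORK = ip_network("10.2.0.0/16")
NY_MAIL = ip_network("10.2.10.25/32")
CITRIX_FARM = ip_network("10.2.50.0/24")
VPN_POOL = ip_network("192.168.100.0/24")

# Step 1: ACL applied inbound on the New York router's WAN link from Houston.
# Houston needs the corporate mail server and nothing else in New York; the
# explicit deny documents that decision and gives the router something to log.
SITE_ACL = [
    Rule("permit", "tcp", HOUSTON, NY_MAIL, 25, "Houston mail relay to corporate mail server"),
    Rule("deny", "ip", HOUSTON, NEW_YORK, None, "no business need for Houston-to-New-York traffic"),
]

# Step 3: ACL on the VPN concentrator's inside interface. Remote clients reach
# only the Citrix/Terminal Server farm; the implicit deny drops everything else,
# so an infected remote PC cannot reach file servers or database ports.
VPN_ACL = [
    Rule("permit", "tcp", VPN_POOL, CITRIX_FARM, 1494, "ICA to Citrix farm"),
    Rule("permit", "tcp", VPN_POOL, CITRIX_FARM, 3389, "RDP to Terminal Server farm"),
]

if __name__ == "__main__":
    # Constructed sample flows, one per situation the article mentions.
    flows = [
        (SITE_ACL, "tcp", "10.1.5.20", "10.2.7.9", 445),          # Houston PC to a NY file server
        (SITE_ACL, "tcp", "10.1.5.20", "10.2.10.25", 25),         # Houston relay to NY mail
        (VPN_ACL, "tcp", "192.168.100.7", "10.2.50.10", 1494),    # remote user to Citrix
        (VPN_ACL, "udp", "192.168.100.7", "10.2.7.9", 1434),      # Slammer-style probe at SQL resolution port
    ]
    for acl, proto, src, dst, dport in flows:
        action, reason = evaluate(acl, proto, src, dst, dport)
        print(f"{proto} {src} -> {dst}:{dport}  {action:6}  {reason}")
```

Run it as a script to see each flow's verdict and the rule that produced it; the last flow shows the point of step 3, since the worm traffic never matches a permit and is dropped by the implicit deny without any rule naming it.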

4. Restrict and secure wireless connections

If implemented behind your firewall, wireless LAN connections create a particularly large, gaping hole in your network perimeter. As a result, your wireless LAN connections should be treated like any other remote connection: Terminate them outside your firewall and require a VPN connection to gain access to internal and protected resources.

5. Implement IPsec

Implementing IPsec on your network is a great way to protect data in transit from being compromised. But it's no panacea. For example, if a machine is infected with Slammer, IPsec will only ensure the Slammer traffic is encrypted before it is transmitted. When used in conjunction with the other hardening methods, however, IPsec can serve as an effective method for protecting your internal traffic from prying eyes.

Conclusion

Due to network de-perimeterization, you can no longer rely exclusively on the network perimeter to protect systems and data. Removing the perimeter entirely is not the solution, nor is hardening the perimeter alone. You must also harden your Windows systems and network infrastructures to protect data in the event that the network perimeter fails or is circumvented.


About the Author
Wesley J. Noonan has been working in the computer industry for over 12 years, specializing in Windows-based networks and network infrastructure security design and implementation. He is a senior network consultant for Collective Technologies, LLC (www.colltech.com). Wes recently authored the book "Hardening Network Infrastructures" for Osborne/McGraw-Hill and previously authored a chapter on network security and design for "The CISSP training guide" by QUE Publishing.


Note: This article originally appeared on SearchWindowsSecurity.com.
