Data center managers must work with their network, security and OS admins to devise data security best practices that exploit appropriate tools and settings.
Security administrators often implement specific, individual data security measures in an effort to protect the enterprise's network. Some of these measures are network-centric concepts such as intrusion detection system (IDS) rules, firewall rules, or virtual local area network configurations. Others are based on files -- file and drive encryption or policy configurations that dictate who or what can access which files.
To maintain IT infrastructure security, data center managers should ask: Are any of these options better than the other? If so, when should the IT team choose one option over others?
Network-based security controls
At its most fundamental level, a network-based security control dictates what can and cannot enter or exit a network. Network security is commonly addressed with a firewall, IDS or combination of the two. A firewall of the deep packet inspection (DPI) variety effectively examines binaries attempting to enter a given network, and data exiting the network.
Less expensive firewalls without DPI are still effective if the network administrator, working in concert with the security administrator, disallows specific types of traffic. For example, if a specific IP range such as 10.1.1.0/24 is a known source of malicious activity, the network administrator should configure a firewall rule such as: # iptables -A INPUT -s 10.1.1.0/24 -j DROP.
Intrusion detection systems work similarly to network firewalls, but with some significant differences. An IDS and a traditional firewall have different roles within a network: While a traditional firewall is oriented toward denying and allowing, an IDS is geared toward alerting. For example, a security admin will use an IDS when a type of traffic entering the network looks suspicious but it is not yet known whether it is malicious. A network admin may likewise want visibility into any Web traffic entering the network from outside of the firewall.
An IDS rule, on the open source Snort tool for example, configured as: alert tcp any any -> any 80 (content:"GET";), alerts on any inbound HTTP GET requests to a given network. This traffic may be the first in a long trail of clues that leads to the discovery of something malicious.
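The contrast between the two rules above (the iptables DROP rule for 10.1.1.0/24 and the Snort alert rule for inbound port-80 traffic containing "GET") can be made concrete by evaluating both against a handful of packets. The following Python is an added example, not code from the article, Snort or iptables: it models each rule as a small matcher and runs them over constructed packet records, so the reader can see which packets are blocked, which only raise an alert, and why a given packet fails to match.

```python
"""Firewall DROP rule vs. IDS alert rule, evaluated over sample packets.

Added illustration (not from the original article). Models
  iptables -A INPUT -s 10.1.1.0/24 -j DROP          (firewall, blocks)
  alert tcp any any -> any 80 (content:"GET";)       (Snort-style IDS, alerts)
The Packet records at the bottom are constructed sample data, not captures.
"""
import ipaddress
from dataclasses import dataclass

# Rule strings as they appear in the article.
BLOCKED_NET = ipaddress.ip_network("10.1.1.0/24")
SNORT_RULE = 'alert tcp any any -> any 80 (content:"GET";)'


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    sport: int
    dst: str
    dport: int
    payload: bytes


def firewall_decision(pkt, blocked_net=BLOCKED_NET):
    """Mimic the iptables rule: DROP anything sourced from the blocked range,
    otherwise fall through to a default ACCEPT policy."""
    if ipaddress.ip_address(pkt.src) in blocked_net:
        return "DROP"
    return "ACCEPT"


def parse_snort_rule(rule):
    """Parse the small header/option subset used by the article's rule:
    'action proto src sport -> dst dport (content:"...";)'."""
    header, _, options = rule.partition("(")
    action, proto, src, sport, arrow, dst, dport = header.split()
    if arrow != "->":
        raise ValueError("only unidirectional '->' rules are supported here")
    content = None
    for opt in options.rstrip(")").split(";"):
        opt = opt.strip()
        if opt.startswith("content:"):
            # Snort content matches are byte-exact and case-sensitive by default.
            content = opt[len("content:"):].strip().strip('"').encode()
    return {"action": action, "proto": proto, "src": src, "sport": sport,
            "dst": dst, "dport": dport, "content": content}


def _field_matches(rule_value, actual):
    """'any' is a wildcard; otherwise compare the textual form."""
    return rule_value == "any" or str(actual) == rule_value


def ids_matches(rule, pkt):
    """True when every header field and the content option match the packet."""
    return (rule["proto"] == pkt.proto
            and _field_matches(rule["src"], pkt.src)
            and _field_matches(rule["sport"], pkt.sport)
            and _field_matches(rule["dst"], pkt.dst)
            and _field_matches(rule["dport"], pkt.dport)
            and (rule["content"] is None or rule["content"] in pkt.payload))


def evaluate(packets, rule_text=SNORT_RULE):
    """Return a (firewall_decision, ids_alerted) pair per packet.

    The two verdicts are computed independently: whether an IDS sensor ever
    sees a packet the firewall drops depends on where the sensor is placed."""
    rule = parse_snort_rule(rule_text)
    return [(firewall_decision(p), ids_matches(rule, p)) for p in packets]


# Constructed sample traffic (RFC 5737 documentation addresses for the hosts).
SAMPLE_PACKETS = [
    Packet("tcp", "10.1.1.7", 51000, "192.0.2.10", 80, b"GET / HTTP/1.1\r\n"),
    Packet("tcp", "198.51.100.5", 51001, "192.0.2.10", 80, b"GET /index HTTP/1.1\r\n"),
    Packet("tcp", "198.51.100.5", 51002, "192.0.2.10", 443, b"GET / HTTP/1.1\r\n"),
    Packet("tcp", "198.51.100.5", 51003, "192.0.2.10", 80, b"POST /form HTTP/1.1\r\n"),
]

if __name__ == "__main__":
    for pkt, (fw, alerted) in zip(SAMPLE_PACKETS, evaluate(SAMPLE_PACKETS)):
        print(f"{pkt.src}:{pkt.sport} -> {pkt.dst}:{pkt.dport}  "
              f"firewall={fw:<6} ids_alert={alerted}")
```

The first packet is both dropped and, if a sensor sits outside the firewall, alerted on; the second is accepted but alerted on; the third misses the rule on port and the fourth on content. That is the practical difference the article draws: the firewall rule removes traffic, the IDS rule only tells you it happened.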
Firewall and IDS concept
A concept known as the Cisco ASA with FirePower Services has recently gained a considerable amount of interest for data security. Developed by Cisco and Sourcefire, it combines the Cisco ASA series of firewalls with the granularity of the Snort IDS. Consequently, while intrusion detection administration and network administration have been separate yet overlapping disciplines, a merging of the two is just around the corner.
File-based IT security
Generally, file-based security controls are very granular. In most OSes, admins can place intricate policy restrictions on a single file or an entire directory of files. For example, a Linux administrator can run chmod 640 test.txt to set the permissions on a file named test.txt. The chmod command indicates that the permissions on a given file will be modified. The 6 indicates that the owner of the file has read and write permissions. The 4 indicates that the group the file belongs to has read permission, and the final 0 indicates that all other users have no rights to the file.
This example is a very small subset of the larger discipline of file-based security, and IT teams should consider additional measures such as file encryption and host-based security products, including Microsoft Security Essentials.
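To show what the three digits of chmod 640 actually grant, the following Python is an added example (not from the article) that decodes an octal mode into the owner/group/other triplets, applies it to a temporary file and reads the bits back with os.stat to confirm the change, and flags modes that expose a file to the group or to everyone. The file name test.txt and the file content are constructed for the demonstration.

```python
"""Decode, apply and audit a numeric chmod mode such as 640.

Added illustration, not code from the original article. Works on any
POSIX system; the temporary file and its content are constructed here.
"""
import os
import stat
import tempfile

# (flag, letter) pairs in ls order: owner rwx, group rwx, other rwx.
_BITS = ((stat.S_IRUSR, "r"), (stat.S_IWUSR, "w"), (stat.S_IXUSR, "x"),
         (stat.S_IRGRP, "r"), (stat.S_IWGRP, "w"), (stat.S_IXGRP, "x"),
         (stat.S_IROTH, "r"), (stat.S_IWOTH, "w"), (stat.S_IXOTH, "x"))


def parse_octal(text):
    """Turn the '640' typed on the chmod command line into an int mode."""
    return int(text, 8)


def mode_to_symbolic(mode):
    """Render the low 9 permission bits ls-style, e.g. 0o640 -> 'rw-r-----'."""
    return "".join(ch if mode & flag else "-" for flag, ch in _BITS)


def explain_mode(mode):
    """Describe each digit: {'owner': 'read, write', 'group': 'read', 'other': 'none'}."""
    names = {4: "read", 2: "write", 1: "execute"}
    out = {}
    for cls, shift in (("owner", 6), ("group", 3), ("other", 0)):
        digit = (mode >> shift) & 0o7          # one octal digit per class
        granted = [names[b] for b in (4, 2, 1) if digit & b]
        out[cls] = ", ".join(granted) if granted else "none"
    return out


def audit_mode(mode):
    """Return warnings for bits that widen access beyond the owner."""
    warnings = []
    if mode & stat.S_IWGRP:
        warnings.append("group can modify the file")
    if mode & (stat.S_IROTH | stat.S_IWOTH | stat.S_IXOTH):
        warnings.append("world-accessible: other users have rights to the file")
    return warnings


def apply_and_verify(path, mode):
    """chmod the file and return the permission bits read back from disk."""
    os.chmod(path, mode)
    return stat.S_IMODE(os.stat(path).st_mode)


def demo(mode_text="640"):
    """Create test.txt in a scratch directory, apply the mode, report the result."""
    mode = parse_octal(mode_text)
    with tempfile.TemporaryDirectory() as scratch:
        path = os.path.join(scratch, "test.txt")
        with open(path, "w") as fh:
            fh.write("constructed sample content\n")
        applied = apply_and_verify(path, mode)
        return mode_to_symbolic(applied)


if __name__ == "__main__":
    for text in ("640", "644", "660"):
        m = parse_octal(text)
        print(text, mode_to_symbolic(m), explain_mode(m), audit_mode(m) or "ok")
    print("applied:", demo("640"))
```

Running the block prints 640 as rw-r----- with no warnings, while 644 is flagged as world-readable and 660 as group-writable, which is the kind of check an administrator wants before trusting a mode that was set by hand.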
Combining the two
Data security best practices commonly blend network- and file-based security controls, especially given the popularity of the defense-in-depth paradigm over the past few years.
When the network, security and other specialists collaborate, security reaps the benefits. For example, a Windows administrator is routinely called upon to allow or deny execution of certain file types based on a user's role within the network. The admin may need to deny permission to run executables from end users' workstations. This gives the enterprise a file-based security control. The network administrator also denies entry of certain executables at the firewall. In this case, network-based security controls are exercised in tandem with the file-based controls for multiple layers of IT security.
In the event of a network breach, the first question is: What type of data security best practices were in place at the time of the intrusion? It is in the best interest of network and security administrators to have a firm grasp of their respective areas of responsibility and where they should collaborate. This includes in no small part what type of IT infrastructure security controls were in place prior to the breach.
About the author:
Brad Casey is an expert on network security with experience in penetration testing, public key infrastructure, VoIP and network packet analysis. He also covers system administration, Active Directory and Windows Server 2008, with interest in Linux virtualization and Wireshark captures. Casey spent five years in security assessment testing for the U.S. Air Force. He can be reached at [email protected].