Cyberspace is a dangerous place nowadays. There was a time when companies could protect themselves simply by putting a firewall on the network edge. That time is long past, and the “Bad Guys” have become very skilled and very aggressive. Today even the “Good Guys” (your employees) can cause damage to the company network. To protect companies today, a strategy has been developed that looks at the network as a whole and provides protection at many levels. We will look at security protection levels from the end point out to the network edge, although the design can run in the other direction as well.
End users can protect themselves and their personal computers by having a strong password and keeping anti-virus and OS patches up to date. This will protect the user from any casual encounter with a security threat that the user happens upon. It is not enough to protect a corporate network.
The company needs to put domain/network policies in place to protect the users from themselves. These policies enforce strong passwords and grant access rights only to the users that need them. There is no reason the receptionist needs access to company financials or the sales force needs access to the HR files. The goal is to provide access to the files people need to do their job and nothing else. With a PC update system in place to push patches to the end users, the end-user machines always stay current and protected without depending on the users to do it themselves.
To protect the corporate network from threats at the edge, a company needs several types of protection. The main line of defense at the edge is the firewall. This firewall needs to be a “next generation or 2nd generation” firewall to protect against modern threats. The firewall needs to scan traffic in more depth than just the application type and the port it is coming in on. Real-time layer 7 scanning, or deep packet inspection, has become a requirement. The next line of defense is a corporate proxy server that is tied to network antivirus scanners and holds the company policies for end-user web surfing. This allows all incoming web traffic to be scanned for threats and enforces company policies on the type of surfing that the end user can do. The third line of edge defense is anti-virus on the corporate mail server and an active anti-spam program. These make sure that threats are stopped before they travel across the network to the end user. The fourth line of defense is one that most companies don’t like to think about: “Data Loss Prevention”. This protects company intellectual property and sensitive data from leaving the corporate network, either by negligence or through direct means.
By protecting themselves in depth, companies can stay ahead of the “Bad Guys” and not become the next headline.





