Copyright 2020, Faulkner Information Services. All Rights Reserved.
Publication Date: 2001
Report Type: TUTORIAL
In today’s enterprise, voice and data networks
serve as essential conduits for communicating information
among employees, between employees and customers or business
partners, and between employees and other enterprise stakeholders. Not
surprisingly, the design, development, deployment, operation, and maintenance of secure
enterprise networks depends upon the formation of comprehensive
network management policies.
Information is essential to the modern enterprise, and enterprise networks
serve as an essential conduit for communicating data among employees, between employees
and customers, between employees and business partners, and between employees
and other enterprise stakeholders. Not surprisingly, the design, development, deployment, operation, and maintenance of secure enterprise networks
is a matter of enterprise policy and priority.
The enterprise Network Management Policy – and its subordinate
policies – are subject to rigorous standards. The policies must be
comprehensive, addressing all aspects of enterprise usage, and align with
(or otherwise support) the overall goals and objectives of the enterprise – not
just the information technology (IT) goals, but, more fundamentally, the
business goals of the enterprise.
Among these fundamental business goals is security. Secure network management policies generally share the same characteristics. They are:
Short, as brief as possible but no briefer.
Written in plain language, except where technical jargon is demanded.
Updated on a regular basis, at least annually (or more frequently based on business or network changes).
Backed by ample procedures (a policy is not a “how to” document).
Consistent with the enterprise-established IT governance standard, such as COBIT, ITIL, or ISO.
A note about nomenclature: Some network management policies may address
security explicitly (in which case the word "secure" or "security" will normally
appear in the title), or implicitly (in which case maintaining security is
considered a principal priority).
and practices for writing
network management (and other) policies differ from enterprise to
enterprise. For example, the following Network Firewall Policy template, offered by
Hewlett-Packard, consists of seven sections:
“Purpose – A
clear statement of the reason(s) the
security policy exists. For example: This document discusses the
security configuration baseline with which all firewalls deployed at XYZ
Corp should comply.
“Scope – Identifies which sections, divisions, or
departments of an organization are subject to the policy. The scope can also
define or indicate those sections that are exempt from the policy. For
example: This document applies to all departments of XYZ Corp. The
extranet department and the R&D department are exempt from this document
if their department specific policy defines a contradictory requirement.
“Policy – Clearly defines exactly what
requirements, conditions, configurations, and standards must be adhered to,
followed, or implemented. Items in this section of the policy might include
conditions under which VPN connections are enabled, what Internet services
are allowed to cross through the firewall, and what content is filtered.
– Identifies the individual or
group responsible for implementing the conditions of the policy.
“Enforcement – Discusses the consequences of
violating the policy.
“Definitions – Defines terms and acronyms to
ensure that everyone reading the policy will clearly understand exactly what
is being discussed.
“Revision History – Documents and dates all
changes to the firewall policy after its initial creation and deployment.
This essential part of any policy ensures that only the latest and most
up-to-date version is actually used.”1
In terms of network management, the “Network Management Policy” is
usually several policies. The “root,” or master, policy:
Describes the nature of network management.
Details the reasons why employees and other network users should adhere to
network management policy provisions.
Discusses the consequences of violating network management policies – both
for the enterprise and for the individuals involved.
Offers an index to subordinate policies.
Subordinate policies are usually developed according to their intended
audience. For example, while both users and technicians – primarily users
– must be cognizant of the “Acceptable Network Use Policy,” the
“Network Patch Management Policy” is germane only to IT and Security
personnel. Table 1 identifies some of the possible subordinate network
Table 1. Possible Subordinate Network Management Policies
Acceptable Network Use
how the enterprise network may be used. The ANUP is often employed
to define the limits of Internet usage, such as restricting access to
sites featuring inappropriate content.
Establishes Infosec responsibilities regarding
enterprise acquisitions, and defines the minimum security requirements
of an Infosec acquisition assessment.
Techs / Users
Network Backup and
how network data is protected against loss or contamination.
which devices may be connected to the network. This is becoming a
major issue as users petition to use their personal smartphones and
how network functions are continued or recovered in the event of a
network-related disaster, including the loss of commercial Internet
e-mail dos and don’ts, such as “Do not open e-mail attachments from
which source and destination IP addresses are allowed.
Techs / Users
Network Incident Response
how network problems are reported, investigated, and, if necessary,
Network Intrusion Prevention3
Specifies how intrusion prevention systems detect
and block network attacks and attacks on browsers, as well as protect
applications from vulnerabilities.
The LiveUpdate Content
policy and the LiveUpdate Settings policy
contain the settings that determine how and when client computers
download content updates from LiveUpdate.
Techs / Users
the rules for creating and changing login passwords. May also
specify related identity management requirements, such as two-factor
Network Patch Management
the interval between receiving and applying network patches,
particularly security fixes.
Network Remote Access
how remote users – including teleworkers – may safely connect to the
Network Router and Switch5
Specifies a required minimal security
configuration for all routers and switches connecting to a production
network or used in a production capacity at or on behalf of the
how the network – and network data – are secured, via encryption or
Network Virus and Spyware Protection6
Specifies how the network:
Detects, removes, and repairs the side
effects of viruses, spyware, and other malware.
Detects the threats in the files that users
try to download.
Detects the applications that exhibit
Techs / Users
Virtual Network Management
Specifies how virtual networks and virtual
network components and services are managed and secured.
Specifies the technical requirements that
wireless infrastructure devices must satisfy to connect to an enterprise
network. Only those wireless infrastructure devices that meet the
requirements specified in this standard or are granted an exception by
the InfoSec Team are approved for connectivity to an enterprise network.
Owing to their complexity, network management
policies are seldom written from scratch. “Canned” policies, which can
be easily modified to suit the needs of a particular enterprise, are
available for a fee from commercial sources. They are also available
for free from organizations such as the SANS Institute, the US National Institute of Standards and
Technology (NIST), or even the White House.
The Obama White House, for example, crafted a “BYOD Toolkit” that offers five
“Policy and Guidelines for Government-Provided Mobile Device Usage”
“Bring Your Own Device – Policy and Rules of
“Mobile Information Technology Device Policy”
“Wireless Communication Reimbursement
“Portable Wireless Network Access Device Policy”
The following is an extract from the "Portable Wireless Network Access Device
Policy." While obviously intended for federal agencies, this policy could be
readily adapted and adopted by private-sector enterprises and non-profit organizations.
This policy applies to all employees of the
who use portable wireless devices capable of accessing
resources. This policy describes the handheld wireless network
access system implementation, recommends guidelines for usage and lists
policies and procedures that apply to its use. Portable wireless
network access devices are provided to improve customer service and
enhance government efficiencies and will only be provided to employees
whose Managers have determined that the employee has a demonstrated
The purpose of this policy is to establish rules for the use of portable wireless computing devices and their connection to the
network. These rules are necessary to preserve the integrity, availability and confidentiality of the
Those employees of the
who have a need for
immediate notification and access to email, voice and web services while
away from their office or in a mobile situation are candidates for use
of a portable wireless network access device. All usage is covered
by [AGENCY NAME]’s Acceptable Use Policy. Primary use of the portable wireless network access device is for official
business. Personal use of government-owned portable wireless network access devices (for
email, calendar, incoming and outgoing telephone calls) shall be limited to
infrequent, incidental and/or emergency use.
Within each department,
agency and/or component, the determining authority and responsibility
for issuance of portable wireless network access device shall rest with
[COMPONENT APPROVING AUTHORITY]
or similar approving
Final authority and wireless activation of each new wireless network access device shall rest with the
[AGENCY NAME] Chief Information Officer or his/her designee.
[AGENCY NAME] shall implement appropriate
process and controls over the common server, infrastructure, transport
services and computing resources under its control. Deployment of
the portable wireless network access devices will be limited dependent
on available resources.
Network security controls
must not be bypassed or disabled. To the extent possible, security
capabilities of the wireless device should be employed that are
consistent with the
Acceptable Use Policy. Use of any Cellular Telephone access shall be governed by the
Cellular Telephone policy.
Violation of this policy may result
in disciplinary action, loss of access privileges to the common server
infrastructure, or civil and criminal prosecution.8
Secure network management policies should be based on widely accepted and
respected network management principles. For most enterprises – especially
enterprises with a global footprint – adherence to the ISO 27033 set of
standards is considered prudent, if not essential.
ISO/IEC 27033-1:2015 Information
technology — Security techniques — Network security — Part 1:
Overview and concepts
ISO/IEC 27033-1:2015 provides an overview of
network security and related definitions. It defines and describes
the concepts associated with, and provides management guidance on,
network security. (Network security applies to the security of
devices, security of management activities related to the devices,
applications/services, and end-users, in addition to security of the
information being transferred across the communication links.)
Information technology — Security techniques — Network
security — Part 2: Guidelines for the design and
implementation of network security
ISO/IEC 27033-2:2012 gives guidelines
for organizations to plan, design, implement and
document network security.
Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — Threats, design techniques and control issues
Part 3 describes the threats, design techniques and control issues associated with reference network scenarios. For each scenario, it provides detailed guidance on the security threats and the security design techniques and controls required to mitigate the associated risks. Where relevant, it includes references to ISO/IEC 27033-4 to ISO/IEC 27033-6 to avoid duplicating the content of those documents.
Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways
ISO/IEC 27033-4:2014 gives guidance for securing communications between networks using security gateways (firewall, application firewall, Intrusion Protection System, etc.) in accordance with a documented information security policy of the security gateways, including:
Identifying and analyzing network security threats associated with security gateways;
Defining network security requirements for security gateways based on threat analysis;
Techniques for design and implementation to address the threats and control aspects associated with typical network scenarios;
Addressing issues associated with operating, monitoring and reviewing network security.
— Network security
— Part 5: Securing
Private Networks (VPNs)
gives guidelines for
monitoring of the
necessary to provide
Private Network (VPN)
networks and connect
remote users to
In the future, the ability to generate and maintain secure network
management policies may be influenced by several factors:
Globalization – The need to comply with multiple security and
privacy regulations from multiple jurisdictions; in particular, the
European Union (EU).
Cloud Computing – The need to maintain
a mixed network environment, including public and private clouds.
Smartphone and Tablet Proliferation – The need
to support an ever-expanding range of smartphones and tablets, each with
its own security characteristics.
IPv6 – The need to transition to Internet Protocol version 6.
Internet of Things – The need to support an emerging
class of Internet-connected systems, sensors, and other devices.
Edge Computing – The need to accommodate data processing at the
Today’s enterprise does business on a worldwide
basis. With that opportunity comes an obligation to comply with local,
national, and international security and privacy policies. The world’s
strictest policies belong to the European Union, with the effect that
adhering to EU policies will almost certainly position an enterprise for
Importantly, the EU
policymakers seem forever busy turning out new policies – or new
variations on old policies. As a result, the enterprise chief
compliance officer (CCO), in cooperation with the enterprise general counsel, must
remain vigilant in reviewing – and assessing the implications of – EU
security and privacy pronouncements.
For example, the new European Union General Data Protection Regulation (GDPR) imposes new, stricter data security
requirements on enterprises operating within the EU, or handling personal data
belonging to EU residents.
A parallel initiative, the Digital Republic Bill, adopted by France in
October 2016, penalizes enterprises that evidence inadequate data security
Perhaps inspired by GDPR, the state of California passed the California
Consumer Privacy Act (CCPA). Commencing January 1, 2020, CCPA grants consumers
various increased rights with regard to personal information held by a business.
Among the expanded rights are the right to request a business to delete any
personal information that is collected by the business, and the business is
required to comply with such a verifiable consumer request unless the data is
necessary to carry out specified acts.
From a policy perspective, the major issue surrounding cloud computing is
third-party involvement, as enterprise data travels to and from enterprise and
non-enterprise networks; in the latter category, networks belonging to:
Supply chain partners
Managed security services providers (MSSPs)
Under ideal circumstances, the same secure network management policies
observed by the enterprise would be followed by each non-enterprise actor. In practice, of course, each network owner/operator establishes its own
To achieve maximum protection, enterprise officials, both IT and security,
should “drill down” on partner network management practices. They should
determine, at minimum, if each partner adheres to sound – if not necessarily
identical – network management policies.
Smartphone and Tablet Proliferation
As smartphone and tablet usage continues to expand worldwide, mobile
platforms will become even more tempting targets for malware makers.
Since enterprise business officials are finding it harder to “just say
no” to the “Bring-Your-Own-Device” (BYOD) crowd – those individuals who
argue for the need to connect consumer-grade smartphones and
tablets to enterprise networks – enterprise security officials will
likely amend network management policies to permit the use of a wider
selection of mobile information devices.
To compensate for this concession, security officials will – or should –
detail how each brand and model of authorized smartphone or tablet should be
secured – perhaps in a special subordinate policy or policy addendum.
Internet Protocol version 6 (IPv6) is the planned next generation of the IP
protocol. Slated to succeed IPv4, and proposed for future enterprises, intranets,
and the Internet, IPv6 provides easier administration, an expanded
addressing scheme, and, most importantly, tighter security.
Figure 1 reflects the status of IPv6 industry deployments through December
Figure 1. IPv6 Industry Deployments – 12/17/2019
Source: US NIST
As enterprises migrate to IPv6, they must modify their network policies and
Internet of Things
A term coined by technologist Kevin Ashton in 1999,11 the "Internet
of Things" (IoT) refers to efforts designed to extend the dominion of the
Internet from cyber space to the physical world, creating a network of
intelligent devices that form the mechanical equivalent of the body’s central
nervous system. The purpose is twofold:
To gather information about physical processes in order to improve
To exercise real-time control over physical processes in order to
effect greater operational efficiency and effectiveness.
As analyst Nick Ismail observes, "For some time, one of the primary concerns
with IoT has been its impact on network security. This is because a greater
number of devices are connecting to the network, resulting in a much higher risk
of hackers being able to gain access and do damage."
For those affected, Ismail suggests "creating
a device management policy: A policy
that lays out guidelines for IoT device integration and connection to your
network will help streamline the managing process."12
As the term implies, "edge computing" is computing at the network edge.
According to Gartner, "Edge computing describes a computing topology in which
information processing and content collection and delivery are placed closer to
the sources of this information."13
The emergence of edge computing is tied to Industrial Internet of Things (IIoT), in which industrial components are
transformed into smart machines capable of collecting and processing data
locally and transmitting it to a central data center, or the cloud. Given the
sheer volume of data being collected by sensors and other intelligent devices,
it only makes sense to conduct as much processing "onsite" as possible; in other
words, to shift processing to the network edge.
If edge computing sounds like the latest incarnation of distributed
computing, it is. The principal difference between edge computing and earlier
distributed forms is that edge computing is essential to certain use cases. The
most frequently cited example involves self-driving or autonomous cars, in which
the onboard AI systems must make immediate, often life-and-death, decisions
based on vehicle sensor data. There is literally no time to transmit data to the
cloud for processing. The processing must take place within the vehicle, or at
Network management policies must be amended to enable secure edge operations.