Copyright 2020, Faulkner Information Services. All Rights Reserved.
Docid: 00021148
Publication Date: 2001
Report Type: TUTORIAL
Preview
In today’s enterprise, voice and data networks serve as essential conduits for communicating information among employees, between employees and customers or business partners, and between employees and other enterprise stakeholders. Not surprisingly, the design, development, deployment, operation, and maintenance of secure enterprise networks depend upon the formation of comprehensive network management policies.
Information is essential to the modern enterprise, and enterprise networks serve as an essential conduit for communicating data among employees, between employees and customers, between employees and business partners, and between employees and other enterprise stakeholders. Not surprisingly, the design, development, deployment, operation, and maintenance of secure enterprise networks are a matter of enterprise policy and priority.
The enterprise Network Management Policy – and its subordinate
policies – are subject to rigorous standards. The policies must be
comprehensive, addressing all aspects of enterprise usage, and align with
(or otherwise support) the overall goals and objectives of the enterprise – not
just the information technology (IT) goals, but, more fundamentally, the
business goals of the enterprise.
Among these fundamental business goals is security. Secure network management policies generally share the same characteristics. They are:
Short, as brief as possible but no briefer.
Written in plain language, except where technical jargon is demanded.
Updated on a regular basis, at least annually (or more frequently based on business or network changes).
Backed by ample procedures (a policy is not a “how to” document).
Consistent with the enterprise-established IT governance standard, such as COBIT, ITIL, or ISO.
A note about nomenclature: Some network management policies may address security explicitly (in which case the word "secure" or "security" will normally appear in the title), or implicitly (in which case maintaining security is considered a principal priority).
The standards and practices for writing network management (and other) policies differ from enterprise to enterprise. For example, the following Network Firewall Policy template, offered by Hewlett-Packard, consists of seven sections:
“Purpose – A clear statement of the reason(s) the security policy exists. For example: This document discusses the security configuration baseline with which all firewalls deployed at XYZ Corp should comply.
“Scope – Identifies which sections, divisions, or departments of an organization are subject to the policy. The scope can also define or indicate those sections that are exempt from the policy. For example: This document applies to all departments of XYZ Corp. The extranet department and the R&D department are exempt from this document if their department specific policy defines a contradictory requirement.
“Policy – Clearly defines exactly what requirements, conditions, configurations, and standards must be adhered to, followed, or implemented. Items in this section of the policy might include conditions under which VPN connections are enabled, what Internet services are allowed to cross through the firewall, and what content is filtered.
“Responsibilities – Identifies the individual or group responsible for implementing the conditions of the policy.
“Enforcement – Discusses the consequences of violating the policy.
“Definitions – Defines terms and acronyms to ensure that everyone reading the policy will clearly understand exactly what is being discussed.
“Revision History – Documents and dates all changes to the firewall policy after its initial creation and deployment. This essential part of any policy ensures that only the latest and most up-to-date version is actually used.” [1]
In terms of network management, the “Network Management Policy” is usually several policies. The “root,” or master, policy:
Describes the nature of network management.
Details the reasons why employees and other network users should adhere to network management policy provisions.
Discusses the consequences of violating network management policies – both for the enterprise and for the individuals involved.
Offers an index to subordinate policies.
Subordinate policies are usually developed according to their intended audience. For example, while both users and technicians – primarily users – must be cognizant of the “Acceptable Network Use Policy,” the “Network Patch Management Policy” is germane only to IT and Security personnel. Table 1 identifies some of the possible subordinate network management policies.
Table 1. Possible Subordinate Network Management Policies

| Policy Name | Description | Primary Audience |
|---|---|---|
| Acceptable Network Use | Specifies how the enterprise network may be used. The ANUP is often employed to define the limits of Internet usage, such as restricting access to sites featuring inappropriate content. | Users |
| Acquisition Assessment [2] | Establishes Infosec responsibilities regarding enterprise acquisitions, and defines the minimum security requirements of an Infosec acquisition assessment. | Techs / Users |
| Network Backup and Recovery | Specifies how network data is protected against loss or contamination. | Techs |
| Network Configuration | Specifies which devices may be connected to the network. This is becoming a major issue as users petition to use their personal smartphones and tablets for business purposes. | Users |
| Network Continuity | Specifies how network functions are continued or recovered in the event of a network-related disaster, including the loss of commercial Internet service. | Techs |
| Network E-Mail | Specifies e-mail dos and don’ts, such as “Do not open e-mail attachments from unknown senders.” | Users |
| Network Firewall | Specifies which source and destination IP addresses are allowed. | Techs / Users |
| Network Incident Response | Specifies how network problems are reported, investigated, and, if necessary, escalated. | Techs |
| Network Intrusion Prevention [3] | Specifies how intrusion prevention systems detect and block network attacks and attacks on browsers, as well as protect applications from vulnerabilities. | Techs |
| Network LiveUpdate [4] | The LiveUpdate Content policy and the LiveUpdate Settings policy contain the settings that determine how and when client computers download content updates from LiveUpdate. | Techs / Users |
| Network Password | Specifies the rules for creating and changing login passwords. May also specify related identity management requirements, such as two-factor authentication. | Users |
| Network Patch Management | Specifies the interval between receiving and applying network patches, particularly security fixes. | Techs |
| Network Remote Access | Specifies how remote users – including teleworkers – may safely connect to the network. | Users |
| Network Router and Switch [5] | Specifies a required minimal security configuration for all routers and switches connecting to a production network or used in a production capacity at or on behalf of the enterprise. | Techs |
| Network Security | Specifies how the network – and network data – are secured, via encryption or other means. | Techs |
| Network Virus and Spyware Protection [6] | Specifies how the network detects, removes, and repairs the side effects of viruses, spyware, and other malware; detects the threats in the files that users try to download; and detects the applications that exhibit suspicious behavior. | Techs / Users |
| Virtual Network Management | Specifies how virtual networks and virtual network components and services are managed and secured. | Techs |
| Wireless Communication [7] | Specifies the technical requirements that wireless infrastructure devices must satisfy to connect to an enterprise network. Only those wireless infrastructure devices that meet the requirements specified in this standard or are granted an exception by the InfoSec Team are approved for connectivity to an enterprise network. | |
Owing to their complexity, network management policies are seldom written from scratch. “Canned” policies, which can be easily modified to suit the needs of a particular enterprise, are available for a fee from commercial sources. They are also available for free from organizations such as the SANS Institute, the US National Institute of Standards and Technology (NIST), or even the White House.
The Obama White House, for example, crafted a “BYOD Toolkit” that offers five sample policies:
“Policy and Guidelines for Government-Provided Mobile Device Usage”
“Bring Your Own Device – Policy and Rules of Behavior”
“Mobile Information Technology Device Policy”
“Wireless Communication Reimbursement Program”
“Portable Wireless Network Access Device Policy”
The following is an extract from the “Portable Wireless Network Access Device Policy.” While obviously intended for federal agencies, this policy could be readily adapted and adopted by private-sector enterprises and non-profit organizations.
POLICY SCOPE
This policy applies to all employees of the [AGENCY NAME] who use portable wireless devices capable of accessing [AGENCY NAME] computing resources. This policy describes the handheld wireless network access system implementation, recommends guidelines for usage and lists policies and procedures that apply to its use. Portable wireless network access devices are provided to improve customer service and enhance government efficiencies and will only be provided to employees whose Managers have determined that the employee has a demonstrated need.
The purpose of this policy is to establish rules for the use of portable wireless computing devices and their connection to the [AGENCY NAME] network. These rules are necessary to preserve the integrity, availability and confidentiality of the [AGENCY NAME] network.
POLICY STATEMENT
Those employees of the [AGENCY NAME] who have a need for immediate notification and access to email, voice and web services while away from their office or in a mobile situation are candidates for use of a portable wireless network access device. All usage is covered by [AGENCY NAME]’s Acceptable Use Policy. Primary use of the portable wireless network access device is for official [AGENCY NAME] business. Personal use of government-owned portable wireless network access devices (for email, calendar, incoming and outgoing telephone calls) shall be limited to infrequent, incidental and/or emergency use.
POLICY PROVISIONS
Within each department, agency and/or component, the determining authority and responsibility for issuance of portable wireless network access device shall rest with the [COMPONENT APPROVING AUTHORITY] or similar approving authority.
Final authority and wireless activation of each new wireless network access device shall rest with the [AGENCY NAME] Chief Information Officer or his/her designee.
[AGENCY NAME] shall implement appropriate process and controls over the common server, infrastructure, transport services and computing resources under its control. Deployment of the portable wireless network access devices will be limited dependent on available resources.
Network security controls must not be bypassed or disabled. To the extent possible, security capabilities of the wireless device should be employed that are consistent with the [AGENCY NAME] Acceptable Use Policy. Use of any Cellular Telephone access shall be governed by the [AGENCY NAME] Cellular Telephone policy.
Violation of this policy may result in disciplinary action, loss of access privileges to the common server infrastructure, or civil and criminal prosecution. [8]
ISO 27033
Secure network management policies should be based on widely accepted and respected network management principles. For most enterprises – especially enterprises with a global footprint – adherence to the ISO 27033 set of standards is considered prudent, if not essential.
ISO/IEC 27033-1:2015 Information technology — Security techniques — Network security — Part 1: Overview and concepts
ISO/IEC 27033-1:2015 provides an overview of network security and related definitions. It defines and describes the concepts associated with, and provides management guidance on, network security. (Network security applies to the security of devices, security of management activities related to the devices, applications/services, and end-users, in addition to security of the information being transferred across the communication links.)
ISO/IEC 27033-2:2012 Information technology — Security techniques — Network security — Part 2: Guidelines for the design and implementation of network security
ISO/IEC 27033-2:2012 gives guidelines for organizations to plan, design, implement and document network security.
ISO/IEC 27033-3:2010 Information technology — Security techniques — Network security — Part 3: Reference networking scenarios — Threats, design techniques and control issues
ISO/IEC 27033-3:2010 describes the threats, design techniques and control issues associated with reference network scenarios. For each scenario, it provides detailed guidance on the security threats and the security design techniques and controls required to mitigate the associated risks. Where relevant, it includes references to ISO/IEC 27033-4 to ISO/IEC 27033-6 to avoid duplicating the content of those documents.
ISO/IEC 27033-4:2014 Information technology — Security techniques — Network security — Part 4: Securing communications between networks using security gateways
ISO/IEC 27033-4:2014 gives guidance for securing communications between networks using security gateways (firewall, application firewall, Intrusion Protection System, etc.) in accordance with a documented information security policy of the security gateways, including:
Identifying and analyzing network security threats associated with security gateways;
Defining network security requirements for security gateways based on threat analysis;
Using techniques for design and implementation to address the threats and control aspects associated with typical network scenarios; and
Addressing issues associated with implementing, operating, monitoring and reviewing network security gateway controls.
ISO/IEC 27033-5:2013 Information technology — Security techniques — Network security — Part 5: Securing communications across networks using Virtual Private Networks (VPNs)
ISO/IEC 27033-5:2013 gives guidelines for the selection, implementation, and monitoring of the technical controls necessary to provide network security using Virtual Private Network (VPN) connections to interconnect networks and connect remote users to networks.
ISO/IEC 27033-6:2016 Information technology — Security techniques — Network security — Part 6: Securing wireless IP network access
ISO/IEC 27033-6:2016 describes the threats, security requirements, security control and design techniques associated with wireless networks. It provides guidelines for the selection, implementation and monitoring of the technical controls necessary to provide secure communications using wireless networks. The information in this part of ISO/IEC 27033 is intended to be used when reviewing or selecting technical security architecture/design options that involve the use of wireless network in accordance with ISO/IEC 27033-2.
In the future, the ability to generate and maintain secure network management policies may be influenced by several factors:
Globalization – The need to comply with multiple security and privacy regulations from multiple jurisdictions; in particular, the European Union (EU).
Cloud Computing – The need to maintain a mixed network environment, including public and private clouds.
Smartphone and Tablet Proliferation – The need to support an ever-expanding range of smartphones and tablets, each with its own security characteristics.
IPv6 – The need to transition to Internet Protocol version 6.
Internet of Things – The need to support an emerging class of Internet-connected systems, sensors, and other devices.
Edge Computing – The need to accommodate data processing at the network edge.
Globalization
Today’s enterprise does business on a worldwide
basis. With that opportunity comes an obligation to comply with local,
national, and international security and privacy policies. The world’s
strictest policies belong to the European Union, with the effect that
adhering to EU policies will almost certainly position an enterprise for
global compliance.
Importantly, the EU
policymakers seem forever busy turning out new policies – or new
variations on old policies. As a result, the enterprise chief
compliance officer (CCO), in cooperation with the enterprise general counsel, must
remain vigilant in reviewing – and assessing the implications of – EU
security and privacy pronouncements.
For example, the new European Union General Data Protection Regulation (GDPR) imposes new, stricter data security
requirements on enterprises operating within the EU, or handling personal data
belonging to EU residents.
A parallel initiative, the Digital Republic Bill, adopted by France in October 2016, penalizes enterprises that evidence inadequate data security infrastructures. [9]
Perhaps inspired by GDPR, the state of California passed the California
Consumer Privacy Act (CCPA). Commencing January 1, 2020, CCPA grants consumers
various increased rights with regard to personal information held by a business.
Among the expanded rights are the right to request a business to delete any
personal information that is collected by the business, and the business is
required to comply with such a verifiable consumer request unless the data is
necessary to carry out specified acts.
Cloud Computing
From a policy perspective, the major issue surrounding cloud computing is
third-party involvement, as enterprise data travels to and from enterprise and
non-enterprise networks; in the latter category, networks belonging to:
Cloud providers
Supply chain partners
Managed security services providers (MSSPs)
Under ideal circumstances, the same secure network management policies
observed by the enterprise would be followed by each non-enterprise actor. In practice, of course, each network owner/operator establishes its own
policies.
To achieve maximum protection, enterprise officials, both IT and security,
should “drill down” on partner network management practices. They should
determine, at minimum, if each partner adheres to sound – if not necessarily
identical – network management policies.
Smartphone and Tablet Proliferation
As smartphone and tablet usage continues to expand worldwide, mobile
platforms will become even more tempting targets for malware makers.
Since enterprise business officials are finding it harder to “just say
no” to the “Bring-Your-Own-Device” (BYOD) crowd – those individuals who
argue for the need to connect consumer-grade smartphones and
tablets to enterprise networks – enterprise security officials will
likely amend network management policies to permit the use of a wider
selection of mobile information devices.
To compensate for this concession, security officials will – or should –
detail how each brand and model of authorized smartphone or tablet should be
secured – perhaps in a special subordinate policy or policy addendum.
IPv6
Internet Protocol version 6 (IPv6) is the planned next generation of the IP
protocol. Slated to succeed IPv4, and proposed for future enterprises, intranets,
and the Internet, IPv6 provides easier administration, an expanded
addressing scheme, and, most importantly, tighter security.
Figure 1 reflects the status of IPv6 industry deployments through December 17, 2019. [10]
Figure 1. IPv6 Industry Deployments – 12/17/2019 (Source: US NIST)
As enterprises migrate to IPv6, they must modify their network policies and
practices accordingly.
Internet of Things
A term coined by technologist Kevin Ashton in 1999 [11], the "Internet of Things" (IoT) refers to efforts designed to extend the dominion of the Internet from cyber space to the physical world, creating a network of intelligent devices that form the mechanical equivalent of the body’s central nervous system. The purpose is twofold:
To gather information about physical processes in order to improve them.
To exercise real-time control over physical processes in order to effect greater operational efficiency and effectiveness.
As analyst Nick Ismail observes, "For some time, one of the primary concerns
with IoT has been its impact of network security. This is because a greater
number of devices are connecting to the network, resulting in a much higher risk
of hackers being able to gain access and do damage."
For those affected, Ismail suggests "creating a device management policy: A policy that lays out guidelines for IoT device integration and connection to your network will help streamline the managing process." [12]
Edge Computing
As the term implies, "edge computing" is computing at the network edge.
According to Gartner, "Edge computing describes a computing topology in which information processing and content collection and delivery are placed closer to the sources of this information." [13]
The emergence of edge computing is tied to Industrial Internet of Things (IIoT), in which industrial components are
transformed into smart machines capable of collecting and processing data
locally and transmitting it to a central data center, or the cloud. Given the
sheer volume of data being collected by sensors and other intelligent devices,
it only makes sense to conduct as much processing "onsite" as possible; in other
words, to shift processing to the network edge.
If edge computing sounds like the latest incarnation of distributed
computing, it is. The principal difference between edge computing and earlier
distributed forms is that edge computing is essential to certain use cases. The
most frequently cited example involves self-driving or autonomous cars, in which
the onboard AI systems must make immediate, often life-and-death, decisions
based on vehicle sensor data. There is literally no time to transmit data to the
cloud for processing. The processing must take place within the vehicle, or at
the edge.
Network management policies must be amended to enable secure edge operations.
To facilitate the process of developing a secure Network Management Policy, consider the following:
Assemble a Policy Development Team, consisting of network users as well as technical representatives from IT, Security, and Quality Assurance.
If more expertise is required, engage a network security consultant or consulting firm. An experienced third-party contributor can share policy development best practices.
Invite the participation of general counsel to ensure proposed policy provisions are enforceable.
Identify which laws and regulations apply to the enterprise, and how these statutes will be enforced through the policy.
Make liberal use of free policy templates and samples supplied by authoritative bodies such as NIST or the SANS Institute.
Appoint a policy owner, a single department – preferably, a single person – responsible for policy administration, both the root policy and its subordinate policies.
Circulate the policy for user approval prior to implementation. Unless the subjects of the policy “buy in” to its various provisions, the policy is not viable.
Once the Network Management Policy – and its associated subordinate policies and procedures – are developed, conduct a Risk Analysis to identify – and plug – any residual security exposures.
Select and implement an automated Policy Management tool to help ensure policy compliance.
References
1 "Define a Network Security Policy: Do It." Hewlett-Packard.
2 "50 Free Information & Cyber Security Policy Templates to Secure Your Network." PurpleSec. 2019.
3 "The Types of Security Policies." Symantec | Broadcom. April 24, 2019.
4 Ibid.
5 "50 Free Information & Cyber Security Policy Templates to Secure Your Network." PurpleSec. 2019.
6 "The Types of Security Policies." Symantec | Broadcom. April 24, 2019.
7 "50 Free Information & Cyber Security Policy Templates to Secure Your Network." PurpleSec. 2019.
8 "Bring Your Own Device: A Toolkit to Support Federal Agencies Implementing Bring Your Own Device (BYOD) Programs." CIO Council. August 2012:37-8.
9 Benjamin Wright. "Preparing for Compliance with the General Data Protection Regulation (GDPR): A Technology Guide for Security Practitioners." SANS Institute. February 2017.
10 "Estimating Industry IPv6 & DNSSEC External Service Deployment Status." US National Institute of Standards and Technology. December 17, 2019.
11 "2013: The Year of the Internet of Things." MIT Technology Review. January 4, 2013.
12 Nick Ismail. "Securing Networks in the IoT Revolution." Bonhill Group Plc. March 5, 2018.
13 David W. Cearley, Brian Burke, Samantha Searle, and Mike J. Walker. "Top 10 Strategic Technology Trends for 2018." Gartner. October 3, 2017.