Secure Network Management Policies

Secure Network
Management Policies

by James G. Barr

Docid: 00021148

Publication Date: 2001

Report Type: TUTORIAL

Preview

In today’s enterprise, voice and data networks
serve as essential conduits for communicating information
among employees, between employees and customers or business
partners, and between employees and other enterprise stakeholders. Not
surprisingly, the design, development, deployment, operation, and maintenance of secure
enterprise networks depend upon the formation of comprehensive
network management policies.

Executive Summary

Information is essential to the modern enterprise, and enterprise networks
serve as an essential conduit for communicating data among employees, between employees
and customers, between employees and business partners, and between employees
and other enterprise stakeholders. Not surprisingly, the design, development, deployment, operation, and maintenance of secure enterprise networks
are a matter of enterprise policy and priority.

The enterprise Network Management Policy – and its subordinate
policies – are subject to rigorous standards. The policies must be
comprehensive, addressing all aspects of enterprise usage, and align with
(or otherwise support) the overall goals and objectives of the enterprise – not
just the information technology (IT) goals, but, more fundamentally, the
business goals of the enterprise.

Among these fundamental business goals is security. Well-crafted secure network management policies generally share the same characteristics. They are:

  • Short, as brief as possible but no briefer.
  • Written in plain language, except where technical jargon is demanded.
  • Updated on a regular basis, at least annually (or more frequently based on business or network changes).
  • Backed by ample procedures (a policy is not a “how to” document).
  • Consistent with the enterprise-established IT governance standard, such as COBIT, ITIL, or ISO.

A note about nomenclature: Some network management policies may address
security explicitly (in which case the word "secure" or "security" will normally
appear in the title), or implicitly (in which case maintaining security is
considered a principal priority).

Description

The standards and practices for writing network management (and other)
policies differ from enterprise to enterprise. For example, the following
Network Firewall Policy template, offered by Hewlett-Packard, consists of
seven sections:

  1. Purpose – A clear statement of the reason(s) the security policy exists.
    For example: This document discusses the security configuration baseline
    with which all firewalls deployed at XYZ Corp should comply.
  2. Scope – Identifies which sections, divisions, or departments of an
    organization are subject to the policy. The scope can also define or
    indicate those sections that are exempt from the policy. For example:
    This document applies to all departments of XYZ Corp. The extranet
    department and the R&D department are exempt from this document if their
    department-specific policy defines a contradictory requirement.
  3. Policy – Clearly defines exactly what requirements, conditions,
    configurations, and standards must be adhered to, followed, or
    implemented. Items in this section of the policy might include
    conditions under which VPN connections are enabled, what Internet
    services are allowed to cross through the firewall, and what content is
    filtered.
  4. Responsibilities – Identifies the individual or group responsible for
    implementing the conditions of the policy.
  5. Enforcement – Discusses the consequences of violating the policy.
  6. Definitions – Defines terms and acronyms to ensure that everyone reading
    the policy will clearly understand exactly what is being discussed.
  7. Revision History – Documents and dates all changes to the firewall
    policy after its initial creation and deployment. This essential part of
    any policy ensures that only the latest and most up-to-date version is
    actually used.[1]

In terms of network management, the “Network Management Policy” is
usually several policies. The “root,” or master, policy:

  • Describes the nature of network management.
  • Details the reasons why employees and other network users should adhere to
    network management policy provisions.
  • Discusses the consequences of violating network management policies – both
    for the enterprise and for the individuals involved.
  • Offers an index to subordinate policies.

Subordinate policies are usually developed according to their intended
audience. For example, while both users and technicians (primarily users)
must be cognizant of the “Acceptable Network Use Policy,” the
“Network Patch Management Policy” is germane only to IT and Security
personnel. Table 1 identifies some of the possible subordinate network
management policies.

Table 1. Possible Subordinate Network Management Policies
(columns: Policy Name – Description – Primary Audience)

  • Acceptable Network Use – Specifies how the enterprise network may be
    used. The ANUP is often employed to define the limits of Internet usage,
    such as restricting access to sites featuring inappropriate content.
    (Primary audience: Users)
  • Acquisition Assessment[2] – Establishes Infosec responsibilities regarding
    enterprise acquisitions, and defines the minimum security requirements of
    an Infosec acquisition assessment. (Primary audience: Techs / Users)
  • Network Backup and Recovery – Specifies how network data is protected
    against loss or contamination. (Primary audience: Techs)
  • Network Configuration – Specifies which devices may be connected to the
    network. This is becoming a major issue as users petition to use their
    personal smartphones and tablets for business purposes.
    (Primary audience: Users)
  • Network Continuity – Specifies how network functions are continued or
    recovered in the event of a network-related disaster, including the loss
    of commercial Internet service. (Primary audience: Techs)
  • Network E-Mail – Specifies e-mail dos and don’ts, such as “Do not open
    e-mail attachments from unknown senders.” (Primary audience: Users)
  • Network Firewall – Specifies which source and destination IP addresses
    are allowed. (Primary audience: Techs / Users)
  • Network Incident Response – Specifies how network problems are reported,
    investigated, and, if necessary, escalated. (Primary audience: Techs)
  • Network Intrusion Prevention[3] – Specifies how intrusion prevention
    systems detect and block network attacks and attacks on browsers, as
    well as protect applications from vulnerabilities.
    (Primary audience: Techs)
  • Network LiveUpdate[4] – The LiveUpdate Content policy and the LiveUpdate
    Settings policy contain the settings that determine how and when client
    computers download content updates from LiveUpdate.
    (Primary audience: Techs / Users)
  • Network Password – Specifies the rules for creating and changing login
    passwords. May also specify related identity management requirements,
    such as two-factor authentication. (Primary audience: Users)
  • Network Patch Management – Specifies the interval between receiving and
    applying network patches, particularly security fixes.
    (Primary audience: Techs)
  • Network Remote Access – Specifies how remote users – including
    teleworkers – may safely connect to the network. (Primary audience: Users)
  • Network Router and Switch[5] – Specifies a required minimal security
    configuration for all routers and switches connecting to a production
    network or used in a production capacity at or on behalf of the
    enterprise. (Primary audience: Techs)
  • Network Security – Specifies how the network – and network data – are
    secured, via encryption or other means. (Primary audience: Techs)
  • Network Virus and Spyware Protection[6] – Specifies how the network
    detects, removes, and repairs the side effects of viruses, spyware, and
    other malware; detects the threats in the files that users try to
    download; and detects the applications that exhibit suspicious behavior.
    (Primary audience: Techs / Users)
  • Virtual Network Management – Specifies how virtual networks and virtual
    network components and services are managed and secured.
    (Primary audience: Techs)
  • Wireless Communication[7] – Specifies the technical requirements that
    wireless infrastructure devices must satisfy to connect to an enterprise
    network. Only those wireless infrastructure devices that meet the
    requirements specified in this standard or are granted an exception by
    the InfoSec Team are approved for connectivity to an enterprise network.
    (Primary audience: Techs / Users)

Current View

Owing to their complexity, network management
policies are seldom written from scratch. “Canned” policies, which can
be easily modified to suit the needs of a particular enterprise, are
available for a fee from commercial sources. They are also available
for free from organizations such as the SANS Institute, the US National Institute of Standards and
Technology (NIST), or even the White House.

The Obama White House, for example, crafted a “BYOD Toolkit” that offers five
sample policies:

  1. “Policy and Guidelines for Government-Provided Mobile Device Usage”
  2. “Bring Your Own Device – Policy and Rules of Behavior”
  3. “Mobile Information Technology Device Policy”
  4. “Wireless Communication Reimbursement Program”
  5. “Portable Wireless Network Access Device Policy”

The following is an extract from the "Portable Wireless Network Access Device
Policy." While obviously intended for federal agencies, this policy could be
readily adapted and adopted by private-sector enterprises and non-profit organizations.


POLICY SCOPE

This policy applies to all employees of the [AGENCY NAME] who use portable
wireless devices capable of accessing [AGENCY NAME] computing resources. This
policy describes the handheld wireless network access system implementation,
recommends guidelines for usage and lists policies and procedures that apply
to its use. Portable wireless network access devices are provided to improve
customer service and enhance government efficiencies and will only be
provided to employees whose Managers have determined that the employee has a
demonstrated need.

The purpose of this policy is to establish rules for the use of portable
wireless computing devices and their connection to the [AGENCY NAME] network.
These rules are necessary to preserve the integrity, availability and
confidentiality of the [AGENCY NAME] network.

POLICY STATEMENT

Those employees of the [AGENCY NAME] who have a need for immediate
notification and access to email, voice and web services while away from
their office or in a mobile situation are candidates for use of a portable
wireless network access device. All usage is covered by [AGENCY NAME]’s
Acceptable Use Policy. Primary use of the portable wireless network access
device is for official [AGENCY NAME] business. Personal use of
government-owned portable wireless network access devices (for email,
calendar, incoming and outgoing telephone calls) shall be limited to
infrequent, incidental and/or emergency use.

POLICY PROVISIONS

Within each department, agency and/or component, the determining authority
and responsibility for issuance of portable wireless network access device
shall rest with the [COMPONENT APPROVING AUTHORITY] or similar approving
authority.

Final authority and wireless activation of each new wireless network access
device shall rest with the [AGENCY NAME] Chief Information Officer or his/her
designee.

[AGENCY NAME] shall implement appropriate process and controls over the
common server, infrastructure, transport services and computing resources
under its control. Deployment of the portable wireless network access devices
will be limited dependent on available resources.

Network security controls must not be bypassed or disabled. To the extent
possible, security capabilities of the wireless device should be employed
that are consistent with the [AGENCY NAME] Acceptable Use Policy. Use of any
Cellular Telephone access shall be governed by the [AGENCY NAME] Cellular
Telephone policy.

Violation of this policy may result in disciplinary action, loss of access
privileges to the common server infrastructure, or civil and criminal
prosecution.[8]

ISO 27033

Secure network management policies should be based on widely accepted and
respected network management principles. For most enterprises – especially
enterprises with a global footprint – adherence to the ISO 27033 set of
standards is considered prudent, if not essential.

ISO/IEC 27033-1:2015 Information technology — Security techniques — Network
security — Part 1: Overview and concepts

ISO/IEC 27033-1:2015 provides an overview of network security and related
definitions. It defines and describes the concepts associated with, and
provides management guidance on, network security. (Network security applies
to the security of devices, security of management activities related to the
devices, applications/services, and end-users, in addition to security of
the information being transferred across the communication links.)

ISO/IEC 27033-2:2012 Information technology — Security techniques — Network
security — Part 2: Guidelines for the design and implementation of network
security

ISO/IEC 27033-2:2012 gives guidelines for organizations to plan, design,
implement and document network security.

ISO/IEC 27033-3:2010 Information technology — Security techniques — Network
security — Part 3: Reference networking scenarios — Threats, design
techniques and control issues

ISO/IEC 27033-3:2010 describes the threats, design techniques and control
issues associated with reference network scenarios. For each scenario, it
provides detailed guidance on the security threats and the security design
techniques and controls required to mitigate the associated risks. Where
relevant, it includes references to ISO/IEC 27033-4 to ISO/IEC 27033-6 to
avoid duplicating the content of those documents.

ISO/IEC 27033-4:2014 Information technology — Security techniques — Network
security — Part 4: Securing communications between networks using security
gateways

ISO/IEC 27033-4:2014 gives guidance for securing communications between
networks using security gateways (firewall, application firewall, Intrusion
Protection System, etc.) in accordance with a documented information
security policy of the security gateways, including:

  1. Identifying and analyzing network security threats associated with
    security gateways;
  2. Defining network security requirements for security gateways based on
    threat analysis;
  3. Using techniques for design and implementation to address the threats
    and control aspects associated with typical network scenarios; and
  4. Addressing issues associated with implementing, operating, monitoring
    and reviewing network security gateway controls.

ISO/IEC 27033-5:2013 Information technology — Security techniques — Network
security — Part 5: Securing communications across networks using Virtual
Private Networks (VPNs)

ISO/IEC 27033-5:2013 gives guidelines for the selection, implementation, and
monitoring of the technical controls necessary to provide network security
using Virtual Private Network (VPN) connections to interconnect networks and
connect remote users to networks.

ISO/IEC 27033-6:2016 Information technology — Security techniques — Network
security — Part 6: Securing wireless IP network access

ISO/IEC 27033-6:2016 describes the threats, security requirements, security
control and design techniques associated with wireless networks. It provides
guidelines for the selection, implementation and monitoring of the technical
controls necessary to provide secure communications using wireless networks.
The information in this part of ISO/IEC 27033 is intended to be used when
reviewing or selecting technical security architecture/design options that
involve the use of wireless network in accordance with ISO/IEC 27033-2.

Outlook

In the future, the ability to generate and maintain secure network
management policies may be influenced by several factors:

  1. Globalization – The need to comply with multiple security and
    privacy regulations from multiple jurisdictions; in particular, the
    European Union (EU).
  2. Cloud Computing – The need to maintain
    a mixed network environment, including public and private clouds.
  3. Smartphone and Tablet Proliferation – The need
    to support an ever-expanding range of smartphones and tablets, each with
    its own security characteristics.
  4. IPv6 – The need to transition to Internet Protocol version 6.
  5. Internet of Things – The need to support an emerging
    class of Internet-connected systems, sensors, and other devices.
  6. Edge Computing – The need to accommodate data processing at the
    network edge.

Globalization

Today’s enterprise does business on a worldwide
basis. With that opportunity comes an obligation to comply with local,
national, and international security and privacy policies. The world’s
strictest policies belong to the European Union, with the effect that
adhering to EU policies will almost certainly position an enterprise for
global compliance.

Importantly, the EU
policymakers seem forever busy turning out new policies – or new
variations on old policies. As a result, the enterprise chief
compliance officer (CCO), in cooperation with the enterprise general counsel, must
remain vigilant in reviewing – and assessing the implications of – EU
security and privacy pronouncements.

For example, the European Union’s General Data Protection Regulation (GDPR)
imposes stricter data security requirements on enterprises operating within
the EU, or handling personal data belonging to EU residents.

A parallel initiative, the Digital Republic Bill, adopted by France in
October 2016, penalizes enterprises that evidence inadequate data security
infrastructures.[9]

Perhaps inspired by GDPR, the state of California passed the California
Consumer Privacy Act (CCPA). Commencing January 1, 2020, CCPA grants consumers
various increased rights with regard to personal information held by a business.
Among the expanded rights are the right to request a business to delete any
personal information that is collected by the business, and the business is
required to comply with such a verifiable consumer request unless the data is
necessary to carry out specified acts.

Cloud Computing

From a policy perspective, the major issue surrounding cloud computing is
third-party involvement, as enterprise data travels to and from enterprise and
non-enterprise networks; in the latter category, networks belonging to:

  • Cloud providers
  • Supply chain partners
  • Managed security services providers (MSSPs)

Under ideal circumstances, the same secure network management policies
observed by the enterprise would be followed by each non-enterprise actor. In practice, of course, each network owner/operator establishes its own
policies.

To achieve maximum protection, enterprise officials, both IT and security,
should “drill down” on partner network management practices. They should
determine, at minimum, if each partner adheres to sound – if not necessarily
identical – network management policies.

Smartphone and Tablet Proliferation

As smartphone and tablet usage continues to expand worldwide, mobile
platforms will become even more tempting targets for malware makers.

Since enterprise business officials are finding it harder to “just say
no” to the “Bring-Your-Own-Device” (BYOD) crowd – those individuals who
argue for the need to connect consumer-grade smartphones and
tablets to enterprise networks – enterprise security officials will
likely amend network management policies to permit the use of a wider
selection of mobile information devices.

To compensate for this concession, security officials will – or should –
detail how each brand and model of authorized smartphone or tablet should be
secured – perhaps in a special subordinate policy or policy addendum.

IPv6

Internet Protocol version 6 (IPv6) is the planned next generation of the IP
protocol. Slated to succeed IPv4, and proposed for future enterprises, intranets,
and the Internet, IPv6 provides easier administration, an expanded
addressing scheme, and, most importantly, tighter security.

Figure 1 reflects the status of IPv6 industry deployments through December
17, 2019.[10]

Figure 1. IPv6 Industry Deployments – 12/17/2019

Source: US NIST

As enterprises migrate to IPv6, they must modify their network policies and
practices accordingly.

Internet of Things

A term coined by technologist Kevin Ashton in 1999,[11] the "Internet
of Things" (IoT) refers to efforts designed to extend the dominion of the
Internet from cyber space to the physical world, creating a network of
intelligent devices that form the mechanical equivalent of the body’s central
nervous system. The purpose is twofold:

  1. To gather information about physical processes in order to improve
    them.
  2. To exercise real-time control over physical processes in order to
    effect greater operational efficiency and effectiveness.

As analyst Nick Ismail observes, "For some time, one of the primary concerns
with IoT has been its impact on network security. This is because a greater
number of devices are connecting to the network, resulting in a much higher risk
of hackers being able to gain access and do damage."

For those affected, Ismail suggests "creating a device management policy: A
policy that lays out guidelines for IoT device integration and connection to
your network will help streamline the managing process."[12]

Edge Computing

As the term implies, "edge computing" is computing at the network edge.
According to Gartner, "Edge computing describes a computing topology in which
information processing and content collection and delivery are placed closer to
the sources of this information."[13]

The emergence of edge computing is tied to the Industrial Internet of Things (IIoT), in which industrial components are
transformed into smart machines capable of collecting and processing data
locally and transmitting it to a central data center, or the cloud. Given the
sheer volume of data being collected by sensors and other intelligent devices,
it only makes sense to conduct as much processing "onsite" as possible; in other
words, to shift processing to the network edge.

If edge computing sounds like the latest incarnation of distributed
computing, it is. The principal difference between edge computing and earlier
distributed forms is that edge computing is essential to certain use cases. The
most frequently cited example involves self-driving or autonomous cars, in which
the onboard AI systems must make immediate, often life-and-death, decisions
based on vehicle sensor data. There is literally no time to transmit data to the
cloud for processing. The processing must take place within the vehicle, or at
the edge.

Network management policies must be amended to enable secure edge operations.

Recommendations

To facilitate the process of
developing a secure Network Management Policy, consider the following:

  1. Assemble a Policy Development Team, consisting
    of network users as well as technical representatives from IT, Security, and
    Quality Assurance.
  2. If more expertise is required, engage a network
    security consultant or consulting firm. An experienced third-party
    contributor can share policy development best practices.
  3. Invite the participation of general counsel to
    ensure proposed policy provisions are enforceable.
  4. Identify which laws and regulations apply to the enterprise, and how
    these statutes will be enforced through the policy.
  5. Make liberal use of free policy templates and
    samples supplied by authoritative bodies such as NIST or the SANS
    Institute.
  6. Appoint a policy owner, a single department –
    preferably, a single person – responsible for policy administration, both
    the root policy and its subordinate policies.
  7. Circulate the policy for user approval prior to
    implementation. Unless the subjects of the policy “buy in”
    to its various provisions, the policy is not viable.
  8. Once the Network Management Policy – and its associated subordinate
    policies and procedures – are developed, conduct a Risk Analysis to identify
    – and plug – any residual security exposures.
  9. Select and implement an automated Policy Management tool to help ensure
    policy compliance.

About the Author

James G. Barr is a leading business continuity analyst and business writer
with more than 30 years’ IT experience. A member of “Who’s Who in Finance and
Industry,” Mr. Barr has designed, developed, and deployed business continuity
plans for a number of Fortune 500 firms. He is the author of several books,
including How to Succeed in Business BY Really Trying, a member of Faulkner’s
Advisory Panel, and a senior editor for Faulkner’s Security Management
Practices. Mr. Barr can be reached via e-mail at jgbarr@faulkner.com.