Network Perimeter Security: Building Defense In-Depth

2017-07-07 02:10:07

2.8 Proteris Security Standards and Procedures

2.8.1 Abstract

The purpose of this document is to provide detailed information supporting the Proteris Security policy. The Proteris Security policy can be found electronically at http://house.proteris.com.

2.8.2 Context

Proteris maintains a worldwide reputation for quality technical training and consulting. Our clients expect and receive…

2.8.3 Standards and Procedures

2.8.3.1 Administrative Security: Password Standards.

The confidentiality of information is a critical element in the success of Proteris' business model. To support this confidentiality, all passwords shall meet the following requirements.

Passwords will be at least eight characters in length.

Passwords will contain a combination of upper case (A–Z) and lower case (a–z) characters.

Passwords will contain at least one digit or punctuation other than letters such as: ~!@#$%^&*(){}[]:";'<>?,./\|.

Passwords may not be words in any language or employ slang. This includes names and proper nouns.

Passwords may not be written down…

2.8.3.2 Technology/Network/Computer Systems Standards: Router Security Standards.

Routers serve a critical role in the transfer of information on the Proteris network. As such, their configuration will reflect their central nature in the confidentiality, integrity, and availability of Proteris information assets. All log-ins must be done through unique usernames and authenticated through RADIUS. In the event of an emergency or failure of the RADIUS system, local log-on to the router shall be allowed through the use of unique user names and passwords for each authorized router administrator.

All passwords on the router will be kept in encrypted form.

All services not essential to the forwarding and logging functions of the router will be disabled.

All routers will display strongly worded UNAUTHORIZED USE PROHIBITED messages upon log-in. Such messages will indicate that all actions on the router will be monitored and shall give no indication of the make, model, software version, or position of the router in the Proteris network.

Log-in to the router will only be allowed through encrypted sessions. Telnet access is specifically restricted…

2.8.3.3 Physical Security Standards: External Boundary Protection Standards.

Information security is part of a process that includes many different elements of security. For Proteris to meet its information security requirements, it must take steps to reduce the risks of physical trespass and unauthorized entry to Proteris offices. Proteris will install lighting sufficient to illuminate the Proteris office perimeters to a minimum of eight feet in height and two feet from the external wall.

Entrance to Proteris shall be recorded. Employees are required to show photographic identification badges upon entry.

Visitors to Proteris are required to sign in when entering the Proteris facilities and sign out when leaving. The minimum information to be captured is the time of entrance and the purpose of the visit.

A Proteris employee at all times shall escort visitors to Proteris in areas other than the sales office.

Motion detectors shall be installed in all Proteris offices and activated within three hours after normal business hours end. Motion detectors will be deactivated within one hour of normal business start times…

Each of these sections would be much longer and contain details for all the security elements of their respective categories. Information in the Standards and Procedures, AUP, Incident Response, and Disaster Recovery and Planning documents should all have similar forms. This information, while discussing the specific countermeasures to be used for reducing risk to the Proteris network is still not specific enough to actually guide the implementation. Instead, a Security Configuration Guide is required. Along with the information above, a definitions section and a table of contents or index should be included as well.

Like the Standards and Procedures document, the Security Configuration Guide is broken into specific sections. For the sake of simplicity, I generally use the actual requirements set out in the Standards and Procedures document to organize the Security Configuration Guide. For example, from the section on router security, we might see something like this:

2.8.3.4 All Passwords on the Router Will Be Kept in Encrypted Form.

The configuration statement service password-encryption will be included as part of the standard Cisco router configuration. For a complete sample template with annotations, refer to Cisco Router IOS 12.2(5) Proteris Secure Template ver 1.25.

2.8.3.5 All Services Not Essential to the Forwarding and Logging Functions of the Router Will Be Disabled.

The following configuration statements disable unnecessary Cisco router functions:

#(config-if)no ip directed-broadcast — disable directed broadcast packets.

#(config)no service tcp-small-servers — disable "small" TCP servers such as echo, chargen, discard, and daytime.

#(config)no service udp-small-servers — disable "small" UDP servers like echo, chargen, and discard.

#(config)no ip source-route — disables source routing.

#(config)no ip http server — disable HTTP configuration server.

For a complete sample template with annotations, refer to Cisco Router IOS 12.2(5) Proteris Secure Template ver 1.25.

The configuration guidelines would continue for this section and each countermeasure or control utilized by the network. The information would be as specific as possible for two reasons. The first is to ease configuration and installations of new systems or recover from failures. The second is to ensure that new administrators continue to configure the network to the level of security demanded by the site security policy.

A security policy is not an easy document to create. The process of identifying assets, performing risk analysis, and selecting risk management countermeasures is not a straightforward matter of "put in the numbers and out pops the answer." Properly done, an information security policy takes time, effort, and the involvement of many of the people in your company. Alone, a security policy does nothing to increase the security of your network — it is, after all, just words. Nevertheless, a security policy is the best way to ensure that the process of securing your network achieves the goal of information security and reduces the risk to your network while complementing your company objectives.