The Internet and the company intranet are both insecure environments. When an organization connects to the Internet or creates an internal intranet with segments that maintain confidential information, it puts its internal information at risk. Both situations call for secure, controlled access and increased security to protect valuable corporate information. The first step in implementing network security is to establish a security policy.
Using Novell BorderManager 3.7 to secure your network borders is just one of several steps required to implement network security at your company. Implementing a secure network takes a great deal of planning and cooperation from the employees at your company. To successfully implement a secure intranet, you must create a security policy. Creating a security policy can be a long, complex process, but it is essential to the success of creating a secure network. Although technology cannot guarantee a completely secure system, you can take steps to prevent the misuse of data and systems in your organization.
A security policy should be a guideline for all employees and administrators in your organization. It should consist of a set of rules expressing the goals you want to meet in securing and controlling access to your networks. The policy you implement depends on the technologies available to you to carry out the rules you establish.
Follow these general guidelines when writing your security policy:
Explain why the policy was created. This will be useful when you need to make changes later, and need to recall why certain rules were set up.
Use plain language. This helps employees read and understand the policy better.
Detail the responsibilities of the employees and administrators. For example, spell out that employees must keep their passwords secret.
Assign authority. Delegate responsibility when security breaches occur and the policy is not being followed. Include any punitive actions that can result, including reprimands or dismissal.
Deciding What to Include in a Security Policy
Consider the following general issues when deciding what to include in your security policy. You might need to add to this list, based on conversations with staff and administrators in your organization. Your security policy should include rules for the following:
Assigning and accessing accounts
Connecting objects to your network, including connecting a host or client
Connecting to the Internet
Protecting sensitive information on intranet Web or FTP servers
Publishing information on the Internet
Connecting remote users, sites, and customers to your network
Using e-mail
Protecting company-confidential information
Recovering from security breaches
Enforcing rules for multiple sites, and creating a consistent policy among sites for easier maintenance
IMPORTANT: The preceding list is not comprehensive; rather, it gives you a general idea of the issues you need to address and provides a starting point for your security policy. Refer to the available information on Internet security, both online and in bookstores, for more details about designing a complete and comprehensive security policy for your network.
Creating a Security Policy
To create a security policy:
Research potential security policies using sources available on the Internet, as well as published material.
Determine the following information about your organization:
Types of applications and data---Identify categories and determine what needs to be protected and what can be made public, both within and outside the company.
Current relationships---Determine, for example, whether you want to support customer and supplier access.
Employees who need access to information---Categorize this further by determining who needs access to what information.
Determine how the policy can be changed in the future. Specify how new technology and requirements will be incorporated into your organization and the security policy.
Analyze the security policy with regard to risk and cost. This process can become very analytical and might be better accomplished by hiring a consultant.
Publish the security policy. Make sure that all employees read and understand both the policy and their responsibilities.
Implement the policy. This involves implementing the firewall and enforcing the guidelines established by the security policy.
Enforce the policy. The policy is useless if you do not make sure it is being adhered to by all concerned.
Review and update the security policy on an ongoing basis to deal with new issues and changes to the network.
IMPORTANT: This information is a guide only and is not meant to provide all the data you need to create a corporate security policy. For more information on network security and implementing a security policy, read one of the many third-party publications that provide detailed information on this subject.
Establishing a Security Policy Using Novell BorderManager
You can control access to a Novell BorderManager 3.7 security on your network by implementing the following rules:
When installing or upgrading Novell BorderManager 3.7, disconnect the server from the public network.
Control network access to a Novell BorderManager 3.7 server as follows:
Do not configure host utilities such as RCONSOLE or XCONSOLE that provide remote access to the system.
Do not use a Novell BorderManager 3.7 server to support data hosting applications such as file and print services.
Restrict Simple Network Management Protocol (SNMP) access to the system.
Change the default SNMP community string.
Control NetWare Core ProtocolTM (NCPTM) connections to the system by setting packet signatures to the highest level (level 3).
Block source address spoofing by applying packet filters to public interfaces.
Restrict physical access to the server.
Scan network devices and workstations for viruses.
Establish a 7-day, 24-hour emergency procedure for handling security breaches.
Disconnect the Novell BorderManager 3.7 server from the public network if a security breach is suspected.
Encourage users to log out from the network and lock their workstations at the end of the day.
Mandate periodic changes to passwords. Discourage users from choosing personal information, such as names or birthdates, when setting new passwords.
Reference RFC 1244 to formulate guidelines and further implement a site security policy.
