From  CertCities.com
Column
Link State Update
More than Secure...
Creating a network security plan that also works for your users.

by Eric Quinn - courtesy of TCPMag.com

9/18/2001 -- Last month, I talked about intrusion detection, but that’s only a small component of the whole kit and caboodle we call security. In order for you to have effective security, it must be planned. What happens if you build a small house with the plan of adding on to it in the future? If you add a single room or maybe a deck, then you’re usually OK. But if you add on four bedrooms, a deck, den, two bathrooms and a fireplace all over the span of 20 years, I’d bet that the house would look funny.

Planning security is essential to ease growing pains as much as possible while keeping your network secure. In my classes, we often allow students to telnet into real equipment to get hands-on experience; however, there are always some students who say they can't reach the equipment we provide because their company firewall won't allow telnet out. Blocking outbound telnet is a sensible default, but nobody planned for the day the staff would need it for training. That is a security policy getting in the way of the company's growth, and a policy that gets in the way is one users will start working around.

There are four broad categories of security weakness: physical, technological, configuration and policy. Physical security is probably the easiest to get right and one of the most overlooked. This includes things like propping the door open, leaving the wiring closet unlocked and not locking your PC when you walk away from it. (Not one of us has ever done that last one!) No firewall rule matters to someone who can walk up to a console port.

Technological security is the toughest to stick with, because we have to live with the weaknesses of the tools we want to use. Does your company like getting e-mail? Then you have to deal with the many holes found in SMTP, TCP and IP. A technology problem is usually solved by a technology solution: SMTP has a number of commands you don't want strangers issuing to your mail server (VRFY and EXPN hand out valid user names, for a start), and the SMTP fixup on a PIX firewall, Mailguard, lets only a minimal set of commands through and refuses the rest before they reach the server.
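As an added example (my code, not the column's and not the PIX implementation), here is the idea behind that kind of filtering in Python: an application-layer allow-list that passes only the handful of verbs a mail transaction needs and answers everything else itself. The allowed verb set, the reply text and the sample session are constructed for illustration; a real proxy would also wait for the server's 354 before treating lines as message body.

```python
# Added example: an SMTP command allow-list filter in the spirit of a
# firewall's SMTP inspection. Illustrative code, not the PIX implementation;
# the allowed verb set and the sample session are constructed.

# Verbs a minimal SMTP conversation needs. Anything else (VRFY, EXPN, TURN,
# vendor extensions) is refused before it reaches the mail server.
ALLOWED_VERBS = frozenset({"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET", "NOOP", "QUIT"})


class SmtpCommandFilter:
    """Stateful filter for the client-to-server half of an SMTP session."""

    def __init__(self, allowed=ALLOWED_VERBS):
        self.allowed = allowed
        self.in_data = False   # True between DATA and the lone "." that ends the body
        self.rejected = []     # audit trail of refused command lines

    def handle_line(self, line):
        """Return (forward, reply): whether to pass the line on to the server,
        and an optional reply to send straight back to the client."""
        text = line.rstrip("\r\n")
        if self.in_data:
            # Message body is content, not commands, so it passes untouched.
            # (Simplification: a real proxy enters this state only after the server's 354.)
            if text == ".":
                self.in_data = False
            return True, None
        verb = text.split(" ", 1)[0].upper()
        if verb in self.allowed:
            if verb == "DATA":
                self.in_data = True
            return True, None
        self.rejected.append(text)
        return False, "500 5.5.1 Command unrecognized\r\n"


def filter_session(lines, allowed=ALLOWED_VERBS):
    """Run a whole client transcript through the filter.
    Returns (lines forwarded to the server, synthetic replies sent to the client,
    command lines that were refused)."""
    flt = SmtpCommandFilter(allowed)
    forwarded, replies = [], []
    for line in lines:
        forward, reply = flt.handle_line(line)
        if forward:
            forwarded.append(line)
        if reply:
            replies.append(reply)
    return forwarded, replies, flt.rejected


# Constructed client transcript: a normal delivery with two reconnaissance
# commands mixed in, plus an EXPN inside the message body that must NOT be touched.
SAMPLE_SESSION = [
    "HELO mail.example.com\r\n",
    "VRFY root\r\n",                    # user enumeration: refused
    "MAIL FROM:<alice@example.com>\r\n",
    "RCPT TO:<bob@example.com>\r\n",
    "DATA\r\n",
    "Subject: quarterly numbers\r\n",
    "EXPN staff\r\n",                   # body text that merely looks like a command
    ".\r\n",
    "TURN\r\n",                         # obsolete relay command: refused
    "QUIT\r\n",
]

if __name__ == "__main__":
    fwd, replies, rejected = filter_session(SAMPLE_SESSION)
    print("refused:", rejected)
    print("forwarded %d of %d lines" % (len(fwd), len(SAMPLE_SESSION)))
```

The point worth noticing is the DATA state: once the body starts, the filter has to stop interpreting lines as commands, otherwise a perfectly innocent message that mentions "EXPN" gets mangled. That state tracking is exactly the sort of thing a plain port-based rule cannot do, which is why a technology problem like this needs a protocol-aware technology solution.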

Configuration security problems are the "Doh!" of the security world. You forgot to require users to change their passwords every 90 days, or you gave dial-in access to the wrong user. You have a configuration security problem when the technology does exactly what you told it to, but you either misconfigured it or never got around to configuring it at all.

Policy weaknesses are holes in your corporate policies. You can configure the system so that users have to change their passwords every 30 days, can't pick something similar to anything they've used before, and must use at least 10 characters including letters and numbers. None of that is going to fly unless management buys in. Not only does a security policy have to exist to have any chance of working, but everyone must agree with its necessity -- including execs and IT staff. The rank and file tends to rebel when it finds out that certain groups are exempt from an oppressive policy.
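The password rules above are easy to state and easy to get wrong in code, so here is an added example (mine, not the column's) that checks a candidate password and its age against them. The length, character-mix and 30-day rules come straight from the paragraph; what counts as "similar" is my assumption: within three edits of an old password, sharing six or more consecutive characters with one, or being one spelled backwards, all compared case-insensitively.

```python
# Added example: enforcing the password policy described above.
# The similarity thresholds are assumptions for illustration, not values from the column.
from datetime import date, timedelta

MIN_LENGTH = 10        # "at least 10 characters"
MAX_AGE_DAYS = 30      # "change their password every 30 days"
MAX_EDIT_DISTANCE = 3  # assumption: within 3 edits of an old password is "similar"
MIN_SHARED_RUN = 6     # assumption: 6+ consecutive shared characters is "similar"


def edit_distance(a, b):
    """Levenshtein distance, the usual single-row dynamic programme."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # delete
                           cur[j - 1] + 1,         # insert
                           prev[j - 1] + (ca != cb)))  # substitute
        prev = cur
    return prev[-1]


def longest_common_run(a, b):
    """Length of the longest substring the two strings share."""
    best = 0
    prev = [0] * (len(b) + 1)
    for ca in a:
        cur = [0] * (len(b) + 1)
        for j, cb in enumerate(b, 1):
            if ca == cb:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def is_similar(new, old):
    """Case-insensitive 'similar to a previous password' test (assumed thresholds)."""
    n, o = new.lower(), old.lower()
    return (edit_distance(n, o) <= MAX_EDIT_DISTANCE
            or longest_common_run(n, o) >= MIN_SHARED_RUN
            or n == o[::-1])


def check_password(candidate, history):
    """Return the list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    if not (has_letter and has_digit):
        problems.append("must contain both letters and digits")
    if any(is_similar(candidate, old) for old in history):
        problems.append("too similar to a previous password")
    return problems


def is_expired(last_changed, today=None):
    """True once a password has been in use for MAX_AGE_DAYS or longer."""
    today = today or date.today()
    return today - last_changed >= timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample: a user trying to "rotate" by bumping the year.
    print(check_password("Winter2001x", ["Winter2000x"]))
    print(is_expired(date(2001, 8, 18), date(2001, 9, 18)))
```

The similarity check is the part that actually makes a rotation policy bite: without it, "Winter2000x" becomes "Winter2001x" every 30 days and the policy exists on paper only, which is the policy weakness the paragraph is warning about.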

A security plan will help you bring these four components together so they play nicely with one another now and into the future. You need to identify the direction your company is going and figure out whether your current policy and equipment will get you there. For instance, your company may be migrating to a pure Voice over IP solution using the Session Initiation Protocol (SIP), but your PIX firewall will break the calls unless you've upgraded to software version 6.0: SIP negotiates the ports for each call's media stream on the fly, so a firewall that doesn't understand the signaling has no way to open them.

Security components can be found in many places beyond your typical router and firewall. If you need to terminate many VPN connections, look at a dedicated VPN concentrator rather than loading the firewall down with the encryption work. If you need to filter certain traffic crossing a Catalyst 6000 series switch, a VLAN Access Control List (VACL) will do it on the switch itself, including traffic that never leaves the VLAN and so never passes a router or firewall.

Remember, the ultimate goal of security is to secure the network while allowing people to do their jobs. Locking a network down tight is not the challenge; unplug it and you're done. The challenge is keeping the network useful while keeping the bad guys out and, when one is already inside, limiting how much damage he can do.


Eric Quinn, CCNP, CCDP, CCSI, is a security instructor and consultant. He is also co-author of the CCNP Remote Access Exam Cram by Coriolis Press. He writes the “Link State Update” column for TCPmag.com, and is a contributing editor for CertCities.com. Reach him at .

Copyright 2000-2009, 101communications LLC.