In this multipart series I will be presenting some of the leading industry-standard best practices for enterprise network security using Cisco technologies. Each article in the series will cover a different aspect of security technologies and designs and how each can be deployed in the enterprise to provide the best security posture at the lowest possible budgetary and administrative cost.

“Wisdom consists in being able to distinguish among dangers and make a choice of the least harmful.” That quote is quite possibly the most accurate depiction possible of the never-ending struggle between network security and corporate budget. Providing a mechanism to defend the enterprise network from every conceivable threat is impossible in terms of both technology and funding. We have no way of knowing each and every type of vulnerability that may impact the network, nor are we able to fund the hardware and software systems necessary to mitigate each of these threats. What we are left with is an environment that must be secure, manageable, and expandable at as little cost as possible. What we are typically left with is a situation every network engineer and security administrator in the industry can relate to; a play on that old adage. “Secure. Flexible. Cheap. Pick two.”

Network security is not something that you can just add on when you need it. Network security is a philosophy, a methodology, a means of protecting information. It is not easy to implement because it makes us change the way we live our lives and how we work on a daily basis, and change is never easy. But it is dollars and not convenience that typically impact our security decisions and these decisions are based not on convenience but on the potential loss of revenue. According to a 2007 survey of 642 large North American organizations, each with revenues averaging $1.4 billion yearly, more than 84 percent suffered a security breach within the past year; 54 percent of those organizations lost productivity while 20 percent reported loss of revenue, customers or other tangible assets.

Information security is not a technical concern but a business concern; one which must be a concern for all organizations. With security threats increasing in number and sophistication, organizations need to gain a greater level of protection, control, and visibility over their information systems and must prevent security incidents that disrupt productivity, impact customer relationships, and erode revenue. As government regulation for securing and protection consumer information increases so to does the responsibility and liability of the organization, resulting in a growing emphasis on network security.

We classify security threats in terms of the harm they can bring about to our information systems and the potential impact they can have on our customers as well as our bottom line. We use the limited budget dollars at our disposal-coupled with our technical knowledge-to defend networks from the most severe of these threats, and do what we can to lessen the impact of the remaining threats using the best means at our disposal. The more security knowledge we possess the better our network security design and the lower our budgetary requirements in terms of network security. The more budget dollars we have for security the more advanced the technology we can deploy. Too much knowledge or money, however, may result in a lax approach to security while too little knowledge or money leaves our network environment vulnerable. The security posture of an enterprise network is therefore a delicate balance of budget and knowledge.

To survive in a world where the growth of security threats far outpace security spending, yet everything is becoming interconnected at breakneck speed, the security design of the enterprise network must meet specific criteria in order to maintain its viability as a defense mechanism. These criteria are incorporated in what we know as industry standard best practices, a ubiquitous term many technically savvy people use but few understand when it comes to network security. The true key to understanding network security best practices is in understanding that they are a best practice for a reason. They became a best practice because someone somewhere learned the hard way that not doing things a certain way can result in loss. And loss from a breach of network security can come in many forms, including:

• Loss of revenue
• Loss of employment
• Loss of customer data
• Loss of reputation
• Loss of clients or contracts
• Loss of public confidence and trust

Best practices come about because of mistakes. These are the types of unintentional mistakes that result in a lapse in network security. These design or configuration mistakes are very common and found in almost all network environments, but the problem is that you don’t have to be a security novice to make these mistakes. Once the complexity of your network environment gets to a certain level mistakes are virtually inevitable regardless of the experience level of the network and security staff, and it is the mistake and not the hacker that is going to bring about the types of loss previously mentioned. To protect the network and the bottom line we as network and security professionals have to be right all the time, while the people we are trying to protect our networks against only have to be right once.

As you can see, the discussion of best practices quickly moves from that of a technical discussion to one of a business discussion. The use of industry standard best practices is essential to the survival of an Internet-connected organization in today’s world. There is little room for trial-and-error, and even less for inexperience and lack of understanding in terms of network security. A failure to provide the necessary kinds of protection is a very expensive lesson for any organization to learn, not only in terms of raw dollars but in terms of market survivability, as well. With so little room for error it is essential that an organization’s network security posture be based on design methodologies and best-of-breed security practices that have been proven effective against the threats of today, and at the same time provide a solid foundation for building network defenses against the threats of tomorrow.