The network is the lifeline for the computing infrastructure. The phone system that provides voice communications forms a network of interconnected phones. Desktops connect to servers and the greater Internet via the local area network. Customers, partners, and employees contact the company via the network. The majority of internal communication likely occurs via the voice and data networks. Security policies should attend to the security of network communication. By addressing the risks and defenses against them, the networks can function more securely.

The phone system within an organization often crosses the boundaries of voice and data communications. The desktop computer can interact with modern phone systems to retrieve voice mail, leave messages for others, and administer the system. As with the previous areas of concern, physical access should controlled. The operational constraints—such as Personal Identification Numbers (PIN) for users—and standard configurations should provide a more secure environment. An often forgotten security aspect of the phone system is the provision of remote dial-in capabilities that support both phone system administration and network access.

Several concerns for the phone system are outlined in this Company Z security policy:

· Physical access to the phone system hardware and system configuration terminals is restricted to phone administrators and phone company personnel.

· The phone system hardware should exist in a secured area that requires specialized access methods via keys or electronic cards.

· Default PINs for new users should be randomly chosen.

· When establishing a voice mail account, avoid using PINs that can be easily guessed, such as an extension number, the surname of the user, or other identifiable information.

· Dial-in modems used for administration of the phone system should be protected with passwords.

· Network access via dial-in modems should be authenticated and logged via a centralized authentication and reporting system.

· Modems meant for dial-in should be programmed to prevent dial-out capabilities.

· Installation of new modems should be coordinated through the phone and IT group in order to provide the necessary security and network infrastructure to maintain security.

· Phone line audits should occur regularly to verify the functionality of existing modems and to identify unauthorized modems.

This security policy addresses the phone system rather extensively. A comprehensive security policy takes into consideration all aspects of an organization and does not focus only on the computing environment. All aspects of security in an organization are related; a breakdown in the security of one area provides access despite the security measures of another. A weakness in the phone system security policy might allow an unauthorized intruder to access system and network resources even if other system and network security measures are in place.

The data network should be extended the same security features as the voice network. Network and telecommunications hardware such as routers, switches, and network lines (ISDN, DSL, T1, and so on) should be physically secured to avoid accidental or intentional disruption of network services. Beyond the physical aspects, the network requires a high degree of security and diligence to maintain that level. The first tier of protection is generally a firewall at the Internet access point. The specific firewall rules and filters should be defined based on the network access needs of the organization. A reasonably safe, but somewhat restrictive, guideline is the exception method. This dictates a global rule to deny access to everything first, and then makes exceptions for those network services deemed necessary.

After the firewall, network architecture and organization should also be considered to protect and isolate information as it travels on the network wire. The network hardware must be protected from network attacks and unauthorized configuration attempts.

Company Z has a diverse network that separates servers from the normal desktop computing network. The Internet access point is protected by a firewall. The data network portion of its security policy reads as follows:

· Firewalls are used to protect the internal networks in a restrictive fashion.

· Filtering and rules on the firewall support outgoing connections from employees so as not to restrict their ability to use the Internet.

· Filtering and rules on the firewall allow only incoming connections to the company Web server, mail servers, and name servers (DNS).

· The customer support network exists on a different network number and interface than the administrative and corporate network, and with fewer restrictions in order to support the required services of that organization.

· All access to network equipment, where supported, shall be protected via non-default passwords.

· Managed network equipment, including firewalls, routers, switches, modems, and other communication devices, are configured to allow administrative access from only a small number of administrative systems, in order to protect them from unauthorized configuration changes.

· All configuration changes to network equipment must be logged for reference.

· In the event of network attacks, the network administrators should notify the corporate security department, in case legal intervention is required.

· Network equipment should be configured to enable only those protocols in use by the organization, disabling all other features.

· Response to incidents should occur in the following manner:

1. Attempt to identify the cause.

2. In the event of network disruption and loss of service from attack, network administrators should attempt to identify the source of the attack. Firewall rules should be modified to control the effects, if possible.

3. Restore service to the company as quickly as possible while attempting to preserve evidence of the issue.

4. Upon resolution of an incident, incident forms should be filled out and submitted to the manager of the network group.

5. Analysis of the incident should be discussed in a group meeting to identify weaknesses in the organization and help prevent future issues.

· To protect against equipment failure, spare network hardware should be available.

· To facilitate ease of replacement and security of the configuration of network equipment, the configuration information should be maintained on the administrative servers.

· Where possible, network equipment should be configured to boot and download its configuration from the administrative servers, in order to preserve the integrity and reliability of the configuration.

· Network equipment that is not managed via SNMP should have that protocol disabled. The SNMP (Simple Network Management Protocol) allows administrators to see and modify the settings and configuration for a device with little or no authentication and access control.

· If using SNMP for management of the device, SNMP access should be restricted to administrative servers.

Network equipment presents a complex set of security requirements that should be outlined in the security policy. This allows for a safe installation and a maintained degree of security. The security policy incorporates physical orientation and configuration to defend against unauthorized access and management of the device. Authentication and access restrictions are implemented, as well as reliability in the configuration methods. The services provided by the equipment are tailored to the needs of the organization, allowing a known set of security concerns to be identified and resolved