Securing corporate networks requires administrators to make many decisions, plan actions and perform even more configuration steps. These include configuring the firewall, securing mail and web traffic, and selecting the right antivirus solution. This article shows which factors need to be considered and which approaches make sense.
Network Security Basics
Over the next few months, we’ll be taking a look at the requirements that administrators in certain industries, such as banks, public utilities, and the like, need to consider in order to secure their networks. But before we highlight these industry-specific points, we must first address the general network security requirements that exist in any environment.
To secure modern enterprise networks, administrators have a variety of tasks to perform that have become increasingly complex in recent years. Let’s start with the very basic factors that have been around for years. The first of these is a professional firewall that is precisely tailored to the company’s requirements.
In this context, it is important to know that a firewall alone is far from sufficient to ensure an adequate level of security, even in a branch or remote office. Nevertheless, the firewall and its configuration still play a central role in the overall security concept.
The firewall is responsible for securing data traffic between the LAN and the WAN and therefore sees virtually all incoming and outgoing traffic. In addition, more and more functions have been added in recent years that go far beyond the original task of a packet filter firewall. In this context, we need only mention VPN connections for mobile users and remote offices, intrusion prevention functions (IPS) and URL filters, as well as all the functions that appear under the heading of “next-generation firewall” (NGFW).
The professional configuration of the rules of a packet filter firewall goes far beyond the rule set “Allow all access from the LAN to the Internet” and “Deny all access from the Internet to the LAN” seen in many home routers and often present as the default configuration of professional solutions. For example, in many environments, such as remote offices and branch offices, it can make sense to allow maintenance access from the outside via SSH or similar.
At the same time, it usually also makes sense to block access from the LAN to the Internet via protocols that are normally only used within a LAN. For example, malware could conceivably use TFTP to download further malicious code from the Internet; if the associated transfers were blocked at the firewall, such an attempt would come to nothing. Protocols for local access to shares, such as SMB/CIFS, should never be allowed through the firewall, so that data stored on such shares cannot be accessed from outside.
Admittedly, blocking unneeded services by protocol and port is not as important today as it once was, since the majority of data transfers now run over ports 80 and 443 using HTTP and HTTPS anyway. Nevertheless, a firewall that only passes the services that are absolutely necessary remains a sound foundation for a secure network.
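As an added example that is not part of the original article, the following nftables ruleset sketches the restrictive forwarding policy described above: default deny, only the necessary LAN-to-Internet services allowed, LAN-only protocols such as SMB/CIFS and TFTP explicitly blocked and logged, and maintenance SSH from outside limited to one network. The interface names lan0 and wan0 and the 203.0.113.0/24 management prefix are assumptions.

```nft
# Added example, not from the original article. Interface names and the
# management prefix are assumed placeholders; adapt them to your environment.
table inet filter {
    chain forward {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections we already allowed; drop malformed state.
        ct state established,related accept
        ct state invalid drop

        # LAN -> WAN: LAN-only protocols must never leave the network.
        # The chain policy would drop them anyway; these rules exist so the
        # attempts are logged, which is a useful signal for compromised hosts.
        iifname "lan0" oifname "wan0" tcp dport { 139, 445 } log prefix "smb-egress-blocked " drop
        iifname "lan0" oifname "wan0" udp dport 69 log prefix "tftp-egress-blocked " drop

        # LAN -> WAN: only the services that are actually needed.
        iifname "lan0" oifname "wan0" tcp dport { 80, 443 } accept
        iifname "lan0" oifname "wan0" udp dport 53 accept
        iifname "lan0" oifname "wan0" tcp dport 53 accept

        # WAN -> LAN: maintenance access via SSH, but only from the
        # (assumed) management network, never from the whole Internet.
        iifname "wan0" oifname "lan0" ip saddr 203.0.113.0/24 tcp dport 22 ct state new accept

        # Everything else: log before the policy drops it, so the rule set
        # can be tuned against real traffic before users complain.
        log prefix "fw-forward-drop " drop
    }
}
```

To test a new rule set in a “log only” fashion first, replace the terminal `drop` statements with `counter log` and watch the kernel log before enforcing.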
Securing web traffic
As we have just mentioned, a large part of today’s data transmission runs over the Internet protocols HTTP and HTTPS, so these protocols and their ports should be open in practically every firewall. Since a wide variety of transfers take place this way, for example access to messengers, cloud storage or services such as Office 365, not to mention “normal” web surfing, a classic firewall that only classifies data streams by port and protocol has no chance of detecting whether malware is being distributed or data is being stolen over a given connection.
That’s why it’s essential to have a next-generation firewall that closely monitors HTTP and HTTPS transfers. Such products examine the content of the data streams, filter out infected data, analyze user behavior and use predefined rules to decide which transmissions are allowed through and which are not. Once again, administrators should set up the policies as restrictively as possible so that only the data transfers that are actually necessary are allowed.
In many cases, it also makes sense to combine the aforementioned function with a web filter that prevents access to potentially dangerous and infected websites. To avoid too many problems when configuring the solution, the responsible employees should first test their rules in a “log only” mode and check exactly what is blocked and allowed through in detail before “arming” them. In this way, many calls to the IT department from angry users can be prevented.
Mail security and anti-spam
Let’s now turn to securing mail traffic. In most corporate environments, there is either a local mail server such as Exchange or a cloud service where a provider takes care of configuring and securing the mail infrastructure. Since mail is one of the most important distribution channels for malware such as ransomware, Trojans, and viruses, it makes sense to pay special attention to mail security, regardless of the architecture in use.
There are various systems for securing mail traffic. These include anti-virus and anti-spam programs on the host, i.e. the mail server itself, which examine the transmitted data during transfer and remove malware or move infected messages to a quarantine. Such solutions have the advantage that they work at a central location and are therefore relatively easy to manage, as well as being able to see all relevant traffic.
As far as anti-spam products are concerned, it is important that they can classify messages not only by source domain but also by content (analysis of wording and keywords) and sender reputation. They should also be able to use typical anti-spam lists such as those provided by Spamhaus.org for classification. In many cases, powerful spam filters can also be used to combat phishing emails.
Alternatively, client solutions for mail security are also available, which have often been integrated into anti-virus programs. These also take care of examining and securing incoming and outgoing messages, but directly on the respective client. Since they have to work on each workstation in the network, their administration is somewhat more complex than with centrally operating products. However, a central management console is usually available for such solutions.
Their use makes sense especially in environments where clients need to communicate with mail servers over whose security level corporate IT has no control, such as Gmail or similar services.
Now that we’ve arrived at the endpoints in the network, let’s take a look at typical client-based security solutions, namely antivirus programs. While it used to be standard advice for every security expert to have an antivirus program installed on every (Windows) client, opinions on this matter differ today.
There are several reasons for this: Firstly, antivirus programs must be able to scrutinize all the files on a computer and, ideally, all of the device’s memory. This means that they inherently undermine the security model of the operating system and thus open up an attack surface that would not exist without an anti-virus program.
For example, if an anti-virus tool running with the highest privileges has a security vulnerability and an attacker can exploit it to gain access to the system, then in most cases the attacker automatically holds the highest privileges as well and can usually do whatever they want with the computer.
On the other hand, Windows Defender, Microsoft’s own anti-virus tool that has been included with Windows for a long time, has improved significantly in recent years. While Windows Defender initially performed poorly in tests by anti-virus specialists, with relatively weak detection rates that couldn’t keep up with other products on the market, this has changed significantly. Today, Windows Defender detects just as many viruses as other security solutions.
Does this mean that it still makes sense to use other antivirus solutions? Those who argue against third-party products say that no company knows Windows better than Microsoft and that Microsoft’s security department alone employs more people than most anti-virus vendors do in total. That is why, they say, Microsoft’s know-how is the best, and Windows Defender is preferable to all other products in this field.
Those on the other side argue that Windows Defender, even if it is now as powerful as other solutions, becomes a risk simply because of its large number of installations. After all, many attackers design their malware to infect as many computers as possible, and if they assume that Defender is the security solution on most Windows computers, they will make sure their malware can overcome Windows Defender if at all possible. Using a different antivirus program would help prevent infection in such a case.
Another argument for third-party solutions is the additional functionality they offer, such as the previously mentioned client-based mail security or anti-spam functions. If these are needed in the company, administrators must choose a product that meets all of the requirements at hand. So, the bottom line is that the final course of action depends on the preferences of the decision-makers and the requirements of the particular environment.
To comprehensively secure a network, there are many decisions to make and many configuration steps to perform. This article could only provide a brief overview of the most important steps. In most environments, further actions will be required, such as setting up secure remote access for mobile workers and home offices via VPN connections. In the next parts of this series, we will go into more detail about the network security requirements of specific industries.