When considering how to fully protect your network the options are many and varied but the goals are the same, to keep the public internet out and your data and documents in.
Protect the network from outside reach
Many companies these days are making the decision that having public inward access to resources whether that be a mail server or otherwise is simply not worth the risk especially when pretty much everything can be mirrored to an oursourced platform that is 'someone else's problem', but even when you outsource there are still risks especially when files and data are mirrored to local storage. Having very tight controls on what is mirrored and when is of the upmost importance to ensure both the integrity and security of the intranet.
Protect the network from internal compromise
Its a common belief that firewalls are only used to seperate the intranet from the internet at the network border, but in fact this is far from the truth and in any intranet there should be segmentation and firewalls to limit the risk of an internal compromise. A good example would be a network virus that due to the failure of your primary network security controls managed to end up on a workstation, without segmentation that network aware virus now has the entire company available to it along with the undoubtably expensive remediation. Segment your intranet and filter the data between segments to ensure that any risk is localised and identified quickly. Deploy proactive monitoring of both workstations and servers can also be very important to highlight 'unusual' behaviour and target your security staff. Use smart switching to generate alerts for unknown MAC addresses, or ports that come up or go down, unusual traffic levels and so on.
Protect the network from social engineering threats.
One of the many techniques used today to breach company networks is social engineering, the sending of an email to an employee that appears to come from that employees boss with an attachment (or if you've already covered that avenue then a link and instructions), or a delivery guy delivering something to your network that you weren't expecting, a printer service guy infecting printers with malware, the read the meters guy and the list goes on. Employees aren't stupid but they will make mistakes and are by far the largest risk in any security infrastructure. In order to cover all of the avenues of attack you need to cover all the avenues of return by ensuring that internet access is limited and filtered, as is email. USB ports should always be disabled and with heavy segmentation and endpoint monitoring your starting to make it really hard to penetrate the network.
Protect the network from data leakage
The term 'data leakage' is the new way of saying data theft but it means the same. Having your data stolen is not rare, its as commonplace as spam and yet in 9 out of 10 cases the employer is completely unaware. Why? well because of multiple failures in network security strategy allows for data leakage to not only occur without challenge, but for there to be little or no evidence left behind. In fact the first most companies know about data theft is when it appears in the public domain and that's way too late. Preventing data leakage is more than just firewalls and segments, its about real risk assessment, strategies and processes. Our Managed Storage Options service which is widely used by corporates for data and document storage employs extensive logging of every file access, read, write, copy, and so on all tied back to IP & User but that's just an example and there's much more to the it than just logging, you need to be proactive in establishing the security framework and reactive in responding to potential threats quickly and effectively.
If your network security needs a review or some advice, or if you'd like to outsource your network security to us then contact us today for a free assessment.