Secure security networks

22 Feb 2009
By John Adams
Installers building networked electronic security solutions need to keep in mind that a key element of system design will be ensuring the security of connected devices.
A FUNCTIONAL security solution depends on a series of layers whether you’re dealing with physical or logical security issues. You need walls and gates, well-lit places where attacks are obvious, gatehouses where incoming traffic can be checked and access controlled doors driven by an up-to-date access database. You also need intrusion alarms alerting of unauthorized entry and a surveillance system that lets you oversee what’s happening on the network.

You will need high security locations on a network just as you do in physical sites where there may be a systems room, a bond store or a security control room. And finally you’ll need a response and management team with a clearly defined chain of command. Think about the security of your networked security devices in this way and you won’t go wrong.

Central to network security is working out what you need to protect and from whom. This means you need to undertake a full audit of the system and the threats it faces, taking into account vulnerabilities and paying particular attention to protecting vital operational aspects of the system.

For the security installation team it’s going to be relatively easy to establish the most vital network components. These may be as simple as a DVR or as complicated as an integrated solution combining alarms, access control, SCADA and video surveillance across a global footprint incorporating hundreds of sites.

Along with providing protection online, securing network security components also means you need to physically secure the location of DVRs, access control head ends, door controllers and more.

Establishing vulnerabilities is a central issue. Consider an off-the-shelf server being used as a video server in a networked environment. You’ll need to establish the default protection level of the server taking into account the fact that more popular operating systems are likely to be exposed to greater levels of attack than less common Linux or BSD platforms.

Start by jotting down all elements of the system – DVRs, video servers, authorized workstations, routers, operating systems, IP cameras and streaming devices. Once you have a list of all components on your network rate their importance to the overall operation of the electronic security application as low, moderate or high. A video server will have a high rating while a duplicated router or a workstation may have a low one.

Once this is complete, figure out the vulnerability of the system components and rate them in the same way. Once you’ve figured out what’s important and what’s at risk, start thinking about ways to provide a secure environment for these components to operate in. For high risk, high importance items like video or SQL authentication servers you will need a management area with double authentication and no inward or outward access. For low risk components with high levels of inherent security you may simply need double authentication.

When thinking about authentication, consider the type of authentication you need. Will passwords be enough? Double authentication may simply constitute 2 passwords – this is a system that works well enough for many banks. In higher security sites a prox card and a password, or a biometric, may be required. Another thing that’s going to need to be addressed is the required synergy between physical and cyber access control solutions.

Remember that the central pillar of network protection against external and internal online threats is going to be restricting inward access using a protective network structure and a properly managed access control database and credential library.

Challenging you will be global electronic security applications. While your instincts will be to lock your security management systems up and throw away the key, some devices like DVRs will need to be available across the Internet. This means there will be some compromises in security levels and/or some compromises in performance levels.

How can you achieve this? You need protection but it needs to be affordable and manageable. That means you need low security domains that might be generally unprotected, while the high security elements of the system are wrapped in cotton wool and kept in an environment of the highest possible security.

You’ll need to do this because sometimes it’s not possible to have quality firewalls protecting every networked device. Low security areas might be protected with an aggressive network intrusion detection system backed by a proactive security policy. Screening routers may not be able to protect you from every sort of attack. But a capable NIDS on a high security management subnet will allow you to detect an attack and respond as well as you can – even if that means pulling the plug.

The importance of partitioning

Ensuring defence in depth in a networked system is going to mean partitioning. At the very least you want to keep high security components of the system in a high security subnet, while moderate and low security machines reside in less secure environments.

Each partition needs to be protected by its own firewall offering stateful inspection and packet filtering. Whatever else goes on you want to decree what and who gets through the gate – and you want to know who they were, where they went and what they did once inside.

What this means is that the security team may wind up installing physical elements of the security system in the server closet for

Depending on the size of the solution the systems team may build a structure in which subnets of machines with similar vulnerabilities and levels of importance are located on the same switch, separated by VLANs. DVRs, SQL servers and authorized workstations might share a trusted subnet, with all paths to the trusted switch passing through well-managed firewalls.

Then there’s the possibility, especially in the case of smaller systems, that the security function (or elements of it) might reside on the highest security administration subnet. In bigger sites systems managers aren’t going to be opening up this location for anything, but it may be the best solution in small and medium solutions.

An existing management subnet is going to be inherently secure with rock solid access protection and encrypted communications protocols. External Internet access for remote management? Forget about it.
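The partition scheme from the preceding paragraphs, as an added example that is not part of the original article: three constructed subnets (management, trusted, low), a first-match rule set with default deny, and a small stateful filter that logs every decision so you know who came through the gate, where they went and on which port. Addresses, zone names, ports and the rule set are all assumptions chosen for illustration; a real firewall would carry the same policy in its own rule language.

```python
"""Added example, not from the original article: a model of a partitioned
security network with a stateful, logging filter at each partition's gate.
All addresses, zones, ports and rules below are constructed assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Constructed subnet plan, one partition per importance/vulnerability tier.
SUBNETS = {
    "management": ipaddress.ip_network("10.0.0.0/24"),  # loggers, config, auth servers
    "trusted": ipaddress.ip_network("10.0.10.0/24"),    # DVRs, SQL, authorized workstations
    "low": ipaddress.ip_network("10.0.20.0/24"),        # cameras and other low-importance gear
}


def zone_of(ip: str) -> str:
    """Map an address to its partition; anything outside the plan is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, net in SUBNETS.items():
        if addr in net:
            return name
    return "internet"


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: Optional[int]  # None matches any port
    action: str              # "allow" or "deny"


# First match wins; anything unmatched is dropped (default deny).
POLICY: List[Rule] = [
    Rule("management", "trusted", None, "allow"),  # admins manage DVRs and SQL
    Rule("trusted", "management", 514, "allow"),   # syslog to the logging server only
    Rule("low", "trusted", 554, "allow"),          # cameras stream RTSP to the DVRs
    Rule("internet", "trusted", 443, "allow"),     # the one DVR service exposed remotely
    Rule("management", "internet", None, "deny"),  # no remote management, ever
]


class PartitionFirewall:
    """Stateful filter at the gate of a partition: decides who gets through
    and records who they were, where they went and which port they used."""

    def __init__(self, rules: List[Rule]):
        self.rules = rules
        self.conntrack = set()      # flows already admitted by a rule
        self.log: List[dict] = []   # what a logging server would collect

    def filter(self, src: str, sport: int, dst: str, dport: int) -> bool:
        # A reply to an admitted flow passes without a rule (stateful inspection).
        if (dst, dport, src, sport) in self.conntrack:
            return self._record(src, dst, dport, "allow", "established")
        sz, dz = zone_of(src), zone_of(dst)
        for r in self.rules:
            if (r.src_zone, r.dst_zone) == (sz, dz) and r.dst_port in (None, dport):
                if r.action == "allow":
                    self.conntrack.add((src, sport, dst, dport))
                return self._record(src, dst, dport, r.action, "rule")
        return self._record(src, dst, dport, "deny", "default")

    def _record(self, src, dst, dport, verdict, reason) -> bool:
        self.log.append({"src": src, "src_zone": zone_of(src), "dst": dst,
                         "dst_zone": zone_of(dst), "dport": dport,
                         "verdict": verdict, "reason": reason})
        return verdict == "allow"


def demo():
    """Run a constructed sequence of flows through the trusted-subnet gate."""
    fw = PartitionFirewall(POLICY)
    results = [
        fw.filter("10.0.0.5", 40000, "10.0.10.20", 22),     # management -> DVR ssh: allow
        fw.filter("10.0.10.20", 22, "10.0.0.5", 40000),     # reply: established
        fw.filter("10.0.10.20", 50000, "10.0.0.9", 514),    # DVR -> syslog: allow
        fw.filter("10.0.10.20", 50001, "10.0.0.9", 22),     # DVR -> mgmt ssh: default deny
        fw.filter("203.0.113.7", 3333, "10.0.10.20", 443),  # internet -> DVR https: allow
        fw.filter("203.0.113.7", 3334, "10.0.10.20", 22),   # internet -> DVR ssh: deny
        fw.filter("10.0.0.5", 3335, "203.0.113.7", 443),    # mgmt -> internet: deny
    ]
    return results, fw.log


if __name__ == "__main__":
    verdicts, entries = demo()
    for e in entries:
        print(f"{e['src_zone']:>10} {e['src']:>13} -> {e['dst_zone']:>10} "
              f"{e['dst']:>13}:{e['dport']:<5} {e['verdict']} ({e['reason']})")
```

The last rule and the default deny together give the management subnet the "no external access" posture described above, and the reply packet in the demo is the one case where state, not a rule, decides; the log entries are what the logging server on the management subnet would receive.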

The management subnet will incorporate things like logging servers, configuration machines and authentication servers. Depending on the security level required there may be out-of-band management located on the management subnet as well. Out-of-band management capabilities denote a parallel management network that monitors and controls a data network. Most systems use in-band SNMP, however.

Proactive protection

Regardless of the protective network structure you end up adopting, the only way you’re going to ensure ongoing security is by monitoring the network and its components – particularly the trusted and high security subnets.

Small organizations might simply have a firewall defending their site, but for higher security sites and applications this is not going to be enough. Instead you’ll need to support the firewall using network intrusion detection, secure system loggers and authentication servers. Careful readers will have noticed something – all these applications must be located and isolated on the management LAN.

Security integrators in many cases may hand their networked systems over to network security managers and their teams, especially if some elements of the integrated security system are devoted to authentication. This will become more important given the U.S. government recently decreed both cyber and physical access credentials must be integrated.

Network security teams are still likely to preside over trusted subnets so there will be a need for the security manager and the network security team to work together.

When building a network you’d be best to install network intrusion detection systems on each and every subnet of the system. Security integrators need to be thinking about putting NIDS in front of every subnet on which networked security devices are installed – depending on the nature of the system this may only be a single trusted subnet.

The general rule is that it’s better to leave low importance, low cost elements of the network vulnerable than to scrimp on protection for vital network components.

Every network intrusion device should be set up with a pair of network interface cards (NICs) with one NIC located on the monitored subnet and the other on the management LAN allowing fast and secure reporting of intrusion events. Under no circumstances should NIDS be given an IP address on a monitored subnet.
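A check for the two-NIC sensor layout just described, added here as an example and not taken from the article or any NIDS product. It parses the output of `ip -o link show` and `ip -o addr show` (constructed inline below; the interface names eth0 and eth1 and the management subnet 10.0.0.0/24 are assumptions) and reports every way the sensor departs from the rule, in particular an IP address on the monitored interface.

```python
"""Added example, not from the original article: verify that a NIDS sensor's
two interfaces are laid out as the text requires. The `ip` output and the
interface names and subnet are constructed assumptions."""
import ipaddress
from typing import Dict, List, Set

# Constructed `ip -o link show` output for a correctly built sensor:
# eth0 on the management LAN, eth1 sniffing the monitored subnet in
# promiscuous mode with no address of its own.
GOOD_LINKS = """\
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN mode DEFAULT group default qlen 1000\\    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:01 brd ff:ff:ff:ff:ff:ff
3: eth1: <BROADCAST,MULTICAST,PROMISC,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP mode DEFAULT group default qlen 1000\\    link/ether 02:00:00:00:00:02 brd ff:ff:ff:ff:ff:ff
"""
# Constructed `ip -o addr show` output for the same sensor (eth1 has no line).
GOOD_ADDRS = """\
1: lo    inet 127.0.0.1/8 scope host lo\\       valid_lft forever preferred_lft forever
2: eth0    inet 10.0.0.50/24 brd 10.0.0.255 scope global eth0\\       valid_lft forever preferred_lft forever
"""
# The same sensor misconfigured: someone gave eth1 an address on the monitored subnet.
BAD_ADDRS = GOOD_ADDRS + (
    "3: eth1    inet 10.0.10.50/24 brd 10.0.10.255 scope global eth1\\       "
    "valid_lft forever preferred_lft forever\n"
)
# And a sensor whose sniffing interface was never put into promiscuous mode.
NO_PROMISC_LINKS = GOOD_LINKS.replace("PROMISC,", "")


def parse_links(text: str) -> Dict[str, Set[str]]:
    """`ip -o link show` lines -> {ifname: set of flags in the <...> field}."""
    links: Dict[str, Set[str]] = {}
    for line in text.splitlines():
        parts = line.split(": ", 2)
        if len(parts) < 3 or not parts[2].startswith("<"):
            continue
        name = parts[1].split("@")[0]           # strip "@parent" on VLAN interfaces
        flags = parts[2][1:parts[2].index(">")]
        links[name] = set(flags.split(","))
    return links


def parse_addrs(text: str) -> Dict[str, List[ipaddress._BaseAddress]]:
    """`ip -o addr show` lines -> {ifname: [ip_interface, ...]} (v4 and v6)."""
    addrs: Dict[str, list] = {}
    for line in text.splitlines():
        tok = line.split()
        if len(tok) >= 4 and tok[2] in ("inet", "inet6"):
            addrs.setdefault(tok[1], []).append(ipaddress.ip_interface(tok[3]))
    return addrs


def check_sensor(links_out: str, addrs_out: str, monitor_if: str,
                 mgmt_if: str, mgmt_net: str) -> List[str]:
    """Return a list of findings; an empty list means the layout follows the rule."""
    links, addrs = parse_links(links_out), parse_addrs(addrs_out)
    net = ipaddress.ip_network(mgmt_net)
    findings: List[str] = []

    if monitor_if not in links:
        findings.append(f"{monitor_if}: monitored interface not present")
    else:
        flags = links[monitor_if]
        if "UP" not in flags:
            findings.append(f"{monitor_if}: monitored interface is down")
        if "PROMISC" not in flags:
            findings.append(f"{monitor_if}: not in promiscuous mode, sensor sees only its own traffic")
    # The rule from the text: no address of any kind on the monitored side.
    for a in addrs.get(monitor_if, []):
        findings.append(f"{monitor_if}: has address {a}; a sniffing interface must have none")

    # The management side must carry an address inside the management subnet.
    mgmt_addrs = [a for a in addrs.get(mgmt_if, []) if a.version == 4]
    if not mgmt_addrs:
        findings.append(f"{mgmt_if}: no IPv4 address, cannot report to the management LAN")
    for a in mgmt_addrs:
        if a.ip not in net:
            findings.append(f"{mgmt_if}: address {a} is outside the management subnet {net}")
    return findings


if __name__ == "__main__":
    for label, links, addrs in (("good", GOOD_LINKS, GOOD_ADDRS),
                                ("addressed", GOOD_LINKS, BAD_ADDRS),
                                ("no-promisc", NO_PROMISC_LINKS, GOOD_ADDRS)):
        print(label, check_sensor(links, addrs, "eth1", "eth0", "10.0.0.0/24") or "OK")
```

On a live sensor the two strings would come from running the commands; the parser reads one interface per line, which is what the `-o` flag guarantees, and ignores link lines for interfaces that have no addresses.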

It goes without saying that NIDS without reporting and organized response are no better than local alarm systems without sirens – pretty much useless. There are a number of options you will need to consider when planning reporting, monitoring and response functions for NIDS protecting network security systems and we’ll get to these later on.

Using network intrusion devices

It’s very important not to just throw NIDS at a security subnet and then consider the job done. Intrusion detection systems are part of an overall security solution but they need to be supported by a firewall that’s regularly tuned up and a set of tough procedures that are actually followed – the most important of these being regular security audits.

It’s very common for NIDS providers to talk about their systems as offering high tech security solutions for networks, almost as if these systems will detect an intruder and ride to the rescue with a war-chest of responses to any attack. There might be an element of truth to this but there’s plenty of hype as well.

Never forget that NIDS capability is directly linked to the breadth of the attack database stored on it and how up to date that database is. You also want performance – not just from the NIDS system itself but ease of use of the analysis console. There are 8 key things you need to think about when looking at NIDS. These are implementation, administration and security, response and reporting, documentation, technical support, and cost.

On the operational side you will have to be sure your system is capable of detecting events in a timely way and you also want some kind of restriction on false positive alarm events. Then there’s a need for logging of attack events – this will let you monitor activity and conduct forensic investigations. Last and perhaps most importantly, no NIDS will be any use if it’s unable to work in a seriously congested environment. Make sure the selected NIDS will operate in your environment.

An advantage of intrusion detection is that it gives administrators a very clear idea of what sort of attack traffic they are up against – if any. Any attack that gets through and is detected is an attack the network should be protected against immediately. Keeping a security solution evolving therefore means being aware of the sorts of attacks the system is commonly being exposed to. Along with this, NIDS will clearly indicate the performance of other security devices protecting a network.

A serious problem with NIDS is false alarms. Early system developers were panned for focusing on bells and whistles without paying any attention to things like accurate detection and diagnosis of attacks. What this meant was that systems were exceptionally good at contacting network support teams to inform them of the false alarms they had generated. The more false alarms generated the harder it is going to be for administrators to weed out actual attacks.

One way around this could be to locate NIDS on both sides of a trusted subnet firewall, using signatures carefully set up in order to reduce false alarms. Another good feature is the ability to pick up trends and display these trends before alarms are generated, and a good product is also likely to integrate network intrusion detection and pattern matching data sources.

A key issue with NIDS is going to be their impact on bandwidth so watch this – older systems were certain to both detect and consume network bandwidth with no guarantee of picking up on actual intrusion. Try to establish how much time it will take to set NIDS up so that it’s able to flag actual attacks while ignoring innocent network communications.

A NIDS solution has a sensor or sensors that monitor traffic, detect attacks by comparing the nature of communications to a database of known attacks – this is signature detection – or uncover anything that is unusual or strange when compared to typical network communications, a method called anomaly detection.

Central to the performance of signature detection systems is library size and maintenance. Signature detection is great in that it will pick up any known form of attack, but there is a fundamental weakness in that it won’t pick up an attack it’s never run across before. At the same time you need to consider the network environment in which an anomaly-based system operates. If there is a consistency of traffic then aberrations will stand out. A more complicated environment is going to be tougher going for anomaly-based systems.
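The two detection methods described above, run over constructed traffic, as an added example that is not from the article: a signature scan with a two-entry pattern table, and an anomaly scan that learns a per-source request-rate baseline and flags departures from it. The records, signatures, baselines and threshold (mean plus three standard deviations) are all assumptions; the same burst is scored against a quiet baseline and a busy one to show the environment problem the last paragraph raises.

```python
"""Added example, not from the original article: signature detection and
anomaly detection as a NIDS sensor performs them, over constructed data."""
import re
import statistics
from typing import Dict, List, Tuple

# Constructed traffic records: (source, destination, dest_port, payload excerpt)
RECORDS: List[Tuple[str, str, int, str]] = [
    ("10.0.20.11", "10.0.10.20", 554, "DESCRIBE rtsp://10.0.10.20/cam1 RTSP/1.0"),
    ("10.0.20.12", "10.0.10.20", 554, "DESCRIBE rtsp://10.0.10.20/cam2 RTSP/1.0"),
    ("203.0.113.7", "10.0.10.20", 80, "GET /../../etc/passwd HTTP/1.1"),
    ("203.0.113.8", "10.0.10.21", 1433, "SELECT * FROM users WHERE name='' OR 1=1--"),
    ("10.0.0.5", "10.0.10.20", 22, "SSH-2.0-OpenSSH_8.9"),
]

# Constructed signature database: name -> pattern. What signature detection
# can see is bounded by how broad and how current this table is.
SIGNATURES = {
    "path-traversal": re.compile(r"\.\./"),
    "sql-tautology": re.compile(r"'\s*OR\s+1\s*=\s*1", re.IGNORECASE),
}


def signature_scan(records, signatures=SIGNATURES):
    """Flag every record whose payload matches a known-attack pattern."""
    hits = []
    for src, dst, port, payload in records:
        for name, pattern in signatures.items():
            if pattern.search(payload):
                hits.append((name, src, dst, port))
    return hits


def build_baseline(history: Dict[str, List[int]]) -> Dict[str, Tuple[float, float]]:
    """history: {source: [requests per window, ...]} from a training period.
    Returns {source: (mean, population stdev)}, the model of 'typical' traffic."""
    return {src: (statistics.mean(c), statistics.pstdev(c)) for src, c in history.items()}


def anomaly_scan(baseline, observed: Dict[str, int], k: float = 3.0):
    """Flag sources whose request count exceeds mean + k * stdev. A source
    absent from the baseline is flagged too: nothing 'normal' is known about it."""
    alerts = []
    for src, count in observed.items():
        if src not in baseline:
            alerts.append((src, count, "unknown source"))
            continue
        mean, sd = baseline[src]
        threshold = mean + k * sd
        if count > threshold:
            alerts.append((src, count, f"exceeds {threshold:.1f}"))
    return alerts


# Constructed baselines. QUIET: steady camera polling, tight spread.
# BUSY: the same cameras on a site with bursty, irregular traffic, wide spread.
QUIET_HISTORY = {"10.0.20.11": [10, 11, 10, 9, 10], "10.0.20.12": [12, 11, 12, 13, 12]}
BUSY_HISTORY = {"10.0.20.11": [5, 40, 12, 33, 8], "10.0.20.12": [9, 35, 14, 28, 11]}
# One observed window in which cam2 suddenly sends several times its usual traffic.
OBSERVED = {"10.0.20.11": 10, "10.0.20.12": 40}


if __name__ == "__main__":
    print("signature hits:", signature_scan(RECORDS))
    print("anomalies, quiet site:", anomaly_scan(build_baseline(QUIET_HISTORY), OBSERVED))
    print("anomalies, busy site: ", anomaly_scan(build_baseline(BUSY_HISTORY), OBSERVED))
```

On the constructed data the signature scan reports the two requests it has patterns for and nothing else, and says nothing about the camera burst, which matches no signature; the anomaly scan reports the burst against the quiet baseline, but against the busy baseline the same count falls inside three standard deviations and goes unreported, which is the "more complicated environment" problem the paragraph describes. The traversal request, a single packet, never registers as a rate anomaly at all.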