Tuesday, July 15, 2014

Best practices: a multi-layered approach to securing your network

When it comes to preventing unauthorized access to your mission-critical data, there is no single silver-bullet solution. To minimize risk, security best practices call for a multi-layered approach that combines desktop, LAN, server and WAN controls, so that no single failure exposes your credit union's network.

Here are a few proven tips and tactics to employ:

Desktop:
  • Ensure desktops are running a supported operating system.
  • Ensure operating system and business application patches are kept up to date.
  • Ensure business applications used in the organization are current and supported by the vendor.
  • Ensure business applications are standardized across the organization.
  • Ensure anti-virus software is installed and patched, and that it receives virus signature updates at least daily.
  • Establish a centralized user authentication method such as Active Directory to centralize user and security policy administration.
  • Establish and enforce a strong user authentication (password) policy.
  • Establish desktop user policies covering:
    • Business versus personal use.
    • Not opening emails or attachments from unknown sources.
    • Not emailing unencrypted confidential data (account numbers, Social Security numbers, birth dates, etc.).
    • Use of peripheral devices (e.g. CD-ROMs, USB flash drives, etc.).
    • Periodic password expiration, forcing the user to change his/her password.

Local Area Network (LAN):
  • Only network data ports that have a user device connected should be active. Unused ports should be shut down at the network switch so that an unauthorized person cannot plug in and capture data packets.
  • Credit union business units should be set up on separate VLANs so that employees cannot capture data packets from other business units. As an example, the accounting department may be separated from the tellers.
  • Wireless:
    • Wireless connections should use strong encryption: WPA2 with AES (CCMP). WEP and WPA with TKIP should not be used.
    • SSID broadcast can be turned off to make the network less conspicuous, but this is not a security control: the SSID is still sent in the clear in probe and association frames, so rely on encryption and authentication rather than on hiding the name.
    • Users’ authentication should be part of the same centralized authentication method used for desktops, such as Active Directory (WPA2-Enterprise with 802.1X/RADIUS rather than a shared pre-shared key).
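The first two LAN bullets are easier to enforce with a periodic audit than by memory. The Python below is an added example written for this post, not tooling from EPL or any vendor. It parses a constructed sample in the layout of a Cisco IOS "show interfaces status" listing, reports ports that are enabled but have nothing connected (the live jacks an intruder could use) and access ports never moved off the default VLAN 1, and emits the IOS commands to shut those ports and park them on an unused VLAN. The port names, labels, VLAN numbers and the parking VLAN 999 are assumptions for the example.

```python
import re
from collections import namedtuple

# Constructed sample in the layout of a Cisco IOS "show interfaces status"
# listing. Ports, names, VLANs and states are made up for this example; none
# of it comes from a real device.
SAMPLE_STATUS = """\
Port      Name               Status       Vlan       Duplex  Speed Type
Gi1/0/1   Teller-01          connected    20         a-full  a-1000 10/100/1000BaseTX
Gi1/0/2   Teller-02          connected    20         a-full  a-1000 10/100/1000BaseTX
Gi1/0/3                      notconnect   1            auto   auto 10/100/1000BaseTX
Gi1/0/4   Accounting-01      connected    30         a-full  a-1000 10/100/1000BaseTX
Gi1/0/5   Lobby jack         notconnect   20           auto   auto 10/100/1000BaseTX
Gi1/0/6   UNUSED             disabled     999          auto   auto 10/100/1000BaseTX
Gi1/0/7   Core uplink        connected    trunk      a-full  a-1000 10/100/1000BaseTX
"""

PARKING_VLAN = 999  # assumed "black hole" VLAN for unused ports; pick your own

Port = namedtuple("Port", "name label status vlan")

# One line per port: port id, optional free-text name (may contain spaces),
# link status keyword, then the VLAN column.
LINE_RE = re.compile(
    r"^(?P<name>\S+)\s+(?P<label>.*?)\s*"
    r"(?P<status>connected|notconnect|disabled|err-disabled)\s+(?P<vlan>\S+)"
)


def parse_status(text):
    """Turn the status listing into Port records; the header line has no
    status keyword and is skipped."""
    ports = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ports.append(Port(m["name"], m["label"].strip(), m["status"], m["vlan"]))
    return ports


def shutdown_candidates(text):
    """Ports that are administratively up but have nothing plugged in.

    These are the live jacks an unauthorized person could use; per the bullet
    above they belong in 'disabled' state at the switch."""
    return [p.name for p in parse_status(text) if p.status == "notconnect"]


def default_vlan_ports(text):
    """Ports still on VLAN 1, i.e. never assigned to a business-unit VLAN."""
    return [p.name for p in parse_status(text) if p.vlan == "1"]


def remediation_config(port_names):
    """Cisco IOS configuration that shuts the listed ports and parks them on
    the unused VLAN, so that re-enabling one by mistake still grants no
    access to a business-unit VLAN."""
    lines = []
    for name in port_names:
        lines += [
            f"interface {name}",
            " description UNUSED - shut per port audit",
            f" switchport access vlan {PARKING_VLAN}",
            " shutdown",
        ]
    return "\n".join(lines)


if __name__ == "__main__":
    unused = shutdown_candidates(SAMPLE_STATUS)
    print("Enabled but unused ports:", unused)
    print("Ports still on VLAN 1:", default_vlan_ports(SAMPLE_STATUS))
    print(remediation_config(unused))
```

Run it against the output of your own switches (or feed it the sample) and treat every port it lists as a finding: either the port has a legitimate device that was simply unplugged, or it should be shut. Parking on a dead-end VLAN as well as shutting the port is deliberate: a port that is only "shutdown" becomes a fully working access port on its old VLAN the moment someone issues "no shutdown".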

Corporate Servers:
  • Servers should be physically secured from unauthorized employees and should not be used as user desktops.
  • Servers should be logically isolated on their own network VLAN within the organization.
  • Servers should be running supported operating systems and should be patched soon after the vendor releases an update.


Wide Area Network (WAN):
  • Firewall:
    • Corporate Internet connections, which are “untrusted”, should be terminated on a firewall that separates them from the internal “trusted” corporate network.
    • Third-party network vendor connections should be placed on their own firewall DMZ port. Establish multiple DMZ ports when dealing with multiple third-party connections, so that one vendor cannot reach another.
    • Internet-facing servers, such as those used for email and web-based services, should be placed on a DMZ network port.
    • The firewall should be physically and logically secured from unauthorized employees.
    • The firewall should log all administrative tasks, all VPN authentication attempts (successes and failures) and every connection denied by the security access lists.
    • Firewall logs should be reviewed daily to identify potentially malicious activity.
    • The firewall should alert security/network personnel when established thresholds are reached (for example, a set number of denied connections from one source, or of failed VPN logins for one user).

  • An Intrusion Detection System (IDS) should be deployed, at a minimum, on the credit union’s Internet connection between the firewall and the Internet router/switch port, and should be monitored by a third-party service specializing in firewall and IDS management.
  • An Intrusion Prevention System (IPS) should be deployed inline on the Internet connection between the firewall and the Internet router/switch, so that suspicious traffic is blocked before it reaches the firewall.
  • Routers:
    • Routers should be running a supported operating system version and should be patched as soon as the vendor releases an update.
    • Routers should use security access lists so that only traffic meeting the access list requirements is allowed and everything else is dropped.
    • Routers should be physically and logically secured from unauthorized access.
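The firewall bullets on logging, daily review and threshold alerts describe a routine that is easy to skip when it is done by eye. The Python below is an added example, not EPL’s code or any vendor’s tool. It runs over constructed syslog-style firewall lines (a generic key=value format that is not any specific product’s, addresses from the RFC 5737 documentation ranges, made-up users) and flags the three things a daily reviewer most wants to see: one source denied on many ports (a probable scan), repeated VPN login failures for one user, and administrative changes made outside an assumed change window. The thresholds and the change window are assumed starting points to tune against your own baseline.

```python
import re
from collections import Counter, defaultdict

# Constructed firewall log for one day. The key=value layout is generic
# (loosely modelled on iptables-style syslog); hosts, users and addresses
# (RFC 5737 documentation ranges) are made up for this example.
SAMPLE_LOG = """\
Jul 15 02:05:41 fw01 admin: user=admin action=acl-change rule=50 result=applied
Jul 15 02:14:05 fw01 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=21
Jul 15 02:14:06 fw01 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=22
Jul 15 02:14:06 fw01 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=23
Jul 15 02:14:07 fw01 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=25
Jul 15 02:14:07 fw01 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=80
Jul 15 02:14:08 fw01 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=443
Jul 15 02:14:08 fw01 kernel: DENY IN=eth0 SRC=203.0.113.45 DST=192.0.2.10 PROTO=TCP DPT=3389
Jul 15 03:40:12 fw01 kernel: DENY IN=eth0 SRC=198.51.100.200 DST=192.0.2.10 PROTO=UDP DPT=137
Jul 15 07:58:01 fw01 vpn: user=jsmith auth=FAILED src=198.51.100.7
Jul 15 07:58:09 fw01 vpn: user=jsmith auth=FAILED src=198.51.100.7
Jul 15 07:58:15 fw01 vpn: user=jsmith auth=FAILED src=198.51.100.7
Jul 15 07:58:31 fw01 vpn: user=jsmith auth=OK src=198.51.100.7
Jul 15 08:10:02 fw01 vpn: user=mlee auth=OK src=198.51.100.22
Jul 15 09:30:00 fw01 admin: user=admin action=acl-change rule=51 result=applied
Jul 15 11:02:44 fw01 kernel: DENY IN=eth0 SRC=198.51.100.200 DST=192.0.2.10 PROTO=UDP DPT=138
"""

# Review thresholds: assumed starting points, not vendor defaults.
DENY_THRESHOLD = 5       # denied connections from one source per day
VPN_FAIL_THRESHOLD = 3   # failed VPN logins for one user per day
CHANGE_WINDOW = (8, 18)  # hours (24h clock) in which admin changes are expected

TIME_RE = re.compile(r"^\w{3} +\d{1,2} (?P<hh>\d{2}):\d{2}:\d{2}")
DENY_RE = re.compile(r"DENY .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=(?P<proto>\S+) DPT=(?P<dpt>\d+)")
VPN_RE = re.compile(r"vpn: user=(?P<user>\S+) auth=(?P<result>\S+) src=(?P<src>\S+)")
ADMIN_RE = re.compile(r"admin: user=(?P<user>\S+) action=(?P<action>\S+)")


def review(log_text):
    """Walk one day of firewall log and return the items a reviewer should
    look at, plus raw totals for the daily record."""
    denies = Counter()            # denied connections per source address
    ports_hit = defaultdict(set)  # destination ports each source was denied on
    vpn_failures = Counter()      # failed VPN authentications per user
    admin_events = []             # (hour, raw line) for every admin action
    for line in log_text.splitlines():
        t = TIME_RE.match(line)
        hour = int(t["hh"]) if t else -1  # -1: no timestamp, always flagged
        m = DENY_RE.search(line)
        if m:
            denies[m["src"]] += 1
            ports_hit[m["src"]].add(int(m["dpt"]))
            continue
        m = VPN_RE.search(line)
        if m:
            if m["result"] != "OK":
                vpn_failures[m["user"]] += 1
            continue
        m = ADMIN_RE.search(line)
        if m:
            admin_events.append((hour, line))
    start, end = CHANGE_WINDOW
    return {
        "scan_sources": {src: sorted(ports_hit[src])
                         for src, n in denies.items() if n >= DENY_THRESHOLD},
        "vpn_bruteforce": {u: n for u, n in vpn_failures.items()
                           if n >= VPN_FAIL_THRESHOLD},
        "offhours_admin": [line for hour, line in admin_events
                           if not (start <= hour < end)],
        "totals": {"denies": sum(denies.values()),
                   "vpn_failures": sum(vpn_failures.values()),
                   "admin_events": len(admin_events)},
    }


def alerts(report):
    """Human-readable alert lines, one per threshold crossed."""
    out = []
    for src, ports in report["scan_sources"].items():
        out.append(f"possible scan from {src}: denied on ports {ports}")
    for user, n in report["vpn_bruteforce"].items():
        out.append(f"{n} failed VPN logins for user {user}")
    for line in report["offhours_admin"]:
        out.append(f"admin change outside change window: {line}")
    return out


if __name__ == "__main__":
    report = review(SAMPLE_LOG)
    print("totals:", report["totals"])
    for a in alerts(report):
        print("ALERT:", a)
```

On the sample this reports nine denies, three VPN failures and two admin events, and raises three alerts: the scan from 203.0.113.45, the three failed logins for jsmith (followed by a success, which is exactly the pattern worth a phone call), and the 02:05 access-list change. The point of the totals is the daily record the bullet asks for; the point of the alerts is that thresholds, not eyeballing, decide what gets escalated.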

Connecting you with ideas to maximize your protection is one of our top goals at EPL, and together, these tips and strategies should provide you with a formidable network security solution. If you have any questions or concerns regarding your current network security solution, don’t hesitate to contact me.

Larry Linville

SVP of Operations

EPL, Inc. 

