Network security

Network security policy

AJ Kumar
February 9, 2017 by
AJ Kumar

A security policy designates an organization's security controls, without specifying technologies, as well as offers high-level directives on acceptable and unacceptable actions to protect critical assets. A policy should also be applied throughout the organization in a consistent manner and provide a reference for employees to operate their typical activities. The previous article dealt with data privacy and integrity norms, and in the continuation of this series, this article provides a complete understanding about how to impose network security policies onto devices, protocols, communication or else in generic and uniform manner. This part will focus on best practices and methodologies of network security in the form of policies, instead of the actual implementation

Network security policy

There is no definitive mechanism for protecting a network because any security system can be subverted or compromised, if not from the outside then certainly from the inside. Ultimately to secure a network is to implement different layers of security so that an attacker must compromise two or more systems to gain access to critical assets. The first step in enforcing policies is to define the policies that will be enforced. Security measures often restrict personnel in their operating practices and make some activities less convenient which results in a temptation to boost security regulations. Network policies are, therefore, govern how a network should be implemented and configured to streamline employee's operation in ordinary conditions as well as guides how to react during the occurrence of abnormalities. In this context, the following section explains the imposition of policies measures of each term or principle of network security to protect information and systems.

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.

Device security

You will most likely identify different network segments with different security requirements while designing security for your network. For instance, some servers will need to be accessible by the employees. Some of on the other hand will be openly accessible. Hence, to implement security for different divisions or subdivision, you will erect perimeters that can only be crossed by certain types of traffic in the form of Public network, Private network, and semi-private network. The limitations of such network segments are founded by devices such as a router, gateway, bridge, and switch which are capable of regulating and controlling the flow of packets into and out of the segment. Communication and monitoring devices are typically deployed in the network for various purpose, must be configured properly according to requirement and accessed on the ground of given privilege and profile of users as well as, their inbuilt software most up to dated. Apart from that following measure should be taken in the context of device security as

  1. The company must sign an NDA to each employee about not disclosing the details of deployed devices inside the perimeter.
  2. Regularly applied patches and security updates released by vendors.
  3. ACL should be maintained to permit or deny TCP and UDP traffic.
  4. Services must be disabled if they are not in use.

Internet access

Internet access policies include automatically blocking of all websites identified as inappropriate (especially social media related sites) for company user. Moreover, internet access should be based on the work nature of the employee. The Internet constructs a network topology in itself and connects various crucial assets of the company for example server, account sections, etc. therefore, must be filtered, and monitored properly before wielding.

VPN policy

VPN provides a means to protect data while it travels over an untrusted network. VPN is intended for employee use of organization-owned computer system only. All kind of remote access to corporate network should be routed via VPN with a valid corporate-approval, standard operating system along with appropriate security patches. Access to company computer from home via the internet should not be allowed. To protect the network when VPN are used for remote user access, the security administrator should ensure that adequate protection is implemented over endpoints by applying L2TP with IPSec. Moreover, VPN vendors include firewalling functionality in their client to filter traffic.

Port communication policy

Communication ports either inbound or outbound at the workstation for unnecessary services must strictly be in the blocked state apart from essential service such as HTTP, HTTPS, etc. as it being mostly noticed that ports open for several services opened needlessly, that typically induces the hacker to breach the system with ease. Such security measures could be applied by the system administrator at Firewall end as the first line of defense. Hence, a workstation that does directly communicate to the internet must be limited to use only authorized communication services or ports in inbound connection.

Wireless LAN policy

To stop the possible abuse of wireless network, there should be proper user authentication ensured along with the appropriate replacement of WEP and anomaly tracking mechanism on wireless LAN. Moreover, 802.11i security measures such as TKIP, CCMP should be employed for encryption. At the same time, there is the following list of suspicious events on wireless LAN which should always consider for intrusion detection as;

  • Beacon frames from unsolicited access point
  • Flood of unauthenticated frames (MITM attack)
  • Multiple incorrect SSID on closed network
  • Frames with duplicated MAC address.
  • Randomly changing MAC address

Remote connection policy

Data security is becoming a vital issue as more organizations establish network links between their employees to share information and increase productivity. As personnel more often prefer to work from home, security begins with a terminal session between an authorized user and a remote host on a network and user can perform all functions as if he were actually on the remote host. At the same, mismanagement of user credentials can lead to exploitation too. Hence, direct access to critical server or system of an organization should be strictly in restricted mode via remote login or SSH utility in exception to authorized user. However, encrypted access could be permissible.

Firewall rules policy

When a user connects to an insecure, open network, such as the Internet, he opens a large doorway for potential attacks. One of the best ways to defense against exploitation from the insecure network is to employ firewalls at the connection point end, as it is a necessity to safeguard their private networks and communication facilities. There should be rules enforcement policy varies to the type of firewall and resource deployment on the network as.

  • In the case of dedicated server access, an application proxy firewall must be placed between the remote user and dedicated server to hide the identity of the server.
  • Secondly, if the requirement of traffic filtering based on source and destination IP/Port address, packet-filtering firewall placement is quite useful which augment speed of transmission too.
  • On the other hand, when speed is not a concern, state table (stateful inspection firewall) filters configuration at the network is an appropriate choice which dynamically validates the connection and forwards the packet.
  • Moreover, NAT should also be employ as it complements the use of firewalls in providing an extra measure of security for an organization's internal network, especially preventing DDOS or many SYN flooding attacks.
  • If you need a higher level of control than is available by preventing an IP address from communicating with your server, IP packet filtering can be used.

Intrusion policy

IDS should be housed for anomaly detection and monitoring unauthorized access, as for the extreme line of defense, firewall or antivirus are not sufficient. Security administrator must constantly check system and security log files for something suspicious. Moreover, use Advance Antivirus which has inbuilt IDS/IPS capability, for inappropriate auditing rights, elevated privileges, incorrect groups, altered permission, registry change, inactive users and much more. Most importantly, IDS software is configured on the top of an OS, but network intercepting IDSs are increasingly being deployed as hardware application because of performance perspective.

Proxy server policy

A proxy server typically resides between server and user, for both offensive and defensive purpose. When deploying a proxy server, the following checklist must make sure as:

  1. Logging facility should be enabled for all services
  2. Never allow the proxy to accept outside connection.
  3. The proxy must be running with most up-to-date patches and software.

Secure communication policy

Data that passes through many channels including a switch, routers on the network in unencrypted form, is vulnerable to many attacks such as spoofing, SYN flooding, sniffing, Data alteration, and session hijacking. Although, you are not in control to of the devices that your data might pass over, but you can secure the sensitive data or may be secure the communication channel from being data accessible to some extent. Hence, employment of numerous ciphering tactics such as SSL, TLS or, IPSec, PGP, SSH can encrypt all kind of communication such as POP, HTTP, POP3 or IMAP, and FTP because SSL packets can be passed through firewalls, NAT servers, and other network devices without any special considerations other than making sure the proper ports are open on the device. If we have some data need to transmit data over a network securely, then there are some security initiatives one need to take to mitigate the risk of an attack:

  • Authenticate the identity of people (and/or computers) who will send packets
  • Make sure that the data will not be tampered with (no MITM attack encountered)
  • Ensure that the data will not be read by any unauthorized individual between you and the source.

DMZ policy

Certain system or server for instance e-mail, web server, database etc.…that need to access the public internet, must be deployed on a dedicated subnet which separates from the internal system from outside, because publicly accessible system comes directly under attack by hackers. A potential attack against critical system can be undermined or even negligible by placing them in the segregated network along with the firewall.

Learn Network Security Fundamentals

Learn Network Security Fundamentals

Build your skills with seven hands-on courses covering network models and protocols, wireless and mobile security, network security best practices and more.


Network security policies revolve around protecting all the resources on a network from threats and further exploitation. We must not only consider the machine established on the network, but other essential network devices, network transmission media, and the data being transmitted across the network. By the end of this article, you got a thorough understanding of various network security aspects, on which there is a possibility to impose policies to establish robust, reliable, and secure network architecture. Network policies is draft by an organization to comply by its each entity for betterment of operation rather so that sort of defense could be maintained, as network vulnerability could transpire in any form and later exploited to gain access to the system, resorting to number of ways that a system can be compromised like malware infection, software bugs, an executable, code injection and many more.

AJ Kumar
AJ Kumar

AJ Kumar is a Cyber security evangelist, has a great passion for open source programming, IT security, bug detection, penetration testing, and assembly language on diverse platforms including Windows and Linux. He can be reached via ajkumarhv[at]gmail[dot]com;