Implementation Roadmap

What You Need

to Implement a
Network Security
Solution

07/30/02 8429/JW
Introduction
A breach in network security could cost your company a
great deal in lost productivity, lost data, repair work, and loss
of confidence among customers, partners, and employees.
But these damages are preventable. You just need a solid
security strategy and a well-planned implementation.
With the explosion of the public Internet and e-commerce,
private computers and computer networks are increasingly
vulnerable to damaging attacks. Hackers, viruses, vindictive
employees, and even human error all represent clear and
present dangers to networks. And all computer users, from
the most casual Internet surfers to large enterprises, could
be affected by network security breaches.
However, security breaches can often be easily prevented. How?
This roadmap provides you with a general overview of the most
common network security threats and the steps you and your
organization can take to protect yourselves and ensure that the
data traveling across your networks is safe.
Reliable, scalable, accessible, and manageable computer
networks, applications, and tools are essential to an
effective security implementation.
2
What Is Network Security?
Network security involves all activities that organizations,
enterprises, and institutions undertake to protect the value and
ongoing usability of assets and the integrity and continuity of
operations. An effective network security strategy requires
identifying threats and then choosing the most effective set
of tools to combat them.
Threats to network security include:
• Viruses—Computer programs written by devious pro-
grammers and designed to replicate themselves and infect
computers when triggered by a specific event
• Trojan horse programs—Delivery vehicles for destructive
code, which appear to be harmless or useful software
programs such as games
• Vandals—Software applications or applets that cause
destruction
• Attacks—Including reconnaissance attacks (information-
gathering activities to collect data that is later used to
compromise networks); access attacks (which exploit network
vulnerabilities in order to gain entry to e-mail, databases,
or the corporate network); and denial-of-service attacks
(which prevent access to part or all of a computer system)
• Data interception—Involves eavesdropping on communi-
cations or altering data packets being transmitted
• Social engineering—Obtaining confidential network
security information through nontechnical means, such
as posing as a technical support person and asking for
people’s passwords
 Network security is an ongoing process; as technology progresses
and your business evolves, it will be more important than ever
to keep up with your changing security needs.

Network security tools include: Benefits and Examples

• Antivirus software packages—These packages counter most
virus threats if regularly updated and correctly maintained.
• Secure network infrastructure—Switches and routers have
hardware and software features that support secure connectivity,
perimeter security, intrusion protection, identity services, and
security management.
• Dedicated network security hardware and software—
Tools such as firewalls and intrusion detection systems provide
protection for all areas of the network and enable secure
connections.
• Virtual private networks—These networks provide access
control and data encryption between two different computers
on a network. This allows remote workers to connect to the
network without the risk of a hacker or thief intercepting data.
• Identity services—These services help to identify users and
control their activities and transactions on the network.
Services include passwords, digital certificates, and digital
authentication keys.
• Encryption—Encryption ensures that messages cannot be inter-
cepted or read by anyone other than the authorized recipient.
• Security management—This is the glue that holds together
the other building blocks of a strong security solution.
Implementing a network security solution can prevent costly
security intrusions, reduce overall infrastructure costs, and enhance
productivity:
• Reducing costs—A study conducted by Griggs Anderson/Gartner
Group found that security investments resulted in an average
annual savings of $426,000. The costs of connectivity, telecom-
munications infrastructure, and maintenance were reduced in
nearly 90 percent of companies.
• Enhancing productivity—The Griggs Anderson/Gartner Group
study found an average employee productivity improvement of
more than three hours per week.
• Preventing security intrusions—Recovery from damage
caused by a security breach can be costly. In addition to lost
data, lost productivity, and information technology hours
devoted to correcting problems, expenses include offsetting
negative publicity, loss of customer and investor confidence,
and overall damage to the company image. Security can prevent
all of these damages, benefiting the company’s productivity,
image, and bottom line.

None of these approaches alone will be sufficient to protect

a network, but when they are layered together, they can be
highly effective in keeping a network safe from attacks and
other threats to security. In addition, well-thought-out corporate
policies are critical to determine and control access to various
parts of the network.

3
 Strategic Business
Considerations and Questions

Following are four strategic business considerations for assessing your network security needs:

• Customer confidence—Some customers still feel wary of Internet-based transactions. Companies must
enact security policies and instate safeguards that not only are effective, but also are perceived as effective.
Organizations must communicate how they plan to protect their customers.
• Government regulations—Government bodies have enacted a variety of security regulations, some of them
specific to particular industries. Businesses that do not comply with these regulations may face penalties.
• Level of risk—Companies must identify their acceptable level of risk and their mission-critical applications.
It is also critical to determine the costs if those applications are disrupted.
• Corporate policies—Corporate policies must be defined for security, usage, forensics, and enforcement.

Deployment Considerations
and Questions

Following are five areas to consider before deploying a network security solution:

• Strategy—Understand your network security needs and objectives, and gain the support of senior management
by backing up your case with return-on-investment numbers and clear business benefits. Identify your most
critical applications, the most likely threats to your network, and your acceptable level of risk.
• Process—Clearly define the methods and practice for implementing a network security solution. What security
solutions does your company currently have in place? What are your corporate security policies? Will policy
changes be required?
• People—Training, organizational culture, and organizational structure must support your security strategy
and goals. Does your security staff have the skills, equipment, and access to implement an effective security
solution? Will you need to outsource service and support?
• Technology—Reliable, scalable, accessible, and manageable computer networks, applications, and tools are
essential to an effective security implementation, as is interoperability. Will effective security require upgrades
to your network?
• Service and support—In addition to people and technology, you will want to consider whether to use outside
services to plan, design, implement, and operate your network security solution. You will also want to consider
the potential costs of any weaknesses or downtime in your security solution, in addition to the possible cost of
future upgrades and expansion needs.

4
 Timeline

Deployment timing depends on your network security needs. A typical deployment timeline includes the
following basic elements:

• Business assessment and strategy development—Determine the current state of your company’s security
infrastructure, obtain the support of senior management, and develop a strategic vision for your company’s
network security.
• Evaluate and select technology—Determine the best software and hardware to support business needs
and strategic vision. Prioritize your criteria; interoperability, scalability, performance, etc.
• Build model and test—Connect business processes to technology features (a process known as “mapping”),
customize configurations, and conduct testing.
• Train—Familiarize users with new technology, business tools, processes, and operating activities.
• Full deployment—Implement full solution to the entire organization and network.

The sample timeline below illustrates a possible security implementation period for a business with 100 employees.

Timeline

Month 1 2 3
Week 1 2 3 4 5 6 7 8 9 10 11 12

Security Implementation Total Solution Deployment: 2.5 Months

Business Assessment and

3 weeks
Strategy Development

Evaluate and Select Technology 2 weeks

Build Model and Testing 2 weeks

Training 1 week

Full Deployment 4 weeks

5
Success Measurements

The most significant benefits of an effective network security

solution come from the absence of intrusions and attacks. These
benefits can be difficult to measure, as you might never know
what attacks would have taken place had you not had effective
security in place.

Yet a security solution has other measurable benefits, including:

• Reduced costs for connectivity, telecommunications infrastructure,

and maintenance
• Employee productivity improvement
• Customer confidence in your business’s network security
• Partner and employee confidence in your business’s
network security
• Business continuance

Summary
A network security breach can be devastating to a company.
In addition to lost business and productivity, the time and labor
involved in repairing damages can become a significant expense.
Also consider the immeasurable costs of negative publicity,
legal liabilities, and lost confidence resulting from a serious
security attack.
As time goes on, more and more new technology will be developed
to further improve the efficiency of business and communications.
At the same time, breakthroughs in technology will provide even
greater network security, and therefore greater peace of mind to
operate in cutting-edge business environments.
Provided that enterprises stay on top of this emerging technology,
as well as the latest security threats and dangers, the benefits of
networks will most certainly outweigh the risks. But it’s important
to remember that network security is an ongoing process; as
technology progresses and your business evolves, it will be more
important than ever to keep up with your changing security needs.
Top Ten Security Tips
1. Encourage or require employees to choose passwords
that are not obvious.
2. Require employees to change passwords every
90 days.
3. Make sure your virus protection subscription is
current.
4. Educate employees about the security risks of
e-mail attachments.
5. Implement a complete and comprehensive network
security solution.
6. Assess your security posture regularly.
7. When an employee leaves a company, remove
that employee’s network access immediately.
8. If you allow people to work from home, provide a
secure, centrally managed server for remote traffic.
9. Update your Web server software regularly.
10. Do not run any unnecessary network services.

6
Corporate Headquarters European Headquarters Americas Headquarters Asia Pacific Headquarters
Cisco Systems, Inc. Cisco Systems International BV Cisco Systems, Inc. Cisco Systems, Inc.
170 West Tasman Drive Haarlerbergpark 170 West Tasman Drive Capital Tower
San Jose, CA 95134-1706 Haarlerbergweg 13-19 San Jose, CA 95134-1706 168 Robinson Road
USA 1101 CH Amsterdam USA #22-01 to #29-01
www.cisco.com The Netherlands www.cisco.com Singapore 068912
Tel: 408 526-4000 www-europe.cisco.com Tel: 408 526-7660 www.cisco.com
800 553-NETS (6387) Tel: 31 0 20 357 1000 Fax: 408 527-0883 Tel: +65 317 7777
Fax: 408 526-4100 Fax: 31 0 20 357 1100 Fax: +65 317 7799

Cisco Systems has more than 200 offices in the following countries and regions. Addresses, phone numbers, and fax numbers are listed on the
Cisco.com Web site at www.cisco.com/go/offices.
Argentina • Australia • Austria • Belgium • Brazil • Bulgaria • Canada • Chile • China PRC • Colombia • Costa Rica • Croatia • Czech Republic
Denmark • Dubai, UAE • Finland • France • Germany • Greece • Hong Kong SAR • Hungary • India • Indonesia • Ireland • Israel • Italy
Japan • Korea • Luxembourg • Malaysia • Mexico • The Netherlands • New Zealand • Norway • Peru • Philippines • Poland • Portugal
Puerto Rico • Romania • Russia • Saudi Arabia • Scotland • Singapore • Slovakia • Slovenia • South Africa • Spain • Sweden
Switzerland • Taiwan • Thailand • Turkey • Ukraine • United Kingdom • United States • Venezuela • Vietnam • Zimbabwe
Copyright © 2002, Cisco Systems, Inc. All rights reserved. Cisco, Cisco IOS, Cisco Systems, and the Cisco Systems logo are registered trademarks of Cisco Systems, Inc. and/or its affiliates in the U.S. and
certain other countries.

All other trademarks mentioned in this document or Web site are the property of their respective owners. The use of the word partner does not imply a partnership relationship between Cisco and any other company.
(0206R)
BW8429 07.02