For most IT professionals, network convergence is a good thing. Whether it is the convergence of data and voice networks, of data and storage networks, or, more recently, of data networks with equipment and power management networks, "convergence" means fewer networks to manage, more flexibility and lower cost. Putting device management onto the data network, however, also brings new security problems.
For security professionals, two networks mean either physical isolation or a gateway that serves as a clear security control demarcation point between them. Convergence means the two security zones are physically merged into one, yet they still have to be logically isolated from each other.
However convergence is implemented, security professionals must understand how logical isolation is to be maintained once physical isolation is gone. For example, security teams generally recommend assigning a dedicated VLAN to voice traffic, so that security controls can be enforced at the one routed intersection between the voice VLAN and the data VLAN rather than everywhere at once.
When the security team is left out of device network convergence
When a company puts its building management, environmental control, surveillance and physical access control networks onto Ethernet, previously isolated functions begin to interact with each other. The security team must put controls in place at once to protect the newly converged network from Internet-borne infections that bring worms, Trojans and DoS attacks with them.
The problem is that security staff are generally not invited to take part in network convergence and are often the last to hear about it. The most charitable reason is that security was not an early consideration, so they were notified late. The worst reason is that people assumed security would say no and therefore did not ask; this happens often.
In addition, some security and network teams are still in denial, believing their company will never migrate device management onto Ethernet even when that migration is already under way. The reality is that energy and building management networks have already been connected to Ethernet, but so piecemeal that nobody has considered their security. For example, even if you have no whiz-bang building management system controlling every light and air conditioner, you may still have mechanical plant connected to the data center Ethernet. Nobody is going to tell you, but the convergence is there.
Unvetted device management systems may harbor viruses and worms
If your data center has a cooling system or UPS with reporting and monitoring capability, it is in most cases plugged into an Ethernet switch. These control systems use standard protocols and are managed through software running on Windows or through a Web interface. They may support HTTP, HTTPS, SNMP, SMTP, SSH and FTP, as well as syslog. To save cost and effort, they may also be built on off-the-shelf software such as MySQL or MS-SQL databases, Apache or IIS Web servers, and a ready-made SNMP library. Every vulnerability those components have, the controller has too.
The surprising part is that your company may have spent millions ensuring the data center has multiple redundant paths for power, cooling and network connectivity, including independent primary and standby circuits, backup UPS systems and generators. Yet for all that redundancy, a SQL or HTTP worm poses a threat the design never considered: short of the independently designed primary and standby systems failing at the same moment, nothing was supposed to take both out, but their control systems may sit on the same Ethernet segment and carry the same vulnerability in otherwise fully independent power supplies. All that redundancy has been collapsed into a single point of failure without anyone noticing.
The experience is not unique to power management. We should have learned it from voice convergence (VoIP). No matter how many redundant call controllers were deployed, when the Slammer worm knocked out the SQL database in the call management server, many companies discovered the defect in their integration and had to take the voice network offline.
Today most companies pay more attention to voice/data separation and security, logically separating the networks and protecting voice from the threats of an infected data network. But they have learned little from that for power systems, building management systems, environmental control and physical security systems. Reality will not keep leaving room for luck.
Best practices for securing device management systems on the converged network
To protect a growing converged network that includes device-related components such as building management systems, data center control systems and smart grids, you do not need to buy pallets of new appliances. Most companies can improve their security today by applying existing security best practices and tools. To extend network security to building and power management systems, follow this road map:
1. Find them: If you do not know whether you have a power management system connected to the LAN, look at the data center, at the environmental controls in each building, and at any smart grid plans.
2. Assess risk: Pay particular attention to previously redundant and independent systems that have inadvertently been connected to a common TCP/IP network. Identify where systems need to be separated from each other and from access by the wider LAN.
3. Formulate policy: Write policy for the procurement, connection and management of building and power management systems. Set boundaries of authority, fold the systems into existing IT policy, and train the facilities staff, who may have no security experience.
4. Implement controls: Logically segment the networks and control them at the network layer, isolating their traffic from the general LAN and from each other. Separated systems should stay independent and redundant. Strengthen authentication and authorization on building and power management systems.
5. Monitor: Pull event logs and security logs from these systems into your wider monitoring infrastructure.
6. Audit: Include the newly converged networks in your regular internal and external audits to verify that the controls are implemented and effective.
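As an added illustration of steps 2, 4 and 5 above (and of the earlier point that the controlled "intersection" between a device VLAN and the data VLAN is where the security control lives), the following Python script is not from the original article or any vendor; it audits a constructed inventory of facility devices against an assumed address plan and then reviews constructed syslog lines from those devices. The VLAN prefixes, the management station address, the device names and the syslog message layout are all assumptions made for the example; real UPS and cooling controllers log in their own formats, so the regular expression would need adapting.

```python
"""Audit facility-management devices against a segmentation policy and review
their syslog output. Illustrative example; addresses, devices and log lines are
constructed for the demonstration, not taken from any real deployment."""
import ipaddress
import re
from dataclasses import dataclass

# Assumed address plan: facility devices on their own VLAN, users on the data LAN,
# and a single management station allowed to cross the boundary.
FACILITY_VLAN = ipaddress.ip_network("10.50.0.0/24")
DATA_LAN = ipaddress.ip_network("10.10.0.0/16")
MGMT_STATION = ipaddress.ip_address("10.50.0.5")

# Off-the-shelf services the article says such controllers ship with, keyed by the
# port each normally listens on. On a shared LAN every one of them is worm-reachable.
RISKY_PORTS = {
    21: "FTP",
    80: "HTTP (cleartext management)",
    161: "SNMP (v1/v2c community strings)",
    1433: "MS-SQL",
    3306: "MySQL",
}
ALLOWED_PORTS = {22, 443}  # SSH and HTTPS, and only from the management station


@dataclass(frozen=True)
class Device:
    name: str
    ip: str
    open_ports: frozenset          # from a port scan of the device
    reachable_from: frozenset      # source prefixes the ACL permits, from a rule review


def check_device(dev: Device) -> list:
    """Return segmentation findings for one facility device (steps 2 and 4)."""
    findings = []
    if ipaddress.ip_address(dev.ip) not in FACILITY_VLAN:
        findings.append(f"{dev.name}: {dev.ip} is not on the facility VLAN {FACILITY_VLAN}")
    for port in sorted(dev.open_ports):
        if port in RISKY_PORTS:
            findings.append(f"{dev.name}: exposes {RISKY_PORTS[port]} on tcp/{port}")
        elif port not in ALLOWED_PORTS:
            findings.append(f"{dev.name}: unexpected service on tcp/{port}")
    for prefix in sorted(dev.reachable_from):
        src = ipaddress.ip_network(prefix)
        # The single management host is the intended crossing point; any other
        # overlap with the user LAN means the intersection is not really controlled.
        if src.num_addresses == 1 and src.network_address == MGMT_STATION:
            continue
        if src.overlaps(DATA_LAN):
            findings.append(f"{dev.name}: reachable from data LAN prefix {prefix}")
    return findings


# Constructed inventory (assumed names and addresses).
INVENTORY = [
    Device("ups-dc1", "10.50.0.20", frozenset({22, 80, 161, 443}),
           frozenset({"10.50.0.5/32", "10.10.0.0/16"})),
    Device("crac-02", "10.50.0.21", frozenset({443}), frozenset({"10.50.0.5/32"})),
    Device("bms-gw", "10.10.7.9", frozenset({21, 1433, 8080}), frozenset({"10.10.0.0/16"})),
]

# Constructed syslog lines in a generic "host process: message src=IP" layout.
SAMPLE_SYSLOG = """\
Mar  3 10:12:01 ups-dc1 webmgmt: login failed user=admin src=10.10.4.77
Mar  3 10:12:04 ups-dc1 webmgmt: login failed user=admin src=10.10.4.77
Mar  3 10:12:07 ups-dc1 webmgmt: login failed user=admin src=10.10.4.77
Mar  3 10:13:30 ups-dc1 webmgmt: login ok user=admin src=10.10.4.77
Mar  3 10:13:45 ups-dc1 control: output off requested src=10.10.4.77
Mar  3 10:20:00 crac-02 webmgmt: login ok user=facility src=10.50.0.5
Mar  3 10:21:10 crac-02 control: setpoint changed to 27C src=10.50.0.5
""".splitlines()

LINE_RE = re.compile(
    r"^\w{3}\s+\d+ \d\d:\d\d:\d\d (?P<host>\S+) (?P<proc>\S+): (?P<msg>.*?)\s*src=(?P<src>[\d.]+)$"
)


def review_syslog(lines, failed_login_threshold=3) -> list:
    """Flag events on facility systems that only a converged network makes possible (step 5)."""
    alerts, failures, seen_off_segment = [], {}, set()
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparsed vendor formats are skipped, not silently trusted
        host, msg, src = m["host"], m["msg"], ipaddress.ip_address(m["src"])
        # Any talker outside the facility VLAN other than the management station
        # has crossed the boundary the ACL was supposed to control.
        if src not in FACILITY_VLAN and src != MGMT_STATION and (host, src) not in seen_off_segment:
            seen_off_segment.add((host, src))
            alerts.append(f"{host}: traffic from {src}, which is outside the facility VLAN")
        if msg.startswith("login failed"):
            failures[(host, src)] = failures.get((host, src), 0) + 1
            if failures[(host, src)] == failed_login_threshold:
                alerts.append(f"{host}: {failed_login_threshold} failed logins from {src}")
        if "output off" in msg or "shutdown" in msg:
            alerts.append(f"{host}: power control command '{msg}' from {src}")
    return alerts


def audit(inventory, syslog_lines) -> dict:
    """Combine both checks into one report keyed by device, plus a syslog section."""
    report = {dev.name: check_device(dev) for dev in inventory}
    report["syslog"] = review_syslog(syslog_lines)
    return report


if __name__ == "__main__":
    for section, items in audit(INVENTORY, SAMPLE_SYSLOG).items():
        for item in items:
            print(f"[{section}] {item}")
```

Run as-is, the inventory check flags the UPS for cleartext HTTP and SNMP and for an ACL that lets the whole data LAN reach it, passes the cooling unit, and flags the building-management gateway for sitting on the user LAN with FTP and MS-SQL exposed; the syslog review reports a user-LAN host reaching the UPS, three failed logins from it, and a power-off command from the same address. Replacing the constructed inventory with real scan and ACL data, and the sample lines with a feed from the syslog collector in step 5, turns this into a recurring audit check for step 6.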
If you are responsible for data security, your job now extends into buildings, the power grid and physical security systems. You may not know it yet, but these systems are already in your data center and are spreading to your offices and branches. This time you have a chance to get ahead of the threat, before the next worm powers down your data center, or your organization.