This is the third article in a three-part series on best practices for deploying IP security systems. The discussion covers the wider scope of best practices for deploying physical security technology on enterprise networks. Such practices are needed because many security devices and systems were designed on the assumption that the equipment would be deployed on a completely independent security network rather than in an enterprise network environment.
The authors have formed the Bp.IP Initiative to advance best practices for deploying IP-based security systems in enterprise network environments, including practices that compensate or work around the network-related shortcomings of security products currently available.
Living in a Managed World
An enterprise network environment is a managed network environment. In a managed network:
- The locations and points of attachment of devices on the network are entirely planned and tightly controlled.
- Network traffic requirements are anticipated and provided for (consistent with resource constraints).
- Optimization is given attention.
- Devices are actively monitored and offline conditions are quickly investigated and remedied.
- Computer and network access is controlled.
- Firewalls and other measures are in place to help protect the network against unauthorized internal or external traffic.
For example, in a well-managed enterprise network, a port on a network switch will be shut down automatically if an unacceptable network traffic condition occurs. There is usually a critical data backup scheme, whereby a standard backup solution is put into place and used as appropriate for various classes of data. Backup and emergency power provisions keep critical portions of the network operational (along with critical information systems) during power outages. Redundant network paths are designed and managed so that loss of a single pathway triggers a rerouting of affected network traffic.
The Role of Logs
Another aspect of a managed network environment is the use of logs to capture system and network status and event information, including computer and network security events. Logging is so important to managing networks that the National Institute of Standards and Technology (NIST) published specific recommendations in its Special Publication 800-92, Guide to Computer Security Log Management. Additionally, the Internet Engineering Task Force (IETF) formalized a commonly used protocol for log entry information, the syslog protocol (syslog is short for system log). Originally syslog was created to provide diagnostic information for network operations troubleshooting; it is now also used for reporting security event information.
Most enterprise networks contain one or more log management infrastructures (meaning the hardware, software, and data storage used to generate, transmit, store, analyze and dispose of log data). Deploying security systems and products that support syslog reporting means that IT's existing network log management infrastructure can be used to monitor and manage the health and security of security systems on the network. Readers with a technical interest in syslog should see the overview at: www.ciscopress.com/articles/article.asp?p=426638. In March 2009, the syslog protocol was updated (as RFC 5424) to provide a message format that enables vendor-specific extensions to be provided in a structured way. A number of network cameras from Axis, Cisco and others support syslog messaging.
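To make the RFC 5424 format concrete, the following is an added example, not code from the article, from the Bp.IP Initiative, or from any camera vendor. It parses RFC 5424 syslog lines, including the PRI value (facility and severity) and the STRUCTURED-DATA section that carries vendor-specific extensions, and then applies the two monitoring checks the text describes: surfacing events at or above a severity threshold, and spotting devices that have gone quiet. The sample lines are constructed; the host names, APP-NAME values and parameter names are hypothetical, and the SD-ID uses the example enterprise number 32473 that RFC 5424 reserves for documentation. The "warning or worse" threshold is an assumption, not a standard.

```python
import re
from dataclasses import dataclass

# Severity and facility codes as numbered in RFC 5424 section 6.2.1
SEVERITY_NAMES = ["emerg", "alert", "crit", "err", "warning", "notice", "info", "debug"]
FACILITY_NAMES = ["kern", "user", "mail", "daemon", "auth", "syslog", "lpr", "news",
                  "uucp", "cron", "authpriv", "ftp", "ntp", "audit", "alert", "clock",
                  "local0", "local1", "local2", "local3", "local4", "local5", "local6", "local7"]

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_RE = re.compile(r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<ts>\S+) (?P<host>\S+) "
                       r"(?P<app>\S+) (?P<procid>\S+) (?P<msgid>\S+) ")


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    host: str
    app: str
    procid: str
    msgid: str
    sd: dict          # {SD-ID: {PARAM-NAME: PARAM-VALUE}}
    msg: str

    @property
    def facility_name(self):
        return FACILITY_NAMES[self.facility]

    @property
    def severity_name(self):
        return SEVERITY_NAMES[self.severity]


def _parse_sd(s):
    """Parse one or more SD-ELEMENTs from the start of s; return (dict, remainder).
    PARAM-VALUE escapes '"', '\\' and ']' with a backslash (RFC 5424 section 6.3.3)."""
    elements, i = {}, 0
    while i < len(s) and s[i] == "[":
        i += 1
        start = i
        while s[i] not in " ]":
            i += 1
        sd_id, params = s[start:i], {}
        while s[i] == " ":                     # zero or more SD-PARAMs
            i += 1
            start = i
            while s[i] != "=":
                i += 1
            name = s[start:i]
            i += 1                              # skip '='
            if s[i] != '"':
                raise ValueError("PARAM-VALUE must be double-quoted")
            i += 1
            value = []
            while s[i] != '"':
                if s[i] == "\\" and i + 1 < len(s) and s[i + 1] in '"\\]':
                    i += 1                      # drop the escaping backslash
                value.append(s[i])
                i += 1
            i += 1                              # closing quote
            params[name] = "".join(value)
        if s[i] != "]":
            raise ValueError("unterminated SD-ELEMENT")
        i += 1
        elements[sd_id] = params
    return elements, s[i:]


def parse_syslog(line):
    """Parse a single RFC 5424 message into a SyslogEvent."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header: %r" % line)
    pri = int(m["pri"])
    if pri > 191:                               # 23 facilities * 8 severities - 1
        raise ValueError("PRI out of range")
    facility, severity = divmod(pri, 8)
    rest = line[m.end():]
    if rest.startswith("-"):                    # NILVALUE: no structured data
        sd, rest = {}, rest[1:]
    else:
        sd, rest = _parse_sd(rest)
    msg = rest[1:] if rest.startswith(" ") else ""
    return SyslogEvent(facility, severity, m["ts"], m["host"], m["app"],
                       m["procid"], m["msgid"], sd, msg)


def flag_events(lines, max_severity=4):
    """Return events at 'warning' (4) or more severe; lower numbers are more severe."""
    return [e for e in map(parse_syslog, lines) if e.severity <= max_severity]


def silent_hosts(lines, expected_hosts):
    """Expected devices that produced no message at all in this batch (offline check)."""
    return set(expected_hosts) - {parse_syslog(l).host for l in lines}


# Constructed sample messages from hypothetical devices cam01, cam02 and nvr01
SAMPLE_LINES = [
    '<14>1 2009-03-01T12:00:00Z cam01 axisd 1234 HB [exampleSDID@32473 iut="3"] Heartbeat',
    '<165>1 2009-03-01T12:00:05Z cam01 axisd 1234 MOTION - Motion detected on channel 1',
    '<35>1 2009-03-01T12:00:07Z nvr01 authd 88 AUTH [exampleSDID@32473 user="admin" result="fail" src="192.0.2.10"] Login failed',
    '<12>1 2009-03-01T12:00:09Z cam02 - - - [exampleSDID@32473 msg="disk \\"full\\" \\] 99%"] Storage warning',
]

if __name__ == "__main__":
    for e in flag_events(SAMPLE_LINES):
        print(e.host, e.facility_name, e.severity_name, e.sd, e.msg)
    print("silent:", silent_hosts(SAMPLE_LINES, {"cam01", "cam02", "cam03"}))
```

Two things worth noting for a deployment: the failed-login event carries its detail (user, result, source address) in SD-PARAMs rather than in free text, which is what lets a log management system filter and alert on it without vendor-specific regexes; and the "silent host" check only works if every device is configured to emit a periodic heartbeat, so that silence is meaningful.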
Requirements for Security Systems and Devices
In a managed network environment, security systems and devices that connect to, or operate on, the network must not generate prohibited traffic or in other ways act outside the acceptable parameters defined for network computers and devices.