Q: How will you protect your client's network?
When people hear that question, most people think about firewalls and their [company's] connection to the Internet. But protecting the network is something that needs to be thought of throughout all parts of design -- it affects more than just how you connect to the Internet. Security really can't be an afterthought. For example, yes, there should be a firewall between the company and the Internet, or maybe distributed firewalls, where you have a firewall in each office. But how do you provide VPN access? How do road warriors connect back into the network? Are you doing it in a secure, encrypted way so that you're not exposing the company?
There are other [network] protection issues. For example, how are your technicians going to connect to the equipment to do maintenance? Are they going to type passwords in plain text, or will they use encrypted protocols? And if your technicians have passwords to these boxes, how do they share those passwords?
Also, do you have some sort of password escrow policy? Every time you change the password, do you give it to the client? And then there are issues with how you give it to them: Do you email it? Do you email it using an encrypted email client? Do you put it in a sealed envelope and put it in your safe?
Finally, how are you going to do security patches? It used to be that we didn't think so much about patching hardware, but now hardware has more software in it than a lot of our PCs: the largest of the Cisco routing products have a more complicated operating system than on my laptop. These operating systems often have high-priority security patches, so it's important to come up with some kind of security policy. Typically machines that are exposed to the Internet need to be patched faster than other machines, so I've been at sites where there's a service-level agreement (SLA) created that [indicates] equipment with direct Internet access would be upgraded within hours or days of a new patch, while with the other equipment there's a monthly or quarterly patch cycle. Or maybe the vendor was more risk-averse and just decided that the internal equipment would only get a patch for either some kind of emergency or if there was a specific fix that was needed. Otherwise the software would just [be left] alone.
This was first published in March 2008.