Security

A process, not a state
Security is more important than ever. Despite that, it is still largely taken far too lightly. A network isn’t suddenly secure because someone adds a firewall. Security is a process. A process that must be applied to all areas of the network, all hosts, all procedures. The key components are humans. Security begins with responsible selection of the protocols used and a good implementation of these, sensible use of firewalls, security-conscious router selection and configuration – and much more.

Protocols
Mandatory for us, but still worth stating explicitly: we use encrypted protocols for all system management tasks. Old insecure protocols like telnet are banned.
But these obvious cases are just a tiny part of the picture. How, for example, are backups taken? These contain your valuable data as well and thus should not traverse networks – even internal ones – unencrypted. Yet that is the standard way. As so often, we use a different approach and take backups over encrypted and authenticated ssh pipes. And of course we have offline storage for tapes. While there is a dedicated RAID set and a tape library for daily and weekly backups, the monthly and yearly ones go to offline storage.
We use this approach for each and every protocol and subsystem we operate. Every protocol is analyzed for security and reliability prior to using it – and if it doesn’t fulfill our requirements, we look for alternatives.

Software
The best protocols are useless if implemented incorrectly. Every piece of software we run gets audited. Obviously a complete audit is not always possible, but with years of experience a qualified judgement can be reached relatively fast. We often modify (and feed back the changes!) existing software, and in some cases where the existing solutions don’t convince us we start from scratch – OpenNTPD and OpenBGPD were born this way.

Firewalls
Firewalls might be the most misunderstood piece of a security policy. A firewall by itself is at best a very small security improvement – it can only be part of the puzzle. A firewall is much more of a policy enforcement device than a security one. An important piece of the puzzle, but just a piece.
We run all servers behind redundant firewall clusters. We use pf on OpenBSD. Hostmaster Henning Brauer is deeply involved with its development. These firewalls don’t just protect our networks from the internet, they also partition our internal networks.
We use stateful inspection so that the firewalls don’t see each packet in isolation but in the context of the entire session. They also scrub anomalies.

Host Security
A firewall is pretty useless if the attack comes from the inside. Each and every host on the entire network, even if unreachable from the internet, has to be secure on its own.
Two key points of host security: wise selection of the software in use and attentive operators. Correct implementation of security policies, modest distribution of access rights and permanent paranoia are the basics. No host must ever offer non-public services that are protected only by the firewall – hosts must also protect themselves.

Network Security
Partitioning internal networks by clever segmentation using VLANs solves a lot of problems. One that remains is the so-called “spoofing”, where the attacker fakes their IP or hardware address. Our firewalls make sure no packets with any of our own IP addresses as source can enter from the outside, and no packet without one of the permitted source IPs ever leaves our network. Protecting against spoofed MAC addresses (that’s the network card’s hardware address) has to happen earlier – on the switches. Each and every port connected to servers and the like has a list of permitted MAC addresses; all others are filtered out and our staff is notified to investigate.
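The anti-spoofing policy described above, together with the stateful filtering and scrubbing from the Firewalls section, expressed as an OpenBSD pf.conf fragment. This is an added illustration, not this site’s actual ruleset; the interface names (em0, em1) and the address blocks in the our_nets table are constructed placeholders.

```pf
# Added illustration of the policy described on this page, not the real ruleset.
# Interface names and address blocks are constructed placeholders.
ext_if = "em0"                      # uplink towards the internet
int_if = "em1"                      # internal server segment (one VLAN)
table <our_nets> { 192.0.2.0/24, 198.51.100.0/24 }   # our own address space

# Normalise traffic before filtering: reassemble fragments and drop anomalies.
match in all scrub (no-df random-id max-mss 1440)

# Default deny. Everything passed below creates state, so replies are judged
# in the context of the session that opened them, never as isolated packets.
block log all

# Ingress anti-spoofing: nothing from the internet may claim one of our own
# addresses, or a private/loopback address, as its source.
block in quick on $ext_if from <our_nets> to any
block in quick on $ext_if from { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16, 127.0.0.0/8 } to any
antispoof quick for { lo0 $int_if }

# Egress anti-spoofing: nothing leaves unless it carries one of our source IPs.
block out quick on $ext_if from ! <our_nets> to any

# Management only over an encrypted protocol (ssh) and only from inside;
# telnet and similar are never opened anywhere.
pass in on $int_if proto tcp from <our_nets> to <our_nets> port 22 keep state
pass out on $ext_if from <our_nets> to any keep state
```

Because the egress rule uses `quick`, a packet with a forged or non-local source address is dropped before any later `pass out` rule can match it; `pfctl -nf /etc/pf.conf` checks the syntax without loading the rules.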