It takes more than just well-written applications to secure a network. Despite good procedures and strong firewalls, machines on the inside of a network can still be vulnerable to spyware, viruses, and backdoors. Because of this, good network security is more than just a firewall. Good network security means understanding which services are vulnerable and implementing strategies to address those areas. In general, you need several elements to have an adequate level of network security:

• Packet Filtering - Packet filters should be deployed at the Internet egress router to deny access to ports with known security issues. Filters should allow only known services with a "deny all" policy for unused services.

• Network Isolation - The corporate network should have at least two layers of networks: a "DMZ" network that allows specific services be accessed from the general network, such as domain name services, general web hosting, and email access; and an internal network that is protected by a strong internal firewall.

• Internal Firewall - A good internal firewall should conceal internal IP addresses, prevent unsolicited inbound connections, and perform stateful inspection of common protocols (email, web, and others) to filter potential exploits.

• Software and Hardware Inventory - A database should be maintained on every piece of hardware and software deployed on the corporate network. Hardware should include the MAC address of any network interface and the type and revision level of each operating system. Every software application on every system should be know, including its revision level, licensing, and maintenance requirements (if any). Routine software inventories should be run to identify unauthorized applications. This data should be able to identify each and every system on the network that is affected when a new vulnerability is announced.

• Software Updates - Procedures should be put in place to keep software updated against reported vulnerabilities. Update information should be maintained in a log.

• Monitoring and Reporting - The network should be monitored for unidentified MAC addresses, unexpected network services, exploit attempts, network resource usage, and other anomalies. The data should be summarized and reported on a regular basis and alerts should be delivered immediately.

• Virus and Spyware Protection - All computers on the network should have active virus and spyware protection. This data should be updated at regular intervals and users should be instructed on procedures to protect their systems using these tools.

• Early Warning - The network security administrator should subscribe to several software vulnerability services in order to keep informed of problems, new viruses, and vulnerabilities.

• Review and Revise - Network security policies and procedures should be reviewed at least every three months to evaluate areas of vulnerability. You need to know what works, what needs improvement, and what is creating problems. As exploits and vulnerabilities change, so must your security strategy. Network security is an evolving process.