Not too long ago it was thought that the only secure network was a network
that was completely disconnected, or one that had no power. While that may
still be true today, it does not help our local administrator deal with
problems he or she never had to deal with in the past. Prior to the World
Wide Web, most of our computer networks were islands unto themselves.
Organizations may have exchanged e-mail, or hosted bulletin boards, but for
the most part Company A's network was completely separate from Company B's
network. The biggest problems an information technology professional may
have had were someone stealing floppy disks or hacking the company's
telephony switch. With today's Internet, or network of networks,
distributors or suppliers can look into their customers' inventory
databases, employees can telecommute with broadband connections, students
can submit or receive homework without ever leaving home, and thousands of
other things are possible that we could not do prior to the advent of HTTP
and the World Wide Web. These advances are great for changing the way we
all live, work, play and learn; however, they raise the questions: Are my
distributors looking past the databases for which they have authority? Is
there someone other than my employees accessing my network without my
knowledge? Who else is trying to communicate with my child over the
Internet?
For the above reasons and many others it becomes apparent that all
organizations need to have a plan for securing their assets, both physical
and electronic. The corporate, or organizational, security policy is an
administrator's strength in applying rules and policies about how the
network is to be used. The technology that companies, schools, or other
private and public institutions deploy is, by itself, not enough to prevent
their networks from being compromised. Once the policy is in place and a
plan is set out to secure the network, it becomes apparent that security
will never again be a point product or niche solution. Instead, network
security must become a process, one that is reviewed and updated with each
change of the physical, or logical, network that it applies to.
As one starts his or her journey down the path of security, it becomes
apparent that network security can no longer be thought of as an
afterthought, or a "bolt-on" solution. Security must become a fabric of the
network that strikes the balance between security and usability. Policies,
architectures, and processes need to be noninvasive to legitimate users, but
impenetrable to would-be attackers.
Craig Tiffany
Network Security Consultant
Cisco Systems, Inc.
Craig Tiffany has been a security specialist working in the field for Cisco
Systems, Inc. for more than four years. Craig earned his CCIE certification
for routing and switching in March of 1998. Since then, he has worked with
several Fortune 100 companies, and has consulted with hundreds of small to
medium businesses, cities, counties, schools, universities, as well as other
large enterprises. Prior to working for Cisco Systems, Inc., Craig was a
technical marketing engineer for Intel Corporation in the Intel Architecture
Labs. Craig also spent several years as a network engineer and technical
operations lead at one of Intel Corporation's fabricating sites.
