Introduction to Network Security
Open versus closed security models

With all security designs, there is some trade-off between user productivity and security measures. The goal of any security design is to provide maximum security with minimum impact on user access and productivity. Some security measures, such as network data encryption, do not restrict access and productivity. On the other hand, cumbersome or unnecessarily redundant verification and authorization systems can frustrate users and prevent access to critical network resources.

Business needs should dictate the security policy. A security policy should not determine how a business operates. Because organizations are constantly subject to change, security policies must be systematically updated to reflect new business directions, technological changes, and resource allocations.

Security policies can vary greatly in design. Three general types of security models are open, restrictive, and closed. Some important points are as follows :

  • Security model can be open or closed as a starting point.
  • Choose the best end-to-end mix of security products and technology to implement the model.
  • Application-level security can include Secure Socket Layer (SSL) technology.

Like security models, many devices can be classified as open, restrictive, or closed. For example, routers and switches are typically open devices, allowing high functionality and services by default. On the other hand, a firewall is typically a closed system that does not allow any services until they are switched on. Server operating systems can fall into any of the three categories, depending on the vendor. It is important to understand these principles when deploying these devices.

Open Access
An open security model is the easiest to implement  – . Very few security measures are implemented in this design. Administrators configure existing hardware and software basic security capabilities. Firewall, Virtual Private Networks (VPN), Intrusion Detection Systems (IDS) and other measures that incur additional costs are typically not implemented. Simple passwords and server security become the foundation of this model. If encryption is used, it is implemented by individual users or on servers.

This model assumes that the protected assets are minimal, users are trusted and threats are minimal. However, this does not exclude the need for data backup systems in most open security policy scenarios. LANs, which are not connected to the Internet or public WANs, are more likely to implement this type of model.

This type of network design gives users free access to all areas. When security breaches occur, they are likely to result in great damage and loss. Network administrators are usually not held responsible for network breaches or abuse.

Restrictive Access
A restrictive security model is more difficult to implement  – . Many security measures are implemented in this design. Administrators configure existing hardware and software for security capabilities in addition to deploying more costly hardware and software solutions such as firewalls, VPN, IDS, and identity servers. Firewalls and identity servers become the foundation of this model.

This model assumes that the protected assets are substantial, some users are not trustworthy, and that threats are likely. LANs, which are connected to the Internet or public WANs, are more likely to implement this type of model. Ease of use for users is diminished as security is tightened.

Closed Access
A closed security model is most difficult to implement. All available security measures are implemented in this design. Administrators configure existing hardware and software for maximum-security capabilities in addition to deploying more costly hardware and software solutions such as firewalls, VPN, IDS, and identity servers  – .

This model assumes that the protected assets are premium, all users are not trustworthy, and that threats are frequent. User access is very difficult and cumbersome. Network administrators require greater skills and more time to administer the network. Furthermore, companies require a higher number of network administrators to maintain this tight security.

In many corporations and organizations, these administrators are likely to be very unpopular while implementing and maintaining security. Network security departments must clarify that they only implement the policy, which is designed, written, and approved by the corporation. Politics behind the closed security model can be monumental. In the event of a security breach or network outage, network administrators may be held more accountable for problems.