Compliance in the LAN Domain depends on implementing the most appropriate controls, not simply the most common ones. As with all domains, you can meet a given security goal with different controls, so take the time to explore alternative controls for each goal. Some controls will have more of an impact on your organization than others, in cost, performance overhead, or disruption to users and operations. If two controls provide the same assurance but differ in impact, choose the one with less impact.
As you analyze controls in the LAN Domain to meet compliance requirements, ensure each control satisfies your security policy. If a control does not support any part of your security policy, you should question its value to your organization. Although different legislation, regulations, and vendor standards have different requirements, Table 10-2 lists some types of controls you’ll likely need to ensure components in your LAN Domain are compliant.
Implementing controls of more than one type (preventive, detective, and corrective) decreases the likelihood that an attack will succeed, because an attack that evades one control can still be caught or contained by another, and it makes your LAN Domain more secure.
TABLE 10-2 Preventive, detective, and corrective controls in the LAN Domain.
CATEGORY OF CONTROL | TYPE OF CONTROL | DESCRIPTION |
---|---|---|
Preventive | Node-based access controls for LAN nodes | Only allow authorized nodes to establish connections. |
Preventive | User-based access controls for LAN resources | Only allow authorized users to access resources. |
Preventive | Configuration change control | Limit changes to network device configuration settings and filtering rules. |
Preventive | Encryption | Enforce encryption for stored data and transmitted data for confidential information. |
Detective | Connection request auditing | Log connection failures for all connections and successes for high-value targets. |
Detective | Object access auditing | Log access failures for most objects and successes for critical objects. |
Detective | Performance monitoring | Frequently sample network traffic flow metrics and alert on any unusual activity. |
Detective | Packet analysis | Examine packets for known attack signatures and to ensure necessary data are encrypted. |
Detective | Configuration settings monitoring | Compare LAN device configuration settings with stored baselines to detect any unauthorized changes. |
Corrective | Operating system and application patching | Keep applications and operating systems patched to the latest available level. |
Corrective | Attack intervention | Automatically modify filtering rules to deny traffic from sources generating known attack signature packets. |
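The "Configuration settings monitoring" control in Table 10-2 is the one most often left as a manual review. The following is an added example, not code from the text, showing how that control can be implemented in Python: fingerprint the approved baseline, diff the device's current configuration against it, and separate changes that touch security-relevant settings (management access, filtering rules, logging) from other undocumented drift. The device name `core-sw1`, both configuration texts, and the `SECURITY_RELEVANT` keyword list are constructed for illustration.

```python
"""Configuration settings monitoring: compare a LAN device's current
configuration against a stored, approved baseline and report drift.

Added example. The hostname, configuration lines and keyword list are
constructed for illustration, not taken from any real device.
"""
import difflib
import hashlib

# Constructed sample: the approved baseline for a hypothetical switch "core-sw1".
BASELINE_CONFIG = """\
hostname core-sw1
ip ssh version 2
line vty 0 4
 transport input ssh
 access-class 10 in
access-list 10 permit 10.0.5.0 0.0.0.255
logging host 10.0.5.20
"""

# Constructed sample: the configuration read back from the device later.
# Telnet has been enabled on the management lines, the access-class that
# restricted management sources has been removed, and an NTP server was added.
CURRENT_CONFIG = """\
hostname core-sw1
ip ssh version 2
line vty 0 4
 transport input ssh telnet
access-list 10 permit 10.0.5.0 0.0.0.255
logging host 10.0.5.20
ntp server 10.0.5.30
"""

# Constructed keyword list (an assumption for this example): settings whose
# change weakens a preventive control from Table 10-2.
SECURITY_RELEVANT = ("access-class", "transport input", "access-list",
                     "logging host", "ip ssh")


def normalise(config: str) -> list[str]:
    """Drop trailing whitespace and blank lines so cosmetic edits don't alert."""
    return [line.rstrip() for line in config.splitlines() if line.strip()]


def fingerprint(config: str) -> str:
    """SHA-256 over the normalised configuration; cheap to store and compare."""
    return hashlib.sha256("\n".join(normalise(config)).encode()).hexdigest()


def config_drift(baseline: str, current: str) -> list[str]:
    """Return added ('+') and removed ('-') lines, or [] if nothing changed."""
    if fingerprint(baseline) == fingerprint(current):
        return []
    diff = difflib.unified_diff(normalise(baseline), normalise(current),
                                fromfile="baseline", tofile="current",
                                lineterm="", n=0)
    # Keep only content lines; drop the file headers and @@ hunk markers.
    return [line for line in diff
            if line.startswith(("+", "-"))
            and not line.startswith(("+++", "---"))]


def triage(drift: list[str]) -> dict[str, list[str]]:
    """Split drift into changes to security-relevant settings and the rest."""
    report: dict[str, list[str]] = {"security": [], "other": []}
    for line in drift:
        key = "security" if any(k in line for k in SECURITY_RELEVANT) else "other"
        report[key].append(line)
    return report


if __name__ == "__main__":
    report = triage(config_drift(BASELINE_CONFIG, CURRENT_CONFIG))
    for line in report["security"]:
        print("ALERT  unauthorized change to a security-relevant setting:", line)
    for line in report["other"]:
        print("NOTICE undocumented change:", line)
```

Two points matter in practice. The stored baseline is only trustworthy if it is itself under the configuration change control listed in the preventive row, so the comparison should run from a host whose baseline store the device administrators cannot edit, and every approved change must update the baseline or it will be reported as drift forever. The keyword triage is a simple heuristic used here to prioritise alerts; a change that does not match a keyword (the NTP server above) is still unauthorized until change control says otherwise.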