Security is hard work

Implementing effective IT security involves long hours of planning, monitoring and analysis

Written by Neil Barrett

Over the next few weeks, I have the exciting opportunity to build a small, hopefully secure computer network from scratch - complete with web server, email and office servers; an air-gapped collection of particularly secure systems, and an office network of laptops and desktops. And, in what I suspect will be seen as a brave step, I have to make at least a part of the network Wi-Fi to get around a problematic aspect of the building in which the network will be established.

I have to admit, for a long time I was less than confident about implementing a wireless network, due to concerns about "war-driving" hackers and the like. But in fairness, the convenience has convinced me the system is worthwhile.

Of course, the network will have a firewall and a reasonably sensitive intrusion-detection system; and of course, the most important of the servers will be free-standing - the old "sneaker firewall" being one of the best forms of defence.

I'll implement strong authentication on the router itself, and some kind of encrypted protocol over that. And perhaps more importantly, I plan to have a single monitoring station to record and illustrate the allocation of network addresses by the router, so I can spot if anyone manages to sneak a connection. Maybe I'll implement a frequently-changed password for the Wi-Fi connection, or maybe I'll put my trust in the existing authentication mechanism.

Time and close monitoring will show me which is best - particularly if I stick to my current thought, which is to turn the wireless router off at the end of each working day.
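
A monitoring station of the kind described above could start as a script like the following, which is an added example and not part of the original column. It assumes the router's DHCP server writes dnsmasq-style syslog lines; the device inventory, working hours and log lines are constructed for illustration.

```python
import re
from datetime import time

# Assumption: the router's DHCP server logs dnsmasq-style DHCPACK lines to syslog.
ACK = re.compile(
    r"^(?P<stamp>\w{3}\s+\d+\s+(?P<hms>\d{2}:\d{2}:\d{2}))\s+\S+\s+dnsmasq-dhcp\[\d+\]:\s+"
    r"DHCPACK\((?P<iface>[^)]+)\)\s+(?P<ip>\S+)\s+(?P<mac>(?:[0-9a-fA-F]{2}:){5}[0-9a-fA-F]{2})"
    r"(?:\s+(?P<host>\S+))?\s*$"
)

# Constructed inventory of devices that are allowed on the office network.
KNOWN_DEVICES = {
    "00:16:3e:aa:bb:01": "office-laptop1",
    "00:16:3e:aa:bb:02": "office-desktop1",
}
WORK_START, WORK_END = time(8, 0), time(18, 0)  # assumed working day

SAMPLE_LOG = """\
Dec  4 09:12:01 router dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.10.21 00:16:3e:aa:bb:01 office-laptop1
Dec  4 09:15:40 router dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.10.22 00:16:3E:AA:BB:02 office-desktop1
Dec  4 11:03:17 router dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.10.57 02:00:5e:10:20:30 android-guest
Dec  4 22:41:09 router dnsmasq-dhcp[812]: DHCPACK(wlan0) 192.168.10.21 00:16:3e:aa:bb:01 office-laptop1
Dec  4 22:45:00 router dnsmasq-dhcp[812]: DHCPDISCOVER(wlan0) 02:00:5e:10:20:31
"""  # constructed sample, not real traffic

def review_leases(log_text, known=KNOWN_DEVICES):
    """Return a list of (reason, timestamp, mac, ip, hostname) findings."""
    findings = []
    for line in log_text.splitlines():
        m = ACK.match(line)
        if not m:
            continue  # only completed allocations (DHCPACK) are reviewed
        mac = m["mac"].lower()  # normalise case before the inventory lookup
        h, mi, s = map(int, m["hms"].split(":"))
        when = time(h, mi, s)
        row = (m["stamp"], mac, m["ip"], m["host"] or "-")
        if mac not in known:
            findings.append(("unknown-device",) + row)
        elif m["host"] and m["host"] != known[mac]:
            findings.append(("hostname-mismatch",) + row)
        if not (WORK_START <= when < WORK_END):
            findings.append(("out-of-hours",) + row)
    return findings

if __name__ == "__main__":
    for finding in review_leases(SAMPLE_LOG):
        print(*finding, sep="\t")
```

A MAC address is set by the client, so a match against the inventory is a weak signal on its own; the hostname and out-of-hours checks are there to catch a familiar address turning up in unfamiliar circumstances, such as a lease granted when the wireless router should be switched off.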

With care and a little forethought, secure networks can be implemented - though only, in fairness, at the expense of a little convenience. But that is the most important observation: security is at the expense of other things.

Too many organisations implement secure environments, or plan their information security, without considering the issues of expense and general risk analysis. Risk analysis involves working out the cost of losing the data - loss of confidentiality, integrity or availability - and the likelihood of different types of threat emerging. It involves calculating the cost of the security measures, and then the extent to which those measures do indeed protect the information assets from the different types of threat. And then it involves spending money and monitoring the results.

The data will be protected in as many different ways as I can imagine and can afford. I plan to do everything that I can possibly do to protect it... and then I need to plan for what I will do if anything goes wrong.

Security involves planning for all eventualities one can imagine. But I need to think of everything; and an intruder only has to find one chink in my technical and organisational armour. Remember, security is something you do, not something you have done.
