
Is it ever worth it to cut corners on security? Yes

Face-off By Burton Craig, Network World, 01/06/2003

If you design your network to conform with a total-security model, you'll run into at least two major problems: the human factor and what I call "code overload." Acknowledging these problems sometimes involves not subscribing to the total-security model - which some might view as cutting corners.

First, it's tough to implement total security when humans are involved. All levels of the network management cycle are run by people who, even if they are experts, can make mistakes - especially when the network is complex and includes several remote sites. Whether because of a network engineer misconfiguring network equipment or a user opening an infected attachment, your network is exposed. You can take measures to minimize human fallibility, but implementing them usually requires an unrealistic amount of time, people and money.

Second, total security can create code overload - and the more code you deploy on your equipment, the more your network performance is affected. Additional code also increases the time it takes to update your rules, which in itself represents a real security threat. Each time you update a system, you open some ports to let the updates go through, which makes it more vulnerable. Too much security can kill security.

While I believe there are times we can't do everything by the book, there are ways to minimize corner cutting.

Instead of trying to accommodate the requirements of total security, serve your business goals first. Because you cannot guarantee foolproof security everywhere, you're better off implementing it where it truly matters to your business. Not all parts of your network are equal; some require more surveillance than others. You can optimize the network architecture by segmenting it into different security zones.


The opposing view
Rob Tillman: "From the corporate perspective, there is never a reason to skimp on network security."


There are tools to minimize the problems of human error and code overload. These include vulnerability-assessment, monitoring and policy-management tools. My company uses network security management software from Solsoft because of its multiproduct management capabilities. Other companies might prefer a single-vendor product for VPN and firewall management, such as those from NetScreen or Check Point. Such tools are essential to minimize corner cutting, and without them I wouldn't be able to do my job effectively.
