First thing I would do is perform a Threat Analysis, and use that to set the business policies. Get them signed off by the Powers That Be. Clearly spell out what things you are protecting yourselves against, and what you're not. Management wants everything, but never wants to spend the money required for it. If/when **** goes wrong, they won't understand that, they'll just point fingers.
Then take that and implement it using the appropriate hardware/software and design. Be sure to implement the required changes in end-user policies, etc.
Are you a small start-up selling a simple widget, or are you a bank doing international banking transactions? Are you a marketing company, or are you hosting an online service? All of these have different requirements.
Too many people just start implementing network security for the sake of implementing network security.
And be sure to include proper monitoring and logging as part of that security.
And remember, good security is part of the design, not a bolt-on or afterthought.
Again, it all depends on what you want, what you need, and what you can afford to do (cash, time, effort, etc.).
Last edited by jeffgrant; 01-29-2009 at 09:42 PM..