A single server, or a simple network with only a handful of connections—the only sort of network that existed prior to the 1980s—is relatively easy to secure. Once the network expands to include non-trivial topologies, with multiple interconnections that are neither completely regular nor completely random, the complexity increases dramatically.
With that complexity comes vulnerability. Unpredictable interactions between systems and variable capabilities and states can create opportunities for intrusion.
Any lack of communication between different network operators – or between different national governments, as the case may be – makes it even easier for hackers to slip in and out without leaving any tracks. A profusion of insecure client machines provide many alternate attack vectors, and a broad user base means there are plenty of untrained and credulous account holders to prey on.
Today, many internal corporate networks have a number of nodes, connections, and users that make the entirety of the early Internet look like Speak and Spell by comparison. Hackers have wasted no time in taking advantage of this. In many cases, securing those networks is the job of network security consultants.
Corporations and Even Governments Rely on Experts Outside of the Organization
When encountering security issues or proactively working to prevent them, most corporations and even many government agencies need to turn to experts outside of the organization. This isn’t a slight against their in-house IT staff. Instead, from the perspective of the organization, it’s simply a way to retain the services of highly specialized information security professionals on an as needed basis without having to put them on payroll.
Working with corporations and governments, outside consultants serve as experts at evaluating the vulnerabilities of network infrastructure and devising methods of protecting them. Because the work is so specialized, and infrastructure adjustments made relatively rarely, it’s more economical for most companies to contract with outside consulting firms for this service than to rely on in-house IT staff.
Network security consultants work for the Big Five IT consulting firms, which serve major corporations and government agencies almost exclusively:
- Accenture (formerly Andersen Consulting)
- Deloitte Consulting
- Ernst & Young
- KPMG Consulting
Many smaller, regional consulting firms also employ infrastructure security teams, however, they more often work with small-to-midsized businesses or local governments.
From the smallest business LAN (Local Area Network) to the globe-circling trunk networks run by major telecom providers, network security consultants are busy securing the business and government information systems that we all rely on.
Network Security Consultant Job Duties Are Heavy on the Networking
Infrastructure security consultants can expect to spend a lot of their time with their nose buried in the intricacies of TCP/IP (Transmission Control Protocol/Internet Protocol) and the ancillary communication protocols running on various layers of the OSI (Open Systems Interconnection) stack. Together, this collection of protocols define the mechanisms through which the modern Internet functions, detailing ports and timing, handshakes and encryption agreements. They include:
- HTTP and HTTPS (HyperText Transfer Protocol and its encrypted Secure variant)
- FTP (File Transfer Protocol)
- IRC (Internet Relay Chat)
- RIP (Routing Information Protocol), OSPF (Open Shortest Path First), BGP (Border Gateway Protocol) and other dynamic routing protocols
The tools and devices that network security consultants use to manage all these interwoven functions allow them to screen, segment, and monitor network traffic to prevent intrusions and attacks:
- Routers and switches direct traffic toward its ultimate destination, providing soft network segmentation based on routing protocols
- Access points and hubs serve as endpoints for computers and other devices to connect to the network
- Load balancers direct traffic across multiple servers to resist intentional or unintentional overloads
- Firewalls provide hard network segmentation and aggressive packet screening to delimit private networks from the open Internet
How Consultants Learn Their Way Around Someone Else’s House
Particularly with respect to router management, these devices have become so sophisticated that they are essentially minor servers, with unique operating systems and programming languages. Network security consultants quickly become fluent in those languages and may spend much of their day programming routers and creating sophisticated sets of firewall rules.
Outside infrastructure security consultants work with in-house IT and business counterparts to draw up designs that serve business and operational functions. They may work closely with enterprise and security architects when new network topologies are being planned, and with security engineers and specialists to implement new networks.
Tools of the Trade
Network security consultants often work with networks that have been designed and built by someone else, so part of the daily challenge is establishing the bounds and mapping the paths. Tools such as WireShark are an invaluable part of the toolkit for illuminating network traffic. When working with wireless networks, consultants might call on tools like AirMagnet or Netspot.
This work also helps network security consultants in documenting existing networks and security practices. They may be asked to draw up network maps or produce reports on network layouts and security measures that the in-house IT department can later reference.
Encryption is also an important part of the infrastructure security consultant’s toolkit. Authentication protocols using combinations of symmetric and asymmetric encryption algorithms such as TKIP (Temporal Key Integrity Protocol) and CCMP (Counter Mode Cipher Block Chaining Message Authentication Code Protocol) are used to establish secure wireless connections. Semi-permanent encrypted connections using various advanced ciphers (such as AES or TripleDES) are used to create Virtual Private Networks (VPNs), routing internal network traffic over the Internet through secure tunneling protocols like L2TP (Layer 2 Tunneling Protocol). Encrypted IPSEC (Internet Protocol Security) traffic may also be used to secure data transmitted between servers or between clients and servers.
Network Security Consultant Job Qualifications: Certification and Degrees
Because a few large corporations dominate the networking hardware platform space, specific certifications dealing with those products are valuable.
Expected Proficiencies and Related Certification
The entire Cisco or Juniper series of certifications (or those from Aruba, for wireless networking products) are useful qualifications. Still, it’s the more advanced security or design-related certificates that IT consulting firms often covet when making hiring decisions:
- JNCIS-SEC (Juniper Networks Certified Specialist-Security)
- JNCDS-SEC (Juniper Networks Certified Design Specialist-Security)
- JNCDA (Juniper Networks Certified Design Associate)
- CCIE-SEC (Cisco Certified Internetwork Expert-Security)
- CCAr (Cisco Certified Architect)
Also, the Wireshark Certified Network Analyst certification is a plus.
A general background in networking is almost always required. Knowledge of TCP/IP, TKIP, IPSEC, and high-level communication protocols is essential. Consultants should also be familiar with Junos or Cisco’s IOS router control software.
Between two and seven years of experience may be required even for entry-level network security consultant jobs.
Some knowledge of wireless networking protocols is also beneficial, particularly with respect to geographic and radio theory, although this is not typically required for positions that don’t involve specialized wireless network security work.
Also not required, but often valuable, is knowledge of common network authentication systems like RADIUS (Remote Authentication Dial-In User Service).
What makes networks work is the common agreements underlying the protocols that software implements. These agreements are specified in a set of documents maintained by the Internet Engineering Task Force called RFCs, or Requests For Comments. Again, although this is not usually required for network security consulting positions, knowledge of the relevant RFCs is viewed favorably.
Holding the Right Degree
IT professionals preparing for a network security consulting position with a college degree often starts by investigating colleges that have been designated as Centers of Academic Excellence (CAE) through the DHS (Department of Homeland Security) and NSA (National Security Administration).
This program evaluates two- and four-year institutions offering everything from certificate programs to graduate programs and selects those with impeccable programs and highly esteemed instructors. Selected schools are designated as:
- National Centers of Academic Excellence in Cyber Defense Education (CAE-CDE) – 4-year schools and universities that offer undergraduate and graduate degrees in cybersecurity
- National Centers of Academic Excellence in Cyber Defense Research (CAE-R) – Research institutes with qualifying cybersecurity research programs
- National Centers of Academic Excellence in Cyber Defense 2-Year Education (CAE-2Y) – Community colleges and vocational schools with certificate and associate’s degree programs in cybersecurity