True network security comes in layers


There's an old adage that says, "If your most familiar tool is a hammer, the whole world starts to look like a nail."

When it comes to security, a multifaceted, layered approach works best.

Here are five principles of the layered approach.

1. Think layers.

Given the many types of security threats, companies put themselves at great risk by implementing a point product, such as a firewall, and declaring the network safe. Installing a firewall alone is a little like locking the door to a house and leaving all of the windows open. Most companies deploy firewalls at the perimeter of the network to guard against external threats, not to protect against internal attacks or accidental damage by employees.

A firewall alone may not even be sufficient to protect against external threats. For example, the "Nimda" worm, which wreaked $635 million worth of damage in 2001, was specifically designed to bypass firewalls. The damage might have been prevented by the integrated use of a firewall and an intrusion detection system. In fact, sometimes companies are not even aware that their security has been breached, because they have not incorporated the right monitoring and analysis tools as part of their overall security solution.

With a multilayered approach, even if an intruder is able to bypass one access point, overlapping layers of security ensure that the break-in will be stopped by another mechanism. Similarly, overlapping security can prevent either accidental or intentional harm to information resources or the network by employees.

2. Think modularity.

By assigning various security tasks to discrete modules that address specific threats, you can implement security measures that meet your unique exposure and budget requirements. At the same time, you can maintain the flexibility and scalability to layer in other security mechanisms as your needs grow and change.

3. Think manageability.

Security is a dynamic, ever-changing requirement. New security threats come along frequently. It is extremely important, especially for small organizations, to implement a security system that is adaptable and easy to manage.

When companies buy only point products from different vendors, security becomes difficult to manage. Each mechanism has to be programmed to distribute and enforce policies, and then synchronized with every other security appliance in the network. If all of the products don't act in concert, there likely will be gaps and therefore greater exposure to malicious mischief.

4. Think inclusiveness.

When point security devices such as firewalls were first developed, they were created with conventional Ethernet local-area networks (LANs) in mind. But over the last few years, more and more small companies have started taking advantage of mobility and remote access, wireless LANs, and converged networks (carrying both voice and data and even video over the same network).

Some point product security vendors are still focused on the world of Ethernet LANs. Their products have not evolved to support virtual private networks (VPNs), wireless LANs (WLANs), IP telephony, or other up-and-coming technologies, so security for these areas of the network must be managed separately. If any of these technologies are in your future, make sure your security extends to these parts of the network as well.

Remember that network security should be used as part of a comprehensive corporate policy that addresses all aspects of security. This includes even mundane but crucial issues such as employee use of the Internet and personal assets. Ultimately, any security mechanisms integrated into a network will only be as effective as the security policies they enforce.