
Move beyond perimeter security to protect your organization


Network security evolves to defeat new threats

 
What does network security mean in 2009? Thanks to rapid developments in both technology and business culture, it means something vastly different than it did even at the start of the decade. Unless organizations track and react to these changes, they risk governance headaches that will make them wish they had taken the time earlier on.
 
Post-Enron, governments placed an increasing emphasis on internal controls and compliance. From Sarbanes-Oxley through sector-specific regulations such as HIPAA and BASEL II, regulations mandated the need for more security within organizations. Companies faced punitive measures if they did not comply, which created a rush among organizations eager to avoid fines or worse.
 
Risk-based approach
Things are changing. The spate of embarrassing public security breaches both in the private and public sectors in the past couple of years have shown that merely ticking the boxes by meeting the basic regulatory requirements is not enough in many cases. Instead, companies must move to a risk-based security approach, in which they evaluate the real risks to their organizations, and develop both policies and technology architectures to mitigate them.
 
The move to a risk-based approach is made all the more urgent by the increasingly complex threat landscape. Twenty years ago, security risks centered largely on external access to the organization, and with client access to systems still relatively limited, malicious insider threats were easier to track and stop.
 
Consequently, companies concentrated on perimeter technologies that stopped malicious traffic from hackers and malware writers getting into the network. Firewalls were considered the most important part of any security arsenal.
 
Evolution of firewalls
Firewalls have developed from basic stateless devices that simply blocked ports, into more sophisticated devices that understand more about the traffic passing through them. Stateful inspection firewalls understand where traffic is coming from over time, so that repeated attempts to access an unauthorized service from the same IP address can be identified and stopped, for example.
 
The development of application-layer firewalls shook up the industry considerably. With this technology, organizations were able to understand not just the source and destination of the traffic passing over the firewall, but its content, too. That means that they can analyze what outsiders are doing to applications, and stop unorthodox interactions (such as sending malformed packets to try and break the system, for example).
 
Such systems were complemented by content and email filtering systems located at the gateway, that can be used to stop spam and malware by intercepting known signatures at the edge of the network before they get to servers or client devices.
 
Virtual private networks (VPN) were also an important part of the mix, both for remote users accessing systems from outside the office and for fixed sites such as branch offices that wanted secure access to central resources. Encrypted VPNs originally operated using the IPSec protocol, which restricted them largely to fixed-point use because of the complexity involved in configuring the clients. With the introduction of SSL-based devices, things changed, and it became more plausible for remote users to access central resources with little or no client configuration. SSL VPNs were lighter and offered more flexibility, meaning that many vendors have gravitated towards this approach.
 
Traditional techniques lacking
However, ongoing developments in the increasingly innovative malware community have made some traditional techniques vulnerable. For example, an employee accessing a corporate network via an SSL VPN from a public Wi-Fi hotspot may feel safe, but if the laptop that they are using has been compromised by malware, then the malware can easily deliver its payload and infect other client devices in the company via the encrypted link. And with malware infection now so rife, that possibility should not be overlooked.
 
There is also an increasing number of entry points into the corporate network. Instead of centralizing Internet access through gateways, enterprises are choosing to use local Internet service providers (ISP) for their sites. While local Internet breakout is less complex, it also opens up a vast number of new attack points directly into the corporate network and opens the gate to malware if the entry points are not properly secured.
 
Similarly, the filtering of malicious URLs is now only partly successful. The infection of tens of thousands of legitimate web sites using SQL injection and other attacks, for example, makes it impossible to filter all of the traffic using simple URL checks. Other techniques, such as analyzing the behavior of JavaScript on the fly, become necessary, and these are starting to make their way into gateway analysis devices.
 
Such measures have helped enormously to protect corporate networks, but even they are no longer enough. The introduction of new technologies and the democratization of network and systems access have changed this dramatically.
 
Looking beyond the perimeter
Now, employees can steal thousands of customer records from unprotected computers with a USB key that fits into their pocket. And companies are being forced to open up their boundaries, letting employees access resources remotely while at home and on the road and allowing different devices, owned by both employees and visitors, to connect to the network.
 
More intimate inter-company relationships, encouraged by integration technologies such as web services and service-oriented architectures, have led to applications that straddle corporate boundaries. And finally, patterns of organizational data access and storage have scattered sensitive information across all parts of the organization (including on mobile devices that are being taken outside the office).
 
Consequently, while perimeter technologies continue to be important, the emphasis on risk mitigation has expanded to the rest of the network, and has led to the concept of deperimeterization, in which companies are forced to assume that their networks are insecure. This creates the need to secure resources on a machine-by-machine level, and to focus on the type and location of data in the organization. It has also created a need for a "defense in depth" approach, in which multiple layers of security technologies are used together to try and filter out as many threats as possible.
 
Intrusion detection and prevention
New technologies have emerged to help protect the soft underbelly of the corporate IT infrastructure. Intrusion prevention systems (IPS) are used to spot potentially threatening behavior on networks and stop it happening. An infected client attempting to infect other machines on a subnet could generate a recognizable pattern of activity on a particular port. An IPS could be configured to automatically block traffic from that client’s IP address until the problem had been identified and dealt with.
 
IPS products can be either network-based (so that they monitor traffic passing over the network infrastructure) or located on a host computer, so that they protect a particularly sensitive system such as a database or email server.
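The subnet-scanning pattern described above, as an added example that is not part of the original article: a source host that touches an unusual number of distinct neighbors on one port within a short window is flagged, and the resulting block list is what an IPS policy would act on. The flow records, thresholds and port (445) are constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample flow records (not from the article): "timestamp src dst dport".
# 10.1.4.23 sweeps ten neighbors on port 445 in a few seconds; 10.1.4.40 is
# ordinary file-sharing traffic spread over minutes; 10.1.4.55 is web traffic.
SAMPLE_FLOWS = """\
2009-03-02T10:00:01 10.1.4.23 10.1.4.10 445
2009-03-02T10:00:02 10.1.4.23 10.1.4.11 445
2009-03-02T10:00:02 10.1.4.23 10.1.4.12 445
2009-03-02T10:00:03 10.1.4.23 10.1.4.13 445
2009-03-02T10:00:03 10.1.4.23 10.1.4.14 445
2009-03-02T10:00:04 10.1.4.23 10.1.4.15 445
2009-03-02T10:00:05 10.1.4.23 10.1.4.16 445
2009-03-02T10:00:05 10.1.4.23 10.1.4.17 445
2009-03-02T10:00:06 10.1.4.23 10.1.4.18 445
2009-03-02T10:00:06 10.1.4.23 10.1.4.19 445
2009-03-02T10:00:01 10.1.4.40 10.1.4.10 445
2009-03-02T10:00:30 10.1.4.40 10.1.4.11 445
2009-03-02T10:05:00 10.1.4.40 10.1.4.12 445
2009-03-02T10:00:07 10.1.4.55 10.1.4.10 80
"""

def parse_flows(text):
    """Parse the constructed record format into (timestamp, src, dst, dport) tuples."""
    flows = []
    for line in text.splitlines():
        ts, src, dst, dport = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, int(dport)))
    return flows

def find_spreaders(flows, port, window_s=10, threshold=8):
    """Return {src: max_distinct_dsts} for sources that contacted at least
    `threshold` distinct hosts on `port` inside any sliding window of window_s seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, dport in flows:
        if dport == port:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # Slide the window start forward until it spans at most window_s seconds
            while events[end][0] - events[start][0] > timedelta(seconds=window_s):
                start += 1
            distinct = {d for _, d in events[start:end + 1]}
            if len(distinct) >= threshold:
                hits[src] = max(hits.get(src, 0), len(distinct))
    return hits

def block_decisions(flows, port=445, window_s=10, threshold=8):
    """Sorted list of source IPs the IPS policy would block pending investigation."""
    return sorted(find_spreaders(flows, port, window_s, threshold))
```

The threshold and window are the tuning knobs: set them too low and a backup server or vulnerability scanner gets blocked, too high and a slow-spreading worm is missed.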
 
Network access control
In keeping with the "defense in depth" concept, network access control (NAC) can provide another layer of protection for all systems connected to the network. NAC is used for shielding the network and its nodes from infected devices.
 
When a device is introduced onto the network, a NAC server inspects it, matching it against predefined criteria. These could include its patch levels (has it been updated with the latest security patch from the operating system vendor?) and its most recent anti-malware signature update.
 
The NAC server refers the results against a policy server to decide what it should do with the client. The policy may dictate that the client be allowed full access, or might quarantine it onto a virtual LAN that provides restricted access to corporate resources until the criteria are met. It could even prevent the client from connecting altogether.
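The inspect-then-decide flow of the three paragraphs above, as an added example that is not from the article: each endpoint's posture report is checked against policy thresholds and mapped to full access, a quarantine VLAN, or an outright deny. The thresholds, VLAN numbers and device reports are constructed assumptions.

```python
from datetime import date

# Constructed policy thresholds (assumptions for this example, not from the article)
POLICY = {
    "max_patch_age_days": 30,       # OS patches must be no older than this
    "max_signature_age_days": 7,    # anti-malware signatures must be no older than this
    "full_access_vlan": 100,        # production VLAN
    "quarantine_vlan": 999,         # restricted remediation VLAN
}

# Constructed posture reports, as a NAC agent might collect them on connection
TODAY = date(2009, 3, 2)
SAMPLE_DEVICES = {
    "laptop-ok":    {"last_patch": date(2009, 2, 20), "last_signature": date(2009, 3, 1), "antimalware_running": True},
    "laptop-stale": {"last_patch": date(2008, 12, 1), "last_signature": date(2009, 3, 1), "antimalware_running": True},
    "visitor-pc":   {"last_patch": None, "last_signature": None, "antimalware_running": False},
}

def days_since(today, when):
    return None if when is None else (today - when).days

def evaluate_posture(device, policy=POLICY, today=TODAY):
    """Return (decision, vlan, reasons) for one endpoint.
    decision is 'allow', 'quarantine' or 'deny'; vlan is None when denied."""
    reasons = []
    if not device.get("antimalware_running"):
        # No anti-malware at all: too risky even for the remediation VLAN
        return "deny", None, ["anti-malware not running"]
    patch_age = days_since(today, device.get("last_patch"))
    if patch_age is None or patch_age > policy["max_patch_age_days"]:
        reasons.append("patch level missing or older than %d days" % policy["max_patch_age_days"])
    sig_age = days_since(today, device.get("last_signature"))
    if sig_age is None or sig_age > policy["max_signature_age_days"]:
        reasons.append("signatures missing or older than %d days" % policy["max_signature_age_days"])
    if reasons:
        # Restricted VLAN: reachable patch and signature servers only, until criteria are met
        return "quarantine", policy["quarantine_vlan"], reasons
    return "allow", policy["full_access_vlan"], []

def decide_all(devices=SAMPLE_DEVICES):
    """Map each device name to its (decision, vlan, reasons) tuple."""
    return {name: evaluate_posture(dev) for name, dev in devices.items()}
```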
 
Other client access control mechanisms include the use of 802.1x, a protocol designed to authenticate endpoints that are connecting to the network before they are given access.
 
Unified threat management
Many of these features, such as firewalls, content analysis, and IPS, have been collected into single appliances. Unified threat management (UTM) compresses the "defense in depth" elements together to make them more manageable and affordable for enterprise users. The idea of plugging a single box into the network and having it take care of everything will appeal to many companies, especially as they attempt to address what is largely a zero-ROI technology category in a resource-constrained market.
 
The caveat is that while a selection of vendors claim to offer UTM products for larger enterprises, some analysts question the scalability of the concept. As customer size increases, the processing overhead involved in handling multiple, processor-intensive security measures increases. Some vendors are offering configurations incorporating multiple generic processors to throw sheer muscle power at the problem. Others are opting for specialized hardware to offload particularly intensive work such as cryptographic functions. IT departments, particularly in larger companies, should be careful to check references and product specifications when considering UTM as a category.
 
Protecting data
While IPS, NAC and 802.1x-capable products are used to help protect networks, the truly security-aware company will also take steps to protect the data residing on the endpoint devices. Both government departments and private companies have suffered heavily from the loss of sensitive information, which can leave the organization by various routes: copying to a USB stick, burning to a CD, or unauthorized email.
 
Data leak prevention technology has therefore become a big part of the network security landscape. This software category arose as security companies tried to consolidate different technologies into a single, data-centric product set that could be more readily mapped to the business problems associated with data loss.
 
One critical component of the data leak prevention product category is encryption. Endpoint encryption software can be used to encrypt entire disks. This technology is now built directly into certain editions of Windows Vista in the form of BitLocker, while other third-party solutions are also available, both for full disk encryption and for the encryption of specific files and folders.
 
Products installed on endpoint devices can now lock down USB ports and prevent the burning of certain data to external optical media. They can even be used to prevent the printing of data and the copying of screens using printscreen commands and screen grabbers. Gateway-level appliances that check the data being allowed out of the organization via the network can also complement them.
 
Central management and policy
The important thing for security teams to remember is that central control will quickly become a problem unless it is adeptly handled from the outset. Encryption on laptops should be managed from a central console so that users can’t turn it off, for example. This idea of tightly managing processes is crucial for IT departments as they focus more on network security issues.
 
The most carefully-specified technology solution will be of little use if underlying IT management processes are not observed. A lack of proper change management, for example, could stop critical security patches from being applied in time to stop an attack.
 
It may not be necessary to fully embrace methodologies such as the IT Infrastructure Library (ITIL) or the Information Systems Audit and Control Association's (ISACA) Control Objectives for Information and related Technology (COBIT). These are methodologies designed to address the management of IT services, and the control of IT, respectively.
 
Their adoption would doubtless help to reduce the pressure on security technology budgets by bolstering security processes through best practice. But other options are also available. The ISO 27000 series of information security management standards is designed to address a range of security processes from risk assessment to auditing. These can help to provide a bedrock of processes that can be instrumental in informing higher-level corporate risk management policy.
 
Managed security
Another option is to cut through the whole tangled mess and adopt a managed services approach to security. The year 2008 saw a measured expansion to cloud-based services in the IT community, some of which spanned security. Vendors began producing or acquiring online traffic monitoring and scanning services. Some have designed their cloud-based security platforms as foundations onto which more modules can be added, paving the way for an increasingly rich offering in the security world. Managed services can cover everything from traffic analysis through to VPNs and online firewall monitoring.
 
The advantage of managed services is that companies can offload the considerable resources needed for specific security measures (such as malware scanning) to the provider, while retaining the others in-house as they see fit. Cloud-based malware scanners are harder for the underground "black hats" to analyze, making it more difficult for them to produce scanner-resistant malware (which is a growing trend in that community).
 
However organizations choose to structure their response, the take-home message is that simple perimeter protection is not enough. Modern security measures must permeate the entire infrastructure - and the people that manage it.