The Lippis Report Issue 18: Enterprise Network Security Architecture: The Four-Tier Model

Sep 2, 2003 by Nick Lippis

Enterprise network security is fundamentally changing the network landscape. Security services used to be an afterthought, as was network management. But security services have taken front and center in the purchasing decisions of network infrastructure. Case in point: Merrill Lynch decided to go with Avaya's IP Telephony solution rather than Cisco's due in large part to security concerns.

Not only is network security impacting purchasing, it is changing internal process and procedures for managing and operating networks. In the past we built large integrated management systems that operated vast sprawling enterprise networks. Not any longer - this consolidated view and operation of enterprise networking is too vulnerable to security threats, so our industry is moving back toward single application and element management systems. The impact is huge. Security is inflationary to network purchases; you pay more for a network without adding to corporate productivity. But wait, it gets worse. The time and resources needed to manage a network are also increasing as we move away from an efficient centralized management system to element and application management.

Building and maintaining network security is now a large and growing part of every IT manager's responsibility. Adding to security concerns are threats of terrorism and perhaps the biggest black hole of all: privacy (an entire can of worms we'll save for a future Lippis Report). Homeland Security initiatives, the Sarbanes-Oxley Act, HIPAA and other federal mandates have IT managers struggling just to understand these initiatives along with protecting enterprise, customer, investor and national assets. The bottom line: enterprise network security isn't just about the enterprise anymore. The above is not meant to add more anxiety to an already formidable set of tasks, but rather to make the point that enterprise security must be proactive and driven by business and regulatory requirements, not reactive and focused on technical parameters. While this may seem academic, the fact is that many enterprises wait for a catalyzing event (e.g. a DDoS attack, worm, etc.) to modify their security infrastructure. When they do so, they often immediately look to the latest technology or platform to plug the vulnerability. This "finger in the dam" approach has IT managers constantly running behind security issues.

In this issue, we develop an enterprise network security architecture that will help you think through the totality of options available to protect enterprise data and application resources internally and externally. Like many approaches in our industry, network security comes in layers of protection to close vulnerabilities.

The Four Layers of Enterprise Network Security

While many vendors have been merging multiple security functions into a single platform, there is no single catch-all device or application that can secure an entire enterprise and all its resources. For sure, security services are on the move, with some vendors stuffing security into existing products to ride the tide of security purchasing. But don't be fooled: the fact remains that there are some security services and functions that should remain separate, either physically or logically. By implementing security in layers, enterprises maximize coverage while minimizing the likelihood that a breach will pass undetected. There are four primary layers of network security:

• Perimeter Security: Controls what traffic (users, protocols, applications, objects, etc.) is permitted to enter and leave an enterprise site
• Transmission Security: Protects data flows to and from an enterprise site
• Internal Security: Controls which users have access to which resources
• Desktop (Personal) Security: Protects end-user devices (PCs, laptops, PDAs, cell phones, etc.)

Perimeter Security

The perimeter has long been the cornerstone of enterprise security. Perimeter defenses are designed to restrict traffic flows in and out of the enterprise based on numerous factors, including user, IP address, protocol, application, time of day, etc. The foundation of the perimeter is the firewall, inspecting traffic flows and allowing or denying access to the enterprise network based on predefined rulesets. Additionally, enterprises can deploy externally-accessed resources (web/email servers, etc.) outside the firewall in a demilitarized zone (DMZ), a separate port and network outside the firewall with no direct connection to the internal LAN. The DMZ prevents external users from gaining direct access to LAN-based resources. Firewalls are often integrated with VPN gateways, discussed below in Transmission Security. Cisco PIX, Check Point FW-1 and Netscreen are the clear leaders here. Look for Microsoft to make aggressive moves in this area as well, as it continues to add functionality to its software-based Internet Security and Acceleration (ISA) Server.

The firewall is only one component of perimeter security. Also included on the perimeter are a host of inspection functions, including content/URL filtering, virus scanning and spam filtering. Deploying this functionality at the perimeter (vs. the desktop) reduces or eliminates potential impacts on the internal network. Several vendors have begun to integrate content/URL/email filtering and virus scanning functionality into the firewall - which makes good sense considering the deep packet inspection that firewalls perform. Symantec's Gateway Security platform and newcomer Fortinet's FortiGate systems are examples of integrated perimeter devices. Intrusion detection systems (IDS) and newer intrusion prevention systems (IPS) provide an additional layer of perimeter security inside the firewall. Host-based IDS systems reside on specific nodes (file/application servers, etc.) and monitor application and OS activity, comparing session activity against normal usage patterns that have been collected over time. Network-based IDS systems scan network traffic and compare activity against known attack patterns (signatures), sounding alerts for positive matches.

One of the main issues with IDS is the high volume of false positives that are detected, potentially caused by a network traffic hiccup or software flaws in the IDS itself. Another issue with IDS is that it is passive - so, when actual attacks are detected, the IDS does nothing to prevent them. IPS devices provide this critical next step - they sit inline, detect attack signatures and block them. You may ask "Isn't this what a firewall is supposed to do?" - stay tuned to upcoming Lippis Reports for that discussion. Network Associates (through its acquisition of Entercept and Intruvert), Top Layer and SourceFire are all shipping IPS products today.

Another recent addition to perimeter security is application-level/web firewalls. In recent years, attackers have learned to leverage the abundance of unsecured web applications to breach enterprise infrastructure, exploiting HTTP port 80. Firewalls and virus scanners focus on known-port and traffic attacks, such as SMTP, but have little or no visibility into incoming HTTP traffic. As a result, HTTP-based worms, cookie poisoning and other such attacks are on the rise. In response, vendors including Blue Coat Systems, NetContinuum and Teros have sprung up to combat these web vulnerabilities.

Transmission Security

Transmission Security focuses on securing and preserving data integrity in transit. IPSec-based Virtual Private Networks (VPNs) have been the traditional means of securing data transmissions over public IP networks, providing tunneling and data encryption services. IPSec is used for site-to-site (gateway to gateway) connectivity, which is generally fixed, as well as for remote access connectivity for mobile users.

While IPSec is well suited for relatively static site-to-site connections, it faces a number of challenges in providing remote access security. The main issue for many enterprises is that IPSec requires a client to be installed and configured on every remote user's PC or laptop. This makes it difficult to deploy, manage and troubleshoot, and creates an opportunity for operator error. Additionally, most large enterprises block IPSec at the firewall, making it impossible for remote users working on client sites to remotely access corporate resources back at their own office. Finally, some cable operators and DSL providers have begun to block IPSec traffic from residential users in an attempt to force them to subscribe to more expensive business access services.

Over the past year, several startups have emerged with a new solution for secure remote access: SSL-based VPNs. Much like traditional IPSec-based VPNs, an SSL gateway is deployed at the enterprise site. However, instead of accessing the VPN and corporate resources via client software, users simply connect to the VPN through a standard web browser utilizing the SSL (HTTPS) support inherent in virtually all browsers today. No client software is required (a Java applet or ActiveX object may be downloaded at connect time, but is transparent to the user), virtually eliminating deployment, management, and user education issues. SSL VPNs can provide access to any web-based application, and now provide access to most client-server and legacy applications as well. Additionally, SSL VPNs utilize SSL port 443, a commonly open and secured firewall port, sidestepping the IPSec filtering and blocking issue. Startups Neoteris, Netilla, NetSilica and Whale Communications are shipping SSL VPN products, as are more established vendors including Aventail, Nortel and Nokia.

Another new set of vendors is integrating firewall, VPN, content management, email/URL filtering, IDS/IPS, antivirus, etc. into a single "security switch" architecture. The goal of these platforms is to provide maximum security depth and breadth while minimizing complexity and administrative burdens by eliminating the need for switches and load balancers that are often required to scale the security infrastructure. These comprehensive security switches are ideal for larger enterprise environments and/or data center deployments. Vendors in the security switch space include Crossbeam Systems, Inkra Networks and Nauticus Networks.

Internal Security

Internal network security is often lost in the shadow of publicized Internet and external security threats. The fact remains that the greatest threats often reside inside the firewall. The US Computer Science Institute and the FBI suggest that as much as 30% of all breaches come from internal sources, while 70% of all breaches (internal and external) are initiated by employees.

Unfortunately, there is no "silver bullet" technology that can stop internal attacks from occurring. Proper firewalling and LAN segmentation, internal intrusion detection and prevention systems (IDS/IPS) and regular audits are all contributing factors, but educated employees are the key. Educating employees on social engineering techniques, complex password usage, and reporting of incidents provides the strongest pillars of internal security. Gaining executive sponsorship for security educational programs will also lead to a security culture within the enterprise.

Desktop (Personal) Security

Many of the perimeter defenses mentioned above, including various scanning and filtering functions, were initially deployed at the desktop as a component of internal security. Now, however, desktop or personal security is most critical to users outside the office. The relatively insecure, always-on nature of broadband cable and DSL services has exposed home users (telecommuters, day extenders, etc.) as a major vulnerability, with their PCs, laptops, etc., potentially used as launch pads into the enterprise network. Both antivirus software and newer personal firewalls are being employed to combat this vulnerability. The traditional antivirus vendors, including Symantec and McAfee (Network Associates), are major players in the personal security space, as well as 3Com and newcomers including Zone Alarm.

Network Security and Process

While varying layers of network security and their underlying platforms lay the foundation of a solid security architecture, establishing a well-defined security process is key to securing the enterprise. Initiating a security process and culture involves numerous steps including:

• Password Management: Force users to renew passwords after a set period, and encourage complex password usage.
• Segmented Management: Restrict administrator access to only those systems for which each IT employee is responsible. Eliminate "master administrator" privileges and rename administrator accounts.
• Change/Patch Management: Establish a repeatable process for system changes and upgrades, as well as patching.
• Educate Employees: Inform employees of security procedures. Train employees to report suspicious incidents, and educate them as well on security response.

These steps will instill security as a culture within the enterprise, and enable secure, repeatable processes to be employed.

Closing Vulnerabilities!

Developing a sound security architecture is an ongoing process with no definitive end. There are a few initial steps IT managers can take to begin ramping up enterprise security practices:

• Take stock of what resources are most critical to protect. Use an inside-out approach to ensure that these resources have been secured before considering making them accessible to outside parties, whether external or on site.
• Take a careful inventory of which users require access to specific resources. To the extent possible, limit access to only those required applications - using open-ended, "any-user-any-service" policies often leads to trouble.
• Work to instill a security culture in your organization. This happens from the top down - management must lead by example, not just IT. Security is the priority of the entire enterprise, which includes all business units and each employee.
• Assess your network at every site in each of the four layers identified above. Build a list of vulnerabilities within each layer. Develop security solutions to each vulnerability identified. Look for efficiency patterns that reduce security spending while closing the largest number of prioritized security threats.
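The last two steps above (a per-site, per-layer vulnerability list, prioritized, and a search for spending that closes the most prioritized threats) can be worked as a small model. The following is an added example, not part of the Lippis Report; the findings, the candidate controls, their cost units and which findings each control closes are all constructed sample data, and the greedy best-priority-per-cost selection is one simple way to find the "efficiency patterns" the article describes.

```python
"""Four-layer vulnerability inventory and control selection (added example)."""
from collections import defaultdict

LAYERS = ("perimeter", "transmission", "internal", "desktop")

# Constructed sample findings: id -> (site, layer, priority 1-5, description).
FINDINGS = {
    "F1": ("HQ", "perimeter", 5, "inbound HTTP not inspected"),
    "F2": ("HQ", "transmission", 4, "remote users on unmanaged IPSec clients"),
    "F3": ("Branch", "perimeter", 3, "no spam/virus filtering at the edge"),
    "F4": ("Branch", "internal", 4, "flat LAN, no segmentation"),
    "F5": ("HQ", "desktop", 2, "telecommuter PCs without personal firewall"),
    "F6": ("Branch", "desktop", 2, "laptops without antivirus"),
}

# Constructed candidate controls: name -> (cost units, findings it closes).
CONTROLS = {
    "web application firewall": (3, {"F1"}),
    "SSL VPN gateway": (4, {"F2"}),
    "integrated perimeter appliance": (5, {"F1", "F3"}),
    "LAN segmentation with internal firewall": (4, {"F4"}),
    "managed desktop AV + personal firewall": (2, {"F5", "F6"}),
}


def inventory_by_layer(findings):
    """Group finding ids by layer, highest priority first; reject unknown layers."""
    by_layer = defaultdict(list)
    for fid, (site, layer, prio, _desc) in findings.items():
        if layer not in LAYERS:
            raise ValueError(f"{fid}: unknown layer {layer!r}")
        by_layer[layer].append((prio, site, fid))
    return {layer: [f for _, _, f in sorted(by_layer[layer], key=lambda t: -t[0])]
            for layer in LAYERS}


def plan_controls(findings, controls, budget):
    """Greedy: repeatedly buy the control closing the most open priority per cost unit.

    Returns (controls chosen in order, total spent, findings still open)."""
    open_findings = set(findings)
    chosen, spent = [], 0
    while True:
        best, best_score = None, 0.0
        for name, (cost, closes) in controls.items():
            if name in chosen or spent + cost > budget:
                continue  # already bought, or does not fit the remaining budget
            gain = sum(findings[f][2] for f in closes & open_findings)
            if gain / cost > best_score:  # gain of 0 never wins, so useless controls are skipped
                best, best_score = name, gain / cost
        if best is None:
            return chosen, spent, sorted(open_findings)
        chosen.append(best)
        spent += controls[best][0]
        open_findings -= controls[best][1]
```

With a budget of 10 units the plan buys the desktop package, the web application firewall and the SSL VPN gateway, leaving the two Branch findings open for the next budget cycle.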
