Application security

Moving the wall inside the gates: Preventing security breaches from inside your private network

Too often, network security relies on placing firewalls in front of public network access points and calling it a day. The assumptions are 1) being on a private network is synonymous with being on campus 2) campus users are implicitly trustworthy and 3) external threats are mitigated by the perimeter firewall.


Unfortunately, these assumptions don't hold true. With the explosion in mobility, being on the private network can mean being anywhere and too often we hear of security breaches stemming from within. As for that perimeter firewall, with open ports for every partner, contractor and remote user that demands access, it serves as nothing more than an initial line of defense.


Clearly the network perimeter is vanishing. Going forward, a new model for enterprise defense must be established. But first, criteria for this new paradigm must be set forth. Start by considering whether or not the network is what you wish to protect. When queried, the majority of IT personnel indicated controlling access to applications, data and mission critical infrastructure was of utmost importance.


Hence a new perimeter must be drawn around these critical resources. With this paradigm shift, no distinction need be made between internal or external users or between employees and third-party users. And with the right technology, access to core resources can be restricted to connections for which user/device identity and specific authorizations have been established.


A new wave of security offerings, including intrusion prevention/detection systems (IPS/IDS) and network access control (NAC), are attempting to address issues arising from the vanishing network perimeter. Unfortunately, these solutions do not establish the necessary new perimeter – either individually or collectively.


Consider that threats are already on the network for IPS/IDS to work. And consider that NAC ensures devices are clean, but does little to curtail user behavior once on the network. Moreover, many NAC solutions require hardware replacement, software distribution and architecture shuffling which may not align with the organization's technology ecosystem.


So while firewalls, VPNs, IPS/IDS and NAC will continue to play their role, there remains a need for a solution aimed at replacing the vanishing network perimeter with a new perimeter, one that draws a moat around core data center applications and trades trusted networks for trusted users.


Unfortunately, the approaches taken by early NAC adopters and vendors focus on broad-based LAN access, separate from NAC for wireless access and VPN. In contrast, solutions for the new perimeter must instead take a unified approach to controlled access, providing a greater range of access methods, eliminating multi-solution attack vectors, simplifying management and applying identity-based access as mandatory enterprise policy.


At the new perimeter, access and security must adapt to the needs of remote and local employees, partners and visitors as well as adapting to credentials, device posture and access environments. The strategy can be likened to a bank vault, wherein that which is truly valuable is protected, and no one gets in without proper screening.


At the end of the day, the only things that matter to a new perimeter security solution are the applications, data, users and end points. What follows is a vision for new perimeter security, henceforth enabled by and referred to as a Universal Access Controller (UAC), and what organizations should look as they seek out next-generation enterprise security.


Business critical applications, networks and resources must be cordoned off. For this purpose, UAC hardware utilizes a security-hardened OS immune to known and exploitable security gaps and features a reverse proxy architecture to eliminate direct connections with back-end infrastructure. Moreover, while additional security measures may be present behind the UAC, the hardware platform should provide base-level firewalling and content inspection to effectively guard the data center.


With defenses established, it is time to enable connectivity. Again, the UAC must reach all users and, as such, must feature broad access capability. Remote access VPN must be supported, preferably over SSL VPN for its ability to extend access to any browser-enabled device. Redirection for local wireless users (e.g. captive portals) must be present to ensure all traffic is funneled through the UAC. And fixed local users must be brought through the UAC in a method transparent to established work flows (e.g. substitute Windows login).


Connections between end-users and the UAC are encrypted to prevent tampering and sniffing in the area beyond the new perimeter, and encrypted site-to-site/peer-to-peer tunneling must be supported to connect protected zones both within a given location and at geographically dispersed sites. In this manner, users may connect to the new perimeter at close proximity and gain access, as authorized, to a full scope of available resources.


With connectivity provided for, the business of admitting users begins; and step one is determining identity for both devices and users. The UAC ensures that the security posture for end-user devices complies with predefined security policies, including scans for anti-virus software, anti-spyware, personal firewalls, service packs, etc. In addition, UACs also support strong authentication in the form of 2-factor implementations such as scratch cards, mobile support, USBs and SMS.     


In the event devices do not comply with security policy, the UAC may take one of three actions 1) actively remediate managed devices and provide access 2) actively alter resources available on unmanaged devices to match the security environment or 3) quarantine unmanaged devices on a separate remediation portal where users may choose whether to undertake further action. By these means, the UAC provides maximum access without compromising security.


Once identity is established, the UAC meters access through the new perimeter with application-level granularity – providing complete control over resources allocated to a given user or group. What's more, the UAC provides flexibility in the manner in which access is provided, supporting network level and portal based connectivity such that access can be tailored to roles within the organization and network exposure can be kept to a minimum. Where absolute separation is necessary, (partners, vendors, customers, employees, etc.) the UAC has the ability to support multiple fully-separate virtual systems on a single system with separate portals on the front end associated with separate VLANs on the back end.  


Last but not least, UACs provide post session and end-point security. All the encryption and access control in the world is for naught if data is left behind or falls into the wrong hands. As needed, the UAC can wipe end-user devices clean upon log out, removing any trace of the preceding session.  Furthermore, the UAC can place any session inside an encrypted vault in which actions such as printing, saving, copy and paste, etc. simply are not possible. Of particular importance, clear and intuitive audit trails for all UAC activity establish airtight accountability for both internal legal objectives and external compliance requirements.


If the time is right for your organization to consider migration towards a new perimeter solution, bear in mind a few details. You will hear more about new perimeter solutions in the days ahead, from a range of vendors. But not all security products are up to the task. Establishing the new perimeter requires enough headroom to support thousands, even tens of thousands of concurrent user sessions while imparting virtually zero latency. And as a strategic piece of the overall IT architecture, they must provide guaranteed availability through such features as multi-unit clustering with load balancing and stateful session failover. Insisting that solutions you choose meet these criteria will be paramount in determining the success of your new perimeter deployment.


While the UAC does not secure broader networks beyond the data center, it protects what counts - business critical data and applications, in a manner that is affordable, manageable and deployable. When considering the original drivers for NAC – guarding against high-risk scenarios such as partner, remote, and wireless access – no other solution drives productivity, bolsters security and reduces cost and complexity to the same degree as a UAC.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.