It’s a maxim that applies as much to network security as it does to protecting physical assets because there are many ways for a determined individual to penetrate a perimeter defense. Some threats like the Sobig virus instantly threatened networks through email attachments while T-Mobile’s customer data was hacked over a period of many months as reported in SC Magazine here.
Firewalls have a rightful place in network security, but they can no longer be as rigid as they have in the past. Firewalls are good at stopping certain threats, but they can’t determine an anomaly in a packet’s protocols and decide to block it. Also, a perimeter defense has to take into account the numerous wireless and mobile devices and all their potential connection points via customers, partners, and employees who travel or connect at home. Even in cases when users are authorized, they may take shortcuts to circumvent procedures and expose the network to trouble. That’s a lot of unknown connections and potential threats to manage, and it shows the vulnerability of the traditional, perimeter-based defense.
To have an open network without sacrificing security, organizations need more than firewalls because of their necessary holes and other weaknesses. They also need capabilities for intrusion detection, prevention, vulnerability management, and security event management, which includes handling deliberate or unintended threats from inside the perimeter. Reaching this level of total security has to start with as complete an inventory as possible of network assets and their vulnerabilities, as well as a comprehensive security policy.
How many laptops are configured to connect to the network? Does the security policy require them to have the latest operating system and virus protection, or are some still running Windows 98? Is instant messaging allowed, with its potentially vulnerable protocols? Are these policies being enforced?
With the perimeter defense dissolving around networks, IT departments have to deploy a variety of tools to continuously measure these vulnerabilities and threats, and then manage them. For example, the latest generation of intrusion detection systems (IDS) enables administrators to know with confidence that intrusions are not false alarms, how critical they are, and if servers, routers, or any other assets have been compromised. In addition to firewall protection, IDS systems can be configured to work with host-based systems and their individual security policies. In the case of a docking station for a laptop, it is already inside the network and could have a more permissive security policy, but an IDS tooled for a cable modem would be more restrictive because it’s outside the network and may be more susceptible.
Intrusion prevention systems (IPS) offer another useful layer of protection that blocks attacks as they try to penetrate the firewall by recognizing the signature of known, inbound threats. IPS is valuable, although it has its limitations in that it’s not designed for zero-day, internal network, and some other types of attacks because it only applies to one subnet. As a point of reference, there is no way to configure IPS quickly enough to block the 4,496 new Windows viruses and worms released during the first half of 2004.
While IDS and IPS solutions combine to form a solid set of point solutions, they need the support of discovery tools designed for the whole network. These passive tools provide continuous feedback on assets and vulnerabilities inside the firewall, including version control for operating systems and applications, port usage, the flow, type, and volume of traffic, and new or changed assets. With this information in real time along with the baseline security policies, administrators have the context they need to manage identities and access, determine real threats from false alarms, and deploy corrective measures in time to prevent damage.
Taken together, use of all these tools represents a systematic approach to network security in an era of dissolving perimeter defenses. Perimeters have evolved to have a more fluid nature that enables interactivity, and security must change, too. It’s a matter of establishing sensible security policies, accounting for all network assets through a continuous discovery process, deploying IDS to identify suspicious traffic, and then implementing IPS and passive technologies for blocking, patching, or reconfiguring defensive measures. Because of the diverse origins of threats, multiple tools are needed for optimal performance and accuracy.
Networks have to remain porous for functionality and organizational competitiveness. This gives threats new pathways to enter and carry out their pernicious work, but an effective security infrastructure will keep them and internal threats in check. Organizations that embrace this thinking with the right suite of tools and methodology can expect to have both an open and a secure network.
Sourcefire is exhibiting at Infosecurity Europe 2005 which is Europe’s number one information Security Event. Now in its 10th anniversary year, Infosecurity Europe continues to provide an unrivalled education programme, new products & services, over 250 exhibitors and 10,000 visitors from every segment of the industry. Held on the 26th – 28th April 2005 in the Grand Hall, Olympia, this is a must attend event for all IT professionals involved in Information Security. www.infosec.co.uk
The author is Regional Director EMEA, Sourcefire