It is one of the old security adages that the nature of the threats to networks are ever-changing.
Today they encompass physical threats (theft of computers), technical (viruses), resource (loss of computing power, bandwidth overload), legal (illegal data on corporate networks), human resources, information loss and employee time-wasting.
Each is a threat that needs to be considered separately. But the most significant change to network security for years has just materialized, and it means that firewalls need a complementary gateway barrier if defense against invasions via web traffic is to be effective.
Ten years ago, when corporate networks largely consisted of internal data traffic handled by bridges, hubs and LAN switches, with routers managing what limited internet access there was, the firewall symbolized a gleaming piece of state-of-the-art ‘machinery,’ capable of identifying and tackling any external threat.
Things have changed. The ubiquity of internet access within the modern enterprise is such that web traffic levels are increasing daily, and so are the security threats that this brings with it.
This does not mean, though, that the firewall has been made redundant – far from it. In fact the very real security concerns facing businesses today are such that the firewall is more vital than ever. But separate appliances, allied with firewalls in a coordinated defense system, are required to tackle the emergence of a new loophole – port 80 – over which the vast majority of web traffic flows, and which is subjected to only very basic checks.
Airport sophistication needed
The situation facing IT departments is uncannily similar to that facing the fledgling airlines and airports – and indeed the passengers using them – when air travel first emerged as a popular phenomenon. Then, arrive at the airport with a passport and the right ticket and you were directed to the right aircraft. While the same is true today, the overall system has been tightened somewhat.
Even the least comprehensive of airport security systems for departing passengers will perform basic questioning at check-in. But it will also have security staff patrolling the check-in areas looking for suspicious behavior; weighing and x-raying of hold baggage; x-raying of cabin baggage and possible body searching; metal detector checks for passengers; plus further questions and scrutiny at the gate, and all areas of the airport constantly monitored by closed-circuit television for anything untoward. At the destination, sniffer dogs check baggage once more, and immigration checks and further x-raying of baggage are undertaken. Depending on the route and the customer, different numbers and types of checks are undertaken.
While superficially it seems that the level of security is governed by the number of checks carried out, in fact it is a combination of the checks and the types of security threat being checked for: while a terrorist with a concealed weapon may be able to bluff his way through verbal checks, he may not beat a metal detector, and a keen-eyed security guard should have cause for concern and frisk him if needed. Granted, no defense system is ever totally impenetrable, but airports have realized – largely for common sense reasons – that threats come from all sides and in varying shapes and sizes, hence multi-faceted protection is critical.
Firewalls are the equivalent of check-in. The passenger name and destination ticket are checked; if they match, the passenger is allowed to continue. Port 80 security devices provide for enterprise networks the rest of an airport’s security arsenal, as the table below shows.
Once hold baggage is checked, a machine at the airport reads the barcode on the luggage label and directs the luggage to the correct airplane. One customer may have multiple pieces of luggage, but the machine looks at each one individually and does not know that there may be multiple pieces of luggage that are related. This is similar to a firewall inspecting each packet of data and making forwarding decisions one packet at a time.
Whereas firewalls understand packets, or individual chunks of data, and look at the source and destination and see if they match defined rules, security gateways that address port-80 traffic understand data. They rebuild complete web content and make decisions based on this content and its parameters. The x-ray analogy is a clear one; port-80 security devices are able to ‘look inside’ web traffic and assess whether it is genuine and perfectly innocent, or an attempt by a hacker to test the network’s defenses. A web page is made up of many individual pieces of data and may come to the user in hundreds of individual packets, so this ability to ‘look inside’ them is crucial.
The device can then make decisions based on user, file-type, MIME-type, active content type, original web site, time of day, browser, user, group, site of user and other such factors. It can also take individual objects and redirect them to virus-scanning devices, something that is not possible if the only understanding gained is on a packet-by-packet basis. There is a further parallel to be drawn over virus scanning, which is similar in its function to x-raying hand luggage, while metal detectors that passengers must walk through are like removing mobile code such as Java and Active-X.
Acting on intelligence
Security gateways, also, provide an enterprise with complete logs of every user, every request, everything that happens. They allow security-critical statistics to be analyzed, such as time online by user, users creating the most web traffic, most popular sites, split of data by site category, the amount of streaming data and types of browser in use.
This gives the organization far better information on which to act. Take the usual security system based largely on firewalls, which list traffic only by IP address, not by user. From a HR perspective this is useless, as management cannot discipline staff if they are unsure who is doing what.
So, just like airlines who need to know their most important customers, who habitually arrives late at check-in, who uses multiple airlines, and who is loyal, security gateways can show what each user does, for how long, and where they go. Then the company’s management can ascertain whether there is a problem that needs to be addressed.
Implications for the IT function
The most significant capability on security gateways is the quantum leap in security sophistication that they deliver to the enterprise. Essentially, they allow organization to upgrade or downgrade their security curtain as circumstances dictate, just like an airport.
Picture this: a new virus is spread by Visual Basic files, and for a few crucial hours there is no solution to it. Management can insert a specific rule for ‘block all’ .VBS (Visual Basic) files, and implement it immediately. When the virus vendors have an update to their scanning system, this can be deployed and the block removed from the security gateway.
Alternatively, month-end in a multinational company could bring with it some crucial communications that need to be made between several systems. These may start at 6 p.m. GMT, during the North American working day. To ensure bandwidth is not consumed during this time for non-crucial work, a rule could be set up that starts automatically at 6 p.m. and stops again at midnight GMT. During this time, streaming support is limited to a lower level of performance, access to news web sites are redirected to an internal web page saying ‘month end: don’t go here until tomorrow’. Without anyone needing to access the management system at midnight the rule automatically gets rescinded, making maximum use of available resources while security is tightened.
It is this level of sophistication that the modern enterprise is seeking, but unable to achieve with firewalls alone, and that security gateways are delivering.
Nigel Hawthorn is marketing director of Blue Coat Systems ( www.bluecoat.com).
Blue Coat Systems are exhibiting at Infosecurity Europe, Europe’s largest and most important information security event. Now in its 8th year, the show features Europe’s largest free education program, and over 200 exhibitors at the Grand Hall at Olympia from 29th April – 1st May 2003. www.infosec.co.uk