Monthly column
What You Can’t See Might Still Hurt You…
By Klaus Majewski
Within any modern business environment it is now relatively easy to find technically aware people who can tell you exactly what kinds of servers are on the corporate Intranet, and perhaps even what functions those servers perform. Ask the same people to describe the types of traffic flowing across that Intranet, however, and you are far less likely to get an informed answer.
This is usually because keeping up with the many types of network traffic, including data, voice and video, has become overwhelming, and people fall back on the belief that a strong perimeter protects the network against potential threats and malicious attacks.
Perimeter defense is a start
Let’s take an example: a company has firewalls protecting all connections to and from the Internet, plus VPN connections to branch offices, subcontractors and remote mobile users. Email and file transfer traffic is content-checked at the perimeter. All Web connections go through HTTP cache servers. All servers accessible to customers or subcontractors are located in separate DMZ areas. Does this sound like secure perimeter protection? Well, it is a good start.
Sadly, strong perimeter defenses alone are not good enough, since a single mobile user with a laptop can cause innumerable problems for a modern company. According to an IDC report published in October 2005, the number of remote and mobile workers reached 650 million worldwide in 2004, and IDC predicted that over the next five years that number would reach 850 million, more than one quarter of the global workforce. The increase is not very surprising when you consider how easy and cheap it is to get Internet access from almost anywhere. People also prefer to work from home offices rather than spending their mornings in traffic jams.
Remote working means that corporate laptops are far more likely to pick up an infection from untrusted systems such as home computers. Corporate security policies must take this into account when considering possible attacks against company assets.
For example, when a mobile user logs on to a laptop at a customer site, the machine may well pick up an infection. When the infected laptop is brought back to the office and connected to the internal network, the malware is now inside the protected network. Perimeter security has been physically bypassed and the infection is free to spread to other computers on the network segment. This is why it is so essential that corporate networks include internal protection mechanisms that can defend against such simple oversights. Perimeter defenses, however strong, no longer offer sufficient protection on their own.
Layered defense is a mature and proven approach. Instead of one layer of protection there are several layers of security. The idea is to slow the attacker down, collect more information about his actions and finally stop him before he reaches his target.
Security is a process with five steps: protect, detect, react, recover and revise. First, the company has to define the assets that must be protected and then implement good enough protection for them. Because no protection is complete, security breaches have to be detected when they occur. Once a breach is detected, it has to be contained. Once the emergency is handled, the company should find out why the attacker got past some layers of defense. Once the reason is found, the security procedures must change to close that way of breaching the security. Then the process cycles and starts again.
Of course, large enterprises can afford powerful network management systems capable of monitoring the overall health of internal networks. Small and medium businesses simply do not have that kind of money at their disposal to invest in Intranet protection. It is essential that these companies find alternative means to achieve the same levels of protection, but in order to find a workable solution we have to consider some common problems.
Visibility for internal network
First, companies need to see exactly what is happening on their Intranets. There have been several cases where a company’s domain name server (DNS) has been compromised and the attackers then used the DNS server to leak confidential information out of the company. Note that DNS is normally allowed through the perimeter without any checking. Had those companies been doing protocol checking, they would have seen that what was flowing out of their DNS server was no longer DNS traffic.
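The protocol check described above, as an added example that is not part of the column or of any StoneGate product: it parses the DNS header and question section of each payload seen on UDP port 53 and reports anything that is not well-formed DNS. The sample payloads are constructed for the example; a real sensor would feed it captured datagrams. One caveat a practitioner would add: a compromised server can also tunnel data inside syntactically valid DNS (long random labels, floods of TXT queries), so this conformance check is the first filter, to be paired with per-client volume and name-length statistics.

```python
"""Protocol-conformance check for payloads seen on UDP port 53.

Added example, not StoneGate or Stonesoft code. Parses the DNS header and
question section (RFC 1035, section 4.1) and reports the first violation,
which is what exposes raw data being pushed out over port 53 by a
compromised DNS server. All sample payloads below are constructed.
"""
import struct

HEADER = struct.Struct("!HHHHHH")   # ID, FLAGS, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT
MAX_LABEL = 63                      # RFC 1035 limits on label and name length
MAX_NAME = 255
MIN_RR_SIZE = 11                    # 1 (root name) + 2 type + 2 class + 4 TTL + 2 RDLENGTH


def parse_name(data: bytes, offset: int):
    """Parse an uncompressed domain name; return (name, offset after it)."""
    labels, total = [], 0
    while True:
        if offset >= len(data):
            raise ValueError("name runs past end of message")
        length = data[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0 == 0xC0:
            # compression pointers belong in answer sections, not in a question name
            raise ValueError("compression pointer in question name")
        if length > MAX_LABEL:
            raise ValueError("label longer than 63 octets")
        label = data[offset:offset + length]
        if len(label) != length:
            raise ValueError("truncated label")
        offset += length
        total += length + 1
        if total > MAX_NAME:
            raise ValueError("name longer than 255 octets")
        # binary labels are legal but rare in practice; treat them as suspect
        labels.append(label.decode("ascii"))  # UnicodeDecodeError is a ValueError
    return ".".join(labels), offset


def check_dns(payload: bytes) -> str:
    """Return 'dns' if PAYLOAD is well-formed, otherwise the first violation found."""
    if len(payload) < HEADER.size:
        return "too short for a DNS header"
    _ident, flags, qd, an, ns, ar = HEADER.unpack_from(payload)
    is_response = bool(flags & 0x8000)
    opcode = (flags >> 11) & 0xF
    if opcode == 3 or opcode > 5:   # 0 QUERY, 1 IQUERY, 2 STATUS, 4 NOTIFY, 5 UPDATE
        return f"unassigned opcode {opcode}"
    if qd == 0 and not is_response:
        return "query with no question"
    offset = HEADER.size
    try:
        for _ in range(qd):
            _name, offset = parse_name(payload, offset)
            if offset + 4 > len(payload):
                raise ValueError("question truncated")
            _qtype, qclass = struct.unpack_from("!HH", payload, offset)
            offset += 4
            if qclass not in (1, 3, 4, 254, 255):   # IN, CH, HS, NONE, ANY
                raise ValueError(f"unknown QCLASS {qclass}")
    except ValueError as exc:
        return f"malformed question: {exc}"
    # the section counts must fit in the bytes that are actually there
    if len(payload) - offset < MIN_RR_SIZE * (an + ns + ar):
        return "RR counts larger than the message can hold"
    return "dns"


def build_query(name: str, qtype: int = 1, ident: int = 0x1234) -> bytes:
    """Build a standard recursive query for NAME (constructed input, no validation)."""
    header = HEADER.pack(ident, 0x0100, 1, 0, 0, 0)      # RD set, one question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)


# Constructed samples standing in for payloads captured on UDP/53.
NORMAL_QUERY = build_query("www.example.com")
EXFIL_BLOB = b"BEGIN CONFIDENTIAL: salary.xls,42000,..."   # raw data on port 53
OVERLONG_LABEL = build_query("a" * 70 + ".example.com")  # 70-octet label
TRUNCATED = NORMAL_QUERY[:20]
BOGUS_COUNTS = HEADER.pack(0x1234, 0x8180, 1, 9, 0, 0) + NORMAL_QUERY[HEADER.size:]


def audit(payloads: dict) -> dict:
    """Map each sample name to its verdict; non-'dns' entries are what a sensor alerts on."""
    return {name: check_dns(p) for name, p in payloads.items()}


if __name__ == "__main__":
    samples = {"normal": NORMAL_QUERY, "blob": EXFIL_BLOB, "overlong": OVERLONG_LABEL,
               "truncated": TRUNCATED, "bogus_counts": BOGUS_COUNTS}
    for name, verdict in audit(samples).items():
        print(f"{name:13s} {verdict}")
```

The raw blob fails on the very first field: its third and fourth bytes decode to an opcode that DNS has never assigned, which is exactly the kind of mismatch between the port and the protocol that the compromised servers in the column would have shown.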
To achieve this visibility, companies should employ strategically placed Intrusion Prevention System (IPS) sensors to reveal what is flowing across the internal network. Today's IPS systems do not produce the large number of false positives once associated with older Intrusion Detection Systems (IDS), and it is no longer necessary to sprinkle IPS sensors throughout an internal network in a scattergun approach to intrusion security. Organizations should deploy IPS at intelligent locations, for example at the firewall, in demilitarized zones (DMZ) or in front of critical servers. It is really a question of common sense, and of placing devices where they matter most. IPS systems are then able to report exactly what kind of activity is happening on the Intranet.
Removal of non-business traffic
A second consideration is how to prevent unwanted traffic inside the internal network, for example a worm or a peer-to-peer program (like eMule). Music and movie downloads using peer-to-peer programs can saturate an Internet connection of any size. At the perimeter these downloads look like normal Internet traffic, but they do nothing to help the company do its business. Additionally, there may be liability issues for the company regarding the copyright protection of music and movies.
An intrusion prevention system can easily block the various non-business peer-to-peer programs. Immediately there is more bandwidth available for business applications and for remote connections between branch offices.
Co-operation of security layers
An infected computer inside the company’s network will try to infect its neighbors and so spread the infection. One solution is to segment the Intranet using firewalls. This allows an organization to isolate the Finance or Accounts departments from the rest of the Intranet and so prevent infections from spreading into those business-critical network segments.
If the IPS sensors and firewalls are deployed to co-operate closely, they can be used together to strengthen Intranet security. IPS sensors show what is flowing across the Intranet by inspecting network traffic at the application layer. If they are well located, for instance in front of critical servers, the IPS sensors block harmful traffic directly. Where they do not cover the whole traffic path, they can also instruct internal firewalls to block further unwanted traffic throughout the company’s Intranet and even at the perimeter. Because today's IPS and firewall systems are very granular, they can block just the offending traffic while allowing genuine business traffic to flow without interruption. This co-operation helps to isolate infected computers and keep their damage to a minimum.
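The segmentation and the sensor-to-firewall co-operation described in the two paragraphs above, as an added example that is not part of the column or of any StoneGate product: an internal firewall enforces static rules between a Finance segment, a user segment and a server segment, and an IPS sensor in front of the servers that blocks a malicious flow also pushes the source host into the firewall's quarantine set. The address plan, the rules, the flows and the signature name are all constructed for the example.

```python
"""Segment firewall plus sensor-driven quarantine.

Added example, not StoneGate or Stonesoft code. An internal firewall
enforces static segment rules; an IPS sensor that blocks a malicious flow
also tells the firewall to quarantine the source host, so the infected
machine cannot keep probing other segments. Addresses, rules and flows
are constructed.
"""
import ipaddress
from dataclasses import dataclass, field

SEGMENTS = {                                   # constructed address plan
    "finance": ipaddress.IPv4Network("10.10.0.0/24"),
    "users":   ipaddress.IPv4Network("10.20.0.0/22"),
    "servers": ipaddress.IPv4Network("10.30.0.0/24"),
}

# (source segment, destination segment, destination port or None for any, action).
# First match wins and anything unmatched is denied, so nothing reaches the
# finance segment from users or servers.
RULES = [
    ("finance", "finance", None, "allow"),
    ("finance", "servers", 445,  "allow"),
    ("users",   "users",   None, "allow"),
    ("users",   "servers", 443,  "allow"),
]


def segment_of(addr: str):
    """Name of the segment containing ADDR, or None for an unknown address."""
    ip = ipaddress.IPv4Address(addr)
    return next((name for name, net in SEGMENTS.items() if ip in net), None)


@dataclass
class Firewall:
    quarantine: set = field(default_factory=set)   # hosts the sensor has isolated

    def decide(self, src: str, dst: str, dport: int) -> str:
        # Quarantine is checked before the static policy and in both
        # directions, so an isolated host can neither spread nor be reached.
        if src in self.quarantine or dst in self.quarantine:
            return "deny(quarantine)"
        s, d = segment_of(src), segment_of(dst)
        for rs, rd, rport, action in RULES:
            if rs == s and rd == d and rport in (None, dport):
                return action
        return "deny"


def sensor(fw: Firewall, src: str, dst: str, dport: int, signature=None) -> str:
    """IPS in front of the servers: drop a flow that matches a signature and
    push its source into the firewall's quarantine; otherwise defer to policy."""
    if signature:
        fw.quarantine.add(src)
        return f"blocked by IPS ({signature}); {src} quarantined"
    return fw.decide(src, dst, dport)


def walkthrough():
    """Scripted scenario: a user host is clean, then trips a signature."""
    fw = Firewall()
    return (
        sensor(fw, "10.20.1.5", "10.30.0.10", 443),                            # allow
        sensor(fw, "10.20.1.5", "10.30.0.10", 443, "constructed-worm-sig"),    # blocked, quarantined
        fw.decide("10.20.1.5", "10.20.1.6", 139),                              # deny(quarantine)
        fw.decide("10.10.0.3", "10.10.0.4", 445),                              # allow, finance unaffected
    )


if __name__ == "__main__":
    for verdict in walkthrough():
        print(verdict)
```

The point of the ordering is that the quarantine check runs before the segment rules: once the sensor has seen one malicious flow, the host is cut off from its own neighbors on the user segment even though the static policy allows users-to-users traffic, while Finance traffic carries on untouched.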
Many corporate Intranets connect a number of branch office networks, where security is often perceived as less effective than at corporate headquarters. For example, a postal service’s headquarters may have very good network security, while local post offices might not have any personnel with IT knowledge at all. This kind of situation requires a remotely managed and operated security solution that enforces the same security rules that are in effect at headquarters. This ensures that there is no weak link in the company’s security and that all locations are equally protected.
Security is continuously evolving
Another example is a multinational company with remote offices around the globe. It has a good security policy that dictates what must be done to protect the company’s assets. Unfortunately, it is a fact of life that remote offices will not follow the company security policy if it is not actively enforced.
The only way to make sure that the security policy is followed everywhere is central enforcement of that policy. Internal auditors would also like to have centrally located audit information about policy conformance. In real life this is just a dream in many cases.
This is because many companies buy separate, locally managed security solutions, which leads to an erosion of overall security principles over the years. A comprehensive security solution makes good use of centralized management, so that all branch offices use the same access rules and intrusion prevention rules as headquarters. Centralized management collects security logs on local log servers and presents them centrally as one automatically combined view, with fast and accurate reporting. This helps companies adhere to regulatory requirements such as Sarbanes-Oxley or the Payment Card Industry security standard (PCI, from Visa and MasterCard).
Security is a living, continuously evolving process and must adapt to the new kinds of threats that put the business at risk. This requires agile protection mechanisms that can enforce and manage ever-changing security needs.
A combination of IPS sensors and firewalls offers a sound protection strategy for small and medium businesses, while also providing a fast and easy way to maintain the security of internal networks.
Now are you ready to see and believe?
Read more about StoneGate Intrusion Prevention System