×

TMCnet
ITEXPO begins in:   New Coverage :  Asterisk  |  Fax Software  |  SIP Phones  |  Small Cells
 

Feature Article
April 2003


Tony Rybczynski photoMaking Business Realities Work For You

Part IV: Putting Security Into The DNA Of The Enterprise Network

BY TONY RYBCZYNSKI

 

Business Reality: There�s a dark side to the Internet.

As our economy becomes inescapably entwined with the Internet, businesses are facing the dark side of online commerce and of extending the enterprise over the Internet. The greater the reach of the network, the greater its vulnerability to external threats. The Internet was designed for sharing information, not for protecting it. That means the typical Internet-connected enterprise network also potentially reaches hackers, cyber-thieves, and others who would accidentally or maliciously wreak havoc on the private network.

Consider the damages from recent viruses, such as SirCam (2.5 million computers affected, $460 million in clean-up cost, $757 million in lost productivity) or Code Red (1 million computers affected, $1.1 billion in clean-up cost, $1.5 billion in lost productivity). Meanwhile, the FBI says that the majority of financial loss is perpetrated internally. No wonder IT executives are putting security and disaster recovery at the top of their investment priorities.

What would happen if your company�s patents, financial records, customer lists, or employee files got into to the wrong hands? What would happen if credit card numbers were lifted from your online store? � if the media snooped on privileged executive communications? � if competitors used knowledge of your negotiations to undercut you?

Financial, insurance, and healthcare institutions, among others, also face stringent Federal requirements to protect data privacy and integrity; failure to comply can result in criminal prosecution, fines, and prison terms.

Every business has an obligation to protect network integrity and data confidentiality -- for its own sake as well as for customers and business partners. Security is not optional -- it must be part of the very DNA of the network.

Technology Response: Make security an intrinsic part of network DNA.

How do you simultaneously share and protect the same resources? While encouraging electronic transactions and appropriate networking of enterprise information, enterprises also require new safeguards to protect the security and confidentiality of that information. That duality is hard for some IT executives to take, especially since businesses are so diverse, widespread, and handle massive volumes of data.

Security is not a �one size fits all� situation. At one end of the spectrum, the �Closed Enterprise� uses logical (e.g., frame relay) or physical private lines between sites. Web presence is achieved through an Internet data center provided by a service provider (who is responsible for establishing a secure environment). Conventional dial access is provided for remote employees (e.g., working from a hotel). The company uses private e-mail among employees with no external access.

At the other end of the spectrum, the �Open Enterprise� fully leverages the Internet by allowing partners, suppliers, and customers to have access to internal resources (e.g., as part of a supply chain management system). Employees can also have access from home, remote offices, or other networks using wired, wireless LAN, or mobile devices. In this case, security needs to be addressed across the enterprise to control employee, partner, and even customer access to enterprise databases and applications. The diversity of supported services and access mechanisms translates into multiple paths into the enterprise network. This diversity increases the level of threats and security risks to the enterprise. Open Enterprises are susceptible to application layer threats, network layer threats, unauthorized access, and eavesdropping. The networking infrastructure of switches and routers and network management systems in these enterprises are all targets.

Security is also a major concern for the Closed Enterprise, not just from disgruntled internal users, but also because there are a number of exposures, primarily on three fronts. Physical security is an obvious area. Even if Internet access is not supported, employees can take their laptops home and use them for Internet surfing, thus exposing them to various forms of security breaches. The third exposure area is associated with the introduction of wireless LANs. Perhaps, the highest risk comes from the false sense of security that the closed enterprise is immune to external risks.

The starting point for all types of enterprises is the development of an enterprise security policy. Although a network security policy will vary from enterprise to enterprise, there are common guidelines that apply to nearly all business practices to reduce risk and protect valuable asset information and resources. The policy covers voice and data communications, as well as end users and operations staff. There should be clear responsibility for security across the enterprise. Clear separation of administrative duties and responsibilities needs to be established. Some enterprises have established a Chief Security Officer. Critical resources that need to be protected need to be identified and the impact of loss or corruption evaluated. Survivability criteria need to be established. Which users or user groups have access to which network and application resources needs to be defined. The access per user should be limited to the absolute minimum privileges that are needed for the task. Finally, a strategy for auditing all security-related activities needs to be developed.

A Unified Security Architecture For The Enterprise

Variable depth security (security everywhere to the depth required by the resource being protected) is a basic principle in securing the enterprise. This is complementary to what is generally called perimeter security, and serves to protect critical resources as the enterprise opens up its environment to partners and customers. Variable depth security drives the development of a layered security architecture across network, network-assisted and application security layers. The enterprise can choose which functions within these layers are required to meet its needs.

Network security operates at OSI Layers 1-3, and includes techniques that physically or logically partition network devices. This includes the use of wavelengths, virtual LANs (VLANs), static firewalls, and IP VPN tunneling. Wavelengths provide isolation required for Storage Area Networks (SANs). VLANs effectively segregate areas of the same network, for example, demilitarized zones from internal enterprise servers. An important new capability is the introduction of the Extendible Authentication Protocol (EAP). EAP not only controls Layer 2 port connectivity, but also can be used along with secure access management to customize the security (and QoS) profiles of the port for a particular authenticated user. Static firewalls provide packet filtering based on MAC or IP source or destination addresses, or port or protocol ID.

The network security layer also protects data and voice in transit between endpoints in several ways. Virtual private networks (VPNs) use �tunnels� -- secure channels created with encapsulation or encryption -- to securely send data between networks or nodes, even across the public Internet. Unfortunately, bolting IP VPN capabilities onto legacy routers brings its own brand of performance penalty. Specialized devices have been developed called Secure IP Services Gateways. These appliances offer high-speed VPN services (encryption/authentication), IPSec security features, stateful firewalling, secure dynamic routing over secure tunnels, all in a tightly integrated and fully managed platform. SSL (Secure Socket Layer) VPNs operate at the session level, are good for Web applications and extranets and limited application access, and don�t require any special client software. In addition, SSL VPNs open up a large security hole when used from uncontrolled PCs (e.g., kiosks). In contrast IPSec VPNs operate at the network layer, are application agnostic, and require a PC client. Most importantly IPSec VPNs provide the enterprise with complete control over their security environment.

Network-assisted security delivers security services that generally operate at OSI Layers 4-7. Stateful packet inspection techniques, active intrusion detection, anti-virus scanning, URL and content filtering techniques can all be used to further enhance network security. Stateful firewalls are more intelligent and efficient than static firewalls, as they not only inspect every packet but also protect against out-of-sequence packets and spoofed TCP connections by maintaining the state information of every connection. Intrusion detection systems (IDSs) enable network administrators to monitor traffic patterns and protocols and be alerted of suspicious activity. Through proactive monitoring, an organization can thwart external attacks and other threats to protected information.

Application security is functionality that can be built into the design of applications. However, the layered approach opens up the opportunity to use the network-assisted security layer to offer security functionality across multiple applications, while in many cases improving their performance. For example, SSL, when used extensively to secure transactions, can result in a major performance hit on servers. Leveraging the network-assisted security layer through SSL acceleration can improve server utilization by orders of magnitude.

Hardening the operating systems (OS) is a key element of securing information systems within the application security layer. A typical enterprise may use multiple OSs for various applications, including network management. Some IP telephony systems use the same or hardened versions of these operating systems, while others are based on a real-time OS kernel and specialized software.

These three security layers operate under the fourth major element of the security architecture: a Closed Loop Policy Management system, providing configuration, monitoring, and auditing of the network and applications. Policy management is the linkage between the enterprise security policy and the IT infrastructure. A complete policy management solution includes a policy manager for entering policies, a policy decision point or server that retrieves policies and makes decisions on behalf of policy enforcement points (e.g., routers and switches), and policy repositories, Lightweight Directory Access Protocol (LDAP)-compliant directories that store the policy information. Policy enforcement points define the points in the networks where policies are enforced, and include flow classification. �Closed loop� policy management includes configuration of edge devices, enforcement of policies in the network, and verification of performance as seen by the end user application. Enforcement of policies in the network also includes admission controls of applications vying for access to network resources. Policy management can go some way towards simplifying the configuration management environment inside enterprises, minimizing opportunities for human error. Policy-based configuration management operates on the basis of ports, users (including mobile users) and applications, using LDAP to extract policy information from directories, and the COPS (Common Open Policy Service) protocol and CLI to communicate with network switches.

Every user has to go through Secure Access Management providing authentication and authorization for employees, partners, customers, and operational staff. Secure access management is the fifth element of the enterprise security architecture. Several methods can be used to authenticate a user. Techniques include: passwords, biometric techniques, smart cards, and certificates. Password-based authentication must use strong passwords that are at least eight characters in length with at least one alphabetic, one numeric and one special character. Password authentication alone may be insufficient. Based on a vulnerability assessment, it may be necessary to combine password authentication with other authentication and authorization process such as certificates, Remote Authentication Dial-in User Service (RADIUS), Kerberos, and Public Key Infrastructure (PKI).

The sixth major element is Network Management Security. On the one hand, network management is like other data applications, running on servers and workstations, complemented by application security, and taking advantage of functionality of the network and network-assisted layers. Network operators (who may be working from a remote site or from home) are specialized users who also need to be authenticated and authorized for resource access via the secure access management layer. Encryption technology based on IPSec or SSL should be used to protect traffic, in particular when SNMPv3 is not used. Authorization for network operators should support multiple levels of control mechanisms. On the other hand, network management is unique among applications in that network devices are intrinsic to the application: configuration data is activated by these devices and operational data generated by them.

These six architectural elements come together to provide the security options required to build secure internal and Internet data centers, campus and remote office networks, and remote access configurations. They apply to all forms of traffic (data, multimedia streaming and IP telephony) and to clients and servers. Putting security in the DNA of the enterprise IT infrastructure is as important as instilling the security policy in every employee of the enterprise.

Tony Rybczynski is director of strategic enterprise technologies for Nortel Networks with 30 years experience in networking. For more information, visit the company�s Web site at www.nortelnetworks.com.

[ Return To The April 2003 Table Of Contents ]



Today @ TMC
Upcoming Events
ITEXPO West 2012
October 2- 5, 2012
The Austin Convention Center
Austin, Texas
MSPWorld
The World's Premier Managed Services and Cloud Computing Event
Click for Dates and Locations
Mobility Tech Conference & Expo
October 3- 5, 2012
The Austin Convention Center
Austin, Texas
Cloud Communications Summit
October 3- 5, 2012
The Austin Convention Center
Austin, Texas