April 2003
Making Business Realities Work For You
Part IV: Putting Security Into The DNA Of The Enterprise Network
BY TONY RYBCZYNSKI
Business Reality: There's a dark side to the Internet.
As our economy becomes inescapably entwined with the Internet, businesses
are facing the dark side of online commerce and of extending the enterprise
over the Internet. The greater the reach of the network, the greater its
vulnerability to external threats. The Internet was designed for sharing
information, not for protecting it. That means the typical
Internet-connected enterprise network also potentially reaches hackers,
cyber-thieves, and others who would accidentally or maliciously wreak havoc
on the private network.
Consider the damages from recent viruses, such as SirCam (2.5 million
computers affected, $460 million in clean-up cost, $757 million in lost
productivity) or Code Red (1 million computers affected, $1.1 billion in
clean-up cost, $1.5 billion in lost productivity). Meanwhile, the FBI says
that the majority of financial loss is perpetrated internally. No wonder IT
executives are putting security and disaster recovery at the top of their
investment priorities.
What would happen if your company's patents, financial records, customer
lists, or employee files got into the wrong hands? What would happen if
credit card numbers were lifted from your online store? ... if the media
snooped on privileged executive communications? ... if competitors used
knowledge of your negotiations to undercut you?
Financial, insurance, and healthcare institutions, among others, also face
stringent Federal requirements to protect data privacy and integrity;
failure to comply can result in criminal prosecution, fines, and prison
terms.
Every business has an obligation to protect network integrity and data
confidentiality -- for its own sake as well as for customers and business
partners. Security is not optional -- it must be part of the very DNA of the
network.
Technology Response: Make security an intrinsic part of
network DNA.
How do you simultaneously share and protect the same resources? While
encouraging electronic transactions and appropriate networking of enterprise
information, enterprises also require new safeguards to protect the security
and confidentiality of that information. That duality is hard for some IT
executives to take, especially since businesses are so diverse, widespread,
and handle massive volumes of data.
Security is not a "one size fits all" situation. At one end of the spectrum,
the "Closed Enterprise" uses logical (e.g., frame relay) or physical private
lines between sites. Web presence is achieved through an Internet data
center provided by a service provider (who is responsible for establishing a
secure environment). Conventional dial access is provided for remote
employees (e.g., working from a hotel). The company uses private e-mail
among employees with no external access.
At the other end of the spectrum, the "Open Enterprise" fully leverages the
Internet by allowing partners, suppliers, and customers to have access to
internal resources (e.g., as part of a supply chain management system).
Employees can also have access from home, remote offices, or other networks
using wired, wireless LAN, or mobile devices. In this case, security needs
to be addressed across the enterprise to control employee, partner, and even
customer access to enterprise databases and applications. The diversity of
supported services and access mechanisms translates into multiple paths into
the enterprise network. This diversity increases the level of threats and
security risks to the enterprise. Open Enterprises are susceptible to
application layer threats, network layer threats, unauthorized access, and
eavesdropping. The networking infrastructure of switches and routers and
network management systems in these enterprises are all targets.
Security is also a major concern for the Closed Enterprise, not just from
disgruntled internal users, but also because there are a number of
exposures, primarily on three fronts. Physical security is an obvious area.
The second is that, even if Internet access is not supported, employees can
take their laptops home and use them for Internet surfing, thus exposing
them to various forms of security breaches. The third exposure area is
associated with the introduction of wireless LANs. Perhaps the highest risk
comes from the false sense of security that the closed enterprise is immune
to external risks.
The starting point for all types of enterprises is the development of an
enterprise security policy. Although a network security policy will vary
from enterprise to enterprise, there are common guidelines that apply to
nearly all business practices to reduce risk and protect valuable asset
information and resources. The policy covers voice and data communications,
as well as end users and operations staff. There should be clear
responsibility for security across the enterprise. Clear separation of
administrative duties and responsibilities needs to be established. Some
enterprises have established a Chief Security Officer. Critical resources
that need to be protected need to be identified and the impact of loss or
corruption evaluated. Survivability criteria need to be established. Which
users or user groups have access to which network and application resources
needs to be defined. The access per user should be limited to the absolute
minimum privileges that are needed for the task. Finally, a strategy for
auditing all security-related activities needs to be developed.
A Unified Security Architecture For The Enterprise
Variable depth security (security everywhere to the depth required by the
resource being protected) is a basic principle in securing the enterprise.
This is complementary to what is generally called perimeter security, and
serves to protect critical resources as the enterprise opens up its
environment to partners and customers. Variable depth security drives the
development of a layered security architecture across network,
network-assisted and application security layers. The enterprise can choose
which functions within these layers are required to meet its needs.
Network security operates at OSI Layers 1-3, and includes
techniques that physically or logically partition network devices. This
includes the use of wavelengths, virtual LANs (VLANs), static firewalls, and
IP VPN tunneling. Wavelengths provide isolation required for Storage Area
Networks (SANs). VLANs effectively segregate areas of the same network, for
example, demilitarized zones from internal enterprise servers. An important
new capability is the introduction of the Extensible Authentication Protocol
(EAP). EAP not only controls Layer 2 port connectivity, but also can be used
along with secure access management to customize the security (and QoS)
profiles of the port for a particular authenticated user. Static firewalls
provide packet filtering based on MAC or IP source or destination addresses,
or port or protocol ID.
The network security layer also protects data and voice in transit between
endpoints in several ways. Virtual private networks (VPNs) use "tunnels" --
secure channels created with encapsulation or encryption -- to securely send
data between networks or nodes, even across the public Internet.
Unfortunately, bolting IP VPN capabilities onto legacy routers brings its
own brand of performance penalty. Specialized devices, called Secure IP
Services Gateways, have been developed to address this. These appliances
offer high-speed VPN services (encryption/authentication), IPSec security
features, stateful firewalling, and secure dynamic routing over secure
tunnels, all in a tightly integrated and fully managed platform. SSL (Secure
Sockets Layer) VPNs operate at the session level, are good for Web
applications, extranets and limited application access, and don't require
any special client software. However, SSL VPNs open up a large security hole
when used from uncontrolled PCs (e.g., kiosks). In contrast, IPSec VPNs
operate at the network layer, are application agnostic, and require a PC
client. Most importantly, IPSec VPNs provide the enterprise with complete
control over its security environment.
Network-assisted security delivers security services that
generally operate at OSI Layers 4-7. Stateful packet inspection techniques,
active intrusion detection, anti-virus scanning, URL and content filtering
techniques can all be used to further enhance network security. Stateful
firewalls are more intelligent and efficient than static firewalls, as they
not only inspect every packet but also protect against out-of-sequence
packets and spoofed TCP connections by maintaining the state information of
every connection. Intrusion detection systems (IDSs) enable network
administrators to monitor traffic patterns and protocols and be alerted of
suspicious activity. Through proactive monitoring, an organization can
thwart external attacks and other threats to protected information.
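The difference between the static filter described earlier (matching only on addresses, ports and protocol) and the stateful firewall described here (tracking every connection's state) can be shown in a few lines. The following is an added, simplified simulation, not code from the article or from Nortel; the packet model, rule set and addresses are constructed for illustration.

```python
from dataclasses import dataclass

@dataclass
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    proto: str
    flags: str   # "SYN", "ACK" or "PSH" in this simplified model
    seq: int
    length: int  # payload bytes

# Static rule set: address/port/protocol only, with no memory of earlier
# packets. Constructed addresses (documentation ranges), not from the article.
STATIC_RULES = [
    {"dst": "10.0.0.5", "dport": 80, "proto": "tcp", "action": "allow"},  # DMZ web server
    {"action": "deny"},                                                   # default deny
]

def static_filter(pkt: Packet) -> str:
    """Return the action of the first rule whose fields all match the packet."""
    for rule in STATIC_RULES:
        if all(getattr(pkt, k) == v for k, v in rule.items() if k != "action"):
            return rule["action"]
    return "deny"

class StatefulFirewall:
    """Admits only segments of connections that were opened through the
    firewall and whose sequence number is the one expected next."""
    def __init__(self):
        self.expected = {}  # (src, sport, dst, dport) -> next expected seq

    def filter(self, pkt: Packet) -> str:
        key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
        if pkt.flags == "SYN":
            if static_filter(pkt) != "allow":
                return "deny"
            self.expected[key] = pkt.seq + 1  # SYN consumes one sequence number
            return "allow"
        if key not in self.expected:
            return "deny"  # no handshake seen: spoofed or injected segment
        if pkt.seq != self.expected[key]:
            return "deny"  # out-of-sequence (replayed or injected) segment
        self.expected[key] = pkt.seq + pkt.length
        return "allow"

def demo() -> list:
    """Run four constructed packets through both filters; returns (static, stateful) pairs."""
    fw = StatefulFirewall()
    syn = Packet("192.0.2.10", "10.0.0.5", 40000, 80, "tcp", "SYN", 1000, 0)
    data = Packet("192.0.2.10", "10.0.0.5", 40000, 80, "tcp", "PSH", 1001, 100)
    replay = Packet("192.0.2.10", "10.0.0.5", 40000, 80, "tcp", "PSH", 1001, 100)
    spoof = Packet("198.51.100.7", "10.0.0.5", 50000, 80, "tcp", "ACK", 7, 10)
    return [(static_filter(p), fw.filter(p)) for p in (syn, data, replay, spoof)]
```

The static filter passes the replayed and the handshake-less segments because they match the port-80 rule; the stateful firewall rejects both.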
Application security is functionality that can be built into
the design of applications. However, the layered approach opens up the
opportunity to use the network-assisted security layer to offer security
functionality across multiple applications, while in many cases improving
their performance. For example, SSL, when used extensively to secure
transactions, can result in a major performance hit on servers. Leveraging
the network-assisted security layer through SSL acceleration can improve
server utilization by orders of magnitude.
Hardening the operating system (OS) is a key element of securing
information systems within the application security layer. A typical
enterprise may use multiple OSs for various applications, including network
management. Some IP telephony systems use the same or hardened versions of
these operating systems, while others are based on a real-time OS kernel and
specialized software.
These three security layers operate under the fourth major element of the
security architecture: a Closed Loop Policy Management system,
providing configuration, monitoring, and auditing of the network and
applications. Policy management is the linkage between the enterprise
security policy and the IT infrastructure. A complete policy management
solution includes a policy manager for entering policies, a policy decision
point or server that retrieves policies and makes decisions on behalf of
policy enforcement points (e.g., routers and switches), and policy
repositories, Lightweight Directory Access Protocol (LDAP)-compliant
directories that store the policy information. Policy enforcement points
define the points in the networks where policies are enforced, and include
flow classification. "Closed loop" policy management includes configuration
of edge devices, enforcement of policies in the network, and verification of
performance as seen by the end user application. Enforcement of policies in
the network also includes admission controls of applications vying for
access to network resources. Policy management can go some way towards
simplifying the configuration management environment inside enterprises,
minimizing opportunities for human error. Policy-based configuration
management operates on the basis of ports, users (including mobile users)
and applications, using LDAP to extract policy information from directories,
and the COPS (Common Open Policy Service) protocol and CLI to communicate
with network switches.
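The policy manager / decision point / enforcement point / repository model described above, together with the least-privilege and auditing requirements from the security policy section, can be sketched as a small in-memory system. This is an added example, not Nortel's code or the article's own: the repository is a dictionary standing in for the LDAP directory, the switch port and application are the enforcement points, and all users, groups and resources are constructed.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class PortProfile:
    authorized: bool
    vlan: int = 0
    qos: str = "none"

# Constructed policy repository standing in for the LDAP directory in the
# article; each group gets a port profile and an explicit resource list.
POLICY_REPOSITORY = {
    "employees": {"vlan": 10, "qos": "best-effort", "resources": {"intranet", "email"}},
    "partners":  {"vlan": 30, "qos": "best-effort", "resources": {"supply-chain"}},
    "operators": {"vlan": 99, "qos": "assured",     "resources": {"nms", "switch-cli"}},
}
GROUP_OF = {"alice": "employees", "bob": "partners", "nora": "operators"}

class PolicyDecisionPoint:
    """Retrieves group policy from the repository and answers enforcement
    points; every answer is recorded for auditing. A user without a policy
    gets nothing (default deny, i.e. least privilege)."""
    def __init__(self, repository, groups):
        self.repository, self.groups, self.audit = repository, groups, []

    def _policy(self, user):
        return self.repository.get(self.groups.get(user))

    def port_profile(self, user: str) -> PortProfile:
        """Asked by a switch port (PEP) once EAP has authenticated the user."""
        p = self._policy(user)
        profile = PortProfile(True, p["vlan"], p["qos"]) if p else PortProfile(False)
        self.audit.append(("port", user, profile.authorized))
        return profile

    def authorize(self, user: str, resource: str) -> bool:
        """Asked by an application-level PEP before it serves a resource."""
        p = self._policy(user)
        allowed = bool(p) and resource in p["resources"]
        self.audit.append(("resource", user, resource, allowed))
        return allowed

def demo() -> dict:
    """Exercise the PDP with constructed requests from two enforcement points."""
    pdp = PolicyDecisionPoint(POLICY_REPOSITORY, GROUP_OF)
    return {
        "alice_port": pdp.port_profile("alice"),
        "guest_port": pdp.port_profile("guest"),    # not in any directory group
        "bob_supply": pdp.authorize("bob", "supply-chain"),
        "bob_nms": pdp.authorize("bob", "nms"),     # partner asking for management
        "audit_entries": len(pdp.audit),
    }
```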
Every user has to go through Secure Access Management providing
authentication and authorization for employees, partners, customers, and
operational staff. Secure access management is the fifth element of the
enterprise security architecture. Several methods can be used to
authenticate a user. Techniques include: passwords, biometric techniques,
smart cards, and certificates. Password-based authentication must use strong
passwords that are at least eight characters in length with at least one
alphabetic, one numeric and one special character. Password authentication
alone may be insufficient. Based on a vulnerability assessment, it may be
necessary to combine password authentication with other authentication and
authorization processes such as certificates, Remote Authentication Dial-in
User Service (RADIUS), Kerberos, and Public Key Infrastructure (PKI).
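The password rule above and the idea of requiring additional authentication methods based on a vulnerability assessment can both be made checkable. This is an added example, not code from the article or from Nortel; the resource ratings and the methods required per rating are constructed assumptions.

```python
import re

def password_violations(pw: str) -> list:
    """Check the article's rule: at least eight characters with at least one
    alphabetic, one numeric and one special character. Returns the list of
    violated clauses; an empty list means the password meets the policy."""
    checks = [
        (len(pw) >= 8, "shorter than 8 characters"),
        (re.search(r"[A-Za-z]", pw) is not None, "no alphabetic character"),
        (re.search(r"[0-9]", pw) is not None, "no numeric character"),
        (re.search(r"[^A-Za-z0-9]", pw) is not None, "no special character"),
    ]
    return [msg for ok, msg in checks if not ok]

# Constructed mapping from a resource's vulnerability-assessment rating to
# the authentication evidence a session must hold before it is authorized.
REQUIRED_METHODS = {
    "low":    {"password"},
    "medium": {"password", "kerberos-ticket"},
    "high":   {"password", "certificate"},
}

def authorization_gap(resource_rating: str, presented: set) -> set:
    """Methods still missing for the rated resource (empty set = authorized)."""
    return REQUIRED_METHODS[resource_rating] - presented

def can_authorize(resource_rating: str, presented: set) -> bool:
    return not authorization_gap(resource_rating, presented)
```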
The sixth major element is Network Management Security. On
the one hand, network management is like other data applications, running on
servers and workstations, complemented by application security, and taking
advantage of functionality of the network and network-assisted layers.
Network operators (who may be working from a remote site or from home) are
specialized users who also need to be authenticated and authorized for
resource access via the secure access management layer. Encryption
technology based on IPSec or SSL should be used to protect traffic, in
particular when SNMPv3 is not used. Authorization for network operators
should support multiple levels of control mechanisms. On the other hand,
network management is unique among applications in that network devices are
intrinsic to the application: configuration data is activated by these
devices and operational data generated by them.
These six architectural elements come together to provide the security
options required to build secure internal and Internet data centers, campus
and remote office networks, and remote access configurations. They apply to
all forms of traffic (data, multimedia streaming and IP telephony) and to
clients and servers. Putting security in the DNA of the enterprise IT
infrastructure is as important as instilling the security policy in every
employee of the enterprise.
Tony Rybczynski is director of strategic enterprise technologies for
Nortel Networks with 30 years' experience in networking. For more
information, visit the company's Web site at
www.nortelnetworks.com.