According to a study by the research firm IDC on endpoint security management, approximately 60 percent of serious security threats come from internal sources that have been given access to an organisation’s network resources. This can include anyone from employees based on site to remote workers, consultants, business partners and customers who are now being allowed remote access to networks and web servers.
Many FM companies typify this ‘opening up’ of the traditional IT network perimeters, collaborating with and granting access to their networks and web servers to multiple suppliers and partners.
This trend, known as ‘de-perimeterisation’, is forcing many organisations to re-think their security strategy, and many are considering moving to the IT security model represented by Policy-based Networking (PN). PN typically consists of a suite of complementary solutions interoperating with existing network systems to enforce rules and policies that govern who and what can be admitted to the network, and what resources and information they can be allowed to access once they are inside.
The starting point for PN is controlling network admission via a device or software called a Network Admission Controller (NAC). When a user wants to access the network, whether they are logging on remotely or from the office, using wireless or wired access, the NAC verifies their identity by querying the organisation’s authentication servers (such as RADIUS, LDAP or RSA). The system checks the user directory on the authentication server to determine the rules and policies relating to that user’s access to the network. It may have been specified, for example, that he or she may be granted access only during certain hours or from certain locations. Organisations might want to establish these sorts of policies to give a partner daily access to specific information on the network, or to stop people from logging on to the network from Internet cafés or other third-party locations.
One of the major challenges that IT security specialists are grappling with is that even trusted users, whose identity has been verified, can inadvertently infect other devices with viruses, worms, spyware and other threats. This could be because they have not kept the security software on their desktop or laptop up to date, or because there is a security flaw on their system which has not been picked up. For this reason, the NAC system also scans each user’s device for proper versions of anti-virus, anti-spyware or personal firewall software, as well as correct operating system patches. Access is only allowed to those that comply with established security software policies.
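As an added illustration (not code from the article or from AEP’s products), the admission decision described in the two paragraphs above written out in Python: the user’s identity-bound rules (permitted hours and locations) are checked first, then the device’s posture, and a verified user on a non-compliant device is quarantined rather than admitted. All policy names, thresholds and sample values are constructed for the example.

```python
from collections import namedtuple
from datetime import time

# Hypothetical NAC admission check modelled on the flow described above:
# identity-bound rules (permitted hours and locations) followed by a device
# posture scan. Every name, threshold and sample value is constructed.

MIN_AV_VERSION = (7, 0)   # minimum acceptable anti-virus engine version
MIN_PATCH_LEVEL = 42      # minimum acceptable OS patch level

# allowed_hours: (start, end) as datetime.time; allowed_locations: set of tags
UserPolicy = namedtuple("UserPolicy", "allowed_hours allowed_locations")
# av_version as a tuple, patch_level as an int, firewall_on as a bool
Posture = namedtuple("Posture", "av_version patch_level firewall_on")

def posture_issues(p: Posture) -> list:
    """List every way the device falls short of the security software policy."""
    checks = [
        (p.av_version >= MIN_AV_VERSION, "anti-virus out of date"),
        (p.patch_level >= MIN_PATCH_LEVEL, "missing OS patches"),
        (p.firewall_on, "personal firewall disabled"),
    ]
    return [msg for ok, msg in checks if not ok]

def admit(policy: UserPolicy, location: str, now: time, posture: Posture):
    """Return (decision, reason); decision is 'allow', 'deny' or 'quarantine'."""
    start, end = policy.allowed_hours
    if not start <= now <= end:
        return "deny", "outside permitted hours"
    if location not in policy.allowed_locations:
        return "deny", f"location '{location}' not permitted"
    issues = posture_issues(posture)
    if issues:
        # Identity checks passed but the device is non-compliant: isolate it
        # for remediation rather than admit it or turn the user away outright.
        return "quarantine", "; ".join(issues)
    return "allow", "identity, policy and posture checks passed"

def demo() -> dict:
    """Constructed sample: a partner account allowed 08:00-18:00 from office or VPN."""
    partner = UserPolicy((time(8, 0), time(18, 0)), {"office", "vpn"})
    healthy = Posture((7, 2), 45, True)
    stale = Posture((6, 9), 40, False)
    return {
        "office_daytime": admit(partner, "office", time(10, 0), healthy),
        "office_night": admit(partner, "office", time(22, 0), healthy),
        "internet_cafe": admit(partner, "public", time(10, 0), healthy),
        "vpn_stale_device": admit(partner, "vpn", time(10, 0), stale),
    }
```

The quarantine outcome carries every failed posture check so the remediation network can tell the user exactly what to fix before re-admission.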
Critical protection
The next component of PN is an Identity Enforcement appliance (ID) which helps control data traffic flowing within the network. This ensures that access to servers containing critical business and financial information, customer details or employee records, is restricted only to those employees, suppliers and partners who need these resources, based on the organisation’s agreed policies.
Anyone not conforming to policy is denied even visibility of restricted components and information, with the ID concealing their locations and eliminating potential risks. If it detects offending behaviour, the system can place a user into ‘quarantine’; in other words, the user’s machine is effectively isolated from the network while the system and network administrators decide what to do next. Alternatively, the ID could shut down the port which was giving the ‘suspect’ user access to the network.
While organisations once focused primarily on encrypting data crossing the traditional boundary of the network perimeter (ie going in or out of the network), the ID delivers an additional layer of security by encrypting sensitive traffic moving within the network. This helps to ensure that neither legitimate users nor intruders can eavesdrop on confidential data streams, an aspect that is becoming very significant because of the way organisations are opening up their networks to partners and suppliers.
Web-based systems
With many organisations turning to web based systems to deliver computer applications and information to their employees, partners and customers via the Internet or on intranets, the final component of an all-inclusive PN security strategy is an Application Protection (AP) appliance. This works to protect web-based systems which can become exposed to vulnerabilities — even if it is unknowingly from authorised users.
The AP, which has properties similar to traditional firewall software, authenticates every internal user seeking access to critical web servers, which might hold financial or customer data, for example. It deters any irregular activity, preventing a wide array of web attacks, including denial of service attacks, which attempt to make web resources unavailable to intended users; buffer overflow attacks, which force applications to crash or produce errors; and forced browsing, which is a way of editing URLs in order to access information via a web browser.
The AP scrutinizes the content of the traffic to and from the web servers, including headers, fields and data. If it detects an attack or questionable activity, it can block access or place suspect devices into quarantine.
While the tendency to open up the IT infrastructure to partners, suppliers and customers improves efficiency and enhances business processes, the flip-side is that it puts even greater pressure on the IT department to prevent unauthorised access, keep information protected from prying eyes and avoid malicious attacks. By facilitating access to the network but tying it closely to user and device identity, and tying that identity to policy, a security strategy based on a comprehensive PN solution helps organisations to find a balance between the business benefits of making their systems more open and the necessity of maintaining an effective level of security.
Reginald P Best is EVP/GM Application Security Business at AEP (info@aepnetworks.com) www.aepnetworks.com.