May 31, 2006
True network security not obtainable

Ajay Kumar

NEW DELHI -- Today, network and security managers are being asked to expand the boundaries of the enterprise to the riskiest end-points on the Internet (airport kiosks, wireless hot spots, employee-owned PCs, and PDAs). Not only are they being asked to do this for employees, they are also extending access to business partners and customers.

As a result, companies have been pouring billions of dollars into securing their network infrastructures. And yet, today, the attacks on our networks are more vicious and powerful than ever. The reality is that networks are inherently difficult and expensive to secure, and in the end they become an operational liability for network and security managers who need complete control over who gets access to critical data and from what devices. What’s more, the worst attacks on our networks actually come from inside a corporation’s walls, not from the outside.

Re-evaluating investment priorities

True network security, while a priority for nearly every CIO and CSO today, is not obtainable. This doesn’t mean that one should stop investing in network security, but one should re-evaluate the investment priorities. Rather than building up private infrastructure, focus on reducing the complexity of the network and further leveraging the increasing availability and cost-efficiencies of public infrastructure. Organizations should focus their security efforts on securing communications between users and applications rather than on securing their own private network.

A vital first step is to treat all users the same. No matter where they are, and whether their end device is managed or unmanaged, assume every connection is “dirty.”

The inverted network

This concept of treating all users the same, internal and external, and treating all end points as dirty is called the inverted network, which describes the shift in the network perimeter. While the perimeter for coarse-grained network protection doesn’t disappear completely, a new perimeter is formed further inward around the back office systems.

With the inverted network, you end up with three levels of your network:

  • Public infrastructure level, which is untrusted;
  • Private infrastructure level, which is semi-trusted;
  • Application level, which is a fully-trusted zone around the data center.

Today, there are only two of these layers. This model suggests moving the trusted level further back to a much smaller set of networking resources and network systems, and building a new boundary protecting the fully-trusted systems. In fact, the corporate network is not “trusted,” as network companies would have you believe while you invest in securing this level. It is, in fact, only “semi-trusted.”

A semi-trusted environment is such because it has inherent vulnerabilities and therefore cannot be fully trusted. It is somewhat trusted, since it is private infrastructure, the enterprise owns it, and it probably requires some level of authentication to gain access. However, it remains vulnerable to attack and exposure.

Networking companies would surely disagree with this stance, as they believe you can maintain a large trusted layer and want you to make your networks intelligent and secure and retrofit them with switches, routers, firewalls, and other equipment.

In treating all connections the same, you just need to know three things:

  • Prove to me that ‘the user is who he is’;
  • Know what is happening at his end to make a policy decision;
  • Know what applications the user is seeking.

As long as you know these three things, you can manage all network communications.

Whether inside or outside the corporate LAN, every user should be authenticated; the end point system should be interrogated to determine the identity, security and state of the user’s end device; policy should be provisioned based on that information; and access to resources should then be granted accordingly.
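The three questions above, turned into a policy decision, as an added example that is not part of the original article or of any vendor product. Source network is carried only for the audit record and is deliberately not a policy input, so a connection from the corporate LAN and one from a hotel wireless network are judged by the same rules; all users, groups, applications and posture tiers are constructed for illustration.

```python
from dataclasses import dataclass
from typing import FrozenSet, NamedTuple

# Constructed end-point posture tiers, weakest to strongest.
POSTURE_RANK = {"unhealthy": 0, "unmanaged_clean": 1, "managed_healthy": 2}

# Constructed per-application rules: who may use it and the minimum posture.
APP_POLICY = {
    "webmail": {"groups": {"staff"}, "min_posture": "unmanaged_clean"},
    "crm":     {"groups": {"sales", "finance"}, "min_posture": "unmanaged_clean"},
    "erp":     {"groups": {"finance"}, "min_posture": "managed_healthy"},
}

@dataclass(frozen=True)
class Request:
    user: str
    authenticated: bool      # 1. identity proven (e.g. by the access gateway)
    groups: FrozenSet[str]
    managed: bool            # 2. results of interrogating the end point
    av_current: bool
    patched: bool
    app: str                 # 3. which application the user is seeking
    source_network: str      # recorded for audit only; never a policy input

class Decision(NamedTuple):
    allow: bool
    reason: str              # human-readable line for the audit log

def posture(req: Request) -> str:
    """Collapse end-point checks into one tier; an unmanaged device is at best 'clean'."""
    if not (req.av_current and req.patched):
        return "unhealthy"
    return "managed_healthy" if req.managed else "unmanaged_clean"

def decide(req: Request) -> Decision:
    """Same rules for every connection: identity, then application, then posture."""
    if not req.authenticated:
        return Decision(False, "identity not proven")
    rule = APP_POLICY.get(req.app)
    if rule is None:
        return Decision(False, f"unknown application {req.app!r}")
    if not (req.groups & rule["groups"]):
        return Decision(False, f"{req.user} not entitled to {req.app}")
    tier = posture(req)
    if POSTURE_RANK[tier] < POSTURE_RANK[rule["min_posture"]]:
        return Decision(False, f"end point posture {tier} below {rule['min_posture']}")
    return Decision(True, f"{req.user} -> {req.app} ({tier}, via {req.source_network})")
```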

SSL VPN: Handling secure communications

Today, all of this is done with remote access solutions based on the SSL protocol. SSL VPNs have become a standard platform for managing and securing remote access. That platform is continuing to vastly expand to cover sophisticated end point control, policy management, auditing and monitoring capability and importantly, ease-of-use and administration. SSL VPN vendors are aggressively adding capability, speed and ease-of-use that will make this the platform to handle all of your network’s secure communications.

With this view of secure communications, the word “remote” goes away, and the SSL VPN handles all secure access to applications, sitting at the edge of your data center.

Many companies are already taking advantage of an SSL VPN for all access, internal and external.

Is it time to add more complexity at the network layer and in network infrastructure? Or should you try to create an environment that is easier to manage and maintain?

Network companies would vote for complexity, and want you to invest in more complex networking gear toward this unobtainable goal of network security. But solving the security problem at the network layer is too costly and too complex. Every network manager knows that the more complex a network, the more difficult it is to manage and maintain.

Most CSOs and CIOs say their number one problem is operational management of the network and security configurations. The vast majority of network outages are self-inflicted, due to the complexity and dependencies of the networking and security layers. Allow your IT teams to concentrate on keeping the network running by keeping it simple.

(The author is country manager, India, Aventail)