Network professionals are faced with a constant barrage of attacks of increasing complexity and cost, as well as mounting regulatory pressures. It's clear that traditional perimeter strategies alone are no longer effective for today's highly interconnected enterprises.
Organisations are trying to solve the problem with the tools at hand. And while perimeter security strategies have reduced some of the risks, they were never designed to secure more complex internal corporate networks. With the continuing increase of security breaches, it's not surprising that organisations are exploring alternatives for controlling users and protecting their internal networks.
The current multilayer approach, which combines firewalls, intrusion-detection systems (IDS), deep packet inspection, access controls, antivirus software and rigorous patching practices, can be costly and complex. It also lacks one element of control that has proved successful in physical security - an 'identity badge' attached at entry with security clearance to specified areas. This control is different from flashing your ID only once when entering the building, as you do with one-time authentication, passwords and tokens.
In today's highly regulated environment, you must know, and must be able to prove, who is on your network and what they're doing. The following suggestions help enforce effective access control and improve security around critical assets:
1. Internal security is different from perimeter security
Perimeter security defends your networks from HTTP and SMTP attackers. Internal networks are faster, more varied and complex. Plus, the access an insider has to your network outweighs the access a sophisticated hacker gains with scripts. Even if you trust everyone on your internal network, the risk remains since most vulnerabilities result from carelessness rather than intentional misuse.
The trick to security is layering the right defence at the right level based on the type of attack you are likely to see. Deploy broad hacker defences such as firewalls and IDSs at the perimeter where you can tune them to look for and block reconnaissance activity. At this layer, identification by IP address is enough. Then use tokens with your perimeter firewalls to authenticate known users before they enter your internal corporate network.
2. Defend your critical resources
Have you ranked your critical internal systems in order of importance? Which applications or servers hold data that should be available only to specific employees? Is there an asset on the inside so important that you've considered requiring additional authentication to access it? Or have you considered surrounding it with firewalls or IDSs? Prioritise by answering these questions, but remember that these devices operate on IP addresses, which can be spoofed, hijacked or stolen.
On a large network, it's not realistic to expect that every host can be locked down and patched. Perform a cost-benefit analysis associated with various solution options. Classify new assets based on their value to the business, as well as the financial impact of downtime. It might take a month to locate, catalogue, classify and assess the vulnerabilities for every Web server on the network, but it's time well spent.
Once you have your prioritised list, evaluate what is least protected and address those first. For example, Web servers in the demilitarised zone are a more immediate concern than those protected by more layers of security and therefore less accessible. Finally, identify any Web servers that have a high asset value but can't be patched because of compatibility or other issues. These servers must be moved to a trusted area of your internal network with advanced barriers between them and the rest of the world (i.e. virtual perimeters).
3. Shut off unused network services
Although obvious, this continues to be a source of vulnerability. Systems and software have a variety of open ports and services for easy implementation and use. Remote access services are commonly turned on by default for both Windows and Unix systems. Unprotected file shares and remote procedure calls are just two examples that provide a variety of attack possibilities.
Audit your servers and hosts frequently to check for these services and lock them down when they shouldn't be running. Remember that blocking these common services at the firewall protects them only from outside access; you should still be concerned about travelling laptops and attacks from the inside. To help identify the various remote access services, consult a resource such as the SANS Institute's Web site or the operating system vendor's.
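As an added illustration of the audit step above (not code from the article), the following Python parses a constructed excerpt of `ss -tlnp` output and reports listeners that fall outside a hypothetical per-role baseline, separating loopback-only services from ones reachable over the network.

```python
"""Audit listening services against a per-role baseline.

Added example, not from the article. Input is a constructed excerpt in the
style of `ss -tlnp` output; the role baselines are hypothetical.
"""
import re

# Hypothetical approved (protocol, port) baseline for each host role.
BASELINES = {
    "web": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "file": {("tcp", 22), ("tcp", 445)},
}

# Constructed sample of listening TCP sockets, as `ss -tlnp` prints them.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22        0.0.0.0:*     users:(("sshd",pid=812,fd=3))
LISTEN 0      511    0.0.0.0:80        0.0.0.0:*     users:(("nginx",pid=1203,fd=6))
LISTEN 0      128    0.0.0.0:111       0.0.0.0:*     users:(("rpcbind",pid=640,fd=4))
LISTEN 0      50     0.0.0.0:445       0.0.0.0:*     users:(("smbd",pid=990,fd=12))
LISTEN 0      128    127.0.0.1:631     0.0.0.0:*     users:(("cupsd",pid=701,fd=7))
"""

# State, Recv-Q, Send-Q, bind address:port, peer, then the owning process name.
LINE_RE = re.compile(r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')

def parse_listeners(text):
    """Return (bind_address, port, process) for every LISTEN line."""
    found = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            found.append((m.group(1), int(m.group(2)), m.group(3)))
    return found

def audit(text, role):
    """Return (exposed, local_only): listeners outside the role's baseline.

    Loopback-only listeners are reported separately because they are reachable
    only from the host itself; they still deserve review but rank lower.
    """
    baseline = BASELINES[role]
    exposed, local_only = [], []
    for addr, port, proc in parse_listeners(text):
        if ("tcp", port) in baseline:
            continue
        bucket = local_only if addr.startswith("127.") or addr == "[::1]" else exposed
        bucket.append((port, proc))
    return exposed, local_only
```

Run the same audit against a live `ss -tlnp` capture per host role; anything in the exposed list is either missing from the baseline or should be disabled.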
4. Create virtual perimeters
Since the perimeter has dissolved, build virtual perimeters around business units. Begin by evaluating how your network is used. Instead of setting unrealistic goals such as 'no host should ever be compromised', aim for a goal you can meet: no single host, if compromised, gives an intruder complete access to the network. We know how to build perimeters between the Internet and the internal network. The next step is to establish perimeters between the different business user groups on the network.
5. Identify your users
The next step is to know who your users are and which resources they should access, and then enforce access control policies for internal servers and applications. Your key strength for defending your internal network at this level is that you know who should be there and where they should be. At this layer of protection, an IP address is unacceptable for identification.
Authentication is necessary, but on its own it is effective only once, at log-in. By attaching an 'identification badge' to a user upon entering the network, organisations can monitor usage, restrict access and block unauthorised users.
Advocates of identity-centric computing argue that access problems can be resolved only by organising computing around identity and managing it by identity. This focus has given rise to the widespread identity management movement. Identity management is an effective way to integrate authentication, access control and password administration.
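To make points 4 and 5 concrete, here is an added Python example (not the article's or Trusted Network Technologies' code) of an access decision that consults the session's identity badge and a business-unit perimeter policy rather than the source IP address; the resources, groups and badge layout are hypothetical.

```python
"""Identity-based access decisions for resources inside virtual perimeters.

Added example, not code from the article or from Trusted Network Technologies.
Resources, groups and the badge layout are hypothetical.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical virtual perimeters: each resource belongs to a business unit and
# lists the groups admitted to it. No IP address appears anywhere in the policy.
POLICY = {
    "payroll-db": {"unit": "finance", "groups": {"finance-ops"}},
    "hr-portal": {"unit": "hr", "groups": {"hr-staff", "finance-ops"}},
    "build-server": {"unit": "engineering", "groups": {"developers"}},
}

@dataclass(frozen=True)
class Badge:
    """Identity attached at log-in and carried on every subsequent request."""
    user: str
    groups: frozenset
    expires_at: int  # epoch seconds; forces periodic re-authentication

@dataclass(frozen=True)
class Request:
    resource: str
    badge: Optional[Badge]  # None models traffic that carries only an IP address
    src_ip: str
    now: int

def authorize(req):
    """Return (allowed, reason). The decision never consults req.src_ip."""
    rule = POLICY.get(req.resource)
    if rule is None:
        return False, "unknown resource: default deny"
    if req.badge is None:
        return False, "no identity badge: an IP address is not identification"
    if req.now >= req.badge.expires_at:
        return False, "badge expired: re-authentication required"
    if not req.badge.groups & rule["groups"]:
        return False, f"{req.badge.user} is outside the {rule['unit']} perimeter"
    return True, f"{req.badge.user} admitted to {req.resource}"

def audit_line(req):
    """One log line per decision, so you can prove who did what and from where."""
    allowed, reason = authorize(req)
    who = req.badge.user if req.badge else "unauthenticated"
    verdict = "ALLOW" if allowed else "DENY"
    return f"{verdict} user={who} src={req.src_ip} resource={req.resource} reason={reason}"
```

The source address is logged for the audit trail but never decides the outcome, so a spoofed or hijacked address inside the finance subnet gains nothing without a valid badge.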
Steve Gant is founder and CEO of Trusted Network Technologies, an Atlanta-based developer of identity-based access controls for internal networks. He can be reached at [email protected]