Securing the Converged Enterprise, Part I
The Risk Implications of Unified Networks, Applications and Protocols

I. Convergence Trends

In the context of computer and telecommunications networks, the term “convergence” has historically meant combining voice, data and video on a common network. However, convergence is now gaining several other definitions.

For example, many employees work from home. They share PCs, local networks and Internet access connections with family members, using the same physical circuits to connect to both the public Internet and to their employer’s private intranet. Public and private network traffic is converging on commercial DSL, cable modem and other broadband access lines.

Meanwhile, wired and wireless networks are merging to support consistent application experiences as users roam. This phenomenon is commonly known as fixed-mobile convergence, or FMC, which is in its infancy. Dual-mode smart phones and other devices that support connections to both mobile WANs and wireless LANs are part of the FMC landscape.

Applications that allow single user identities and phone numbers to work across the entire blended wired/wireless infrastructure are now available. Presence capabilities, which combine user location and availability information for managing personal communications, are being introduced to help stitch applications into a seamless experience.

Soon, specialized networks will plug into the corporate network as another form of network convergence. Among these are radio frequency identification (RFID) networks (used for asset tracking and supply chain management), sensor networks (used for remotely monitoring and controlling industrial devices) and Closed Circuit Television (CCTV) video surveillance networks (used for blending physical security with IT resources). These specialized networks will connect to the enterprise’s traditional LAN via IP and Web services, providing enterprise-wide access.

The merging of networks, traffic types, applications and interfaces makes life simpler and more productive for end users. From a cost perspective, the capital and operational expenses required for running one network instead of several isolated “silos” drop significantly.

Merged networks and applications also open up new opportunities for correlating data and events across the organization. This ability improves employee decision-making and enhances customer service in call centers and elsewhere throughout the business.

The ability to correlate network events, specifically security-related events, can actually enhance the ability to protect the converged enterprise network. On the other hand, convergence introduces some new security risks that the IT department must address. Those risks and general advice for mitigation are discussed in this paper, which introduces the following recommendations for securing converged enterprise networks:

• A “defense-in-depth” approach to security, which employs multiple layers of user screening and encryption
• Centralized management of security, which helps deliver improved levels of security and scalability efficiencies
• Integration of security components into network devices, which simplifies the security infrastructure and renders it less likely to fail

II. At Issue: Complexity Increases Risk

Enterprise IT departments must balance the benefits of convergence with associated new security risks. While convergence eases communications and data access tasks for the typical end user, the complexities associated with supporting multiple interfaces, protocols and devices create scalability challenges for IT that can lead to potential vulnerabilities.

Voice, data and video, for example, might traverse any number of access networks as telecommuters, road warriors and extranet partners now use a wide variety of devices and interfaces to connect to back-end resources. A given organization may support hundreds of wired or wireless interfaces to a public WAN, virtual private network (VPN) service, cellular network or the public switched telephone network (PSTN). Collectively, these interfaces represent a large, complex set of network entry points that the IT department must manage and protect. This means that a single firewall that sits at the perimeter of the network between LAN and WAN, while still necessary, may no longer be adequate to secure the entire converged enterprise.

[Figure: Distributed Enterprise Edge Security. This diagram depicts a premises-based security solution: a 3rd-party network and the primary provider IP network connect client and enterprise sites at the edge.]

Premises-Based Solutions
• Major business security investment at edge
• IDS, firewalls, anti-virus, anti-spam deployed by business
• Broad-based network attacks difficult to defend against at individual locations
• Disparate security policies for Internet-connected endpoints
• Difficult to scale

Governance Mandates

Finally, organizations now must comply with the latest corporate and industry governance mandates, such as Sarbanes-Oxley, Gramm-Leach-Bliley (GLB), the Health Insurance Portability and Accountability Act (HIPAA), Basel II and the Payment Card Industry Data Security Standard. These mandates require log-in audit trails and resource-access tracking.

Creating a defense-in-depth network security infrastructure that protects against intrusions at multiple network segments can greatly assist in keeping all sites and interfaces updated and protected, both internally and externally. It can also help ensure compliance with the security components of government mandates.

Software Update Challenges and Vulnerabilities

Organizations have traditionally prioritized the order in which various sites receive security and operating system (OS) patches and upgrades. They base the priority patching on the level of criticality associated with each site. The data center, for example, usually takes top priority.

Software patches are now released very frequently, and the sheer number of sites and interfaces to be updated is also quickly proliferating. An IT staff may not get beyond updating the first few priority locations before returning to the site at the top of the list to apply still newer patches. At some point, a hacker could conduct a distributed attack to find a weak point in the infrastructure, such as a lower-priority site with out-of-date software. A worm or Trojan horse could then be introduced to the network that could impact availability and uptime. Similarly, severely out-of-date firewalls could provide an outsider with access to private files and databases, which the hacker could copy to steal data.

A centralized, automated system for issuing patch updates is very useful in combating this issue and will be discussed in the section “Centralized Security Management.”

Growing Internal Threats

Adding to the complexity of risk mitigation is that internal attacks have also become a growing issue. An increasing number of security attacks come from inside the organization. The Computer Security Institute (CSI)’s 2006 Computer Crime and Security Survey report, for example, revealed that 7 percent of several hundred respondents attributed more than 80% of cyber crime losses in 2005 to insiders [1].

III. Defense in Depth

A defense-in-depth approach to network security creates a network infrastructure that is highly resilient to both internal and external attacks. Building defense-in-depth security entails deploying different forms of security in various places throughout the converged network to mitigate a mix of risks. By setting up multiple checkpoints between a user attempting to gain network access and the intended destination data resource, organizations can accurately verify user access rights. Checkpoints can also be effective at scanning network traffic for malicious code that might disrupt service. The code can then be filtered off the network.

Network junctions where one type of network connects to another, where users must cross from one LAN segment to another, or devices in which user groups and departmental traffic are logically separated can be thought of as network trust boundaries. For defense in depth, user authentication checks and scanning for malicious code should take place at the primary trust boundaries:

• Between public and private network interfaces, using network firewall and intrusion detection/prevention system (IPS) products and services
• Between LAN segments and internal departments, using firewalls and IPSs
• At the “mobile edge” in client devices, with endpoint security software and encryption/VPN software

Protection at these key network junctures establishes a resilient underlying LAN-WAN platform that protects multiple types of application traffic. Traditional convergence, the merging of voice, data and video onto a common infrastructure, opens the door to a single attack being able to potentially affect all these types of application traffic. Reinforcing the base infrastructure has become extremely important.

Centralized Security Management

By centralizing the management of these defense-in-depth security components, an organization can achieve the scale needed to help ensure higher levels of security. Taking a network-centric security approach means creating one central place for setting, maintaining and enforcing a common set of security policies across all network sites. This setup allows businesses to overcome the patch-vulnerability issue discussed in Section I. By pushing software updates out to predetermined network devices simultaneously from a central location, organizations avoid the one-at-a-time update approach that can result in some sites having outdated software and being vulnerable to attack.

The centralized location could be a service provider’s security operations center. In this case, businesses would subscribe to a carrier’s security service. This involves pushing out updates to all sites and devices per individual corporate policy while utilizing the provider’s economies of scale. Depending on the network segment to be protected, such as a LAN or WAN, security appliances may or may not be needed on the customer premises.

Let’s take a look at the basics of securing the various network segments that comprise a defense-in-depth architecture.

[Figure: Network-Based Security. This diagram depicts security built into the network, protecting the business network and applications: VPN, firewall, IDS, anti-virus, etc. in the provider IP network, and firewall, IDS, anti-virus, etc. at the edge between client and enterprise sites and a 3rd-party network.]

Network-Based Solutions
• Service provider security investment in the network
• Security elements deployed by provider across the network
• Broad-based network attacks are defended in the network
• Centralized security policy, administration, alerting and reporting
• Easy to scale
• Efficient, cost-effective, holistic

Securing the WAN

In the WAN, network-based security, often in the form of a service, uses a series of gateways in the service provider’s network that reside between users and data resources. The gateways translate private IP addresses into publicly routable addresses. This system helps ensure that a private device never directly exposes its IP address to the public Internet, PSTN or other shared network. This prevents a hacker from piggybacking onto that address for entry into private network resources or launching another type of attack into the private network. The more gateways that are used, the deeper a hacker will have to penetrate to find the private routable IP address. Using multiple gateways makes it more difficult for the hacker to succeed.

For protecting the privacy of data in transit, encrypted VPNs should be used in cases where traffic traverses the public Internet infrastructure. Encryption scrambles data and authentication information. To protect the privacy of data in transit, encryption can be used to create a private “tunnel” for each customer through the publicly shared Internet. The VPN can be in the form of an IP Security (IPSec) VPN service between fixed corporate sites or a Secure Sockets Layer (SSL) VPN service for remote and mobile users.

Many enterprises using MPLS VPN services elect not to encrypt traffic, because MPLS technology creates virtual circuits that keep the customer’s traffic from intermingling with that of others. However, companies with the highest security requirements, such as financial institutions transmitting customer account data, may elect to encrypt their MPLS traffic as a “belt and suspenders” approach for double security protection. Services are available to encrypt the traffic across the shared MPLS backbone network segment.

Similarly, network-based firewall services protect connections made between two WANs. Capable today of deep packet inspection, today’s firewalls permit and deny access based on user access control lists (ACLs). They can also filter anomalous signatures and protocol behavior as packets travel between networks, serving an IPS function. It is prudent for firewall-based filtering to take place between any two dissimilar networks, particularly between a public Internet service and a VPN (or private network). For example, if a business site or employee’s home office uses a DSL or other commercial Internet access connection to reach its corporate MPLS VPN service, filtering should take place where the access network meets the MPLS network. Another appropriate spot for filtering is between two corporate partner networks that both run Internet-based VPNs, but allow some resource sharing between their networks.

If a services-based approach to network-centric security management is taken, providers may also offer additional scanning services and reports. Such services might scan the public Internet to detect precursors to worms and other events and send notification alerts of pending vulnerabilities. Services may also be customized by examining individual Internet or VPN traffic and potentially detecting a distributed denial-of-service (DDoS) attack aimed at that network. To mitigate risks, some managed VPN services will automatically deploy policies and take action when certain events are detected on the VPN.

Securing the LAN

Given that incidents of internal attacks are growing, security between LAN segments and between LAN application servers (places that represent internal trust boundaries) has become another priority. For example, IPSs focus on filtering anomalous or otherwise suspicious traffic off the LAN at internal trust boundaries. When managed centrally, an operations center would continually send updates with the latest known malicious signatures to IPS appliances that sit between the access network and distribution network (wiring closet).

Securing the VoIP Network

To a large degree, protecting the voice-over-IP (VoIP) network involves the same set of protective services that have long been in place for data network infrastructures. If VoIP (and IP video) are simply new applications being added to the IP network, it is difficult to keep that traffic secure if it is running over a vulnerable infrastructure.

Just as data might be separated into virtual LANs (VLANs) for different user groups, with different resource access rights belonging to different VLANs, voice traffic may be segregated onto its own VLAN. This helps ensure that VoIP devices can only talk to other VoIP equipment and can’t use the VoIP network as a launching pad into the data network. There is also a quality-of-service (QoS) benefit to putting VoIP on its own VLAN, which can be prioritized for low latency.

In some ways, VoIP is simpler to secure than it was in the traditional circuit-switched environment. For example, encryption of voice calls for privacy is possible in the packet-switching environment, where this was not previously available. Most VoIP vendors encrypt in the handsets they sell so that conversations are protected end-to-end.

Guarding against toll fraud, or theft of service, involves the same basic practice as in circuit switching. Here extension transfers to outbound ports are disabled. For off-LAN calls, using multiple gateways between an IP address and the public Internet or PSTN (depending on where a call is terminating) prevents the handset’s private IP address from being exposed as a possible attack point.

Securing Wireless Networks

Wireless LANs, also called 802.11 and Wi-Fi networks, have inherent authentication and encryption for use over the LAN. To help ensure privacy and avoid theft of user credentials in public Wi-Fi hotspots, many organizations rely on IPSec VPNs to encrypt over-the-air data when Wi-Fi client devices are used remotely.

On the corporate campus, there is the possibility that unauthorized or rogue devices might associate to the network. Similarly, a personal wireless client device might erroneously associate to a rogue 802.11 radio. If malicious, it may attempt to grab user credentials (a breach called phishing). Thwarting attempts to steal credentials involves deploying the latest version of 802.11 authentication and encryption standards. Preventing rogue radios from flooding Wi-Fi client devices with bogus disassociation messages, thus overloading the device and causing denial of service, requires Radio Frequency (RF)-specific IPSs. These are often sold as a third-party overlay system or service. They might also be bundled into a basic WLAN system.

Securing Remote and Mobile Endpoints

Endpoint security also plays a key role in mobile networking. It’s important to keep endpoints (or clients) free of viruses and other malware and also in compliance with corporate standard software versions for OSs, security and application software. Taking a centralized, network-centric approach to endpoint security keeps policies and security versions consistent throughout the converged enterprise.

In the event that a device is lost or stolen, encrypting the hard drive of endpoint devices storing mission-critical data will help protect against data theft. Personal firewalls running on the endpoints block hacker intrusions into the device for data theft or for piggybacking onto a corporate network connection.

Application convergence, the blending of mobile and wired networks and the telecommuting phenomenon are creating new requirements for securing endpoint, or client, devices. One requirement is preventing devices from passing infected code to the corporate network. While traveling, a user might unplug from the corporate network, connect to the public Internet and pick up a virus or other malware. Businesses need to guard against the virus impacting the user’s local data, as well as prevent the virus from being transmitted to the corporate network.

IV. Conclusion

The traditional WAN perimeter is still vulnerable and continues to require firewall-based protection. However, security in the converged enterprise no longer represents protecting just one physical network perimeter. Instead, there are now multiple network “edges,” requiring a distributed, defense-in-depth security architecture with WAN gateway services, firewalling, IPS and endpoint security.

The first step for securing a converged network is to make sure the underlying infrastructure is reinforced with these capabilities. A centralized, network-centric approach will provide added layers of protection by automatically handling, deploying and maintaining the latest versions of security system software, OSs and application software. Managed security services can also add another layer of protection by scanning WAN traffic, alerting network customers about detected events and possibly taking automated actions when events are discovered.

Ensuring all sites and interfaces are continually in compliance with security, OS and application software versions shuts down the occasional open network pinhole. This will help prevent distributed attacks that could exploit the point of entry, preventing data theft or the introduction of malware onto the network.

Part II of this paper will examine the various security components and services in greater depth to offer a more detailed understanding of the role of each “layer” of security throughout the enterprise.

References

1. Lawrence A. Gordon and Martin P. Loeb, Computer Security Institute, “2006 CSI/FBI Computer Crime and Security Survey,” page 12, figure 13.
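The voice/data VLAN segregation described under “Securing the VoIP Network” and the internal trust-boundary filtering under “Securing the LAN”, as an added example that is not part of the original paper: a small first-match policy evaluator that contrasts a weak blanket permit with a segregated rule set and audits which sample flows would let a handset cross from the voice VLAN into the data VLAN. The VLAN names, subnets, ports, rule sets and sample flows are all constructed for illustration.

```python
import ipaddress

# Added example, not from the paper. VLAN layout, rules and flows are constructed.
# Handsets sit on the voice VLAN, user PCs on the data VLAN, and the call
# manager plus application servers on the server VLAN.
VLANS = {
    "voice": ipaddress.ip_network("10.10.0.0/24"),
    "data": ipaddress.ip_network("10.20.0.0/24"),
    "servers": ipaddress.ip_network("10.30.0.0/24"),
}

# A rule is (src_vlan, dst_vlan, proto, dst_port, action); "*" is a wildcard.
# Segregated policy: first match wins, anything unmatched is denied. Voice may
# reach only voice peers (RTP media) and the call manager (SIP signalling).
SEGREGATED_RULES = [
    ("voice", "voice", "udp", "*", "allow"),
    ("voice", "servers", "udp", 5060, "allow"),
    ("voice", "servers", "tcp", 5061, "allow"),
    ("data", "servers", "tcp", 443, "allow"),
    ("data", "data", "*", "*", "allow"),
]

# Weak policy (the "before" case): the voice VLAN exists for QoS only, and a
# blanket permit gives a compromised handset a path into the data network.
WEAK_RULES = [
    ("voice", "*", "*", "*", "allow"),
    ("data", "*", "*", "*", "allow"),
]

def vlan_of(ip):
    """Map an address to its VLAN name; anything outside every VLAN is 'unknown'."""
    addr = ipaddress.ip_address(ip)
    for name, net in VLANS.items():
        if addr in net:
            return name
    return "unknown"

def evaluate(rules, src_ip, dst_ip, proto, dst_port):
    """Return 'allow' or 'deny' for one flow under first-match semantics."""
    src, dst = vlan_of(src_ip), vlan_of(dst_ip)
    for r_src, r_dst, r_proto, r_port, action in rules:
        if (r_src in ("*", src) and r_dst in ("*", dst)
                and r_proto in ("*", proto) and r_port in ("*", dst_port)):
            return action
    return "deny"  # implicit default deny at the trust boundary

def voice_to_data_leaks(rules, flows):
    """Audit: flows the policy would let cross from the voice VLAN into the data VLAN."""
    return [f for f in flows
            if vlan_of(f[0]) == "voice" and vlan_of(f[1]) == "data"
            and evaluate(rules, *f) == "allow"]

# Constructed sample flows: handset-to-handset media, SIP to the call manager,
# and a handset reaching a user PC's file-sharing port (the pivot the paper warns about).
SAMPLE_FLOWS = [
    ("10.10.0.5", "10.10.0.9", "udp", 16384),
    ("10.10.0.5", "10.30.0.2", "udp", 5060),
    ("10.10.0.5", "10.20.0.7", "tcp", 445),
]

if __name__ == "__main__":
    for label, rules in (("weak", WEAK_RULES), ("segregated", SEGREGATED_RULES)):
        print(label, "policy lets voice into data:", voice_to_data_leaks(rules, SAMPLE_FLOWS))
```

Run against real switch or firewall ACLs, the same audit shape (enumerate flows, evaluate, report any voice-to-data permit) is what a central operations center would check after each policy push.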