protect network trust boundaries

Securing the Converged Enterprise, Part 2
Network Defense-in-Depth Architectural Considerations

I. The Vanishing Network Perimeter

Converged enterprise networks bring together a wide variety of applications, protocols, devices and underlying network types. The result is a communications environment in which employees are no longer restricted to using network services from traditional office workstations. Instead, they now frequently access voice and data network application services while traveling and at home.

The traditional enterprise network "perimeter" is disappearing and network access now extends to just about everywhere. Separate networks are joining together to provide a seamless experience that doesn't require users to stop and restart a data or voice session as they change locations. Corporate network security must adapt to support this transition.

II. Identifying and Helping to Protect Network Trust Boundaries

Historically, the intersection where the public Internet meets the private corporate campus LAN was considered the one and only network perimeter, and the most vulnerable spot in the network. The reason is that the Internet is a publicly accessible network. The Internet also falls under the management purview of multiple network operators, rather than individual enterprise network managers. Therefore, it is considered to be an "untrusted" network. This network junction should continue to receive access control, firewall and intrusion detection/prevention filtering protection.

If there is no longer a concrete network perimeter, how do you identify and strive to protect multiple network perimeters, or trust boundaries, which may be invisible? The answer lies with first identifying the various places where data is stored and used, such as in servers and client computing devices. Then, consider the various ways a potential attacker, either internal or external, might cause harm: by attempting to gain unauthorized access to resources, by listening to or capturing packets in transit, or by flooding network servers or devices with corrupt packets to create a denial-of-service (DoS) or distributed DoS (DDoS) attack that could overwhelm the devices and render them inoperable.

Today, a full defense-in-depth approach to security has become an industry best practice. With a defense-in-depth approach to security, multiple security points are placed between the user of the data and where the data is processed and stored. That helps enterprises better deter both internal and external attacks against their network or data. Attacks may vary in nature, with each requiring a different technological solution.

The defense-in-depth security model helps protect against several different types of risks and reaches beyond the traditional network perimeter to permeate the WAN, internal LAN, internal wireless LAN, corporate servers, end-user computing devices and the enterprise data itself. Externally, firewalls and intrusion prevention systems (IPSs) join with encryption and endpoint-security capabilities to help protect against data theft, unauthorized access and the release of infected code (malware, such as worms) that remote and mobile devices might pick up from the public Internet. Internally, virtual LANs (VLANs), firewalls and IPSs thwart breaches between departments, between LANs and between LANs and servers.

One recommended best practice for implementing defense in depth is to use a centralized management model, which involves automatically deploying software updates network-wide, in line with corporate policy, from a network or security operations center (NOC or SOC). This approach provides a substantial degree of automation that helps keep security, application and operating system software updates synchronized. Keeping updates current becomes increasingly important as networks scale larger. A missed update could leave a chink in the network's armor, making centralized and automated update processes far more reliable and safer than a manual or ad hoc process.

Let's take a closer look at these various solutions, how they function at each network segment, and some deployment options and considerations.

III. External Defenses

External defenses were designed to help protect data and voice traffic in transit over the WAN, thwart unauthorized external access to internal resources and keep private sensitive data stored in mobile computing devices confidential. Protecting the traditional network perimeter at WAN access points in the data center and at branch and remote offices falls in the "external defense" category. External defense also includes measures taken to protect data in transit and endpoint or end-user device security.

Break-Ins and Malware

For protecting physical LAN-WAN intersections such as at data centers, branch locations, and home-office locations, installing a series of gateways between users and data resources is recommended. In many cases, this is a service offered by a VPN provider to help ensure that a private device never directly exposes its own IP address to the public Internet, PSTN or other shared network. The idea is to install layers of security between the user and the resource. This makes it more difficult for potential malicious hackers to discover the IP addresses of an enterprise's servers and routers, and break into them to cause mischief. If considering a gateway service, businesses should discuss with their service provider the number of gateways appropriate for achieving a high level of security. Fees associated with the creation of multiple layers should also be addressed.

Similarly, network-based firewall services and IPSs are designed to protect connections at specified enterprise locations. Businesses can install and manage these devices at every site, or purchase a managed service from a carrier. Alternatively, a network-based service (which does not require a CPE purchase) can be used to filter traffic against user access control lists (ACLs) and other enterprise criteria at the service provider point of presence. The point of presence is where the enterprise access connection either meets a Multi-protocol Label Switching (MPLS) backbone used for VPN services or an Internet service provider point of presence, where encryption is applied to create an Internet VPN.

As noted, firewall and IPS filtering can be conducted at each enterprise WAN access point. However, this solution is less scalable. Having the service directly in a provider's backbone network allows businesses to scale these security capabilities as users and sites are added to the network. By filtering "bad" traffic from the network before it traverses the last-mile access link, identified unauthorized access attempts and malware are segregated from the network and its internal IP addresses. Keeping the malicious traffic at a distance helps reduce the likelihood of it harming the network.

Monitoring for Internet Threats

To further defend the WAN, emerging public Internet scanning services are available that help detect precursors to worms and other malicious events. The service is designed to then notify users of the pending vulnerabilities. Other services can specifically examine individual Internet or VPN traffic, and potentially detect a DDoS attack aimed at an individual network. Some managed services will automatically deploy policies and take action to mitigate risks when certain events are detected on an individual VPN.

Encrypting Data in Transit

For added protection of the privacy of data in transit, encrypted VPNs should be used in cases where traffic traverses the public Internet infrastructure. Encryption scrambles data and authentication information to create a private "tunnel" for each customer through the publicly shared Internet to protect the privacy of data in transit. The VPN can be in the form of an IPSec VPN service between fixed corporate sites or a Secure Sockets Layer (SSL) VPN service for remote and mobile users. Both SSL VPN and IPSec VPN offer support for encryption, data integrity and authentication technologies such as Triple-DES, 128-bit RC4, Advanced Encryption Standard (AES), MD5 and SHA-1.

•IPSec VPNs. IPSec VPNs operate at Layer 3 and are recommended for static, "trusted" private enterprise sites that require LAN access on a par with the primary site. IPSec encryption can be delivered in the form of a service, which encrypts traffic across the service provider's backbone, and utilizes a carrier's economies of scale as a business's number of sites and quantities of traffic grow. Alternatively, VPN termination equipment can reside on the premises and can be installed and managed individually or by a carrier in the form of a managed network service. To help protect the network, security controls should be placed between the VPN egress point and the enterprise network.

•SSL VPNs. For mobile workers requiring "on the fly" encryption, SSL VPNs may be a good choice. Because they are browser-based, require no installation and maintenance of special client-side software, and offer application-layer access control, SSL VPNs can be quickly deployed. Unlike IPSec VPNs, SSL VPNs encrypt and decrypt at Layer 7 (see the OSI Model illustration).

[Figure: An Enterprise In-Depth Firewall/IPS Filtering Scenario. Sites shown: Regional Office, Branch Office, Teleworker, Data Center, Internet, and the Service Provider NOC/SOC offering a Centralized Filtering Service. Filtering points are marked at the Wiring Closet, between Server Farms, at the Wired-Wireless LAN Perimeter and between Departments. Legend: marker = L3 network and L7 application firewall filtering. Caption: WAN traffic can be filtered through a service; in-depth internal protection should be deployed in a number of network segments and can take the form of an appliance, software, or (caption cut off in source).]

[Sidebar: OSI Model]
7 Application
6 Presentation
5 Session
4 Transport
3 Network
2 Data Link
1 Physical

The Open System Interconnection Reference Model (OSI Model) depicts how data communications systems may be architected and interconnected. In 1977, the International Organization for Standardization (ISO) began to develop its OSI networking suite. OSI has two major components: an abstract model of networking (the Basic Reference Model, or seven-layer model), and a set of concrete protocols. Parts of OSI have influenced Internet protocol development, but none more than the abstract model itself, documented in ISO 7498 and its various addenda.[1]

The OSI reference model describes how information from a software application in one computer moves through a network medium to a software application in another computer. Communication is partitioned into seven functional layers. Each layer in the model specifies particular network functions, directly interacts with only the immediate layer beneath and provides facilities for use by the layers above. Protocols enable an entity in one host to interact with a corresponding entity at the same layer in a remote host.

OSI is considered the primary architectural model for inter-computer communications. Layers 1-3 handle data transport issues. Layers 4-7 deal with applications. The layers are composed of:

•Physical Layer. The physical medium by which the customer information/packets are transported from origination to destination (OC3, cable, wireless, LAN, copper, SONET, Private Line).
•Data-Link Layer. Transports frames across the physical layer and provides transmission error notification (Frame Relay, ATM, Ethernet).
•Network Layer. Provides routing and related functions that enable multiple data links to be combined into an inter-network (routing protocols such as BGP, Internet Protocol (IP), VPN, VPLS, MPLS).
•Transport Layer. Provides end-to-end transmission correctness, data recovery and flow control (Transmission Control Protocol (TCP), User Datagram Protocol (UDP)).
•Session Layer. Establishes a session (allows two networked resources to hold on-going communications across a network) and security (SQL, NetBIOS).
•Presentation Layer. Determines how computers represent data. These functions ensure that information sent from the application layer of one system will be readable by the application layer of another system (data compression, data encryption, format conversion, use of image, ASCII, MPEG).
•Application Layer. Generates or interprets data (File Transfer Protocol, Simple Mail Transfer Protocol, electronic mail, web browser).
Encryption and MPLS VPNs

MPLS technology creates virtual circuits that keep one customer's traffic from intermingling with that of others. Encryption over these types of VPNs is not necessarily needed but is recommended for companies with the highest security requirements, such as those transmitting sensitive customer data. Services are available to encrypt the traffic across the LAN or a shared MPLS backbone network segment.

Endpoint Security

Endpoint security involves creating policies for end user computing devices, such as laptops, handhelds and smartphones. The policies should cover:

•Update status of the device software programs
•Frequency of device scanning by the central NOC or SOC to check for out-of-date software
•How to help protect against viruses and other malware
•Use of personal firewalls and host-based IPS software on the device
•Data protection through Data Rights Management solutions

In the case of personal firewalls and host-based IPSs, consider the mobile device almost as a mini-network unto itself. It has an IP address for accessing the Internet. Without a personal firewall, the IP address is exposed directly to the Internet. Someone could find the IP address and compromise the system if the intruding system's own source address was not filtered off the network. The same holds true with host-based IPS: someone could inject malicious code onto the computing device, either to cause harm to the device itself or to potentially infect the corporate network the next time the device connects to it.

Those policies can be enforced internally or through the use of a carrier service that matches incoming service requests from mobile devices to a corporate policy. The policy resides in either an appliance or router in the data center and the scanning can take place there as one option. Industry-wide, router and antivirus software-makers have teamed together to build antivirus capabilities into common network equipment that scales to cover many devices as they attempt to access the network.

Policies can also be uploaded from the data center to a service provider's NOC or SOC, where incoming requests are scanned on behalf of the business, helping to keep "bad" traffic further from network components. The scans compare the software versions residing on the devices with the corporate mandate. If there is a match, the connection is allowed. If not, the IPS technology takes the action as dictated by policy to block the connection, update the software or quarantine the connection for later remediation.

Other variables can be part of the policy as well, such as what type of connection the device is using to connect. Certain types of connections might be restricted to accessing certain resources. Similarly, there might be different policy requirements for guest access and for extranet users (business associates who you allow access to some of your network resources).
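The admission decision described above (compare the device's reported software with the corporate mandate; allow, update, quarantine or block; vary the answer by user class and connection type) can be modelled as a small policy engine. The following Python is an added example, not code from the white paper or any NAC product; the package names, version strings, user classes, connection types and resource classes are all constructed assumptions.

```python
"""Endpoint admission policy check.

Added illustrative example (not code from the white paper or any vendor): it
models the NAC-style decision described above. A device reports the versions
of its security software and its connection context; the engine compares the
report with the corporate mandate and returns one of the actions the text
names: allow, update, quarantine or block. Policy values and reports are
constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Optional

# Constructed corporate mandate: minimum acceptable version per package.
MIN_VERSIONS = {
    "os_patch_level": "2024.11",
    "antivirus_signatures": "9.3.120",
    "personal_firewall": "5.0",
    "host_ips": "3.2",
}

# Constructed access matrix: resource classes each user class may reach,
# further restricted by how the device is connecting.
ACCESS_POLICY = {
    "employee": {
        "office_lan": {"internal", "voice", "internet"},
        "corporate_vpn": {"internal", "internet"},
        "public_wifi": {"internet"},
    },
    "extranet": {"corporate_vpn": {"partner_portal"}},
    "guest": {"guest_vlan": {"internet"}},
}


@dataclass
class DeviceReport:
    device_id: str
    user_class: str             # employee | extranet | guest
    connection: str             # office_lan | corporate_vpn | public_wifi | guest_vlan
    versions: dict              # package name -> installed version string
    firewall_enabled: bool
    host_ips_enabled: bool


@dataclass
class Decision:
    action: str                 # allow | update | quarantine | block
    resources: set = field(default_factory=set)
    reasons: list = field(default_factory=list)


def version_tuple(text: str) -> Optional[tuple]:
    """'9.3.120' -> (9, 3, 120), so 9.10 sorts after 9.3; None if unparsable."""
    try:
        return tuple(int(part) for part in text.split("."))
    except ValueError:
        return None


def evaluate(report: DeviceReport, min_versions=MIN_VERSIONS, access=ACCESS_POLICY) -> Decision:
    # 1. The user class / connection pair must have a policy entry, else block.
    resources = access.get(report.user_class, {}).get(report.connection)
    if resources is None:
        return Decision("block", reasons=[f"no policy for {report.user_class} via {report.connection}"])
    # 2. Guest devices are not corporately managed: only the network restriction applies.
    if report.user_class == "guest":
        return Decision("allow", resources=set(resources))
    # 3. Host protections must be running; otherwise isolate for remediation.
    reasons = []
    if not report.firewall_enabled:
        reasons.append("personal firewall disabled")
    if not report.host_ips_enabled:
        reasons.append("host IPS disabled")
    if reasons:
        return Decision("quarantine", reasons=reasons)
    # 4. Installed versions must meet the mandate. A missing or unreadable
    #    entry fails closed instead of silently passing.
    stale = []
    for package, minimum in min_versions.items():
        installed = version_tuple(report.versions.get(package, ""))
        if installed is None:
            return Decision("quarantine", reasons=[f"{package} missing or unreadable"])
        if installed < version_tuple(minimum):
            stale.append(f"{package}: {report.versions[package]} < {minimum}")
    if stale:
        return Decision("update", reasons=stale)
    return Decision("allow", resources=set(resources))


if __name__ == "__main__":
    laptop = DeviceReport("lt-0042", "employee", "corporate_vpn",
                          {"os_patch_level": "2024.11", "antivirus_signatures": "9.3.118",
                           "personal_firewall": "5.0", "host_ips": "3.2"}, True, True)
    print(evaluate(laptop))     # update: antivirus signatures are behind the mandate
```

The order of the checks is the point: an unmanaged guest device is never asked for version data, a disabled personal firewall or host IPS is treated as a remediation case rather than a version problem, and a version string the agent cannot parse fails closed instead of silently passing.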
IV. Internal Defenses

The primary goal with deploying internally focused security layers is to enforce enterprise policies regarding users' access rights. Layer 3 (see the OSI Model illustration) firewalls are used in a number of places to help verify that only authorized users gain access to the network by matching corporate policies of users' network access rights to the connection information surrounding each access attempt. If there is no match, the firewall blocks the connection.

Segregating Departments

Most enterprises create VLANs to logically segregate user access to various corporate resources across their LAN. Enterprises usually classify users into segregated VLANs by department, but VLANs may also be created using some other corporate criteria such as a job title. In many cases guests are placed into a "guest VLAN," and those users may not have access to anything but the public Internet.

Employees, guests and extranet associates/vendors might represent a high-level classification of users, with employees being further subdivided. Each classification that is created gets placed in its own VLAN, with access limited to resources that are specific to that VLAN. Similarly, voice-over-IP (VoIP) traffic is usually placed in a separate voice VLAN with access limited to the corporate PBX (see "Securing the Converged Enterprise," Part I, for securing voice traffic).

VLANs usually aggregate in Ethernet switches in the distribution layer of the corporate network. These are the switches that reside between wiring closet switches and core data center switches. In this location, businesses should deploy protection against members of any one VLAN gaining access to another VLAN's resources that are off-limits. These areas are locations where firewall filtering plays a role.

Firewalls represent the first level of access checking. They will either grant or deny a given IP address access to a resource. Deploying them at key "entry" points such as where VLANs come together, where public and private networks meet, and where wireless and wired networks meet reinforces corporate access policies to ensure that individuals see only the data they are supposed to see.

Many firewalls now also support application-layer inspection at Layer 7 (see the OSI Model illustration) for performing IPS capabilities, which check for anomalous protocol behavior. They also identify applications that attempt to "sneak" through the firewall at Layer 3 by hopping across TCP ports, or by piggybacking onto the open TCP port 80 (defined to carry Web traffic).

Locations where a switch or router links one network or network segment to another form a trust boundary. A trust boundary is a vulnerable network border that provides an opportunity for a hacker or malicious code to enter the network. Each trust boundary represents a potential point of entry for a clever hacker. Firewalling and IPS capabilities, at a minimum, should be present at each of these boundaries.
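As an added example that is not part of the white paper or any firewall product, the following Python models the two checks described above at one distribution-layer trust boundary: an ordered Layer 3 access list between VLANs (guest, voice, employee, server farm) with first-match semantics and an implicit deny, followed by a Layer 7 check that traffic permitted on TCP port 80 actually begins with an HTTP request line. The subnets, rule set and payloads are constructed sample values.

```python
"""Trust-boundary filtering: Layer 3 inter-VLAN access control plus a Layer 7
check on TCP port 80.

Added illustrative example, not code from the white paper or any firewall
product. A distribution-layer firewall evaluates each flow against an ordered
rule set (first match wins, implicit deny). For flows it would allow on TCP/80
it also checks that the first payload bytes form an HTTP request line, so a
non-Web protocol piggybacking on the open Web port is rejected. Subnets, rules
and payloads are constructed sample values.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass(frozen=True)
class Rule:
    src: str                # CIDR of the source VLAN
    dst: str                # CIDR of the destination
    proto: str              # "tcp", "udp" or "any"
    dport: Optional[int]    # destination port, None for any
    action: str             # "allow" or "deny"


# Constructed VLAN plan: employees 10.10.0.0/16, guests 10.20.0.0/24,
# voice 10.30.0.0/24, server farm 10.100.0.0/24 with the PBX at 10.100.0.50.
RULES = [
    Rule("10.20.0.0/24", "10.0.0.0/8", "any", None, "deny"),          # guests: nothing internal
    Rule("10.20.0.0/24", "0.0.0.0/0", "any", None, "allow"),          # guests: Internet only
    Rule("10.30.0.0/24", "10.100.0.50/32", "udp", 5060, "allow"),     # voice VLAN -> PBX signaling
    Rule("10.30.0.0/24", "0.0.0.0/0", "any", None, "deny"),           # voice VLAN: nothing else
    Rule("10.10.0.0/16", "10.20.0.0/24", "any", None, "deny"),        # employees never into guest VLAN
    Rule("10.10.0.0/16", "10.100.0.0/24", "tcp", 443, "allow"),       # employees -> server farm (Web)
    Rule("10.10.0.0/16", "10.100.0.0/24", "tcp", 80, "allow"),
    Rule("10.10.0.0/16", "0.0.0.0/0", "tcp", 443, "allow"),           # employees -> Internet (Web)
    Rule("10.10.0.0/16", "0.0.0.0/0", "tcp", 80, "allow"),
]

# Port 80 is defined to carry Web traffic, so demand an HTTP/1.x request line.
HTTP_REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS|PATCH) \S+ HTTP/1\.[01]\r\n")


def l3_match(rule: Rule, src: str, dst: str, proto: str, dport: int) -> bool:
    return (ipaddress.ip_address(src) in ipaddress.ip_network(rule.src)
            and ipaddress.ip_address(dst) in ipaddress.ip_network(rule.dst)
            and rule.proto in ("any", proto)
            and rule.dport in (None, dport))


def l7_web_ok(proto: str, dport: int, payload: bytes) -> bool:
    """Only TCP/80 with data is constrained; an empty payload (the SYN) passes."""
    if proto != "tcp" or dport != 80 or not payload:
        return True
    return HTTP_REQUEST_LINE.match(payload) is not None


def evaluate(src: str, dst: str, proto: str, dport: int,
             payload: bytes = b"", rules=RULES) -> Tuple[str, str]:
    """(action, reason) for one flow: first matching L3 rule wins, implicit
    deny, and an L3 allow can still be overridden by the L7 check."""
    for index, rule in enumerate(rules):
        if l3_match(rule, src, dst, proto, dport):
            if rule.action == "allow" and not l7_web_ok(proto, dport, payload):
                return "deny", "L7: non-HTTP payload on TCP/80"
            return rule.action, f"L3: rule {index}"
    return "deny", "L3: implicit deny"


if __name__ == "__main__":
    print(evaluate("10.10.4.2", "10.100.0.10", "tcp", 80, b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"))
    print(evaluate("10.10.4.2", "10.100.0.10", "tcp", 80, b"SSH-2.0-OpenSSH_9.6\r\n"))
```

A production IPS reassembles the stream and parses far more than the request line; the design point here is that the Layer 3 allow is not final until the application layer has been checked, and that rule order (the guest "nothing internal" deny before the guest "Internet" allow) is what makes the VLAN boundary hold.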
Where Wired and Wireless LANs Meet

There is a juncture where 802.11-based wireless LANs (WLANs), also called "Wi-Fi" networks, meet the wired LAN. There are security mechanisms built into Wi-Fi access points (APs), controllers and client devices that cover user authentication and the encryption of passwords and authentication messages at the lower two OSI layers. However, as another trust boundary, this point in the network should also be checked to help ensure that wireless users match with their wired-access network rights and to help prevent malicious code from getting onto the network via the wireless network.

Some WLAN systems have per-user firewalls built directly into them. Others don't, requiring that wireless users pass either through the central NOC/SOC firewall or through a firewall appliance that front-ends the WLAN controller. Some large networking vendors that participate in both wired and wireless markets have integrated the systems to a point where security devices on the wired LAN (whether they are managed internally or by a service provider) communicate with the WLAN controller, thereby applying both wireless and wired security protection capabilities to the radio frequency (RF) traffic.

Wi-Fi networks operate in unlicensed spectrum. This means that anyone can use these frequencies as a network medium, even if they potentially interfere with another network. Wireless, which radiates in three dimensions, is less controllable and traceable than wires that plug directly from user computers into Ethernet switch ports. Radio waves can leak outside the building, for example, making it possible for an attacker to piggyback on a user connection and gain access to the corporate network. Theoretically, if wired authorization, authentication and accounting (AAA) measures are rock solid, they will help protect against attackers coming in through the wireless back door. At this point in time, that's not a risk most enterprises are willing to take.

Wireless IPSs that operate at the RF level to detect unauthorized (rogue) devices can be deployed as an integrated part of a WLAN system, as an overlay monitoring system that is operated in house or as a third-party service. Many can detect whether the rogue device is actually connected to the corporate network. Rogue devices that are connected are more dangerous because it means an unauthorized device has established a potential path to network resources. Unconnected rogues might simply belong to a nearby network operator.

When using these systems, it's important that they continually scan all worldwide channels, even those that are not sanctioned for use in the company's own particular country. Otherwise, a rogue access point might be overlooked.

Even if a rogue access point is not connected to the network, it still represents a red flag. It might try to connect to the network or lure a client device to the network. Wi-Fi clients are designed to associate to the wireless access point with the strongest signal. If the client associates to a malicious rogue, the rogue can flood the client (or the network to which the client connects) with messages to cause a DoS attack. In an effort to capture that user's credentials, the rogue access point may also lure the user to a phony Web site that appears to be the real thing. This is a breach called phishing.

Most wireless IPSs alert businesses to issues surrounding rogue activities and have the capability to automate the process of shutting down a rogue. Caution should be exercised with that option, particularly if the network is in a multi-tenant building or a fairly populated environment. The detected rogue might be a legitimate device in use by the business down the hall or the residence next door. Automatically shutting down these devices could create other issues.

[Figure: Sample Configuration of Wireless IDS/IPS. RF Sensors on Floor 1, Floor 2 and Floor 3 report to a Wireless IDS/IPS Appliance or Server and a Wi-Fi Controller in the Data Center; a Rogue Device is shown within range of the Floor 1 sensor.]
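The rogue-detection reasoning in this section (is the unauthorized radio on our wire? is it advertising our SSID to lure clients? are all channels being scanned? should containment be automatic in a shared building?) is illustrated by the following Python, an added example rather than code from the white paper or any wireless IDS/IPS product. The BSSIDs, MAC table entries, sensor names and SSID are constructed sample values, and the "BSSID within one address of a wired MAC" correlation is a simplifying heuristic, not a standard.

```python
"""Rogue access point triage from RF sensor reports.

Added illustrative example; not code from the white paper or any wireless
IDS/IPS product. It joins the three inputs the text describes: the BSSIDs the
Wi-Fi controller manages, RF sensor observations from each floor, and the
wired switches' MAC tables, which separate a rogue plugged into the corporate
LAN from a neighbour's access point. It also lists the channel-coverage gap the
text warns about and applies the containment caution for multi-tenant
buildings. Every identifier is a constructed sample value; treating a BSSID
within +/-1 of a wired MAC as the same device is a simplifying heuristic.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Observation:
    bssid: str
    ssid: str
    channel: int
    rssi_dbm: int
    sensor: str                 # which RF sensor reported it, e.g. "rf-sensor-floor-2"


@dataclass
class Verdict:
    bssid: str
    category: str               # authorized | rogue-connected | evil-twin | neighbor
    severity: str               # low | high
    action: str                 # none | alert | contain
    notes: list = field(default_factory=list)


CORPORATE_SSID = "corp-wifi"
ALL_2G_CHANNELS = frozenset(range(1, 15))    # channels 1-14 exist worldwide

# Constructed inventory: BSSIDs the controller manages and MACs seen on wired ports.
AUTHORIZED_BSSIDS = {"00:11:22:aa:bb:01", "00:11:22:aa:bb:02"}
WIRED_MAC_TABLE = {"00:11:22:aa:bb:00", "de:ad:be:ef:00:11", "3c:52:82:10:00:07"}

# Constructed sensor reports for one scan cycle.
OBSERVATIONS = [
    Observation("00:11:22:aa:bb:01", "corp-wifi", 6, -48, "rf-sensor-floor-3"),
    Observation("de:ad:be:ef:00:10", "corp-wifi", 11, -55, "rf-sensor-floor-1"),   # on our wire
    Observation("c0:ff:ee:12:34:56", "corp-wifi", 1, -62, "rf-sensor-floor-2"),    # lure, not wired
    Observation("12:34:56:78:9a:bc", "CoffeeShop-Guest", 13, -81, "rf-sensor-floor-1"),
]


def mac_to_int(mac: str) -> int:
    return int(mac.replace(":", "").replace("-", ""), 16)


def wired_connected(bssid: str, wired_macs, offset: int = 1) -> bool:
    """An AP's Ethernet MAC is commonly the BSSID or an adjacent address, so a
    switch-table entry within +/-offset marks the radio as plugged into the
    LAN (heuristic)."""
    base = mac_to_int(bssid)
    return any(abs(mac_to_int(mac) - base) <= offset for mac in wired_macs)


def classify(obs: Observation, authorized, wired_macs, multi_tenant: bool) -> Verdict:
    if obs.bssid in authorized:
        return Verdict(obs.bssid, "authorized", "low", "none")
    notes = [f"{obs.sensor}: channel {obs.channel}, {obs.rssi_dbm} dBm"]
    if wired_connected(obs.bssid, wired_macs):
        notes.append("BSSID correlates with a wired MAC table entry: path into LAN resources")
        # Automatic shutdown is defensible only for a device shown to be on our
        # wire; in a shared building keep a person in the loop even then.
        return Verdict(obs.bssid, "rogue-connected", "high",
                       "alert" if multi_tenant else "contain", notes)
    if obs.ssid == CORPORATE_SSID:
        notes.append("corporate SSID from an unmanaged radio: possible credential lure")
        return Verdict(obs.bssid, "evil-twin", "high", "alert", notes)
    return Verdict(obs.bssid, "neighbor", "low", "alert", notes)


def coverage_gaps(scanned_channels) -> list:
    """Channels the sensors never visit; a rogue parked there is invisible."""
    return sorted(ALL_2G_CHANNELS - set(scanned_channels))


def triage(observations, authorized=AUTHORIZED_BSSIDS, wired_macs=WIRED_MAC_TABLE,
           multi_tenant: bool = True) -> dict:
    return {o.bssid: classify(o, authorized, wired_macs, multi_tenant) for o in observations}


if __name__ == "__main__":
    for verdict in triage(OBSERVATIONS).values():
        print(verdict.category, verdict.action, verdict.bssid)
    print("unscanned channels:", coverage_gaps([1, 6, 11]))
```

Run as-is, the constructed neighbor AP sits on channel 13; a sensor plan that only visits channels 1, 6 and 11 would never report it, which is the coverage gap `coverage_gaps` makes visible.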
VI. Conclusion

Convergence is happening across devices, networks, protocols and applications. This integration affords business users many productivity and time-saving benefits and entirely new communications capabilities that weren't possible before. However, because many employees now work in branch offices, home offices or in a mobile fashion from anywhere on the road, there is no longer a single network perimeter to protect. Instead, there are multiple, invisible network edges that need defending as users access the corporate network from many locations (both trusted and untrusted) and start to store sensitive data in their mobile computing devices.

Because of the distribution of users and computing devices, applying security measures to the converged enterprise has become a multidimensional discipline that requires a defense-in-depth approach to network security that helps protect against various types of risks, such as:

•Unauthorized access to resources
•Theft of data packets in transit
•Break-ins to personal computing devices
•The introduction of viruses and other malware onto the corporate network that could render one or more systems inoperable
•The unauthorized use or alteration of enterprise data

Centralizing the functions of pushing software updates and managing access control, firewalling and intrusion protection helps ensure that a single corporate policy or set of policies is enforced consistently network-wide. This centralization also allows security measures to scale as the network and the number of users and devices grow. CPE can be installed and managed in house or through a service provider in the form of a managed service. Alternatively, a WAN service provider can deploy and manage a centralized, multi-layer defense from its own NOC or SOC in the form of a service. In this scenario, rules and policy engines in the corporate data center communicate with the provider's NOC/SOC, where they are enforced.

The traditional network perimeter has vanished and the convergence of different traffic and application types on a common network means putting many more "security related eggs" into a single basket. A threat to the data network, for example, has suddenly become a threat to the voice network, too. These conditions are challenging enterprise IT departments to build a comprehensive, multidimensional foundation that uses a mix of services, products, policy and network automation to cast a strong net of security measures across their organizations' dynamic and ever-evolving communications infrastructure.

Key Points to Securing a Converged Environment

1. Utilize the network as a security device
2. Deploy a centralized Defense-in-Depth Architecture
3. Aim to detect and block malware on the end-point and in the network
4. Utilize network and information intelligence
5. Use strong authentication with users
6. Help protect the data itself through multiple solutions including Digital Rights Management
7. Take preventative and near real time measures to help protect data

References

1. http://en.wikipedia.org/wiki/Osi_model