The threats against business-technology systems have never been higher. Armed with sophisticated tools, attackers constantly attempt to steal proprietary corporate information for espionage, extortion, identity theft, and other forms of financial fraud. While software vulnerabilities, worms, viruses, spyware, and denial-of-service attacks prove costly, and garner the bulk of media attention, it’s the malicious insider with intimate knowledge of an enterprise’s business practices, systems, and applications who creates the greatest security risk and potential to do harm.
In recent years, employees, both current and former, have been suspected, indicted, and convicted of all types of crimes—selling of usernames and passwords, planting destructive logic bombs, sabotaging critical servers and applications, stealing credit reports and other personally identifiable financial information used to conduct identity theft and fraud, and more.
The 2005 CSI/FBI Computer Crime and Security Survey shows that enterprises are identifying about an equal number of security incidents that originate from inside their organization as those that are committed by outsiders. At the same time, the study reveals that the costs of unauthorized access and the theft of proprietary information have risen dramatically: The average cost per respondent due to unauthorized access leaped from $51,544 in 2004 to $303,234 in 2005. During the same period, the cost associated with the theft of proprietary information increased from $168,529 to $355,552. Considering the ability that insiders have to inflict damage, enterprises that focus primarily on strong perimeter security defenses are not mitigating anywhere near half of their real-world risk.
Those unnerving statistics should come as no surprise to industry trend-watchers. The threats and vulnerabilities are increasing as the workforce grows ever more diverse, both in the ways it remotely accesses corporate networks and the devices it uses to do so. The velocity of e-business demands that enterprises make even more applications available to mobile employees, remote contractors, suppliers, and customers. This means that the corporate network can be accessed from nearly anywhere: home offices, wireless café hotspots, remote conference centers, airports, hotel rooms, and partner networks.
Security managers feel the pressure. More often than not they have no control over these access points, and sporadic, if any, control over remote devices. They’re well aware that some of the worst attacks that brought corporate network and application availability to a crawl, such as Code Red and Blaster, shattered the most heavily fortified enterprises by running straight through “secured” VPN connections, courtesy of an employee’s infected notebook or remote PC.
It’s clear: increased mobile technological capabilities, market competition, and a progressively dispersed workforce will continue to dissolve the network perimeter. And as the perimeter fragments, there’s a dramatic increase in the attack surface and vulnerabilities associated with transient workers and devices connecting both by wire and wirelessly. This means hackers and malicious insiders increasingly will be able to leverage the vulnerabilities on remote networks, PCs in home offices, notebooks, and intelligent handheld devices as they attempt to gain access to proprietary and regulated information. This significantly increases the need for security solutions that are capable of adapting to the ever-changing types of devices and system configurations that access the network. Every device that connects to the network creates a potential security risk, and should be vetted to ensure it’s both compliant with policy and malware free. This is where traditional security defenses — anti-virus, anti-spyware, intrusion detection/prevention systems, and conventional authentication and access control methods — fall flat. While a critical part of any defense-in-depth strategy, they don’t provide continuous security policy and access enforcement as conditions change. They don’t adapt to changing endpoints. They don’t raise the security policy applied when an employee accesses the network from home or a café. They don’t lock down a worm-infested system. They do little more than let bad things happen if a trusted user connects to the network with unauthorized software installed on their machine. That’s the essence of Network Access Control and the crucial security gap it fills to secure networks from threats inside and out.
Effective Network Access Control
For ultimate network protection against insiders, as well as worm, virus, and other forms of malicious attacks, enterprises need to be able to determine the health of endpoints before they’re granted access to the network. When a system is found to be infected, or not on par with security policy, it needs to be restricted to limited or no access to the network until it’s remedied. This way, a worm-infested system won’t reach the network. This way, the overall security posture and healthy configurations of endpoints are continuously maintained. And this way, unauthorized endpoints don’t get access. The end result: network usability, availability, and security all trend up.
For these reasons, enterprises are currently turning to NAC solutions to improve the overall health and security of their networks, automate basic network and system maintenance tasks, and cut down help desk calls associated with infected and poorly configured systems. Also, increased regulatory pressures from the likes of Gramm-Leach-Bliley, Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, and countless state data breach laws all have spurred the need for companies to focus on continuously ensuring that endpoints and servers are available and compliant, and that the risks to the integrity and confidentiality of the information they hold are mitigated.
Choosing the right NAC solution is critical. Mistakes are costly: there’s nothing worse than deploying a NAC solution only to quickly discover that it doesn’t fully integrate with the existing infrastructure, blocks legitimate and compliant users from access (false positives), can’t handle increased network bandwidth demands, or merely performs a one-time checkup, and then allows that same user to move on to tweak security software settings, install unauthorized software, or become infected with spyware or a worm while cruising the Web.
The Elements of Effective NAC
One of the greatest strategic advantages that effective NAC deployments provide is the ability for organizations to directly map and enforce internal security and regulatory compliance policy to the actual configurations and security status of their servers and endpoints. Enterprises with established risk management programs in place have detailed their desired endpoint configurations and end user access privileges, and are enforcing these policies as users access the network. Patch levels and anti-virus signatures are continuously maintained. Endpoints with spyware or worm and virus infections are quarantined and denied access until their problems are remedied. Workers, consultants, and partners attempting to access the network with banned applications, such as peer-to-peer file sharing applications, are blocked. Employees with unlicensed applications are informed that they’re in violation. Organizations with this level of network control, even if they’re not under any regulatory requirement, find that they not only have increased security, but that network and application availability and worker productivity are greatly enhanced.
Building NAC solutions isn’t easy, as many vendors have discovered. Today’s applications and network infrastructure are simply too complex for vendors to be able to build effective NAC solutions overnight. Just ask anyone who has tried to implement a NAC solution that required complex endpoint software to be deployed on each endpoint, or a wholesale overhaul of the network and router switch infrastructure. These have proved to be expensive and painful. Such NAC approaches are doomed to failure. The market simply won’t accept additional complexity and management burden.
Successful NAC solutions need to reduce complexity and leverage existing network infrastructure investments. Below are the requirements — based on five years’ experience and more than 500 NAC deployments worldwide — of an effective, efficient NAC deployment that will provide unprecedented levels of insight and control over the enterprise network:
Authenticate
In this initial stage, both the identity of the user and the identity of the host are examined to determine whether each is entitled to access the network. This is a critical step, and shows why it’s so important that any NAC solution be able to integrate smoothly with existing front-end authentication systems, including 802.1X, Windows domain login, Cisco SCCP “Skinny” (for Cisco Call Manager and VoIP), and RADIUS accounting servers.
Validate
Following authentication, endpoints must be thoroughly validated to determine if they’re in compliance with security policy prior to network access. Is the anti-virus software turned on and up to date? How about the personal firewall? Which ports are open and available? What applications are currently running, and are any forbidden? Are system patches current? Compliance with policy here is critical and can’t be overstated. Ideally, NAC solutions perform this function without requiring additional client-side software that must be deployed and managed.
Quarantine and Remedy
With the security status of the endpoint fully base-lined, access control is now seamlessly enforced: each endpoint is automatically vetted against granular access control policies and the results of the validation screening process. Enterprises don’t permit visitors to their corporate campus to have carte blanche access to buildings, rooms, and data centers. And neither should their networks. Effective NAC solutions keep guests safely away from vital corporate applications and information. Infected, non-compliant, and at-risk systems are blocked until they’re cleansed or remedied. Malicious traffic is dropped altogether, and users are given easy instructions to implement options to remedy their systems: links to patches, AV signatures, and virus cleansing tools. This not only provides greater uptime due to enforced configuration management and keeping malicious software off the network; it also significantly reduces the risk of unauthorized access to regulated information and intellectual property by attackers both internal and external to the organization.
Authorize
In this stage, once endpoints and users are understood, and the systems are in a compliant state, end users and specific systems can only access systems to which they’re entitled. This means that network traffic, based on user identity and authorization policy, is segmented so that only authorized users have access to critical business applications and information. No access to confidential and regulated information is provided to any users unless they’re specifically authorized. These access control policies need to be automatically, dynamically, and continuously enforced.
Inspect
Security risks don’t cease after an endpoint has been initially authenticated and vetted for its security status—and neither does an effective NAC architecture. There’s little sense in examining systems thoroughly upon network entry, and then turning the cameras off. Once authenticated and allowed onto the network, users can perform quite a bit of damage with simple Telnet and shell prompts, including effective hacks against servers. While users can have legitimate reasons for many types of applications necessary for their jobs, some also can attempt to glean unauthorized and protected information. Thus, effective NAC solutions must utilize the network to watch connections in real time, and ensure that employees aren’t doing anything malicious. NAC solutions should include — indeed, must include — continuous inspections of OSI layers four through seven to vigilantly determine that endpoints aren’t exhibiting signs of spyware, worms, or viruses.
As users surf the Web, open e-mail, and access the network from home or wireless hotspots, they’re continuously at risk of spyware, Trojan, and virus infections. They also can tweak system and firewall settings for any number of reasons, and inadvertently knock the system out of compliance or get nailed with a virus infection. That’s why it’s so critical that NAC solutions employ intrusion detection and prevention capabilities — so they can thoroughly and constantly detect suspicious endpoint behavior and block worms, viruses, and spyware on the fly, whether they’re network based or a rogue application trying to infect the system through a maliciously crafted URL.
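As an added illustration of the Authenticate, Validate, Quarantine and Remedy, and Authorize stages described above (this is example code written for this page, not code from the original article or from Vernier Networks), here is a toy NAC policy engine in Python that turns an endpoint’s posture report into a network segment assignment plus remediation findings. The user directory, VLAN names, banned-application list and signature-age threshold are assumed sample policy values, and the endpoints it evaluates are constructed; re-running the same decision on a refreshed posture report is the Inspect stage.

```python
from dataclasses import dataclass
from datetime import date

# Constructed sample policy: assumed values, not any product's defaults.
KNOWN_USERS = {"alice": "engineering", "bob": "contractor"}
ROLE_VLANS = {"engineering": "vlan-corp", "contractor": "vlan-partner"}
GUEST_VLAN, QUARANTINE_VLAN = "vlan-guest", "vlan-quarantine"
BANNED_APPS = {"bittorrent", "limewire"}
MAX_SIGNATURE_AGE_DAYS = 3

@dataclass
class Posture:  # what the endpoint reports, or a scan observes, at connect time
    user: str
    av_enabled: bool
    av_signature_date: date
    firewall_enabled: bool
    patches_current: bool
    running_apps: set

def validate(p: Posture, today: date) -> list:
    """Validate stage: return every policy violation (empty list means compliant)."""
    sig_age = (today - p.av_signature_date).days
    checks = [
        (p.av_enabled, "anti-virus disabled"),
        (sig_age <= MAX_SIGNATURE_AGE_DAYS, "anti-virus signatures out of date"),
        (p.firewall_enabled, "personal firewall disabled"),
        (p.patches_current, "missing patches"),
        (not (p.running_apps & BANNED_APPS), "banned application running"),
    ]
    return [msg for ok, msg in checks if not ok]

def decide(p: Posture, today: date) -> tuple:
    """Authenticate -> Validate -> Quarantine/Authorize; returns (vlan, findings)."""
    role = KNOWN_USERS.get(p.user)
    if role is None:              # Authenticate: unknown user gets the guest segment only
        return GUEST_VLAN, ["unknown user: guest access only"]
    findings = validate(p, today)
    if findings:                  # Quarantine, with the list as remediation instructions
        return QUARANTINE_VLAN, findings
    return ROLE_VLANS[role], []   # Authorize: only the segment the role entitles

def example_decisions(today: date = date(2006, 3, 15)) -> dict:
    """Constructed endpoints; re-running decide() on refreshed posture is the Inspect stage."""
    fresh = date(2006, 3, 14)
    return {
        "compliant": decide(Posture("alice", True, fresh, True, True, {"outlook"}), today),
        "stale_av": decide(Posture("alice", True, date(2006, 3, 1), True, True, set()), today),
        "p2p": decide(Posture("bob", True, fresh, True, True, {"bittorrent"}), today),
        "guest": decide(Posture("mallory", True, fresh, True, True, set()), today),
    }
```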
Also, future-proof NAC solutions can’t choke on bandwidth. Considering the increased traffic and bandwidth demands — VoIP and Videoconferencing, more mobile data and telecommuters, ever-increasing graphically-oriented applications, growing dependency on network traffic-heavy Web applications — trends that are all bound to continue to place heavy burdens on bandwidth availability, NAC solutions must be able to handle significant levels of traffic and perform authentication and validation at wire-speed.
There’s no doubt that the unrelenting dissipation of the network perimeter, the nonstop evolution of malicious software, and heightened regulatory burdens all require security solutions that are adaptive to change, and continuously enforce security and compliance policy. Effective NAC solutions are proving to be the crucial pathway there. Most security professionals, IT administrators, and CIOs realize this. And as enterprises get closer to full-scale NAC deployments, they’ll find that surviving compliance audits will be much easier. The overall security and availability of their networks will be greatly enhanced. They’ll be protected not only from the increasing numbers of spyware, viruses, and worms circulating the Internet, but from the most dangerous and costly attacks made possible by insiders placed in positions of trust.
About the Author:
Rod Murchison is Vice President of Product Management at Vernier Networks.