
Network Security: World is the perimeter

VoicenData Bureau

Using a neighbor's Wi-Fi, opening a clearly suspicious email and even its attachment, and shopping online while at the office are some of the activities that are posing security risks, according to the findings of a recent survey conducted by InsightExpress. And these behaviors are not shown by casual web-surfers at a cybercafe, but are demonstrated by people who are considered to be responsible champions of India Inc. All these activities are happening either from within the office network or using an office laptop. None of the perpetrators of these acts are irresponsible guys; they are people who clearly understand the need for keeping their office network safe, and are also aware of the efforts that their IT department puts in to keep the network secure and running smoothly. Yet, these security-risk activities are taking place all the time.


While employee education and inculcating a security consciousness among employees can achieve a lot, even one rogue or weak link can bring down the entire network for days. The latest CSI/FBI Computer Crime and Security Survey paints a slightly rosier picture: unauthorized use of computer systems has decreased, albeit slightly. But enterprises are still faced with the simple fact that threats from within the organization have not reduced.

The simplest reason for the increased vulnerability is that the enterprise network is no longer limited to one campus. Today, the world is the perimeter for most organizations; for some it extends even beyond that boundary. The office LAN, let alone the enterprise-wide network spanning all the branch offices across the globe, is accessed not just by employees, but also by guests, partners, contractors and even sub-contractors. They not only use the VPN to access these networks, but also very often physically walk into the network with their own end terminal, and use that to access the Internet from within the office environs. In the worst case, they may even misuse their rights and make unauthorized use of the network.

Threats to the enterprise network come not only from crafty employees trying to stealthily steal office data, but even more from guileless people bringing infected nodes, infested with spam engines and worms, into a secure network, making a mockery of the elaborate perimeter security that enterprises set up.


Any Way Out?

Look at an airport. Nowadays, everybody has easy access to it. While this reflects that the airline sector is poised for unprecedented growth, it also exposes the vulnerability of the sector. However, the airport does not deal with these threats by shutting itself down. It places security at every entry point. Perimeter security becomes a very small, sometimes the least sophisticated, part of the entire security setup at an airport. But security gets tighter as you go deeper into the airport.

For long, enterprise networks have worked on exactly the opposite lines. Enterprises have a strong perimeter defense, and once entry is gained, it is easy for everybody to access the network. Though employee education has played a significant role in safeguarding that network, there are very few ways to check if employees are crossing ethical and professional boundaries.


To be brutally fair, not even railway stations could be safeguarded by the casual manner with which most organizations try to secure their networks. While an enterprise network enables business, network security enables the smooth running of that network, says M Hayath of Cisco. Prasad Babu of Juniper adds, "Many enterprises carry out a network audit or a network security audit much after they implement security solutions. Ironically, it is not the first step they take." "Primarily, people go by product solutions or point solutions. They say, I will implement a firewall today, and then over the next year or so I will consider an IPS. It is not a very cohesive or coherent security plan," he adds. Babu is just being polite; there is neither coherence nor even the scent of a plan in this approach.

Some users counter that with continuously expanding networks, it may not be very practical to roll out the entire security paraphernalia in one go. India is a fast-growing economy, and no matter how much capacity or capability an organization acquires today, it will still fall short. But that should not be an excuse for not having a plan, or a security policy, in place.

Babu reveals: "In the typical deployment we see today, there is a lot of focus on perimeter security. Bigger and bigger walls are built, and stronger gates are placed. A lot of resources are being devoted to building security from an outside-inside perspective." However, in typical organizations, once you are in, there is no stopping the malware.


The Magic of Technology?

Technologies abound, and that is a good thing as well as a bad one. The good thing is that if you have delayed a technology adoption, a smarter one than the one you missed out on earlier will be available to you. The bad part is that there will always be a better technology, and the hackers and crooks will be competing with the latest technologies, not with the ones from two years ago.

Firewalls and anti-virus might be old technologies, yet they cannot be done away with. Even though IDS and IPS have not matured in terms of market adoption, node-level and access control security solutions are now being touted by security vendors as the next must-haves. Different vendors call them by different names: network admission control (NAC) or unified access control (UAC).


Hayath says, "It takes the username authentication of the user and then checks to see if the host is in tune with the policy. If not, it pushes the host into the quarantine zone. And the user is left with no option but to update his particular end-node with all patches." Cisco also recommends using a desktop security agent, CSA. It complements the anti-virus on the laptop or the desktop. Hayath says, "It is behavioral-based software, and it does not work on signatures or definitions. If you have a CSA loaded, and you try to download something unknowingly that tries to execute itself, CSA can caution you that some suspicious activity is taking place and recommend you not to execute it." The important thing to note here is that these are recommended to complement, but not to replace, perimeter security at the enterprise level, or the firewall/anti-X solutions for desktops. What this approach achieves, explains Hayath, is that an infection that originates from one node remains confined to that node, and if it spreads to a particular VLAN, it stays limited to that VLAN. It can also control who has what access to the network, or even to the applications on the network, adds Babu.
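The admission decision Hayath describes (authenticate the user, check the host against policy, quarantine it if it fails, otherwise grant the access its role allows), as an added Python example that is not from the article and not Cisco's or Juniper's code; the required patch list, AV signature age limit, role-to-VLAN map and the Host fields are constructed assumptions, and the record it returns covers the "who, what, when, was he authorized" questions raised later in the piece:

```python
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed policy (not a real NAC/UAC configuration): a host is compliant only if
# it carries every required patch, its AV signatures are fresh and the agent runs.
REQUIRED_PATCHES = {"KB-0001", "KB-0002"}   # placeholder patch identifiers
MAX_AV_AGE_DAYS = 7
ROLE_VLANS = {"employee": 10, "contractor": 20, "guest": 30}   # assumed VLAN plan
QUARANTINE_VLAN = 99          # reaches only the patch/AV update servers (assumption)

@dataclass
class Host:
    user: str                 # identity from the username authentication step
    role: str                 # hypothetical: returned by the directory/RADIUS lookup
    patches: set
    av_signature_age_days: int
    agent_running: bool

def posture_failures(host: Host) -> list:
    """Return every policy check the host fails; an empty list means compliant."""
    failures = []
    missing = REQUIRED_PATCHES - host.patches
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    if host.av_signature_age_days > MAX_AV_AGE_DAYS:
        failures.append(f"AV signatures {host.av_signature_age_days} days old")
    if not host.agent_running:
        failures.append("desktop security agent not running")
    return failures

def admit(host: Host, now=None) -> dict:
    """Assign a VLAN and return the audit record: who, when, which VLAN, authorized?"""
    now = now or datetime.now(timezone.utc)
    failures = posture_failures(host)
    if host.role not in ROLE_VLANS:             # unknown identity is never admitted
        vlan, authorized, reason = QUARANTINE_VLAN, False, ["unknown role"]
    elif failures:                              # known user, non-compliant host
        vlan, authorized, reason = QUARANTINE_VLAN, False, failures
    else:                                       # compliant host gets its role's VLAN
        vlan, authorized, reason = ROLE_VLANS[host.role], True, []
    return {"who": host.user, "role": host.role, "when": now.isoformat(),
            "vlan": vlan, "authorized": authorized, "reason": reason}

if __name__ == "__main__":
    # Constructed sample hosts: a compliant employee laptop and a contractor
    # laptop with one patch missing and month-old AV signatures.
    for h in (Host("asha", "employee", {"KB-0001", "KB-0002"}, 2, True),
              Host("vendor1", "contractor", {"KB-0001"}, 30, True)):
        print(admit(h))
```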


Elementary, Did You Say?

Babu reveals another thing. While logically partitioning the enterprise-wide network into VLANs is now elementary, it is still not very fashionable to put a layer of security between these various VLANs. Some organizations have done that, but it is still not very prevalent. When implemented, this amounts to a perimeter security for each department of the organization, and it secures the way each department communicates with the other departments of the organization. This is mostly being done in IT/ITeS environments, where a single organization does projects for multiple groups or multiple principals and then builds security for each of these groups independently. Babu adds that there are organizations with an evolved security culture. These organizations have a drilled-down, layered architecture.

Hayath agrees, but has a slightly different take on the situation. He says, "The BFSI segment is pretty much aware on the security standpoint. They have a lot of RBI regulations and everything there is about money. So, security obviously matters. Even in the remotest branches they have routers, which can carry out security management, right from identity and access rights to IPSec VPN, SSL VPN, 802.1x. As they stand now, they have the right security infrastructure in place." But, as pointed out by InsightExpress, authorized users are prone to unauthorized activity. Therefore, they too need to upgrade to access control solutions.


Is Perimeter Security Passé?

The concept of secure and unsecured zones of a network is no longer relevant, as every point has to be secured; that is the direction we are moving towards, says Babu. Security has to be at every entry point. If a laptop is connected to a LAN, that is an entry point; if it is connected to a wireless hotspot in a cafe, that is an entry point; and if somebody is entering the network over the Internet or a leased line, that is an entry point. Every entry needs to be secured. It can no longer be said that something is secure just because it is connected to the LAN.

Managed Security

Obviously, providing enterprise security is not the core business of most enterprises. While this increasing need for security bodes well for the business of managed security, the close integration of the enterprise network with the WAN seems to make a strong case for managed security offerings from telecom/Internet service providers. This offering could be targeted not only at the remote workers of large enterprises, but also at providing a complete security solution to SMEs and large SOHOs. The beauty does not end here. A large enterprise is already a mini telco in terms of the users to whom it provides connectivity, and scaling it further to serve the telco's subscribers is not going to be too difficult either, he says. The enterprise-level security solutions can be used by the service provider, and the CSA can be pushed to the laptop by the SP. From a NAC perspective, you just need to scale it up to hundreds of thousands of NAC clients.

The managed security service providers are also taking a step forward by proactively monitoring the risks which may attack the network in the future. This could be done through NAC/UAC-like solutions, which may get integrated as a service component, in addition to the management and monitoring of the firewall.

NGN: How Much More Security?

"If proper care is taken, enterprise NGNs will only require an incremental investment in security," Babu says. A converged network will carry voice and data applications, maybe even video, with users connecting from all over the network and the Internet with a host of end terminals and even PDAs.

For securing voice applications, soft-switches and end IP phones need to be secured in real time. IPSec would no longer be sufficient. Encryption would be required on the wireless side, and SSL VPN for handhelds. Bandwidth will increase, so more equipment, probably with higher capacities, will have to be brought in. But, importantly, enterprises do not need to rip out their existing security investment.

New equipment would be required to handle applications like voice or IPTV. But when traffic increases, there will always be a new site that has less traffic, and the older equipment could be relocated there. Alternatively, as traffic increases, smaller and more concentrated sub-groups could be created. For example, if one box can cater to 100 users of Fast Ethernet, and tomorrow the users move to Gigabit Ethernet, these 100 users can be broken into three different VLANs, explains Babu. This would ensure that the existing investment in the Fast Ethernet switch is conserved.

Security implementations, however, have usually been driven by compliance pressures. The good news is that most compliance regulations don't require a particular type of deployment or even an architecture. Compliance requires the ability to secure a network, its applications and solutions, in a manner that makes it possible to produce an audit of the traffic going through it, says Babu. Whether that audit trail is created using application-level security or by implementing gateway security at the VLANs, at the end of the day it should let us know the following: who accessed what, when, whether he was authorized to access it, and what he did with that access. The idea is that even if you have a valid ticket at the airport, it does not grant you access to the control tower. IT has shown the way to many verticals in the country; it certainly can show the way to others too.

Alok Singh
aloksi@cybermedia.co.in
