The Internet provides a world-wide communications infrastructure allowing organizations to provide cost-effective, world-wide connectivity to network users. Increasing reliance on Internet technology, along with the explosive increase in the deployment of corporate intranets and extranets, has not only changed the way organizations do business, but also how they approach network security.

This paper identifies and describes ten of the most pressing network security challenges faced by organizations in today's increasingly complex environments:
1. Protecting your corporate network resources against internal and external threats
2. Providing world-wide connectivity for your mobile and remote employees
3. Using the Internet to lower your wide area data communication costs
4. Providing your business partners with selective network access through a secure extranet
5. Guaranteeing your secure network's performance, reliability, and availability
6. Defining and enforcing user-level security policies across your network
7. Immediately detecting and responding to attacks and suspicious activity against your network
8. Securely and efficiently managing your network's IP address infrastructure
9. Implementing an open security solution that enables integration with industry-leading and custom applications
10. Managing the total cost of ownership across your secure network
Protecting your corporate network resources against internal and external threats

Today, enterprise-wide networking means connectivity to anyone, anywhere, internal or external to your corporate network. With all of the advantages of such connectivity come unprecedented challenges to network security professionals. First and foremost among these is securing your company's vital network resources against everything from inappropriate usage to outright attacks, which could originate from the Internet or from within your own corporation.
Network access control provides a fundamental means to protect network resources. With highly granular access control rules, security administrators can define policies that control network communications according to the source or destination of connection requests, the type of network traffic, and the time of day.
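As an added illustration of the rule-based access control just described (constructed example code, not Check Point's own), the following evaluates a first-match rule base keyed on source, destination, service and a time-of-day window, with an implicit final drop for anything no rule permits. All addresses, rule names and services are assumed sample values.

```python
"""Added example: a first-match firewall rule base with time-of-day windows.
Constructed illustration only; not any vendor's policy engine."""
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

@dataclass(frozen=True)
class Rule:
    name: str
    src: str            # CIDR such as "10.0.0.0/8"; "any" matches everything
    dst: str
    service: str        # e.g. "tcp/443", or "any"
    action: str         # "accept" or "drop"
    window: Optional[Tuple[time, time]] = None  # (start, end) local time; None = always

def _net_match(cidr: str, addr: str) -> bool:
    return cidr == "any" or ip_address(addr) in ip_network(cidr, strict=False)

def _in_window(window, now: time) -> bool:
    if window is None:
        return True
    start, end = window
    # A window that wraps past midnight (e.g. 22:00 to 06:00) is handled too.
    return start <= now < end if start <= end else (now >= start or now < end)

def evaluate(rules, src, dst, service, now):
    """Return (action, rule_name) of the first matching rule; unmatched = drop."""
    for r in rules:
        if (_net_match(r.src, src) and _net_match(r.dst, dst)
                and r.service in ("any", service) and _in_window(r.window, now)):
            return r.action, r.name
    return "drop", "cleanup"   # implicit cleanup rule: deny what nothing permits

# Constructed rule base (assumed addresses, not real ones)
RULES = [
    Rule("finance-db", "10.1.0.0/16", "10.9.0.10/32", "tcp/1433", "accept",
         (time(8, 0), time(18, 0))),          # finance subnet, business hours only
    Rule("web-out", "10.0.0.0/8", "any", "tcp/443", "accept"),
    Rule("block-db", "any", "10.9.0.10/32", "any", "drop"),
]
```

Rule order matters: the same finance client is accepted at 09:00 but falls through to "block-db" at 20:00, and a source outside every rule is caught by the cleanup drop.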
Protecting your network is more than just controlling access to specific resources, however. In addition to powerful access control features, a complete network security solution must also be able to:

- verify the identities of network users
- encrypt sensitive data in transit
- optimize the use of registered IP addresses
- apply security to the content of network traffic
- detect and respond to attacks in real-time
- provide complete audit information

And it must be able to deliver these capabilities for all of the applications your organization utilizes, both currently and in the future, without hindering network performance or restricting connectivity in any way.
Providing worldwide connectivity for your mobile and remote employees

Many organizations have discovered the tremendous cost advantages the Internet offers for remote user connectivity when compared with traditional remote access solutions requiring large modem banks and expensive dial-up phone connections. As more and more companies deploy Internet-based Virtual Private Networks (VPNs) to connect remote and mobile workers to the corporate network, securing these mission-critical communications becomes crucial.

There are two main components that must be in place to ensure the privacy of your company's data as it travels over public networks like the Internet. First, the identity of both the remote client and of the corporate Internet gateway must be authenticated in the strongest manner possible. Second, once these identities are confirmed, all sensitive data transmitted between client and gateway must be encrypted for privacy in transit.

Just as importantly, both the authentication and encryption capabilities must integrate seamlessly with your existing network security solution. Network security measures, such as access control, are just as vital for VPN communications as for traditional network traffic. Simply because a remote user is able to establish a VPN connection back to the corporate network does not imply that they should be able to access all network resources (e.g. sensitive accounting servers, customer databases, etc.).

As the demand for remote network connectivity grows, network security managers must provide manageable and easy-to-use VPN solutions. In order to progress beyond a pilot deployment, the solution must be easy to deploy and administer for potentially large numbers of remote clients, and it must be as seamless and transparent as possible for end users.
Using the Internet to lower your wide area data communication costs

Just as client-to-network VPNs are cost-effective solutions for delivering secure network access to remote and mobile users, network-to-network or site-to-site VPNs enable organizations to leverage the Internet to dramatically reduce the costs of connecting offices. Strong authentication and data encryption capabilities allow companies to move business communications away from expensive frame relay or leased line networks to the Internet, while preserving data security.

It should be recognized that while the need for strong authentication and encryption is just as critical for connecting disparate sites as for remote access solutions, new management challenges arise. The first lies in managing hardware and software at multiple locations that may not have experienced IT staff onsite. Efficiency and security are maximized when a single enterprise-wide VPN policy can be defined and managed from a central management console. This eliminates the need for a separate security policy for each site.

While the cost savings of Internet VPNs are compelling, migrating business communications from private, dedicated networks to the Internet can produce unpredictable and unreliable performance. Integrated bandwidth management to prioritize critical traffic within a VPN, and high availability to deliver fault tolerance, can mitigate many performance concerns of Internet-based communications.
Providing your business partners with selective network access through a secure extranet

Once you've succeeded in securely connecting your own organization's distributed entities - both remote users and branch offices - the next challenge is to extend your enterprise network to key business partners, such as suppliers, strategic partners and customers, through extranet applications. Achieving extranet interoperability requires strict adherence to industry standard protocols and algorithms. Reliance on proprietary technology will doom any VPN deployment from the beginning.

The accepted standard for Internet-based VPNs is the Internet Protocol Security (IPSec) standard. IPSec defines the format of an encrypted and authenticated IP packet, and is required for the next generation of IP communications. To automate the management of encryption keys, IPSec is often used with the Internet Key Exchange (IKE).

Once standards-based interoperability has been established, the extranet VPN must be implemented such that external partners are granted access only to the specific resources they need, such as particular application servers. Here again is an example of the importance of integrating the enterprise VPN into your overall enterprise security policy, providing fine grained access control so that extranet partners only access authorized network resources. As you open your corporate network to increasing numbers of external users, you'll need to ensure that your company's resources are protected by a comprehensive, robust, policy-based enterprise security solution.
Guaranteeing your secure network's performance, reliability and availability

A natural consequence of increased Internet usage for business communications is network congestion, which can adversely affect the performance of mission-critical applications. While the Internet is a powerful and cost-effective means of delivering valuable information resources to a wide variety of stakeholders, these benefits are not fully realized if users suffer from poor response times, gateway crashes, or other network delays or failures.

Oversubscribed Internet and intranet links can result in significant traffic congestion causing increased latency, lower throughput, and dropped connections. Advanced bandwidth management can alleviate these potential problems by actively controlling the allocation of limited bandwidth resources. Critical traffic can be prioritized over discretionary traffic to ensure that bandwidth utilization is in alignment with your organization's goals. For example, casual web surfing should never degrade the performance of an important database application.

As your organization experiences increasingly higher traffic loads, many resources like public Web servers may become overwhelmed with connections. Reliance on a single server can result in poor response times, or even failed connections. Server load balancing provides a scalable solution to this problem by allowing a single application server to be replaced by a pool of servers. The traffic load can then be distributed among the individual servers for improved performance.

Even with adequate performance, your organization must provide a reliable network infrastructure that can withstand the failure of a network gateway. Companies cannot afford even momentary losses of network connectivity due to a gateway failure. Fortunately, fault tolerance (or high availability) is supported with many network security products.

High availability solutions guarantee that your network is secure and available virtually 100 percent of the time through hardware redundancy, software redundancy or a combination of both. When a failure does occur, the high availability components ensure that your network is secure and that connections are maintained in a manner that is completely transparent to end users. Truly effective solutions provide users, internal and external, with a reliable service while providing network administrators with maximum security.
Defining and enforcing user-level security policies across your network

The rapid adoption of the "extended enterprise" has caused an explosive increase in the number of applications, users, and IP addresses in use across many organizations. Providing reliable network security in such dynamic environments requires the deployment and enforcement of user-level security policies. In comparison to enterprise-wide policies, user-level security policies deliver access control, authentication, encryption parameters, etc. for individual network users. Managing this voluminous amount of user information, however, can pose formidable challenges for both network and security administrators.

Providing a central, scalable data store for user-level security information addresses some of the deployment hurdles, and is facilitated by the emergence of the Lightweight Directory Access Protocol (LDAP). With LDAP, all of your user information can be stored in a single database and shared among multiple network applications. This enables you to separate user management from network security management, freeing your organization's valuable security managers from time-consuming and routine user account maintenance responsibilities. It also provides your organization a greater level of security by delivering highly granular capabilities that recognize the diverse network privileges found in large user communities.

To further complicate the enforcement of user-level security, most applications track IP addresses as opposed to actual users. In environments where the Dynamic Host Configuration Protocol (DHCP) is used, utilizing IP addresses for security policies is not effective because IP addresses are dynamically assigned. The challenge for network security managers is to be able to utilize technologies like DHCP while still managing security based on user identity. In addition, the security solution should also provide detailed log and audit information containing a history of all network communications by user.
Immediately detecting and responding to attacks and suspicious activity against your network

Network security is only as good as the policies put in place to protect your network and users. To maintain the highest degree of network protection, you should continually evaluate the effectiveness of your security policy by providing real-time detection of unauthorized activity.

An effective intrusion detection solution can provide an additional measure of security by detecting a broad range of attacks and suspicious network activities. Attack recognition is insufficient by itself, however. The intrusion detection application must be tightly integrated with your enterprise security solution in order to respond immediately and prevent unauthorized access to your organization's valuable network resources. Without this tight integration, intrusion detection does not offer much protection against network attacks.

In addition to real-time response, a well-designed intrusion detection application will provide comprehensive event logging for complete auditing capabilities, and extensive alerting mechanisms to notify the proper IT personnel.
Securely and efficiently managing your network's IP address infrastructure

As networks become more central to your organization's critical business operations, the number of computers and devices, each requiring an IP address and name, has grown exponentially. Managing the IP address and name space of fast growing networks is becoming increasingly difficult.

The traditional methods of manually configuring the IP address of every computer and device on a network, and editing corresponding network-based configuration files, are no longer viable - they are error-prone, labor-intensive, and lack the integration needed by today's networks. The net result has been an IP address infrastructure that has no central control, is too expensive to manage, and cannot provide the scalability or reliability needed by the modern enterprise.

IP address management solutions which provide centralized management and distributed administration of your enterprise-scale IP network infrastructure can be extremely valuable in meeting these challenges, but only if tightly integrated with the overall network infrastructure, including the enterprise security policy. More specifically, the ability to map IP addresses to specific users, even when dynamically allocated, is critical to developing sound, user-based security policies.
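The user-level policy section above notes that gateways log IP addresses rather than users, and this section calls for mapping dynamically allocated addresses back to users. As an added example (constructed code, not any product's own, with invented log formats, addresses and user names), the following correlates DHCP lease events with gateway connection records so that an audit history can be produced per user, and flags connections from an address that had no lease at that moment.

```python
"""Added example: attributing connection logs to users under DHCP.
Constructed log formats and data; only the correlation logic is the point."""
from bisect import bisect_right
from collections import defaultdict
from datetime import datetime

# Constructed DHCP lease events: timestamp, event, ip, user (as resolved via the directory)
DHCP_LOG = """\
2024-03-04T08:00:00 LEASE 10.1.2.3 alice
2024-03-04T08:05:00 LEASE 10.1.2.4 bob
2024-03-04T12:00:00 RELEASE 10.1.2.3 alice
2024-03-04T12:10:00 LEASE 10.1.2.3 carol
"""

# Constructed gateway connection log: timestamp, src, dst, service, action
CONN_LOG = """\
2024-03-04T09:30:00 10.1.2.3 10.9.0.10 tcp/1433 accept
2024-03-04T11:59:00 10.1.2.4 10.9.0.10 tcp/1433 drop
2024-03-04T12:05:00 10.1.2.3 10.9.0.10 tcp/1433 accept
2024-03-04T13:00:00 10.1.2.3 10.9.0.10 tcp/1433 accept
"""

def parse_leases(text):
    """Per IP, a time-sorted list of (timestamp, holder); holder is None after a RELEASE."""
    leases = defaultdict(list)
    for line in text.splitlines():
        ts, event, ip, user = line.split()
        holder = user if event == "LEASE" else None
        leases[ip].append((datetime.fromisoformat(ts), holder))
    for events in leases.values():
        events.sort(key=lambda e: e[0])
    return leases

def owner_at(leases, ip, when):
    """User holding `ip` at `when`, or None if no lease covered that moment."""
    events = leases.get(ip, [])
    i = bisect_right([t for t, _ in events], when) - 1   # latest event at or before `when`
    return events[i][1] if i >= 0 else None

def attribute(dhcp_text, conn_text):
    """Return (user, src, dst, service, action) per connection; no lease -> 'unknown'."""
    leases = parse_leases(dhcp_text)
    out = []
    for line in conn_text.splitlines():
        ts, src, dst, svc, action = line.split()
        user = owner_at(leases, src, datetime.fromisoformat(ts)) or "unknown"
        out.append((user, src, dst, svc, action))
    return out
```

The 12:05 connection lands in the gap between alice's release and carol's lease, so it is reported as "unknown" rather than silently charged to either user; such records are worth a closer look during audit.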
Implementing an open security solution that enables integration with industry-leading and custom applications

Network security managers are responsible for choosing from a dizzying array of specialized hardware and software products to solve their organizations' network security and infrastructure needs. While individual products from different vendors are attractive as best-of-breed solutions in specific areas such as virus detection or authentication, organizations require assurance that the disparate products will integrate to provide seamless, comprehensive network security.

Alternatively, you can choose to purchase a broad range of solutions from a single vendor as part of a product "suite". Although this may alleviate some of your integration concerns, it may severely limit your choice of application. It is unlikely any single vendor can provide the desired capabilities across a spectrum of security technologies.

To realize both best-of-breed application choice and full management integration, you should consider an enterprise security solution built on an open architectural platform. An open architecture with well-defined interfaces enables third-party security applications to plug in seamlessly with the overall security policy. In addition, you can leverage application programming interfaces (APIs) to develop and deploy custom applications to meet your specific network security needs.
Managing the total cost of ownership across your secure network

A significant portion of the total cost of ownership (TCO) for your enterprise network is the expensive human resources devoted to managing the solution. The ability to manage all elements of an enterprise security installation from a centralized, integrated console is what differentiates a cohesive, manageable, cost-effective solution from a mere patchwork of individual point products.

Using separate, independent management interfaces for even a handful of products not only increases management overhead and its associated costs, but can introduce security risks if separate and redundant updates put network security enforcement points in an inconsistent state. In addition, any changes to the network policy should be automatically propagated throughout the entire network. Without this centralized management capability, network security managers must manually reconfigure each enforcement point with every policy change.
Source: www.checkpoint.com (resources). Check Point Software Technologies offers a full range of networking solutions.