by August 4, 2005 0 comments



There are good IT trends and bad ones. The good ones help meet your organization’s business objectives and give you a good ROI for your IT purchases. For instance, the reducing cost of bandwidth is a good trend, as it helps your organization stay better connected and communicate more effectively. The bad ones give you nothing but trouble, and sadly you still have to live with them. The growing number of security threats is a bad trend, and sadly, something that can’t be ignored. Everyday new and more powerful security threats emerge, forcing us to re-look at our network and fortify it more. Everyday new security products and solutions also emerge to combat these new threats, with each one claiming to be the best thing that ever happened to mankind since brown bread. Whether we like it or not, we’re forced to find out more about them. 

Living in fear like this is perfectly ok because, like the saying goes that only the paranoid survive. The saving grace is that you’re not the only one who is paranoid! Most people are, but sadly instead of doing something about it, most people grossly neglect even the basics of security. Weak or no passwords, outdated anti-virus and other security software, and unpatched machines are just a few basics that come to mind. If you really want to secure your network, look at the basics first, and then move up. 

Define your policies
So what is network security? Does it have to do with setting up firewalls, or keeping your systems patched with the latest updates? Maybe it’s about keeping your anti-virus and anti-spam software updated? Or maybe it’s about setting up an intrusion detection system? While these activities are definitely the ways of securing your network, they’re not the ends on their own. That’s because the real threat to network security lays elsewhere-us human beings. All these great security products and technologies are helpless if one of your users gives out his/her username and password to an unknown person. Sounds ridiculous? Let’s look at it this way. Would a user refuse to give out his username and password to the network administrator who’s doing a security audit? Or why wouldn’t a new employee in your organization pass on some seemingly harmless information to a senior manager who needs it urgently? The employee is only trying to be helpful, without really knowing that it’s not a network administrator or a senior manager whom the information is being given to, but an imposter. 

Key points
  • Define an overall policy defining the
    overall organizational objectives towards network security.
  • Define the network access policy to
    determine who is allowed to access what on the network.
  • Draw out general guidelines for users on how
    to identify basic security threats coming in from email and the Internet.
  • Implement the four pillars of security
  • Firewalls
  • Patch management
  • Anti-virus/Anti-spam
  • Intrusion detection & prevention

Network security starts from the user. Unless your users are educated and alert, no amount of investments in security
products will help you. Define an overall security policy that defines access 
levels in your organization. Next create general guidelines to educate your users on what kind of information can they give out and what they can’tand to whom. Help them understand the various types of security risks that are possible and how to tackle them. 

In today’s threats filled world, prevention is better than cure and pre-emption is better than control. You need to ensure that you recognize a potential security threat before it affects your network. 

If you can train your users on how to recognize security threats, half your problems are solved. The other half will be taken care of by your security infrastructure. 

Four pillars of security
A security breach can happen from either inside or outside your network. Outside threats can come in through your Internet gateway or email. Internal threats could be from a disgruntled employee or an imposter gaining access to a vulnerable system. The imposter could be a human, or malicious code like a worm or Trojan that infects an unpatched system. So the security infrastructure must take into account both internal as well as external threats. There are four pillars in security that deal with both of these threats: 

Firewalls: To protect a network from threats coming from external networks such as the Internet.

Patch management: To eliminate vulnerabilities in servers, desktops and networking hardware as firewalls and routers.

Anti-virus/anti-spam: To protect all systems from viruses and other threats
entering through spam.

Intrusion Detection/Prevention System: To detect suspicious activity on your network and prevent it from spreading.
Each of these applies to the entire network as well as individual nodes. For instance, a firewall can be implemented on a network as well as a desktop system. Similarly, you can do a network wide roll-out of patches and updates, or do it on individual nodes. An intrusion detection and prevention system can be used to detect suspicious activity on the network or on a particular host. Anti-virus and anti-spam solutions can sit on servers as well as clients. Where all you choose to deploy depends on your specific environment.

While all this sounds simple, implementing these four pillars in a large enterprise can be quite daunting, because of the size and complexity of the network. 

Firewalls woes
A firewall protects your Internet gateway as well as the WAN link between your offices. It would also help prevent unauthorized traffic from flowing out of or into your network. A good firewall would therefore keep track of and control which applications are trying to access the Internet. For instance, the latest worms tend to generate a lot of traffic on the network, and a lot of it end up reaching your Internet gateway. The firewall should be able to detect this anomaly on your network and do packet rate limiting. 

A firewall is usually not required on every node of a large enterprise network, mainly because managing so many personal firewalls is a nightmare. You would therefore need to configure your network firewall with proper rules and also enforce strict policies on the network. For a large enterprise, the challenge would be to select appropriate firewalls for different offices, maintaining their policies, and keeping them updated. From the time a vulnerability is detected to the time it’s patched up could be a serious matter. You’ll need to check with your vendor on how soon he would be able to provide you with the latest updates. Managing the rules set is another major issue in firewalls, as there would be so many firewalls, each with its own set of rules. Legacy applications can also cause problems, especially if they don’t support multi-user accessibility. Therefore, configuring firewalls to provide access to them can be a major hassle.

More firewalls also increase management headaches. Ideally you would want to manage all of them from one central console, but it may or may not be possible, especially if you’re using different brands of firewalls. Each would have its own web management interface to configure it. 

Patches and updates
This is the most critical part of any network security and must be taken very seriously. Most of the times, networks get compromised because the hacker or a malicious code manages to find one unpatched vulnerability on a system, be it a server, desktop, or even your networking hardware like firewalls, routers, etc. It’s therefore critical to keep all systems on your network updated with the latest patches. 

Devise a strategy to do a proper network wide roll-out of patches. While it would not be possible to be able to completely automate the process, you do need some amount of automation, which is only possible through the use of patch management programs. These should be able to take care of patching all machines on your network, including desktops and servers. On a large enterprise network, it should ‘not’ be the users’ responsibility to update their systems. It should be managed centrally. 

A large enterprise is likely to have a heterogenous network environment. Would your patch management application be able to keep track of and update patches on all the operating systems and applications? You can achieve some amount of automation if you have Windows clients, but what about your mobile users who would be traveling out and possibly connecting to other networks? Worse yet, there can be situations where you’ll be bringing in rented machines to your premises. Chances are that they won’t be patched. So keep track of all incoming and outgoing machines on your network. .

Time to patch can be another issue on a large network. When a new patch is released for your operating system. Before deploying the same, you would first want to install it on a test server to ensure that everything’s ok. Only then will you roll it out to your production server. Suppose the process takes about four hours. If you have 25 servers, then how much time do you need to to apply the patch on all of them? It’s also unlikely that all your servers will be kept in the same place. This clearly illustrates how difficult and time consuming it can be to apply a simple patch. Now consider the task you face with multiple patches being released every day for different applications and
OSs!

Anti virus/anti spam
Most security threats today happen because of worms coming in through email. The email could be from a legitimate source like another user on your network or from spam. So you need both anti-virus and anti-spam solutions on servers as well as desktops. You would need a central management console to keep all clients updated. While every anti-virus can do a live update, keeping track of whether they’re happening can be quite a task. Another issue is that the investments can be huge for a good anti-virus solution. Some software can do both virus and spam filtering, which could also be a good option. Nowadays, anti-virus and anti-spam server appliances are becoming popular. 

Intrusion detection and prevention
What if despite keeping your firewalls properly configured and systems updated, somebody manages to get into your network? That’s where intrusion detection and prevention systems come in. Every organization must have some form of an IDS in place. It need not be a large scale and expensive deployment. A simple packet monitoring utility like Ethereal could also be used as an IDS (see What’s up on your Network? in the Hands on section in this issue). 

One major issue that organizations seem to be facing with intrusion detection systems is getting it to capture all the traffic from a firewall and monitoring it. The drop rate in this case can be significant, due to which it might just let a threat pass through. Another issue with these systems seems to be cross compatibility. It may not be possible to use a third party tool to extract the logs from the IDS and put it into say Crystal Reports to view it. Conversely the IDS may not be able to pick up logs from another monitoring utility and display them. 

You could possibly set up intrusion detection systems in key parts of your network, say your Internet gateway, the switch on each subnet, various servers, etc. The degree of complexity here would vary depending upon your network’s size. You may or may not need protection at the desktop level. 

Phishing & Pharming
This article would not be complete without discussing the latest of security threats, phishing, which is the art of trying to deceive somebody into giving out confidential information. The best way to deal with them is to educate your users. Another type of threat is even more dangerous. You type in your bank’s website’s URL and login. While everything seems normal, it turns out that the site is fake. The cracker has managed to poison your DNS server so that all requests to your bank lead to his/her website. The rest as they say, is history. Such attacks are known as pharming, and the trouble with them is that it’s very difficult to detect them (read our last month’s cover story on pharming). So keep your DNS servers closely guarded. The cracker could also poison the ‘hosts’ file on a user’s desktop by sending a Trojan. The hosts file would then point the user to the cracker’s fake site. 

The bottom line is, security threats are real and happening. Devise proper policies and keep a close watch of your network to protect it. 

No Comments so far

Jump into a conversation

No Comments Yet!

You can be the one to start a conversation.

<