Pick up any security magazine....it's ok, I'll wait....
Stories are abound with the latest worm, identity theft, targeted attacks and other "James Bond-ish" types of attacks that have claimed its next victim. Don't get me wrong, all of these things happen with astounding regularity, but there are times, such as now that we need to take a step back to the basics.
Our employees are our biggest asset, but they can also be our biggest security risk. Every day, confidential information walks out the door when employees bring thumb drives, laptops and in fact their brains, home. In most cases, it comes back in the next day when employees return to work. But what happens when it doesn't? PCs get stolen, thumb drives get lost, and people talk - sometimes divulging proprietary information that they shouldn't. And this puts organizations at risk.
In efforts to stem the incidents of viruses, Trojans, worms and other bad things that can infiltrate a network, we not only should be investing in gear to secure our network, but we must also invest in our own employees in the form of education. In order to truly stack the deck in the company's favor, it is essential to establish a real and ongoing "in-service" to educate employees on the ways they can help secure the organization from security incidents.
Striking the right balance between employee education and purchasing security products is not easy, but is necessary. However, focusing on one without the other can be a recipe for a breach. From a security perspective, investment in the network and employees costs money, but it also pays dividends. And you can take that to the bank.
As we begin 2009, we return to work with the “clean slate” feeling and with renewed vigor to implement our 2009 plans that we have diligently worked on in Q4’08. We have celebrated our 2008 victories and are ready to implement adjustments in course to take advantage of emerging opportunities that will take the company to the next level.
From an IT perspective one constant planning exercise revolves around security; specifically ensuring the security of applications, and perhaps most important the security of proprietary information and customer data. Every year, we endeavor to stay one step in front of the hackers by deploying and fine tuning the right combination of security element to our networks.
In reviewing the security news events of 2008, the good news is that a lot of highly sophisticated and damaging attacks were identified. The bad news is that in the vast majority of cases were discovered after the breach occurred.
The big question is: why do we accept this approach as an immutable law of security? We continue to purchase and deploy security that reports about what has happened in the past instead of what is happening right now. We deploy “rear view mirror security” that empowers us to take action only after the damage has occurred.
In our personal lives, would we ever buy a physical security system that promises to inform us after a thief has broken into our houses and made off with our most prized possessions?
In planning our security strategy for this year (and indeed beyond), it is essential to choose security that not only provides a detailed historical view with drill down capabilities, but also a security solution that can identify what is happening right now in order to take action before the damage has been done. There are lots of options as to whether manual, semi-automatic, or fully automatic actions are taken when a breach is detected. Leading security solutions allow for the appropriate action to be configured based on the threat or type of attack.
Make the resolution now to no longer accept rear view mirror security to secure your most prized asset. Your organization depends on it.
To a happy (and secure) 2009!
"I want to deploy NAC in my network, but there are older components in my wired/wireless infrastructure that do not support 802.1x, so I can't deploy NAC yet, right?" As a PLM for a NAC product, I hear this question constantly. True, 802.1x is the most visible and prevalent type of NAC enforcement, but it is not the only type of enforcement provided with available NAC architectures. In fact, depending on your security and access control needs, and your existing network architecture, one of the other options might actually be a better choice for your deployment. Let's take a look at some of the available methods of enforcement:
- 802.1x Enforcement - This is supported by most of the primary NAC solutions on the market today. This provides ultimate control in that an end user is unable to pass a single packet until they have been authenticated and their machine has been checked for the appropriate patches, endpoint security applications, etc. One downside, however, is that 802.1x must be enabled on every switch and wireless access point in your network. The first switch port, for example, that is not 802.1x enabled represents a potential security hole in your NAC solution.
- Client Enforcement - In this model, a software agent running on the endpoint performs the enforcement. When the user logs on to the network, the software-based agent contacts the NAC system to do the authentication, endpoint integrity scans, and apply the appropriate access control rules to the user's session.
- DHCP Enforcement - With DHCP enforcement, the DHCP protocol is used to assign differing network configurations to devices connecting to the network based on user authentication and endpoint integrity. One of the traditional downsides of DHCP enforcement has been from a security perspective, with spoofed and/or static IP addresses being an easy way to bypass these types of access control mechanisms
- Inline Appliance Enforcement - This approach leverages an appliance through which all end user traffic passes in order to perform access control. A positive attribute of such a scheme is that it does not require any changes to the existing network configuration, nor does it require hardware upgrades. In addition, many of the solutions out there enable a much more granular set of policy types that can be enforced versus other types of enforcement. A downside, however, is that from a deployment perspective, a large enterprise network might potentially need to deploy a large number of these across their network in order to contain traffic sufficiently. Some such enforcement models use existing security devices such as firewalls and IPS devices - appliances that might already be deployed in your network, minimizing even further the need to deploy additional network/security gear.
In actuality, most NAC solutions on the market today will provide more than one of these options, for additional flexibility. The key point is that 802.1x is not the only approach to NAC out there. For example, if your primary goal when deploying NAC is to restrict access to key financial applications and data stored in your primary data centers, 802.1x might not be the best alternative. You might instead look towards an inline appliance solution, where the appliances are deployed in front of the data center. When a Finance user needs to access that information, they authenticate to NAC. This is a solution that is faster to deploy than an enterprise-wide 802.1x solution, but still meets the needs for this specific deployment.
Remember: always start with your organization's security needs and then seek out the appropriate solution rather than the other way around. You might miss more suitable solutions if you jump on the technologies presented to you before determining your true needs.
This week I was at a partner event talking about security and a person in the audience asked me, "so how do I sell security"? On first blush, this seemed to be like a question that is so general, it cannot be answered! Ask me an easier one, "why is the sky blue"?
Then I got to thinking, selling green is easy, consolidation is cake, virtualization sells itself. Why? Because they have a demonstrable and predictable cost savings. Selling security is like selling insurance. It's hard to quantify, until the unthinkable happens.
As I mentioned in a previous post security has changed...so much that this unthinkable is becoming more of a reality. I felt so strongly about it, that I recorded a 3 minute video to talk more about the changing security landscape and how that insurance policy is not a luxury, but a necessity to every high performing business.
Check it out and let me know what you think!
- the server access tier, connecting LAN ports to the network;
- the network aggregation tier, which aggregates FE and GbE from the access tier up to the core network; and
- the data center core network tier, which interconnects the data center network to the external network and to other data centers.
Network services such as stateful firewalls, intrusion prevention, load balancing & caching are typically deployed at the aggregation tier, since it is best to place services close to the servers and applications they serve. However, this poses a big challenge as businesses deploy these services at scale due to the difficult nature of managing a distributed service deployment. Organizations need to make sure the services are configured uniformly throughout the network and figure out how to redeploy a service to an application while the application moves between physical locations. To date network and security organizations are drowning under the workload of keeping up with the ever changing requirements from the applications and need a way to simplify their data center network.
One approach is to implement a two-tier, high density, high-performance data center network - in which the access tier is solely responsible for connecting the servers to the core network and the core network is responsible for directing traffic the right way. Ideally, an organization would use a large enough firewall that can virtually connect to all the data center networks, while supporting full line-rate forwarding of multi 10GbE and be able to intelligently participate in the network routing protocols.
By taking the core based firewall and service approach, organizations will manage to reduce two of their biggest challenges: 1) application mobility and 2) distributed service deployment. By having all the intelligence at the core of the network you decouple the physical placement of the server from the logical attributes that are associated to it allowing you to manage from a single unified service element.
Since we are right in the midst of the presidential race where everyone is talking about "change", it looks like I too have been influenced and have spoken about change; specifically the changes in security threats that organizations must come to terms with. I would be remiss in not discussing in this installment the quantum changes that we have seen in the financial markets and what this means from a security perspective.
The financial turmoil that has seemed to envelop the world's economy can be seen clearly on the faces of financial services employees as I pass them on the street down in New York's financial district. As the stock market swoons and dips (and dips again) once mighty financial giants are unsure of their short term viability let alone long term viability.
And while these wild market gyrations continue to unfold, the CIO is also faced with the monumental task of continuing to ensure security of the network, applications and users while it appears that Rome is indeed beginning to burn.
The security threat is not from where you may think. As workers at the financial institutions begin to lose faith in their organization and feel that their job may be at risk, the time that is ripe for confidential data to leave the organization. Moreover, for an entire industry in "meltdown mode," the insider threat is gaining new attention as the incidents of employees committing a security breach are on the rise.
While most employees may not intend to create a security breach, there are always those few "bad apples" that find this to be the best time to harvest information (maybe for their next job or for retribution against a perceived injustice that the organization committed).
Whatever the motivations, CIOs must realize that given the current economic crisis, they must turn to comprehensive security that is able to look at potential threats inside their perimeter. They must be able to root out sophisticated and stealthy attacks that are designed to evade traditional security solutions, because who knows the organization's security better than one's own employee?
All financial investing have some inherent risk (as we are painfully aware), but in this unsure economic situation it is essential for the CIO to recognize the security risks and plan a careful strategy for maximum protection.
When I go to on customer calls, one of the first things I do is open my laptop and do a networks scan. Most of the time, I can hop onto the network and gain full access without being challenged. I have full rights, full reign and the proverbial carte blanche to do as I wish. But don't think that this is an aberration. TJMaxx, UBS and Best Western all share the common bond and they are just a few organizations on a very long list of companies whose data has been stolen.
Hackers today can do more damage with a keyboard than a gun. Whether they sell confidential corporate information on the black market or commit identity theft, the motivation is financially based and can be highly lucrative.
Beyond soft targets, we also have sleeping sentries. A recent Verizon study noted that 63% of the organizations studied took MONTHS to find that a breach has occurred. This is long after the damage has been done and is too late to mount a meaningful defense.
The motivation for hacking has evolved from breaking into websites to gain notoriety to a potential financial windfall for using or reselling confidential information. The sooner we mount the right defense to address this new reality, the better chance we have for ensuring that our organization is not on the front page of the Wall Street Journal for all the wrong reasons.
For certain, the types of attacks have grown in sophistication, and have changed in methodology, purpose and operation. At the same time, our networks have changed. Because interconnected networks are a prerequisite for doing business, our networks have become porous. We allow a multitude of people onto our networks including partners, subcontractors, and guests. How is it possible to have perimeter-based protection if we don’t really know where the perimeter starts or ends? Do we need to re-evaluate our security posture because perimeter protection is dead?
Over the past five years, the sheer number of security incidents has decreased dramatically. While we have not eradicated bad things from finding their way to our network, perimeter protection plays a key role in this precipitous drop.
Security will undoubtedly remain a cat and mouse game between the hacker and security professional. Some hacking attempts will work and many will be stopped. There is no silver bullet when it comes to security; it takes a multi-faceted approach that leverages information and collaborates to root out the newest threats that are just over the horizon.
No need to initiate CPR on the perimeter-based approach just yet, for it is just another weapon in our arsenal that effectively stops the bad guys from compromising our network and our business.
Stay tuned for our next discussion where we will discuss the evolution of the attack and what the hacker is after in your network; your greatest asset may be at risk.
For the next few weeks, my colleague Michael Rothschild is going to be taking a look at perimeter security, intrusion prevention and internal threats. I hope you find the topic useful.
But what about security in these virtualized environments like the consolidated data center for example? There are multiple users with different profiles shared amongst common resources that need to be protected from one another. You also need to provision the right set of services for each user based on administrative policy. It is quite obvious that it is difficult to predict the type of security services and the performance that would be required for these datacenters given their ever changing requirements. Because of this many businesses are considering the solutions that can deliver multiple services that can simply be turned on or off as required.
So what would you want – a system that can be dynamically provisioned and scaled to run different services using a common hardware platform or a system to keep inventory of service specific appliances/cards that can be manually provisioned as needed?
VOIP deployments are gaining momentum at the expense of the plain old telephone service and we are witnessing the emergence of IPTV as a viable alternative for delivering video compared to the legacy cable and satellite media. These are highlighting a trend where IP is becoming the de-facto communication protocol for not only data but for voice and video as well.
Service providers are faced with the challenges of building a single network to offer multiple services such as VOIP. The service infrastructures for delivering voice and video have become targets of attack just like publicly accessible web servers. If a VOIP server is compromised or comes under a DOS attack, the subscriber will not be able to get a call through. Similarly in an IPTV deployment, an attack on the video server would result in the subscriber being unable to change channels – which undoubtedly would be quite frustrating!
In order to roll out successful IP based voice and video services, it is vital to incorporate high-performance security mechanisms into your network design especially since these converged services are not too far in the future.
Is your security gear ready to turn on the lights for VOIP and IPTV?
As a long distance runner, completing a marathon felt like a formidable task. Assigning a time target for the 26.2 mile race seemed almost impossible. The strategy that has worked for me is to break the race into 5 parts of 5 miles each (last one being 6.2 miles) and assign time targets that would collectively help me reach my time goal. A similar approach can work with securing the network – divide and conquer.
In security parlance this is referred to as layered defense, where each part is a layer targeting specific threats. The first and most important layer is the network edge protection – deployed at the perimeter or in a data center.
I believe the essential technologies that form the network edge and protect your networks include FW, VPN, DoS Protection and Content validation.
- Firewall – Flexible access control all the way from Layer 2 (datalink layer) to Layer 7 (application layer) is very important. Access control based on users and roles rather than IP addresses is becoming more relevant these days with the huge amount of mobility options out there. On this front, integration with a Network Access Control (NAC) framework is necessary, and the good news is there is a standardization effort in this space. You can read more about this in my colleague Steve Hanna’s blog: Got the NAC
- Virtual Private Networks (VPN) – The perimeter security solution should provide options for secure tunneling of data (VPN) between sites and telecommuting clients from the Internet.
- Denial of Service (DoS) Protection – DoS and DDoS (Distributed Denial of Service) continue to be a vector of attack against publicly hosted services with botnets as the most common sources. You need a solution that can signal into the cloud to filter the attack traffic at the ISP network edge or earlier, thereby freeing the final hop for the clean traffic. Check out additional efforts standardization at Dissemination of flow specification rules
- Protocol/Content validation – The capability to inspect application data for protocol anomalies and attacks is necessary as software vulnerabilities are constantly popping up and it is difficult to keep all the systems patched up to date. The solution must be dynamically updated with the latest protection pack without requiring any downtime in order to secure your network.
Let me know if you have any additional thoughts and/or questions about securing the network edge!
The recent 2008 Beijing Olympics witnessed one of the broadest uses of the Internet of any public event to date. In fact, Internet traffic has been pretty much doubling year over year and with it the increase of viruses, identity theft, spam, etc. According to the 2007 CSI-FBI Security Report financial fraud, virus losses and system penetration by outsiders are some of the major causes for financial loss.
Over the past 19 years that I've been working with networking and security technologies the world has seen many advances in firewall (FW) technology starting from ACL to Stateful FW to Application Aware FW that performs DPI to validate application data and enforce application level access control. Now with Enterprise and Service Provider networks proliferating at all levels and rapidly growing due to more users and higher requirements for advanced applications and services, many businesses can no longer afford the performance and security tradeoffs and complexities associated with maintaining their legacy network infrastructure. They need to integrate security into their network infrastructure to ensure fast, reliable and secure access to applications and services in an efficient and effective manner.
Network and Security administrators need to secure their networks in a layered defense - with the firewall as the cornerstone of their security strategy. Today more than ever businesses require a high-performance network with a FW that can deliver high throughput and high-performance.
Here's a shortlist of what businesses should consider when looking for a FW solution to secure their networks:
- Scale to more than 100 Gbps of throughput and performance.
- Provide granular access control based on the user and service requested.
- Integrate protocol/content validation to ensure that the data will not harm the integrity and availability of the services.
- Provide all of the above in a form factor that optimizes on space, power and heat.
- Is operationally simple to manage and deploy.
Check out a new video post by Juniper's GM and senior executive VP on their take of the FW market: http://www.juniper.net/srx
Our primary objective is to explore technical IT security issues as business and technology challenges that could compromise the effectiveness of enterprises and service providers. We'll share our strategies for staying ahead of today’s rapidly changing threat landscape and focus in particular on innovation in network security technologies.
We’ve assembled a great team of bloggers to kick off these conversations with
you, but we encourage your participation. If there's a topic that you'd
like us to cover, let us know by commenting on the blog. We’re not just
talking — we’re listening.
Our Bloggers Krishna Narayanaswamy,
Krishna is a Distinguished Engineer in the Service Layer Technologies group at Juniper. He is currently working on DPI technology initiatives in products targeted at service providers and enterprise markets.
Krishna has 19 years of experience in data networking involving Ethernet, ATM, IP, Switching and Security technologies. He has authored 10 patents in the areas of switching, security and QoS. He was actively involved in the IEEE 802.1 and ATM Forum standards committees.
Prior to Juniper, he was the co-founder and System Architect at Top Layer Networks where he played a pivotal role in bringing multiple products to the market. He has also held senior engineering roles at Digital Equipment Corporation and Fore Systems.Michael Rothschild,
Michael Rothschild is the senior manager of solutions marketing at Juniper Networks, responsible for security solutions for the enterprise.
When he’s not busy helping customer’s understand the importance of a solutions focus to address the new security threats affecting business, Michael is a professor of marketing and volunteers as a paramedic.
As a Solutions Architect and Leader of Enterprise Solutions Engineering at Juniper Networks, Lior Cohen is responsible for developing reference architectures and best practices utilizing Juniper products. In his free time, Cohen enjoys mountain biking and spending time with his children.
Senior Product Manager
Senior Product Manager in the Access Business Group at Juniper Networks is responsible for driving the business strategies, product development, partner interactions and customer engagements to help drive the growth of Juniper Networks' Unified Access Control and Secure Access SSL VPN solutions. Rich is also an avid snowboarder and motorcyclist (not at the same time).