
Top 10 challenges to securing a network


Steve Barnett

Managing Director, Check Point Software Technologies (UK) Ltd, Suite 5b, Enterprise House, Vision Park, Histon, Cambridge, CB4 4ZR, UK

Tel: 01223 713 600; Fax: 01223 236 847; www.checkpoint.com

The Internet provides a worldwide communications infrastructure allowing organizations to provide cost-effective, worldwide connectivity to network users. Increasing reliance on Internet technology, along with the explosive increase in the deployment of corporate intranets and extranets, has not only changed the way organizations do business, but also how they approach network security. This article identifies and describes 10 of the most pressing network security challenges faced by organizations in today’s increasingly complex environments. These must be faced and resolved if truly secure networking is to be achieved.

Protecting corporate network resources against internal and external threats

Today, enterprise-wide networking means connectivity to anyone, anywhere, internal or external to a corporate network. With all of the advantages of such connectivity come unprecedented challenges to network security professionals. First and foremost among these is securing a company’s vital network resources against everything from inappropriate usage to outright attacks, which could originate from the Internet or from within the corporation.

Network access control provides a fundamental means to protect network resources. With highly granular access control rules, security administrators can define policies that control network communications according to the source or destination of connection requests, the type of network traffic, and the time of day.

Protecting a network is more than just controlling access to specific resources, however. In addition to powerful access control features, a complete network security solution must also be able to:

- Verify the identities of network users
- Encrypt sensitive data in transit
- Optimize the use of registered IP addresses
- Apply security to the content of network traffic
- Detect and respond to attacks in real-time
- Provide complete audit information

In addition, it must be able to deliver these capabilities for all of the applications an organization utilizes, both currently and in the future, without hindering network performance or restricting connectivity in any way.

Providing worldwide connectivity for mobile and remote employees

Many organizations have discovered the tremendous cost advantages the Internet offers for remote user connectivity when compared with traditional remote access solutions requiring large modem banks and expensive dial-up phone connections. As more and more companies deploy Internet-based Virtual Private Networks (VPNs) to connect remote and mobile workers to the corporate network, securing these mission-critical communications becomes crucial.

There are two main components that must be in place to ensure the privacy of a company’s data as it travels over public networks like the Internet. First, the identity of both the remote client and of the corporate Internet gateway must be authenticated in the strongest manner possible. Second, once these identities are confirmed, all sensitive data transmitted between client and gateway must be encrypted for privacy in transit.

Just as importantly, both the authentication and encryption capabilities must integrate seamlessly with the existing network security solution. Network security measures, such as access control, are just as vital for VPN communications as for traditional network traffic. Simply because a remote user is able to establish a VPN connection back to the corporate network does not imply that they should be able to access all network resources (e.g. sensitive accounting servers, customer databases, etc.).
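A minimal rulebase of the kind described under the first challenge (rules keyed on source, destination, traffic type and time of day), applied to the point just made about VPN users. This is an illustration added here, not code from the article or from Check Point; the network objects, addresses and services are hypothetical. Rules are matched top-down with an implicit default deny, and the VPN client pool is its own network object so that an authenticated remote user still reaches only what the policy grants.

```python
from dataclasses import dataclass
from datetime import time
from ipaddress import ip_address, ip_network
from typing import Optional

# Hypothetical network objects; all addresses are constructed for this example.
NETWORKS = {
    "any":        ip_network("0.0.0.0/0"),
    "internal":   ip_network("10.0.0.0/8"),
    "accounting": ip_network("10.1.5.0/24"),    # sensitive accounting servers
    "mail":       ip_network("10.2.0.0/24"),
    "vpn_pool":   ip_network("172.16.0.0/24"),  # addresses issued to authenticated VPN clients
}

@dataclass(frozen=True)
class Rule:
    src: str
    dst: str
    service: str                  # "any" or "<proto>/<port>"
    action: str                   # "accept" or "drop"
    start: Optional[str] = None   # time-of-day window as zero-padded "HH:MM"; None = always
    end: Optional[str] = None

@dataclass(frozen=True)
class Connection:
    src: str
    dst: str
    service: str
    at: str                       # "HH:MM" when the connection request arrived

def in_window(rule, at):
    """True if the rule has no window or the time of day falls inside it (may wrap midnight)."""
    if rule.start is None:
        return True
    start, end, now = (time.fromisoformat(s) for s in (rule.start, rule.end, at))
    if start <= end:
        return start <= now < end
    return now >= start or now < end

def matches(rule, conn):
    return (ip_address(conn.src) in NETWORKS[rule.src]
            and ip_address(conn.dst) in NETWORKS[rule.dst]
            and rule.service in ("any", conn.service)
            and in_window(rule, conn.at))

# Rules are consulted top-down and the first match decides. Ordering is what makes
# the time window and the VPN restriction effective: the broad "internal -> any"
# rule sits last so it cannot pre-empt the narrower rules above it.
RULEBASE = [
    Rule("internal", "accounting", "tcp/1433", "accept", "08:00", "18:00"),  # office hours only
    Rule("any",      "accounting", "any",      "drop"),      # nothing else reaches accounting
    Rule("vpn_pool", "mail",       "tcp/143",  "accept"),    # VPN clients: mail only
    Rule("vpn_pool", "any",        "any",      "drop"),
    Rule("internal", "any",        "any",      "accept"),
]

def evaluate(rulebase, conn):
    """Return (action, rule number); rule number 0 is the implicit cleanup rule (default deny)."""
    for number, rule in enumerate(rulebase, 1):
        if matches(rule, conn):
            return rule.action, number
    return "drop", 0

def audit_record(rulebase, conn):
    """One log line per decision, so every connection is accounted for, accepted or dropped."""
    action, number = evaluate(rulebase, conn)
    return f"{conn.at} {conn.src} -> {conn.dst} {conn.service} {action} rule={number}"
```

Note that a VPN client asking for the accounting server during office hours is still dropped by rule 2: the time window on rule 1 only ever applies to the internal network.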

As the demand for remote network connectivity grows, network security managers must provide manageable and easy-to-use VPN solutions. In order to progress beyond a pilot deployment, the solution must be easy to deploy and administer for potentially large numbers of remote clients, and it must be as seamless and transparent as possible for end users.

Using the Internet to lower wide area data communication costs

Just as client-to-network VPNs are cost-effective solutions for delivering secure network access to remote and mobile users, network-to-network or site-to-site VPNs enable organizations to leverage the Internet to dramatically reduce the costs of connecting offices. Strong authentication and data encryption capabilities allow companies to move business communications away from expensive frame relay or leased line networks to the Internet, while preserving data security.

It should be recognized that while the need for strong authentication and encryption is just as critical for connecting disparate sites as for remote access solutions, new management challenges arise. The first lies in managing hardware and software at multiple locations that may not have experienced IT staff on-site. Efficiency and security are maximized when a single enterprise-wide VPN policy can be defined and managed from a central management console. This eliminates the need for a separate security policy for each site.

While the cost savings of Internet VPNs are compelling, migrating business communications from private, dedicated networks to the Internet can produce unpredictable and unreliable performance. Integrated bandwidth management to prioritize critical traffic within a VPN, and high availability to deliver fault tolerance, can mitigate many performance concerns of Internet-based communications.

Providing business partners with selective network access through a secure extranet

Once you’ve succeeded in securely connecting the organization’s distributed entities - both remote users and branch offices - the next challenge is to extend the enterprise network to key business partners, such as suppliers, strategic partners and customers, through extranet applications. Achieving extranet interoperability requires strict adherence to industry standard protocols and algorithms. Reliance on proprietary technology will doom any VPN deployment from the beginning.


The accepted standard for Internet-based VPNs is the Internet Protocol Security (IPSec) standard. IPSec defines the format of an encrypted and authenticated IP packet, and is required for the next generation of IP communications. To automate the management of encryption keys, IPSec is often used with the Internet Key Exchange (IKE).

Once standards-based interoperability has been established, the extranet VPN must be implemented such that external partners are granted access only to the specific resources they need, such as particular application servers. Here again is an example of the importance of integrating the enterprise VPN into an overall enterprise security policy, providing fine-grained access control so that extranet partners only access authorized network resources. As you open the corporate network to increasing numbers of external users, you’ll need to ensure that the company’s resources are protected by a comprehensive, robust, policy-based enterprise security solution.

Guaranteeing a secure network’s performance, reliability and availability

A natural consequence of increased Internet usage for business communications is network congestion, which can adversely affect the performance of mission-critical applications. While the Internet is a powerful and cost-effective means of delivering valuable information resources to a wide variety of stakeholders, these benefits are not fully realized if users suffer from poor response times, gateway crashes or other network delays or failures.

Oversubscribed Internet and intranet links can result in significant traffic congestion, causing increased latencies, lower throughputs and dropped connections. Advanced bandwidth management can alleviate these potential problems by actively controlling the allocation of limited bandwidth resources. Critical traffic can be prioritized over discretionary traffic to ensure that bandwidth utilization is in alignment with the organization’s goals. For example, casual Web surfing should never degrade the performance of an important database application.

As an organization experiences increasingly higher traffic loads, many resources like public Web servers may become overwhelmed with connections. Reliance on a single server can result in poor response times, or even failed connections. Server load balancing provides a scalable solution to this problem by allowing a single application server to be replaced by a pool of servers. The traffic load can then be distributed among the individual servers for improved performance.

Even with adequate performance, an organization must provide a reliable network infrastructure that can withstand the failure of a network gateway. Companies cannot afford even momentary losses of network connectivity due to a gateway failure. Fortunately, fault tolerance (or high availability) is supported with many network security products.

High availability solutions guarantee that the network is secure and available virtually 100% of the time through hardware redundancy, software redundancy or a combination of both. When a failure does occur, the high availability components ensure that the network is secure and that connections are maintained in a manner that is completely transparent to end users. Truly effective solutions provide users - internal and external - with a reliable service while providing network administrators with maximum security.

Defining and enforcing user-level security policies across a network

The rapid adoption of the ‘extended enterprise’ has caused an explosive increase in the number of applications, users and IP addresses in use across many organizations. Providing reliable network security in such dynamic environments requires the deployment and enforcement of user-level security policies. In comparison to enterprise-wide policies, user-level security policies deliver access control, authentication, encryption parameters, etc., for individual network users. Managing this voluminous amount of user information, however, can pose formidable challenges for both network and security administrators.

Providing a central, scalable data store for user-level security information addresses some of the deployment hurdles, and is facilitated by the emergence of the Lightweight Directory Access Protocol (LDAP). With LDAP, all of the user information can be stored in a single database and shared among multiple network applications. This enables you to separate user management from network security management, freeing the organization’s valuable security managers from time-consuming and routine user account maintenance responsibilities. It also provides the organization a greater level of security by delivering highly granular capabilities that recognize the diverse network privileges found in large user communities.

To further complicate the enforcement of user-level security, most applications track IP addresses as opposed to actual users. In environments where DHCP (Dynamic Host Configuration Protocol) is used, utilizing IP addresses for security policies is not effective because IP addresses are dynamically assigned. The challenge for network security managers is to be able to utilize technologies like DHCP while still managing security based on user identity. In addition, the security solution should also provide detailed log and audit information containing a history of all network communications by user.

Immediately detecting and responding to attacks and suspicious activity against a network

Network security is only as good as the policies put in place to protect a network and users. To maintain the highest degree of network protection, you should continually evaluate the effectiveness of the security policy by providing real-time detection of unauthorized activity.

An effective intrusion detection solution can provide an additional measure of security by detecting a broad range of attacks and suspicious network activities. Attack recognition is insufficient by itself, however. The intrusion detection application must be tightly integrated with the enterprise security solution in order to respond immediately and prevent unauthorized access to the organization’s valuable network resources. Without this tight integration, intrusion detection does not offer much protection against network attacks.

In addition to real-time response, a well-designed intrusion detection application will provide comprehensive event logging for complete auditing capabilities, and extensive alerting mechanisms to notify the proper IT personnel.

Securely and efficiently managing a network’s IP address infrastructure

As networks become more central to an organization’s critical business operations, the number of computers and devices, each requiring an IP address and name, has grown exponentially. Managing the IP address and name space of fast growing networks is becoming increasingly difficult. The traditional methods of manually configuring the IP address of every computer and device on a network, and editing corresponding network-based configuration files, are no longer viable - they are error-prone, labor-intensive, and lack the integration needed by today’s networks. The net result has been an IP address infrastructure that has no central control, is too expensive to manage and cannot provide the scalability or reliability needed by the modern enterprise.

IP address management solutions which provide centralized management and distributed administration of an enterprise-scale IP network infrastructure can be extremely valuable in meeting these challenges, but only if tightly integrated with the overall network infrastructure, including the enterprise security policy. More specifically, the ability to map IP addresses to specific users, even when dynamically allocated, is critical to developing sound, user-based security policies.
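An illustration of the IP-to-user mapping just described, and of the DHCP problem raised under the user-level policies challenge. It is added here and is not code from the article or any product. DHCP lease events are correlated with authentication records (assumed, as with an 802.1X-style server, to carry the client MAC) so that each connection is attributed to the user who held the address at that instant, the user-level policy is applied to that user rather than to the address, and the result is an audit trail by user. All log lines and the policy are constructed.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed sample logs (not from any real system); the auth server is assumed to
# record the client MAC with each successful logon, as an 802.1X-style server would.
DHCP_LOG = [
    "1999-06-01T09:00:00 DHCPACK 10.0.0.50 00:11:22:33:44:aa",
    "1999-06-01T10:30:00 DHCPACK 10.0.0.50 00:11:22:33:44:aa",      # renewal by the same client
    "1999-06-01T12:00:00 DHCPRELEASE 10.0.0.50 00:11:22:33:44:aa",
    "1999-06-01T12:30:00 DHCPACK 10.0.0.50 00:11:22:33:44:bb",      # same address, another client
]
AUTH_LOG = [
    "1999-06-01T08:55:00 alice 00:11:22:33:44:aa",
    "1999-06-01T12:29:00 bob 00:11:22:33:44:bb",
]
TRAFFIC_LOG = [   # timestamp, source, destination, service
    "1999-06-01T09:15:00 10.0.0.50 10.1.5.10 tcp/1433",
    "1999-06-01T12:15:00 10.0.0.50 10.2.0.3 tcp/143",
    "1999-06-01T13:00:00 10.0.0.50 10.1.5.10 tcp/1433",
]
USER_POLICY = {"alice": {("10.1.5.10", "tcp/1433")}, "bob": set()}  # hypothetical: only alice may reach accounting

@dataclass
class Lease:
    ip: str
    mac: str
    start: datetime
    end: Optional[datetime]   # None while the lease is still held

def parse_dhcp_log(lines):
    """Turn DHCPACK/DHCPRELEASE events into one lease interval per (address, client)."""
    closed, active = [], {}
    for line in lines:
        ts, event, ip, mac = line.split()
        at = datetime.fromisoformat(ts)
        if event == "DHCPACK":
            if ip in active and active[ip].mac != mac:   # re-issued without a release seen
                active[ip].end = at
                closed.append(active.pop(ip))
            active.setdefault(ip, Lease(ip, mac, at, None))  # a renewal keeps the original start
        elif event == "DHCPRELEASE" and ip in active and active[ip].mac == mac:
            active[ip].end = at
            closed.append(active.pop(ip))
    return closed + list(active.values())

def parse_auth_log(lines):
    """MAC -> user name, from the authentication server's records."""
    return {mac: user for _, user, mac in (line.split() for line in lines)}

def resolve_user(leases, mac_to_user, ip, ts):
    """The user who held `ip` at ISO timestamp `ts`, or None if nobody did."""
    at = datetime.fromisoformat(ts)
    for lease in leases:
        if lease.ip == ip and lease.start <= at and (lease.end is None or at < lease.end):
            return mac_to_user.get(lease.mac)
    return None

def process(traffic_lines, leases, mac_to_user):
    """Attribute each connection to a user and decide it under USER_POLICY. The records
    (user, src, dst, service, action) double as the per-user audit history the text asks for."""
    records = []
    for line in traffic_lines:
        ts, src, dst, service = line.split()
        user = resolve_user(leases, mac_to_user, src, ts)
        allowed = user is not None and (dst, service) in USER_POLICY.get(user, set())
        records.append((user or "unknown", src, dst, service, "accept" if allowed else "drop"))
    return records
```

The third traffic line is the case the text warns about: an address-based rule written for alice's 10.0.0.50 would have admitted bob once the lease moved, whereas resolving the user first drops it; the second line, sent while no lease covered the address, is attributed to nobody and also dropped.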

Implementing an open security solution that enables integration with industry-leading and custom applications

Network security managers are responsible for choosing from a dizzying array of specialized hardware and software products to solve their organizations’ network security and infrastructure needs. While individual products from different vendors are attractive as best-of-breed solutions in specific areas such as virus detection or authentication, organizations require assurance that the disparate products will integrate to provide seamless, comprehensive network security.

Alternatively, you can choose to purchase a broad range of solutions from a single vendor as part of a product ‘suite’. Although this may alleviate some integration concerns, it may severely limit the choice of application. It is unlikely that any single vendor can provide the desired capabilities across a spectrum of security technologies.

To realize both best-of-breed application choice and full management integration you should consider an enterprise security solution built on an open architectural platform. An open architecture with well-defined interfaces enables third-party security applications to plug in seamlessly with the overall security policy. In addition, you can leverage application programming interfaces (APIs) to develop and deploy custom applications to meet specific network security needs.

Managing the total cost of ownership across a secure network

A significant portion of the total cost of ownership (TCO) for an enterprise network is the expensive human resources devoted to managing the solution. The ability to manage all elements of an enterprise security installation from a centralized, integrated console is what differentiates a cohesive, manageable, cost-effective solution from a mere patchwork of individual point products.

Using separate, independent management interfaces for even a handful of products not only increases management overhead and its associated costs, but can introduce security risks if separate and redundant updates put network security enforcement points in an inconsistent state. In addition, any changes to the network policy should be automatically propagated throughout the entire network. Without this centralized management capability, network security managers must manually reconfigure each enforcement point with every policy change.