Security Bundles Up

By Klaus Majewski · December 2006

Adding layers of intrusion prevention systems to a company's intranet can keep a network from being left out in the cold

WITHIN any modern business environment, it is now easy to find technically aware people who are able to tell you exactly what type of servers are on the corporate intranet, perhaps even what functions the servers perform. However, if you ask these same people to detail the types of traffic flowing across the intranet, you will be less likely to hear an informed answer.

People have become overwhelmed with keeping up with the various types of network traffic, including data, voice and video, subsequently believing they have a strong perimeter protecting against potential threats and malicious attacks.

For example, a company may have firewalls protecting all connections to and from the Internet, virtual private network connections to branch offices and subcontracted remote mobile users. As e-mail and file transfer traffic flows into the network, all content is checked at the perimeter, and each Web connection goes through HTTP-cache servers. Outside of the firewall is where customers and subcontractors have access to the network through accessible servers located in the demilitarized zone. Many companies use this type of firewall configuration to manage distributed networks, and though this offers a relatively secure perimeter protection, it is just a starting point.

With the proliferation of Web-enabled applications, the variety of network connection methods and innumerable problems a mobile user/laptop can cause a modern company, organizations need to consider more than a strong perimeter defense. IDC's October 2005 industry report found the number of remote and mobile workers reached 650 million worldwide in 2004, and over the next five years, the number will reach 850 million -- more than one quarter of the global workforce.

The increase is not surprising considering how easy and affordable it is to access the Internet almost anywhere. Since most people today have the technology to work from home, many prefer the option over spending time in morning traffic jams. As the amount of remote workers increases, the corporate network has the heightened possibility of being infected from non-trusted systems like home computers. Corporate security policies must take home users into account when thinking about possible attack vectors against a company's information assets.

For example, a mobile user can log onto a laptop at a customer site, making the machine vulnerable to contracting some sort of infection. In this case, the infected laptop, when brought back to the office and connected to the internal network, is now sharing corrupt files within the protected network. Perimeter security has now been physically bypassed, and the infection is free to spread to other computers on the network segment. Corporate networks should comprise internal protection mechanisms that can defend against simple oversights. Perimeter defenses, however strong, simply don't offer sufficient protection any longer.

Layering the Security Process
Layered defense has been proven as a concept that works. Instead of having one layer of protection that leaves networks susceptible to a single point of failure, layered security offers additional protection. The security approach slows down the attack, collects more information about its actions and helps the network stop it effectively before it succeeds.

Security is a process that has five steps: protect, detect, react, recover and revise. In the first step, the company has to define its assets that must be protected and then implement policies that provide sufficient protection. Because no protection is complete, security breaches have to be detected during occurrence. Once the security breach is detected, it must be contained. And once the emergency is handled, the company should find out why the attack passed through certain layers of defense and adjust security procedures to stop future breaches.

Of course, large enterprises can afford powerful network management systems capable of monitoring the overall health of internal networks. But small- to medium-sized businesses do not always have the same resources to invest in intranet protection. These companies should find alternative means to achieve the same levels of protection. But in order to find the perfect solution that supports a specifically-defined security process, there are some common problems to consider.

Internal Network Visibility
It is critical that companies see exactly what is happening on their intranets. There are several ways a company's domain name server can be compromised, including attacks that use DNS to leak confidential company information.

Domain name service traffic is normally allowed through perimeter security without any checking, so organizations have no easy way to know that modified and potentially harmful DNS traffic is flowing out from the DNS server. If, however, an organization has a protocol-defined policy that inspects all data inside the network, the issue becomes visible.
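The kind of visibility described above can be illustrated with a small detector run over DNS query logs. The following is an added example written for this page, not code from the article or from Stonesoft; the log lines are constructed, the "registered domain" is approximated as the last two labels (a real deployment would use a public suffix list), and the thresholds (four or more unique subdomains per client and domain, mean first-label entropy of 3.0 bits or more) are assumptions chosen for the sample. The example deliberately includes a client that legitimately queries many different hostnames under one domain, to show that the unique-subdomain count alone would be a false positive.

```python
import math
from collections import defaultdict

# Constructed DNS query log: timestamp, client, query type, query name.
# 10.0.1.15 is a chatty but legitimate host; 10.0.1.40 sends random-looking
# labels under one domain, the pattern the article warns about.
SAMPLE_DNS_LOG = """\
2006-12-01T09:00:01 10.0.1.15 A www.example.com
2006-12-01T09:00:02 10.0.1.15 A mail.example.com
2006-12-01T09:00:03 10.0.1.15 A intranet.example.com
2006-12-01T09:00:04 10.0.1.15 A wiki.example.com
2006-12-01T09:00:05 10.0.1.15 A hr.example.com
2006-12-01T09:00:06 10.0.1.22 A update.vendor.example
2006-12-01T09:00:07 10.0.1.40 TXT kq7xz2mpv9wb.exfil.test
2006-12-01T09:00:08 10.0.1.40 TXT n4ytr3hgd8sl.exfil.test
2006-12-01T09:00:09 10.0.1.40 TXT c6fae5uj0o1i.exfil.test
2006-12-01T09:00:10 10.0.1.40 TXT m2pq9vwkx7zb.exfil.test
2006-12-01T09:00:11 10.0.1.40 TXT t3rhg8dsln4y.exfil.test
2006-12-01T09:00:12 10.0.1.22 A www.example.com
"""


def shannon_entropy(s):
    """Bits of entropy per character; hostnames like 'www' score low, encoded data scores high."""
    if not s:
        return 0.0
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (registered_domain, subdomain_prefix). Assumption: domain = last two labels."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def parse_log(text):
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 4:
            yield tuple(parts)  # ts, client, qtype, qname


def analyze_dns_log(text, min_unique=4, entropy_threshold=3.0):
    """Group queries by (client, domain) and score each group."""
    groups = defaultdict(lambda: {"queries": 0, "prefixes": set(), "entropies": [], "qtypes": set()})
    for _ts, client, qtype, qname in parse_log(text):
        domain, prefix = split_name(qname)
        g = groups[(client, domain)]
        g["queries"] += 1
        g["qtypes"].add(qtype)
        if prefix:
            g["prefixes"].add(prefix)
            # Entropy of the leftmost label, where tunnelled data is usually carried.
            g["entropies"].append(shannon_entropy(prefix.split(".")[0]))
    findings = {}
    for key, g in groups.items():
        unique = len(g["prefixes"])
        mean_ent = sum(g["entropies"]) / len(g["entropies"]) if g["entropies"] else 0.0
        findings[key] = {
            "queries": g["queries"],
            "unique_subdomains": unique,
            "mean_entropy": round(mean_ent, 2),
            "qtypes": sorted(g["qtypes"]),
            # Both conditions must hold: many distinct names AND random-looking labels.
            "suspicious": unique >= min_unique and mean_ent >= entropy_threshold,
        }
    return findings


def suspicious_pairs(text, **kw):
    """Sorted list of (client, domain) pairs that tripped the detector."""
    return sorted(k for k, v in analyze_dns_log(text, **kw).items() if v["suspicious"])


if __name__ == "__main__":
    for key, stats in sorted(analyze_dns_log(SAMPLE_DNS_LOG).items()):
        print(key, stats)
    print("suspicious:", suspicious_pairs(SAMPLE_DNS_LOG))
```

On the sample, only the pair (10.0.1.40, exfil.test) is reported; the host querying five ordinary hostnames under example.com has the same unique-name count but a mean entropy well under the threshold. In a real deployment the same per-client, per-domain grouping is what an IPS sensor placed in front of the internal DNS server would let you build, and the query-type mix (TXT against A) is a further signal worth logging.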

To achieve greater visibility, companies should employ strategically placed intrusion prevention system (IPS) sensors to help reveal information about internal network flow. Modern IPS systems do not produce the large number of false positives sometimes associated with older intrusion detection systems. Organizations should deploy IPS at intelligent locations, for example, within the firewall, in the DMZ or in front of critical servers. It's really a question of placing devices where it matters most and using an IPS system to report exactly what kind of activity is happening on the intranet.

Removal of Non-Business Traffic
A second consideration is how to prevent unwanted traffic inside the internal network, for example, a worm or a P2P program like eMule. Music and movie downloads using P2P programs will easily clog an Internet connection. Music downloads look like normal Internet traffic at the perimeter, but can be detrimental to the company's business operations while impacting the network bandwidth and slowing the flow of information.

IPS can help prevent the use of different non-business-related P2P programs and free bandwidth to address business-related applications -- such as remote connections between branch offices.

Layered Cooperation
When an infected computer is inside the company's network, it will try to infect its neighboring computers, spreading the infection. One way to defend the network in this situation is to segment intranets using firewalls. This allows for an organization to isolate finance or account departments from the rest of the intranet and prevent infections from spreading.

However, if sensors and firewalls are deployed to cooperate more closely, the technologies can be used together to strengthen intranet security. IPS sensors can show what is flowing across the intranet by inspecting network traffic at each application layer. If IPS sensors are located in front of critical servers they can block any harmful traffic. In circumstances where IPS isn't covering the entire traffic path, the technology also can instruct internal firewalls to block further unwanted traffic throughout the company's intranet, even at the perimeter. Also, because modern IPS and firewall systems are very granular, they can block all offending traffic while allowing genuine business traffic to flow uninterrupted. The cooperation helps isolate infected computers and keep damage to a minimum.
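The sensor-to-firewall cooperation described in the two sections above (blocking worm propagation and non-business P2P traffic while business traffic keeps flowing) can be sketched as a small rule generator. This is an added example written for this page, not code from the article or any vendor product; the IPS alert lines, the 10.0.0.0/8 intranet range, the business safelist and the IPS_BLOCK firewall chain are all constructed assumptions, and the generated lines use ordinary iptables syntax only to make the output concrete. The one design point worth noting is granularity: a source that has hit several internal hosts on the same port is blocked segment-wide on that port only, while a single offending flow is blocked as just that flow, and safelisted business destinations are accepted ahead of any drop.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL_NET = ip_network("10.0.0.0/8")  # constructed: the company intranet range

# Constructed safelist: business traffic a quarantined host must still be able to reach.
BUSINESS_SAFELIST = [
    ("10.0.3.5", "tcp", 443, "patch server"),
    ("10.0.3.10", "udp", 53, "internal DNS"),
]

# Constructed IPS alerts in key=value form. 10.0.1.40 is probing SMB on several
# internal hosts; 10.0.1.51 is talking to an external peer on eMule's default
# TCP port (4662); 10.0.1.77 sent a single SQL probe.
SAMPLE_IPS_ALERTS = """\
2006-12-01T10:00:01 sensor=core-ips sig=worm-propagation src=10.0.1.40 dst=10.0.2.15 proto=tcp dport=445
2006-12-01T10:00:02 sensor=core-ips sig=worm-propagation src=10.0.1.40 dst=10.0.2.16 proto=tcp dport=445
2006-12-01T10:00:03 sensor=core-ips sig=worm-propagation src=10.0.1.40 dst=10.0.2.17 proto=tcp dport=445
2006-12-01T10:00:04 sensor=core-ips sig=worm-propagation src=10.0.1.40 dst=10.0.3.5 proto=tcp dport=445
2006-12-01T10:00:05 sensor=dmz-ips sig=p2p-emule src=10.0.1.51 dst=203.0.113.9 proto=tcp dport=4662
2006-12-01T10:00:06 sensor=core-ips sig=sql-probe src=10.0.1.77 dst=10.0.3.20 proto=tcp dport=1433
"""


def parse_alerts(text):
    """Turn each alert line into a dict of its fields (dport as int)."""
    alerts = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, rest = line.split(" ", 1)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = ts
        fields["dport"] = int(fields["dport"])
        alerts.append(fields)
    return alerts


def derive_blocks(alerts, spread_threshold=3):
    """Decide, per (src, proto, dport), whether to block one flow or the whole segment."""
    per_key = defaultdict(set)
    for a in alerts:
        per_key[(a["src"], a["proto"], a["dport"])].add(a["dst"])
    blocks = []
    for (src, proto, dport), dsts in sorted(per_key.items()):
        internal = [d for d in dsts if ip_address(d) in INTERNAL_NET]
        if len(internal) >= spread_threshold:
            # Lateral spread: cut this source off from the segment on that port only.
            blocks.append({"src": src, "dst": str(INTERNAL_NET), "proto": proto,
                           "dport": dport, "scope": "segment"})
        else:
            for d in sorted(dsts):
                blocks.append({"src": src, "dst": d, "proto": proto,
                               "dport": dport, "scope": "flow"})
    return blocks


def render_iptables(blocks, chain="IPS_BLOCK"):
    """Render rules for a dedicated chain; ACCEPTs for business traffic come first."""
    lines = []
    quarantined = sorted({b["src"] for b in blocks if b["scope"] == "segment"})
    for src in quarantined:
        for dst, proto, port, label in BUSINESS_SAFELIST:
            lines.append(f"iptables -A {chain} -s {src} -d {dst} -p {proto} "
                         f"--dport {port} -j ACCEPT  # keep {label}")
    for b in blocks:
        lines.append(f"iptables -A {chain} -s {b['src']} -d {b['dst']} -p {b['proto']} "
                     f"--dport {b['dport']} -j DROP  # {b['scope']} block")
    return lines


if __name__ == "__main__":
    for rule in render_iptables(derive_blocks(parse_alerts(SAMPLE_IPS_ALERTS))):
        print(rule)
```

With the sample alerts, the SMB prober is blocked towards all of 10.0.0.0/8 on tcp/445 but can still reach the patch server on 443 and internal DNS, while the P2P and SQL-probe sources each get a single flow-level drop. Whether an internal firewall accepts such rules from a sensor, and through which authenticated channel, is a property of the products in use rather than of this sketch.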

Protecting Distributed Networks
Many corporate intranets are deployed to connect branch office networks, where security can often be perceived as less effective than at corporate headquarters. For example, postal service headquarters will have strong network security policies, but local post offices might not have as stringent procedures due to lack of IT personnel expertise. This kind of situation requires a remotely managed and operated security solution. The system should enforce the same kind of security rules in effect at headquarters to ensure there are no weak links in security and all locations are equally protected.

In another example, a multi-national company that has remote offices all over the globe has a comprehensive security policy that dictates what must be done to protect its assets. Unfortunately, many remote offices do not always follow the company's security policy, especially if it is not strictly enforced. The only way to make sure a company's security policy is followed everywhere is to centralize the enforcement of the approach.

Any comprehensive security solution makes use of centralized management that allows all branch offices to use the same access and intrusion prevention rules employed by headquarters. Centralized management also collates the security logs held on each site's local log server into a single, dynamically integrated view, so that reports drawing on every log server are fast and accurate. This helps companies adhere to regulatory requirements such as Sarbanes-Oxley or the Payment Card Industry security standard from Visa and MasterCard.
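The integrated log view mentioned above hides one practical trap: branch log servers stamp events in their own local time, so merging them naively puts events out of order. The following added example (written for this page, not the article's or any product's code) normalises constructed firewall log extracts from three assumed sites to UTC, merges them into one chronological stream and produces the kind of per-site summary an auditor asks for. The site names, firewall names and log format are all made up for the example.

```python
import heapq
from datetime import datetime, timezone

# Constructed log extracts from three site log servers. Each site logs in its
# local time zone (Helsinki +02:00, London +00:00, New York -05:00); all of
# these events actually happened within the same fifteen seconds.
BRANCH_LOGS = {
    "hq-helsinki": """\
2006-12-01T10:00:05+02:00 fw=hq-fw action=drop src=10.0.1.40 dst=10.0.2.15 dport=445
2006-12-01T10:00:09+02:00 fw=hq-fw action=allow src=10.0.1.15 dst=10.0.3.5 dport=443
""",
    "branch-london": """\
2006-12-01T08:00:07+00:00 fw=lon-fw action=drop src=10.1.1.8 dst=10.0.2.15 dport=445
""",
    "branch-newyork": """\
2006-12-01T03:00:08-05:00 fw=nyc-fw action=drop src=10.2.1.3 dst=10.0.2.15 dport=445
2006-12-01T03:00:20-05:00 fw=nyc-fw action=allow src=10.2.1.9 dst=10.0.3.5 dport=443
""",
}


def parse_site_log(site, text):
    """Yield (utc_time, site, fields) per line; a site's own log is already in order."""
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, rest = line.split(" ", 1)
        # fromisoformat keeps the offset; astimezone converts to a common clock.
        when = datetime.fromisoformat(stamp).astimezone(timezone.utc)
        fields = dict(kv.split("=", 1) for kv in rest.split())
        yield when, site, fields


def integrated_view(logs):
    """Merge the per-site streams into one chronological (UTC) sequence of events."""
    streams = [list(parse_site_log(site, text)) for site, text in logs.items()]
    # heapq.merge is a k-way merge of already-sorted inputs; the key orders by
    # UTC time and breaks ties by site name so the dicts are never compared.
    merged = heapq.merge(*streams, key=lambda e: (e[0], e[1]))
    return [(when.isoformat(), site, fields) for when, site, fields in merged]


def summarize(view):
    """Per-site drop counts and the destination most often targeted across all sites."""
    drops_per_site, dst_hits = {}, {}
    for _, site, f in view:
        drops_per_site.setdefault(site, 0)
        if f.get("action") == "drop":
            drops_per_site[site] += 1
            dst_hits[f["dst"]] = dst_hits.get(f["dst"], 0) + 1
    top_dst = max(dst_hits, key=dst_hits.get) if dst_hits else None
    return {"drops_per_site": drops_per_site,
            "top_dst": top_dst,
            "top_dst_hits": dst_hits.get(top_dst, 0)}


if __name__ == "__main__":
    view = integrated_view(BRANCH_LOGS)
    for when, site, fields in view:
        print(when, site, fields)
    print(summarize(view))
```

Seen site by site, each log shows one isolated drop; seen together in UTC, three sites dropped traffic to the same internal host on the same port within three seconds, which is the kind of pattern only the integrated view reveals.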

Security is a continuously living and evolving process. It has the ability to adapt to different threats that present risks for business. This requires agile protection mechanisms that are able to enforce and manage ever-changing security needs. A combination of IPS sensors and firewalls offers a protection strategy for small and medium businesses while providing an easy and fast way to maintain the security of internal networks.

This article originally appeared in the December 2006 issue of Security Products, pgs. 56-58.

About the author

Klaus Majewski
Klaus Majewski is an IPS product manager at Stonesoft.
