Beruflich Dokumente
Kultur Dokumente
for Defense-in-Depth
Securing the Network from the Inside Out
J o e l
S n y d e r
INTRODUCTION
The idea of perimeter defense when referring to a corporate network ignores common knowledge: that most successful and signicant security breaches dont come
from the outside. Serious issues often originate inside the network: everything from
worms, viruses, and Trojan horses to unsecured wireless networks, peer-to-peer mobile
communications and guest users can compromise the security of corporate networks.
To address these threats, the corporate network should no longer be a single homogeneous zone in which users connect from anywhere in the network and receive
the same levels of access. Instead, the network requires internal perimeterization and
defenses. Regulatory requirements also demand stringent controls on data ow within
the corporate network. Logging and auditing requirements put pressure at one end
of the spectrum, while rules regarding disclosure and information sharing are pushing
against the other side.
In addition, the notion of a perimeter in a corporate network is fast disappearing.
While site-to-site and remote access VPNs are extending the perimeter, employees
themselves are eroding the perimeter and making it weakeroften without being
aware of the impact they are having on network security.
For example, a mobile employee who connects a laptop to the Internet from a mobile
hotspot and is exposed to a worms or viruses can infect the corporate network when
the employee returns to the ofce.The rewall that stopped the worm at the perimeter is unable to stop this internal attack because it came from a trusted source. Similarly, an unsecured wireless access point (AP) in the corporate network can singularly
jeopardize the security provided by the perimeter rewall.
Privacy -
Problem
Challenges
Solution
Maintaining
authentication
databases for all types
of users and systems;
equipment that doesnt
support authentication
protocols
Authenticate users
(and perhaps devices)
within the network,
leveraging tools like
802.1X, RADIUS
and LDAP to provide
both authentication
and authorization
information
STRATEGY 1:
Authenticate and authorize all network users
There are two key challenges in implementing network user authentication: the lack of a centralized authentication database, and
the inability of some legacy systems to support modern protocols.
The clear choice for network authentication is IEEE 802.1X,
the IEEE standard for network authentication. As an open
Figure
New approaches to security require authentication for all users prior to
being granted network access. Centralized policy management drives
this new security architecture. Sophisticated new systems that centralize security can now enforce user access based on location, device
type and a myriad of other parameters.
The obvious place to start deploying network-based authentication using 802.1X is in the wireless network. As a
replacement for simple WEP authentication, 802.1X can be
used by itself or in conjunction with WPA or 802.11i security. Since wireless is becoming an obligatory technology for
most buildings, adding 802.1X both resolves the demand for
wireless and offers the opportunity to get acquainted with
the technology and the protocol.
B O T T O M
B A R
Virtual LANs extend the Ethernet standard by letting two different networks share the same wire. To keep the trafc separated,
each frame from each network is tagged with a VLAN number. At either end of a physical link, devices such as switches or routers know how to interpret the VLAN tags and break the trafc apart. End systems only see the trafc from the LAN they belong.
In effect, what used to require two sets of equipment and two physical wires can now be done with a single set of VLAN-capable
switches and routers.
Problem
Challenges
Solution
Need to separate
network-connected
entities into different
security and service
proles without
rewiring and
reengineering the
network
Use dynamic
assignment to VLANs
for devices and users
as a way to provide
coarse-grained
control of security at
the building level
STRATEGY 2
Use VLANs for trafc separation and
coarse-grained security
The key to successful use of security VLANs is dynamic assignment. While some ports in the network can be hard wired to a
particular VLAN (for example, in the server room or in the reception area of the company), assigning trafc to a VLAN should
be done dynamically based on the authentication provided by
the user (see Strategy 1, authenticate and authorize network
users). Dynamic assignment is a critical requirement in building
manageable networks. Static denition of security tends to cause
long-term maintenance problems and impedes mobility of end
users. By tying security to authentication information retrieved
at the point of network access, secure networks can support
quickly changing and moving user populations with minimum
stafng costs.
Challenges
Solution
Policy management
is difcult.
Firewalling has
become inexpensive,
but still represents
a considerable
premium over
simple switching
Build stateful
security policies
based on group
information,
applying policy at
the port level
STRATEGY 3
Use rewall technology for ne-grained security
Challenges
Solution
Build encryption
into the network
where possible and
where risk is high
STRATEGY 4
Place encryption throughout network to ensure privacy
Privacy of data throughout the enterprise is becoming a signicant issue. Because the network itself carries very sensitive data,
there is a strong need to protect that data from accidental or in5
When approaching privacy from a defense-in-depth pointof-view, the natural inclination is to build encryption into the
network itself. While IEEE 802.11i is helpful when discussing
privacy in WLANs, for the wireline side of the network, the alternatives are less clear-cut. Unfortunately, 802.11i doesnt apply
in a wired environment. Network managers are left in a standards
void, then, with no obvious analog to 802.11i for the wired
LAN. Additional alternatives for wireline encryption are proprietary link-encryption systems that offer security at the data link
layer, but no higher. Higher-layer encryption that can traverse
data links but stops short of the end systems is also an option.
For example, cooperating network equipment at the network
jack and the data center could encrypt data across multiple links
and switching/routing points.
COMMON SOLUTIONS
All wireless
Server-to-server wired
Client-to-server wired
Problem
Challenges
Solution
Identifying and
remediating threats to
network integrity in a
cost-effective way
Balancing threat
identication with
resource cost
Analyze requirements
for intrusion detection
and remediation and
nd a solution which
ts the networks real
requirements
STRATEGY 5
Detect threats to the integrity of the network
and remediate them
access to users who may have a wide variety of untrusted computing platforms. However, this same thinking is beginning to
move into the enterprise network.
The idea is simple: detect the security posture of the end system,
and use that information to control access. Actually implementing end-point security policy enforcement is another matter
entirely.
Although highly distributed networks are common deployment architectures, you may want to consider a more centralized
strategy when it comes to monitoring network integrity and
identifying threats. For example, pulling trafc back to a central
data center and a small number of switching and routing points
offers the opportunity to both monitor the network inexpensively and, where appropriate, install choke point technologies
such as intrusion prevention systems.
Problem
Challenges
Solution
STRATEGY 6
Include End-Point Security in Policy Enforcement
CONCLUSION
Defense in depth is process not a product. Its a proactive approach to thinking about security from the inside out. Certain
architectural approaches such as centralized security overlays lend
themselves well to solve today interior security problems. Security continues to be an ongoing process and constant vigilance
and user awareness play equally important roles in building the
best security posture for enterprise networks.
END