Special Focus: Network Security. From the September 2005 issue of Communications News.
Bring on the security gateway
Internal security is often overlooked when firewalls and IPS are already in place.
by Tamir Hardof
Just a few years ago, deploying an antivirus solution and a next-generation perimeter firewall would have been enough to let your IT security staff sleep at night, but those days are long gone. Antivirus solutions are point products that block known viruses; they are not designed even to recognize application-layer worms. Firewalls will remain critical for network security, but they do not address threats that bypass the perimeter, any more than a 10-foot wall stops a fly from flying over it or a mole from burrowing under it. Firewalls are the first line of a layered defense, but what do you do when the threats are already inside your perimeter?

Today's threat environment is about threats that emerge from inside the network, either through penetration of the perimeter or, more commonly, through a source that directly accesses the inside of the network. How many laptop users in your organization connect from home or from external locations such as airports, cafés and other public hotspots that lie beyond your company's perimeter defenses? These mobile laptops can become infected and then spread malicious code inside the LAN: their remote-access connections are an authorized tunnel right into the network. How many contractors, visitors, partners or temporary workers connect their laptops to your internal networks, and do you know what is on those laptops? In any of these scenarios, the laptops become potential carriers of malicious code and direct attacks that plug right into your internal network.

The first development to address this area was the intrusion-detection system (IDS): an array of servers and sensors deployed across a network to watch for and report on suspicious traffic. An IDS is strictly passive, however. At best it alerts IT managers to potential threats based on signatures, but it cannot respond to them. Furthermore, IDS solutions generate a large number of alerts and are inherently prone to an unacceptably high rate of false positives.
Evolutionary security path

The next step, the intrusion-prevention system (IPS), sits inline and can block traffic, but an IPS still relies primarily on signatures and faces the same challenge with false positives. In the effort to cut down on false alerts, an IPS can also suffer from false negatives, failing to identify and block unknown attacks. Standalone IPS products are confined to a limited deployment posture, primarily at the network perimeter, so they often miss activity generated inside the network. They attempt to prevent attacks aimed at compromising the internal network, but they try to do so from the perimeter. Unless internal traffic is inspected by an intelligent mechanism designed for the particular demands of securing the LAN, the internal network is still not secure.

An enterprise-wide view of the network is critical to exceptional security protection. Achieving this bird's-eye view requires a layered approach that integrates perimeter and internal security devices sharing not only central management but also central logging, reporting and event correlation, giving a more comprehensive ability to monitor and respond to attacks. To inspect and control all traffic on the LAN, a solution that sits inside the network, not at the perimeter, is required.

An internal security gateway offers not only a direct view for inspection and monitoring but also multiple advanced methods for reacting in real time to malicious or suspicious activity. It does this through traffic behavior analysis: the gateway "learns" what is normal and abnormal traffic on the segments it protects, and it can also check data against regularly updated signatures. Simply keeping up with emerging threats and vulnerabilities is not enough. Internal security gateways deliver not only updated signatures and new defense mechanisms in a timely manner but also advisories with detailed descriptions of vulnerabilities and threats, to stay ahead of the curve.
Network zone segmentation and quarantine capabilities are additional features that enhance internal security solutions. Zone segmentation lets IT managers assign different security levels to different areas of the network, giving added protection to high-value segments. Quarantining confines attacks and sequesters compromised devices.

Combining security and management components with forensics is also necessary, both to monitor the logging and reporting generated by gateway devices and to translate security events into actionable information. Automated aggregation and correlation of that data substantially reduces the time an IT team spends analyzing it, and isolates and prioritizes the real security threats. Correlation also surfaces activity that no single device would have detected on its own, and reduces business risk by enabling a response in real time.

While point IPS products offer limited security capabilities, many of their features are an important part of a complete security solution. Elements of intrusion prevention, such as application-layer security and attack blocking, are best deployed at multiple layers in the network rather than as a standalone point product. A firewall that offers these features is critical to protecting the network from hackers and malware that attempt to penetrate the perimeter. The distinction to note is that these features are equally important inside the network and on every host.

The best technology in the world still needs to be fiscally beneficial, delivering clearly recognizable value. Whether purchasing decision makers and IT teams are motivated by preventing business disruption, protecting productivity or meeting regulatory compliance, internal security is too vital to be addressed by anything less than an intelligent, multitiered security architecture that is scalable and specifically designed to protect the internal network.
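As an added illustration of the mechanisms the article describes (this is not code from the article or from Check Point), the following Python sketch shows how an internal gateway can combine signature matching with a learned traffic baseline, and then aggregate and correlate the resulting events per host so that an operator sees a short ranked list instead of a flood of raw alerts. A host scores higher when both detectors agree on it or when it touched a high-value zone, and a score above a threshold marks it as a quarantine candidate. The signatures, zone names, hosts and flow records are all constructed for the example, and the scoring weights and the quarantine threshold are arbitrary assumptions, not a product's actual policy.

```python
# Toy internal-gateway inspection: signature matching plus a learned traffic
# baseline, then per-host aggregation/correlation into prioritized alerts.
# Every flow, signature and zone below is constructed for this illustration.
from collections import defaultdict
from dataclasses import dataclass
from statistics import mean, pstdev

# Constructed signatures (name, destination port, byte marker): hypothetical,
# not taken from any vendor feed.
SIGNATURES = [
    ("smb-worm-probe", 445, b"\x90\x90\x90\x90"),
    ("http-cmd-inject", 80, b"cmd.exe"),
]
HIGH_VALUE_ZONES = {"finance"}  # segments an administrator marked high-value

@dataclass(frozen=True)
class Flow:
    src: str        # source host
    dst: str        # destination host
    dport: int      # destination port
    zone: str       # zone the destination sits in
    payload: bytes  # first bytes carried by the connection

def signature_hits(flow):
    """Names of signatures one flow matches (port plus byte marker)."""
    return [name for name, port, marker in SIGNATURES
            if flow.dport == port and marker in flow.payload]

def fan_out(window):
    """Distinct destinations each source host contacted in one time window."""
    per_src = defaultdict(set)
    for f in window:
        per_src[f.src].add(f.dst)
    return {src: len(dsts) for src, dsts in per_src.items()}

class FanOutBaseline:
    """Learns how many distinct hosts a source normally contacts per window."""
    def __init__(self, sigma=3.0, floor=5):
        self.sigma, self.floor = sigma, floor  # threshold = max(floor, mu + sigma*sd)
        self.mu = self.sd = 0.0
    def learn(self, windows):
        samples = [n for w in windows for n in fan_out(w).values()]
        self.mu, self.sd = mean(samples), pstdev(samples)
    def threshold(self):
        return max(self.floor, self.mu + self.sigma * self.sd)
    def anomalous_sources(self, window):
        t = self.threshold()
        return {src: n for src, n in fan_out(window).items() if n > t}

def inspect_window(window, baseline):
    """Raw events for one window: every signature match and fan-out anomaly."""
    events = [{"src": f.src, "type": "signature", "detail": name}
              for f in window for name in signature_hits(f)]
    events += [{"src": src, "type": "anomaly", "detail": f"{n} distinct destinations"}
               for src, n in baseline.anomalous_sources(window).items()]
    return events

def correlate(events, window):
    """Aggregate events per source host and rank them for the operator."""
    by_src, zones = defaultdict(list), defaultdict(set)
    for e in events:
        by_src[e["src"]].append(e)
    for f in window:
        zones[f.src].add(f.zone)
    alerts = []
    for src, evs in by_src.items():
        sigs = {e["detail"] for e in evs if e["type"] == "signature"}  # dedup repeats
        anomalies = sum(e["type"] == "anomaly" for e in evs)
        score = 3 * len(sigs) + 2 * anomalies
        if sigs and anomalies:
            score += 5  # two independent detectors agree on this host
        if zones[src] & HIGH_VALUE_ZONES:
            score += 4  # it touched a protected segment
        alerts.append({"src": src, "score": score, "events": len(evs),
                       "quarantine": score >= 10})
    return sorted(alerts, key=lambda a: -a["score"])

def run_demo():
    """Constructed traffic: three quiet learning windows, then one with trouble."""
    tls, http = b"\x16\x03\x01", b"GET / HTTP/1.1"
    quiet = [[Flow("10.1.1.9", f"10.1.2.{i}", 443, "corp", tls) for i in (1, 2, 3)]
             + [Flow("10.1.1.7", "10.1.3.20", 80, "finance", http)] for _ in range(3)]
    baseline = FanOutBaseline()
    baseline.learn(quiet)
    live = ([Flow("10.1.1.50", f"10.1.2.{i}", 445, "corp", b"\x90\x90\x90\x90AAAA")
             for i in range(1, 13)]                                 # worm-like sweep
            + [Flow("10.1.1.7", "10.1.3.20", 80, "finance",
                    b"GET /?x=cmd.exe HTTP/1.1")]                    # injection attempt
            + [Flow("10.1.1.9", "10.1.2.1", 443, "corp", tls)])      # normal

    return correlate(inspect_window(live, baseline), live)

if __name__ == "__main__":
    for alert in run_demo():
        print(alert)
```

Running the script prints two alerts: the host sweeping port 445 comes first, flagged for quarantine because the signature engine and the fan-out baseline agree on it, while the single injection attempt against the finance zone ranks second and stays below the quarantine threshold. Repeated hits on the same signature count once, which is the aggregation step that keeps one noisy host from burying a quieter but better-targeted attack in the operator's view.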
Tamir Hardof is product manager for Check Point Software Technologies, Redwood City, Calif.