Protecting your corporate network resources against internal and external threats
Today, enterprise-wide networking means connectivity to anyone, anywhere — whether the users are internal or external to your corporate network. With all of the advantages of such connectivity come unprecedented challenges to network security professionals. First and foremost among these is securing your company’s vital network resources against everything from inappropriate usage to outright attacks, which could originate from the Internet or from within your own corporation.
Protecting your network requires more than just controlling access to specific resources.
In addition to having powerful access control features, a complete network security solution must also be able to:
* Verify the identities of network users
* Encrypt sensitive data in transit
* Optimize the use of registered IP addresses
* Apply security to the content of network traffic
* Detect and respond to attacks in real time
* Provide complete audit information
Your solution must also be able to deliver all these capabilities for all of the applications your organization utilizes — for those currently in use and for applications in the future — without hindering network performance or restricting connectivity in any way.
Providing worldwide connectivity for your mobile and remote employees
Many organizations have discovered the tremendous cost advantages the Internet offers when compared with traditional remote access solutions involving expensive leased lines and modems. Yet, as more and more companies deploy Virtual Private Networks (VPNs) to connect remote and mobile workers to the corporate network, securing these mission-critical communications becomes a paramount concern.
There are two main components to ensuring the privacy of your company’s data as it travels over public networks like the Internet. First, the identities of both the remote client and the Internet gateway itself must be verified as accurately as possible. Second, once the identities are confirmed, sensitive data transmitted between client and gateway must be encrypted for privacy in transit. It is important that both the authentication and encryption capabilities integrate seamlessly with your existing network security solution, since maintaining access control is just as vital for VPN communications as for traditional network traffic.
For client-to-gateway VPNs in particular, manageability and ease of use are also of particular concern to network security managers. In order to progress beyond a pilot deployment, the solution must be easy to put in place and administer for potentially large numbers of remote clients — and it must be as seamless and transparent as possible for end users.
Using the Internet to lower your wide area data communication costs
Just as client-to-gateway VPNs are a cost-effective solution for granting network access to remote and mobile users, gateway-to-gateway or site-to-site VPNs enable organizations to leverage the Internet to dramatically reduce the costs of connecting offices at different locations. The need for strong authentication and encryption is just as critical as with remote access solutions, but site-to-site VPNs also bring new management challenges. The first is administering hardware and software at multiple remote locations that may not have experienced IT staff onsite. More generally, managing additional security policies at remote VPN sites can be extremely inefficient and ineffective if these solutions operate independently and have separate administrative interfaces.
Although the cost savings of Internet VPNs are compelling, transitioning critical communications from private, dedicated networks to the Internet can introduce poor performance and unreliable delivery. A truly effective VPN offers reliability, quality of service and superior application performance — even when based on unpredictable infrastructures like the Internet.
Providing your business partners with selective network access through a secure extranet
Once you’ve succeeded in connecting your individual remote users and branch offices to your network, the next challenge is to extend your enterprise network to key external users such as suppliers, strategic partners and customers. Without the assurance that every organization with which you’re connecting will deploy the same security technology as you do, the key requirement for interoperability is that all participants’ solutions comply with industry standard algorithms and protocols. The most critical standards are IPSec and IKE: IPSec defines the packet formats (AH and ESP) and the security associations that govern VPN traffic, while IKE is the key management protocol that negotiates those security associations and the keys used for encryption and authentication.
Once standards-based interoperability has been established, the extranet VPN must grant external partners access only to the specific resources they need, such as particular application servers. Here again is an example of the importance of integrating the VPN into your overall enterprise security policy, thus balancing the desire for connectivity with the need for tight access control. As you open your corporate network to increasing numbers of external users, you’ll need to ensure that your company’s resources are protected by a comprehensive and robust policy-based enterprise security solution.
Guaranteeing your secure network’s performance, reliability and availability
A natural consequence of increased Internet usage for business communications is network congestion, which can adversely affect the performance of mission-critical applications. Although the Internet is a powerful and cost-effective means of delivering valuable information resources to a wide variety of stakeholders, these benefits are not fully realized if users suffer from poor response times, gateway crashes or other network delays or failures.
For Internet and intranet gateways to be successful, they must perform all necessary security functions without imposing significant delays on the traffic they control. Specifically, firewalls must be able to maintain performance for both internal and external users while securing all necessary network services and protocols. As your business increases its reliance on Internet connectivity, your gateway machines will be the workhorses responsible for more and more network services – everything from inbound and outbound Web traffic and email to VPN connections. With bandwidth at a premium, you must be able to deliver reliable performance for the most important applications or users.
If network connectivity is mission-critical, then High Availability becomes a critical requirement for the necessary gateways. The primary objective of a High Availability firewall solution is to ensure that the network is secure and available 24/7 through hardware redundancy, software redundancy or a combination of both. When a failure occurs, the redundant or back-up components must keep the network secure and maintain existing connections in a manner that is completely transparent to end users. Truly effective solutions provide internal and external users with a maximum amount of reliable service, while simultaneously providing network administrators with maximum security.
Defining and enforcing user-level security policies across your network
The rapid adoption of the “extended enterprise” has caused an explosive increase in the number of applications, users and IP addresses in use across organizations. Managing user-level security information for multiple applications presents a formidable challenge. Network and security managers must often check redundant data stores to ensure that they are synchronized in order to maintain overall security. This challenge is partially addressed by the emergence of standards for directory services, most notably LDAP (Lightweight Directory Access Protocol), which allows multiple applications to share information about users. Many security applications, however, do not integrate with centralized directory services.
Furthermore, because most applications log IP addresses rather than the users behind those addresses, managers must correlate this address-based data with actual users or departments before it can be used for any type of analysis or planning. In environments where DHCP (Dynamic Host Configuration Protocol) is used, writing security policies in terms of IP addresses is not effective: an address is leased for a limited time and may belong to a different machine, and therefore a different user, from one day to the next.
Immediately detecting and responding to attacks and suspicious activity against your network
Protecting your network from intruders and unauthorized activity is one of the most critical aspects of enterprise security management. Internet misuse, although a serious threat, is only one security challenge that faces network managers. They must also protect valuable resources from internal attacks or unauthorized access by employees or by extranet partners. Viable intrusion detection technologies must not only identify suspicious activity, but they must be tightly integrated with the enterprise security solution in order to be able to respond immediately and prevent unauthorized access to the organization’s valuable network resources. Beyond simply achieving a quick response time to such activity, you’ll also want a solution that thoroughly logs unusual activity and notifies the appropriate IT personnel immediately, perhaps by email or pager.
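The detect-log-respond loop described above, as an added example that is not part of the original document: a small detector that reads firewall log lines, flags a source that probes many distinct ports within a short window, adds it to a block list and records an alert that could be forwarded to an operator. The log field layout, the threshold and the sample lines are all constructed for this illustration; a real gateway's log format will differ.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real gateway). Field layout assumed:
#   date time action src dst proto dport
SAMPLE_FW_LOG = """\
2024-03-04 10:00:01 drop 203.0.113.9 10.0.1.5 tcp 21
2024-03-04 10:00:01 drop 203.0.113.9 10.0.1.5 tcp 22
2024-03-04 10:00:02 drop 203.0.113.9 10.0.1.5 tcp 23
2024-03-04 10:00:02 drop 203.0.113.9 10.0.1.5 tcp 25
2024-03-04 10:00:03 accept 203.0.113.9 10.0.1.5 tcp 80
2024-03-04 10:00:03 drop 203.0.113.9 10.0.1.5 tcp 110
2024-03-04 10:00:04 drop 203.0.113.9 10.0.1.5 tcp 143
2024-03-04 10:00:04 accept 203.0.113.9 10.0.1.5 tcp 443
2024-03-04 10:00:05 drop 203.0.113.9 10.0.1.5 tcp 445
2024-03-04 10:00:05 drop 203.0.113.9 10.0.1.5 tcp 3389
2024-03-04 10:00:06 accept 10.0.2.17 10.0.1.5 tcp 443
2024-03-04 10:05:00 accept 10.0.2.17 10.0.1.5 tcp 443
2024-03-04 10:30:00 drop 198.51.100.4 10.0.1.5 tcp 22
"""

PORT_THRESHOLD = 10            # distinct destination ports from one source ...
WINDOW = timedelta(seconds=60) # ... seen within this sliding window

def parse_line(line):
    """Split one constructed log line into a record dict."""
    date, time, action, src, dst, proto, dport = line.split()
    return {
        "ts": datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"),
        "action": action, "src": src, "dst": dst,
        "proto": proto, "dport": int(dport),
    }

class ScanDetector:
    """Sliding-window port-scan detector with an integrated block-list response."""

    def __init__(self, threshold=PORT_THRESHOLD, window=WINDOW):
        self.threshold = threshold
        self.window = window
        self.events = defaultdict(deque)  # src -> deque of (ts, dport)
        self.blocked = set()              # sources the gateway should now drop
        self.alerts = []                  # records to hand to email/pager/SIEM

    def observe(self, rec):
        """Feed one record; return an alert dict if this record triggers one."""
        src, now = rec["src"], rec["ts"]
        q = self.events[src]
        q.append((now, rec["dport"]))
        # Evict events that fell outside the window (log is assumed time-ordered).
        while q and now - q[0][0] > self.window:
            q.popleft()
        distinct_ports = {port for _, port in q}
        if len(distinct_ports) >= self.threshold and src not in self.blocked:
            self.blocked.add(src)  # response: source goes onto the block list
            alert = {
                "src": src,
                "first_seen": q[0][0],
                "last_seen": now,
                "ports_probed": len(distinct_ports),
            }
            self.alerts.append(alert)
            return alert
        return None

def run_detector(log_text, threshold=PORT_THRESHOLD, window=WINDOW):
    """Replay a whole log through the detector and return it for inspection."""
    det = ScanDetector(threshold, window)
    for line in log_text.splitlines():
        det.observe(parse_line(line))
    return det

if __name__ == "__main__":
    det = run_detector(SAMPLE_FW_LOG)
    for alert in det.alerts:
        print(f"ALERT: {alert['src']} probed {alert['ports_probed']} ports "
              f"between {alert['first_seen']} and {alert['last_seen']}")
    print("blocked:", sorted(det.blocked))
```

The detector counts both accepted and dropped connections, since a scanner hitting open ports produces accepts rather than drops; the block-list update is the "respond immediately" step, and the alert record is what would be handed to the notification channel.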
Securely and efficiently managing your network’s IP address infrastructure
As networks become more central to your organization’s critical business operations, the number of computers and devices, each requiring an IP address and name, has grown exponentially, making the task of managing the IP address and name space increasingly difficult. The traditional methods of manually configuring the IP address of every computer and device on a network and editing corresponding network-based configuration files are no longer viable, being error-prone, labor-intensive and lacking the integration needed by today’s networks. The net result has been an IP address infrastructure that has no central control, is too expensive to manage, and cannot provide the scalability or reliability needed by the modern enterprise.
IP address management solutions that provide centralized management and distributed administration of your enterprise-scale IP network infrastructure can be extremely valuable in meeting these challenges, but only if tightly integrated with the overall network infrastructure, including the enterprise security policy. More specifically, the ability to map IP addresses to specific users, even when dynamically allocated, is critical to developing sound, user-based security policies.
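The IP-to-user mapping that the two passages above (the DHCP discussion and the paragraph on user-based policies) call for, as an added example that is not part of the original document: it rebuilds lease intervals from DHCP server log lines, resolves which user held an address at a given moment, and evaluates a user-based access rule against that identity. The log line shape is modelled on the ISC dhcpd DHCPACK/DHCPRELEASE messages, but the sample lines, the MAC-to-user table and the policy are constructed assumptions; in practice the user mapping would come from a directory such as LDAP or from an authentication system.

```python
import re
from datetime import datetime, timedelta

# Constructed DHCP server log (not a real capture). Message shape follows
# ISC dhcpd: "DHCPACK on <ip> to <mac> (<host>) via <if>" and
# "DHCPRELEASE of <ip> from <mac> (<host>) via <if>".
SAMPLE_DHCP_LOG = """\
2024-03-04 08:00:00 dhcpd: DHCPACK on 10.0.5.20 to 00:11:22:33:44:55 (alice-laptop) via eth0
2024-03-04 08:05:00 dhcpd: DHCPACK on 10.0.5.21 to 66:77:88:99:aa:bb (bob-desktop) via eth0
2024-03-04 12:00:00 dhcpd: DHCPRELEASE of 10.0.5.20 from 00:11:22:33:44:55 (alice-laptop) via eth0
2024-03-04 12:10:00 dhcpd: DHCPACK on 10.0.5.20 to cc:dd:ee:ff:00:11 (carol-laptop) via eth0
"""

# Hypothetical identity data: MAC address -> user (assumption; would normally
# be looked up in a directory or supplied by 802.1X/NAC).
MAC_TO_USER = {
    "00:11:22:33:44:55": "alice",
    "66:77:88:99:aa:bb": "bob",
    "cc:dd:ee:ff:00:11": "carol",
}

# Hypothetical user-based policy: resource -> set of permitted users.
POLICY = {"finance-db": {"alice", "carol"}}

DEFAULT_LEASE = timedelta(hours=8)  # assumed lease length for still-open leases

ACK_RE = re.compile(r"^(\S+ \S+) dhcpd: DHCPACK on (\S+) to (\S+) ")
RELEASE_RE = re.compile(r"^(\S+ \S+) dhcpd: DHCPRELEASE of (\S+) from (\S+) ")

def _ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M:%S")

def parse_leases(log_text, lease_time=DEFAULT_LEASE):
    """Return (ip, mac, start, end) intervals reconstructed from the DHCP log."""
    open_leases = {}  # ip -> (mac, start)
    intervals = []
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            when, ip, mac = _ts(m.group(1)), m.group(2), m.group(3).lower()
            # A fresh ACK for an address still marked leased closes the old interval.
            if ip in open_leases:
                old_mac, start = open_leases.pop(ip)
                intervals.append((ip, old_mac, start, when))
            open_leases[ip] = (mac, when)
            continue
        m = RELEASE_RE.match(line)
        if m:
            when, ip = _ts(m.group(1)), m.group(2)
            if ip in open_leases:
                mac, start = open_leases.pop(ip)
                intervals.append((ip, mac, start, when))
    # Leases never released are assumed to run for the full lease time.
    for ip, (mac, start) in open_leases.items():
        intervals.append((ip, mac, start, start + lease_time))
    return intervals

def user_for(ip, when, intervals, mac_to_user=MAC_TO_USER):
    """Resolve the user who held `ip` at time `when`, or None if unknown."""
    for lease_ip, mac, start, end in intervals:
        if lease_ip == ip and start <= when < end:
            return mac_to_user.get(mac)
    return None

def is_allowed(ip, when, resource, intervals, policy=POLICY):
    """Evaluate a user-based rule for traffic from `ip` at time `when`."""
    user = user_for(ip, when, intervals)
    return user is not None and user in policy.get(resource, set())

if __name__ == "__main__":
    leases = parse_leases(SAMPLE_DHCP_LOG)
    for probe in ("09:00:00", "12:05:00", "13:00:00"):
        when = _ts("2024-03-04 " + probe)
        print(probe, "10.0.5.20 ->", user_for("10.0.5.20", when, leases),
              "finance-db allowed:", is_allowed("10.0.5.20", when, "finance-db", leases))
```

The same address, 10.0.5.20, resolves to alice in the morning, to nobody in the gap after her release, and to carol in the afternoon; the policy decision follows the user, not the address, which is the point of integrating the address-management data with the security policy.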
Implementing an open security solution that enables integration with industry-leading and custom applications
As a network security manager, you are responsible for choosing from a dizzying array of specialized hardware and software products the appropriate tools to solve your organization’s network security and infrastructure needs. Although individual products are attractive as best-in-breed solutions in specific areas such as virus detection or authentication, you may also need to implement custom applications. And you need to deploy all of this on a variety of hardware platforms, from routers and switches up through high-end servers. Whether it’s comprehensive protection for your Internet gateway, heightened security for a particular departmental subnet or a firewall to guard a single critical machine, the best enterprise security solution will offer a choice of configurations and deployment platforms to meet your organization’s current and future needs.
The more applications you deploy and the further you extend your corporate network to external users, the more you’ll need to rely on an open, standards-based solution. Truly open solutions are not only based on industry standards for interoperability, but on solutions with published, open interfaces that allow custom programming when there are no existing products that meet your organization’s specific needs.
In the long term, the toughest challenge will be to be able to manage all of these products and platforms in a cohesive, centralized manner, while maintaining an enterprise network that’s both secure and flexible.
Managing the total cost of ownership across your secure network
A significant portion of the true cost of your enterprise network is the ongoing financial and human capital spent managing the entire solution. The ability to manage all elements of your enterprise security from a centralized, integrated console is what differentiates a cohesive, manageable, cost-effective solution from a mere patchwork of individual point products. Using separate, independent management interfaces for even a few technologies not only increases management overhead and its associated costs, but can introduce security risks if separate and redundant updates put network security enforcement points in an inconsistent state.