Network security is the biggest concern and priority of any network administrator today, but it is very difficult to get a good definition of network security. The security of any network lies in the ability of the administrator to control the traffic on the network. The extent to which the administrator can control the traffic ultimately determines the security of the network. We define network security as the ability to control the following:
- Network traffic to and from the Internet.
- Network traffic to and from the machines on the LAN.
- The behavior of each application and the network traffic generated by each application on each computer on the network.
- The users who can use each application.
Any network that can fulfill these four points will be secure from all internal and external threats.
Now let us examine how these four parts of network security translate to actual security. Operating system vulnerabilities are the most common method of attack against any computer. Stateful Inspection (SI) firewalls cannot protect against most attacks that exploit OS vulnerabilities.
Even firewalls that perform deep packet inspection fail because it is almost impossible for them to keep up with the long, ever-changing list of known OS exploits. The weakness of SI firewalls is that they are not very effective against attacks that propagate from inside. An attack on the internal network from a machine on the LAN will never be detected by the SI firewall because the packets will never pass through it.
Because of the implicit trust of the nodes on the LAN side, SI firewalls are vulnerable to Trojans. Once a Trojan has infected a machine on the LAN, the SI firewall will almost always allow that Trojan to send traffic to the Internet. Because of this, the Trojan may be able to send passwords and other corporate secrets to hackers, thereby creating a much bigger security problem for the users. Some SI firewalls can provide a little more protection by limiting the ports on which traffic can be sent out, but port 80 tunneling is frequently used by Trojans to bypass any attempt to block traffic via port-based filtering.
The only way to protect against OS vulnerabilities is to either apply all the available security patches or have a system that will detect malicious code. Applying security patches is time consuming and requires ceaseless vigilance in order to stay up to date.
Currently, there is no product on the market that can reliably and efficiently detect malicious code under all circumstances and prevent it from harming the system. I’ve set out with Neil to create a secure network for our business environment. In order to secure the network we will deploy, we must have the following components:
- Perimeter firewall.
- Desktop security: Firewall and IDS.
- Anti-virus and malicious code detectors.
- Network traffic monitoring and shaping.
- Central management.
The perimeter firewall is the first line of defense against attacks. Any incoming and outgoing traffic must pass through the perimeter firewall. Depending on the inspection capabilities we enable in the firewall, a large fraction of unauthorized and malicious traffic can be stopped. While perimeter firewalls have shortcomings and do not offer complete security, they are an integral component of a secure network. Without a perimeter firewall, a network is very vulnerable to attack.
Most of today’s security threats are aimed at the enterprise desktop. It is critical that a robust mechanism be used to secure the desktops inside our network. The typical attack pattern of today’s worm is to infect a machine and then use that machine’s resources to locate more potential victims. Desktop security can be divided into two parts.
First, one must prevent any intruders from infecting a machine. This is the realm of anti-virus and malicious code detection products. Second, one must prevent unauthorized incoming/outgoing network connections. This helps to prevent the spread of intrusions. Malicious code can infect the computers on a network in many ways, including viruses in e-mails, compromised executables, infected software downloaded from the Internet, etc.
Anti-virus software/hardware detects the presence of malicious code based on known signatures and filters it out. This signature-based method has the advantage of a low false positive rate and does not require too much user intervention. The downside is that the signatures must be continually updated, and it therefore provides no security against unknown attacks. More than likely, we will also need to use some sort of IDS (intrusion detection system). Firewalls and IDS systems control the type of traffic that is allowed to and from the network. The ability to monitor and shape this network traffic helps improve network security.
For example, if one is able to monitor all traffic at the network perimeter, one obtains a good idea about the nature of incoming network traffic, types of attacks, etc. Similarly, by monitoring the traffic on the LAN side, one can cross-check that network flow is according to the specified rules and that there is no misuse of networking resources. Unfortunately, most security products do a very poor job of providing a reasonable picture of what the network traffic flow is like. If the administrators are not able to visualize the network traffic, they will not be able to easily administer or secure it. Network-based IDSs operate very much like anti-virus systems: they detect intrusions based on known signatures. Earlier intrusion detection systems were passive and would only raise an alarm once an intrusion was detected.
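As an added example of the LAN-side monitoring described above (this is not code from the original essay), the script below parses a small, constructed flow log, checks each outbound flow against an allowed-egress port list, and summarizes per-host port-80 traffic so that a host fanning out to many destinations or pushing an unusual volume over port 80 stands out. The log format, addresses, port list and thresholds are all assumptions made for illustration.

```python
# Added example, not part of the original page: summarize outbound flows per LAN
# host and flag policy violations and suspicious port-80 fan-out.
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed flow records: "timestamp src_ip dst_ip dst_port bytes_out".
FLOW_LOG = """\
10:00:01 10.0.0.12 198.51.100.7 80 1200
10:00:02 10.0.0.12 198.51.100.7 443 3100
10:00:05 10.0.0.31 203.0.113.5 80 900
10:00:06 10.0.0.31 203.0.113.6 80 900
10:00:07 10.0.0.31 203.0.113.7 80 900
10:00:08 10.0.0.31 203.0.113.8 80 48000
10:00:09 10.0.0.31 203.0.113.9 80 900
10:00:10 10.0.0.31 203.0.113.10 80 900
10:00:11 10.0.0.20 198.51.100.7 25 400
10:00:12 10.0.0.20 198.51.100.9 6667 200
"""

# Assumed egress policy: the only destination ports LAN hosts may initiate to.
ALLOWED_EGRESS_PORTS = {25, 80, 443}

Flow = Tuple[str, str, str, int, int]  # (timestamp, src, dst, dst_port, bytes_out)


def parse_flows(text: str) -> List[Flow]:
    """Turn the whitespace-separated log into typed tuples, skipping blank lines."""
    flows: List[Flow] = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, nbytes = line.split()
        flows.append((ts, src, dst, int(port), int(nbytes)))
    return flows


def policy_violations(flows: List[Flow], allowed=ALLOWED_EGRESS_PORTS) -> List[Tuple[str, str, int]]:
    """Flows whose destination port is outside the egress policy."""
    return [(src, dst, port) for _, src, dst, port, _ in flows if port not in allowed]


def summarize_port(flows: List[Flow], port: int = 80) -> Dict[str, Dict[str, int]]:
    """Per source host: number of distinct destinations and total bytes on one port."""
    per_host = defaultdict(lambda: {"destinations": set(), "bytes_out": 0})
    for _, src, dst, dport, nbytes in flows:
        if dport == port:
            per_host[src]["destinations"].add(dst)
            per_host[src]["bytes_out"] += nbytes
    return {
        host: {"destinations": len(v["destinations"]), "bytes_out": v["bytes_out"]}
        for host, v in per_host.items()
    }


def flag_hosts(summary: Dict[str, Dict[str, int]], max_destinations: int = 5,
               max_bytes: int = 50_000) -> List[str]:
    """Hosts exceeding either the fan-out or the volume threshold (assumed values)."""
    return sorted(
        host for host, s in summary.items()
        if s["destinations"] > max_destinations or s["bytes_out"] > max_bytes
    )


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    print("policy violations:", policy_violations(flows))
    summary = summarize_port(flows, 80)
    for host, s in sorted(summary.items()):
        print(f"{host}: {s['destinations']} destinations, {s['bytes_out']} bytes on tcp/80")
    print("flagged:", flag_hosts(summary))
```

The thresholds are deliberately crude; in practice they would be tuned per host role, and the summary would be kept over time so that a change in a host's behavior, rather than a fixed number, triggers the alert.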
Some of the newer systems can create rules on the fly to stop the spread of intrusions. Most network-based intrusion detection systems degrade performance because every packet requires searching a large signature database. On a fast Ethernet or gigabit Ethernet network, this will overwhelm most processors. Sometimes the intrusion signature may even be split over several packets, in which case the system will fail to detect the intrusion. We will be more likely to use some sort of host-based IDS because they catch the actual source of the intrusion, the malicious program, and not just the symptom, the packets. Network security has many components, and every network has many vulnerable points. The ability to centrally manage, monitor, and respond to potential security threats is critical for the security of any network.
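To make the split-signature failure mode above concrete, here is an added example (not code from the original essay or from any real IDS) of a toy signature matcher run two ways over the same constructed capture: once per packet, which misses a pattern that straddles two segments, and once over the reassembled stream, which catches it. The signature list, packet contents and sequence numbers are constructed for illustration.

```python
# Added example, not part of the original page: per-packet signature matching
# versus matching on the reassembled stream.
from dataclasses import dataclass
from typing import List

# Constructed signature "database" of a toy NIDS; not real detection content.
SIGNATURES = [b"GET /cgi-bin/evil.sh", b"cmd.exe /c"]


@dataclass
class Packet:
    src: str
    dst: str
    seq: int          # sequence number of the first payload byte, TCP style
    payload: bytes


def match_per_packet(packets: List[Packet]) -> List[str]:
    """Naive inspection: test each signature against every packet in isolation."""
    hits = []
    for pkt in packets:
        for sig in SIGNATURES:
            if sig in pkt.payload:
                hits.append(sig.decode())
    return hits


def reassemble(packets: List[Packet]) -> bytes:
    """Order one flow's packets by sequence number and join their payloads."""
    ordered = sorted(packets, key=lambda p: p.seq)
    return b"".join(p.payload for p in ordered)


def match_stream(packets: List[Packet]) -> List[str]:
    """Stream-aware inspection: match signatures against the reassembled flow."""
    stream = reassemble(packets)
    return [sig.decode() for sig in SIGNATURES if sig in stream]


# Constructed capture: one request whose signature straddles two segments that
# also arrive out of order, as can happen on a real network.
CAPTURE = [
    Packet("10.0.0.5", "192.0.2.10", seq=13, payload=b"evil.sh HTTP/1.0\r\n\r\n"),
    Packet("10.0.0.5", "192.0.2.10", seq=0,  payload=b"GET /cgi-bin/"),
]

if __name__ == "__main__":
    print("per-packet:", match_per_packet(CAPTURE))   # []
    print("stream:    ", match_stream(CAPTURE))       # ['GET /cgi-bin/evil.sh']
```

Reassembly is what fixes the miss, but it is also where the performance cost the essay mentions comes from: the sensor must buffer and order segments per flow before it can search the signature database, which is the work that overwhelms a processor on a fast link.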
Central management guarantees consistent security policies and ensures that policies are correctly enforced. The root cause of network vulnerability is the inability to manage network security. Most networks are not equipped to control and monitor traffic in the ways I outlined here. Security management is often overlooked in favor of performance. Historically, networks have been faster than both routers and computers.
However, as predicted by Moore’s law, the processors have become much faster, and in many cases, the gateways and nodes on the LAN are no longer the bottleneck. The network itself is now the bottleneck. For example, almost any laptop or desktop can send unencrypted data at a rate of 100 Mb/s, but average bandwidth to the Internet is only 1.5 Mb/s. In addition, managing security is a complex task, and it becomes more difficult as the network grows and the security threats multiply.
Most small and mid-size corporations will have anywhere from 100-5000 machines in a very dynamic environment. The myriad facets of security, coupled with a patchwork of authentication methods and access controls, further compound the problem. In comparison, Neil and I will probably use 20-150 units in a very static and homogeneous environment. Almost no LAN traffic, even in the most secure networks, is encrypted. Those with wired LANs may not consider it important to encrypt traffic on the LAN because there is already some level of protection: the adversary is unable to access the physical medium over which data is being transported.
This, however, is not the case for wireless LANs. Because of flaws in the wireless security protocols, and due to the fact that sometimes devices are misconfigured or left with factory default settings, an adversary may be able to gain access to the network traffic or even compromise the entire network. Therefore we won’t be using any wireless devices. But an even bigger threat is the belief in proxy application firewalls as a catch-all. Application proxy firewalls intercept all traffic from local hosts and create a proxy network connection. Application layer filtering has long been considered the cure for a large number of attacks that target vulnerabilities in applications, as well as for Trojans that try to mimic well-known applications.
The advantage of this approach is that local hosts that have unpatched applications and are vulnerable to application exploits can be protected by a proxy firewall that is well patched against those exploits. Proxy firewalls can also filter out unacceptable commands, e.g., disallowing PUT or GET in FTP connections or disallowing ActiveX controls in web connections. While the general idea of the proxy firewall has some merits, its utility in real life is limited. For example, most applications provide enough control so that a proxy is not necessary.