Do you know what is attached to your network? Do you really
know what's inside the devices attached to your network? Are your
security technologies able to understand more than just the threats
from PCs and people? If you cannot answer these three questions
with 100% certainty, then your network is at risk.
Corporate networks are predicted to grow exponentially over the
next five years. However, little of that growth will be from adding
new people to the network. Instead, growth will come from a desire
to "IP-enable" everything that we possibly can.
From IP-enabled phones to IP inventory systems based on radio
frequency identification technology, the possibilities are
limitless, and it is crucial that an enterprise's security model
evolves in accordance with the technology.
There are four approaches that can eliminate the risks.
The first is to apply access control to IP devices. Although a
Windows PC may use technology such as 802.1X to authenticate its
identity and gain access to the network, a photocopier or camera
cannot. That does not mean the need for access control should be
ignored, but rather that new and different methods of access control
for such devices must be used.
Secondly, many companies have begun to offer proactive protection
tools for the typical Windows PC. They usually involve the
placement of an agent on the PC, which informs the network of the
patch, AV and configuration state of the PC, so that mis-configured
PCs are controlled.
Although this is a great method for a PC, it is usually quite hard
to find an IP device that can accept such an agent. In order to
determine the risk of a machine, a network-based assessment must be
used on attachment.
Typically, this technique involves some sort of vulnerability
scanning tool linked to the policy rules of the switches or access
points, so that when the scan sees unusual configurations (open
ports, strange responses to probes, etc.) the network can act to
control such risk.
The third requirement in the machine-centric world is the ability
to provide assistance in the remediation of mis-configured systems
after isolation.
Manual remediation of issues on a PC can be done via a floppy disk
or CD-ROM. However, IP-enabled devices only allow updates via the
network interface. This makes putting a machine into quarantine
undesirable - you cannot simply turn off the port it is attached to
when a problem occurs. Instead, a much more granular level of
control is needed, where the attached switch or access point can
suppress all protocols and applications except for the inbound
administrative ones needed to update the device.
This type of quarantine policy is found only on the most
sophisticated policy-enabled networking devices and far exceeds the
quarantine VLAN model that is generally used.
The final component needed to support a secure machine-centric
network model is the ability to deliver a dynamic response
capability.
Although access control and proactive protection allow a network to
decide who and what should be allowed onto the system, there is
still a risk of an authorised system becoming compromised after
attachment. As such, the communications network must use
traditional and new detection capabilities coupled with rapid
location and policy adjustment functions.
For example, if a radiology server in a hospital gets infected with
a virus after it is in operation, the most likely first detection
of this situation will come from effective intrusion detection
systems in the network.
These systems will see the attack and know the IP address of the
source, but they can do little to suppress the situation fully. By
having a network infrastructure that can be told of the detected
threat and search for the interface of the offending station it is
attached to, a local policy change can remove, suppress or
quarantine the system.
This link between detection, location and response is currently
found only in advanced secure network products, but it will be
critical in the machine-centric network as the number of nodes
increases beyond the ability of IT staff to perform these steps
manually in a timely manner.
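The detection, location and response chain just described, together with the per-port quarantine from the remediation section (everything suppressed except inbound administrative protocols), as an added example that is not from the original article or from Enterasys: the ARP cache, switch MAC table, alert and admin port set are all constructed sample data.

```python
"""Added example: turn an IDS alert into a per-interface quarantine policy."""
from dataclasses import dataclass

# Constructed sample data (not from any real network).
# ARP cache: IP -> MAC, and per-switch MAC table: MAC -> learned interface.
ARP_TABLE = {"10.20.30.40": "00:11:22:33:44:55",
             "10.20.30.41": "00:11:22:33:44:66"}
MAC_TABLE = {"sw-radiology-1": {"00:11:22:33:44:55": "Gi1/0/7",
                                "00:11:22:33:44:66": "Gi1/0/8"}}
# Inbound administrative TCP services (assumed: SSH and HTTPS) that must stay
# reachable so the quarantined device can still be patched over the network.
ADMIN_TCP_PORTS = frozenset({22, 443})

# Constructed IDS alert, already parsed into fields.
SAMPLE_ALERT = {"signature": "worm propagation attempt", "src_ip": "10.20.30.40"}


@dataclass(frozen=True)
class QuarantinePolicy:
    """Granular quarantine applied on one switch interface."""
    switch: str
    interface: str
    allowed_inbound_tcp: frozenset = ADMIN_TCP_PORTS

    def permits(self, direction: str, proto: str, dst_port: int) -> bool:
        """Only inbound TCP flows to an admin port are allowed; all else is dropped."""
        return (direction == "inbound" and proto == "tcp"
                and dst_port in self.allowed_inbound_tcp)


def locate_interface(src_ip: str):
    """Resolve the offending IP to a MAC, then to the switch/interface it is learned on."""
    mac = ARP_TABLE.get(src_ip)
    if mac is None:
        return None
    for switch, table in MAC_TABLE.items():
        if mac in table:
            return switch, table[mac]
    return None


def respond_to_alert(alert: dict):
    """Detection -> location -> response; returns None if the host cannot be located."""
    location = locate_interface(alert["src_ip"])
    if location is None:
        return None
    return QuarantinePolicy(switch=location[0], interface=location[1])


if __name__ == "__main__":
    policy = respond_to_alert(SAMPLE_ALERT)
    print(policy, policy.permits("inbound", "tcp", 22), policy.permits("outbound", "tcp", 445))
```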
These four techniques - access control, proactive protection,
assisted remediation and dynamic response - have initially been
applied to protect and respond to the threats of the Windows PC. As
networks inevitably expand from the introduction of IP-enabled
devices of every kind, these tools will be critical in delivering a
secure network.
The challenge will be to expand their assumptions and capabilities
to properly protect the enterprise from threats and risk
originating from any type of entity that could attach to it.
John Roese is chief technology officer at Enterasys Networks