Appgate Network Security's proposal for network security
won the Jericho Forum challenge at last month's Black Hat
conference in Las Vegas.
Jericho Forum, whose members include chief information security
officers at global businesses, had set a challenge to the IT
industry to provide security technology to support the level of
openness required in modern businesses.
The main focus of Jericho Forum members is to push forward the
idea of deperimeterisation, which proposes the removal of a
hardened network security perimeter.
The winners, Tomas Olovsson and Jamie Bodley-Scott of Appgate,
presented a paper titled "Balancing the equation: Enterprises
moving to the deperimeterised world need to adopt a 'core'
mentality based on controlled access to systems". In it they
recommended users switch from a central firewall complex to a set
of centrally controlled distributed firewalls.
In Appgate's proposal, the central firewall is replaced by a set
of distributed firewalls that are installed on all clients and
servers. Appgate recommended that these firewalls be centrally
controlled and configured dynamically to allow or deny traffic on
the network.
The paper also advised IT managers to ensure that applications
and application servers are invisible to unauthorised users. The
authors said this was an important first step and would also
increase internal security.
Under the system, authentication and authorisation requests are
handled through a central Kerberos server. The system is also able
to specify whether encryption for confidentiality and/or integrity
should be demanded before granting access to data or documents.
Olovsson and Bodley-Scott said user authentication and
authorisation should be supported on a large number of devices,
from desktop systems to handheld devices and mobile phones.
They said a generic client in Java should be used. In order to
support large deployments, the proposed system would need to handle
not only new applications but also integrate with older and legacy
applications.
According to Olovsson and Bodley-Scott, since protection is
deployed in the end-points (i.e., clients and servers on the
network), very close to the applications, it is possible to have a
very detailed knowledge of events and the centrally collected logs
can be very accurate, further boosting security.
Key points for implementing deperimeterisation
- Authorise users through a Kerberos server which issues a
"ticket" to a user to enable access to an application
- Check user credentials using Lightweight Directory Access
Protocol
- Load digital certificates on end-user devices or implement a
one-time-password system via a phone SIM card
- Intercept IP traffic using a Virtual Ethernet driver
- Run Java-based client software that supports SSH
tunnelling
- Encrypt application network traffic using the Secure Sockets
Layer protocol
- Use front-end servers to facilitate communications between new
systems and legacy IT
- Protect each application server with firewalls
- Install personal firewalls to provide access to workstations
only if users have a valid Kerberos ticket.
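The endpoint-enforced model described above (host firewalls on every client and server, rules pushed from a central controller, access only with a valid Kerberos-style ticket, an optional demand for encryption, and centrally collected logs) as an added illustration in Python; this is not Appgate's code or the paper's, and the ticket and rule fields are assumptions made for the sketch.

```python
from dataclasses import dataclass

@dataclass
class Ticket:                      # assumed shape of a Kerberos-style service ticket
    user: str
    service: str                   # service principal the ticket was issued for
    expires: int                   # constructed epoch seconds
    confidentiality: bool = False  # session negotiated encryption (assumed field)
    integrity: bool = False        # session negotiated integrity protection (assumed field)

@dataclass
class Rule:                        # one entry of the centrally managed policy
    service: str
    users: frozenset
    require: str = "none"          # "none", "integrity" or "confidentiality"

class Controller:
    """Central policy store: pushes rules to every endpoint and collects its logs."""
    def __init__(self):
        self.endpoints, self.log = [], []
    def enrol(self, fw):
        self.endpoints.append(fw); fw.controller = self
    def push(self, rules):         # dynamic reconfiguration of all hosts at once
        for fw in self.endpoints:
            fw.rules = {r.service: r for r in rules if r.service in fw.services}

class EndpointFirewall:
    """Host-resident firewall on a client or server; enforces the pushed rules."""
    def __init__(self, host, services):
        self.host, self.services, self.rules, self.controller = host, set(services), {}, None
    def admit(self, service, ticket, now) -> bool:   # ticket may be None
        rule, verdict = self.rules.get(service), "drop"
        if rule is None:
            reason = "no rule"                        # unknown service: silently dropped
        elif ticket is None or ticket.service != service:
            reason = "no valid ticket for service"    # server stays invisible
        elif ticket.expires <= now:
            reason = "ticket expired"
        elif ticket.user not in rule.users:
            reason = "user not authorised"
        elif rule.require == "confidentiality" and not ticket.confidentiality:
            reason = "encryption required"
        elif rule.require == "integrity" and not (ticket.integrity or ticket.confidentiality):
            reason = "integrity protection required"
        else:
            verdict, reason = "accept", "ok"
        if self.controller:        # every decision is reported centrally with its reason
            self.controller.log.append((self.host, service, ticket.user if ticket else "-", verdict, reason))
        return verdict == "accept"
```

Because the endpoint decides before the application ever sees the packet, a caller without a ticket gets no response at all, and the central log records why each connection was dropped.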