Wireless connectivity, mobile workers and network
convergence make security a moving target, but too many users still
ignore the basics of good practice
It is easy to see why the IT managers responsible for network
security have a hard time increasing their budgets. Business bosses
understandably wonder why the money they handed over last year has
not fixed the problem. What is the point of pouring more money into
yet more firewalls, intrusion detection systems and anti-virus
software if the problem will not go away?
The standard IT reply is that security threats continue to grow,
and that we will always need new technology and techniques to
combat them. And as other parts of the company load more
applications onto the network, the threat profile changes. Voice
over IP, for instance, makes network security and performance far
more important.
But are these arguments valid? The fact remains that despite all
the money and effort poured into network security, companies
continue to experience security breaches, both from the internet
and from within their organisations. Yet many of these problems
could be easily avoided.
For instance, failing to patch known vulnerabilities is one of
the most common security errors. The SQL Slammer worm that
caused such chaos three years ago exploited a known buffer overflow
in SQL Server 2000. Thousands of companies were badly hit simply
because they had not applied a patch that had been available for
six months.
An associated problem is the misconfiguration of network
components, which can leave the whole organisation exposed to
outside threats. Products installed with default passwords and
configurations are an open invitation to hackers, but the problem
goes well beyond defaults.
"The biggest problem is configuration errors in any part of the
network - firewalls, switches, routers," says Tim Leehealey, head
of business development at Guidance Software.
He points out that networks are complex and constantly changing.
"Management systems do not cut it in giving you a comprehensive
view of how everything is configured and understanding where the
conflicts might be," he says.
"Inevitably, you end up with something misconfigured - a
firewall that will accidentally let you establish a connection from
outside and go into certain servers, or a firewall that is more
lenient than the router that sits in front of it and therefore
largely useless. Lots of things that look innocuous by themselves
are, when viewed with the whole network, a security hole."
Rhodri Davies, technical architect at security consultancy
Vistorm, says problems often arise from a basic lack of
understanding of the network, and where defences should be
placed.
"We have seen cases where a firewall has just been plugged into
a patch panel," he says. "When you track the connections you find
that the inside and outside of the firewall and the internal and
external networks have all been patched together."
Davies warns that configuring a firewall is no trivial task. "An
ordered firewall rules base may seem simple enough to understand,
but there can be problems if you do not consider carefully what a
source or destination network really includes, particularly when
adding to existing rules. There are ways of structuring
configurations to minimise the risks of making mistakes later. But
do not assume that because someone can drive the graphical
interface, the result will be secure."
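Both of the points above, Leehealey's that a rule can look innocuous on its own yet open a hole when read against the rest of the network, and Davies's that an ordered rule base goes wrong when nobody asks what a source or destination network really includes, can be checked mechanically. The following Python is an added example and not code from the article, from Guidance Software or from Vistorm; the zone names, address plan and rule base in it are constructed for illustration. It models a first-match rule base, reports rules that a single earlier rule already hides, and reports "allow" rules whose networks overlap zones the author did not intend.

```python
"""Static checks on an ordered, first-match firewall rule base.

Reports (1) rules that can never fire because a single earlier rule
already matches everything they would match, and (2) 'allow' rules whose
source or destination network really includes more zones than the author
intended. Zones and rules below are constructed for this example; they
are not taken from any real firewall."""
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed address plan: what each internal zone actually occupies.
ZONES = {
    "users":   "10.10.0.0/16",
    "servers": "10.20.0.0/16",
    "dmz":     "10.50.0.0/16",
    "mgmt":    "10.99.0.0/24",
}

@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp" or "any"
    src: str                # CIDR the rule actually matches
    dst: str
    dport: Optional[int]    # None = any destination port
    src_zone: str           # zone the author *meant* by src
    dst_zone: str           # zone the author *meant* by dst

def _net(cidr):
    return ipaddress.ip_network(cidr, strict=False)

def covers(earlier: Rule, later: Rule) -> bool:
    """True if every packet 'later' could match is already matched by 'earlier'."""
    if earlier.proto not in ("any", later.proto):
        return False
    if earlier.dport is not None and earlier.dport != later.dport:
        return False
    return (_net(later.src).subnet_of(_net(earlier.src)) and
            _net(later.dst).subnet_of(_net(earlier.dst)))

def shadowed_rules(rules):
    """(rule, earlier rule hiding it) pairs. Conservative: a rule hidden only
    by the union of several earlier rules is not reported."""
    found = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                found.append((later.name, earlier.name))
                break
    return found

def zones_touched(cidr):
    """Names of zones the CIDR overlaps: what the network 'really includes'."""
    net = _net(cidr)
    return sorted(z for z, zc in ZONES.items() if net.overlaps(_net(zc)))

def overly_broad(rules):
    """Allow rules that reach zones other than the one the author intended."""
    found = []
    for r in rules:
        if r.action != "allow":
            continue
        extra_src = sorted(set(zones_touched(r.src)) - {r.src_zone})
        extra_dst = sorted(set(zones_touched(r.dst)) - {r.dst_zone})
        if extra_src or extra_dst:
            found.append((r.name, extra_src, extra_dst))
    return found

def first_match(rules, proto, src_ip, dst_ip, dport):
    """The rule a first-match firewall would actually apply to this packet."""
    s, d = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if (r.proto in ("any", proto) and (r.dport is None or r.dport == dport)
                and s in _net(r.src) and d in _net(r.dst)):
            return r
    return None

# Constructed rule base. Rule 2 was meant as "users to servers" but was
# written as 10.0.0.0/8 on both sides, which also takes in the DMZ and the
# management network, and it silently hides the later deny.
RULES = [
    Rule("allow-users-https",  "allow", "tcp", "10.10.0.0/16", "10.20.0.0/16", 443,  "users", "servers"),
    Rule("allow-internal-any", "allow", "any", "10.0.0.0/8",   "10.0.0.0/8",   None, "users", "servers"),
    Rule("allow-dmz-http",     "allow", "tcp", "10.50.0.0/16", "10.20.0.0/16", 80,   "dmz",   "servers"),
    Rule("deny-dmz-to-mgmt",   "deny",  "any", "10.50.0.0/16", "10.99.0.0/24", None, "dmz",   "mgmt"),
    Rule("deny-all",           "deny",  "any", "0.0.0.0/0",    "0.0.0.0/0",    None, "any",   "any"),
]

if __name__ == "__main__":
    print("shadowed:", shadowed_rules(RULES))
    print("broader than intended:", overly_broad(RULES))
    hit = first_match(RULES, "tcp", "10.50.1.1", "10.99.0.5", 22)
    print("DMZ host -> mgmt SSH is decided by:", hit.name)
```

On the constructed rule base the "deny-dmz-to-mgmt" rule is reported as shadowed and an SSH connection from the DMZ to the management network is decided by "allow-internal-any": exactly the kind of rule that looks fine on its own and is a hole when read against the whole network. The shadowing check is deliberately conservative; a rule hidden by the combination of several earlier rules needs a full set-difference analysis, which is what commercial rule-base analysers do.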
Anthony Rawlings, managing consultant at IT consultancy Xantus,
adds that networks are constantly changing, with devices being
added or moved. Such changes need to be reflected in the firewall
rules, but he says this is often overlooked.
Part of the problem is that companies often have separate
infrastructure and security teams; unless the two talk to each
other, such errors slip through. Rawlings favours having system
changes signed off by someone other than the person who made
the changes. "We need a team to sit outside of the operation, doing
nothing but checking and auditing what has happened," he says.
"They could also do penetration testing as well."
That other great stalwart of traditional security, the intrusion
detection system (IDS), can also prove problematic. The IDS is like
a burglar alarm on the network, telling you when someone is trying
to do something they should not. But unless the IDS is properly
tuned and monitored, it becomes like one of those alarms that goes
off all the time: people stop responding and nobody calls the
police.
As Phil Cracknell, UK president of global information security
organisation the Information Systems Security Association (ISSA),
points out, unless you have some kind of incident plan, and people
know what they should do, or who to report to, then monitoring is
an expensive waste of money.
Cracknell, who is also the new director of technology assurance
at Deloitte, recommends that users carry out a regular review of
the network, as the whole infrastructure is likely to be in a
constant state of flux. Without initial and ongoing planning, he
says, new devices and segments will be appended to the existing
logical structure in an ad hoc manner.
"Periodic assessment of the functionality, traffic and use of
systems, their location physically and logically, and the network
rights of those systems should be conducted," Cracknell says.
"With a poorly designed architecture, security incidents start
to become hard, if not impossible, to detect. Network convergence
can rapidly compound such problems. Inclusion of VoIP, wireless and
multimedia traffic in even the most expertly configured network
architectures can bring the environment to its knees."
Cracknell's advocacy of a holistic approach is echoed by Paul
Simmonds, head of information security at chemicals firm ICI and a
founding member of security user group the Jericho Forum. Unless
companies really understand their network traffic, he says, the
first they know of a worm attack is when the network slows
down.
This lack of understanding also convinces companies to work on
what Simmonds perceives as "the flawed assumption that the internal
network is secure" and that network-based security schemes - such
as network intrusion detection systems, Network Admission Control
from Cisco and Network Access Protection from Microsoft - will keep
you safe. Equally, he says, companies "do not understand the systems
connecting to their network. Dynamic Host Configuration Protocol
(DHCP) and BootP allow any system to connect."
The biggest challenge for business, as the Jericho Forum has
underlined, is knowing where the network begins and ends.
Customers, suppliers, consultants and remote workers all expect to
have seamless access to your systems, which means the traditional
hard perimeter approach to security can no longer be effective.
Most people agree that a more layered form of defence is required,
rather than relying on a single hard shell.
But how do you control this more fluid workforce without
stopping legitimate workers from doing their job? As anyone with a
laptop knows, the first thing you do when visiting another office
is look for a spare Ethernet socket to plug into, and quite often
you are successfully connected in seconds.
"This becomes a major problem where the physical perimeter
allows untrusted individuals, including visitors or contractors,
inside it," Cracknell says. He recommends disabling switch ports
and floor and wall sockets until they are required.
And one way around the problem of DHCP, which hands an address to
any new connection, is to allocate addresses only to known media
access control (MAC) addresses, although this can be a network
administration headache. A machine with an unknown MAC address is
not given an address and so cannot join the network fully. Bear in
mind that a MAC address is trivially changed on most operating
systems, so this raises the bar for a casual visitor rather than
stopping a determined intruder.
Wireless networks and mobile workers present a further
challenge. The mobile worker can bring in viruses acquired outside
and infect the rest of the organisation. And the worker who decides
he would rather work by the window and installs a wireless access
point can expose the company to anyone sitting outside with a
computer.
Some form of network access control can go a long way to
mitigating these threats by imposing pre-conditions on any endpoint
devices trying to gain access to the network. A virtual private
network (VPN) will create an encrypted connection for remote
workers, which protects the traffic in transit but says nothing
about the security of the devices at either end of it.
But, as Steve Matthews of Context Information Security warns,
even VPNs (specifically SSL VPNs) can create security holes for
hackers to climb in. "In one particular instance, Context
identified that an SSL VPN was running an admin console with PHP
command.exe, which enabled us to take full control of the system
and get full access to the network behind it. The perception of the
SSL VPN was that, because it was a security device, it would be
secure in itself," he says.
And while most companies are adopting encryption, such as WPA2,
for their wireless networks, Matthews warns that many laptops are
open to attack. "Because many users of wireless laptops will
connect to a number of different access points - wireless hotspots
in airports, hotels, cafes, not to mention their own homes - we
increasingly identify clients broadcasting association requests for
different service set identifiers," he says. A laptop that probes
for network names it has used before will join any access point that
answers to one of them, so an attacker can impersonate a known
network, intercept the connection and, for instance, direct the user
to a bogus website.
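The probe requests Matthews describes are visible to anyone in radio range. The following Python is an added example and not code from the article or from Context Information Security: it parses 802.11 probe request management frames (24-byte header followed by information elements) and reports which client is asking for which network names. The frames, client MAC addresses and SSIDs such as "Corp-WLAN" are constructed inline so the example runs offline; in practice the bytes would come from a monitor-mode capture, which is not shown.

```python
"""Parse 802.11 probe request frames and report which SSIDs each client is
asking for. Frames here are constructed in code (no capture needed); in
practice they would come from a monitor-mode capture. Added example."""
import struct
from collections import defaultdict

FC_PROBE_REQ = 0x40   # frame control byte 0: type 0 (management), subtype 4
FC_BEACON = 0x80      # type 0, subtype 8; used only as a non-probe frame below
BROADCAST = b"\xff" * 6
IE_SSID = 0           # information element ID for the SSID

def build_mgmt_frame(fc0: int, src_mac: str, ies: bytes) -> bytes:
    """Constructed 24-byte management header followed by information elements."""
    sa = bytes.fromhex(src_mac.replace(":", ""))
    header = (struct.pack("<BBH", fc0, 0x00, 0)   # frame control, duration
              + BROADCAST + sa + BROADCAST        # addr1 (DA), addr2 (SA), addr3 (BSSID)
              + struct.pack("<H", 0))             # sequence control
    return header + ies

def build_probe_request(src_mac: str, ssid: str) -> bytes:
    """Probe request for one SSID; an empty SSID is the wildcard probe."""
    s = ssid.encode()
    ies = bytes([IE_SSID, len(s)]) + s
    ies += bytes([1, 4, 0x82, 0x84, 0x8B, 0x96])  # supported rates 1, 2, 5.5, 11 Mb/s
    return build_mgmt_frame(FC_PROBE_REQ, src_mac, ies)

def parse_probe_request(frame: bytes):
    """Return (source MAC, SSID) for a probe request, else None."""
    if len(frame) < 24 or (frame[0] & 0xFC) != FC_PROBE_REQ:
        return None                                # wrong type/subtype (version bits masked)
    sa = ":".join(f"{b:02x}" for b in frame[10:16])
    body, i = frame[24:], 0
    while i + 2 <= len(body):                      # walk the ID/length/value elements
        eid, elen = body[i], body[i + 1]
        data = body[i + 2:i + 2 + elen]
        if len(data) < elen:
            return None                            # truncated element: stop, do not guess
        if eid == IE_SSID:
            return sa, data.decode("utf-8", errors="replace")
        i += 2 + elen
    return None

def probed_ssids(frames):
    """Client MAC -> set of named SSIDs it has probed for (wildcard excluded)."""
    seen = defaultdict(set)
    for f in frames:
        parsed = parse_probe_request(f)
        if parsed is None:
            continue
        sa, ssid = parsed
        bucket = seen[sa]                          # record the client even if it only sends wildcards
        if ssid:
            bucket.add(ssid)
    return dict(seen)

def chatty_clients(frames, threshold=2):
    """Clients probing for at least 'threshold' distinct names. Each name is one
    a rogue access point could answer to and have the laptop join it."""
    return sorted(mac for mac, s in probed_ssids(frames).items() if len(s) >= threshold)

# Constructed traffic: one laptop that has joined hotspots everywhere, one that
# only sends wildcard probes, one that knows only the office network, and a
# beacon (body simplified) to show non-probe frames are ignored.
FRAMES = [
    build_probe_request("aa:bb:cc:00:00:01", "Corp-WLAN"),
    build_probe_request("aa:bb:cc:00:00:01", "Airport_Free_WiFi"),
    build_probe_request("aa:bb:cc:00:00:01", "HotelGuest"),
    build_probe_request("aa:bb:cc:00:00:01", ""),
    build_probe_request("aa:bb:cc:00:00:02", ""),
    build_mgmt_frame(FC_BEACON, "de:ad:be:ef:00:01", bytes([IE_SSID, 4]) + b"Acme"),
    build_probe_request("aa:bb:cc:00:00:03", "Corp-WLAN"),
]

if __name__ == "__main__":
    for mac, names in probed_ssids(FRAMES).items():
        print(mac, sorted(names))
    print("clients a rogue access point could lure:", chatty_clients(FRAMES))
```

The client that only sends wildcard probes gives an attacker nothing to impersonate, which is the behaviour the "lock clients to limit broadcasting requests" advice in the checklist is aiming for; the laptop that names three networks is the one a rogue access point set up outside the building can lure.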
But security needs to be a mix of people, process and
technology. The best security comes from having well-trained and
motivated staff, who will not click on dodgy e-mail attachments,
and will not be lured into spyware-infected websites.
And like every other aspect of the security jigsaw, security
training and awareness is not a one-off exercise. It needs to be a
continuous programme of education, incentive and information.
Network Security Best Practice
● Keep patches up to date
● Do not leave devices in default configurations
● Review the whole network regularly to see what has changed
● Have an incident response plan so that IDS and monitoring alerts are acted on
● Train staff to be security-aware
● Disable unused switch ports and network sockets
● Scan regularly for rogue wireless access points
● Apply endpoint security – check that devices meet minimum
standards
● Encrypt wireless networks and lock clients to limit broadcasting
requests