For years network security has been seen as central to preventing the undesirable outside world gaining access to corporate networks. The rationale was that if the network perimeter was protected, hackers could not get in.
IT security managers have used firewalls to define the applications that can access the network by opening and closing firewall ports; intrusion detection to monitor network activity and intrusion prevention systems, to stop unauthorised access. In this scenario, the corporate network is treated like a walled garden with access careful controlled through a strict IT security policy. Authorised users are given role-based access to applications and data behind the corporate firewall. New products are constantly being developed and existing ones enhanced to support the changing requirements of modern network security.
However, the Jericho Forum, IT security chiefs group, has identified a drawback with taking this approach to corporate IT security. Businesses rely on a firewalls to keep the good things in and the bad things out, but this does not reflect how businesses now operate.
|More guides to network security|
The use of firewalls to define a hard corporate network perimeter cannot cope with businesses that work with external partners, or provide hot-desking and tele-working for staff. At global engineering firm Arup, for instance, joint ventures are part of how the business work. Collaboration with external companies is critical.
"We use site-to-site virtual private networks with access control," says Mark Judge, group IT security manager at Arup. When long-term access to the corporate network is required, Judge says Arup segments its network, which effectively creates a walled garden around joint venture projects, providing access for business partners to a defined area of the corporate network without reducing the overall level of security on the network.
According to Paul Simmonds, a chief security officer and founding member of Jericho Forum, "In the future, most [business data] will be outside the organisation, so security must be designed for the internet."
Rather than making sure the network is secure, Simmonds, says, "from a purist's point of view, security is about providing good network quality of service."
Maintaining quality of service involves ensuring network applications are not affected when a hacker attacks the network with a denial of service attack, or employees decide to stream the Six Nations Rugby on their office PCs across the very expensive corporate wide area network.
Computacenter practice leader Colin Williams says businesses are focusing on an application-oriented approach to network security. Specifically, he has seen greater interest in universal threat management appliances, which combine techniques such as intrusion detection, intrusion prevention and virtual private network security, all in a single box.
"Two to three years ago, appliances were not fast enough to run everything at the same time," says Williams, since they needed to check IP traffic at the speed of the network. But with modern UTM devices, he says, it is now possible to monitor network traffic at "wire speed" ie without affecting bandwidth.
Network security usually relies on monitoring the front-end (or header) in a TCP/IP packet to determine if it is legitimate. According to Chenxi Wang, an analyst at Forrester Research, "Header-only processing limits what you can see from packet processing and, hence, cannot detect content-based threats or differentiate applications using common communication platforms like http [web traffic]."
Deep Pack Inspection (DPI) overcomes this by allowing network managers to monitor the actual data passing over the network. Instead of simply banning staff from using applications like Skype, Gmail, Hotmail or Facebook, DPI can determine exactly what information is being sent out of the corporate network.
However, DPI has many limitations. First, it is a complex and often expensive piece of technology. the risk of wrongly categorising legitimate traffic is high (false positives) and many experts regard DPI as an intrusion on people's privacy.
"DPI is very much a hot potato," warns Rhys Williams, communications partner at international law firm Bird & Bird. "There may be a number of perfectly legitimate reasons why operators might wish to implement DPI technology on their networks, for example network management purposes.
"There may well, however, also be RIPA [Regulation of Investigatory Powers Act 2000] and DPA [Data Protection Act 1998] implications in any analysis of data packets. There is a difference between monitoring a network to ensure that traffic shaping is as efficient as possible and examining data packets for other purposes, such as blocking or prioritising traffic for commercial purposes. A number of players in the market have expressed concerns over this latter approach as a potential invasion of privacy."
Further Williams says, "Operators will need to be very careful to ensure that any such use of DPI complies with both RIPA and the Data Protection Act."
But despite Virgin Media's love of DPI, it may not be the answer you seek. Data has to be protected. Today this means strong data encrption, audited access to confidential files and locked-down PCs. In such an environment, network security will still have a role.
Simmonds at the Jericho Forum believes the future of network security will involve packet-level network security. In other words, the network will understand what protocols are running, stopping anything it does not recognise.
Photo credit: Dan Talson/Rex Features
This was first published in April 2010