Four techniques that will become essential for securing growing IP-enabled networks

IP devices are creating a network architecture that demands better security

Do you know what is attached to your network? Do you really know what's inside the devices attached to your network? Are your security technologies able to understand more than just the threats from PCs and people? If you cannot answer these three questions with 100% certainty, then your network is at risk.

Corporate networks are predicted to grow exponentially over the next five years. However, little of that growth will be from adding new people to the network. Instead, growth will come from a desire to "IP-enable" everything that we possibly can.

From IP-enabled phones to IP inventory systems based on radio frequency identification technology, the possibilities are limitless, and it is crucial that an enterprise's security model evolves in accordance with the technology.

There are four approaches that, taken together, can substantially reduce these risks.

The first is to apply access control to IP devices. Although a Windows PC may use technology such as 802.1X to authenticate its identity and gain access to the network, a photocopier or camera typically cannot. That does not mean the need for access control should be ignored, but rather that new and different methods of access control for such devices must be used. Where a device is admitted on the basis of its MAC address alone, remember that a MAC address can be spoofed, so such admission should be combined with checks on how the device behaves once attached.

Secondly, many companies have begun to offer proactive protection tools for the typical Windows PC. They usually involve the placement of an agent on the PC, which informs the network of the patch, AV and configuration state of the PC, so that mis-configured PCs are controlled.

Although this is a great method for a PC, it is usually quite hard to find an IP device that can accept such an agent. In order to determine the risk of a machine, a network-based assessment must be used on attachment.

Typically, this technique involves some sort of vulnerability scanning tool linked to the policy rules of the switches or access points, so that when the scan sees unusual configurations (open ports, strange responses to probes, etc) the network can act to control such risk.
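As an added example of the assessment step, not code from the article or from any Enterasys product, the following checks a freshly attached device's open ports against the port profile expected for its class and decides whether the switch or access point should allow, restrict or quarantine it. The device classes, expected-port profiles and the scan result are constructed for illustration; the device class is assumed to come from an inventory or fingerprinting step that is outside this example.

```python
"""Network-based assessment on attachment (added example, constructed data).

A scan of a newly attached IP device yields its open ports.  The device is
compared with the expected-port profile for its class; services no managed
device should expose trigger quarantine, other unexpected ports trigger a
restricted policy, and a clean scan is allowed through.
"""
from dataclasses import dataclass

# Hypothetical expected-port profiles per device class (constructed).
PROFILES = {
    "ip-phone": {5060, 5061},
    "printer": {515, 631, 9100},
    "ip-camera": {80, 443, 554},
}

# Services that no managed IP device should expose (constructed policy).
FORBIDDEN = {21: "ftp", 23: "telnet", 135: "msrpc", 445: "smb"}


@dataclass
class ScanResult:
    ip: str
    device_class: str   # assumed to come from inventory or fingerprinting
    open_ports: set     # ports reported open by the attachment-time scan


@dataclass
class Decision:
    action: str         # "allow", "restrict" or "quarantine"
    findings: list      # human-readable reasons for the action


def assess(scan):
    """Map a scan result to a policy decision for the attaching port."""
    expected = PROFILES.get(scan.device_class)
    if expected is None:
        # A device whose class we do not know gets no trust at all.
        return Decision("quarantine",
                        [f"unknown device class {scan.device_class!r}"])

    findings = []
    forbidden = scan.open_ports & set(FORBIDDEN)
    for port in sorted(forbidden):
        findings.append(f"forbidden service {FORBIDDEN[port]} on port {port}")

    unexpected = scan.open_ports - expected - set(FORBIDDEN)
    for port in sorted(unexpected):
        findings.append(f"unexpected open port {port}")

    if forbidden:
        action = "quarantine"
    elif unexpected:
        action = "restrict"   # permit only the profile's ports for this class
    else:
        action = "allow"
    return Decision(action, findings)


if __name__ == "__main__":
    # Constructed scan: a printer that also answers on telnet.
    printer = ScanResult("10.20.30.50", "printer", {631, 9100, 23})
    print(assess(printer))
```

The decision is deliberately conservative: an unknown device class is treated the same as a device exposing a forbidden service, because an unrecognised box is exactly the case the questions at the top of the article warn about.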

The third requirement in the machine-centric world is the ability to provide assistance in the remediation of mis-configured systems after isolation.

Manual remediation of issues on a PC can be done via a floppy disc or CD-Rom. However, IP-enabled devices typically allow updates only via the network interface. This makes putting a machine into an isolating quarantine undesirable - you cannot simply turn off the port it is attached to when a problem occurs, because that also removes the only path by which it can be fixed. Instead, a much more granular level of control is needed, where the attached switch or access point can suppress all protocols and applications except for the inbound administrative ones needed to update the device.

This type of quarantine policy is found only on the most sophisticated policy-enabled networking devices and far exceeds the quarantine VLAN model that is generally used, which merely moves the device to another broadcast domain rather than controlling which protocols it may speak.

The final component needed to support a secure machine-centric network model is the ability to deliver a dynamic response capability.

Although access control and proactive protection allow a network to decide who and what should be allowed onto the system, there is still a risk of an authorised system becoming compromised after attachment. As such, the communications network must use traditional and new detection capabilities coupled with rapid location and policy adjustment functions.

For example, if a radiology server in a hospital gets infected with a virus after it is in operation, the most likely first detection of this situation will come from effective intrusion detection systems in the network.

These systems will see the attack and know the IP address of the source, but they can do little to suppress the situation fully. By having a network infrastructure that can be told of the detected threat and search for the interface of the offending station it is attached to, a local policy change can remove, suppress or quarantine the system.

This link between detection, location and response is currently found only in advanced secure network products, but it will be critical in the machine-centric network as the number of nodes increases beyond the ability of IT staff to perform these steps manually in a timely manner.
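The detection, location and response link described above, together with the granular quarantine policy from the remediation section, as an added example that is not code from the article or from any Enterasys product: an IDS alert names a source IP; the infrastructure maps it to a MAC address via an ARP cache, finds the edge port on which that MAC was learned (ignoring uplinks, where the same MAC also appears), and emits a quarantine policy for that port that keeps only inbound administrative protocols open instead of shutting the port. The ARP cache, forwarding tables, uplink list, management subnet and alert are all constructed; the rule format is a vendor-neutral illustration, not any switch's syntax.

```python
"""Detection -> location -> response (added example, constructed tables)."""
import ipaddress
from dataclasses import dataclass

# Constructed ARP cache of the device subnet's router: ip -> mac.
ARP = {
    "10.20.30.40": "00:11:22:33:44:55",   # the article's radiology server
    "10.20.30.41": "00:11:22:33:44:66",
    "10.20.30.42": "00:11:22:33:44:77",   # seen on an uplink only
}

# Constructed forwarding tables: switch -> {mac: port}.  A MAC is learned on
# every switch along its path, so it also appears on uplinks; only the entry
# on a non-uplink port identifies the device's own edge port.
FDB = {
    "dist-1": {"00:11:22:33:44:55": "Te1/1",
               "00:11:22:33:44:66": "Te1/1",
               "00:11:22:33:44:77": "Te1/1"},
    "edge-3": {"00:11:22:33:44:55": "Gi1/0/7"},
    "edge-4": {"00:11:22:33:44:66": "Gi1/0/12"},
}
UPLINKS = {("dist-1", "Te1/1"), ("edge-3", "Gi1/0/48"), ("edge-4", "Gi1/0/48")}

MGMT_NET = ipaddress.ip_network("10.0.0.0/24")   # constructed admin subnet
ADMIN_PORTS = (22, 443)                           # SSH and HTTPS for updates


@dataclass(frozen=True)
class Location:
    switch: str
    port: str
    mac: str


def locate(ip):
    """Return the edge switch/port for ip, or None if it cannot be pinned down."""
    mac = ARP.get(ip)
    if mac is None:
        return None
    seen = [(sw, table[mac]) for sw, table in FDB.items() if mac in table]
    edges = [(sw, port) for sw, port in seen if (sw, port) not in UPLINKS]
    if len(edges) != 1:
        # Only on uplinks, or on several edge ports (MAC flapping): do not guess.
        return None
    sw, port = edges[0]
    return Location(sw, port, mac)


def quarantine_rules(ip):
    """Granular quarantine: admin protocols from the management net only.

    Rule tuple: (action, proto, src, sport, dst, dport); "any" is a wildcard.
    """
    rules = []
    for dport in ADMIN_PORTS:
        # admin station -> device, and the device's replies back to it
        rules.append(("permit", "tcp", str(MGMT_NET), "any", f"{ip}/32", dport))
        rules.append(("permit", "tcp", f"{ip}/32", dport, str(MGMT_NET), "any"))
    rules.append(("deny", "any", "any", "any", "any", "any"))
    return rules


def respond(alert):
    """Turn an IDS alert into a port-level action, or escalate if no port is found."""
    loc = locate(alert["src_ip"])
    if loc is None:
        return {"action": "escalate", "src_ip": alert["src_ip"],
                "reason": "edge port not found"}
    return {"action": "quarantine", "src_ip": alert["src_ip"],
            "switch": loc.switch, "port": loc.port, "mac": loc.mac,
            "rules": quarantine_rules(alert["src_ip"])}


def render(rules):
    """Print-friendly form of the rule list."""
    return "\n".join(f"{a} {p} {s} {sp} -> {d} {dp}" for a, p, s, sp, d, dp in rules)


if __name__ == "__main__":
    # Constructed alert for the article's infected radiology server.
    r = respond({"src_ip": "10.20.30.40", "signature": "worm propagation"})
    print(r["action"], r.get("switch"), r.get("port"))
    print(render(r.get("rules", [])))
```

Two points matter in practice. The location step refuses to act when the MAC is seen only on uplinks or on more than one edge port, because applying a policy to the wrong port is worse than escalating to a human. And the response leaves SSH and HTTPS open from the management subnet, so the device can still be patched while everything else it tries to speak is dropped.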

These four techniques - access control, proactive protection, assisted remediation and dynamic response - have initially been applied to protect and respond to the threats of the Windows PC. As networks inevitably expand from the introduction of IP-enabled devices of every kind, these tools will be critical in delivering a secure network.

The challenge will be to expand their assumptions and capabilities to properly protect the enterprise from threats and risk originating from any type of entity that could attach to it.

John Roese is chief technology officer at Enterasys Networks
