Keep watch beyond the perimeter

Wireless connectivity, mobile workers and network convergence make security a moving target, but too many users still ignore the basics of good practice

It is easy to see why the IT managers responsible for network security have a hard time increasing their budgets. Business bosses understandably wonder why the money they handed over last year has not fixed the problem. What is the point of pouring more money into yet more firewalls, intrusion detection systems and anti-virus software if the problem will not go away?

The standard IT reply is that security threats continue to grow, and that we will always need new technology and techniques to combat them. And as other parts of the company load more applications onto the network, the threat profile changes. Voice over IP, for instance, makes network security and performance far more important.

But are these arguments valid? The fact remains that despite all the money and effort poured into network security, companies continue to experience security breaches, both from the internet and from within their organisations. Yet many of these problems could be easily avoided.

For instance, a failure to patch known vulnerabilities is one of the most common security errors. The SQL Slammer outbreak that caused such chaos three years ago exploited a known vulnerability in SQL Server. Thousands of companies were severely damaged by it just because they had failed to apply a patch that had been available for six months.

An associated problem is the misconfiguration of network components, which can leave the whole organisation exposed to outside threats. Products installed with default passwords and configurations are an open invitation to hackers, but the problem is far more complex.

"The biggest problem is configuration errors in any part of the network - firewalls, switches, routers," says Tim Leehealey, head of business development at Guidance Software.

He points out that networks are complex and constantly changing. "Management systems do not cut it in giving you a comprehensive view of how everything is configured and understanding where the conflicts might be," he says.

"Inevitably, you end up with something misconfigured - a firewall that will accidentally let you establish a connection from outside and go into certain servers, or a firewall that is more lenient than the router that sits in front of it and therefore largely useless. Lots of things that look innocuous by themselves are, when viewed with the whole network, a security hole."

Rhodri Davies, technical architect at security consultancy Vistorm, says problems often arise from a basic lack of understanding of the network, and where defences should be placed.

"We have seen cases where a firewall has just been plugged into a patch panel," he says. "When you track the connections you find that the inside and outside of the firewall and the internal and external networks have all been patched together."

Davies warns that configuring a firewall is no trivial task. "An ordered firewall rules base may seem simple enough to understand, but there can be problems if you do not consider carefully what a source or destination network really includes, particularly when adding to existing rules. There are ways of structuring configurations to minimise the risks of making mistakes later. But do not assume that because someone can drive the graphical interface, the result will be secure."

Anthony Rawlings, managing consultant at IT consultancy Xantus, adds that networks are constantly changing, with devices being added or moved. Such changes need to be reflected in the firewall rules, but he says this is often overlooked.

The problem can arise because companies have separate teams involved on infrastructure and security. Unless they talk to each other, such errors can arise. Rawlings favours having system changes signed off by someone different from the person who made the changes. "We need a team to sit outside of the operation, doing nothing but checking and auditing what has happened," he says. "They could also do penetration testing as well."
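The two firewall mistakes described above, a rule that an earlier, broader rule quietly shadows, and a "source network" that includes more than its name suggests, can both be caught mechanically in the kind of independent check Rawlings describes. The following is an added example, not code from the article or from any of the consultancies quoted in it: a small audit of an ordered, first-match rule base. The rule base, the addresses and the "untrusted" DMZ range are all constructed for the example, and it handles IPv4 only.

```python
# Added example (not from the article): audit an ordered, first-match firewall
# rule base for two mistakes: rules that an earlier, broader rule shadows, and
# "allow" rules whose source range includes a network that is not trusted.
# IPv4 only; rule base, addresses and the untrusted range are constructed.
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    name: str
    action: str            # "allow" or "deny"
    src: str               # CIDR; "0.0.0.0/0" means any source
    dst: str               # CIDR; "0.0.0.0/0" means any destination
    port: Optional[int]    # None means any port


def _net(cidr: str):
    return ipaddress.ip_network(cidr, strict=False)


def _within(inner: str, outer: str) -> bool:
    """True if every address in `inner` is also in `outer`."""
    a, b = _net(inner), _net(outer)
    if a.version != b.version:      # subnet_of() raises on mixed IP versions
        return False
    return a.subnet_of(b)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet `inner` would match is already matched by `outer`."""
    return (_within(inner.src, outer.src)
            and _within(inner.dst, outer.dst)
            and (outer.port is None or outer.port == inner.port))


def shadowed_rules(rules: List[Rule]) -> List[Tuple[str, str]]:
    """Rules that can never fire because an earlier rule already covers their
    whole match space. Returns (shadowed rule, rule that shadows it) pairs."""
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if covers(earlier, later):
                findings.append((later.name, earlier.name))
                break
    return findings


def allows_from_untrusted(rules: List[Rule], untrusted: List[str]) -> List[Tuple[str, str]]:
    """'allow' rules whose source range overlaps a network listed as untrusted,
    i.e. the source really includes more than its name suggests."""
    findings = []
    for rule in rules:
        if rule.action != "allow":
            continue
        src = _net(rule.src)
        for cidr in untrusted:
            bad = _net(cidr)
            if src.version == bad.version and src.overlaps(bad):
                findings.append((rule.name, cidr))
    return findings


# Constructed rule base: "internal" was written as 10.0.0.0/8, forgetting that
# the DMZ (10.200.0.0/16) lives inside that range, and the DMZ deny sits
# below the broader allow, so it can never fire.
RULES = [
    Rule("allow-web-from-any", "allow", "0.0.0.0/0", "10.10.1.0/24", 443),
    Rule("allow-internal-to-db", "allow", "10.0.0.0/8", "10.20.5.10/32", 1433),
    Rule("deny-dmz-to-db", "deny", "10.200.0.0/16", "10.20.5.10/32", 1433),
    Rule("allow-partner-web", "allow", "203.0.113.0/24", "10.10.1.0/24", 443),
    Rule("deny-all", "deny", "0.0.0.0/0", "0.0.0.0/0", None),
]
UNTRUSTED = ["10.200.0.0/16"]   # the DMZ


def audit(rules=RULES, untrusted=UNTRUSTED):
    return {
        "shadowed": shadowed_rules(rules),
        "allow_from_untrusted": allows_from_untrusted(rules, untrusted),
    }


if __name__ == "__main__":
    for kind, findings in audit().items():
        for finding in findings:
            print(kind, *finding)
```

The audit reports that deny-dmz-to-db can never fire because allow-internal-to-db already covers it, and that allow-partner-web is redundant beneath the any-source web rule. It also lists every allow rule whose source reaches the DMZ, including the deliberate any-source rule; whether each is intended is a decision for the reviewer, which is the point of having someone other than the author sign the change off. Moving the DMZ deny above the internal allow removes the first finding, as the test shows.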

That other great stalwart of traditional security, the intrusion detection system (IDS), can also prove problematic. The IDS is like a burglar alarm on the system, telling you when someone is trying to do something they should not. But unless the IDS is properly configured and monitored, it becomes like one of those annoying alarms that goes off all the time - people do not bother to respond or call the police.

As Phil Cracknell, UK president of global information security organisation the Information Systems Security Association (ISSA), points out, unless you have some kind of incident plan, and people know what they should do, or who to report to, then monitoring is an expensive waste of money.
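One way to turn the alarm that goes off all the time into something people will act on is to aggregate repeated alerts by signature and source, and to escalate only when the incident plan says so, with a named owner for each escalation. The following is an added example and not code from the article or from any product it mentions: the alert layout, signature ids, addresses and the escalation policy in PLAN are all constructed for the example.

```python
# Added example (not from the article): aggregate IDS alerts per (signature,
# source) and apply an incident plan that says who handles what and when a
# repeated low-priority alert becomes worth an escalation.
import re
from collections import OrderedDict
from datetime import datetime, timedelta

# Constructed alert lines in a Snort-like "fast" layout. The sids, messages and
# addresses are invented for this example and do not come from any real sensor.
SAMPLE_ALERTS = """\
2006-03-01 09:00:01 [sid 100001] HTTP admin console probe [Priority: 1] 203.0.113.7 -> 10.10.1.5:443
2006-03-01 09:00:03 [sid 100001] HTTP admin console probe [Priority: 1] 203.0.113.7 -> 10.10.1.5:443
2006-03-01 09:00:09 [sid 100001] HTTP admin console probe [Priority: 1] 203.0.113.7 -> 10.10.1.5:443
2006-03-01 09:01:00 [sid 100003] ICMP echo sweep [Priority: 3] 10.20.9.4 -> 10.10.1.5
2006-03-01 09:02:00 [sid 100002] SMB null session attempt [Priority: 2] 10.20.9.4 -> 10.20.5.10:445
2006-03-01 09:03:30 [sid 100002] SMB null session attempt [Priority: 2] 10.20.9.4 -> 10.20.5.10:445
2006-03-01 09:05:00 [sid 100002] SMB null session attempt [Priority: 2] 10.20.9.9 -> 10.20.5.10:445
2006-03-01 09:06:00 [sid 100002] SMB null session attempt [Priority: 2] 10.20.9.9 -> 10.20.5.10:445
2006-03-01 09:07:00 [sid 100002] SMB null session attempt [Priority: 2] 10.20.9.9 -> 10.20.5.10:445
"""

ALERT_RE = re.compile(
    r"^(?P<ts>\S+ \S+) \[sid (?P<sid>\d+)\] (?P<msg>.+?) "
    r"\[Priority: (?P<prio>\d)\] (?P<src>\S+) -> (?P<dst>\S+)$"
)

# The incident plan assumed by this example: who owns each priority, and how
# many repeats from one source inside the window justify an escalation.
# A threshold of None means the alert is only logged for later review.
PLAN = {
    1: {"owner": "on-call security analyst", "threshold": 1},
    2: {"owner": "network team", "threshold": 3},
    3: {"owner": "daily log review", "threshold": None},
}


def parse_alert(line: str):
    """Parse one alert line; return None for lines that do not match."""
    m = ALERT_RE.match(line)
    if not m:
        return None
    a = m.groupdict()
    a["ts"] = datetime.strptime(a["ts"], "%Y-%m-%d %H:%M:%S")
    a["prio"] = int(a["prio"])
    return a


def triage(text: str, window: timedelta = timedelta(minutes=10)):
    """Group alerts by (sid, src) and decide escalate / watch / log per PLAN."""
    groups = OrderedDict()
    for line in text.splitlines():
        a = parse_alert(line)
        if a is None:
            continue
        key = (a["sid"], a["src"])
        g = groups.setdefault(key, {"sid": a["sid"], "src": a["src"], "msg": a["msg"],
                                    "prio": a["prio"], "first": a["ts"],
                                    "last": a["ts"], "count": 0})
        g["count"] += 1
        g["last"] = a["ts"]

    results = []
    for g in groups.values():
        plan = PLAN[g["prio"]]
        if plan["threshold"] is None:
            action = "log"                       # noise: keep, do not page anyone
        elif g["count"] >= plan["threshold"] and g["last"] - g["first"] <= window:
            action = "escalate"                  # hand to the owner in the plan
        else:
            action = "watch"                     # below threshold so far
        results.append({**g, "action": action, "owner": plan["owner"]})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_ALERTS):
        print(f'{r["action"]:8} sid {r["sid"]} from {r["src"]} x{r["count"]} -> {r["owner"]}')
```

With the constructed input, the priority-1 probe is escalated on its first occurrence, the two SMB attempts from 10.20.9.4 stay on watch, the three from 10.20.9.9 within the window go to the network team, and the ICMP sweep is logged for the daily review. The thresholds and owners are the part a company has to decide for itself; the code only makes sure that once decided, every alert ends up with someone responsible for it.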

Cracknell, who is also the new director of technology assurance at Deloitte, recommends that users carry out a regular review of the network, as the whole infrastructure is likely to be in a constant state of flux. Without initial and ongoing planning, he says, new devices and segments will be appended to the existing logical structure in an ad hoc manner.

"Periodic assessment of the functionality, traffic and use of systems, their location physically and logically, and the network rights of those systems should be conducted," Cracknell says.

"With a poorly designed architecture, security incidents start to become hard, if not impossible, to detect. Network convergence can rapidly compound such problems. Inclusion of VoIP, wireless and multimedia traffic in even the most expertly configured network architectures can bring the environment to its knees."

Cracknell's advocacy of a holistic approach is echoed by Paul Simmonds, head of information security at chemicals firm ICI and a founding member of security user group the Jericho Forum. Unless companies really understand their network traffic, he says, the first they know of a worm attack is when the network slows down.

This lack of understanding also convinces companies to work on what Simmonds perceives as "the flawed assumption that the internal network is secure" and that network-based security schemes - such as network intrusion detection systems, Network Admission Control from Cisco, and Network Access Protection from Microsoft - will keep you safe. Equally, he says companies "do not understand the systems connecting to their network. Dynamic Host Configuration Protocol (DHCP) and BootP allow any system to connect."

The biggest challenge for business, as the Jericho Forum has underlined, is knowing where the network begins and ends. Customers, suppliers, consultants and remote workers all expect to have seamless access to your systems, which means the traditional hard perimeter approach to security can no longer be effective. Most people agree that a more layered form of defence is required, rather than relying on a single hard shell.

But how do you control this more fluid workforce without stopping legitimate workers from doing their job? As anyone with a laptop knows, the first thing you do when visiting another office is look for a spare Ethernet socket to plug into, and quite often you are successfully connected in seconds.

"This becomes a major problem where the physical perimeter allows untrusted individuals, including visitors or contractors, inside it," Cracknell says. He recommends disabling switch ports and floor and wall sockets until they are required.

One way around the problem of DHCP, which hands out addresses to any new connection, is to allocate addresses only to known media access control (MAC) addresses, although this can be a network administration headache. A machine with an unknown MAC address will not be given the credentials to join the network fully.

Wireless networks and mobile workers present a further challenge. The mobile worker can bring in viruses acquired outside and infect the rest of the organisation. And the worker who decides he would rather work by the window and install a wireless access point can expose the company to anyone sitting outside with a computer.

Some form of network access control can go a long way to mitigating these threats by imposing pre-conditions on any endpoint devices trying to gain access to the network. A virtual private network (VPN) will create an encrypted connection for remote workers, which should make the connection secure.

But, as Steve Matthews of Context Information Security warns, even VPNs (specifically SSL VPNs) can create security holes for hackers to climb in. "In one particular instance, Context identified that an SSL VPN was running an admin console with PHP command.exe, which enabled us to take full control of the system and get full access to the network behind it. The perception of the SSL VPN was that, because it was a security device, it would be secure in itself," he says.

And while most companies are adopting encryption, such as WPA2, for their wireless networks, Matthews warns that many laptops are open to attack. "Because many users of wireless laptops will connect to a number of different access points - wireless hotspots in airports, hotels, cafes, not to mention their own homes - we increasingly identify clients broadcasting association requests for different service set identifiers," he says. This means users can be fooled into entering a bogus website.

But security needs to be a mix of people, process and technology. The best security comes from having well-trained and motivated staff, who will not click on dodgy e-mail attachments, and will not be lured into spyware-infected websites.

And like every other aspect of the security jigsaw, security training and awareness is not a one-off exercise. It needs to be a continuous programme of education, incentive and information.

Network Security Best Practice

● Keep patches up to date
● Do not leave devices in default configurations
● Review the whole network regularly to see what has changed
● Have an incident response plan for dealing with alerts
● Train staff to be security-aware
● Disable unused switch ports and network sockets
● Scan regularly for rogue wireless access points
● Apply endpoint security – check that devices meet minimum standards
● Encrypt wireless networks and lock clients to limit broadcasting requests
