Protection From the Perimeter to the Core
By Barry Cioe, Senior Director of Product Management Symantec
Friday, 20 August 2004 13:15 EST


A decade ago, Internet security pioneer Bill Cheswick proposed a network security model that he famously characterized as a "crunchy shell around a soft, chewy center." Today, as more and more "outsiders" – remote users, business partners, customers, contractors – require access to corporate networks, enterprises are finding the idea of a "soft center" obsolete, if not downright dangerous.

Consider this: Gartner Inc. estimates that more than 70 per cent of unauthorized access to information systems is committed by employees, as are more than 95 per cent of intrusions that result in significant financial losses. The "2003 Computer Crime and Security Survey," meanwhile, compiled by the Computer Security Institute and the FBI, found that 62 per cent of respondents reported a security incident involving an insider, up from 57 per cent in 2002.

In such an environment, which is also increasingly beset by so-called blended threats that dynamically target the vulnerabilities of isolated security products, enterprises must adopt an integrated strategy that addresses network security at all tiers: gateway, server, and client.

Bolstering the perimeter

The traditional perimeter firewall no longer provides adequate protection against intrusions and threats. In part that's because the very definition of "perimeter" has become blurred. The addition of remote access servers, peer connections to partners' networks, VPN servers, and wireless access points means that a once well-defined network boundary is no longer so well-defined. As a result, there are now multiple outside paths into the corporate network, and inevitably someone will use one of them to circumvent the firewall and improperly access network resources.

Take, for instance, the costly Slammer worm that stormed around the globe earlier this year. That blended threat was able to enter networks via standard ports on perimeter firewalls. Security administrators learned the hard way that simply blocking TCP and UDP ports is no longer sufficient. The bottom line: even with a perimeter firewall in place, enterprises are not safe from these attacks.

Integrated security uses the principles of defense in depth and employs complementary security functions at multiple levels within the IT infrastructure. By combining multiple functions, integrated security can more efficiently protect against a variety of threats at each tier to minimize the effects of network attacks. Key security technologies that should be integrated include:

Enterprise-Class Firewalls. These control all network traffic by screening the information entering and leaving a network to help ensure that no unauthorized access occurs.

Real-Time Intrusion Detection and Response. Detects unauthorized access and provides alerts and reports that can be analyzed for patterns and planning.

Content Filtering. Identifies and eliminates unwanted traffic. Content filtering helps organizations enforce acceptable use policies so that network resources are not misused.

Virtual Private Networks (VPN). Secures connections beyond the perimeter, enabling organizations to safely communicate across the Internet.

Vulnerability Management. Uncovers security gaps and suggests improvements.

Virus Protection. Protects against viruses, worms, and Trojan horses.

With these security technologies integrated into a single solution, an enterprise is better able to withstand a modern-day network threat, be it a malicious code attack, a denial-of-service attack, unauthorized access (either internal or external), or blended threat.

Securing the core

A Chief Technology Officer at a security consulting firm put it aptly: when it comes to protecting digital assets, enterprises should heed the lessons of the banking industry, which evolved physical security to include controls both at the perimeter (i.e., formidable doors and walls) and internally (safes).

Seen in this light, a client firewall provides an additional layer of security for the applications and data that reside on clients that travel outside the perimeter firewall and connect to the network, as well as for desktop clients residing inside the security perimeter.

A client firewall that also includes intrusion detection and antivirus technology works this way: as information is received by the client, it is passed through the client firewall and scanned for network attacks and viruses by the intrusion detection and antivirus technologies. If an intrusion is detected, the client firewall is instructed to block network access from the offending IP address. In the case of a virus, the file is corrected or safely isolated. In this way the threat is identified and contained at the client level, stopped in its tracks before it can spread to the rest of the network.
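As an added illustration (not code from the article or from any Symantec product), the following Python models the pipeline just described: a host firewall with port rules and a dynamic block list, a signature-based inspector, and the feedback step that blocks the offending source address once a detection fires, so later traffic from that address is dropped before it is even inspected. The events, signature predicates and addresses are constructed for the example.

```python
"""Added example: client firewall + IDS + automatic block, as a small model.

Flow per inbound event: firewall rules -> signature inspection -> on a hit,
the detector tells the firewall to block the source IP (containment at the
client). Everything below (events, signatures, addresses) is constructed."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Set, Tuple


@dataclass
class Event:
    """One inbound datagram or segment as seen by the client (constructed)."""
    src_ip: str
    dst_port: int
    payload: bytes


@dataclass
class ClientFirewall:
    """Static port rules plus a dynamic block list the detector can update."""
    allowed_ports: Set[int]
    blocked_ips: Set[str] = field(default_factory=set)

    def permits(self, ev: Event) -> bool:
        # Blocked sources are dropped first; then the port rules apply.
        if ev.src_ip in self.blocked_ips:
            return False
        return ev.dst_port in self.allowed_ports

    def block(self, ip: str) -> None:
        self.blocked_ips.add(ip)


# Hypothetical signatures: name -> predicate over the event.
SIGNATURES: Dict[str, Callable[[Event], bool]] = {
    # A datagram far larger than the service normally accepts.
    "oversized-datagram": lambda ev: len(ev.payload) > 256,
    # A byte pattern that should never appear in this protocol's traffic.
    "suspicious-marker": lambda ev: b"EVIL-MARKER" in ev.payload,
}


def inspect(ev: Event) -> List[str]:
    """Return the names of every signature the event matches."""
    return [name for name, match in SIGNATURES.items() if match(ev)]


def process(events: List[Event], fw: ClientFirewall) -> List[Tuple[str, str, str]]:
    """Run events through firewall -> IDS -> response; return an audit trail
    of (source, action, reason) tuples."""
    trail: List[Tuple[str, str, str]] = []
    for ev in events:
        if not fw.permits(ev):
            trail.append((ev.src_ip, "dropped", "firewall"))
            continue
        hits = inspect(ev)
        if hits:
            fw.block(ev.src_ip)  # detection feeds back into the firewall
            trail.append((ev.src_ip, "blocked", ",".join(hits)))
        else:
            trail.append((ev.src_ip, "delivered", "clean"))
    return trail


# Constructed traffic sample.
SAMPLE_EVENTS = [
    Event("10.0.0.5", 80, b"GET / HTTP/1.0"),
    Event("192.0.2.7", 80, b"A" * 300),          # oversized -> detected, source blocked
    Event("192.0.2.7", 80, b"GET /x HTTP/1.0"),  # same source -> dropped by the firewall
    Event("10.0.0.9", 23, b"login"),             # port not allowed by policy
    Event("10.0.0.5", 80, b"EVIL-MARKER"),       # marker -> detected, source blocked
]


def demo() -> Tuple[List[Tuple[str, str, str]], ClientFirewall]:
    fw = ClientFirewall(allowed_ports={80, 443})
    return process(SAMPLE_EVENTS, fw), fw


if __name__ == "__main__":
    trail, fw = demo()
    for row in trail:
        print(*row)
    print("blocked:", sorted(fw.blocked_ips))
```

The point of the model is the third event: once the detector has blocked 192.0.2.7, the next packet from it never reaches the inspector at all, which is the "contained at the client level" behaviour the paragraph describes.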

The insider threat

Can enterprises truly protect themselves from threats emanating inside the firewall? Not entirely. But they can foster a culture that reduces the reasons and opportunities for employee threats. Moreover, proper controls can be put in place so that, should an incident occur, they can act in a timely fashion.

Create an effective security policy. Enterprises should have a policy outlining their information assets and all access rights to that information. Make sure all users are aware of the policy. Educate them about the risks involved in allowing others to have access to their accounts and passwords. Alert them to the dangers of "social engineering," whereby intruders seek to gain unauthorized access to information by preying on users' lack of suspicion. Social engineering exploits the human desire to "do the right thing," and all users need to be aware of these types of attacks.

Set proper access levels. Make sure employees get access only to the data and systems they need access to. It sounds basic, but it's not unusual for employees to have 10 to 20 times more access to resources than they need to do their jobs. (Access can be restricted by implementing specialized access control software. This can be used to limit a user's activities associated with specific systems or files and keep records of individual users' actions on the computer.)

Stay on top of "trusted relationships." If relationships with outside contractors call for them to access the network, make sure the access is designated only for the specific services required. It is common for users to need access to information of different levels of value. When assigning access levels, ensure that one level of protection does not expose a more valued asset. (One tactic that some companies use is to provision contract and temporary workers with network accounts that have automatic "stop dates," after which they cease to function, unless extended.)

Establish a documented procedure for handling employee terminations. From a security point of view, the process of letting people go can be chaotic -- both for those directly affected and for those left behind. A security policy that spells out what steps should be taken can allay much of the confusion. For example, a good policy should state clearly how to disable an affected employee's information systems access. A study released this spring by Novell, Stanford University, and Hong Kong University found that nearly half of the companies surveyed take longer than two days -- and many longer than two weeks -- to revoke the network access of terminated employees. Make sure controls are in place to revoke access on any employee's last day -- regardless of the reason the person has for leaving the company.

Enforce it. Once a security policy is in place, determine if it is being followed, and evaluate security violations to ensure no events reoccur. An effective, meaningful way to manage security goes beyond break-in statistics and measures actual security performance against pre-determined, objective criteria.
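The last four items above (least-privilege access, contractor accounts with stop dates, revoking access on an employee's last day, and measuring performance against objective criteria) can be checked mechanically rather than trusted. The following Python is an added example, not from the article, that audits a constructed directory export against a constructed HR roster: it flags contractor accounts past their stop date that are still enabled, terminated employees whose accounts are still enabled or were disabled late, and reports how many revocations met the "last day" objective. The field names (user, type, enabled, disabled_on, stop_date) are assumptions for the example and do not correspond to any particular directory product.

```python
"""Added example: access-revocation audit over constructed data.

Checks: (a) contractor past stop date but still enabled,
        (b) terminated employee still enabled,
        (c) terminated employee disabled later than the objective,
and a summary metric of revocations within the objective."""
from datetime import date
from typing import Dict, List, Optional

# Reference date for the audit (the article's publication date).
TODAY = date(2004, 8, 20)

# Constructed directory export: one record per account.
ACCOUNTS: List[Dict] = [
    {"user": "alice", "type": "employee",   "enabled": True,  "disabled_on": None},
    {"user": "bob",   "type": "employee",   "enabled": False, "disabled_on": date(2004, 8, 12)},
    {"user": "carol", "type": "employee",   "enabled": True,  "disabled_on": None},
    {"user": "dave",  "type": "contractor", "enabled": True,  "disabled_on": None,
     "stop_date": date(2004, 7, 31)},
    {"user": "erin",  "type": "contractor", "enabled": True,  "disabled_on": None,
     "stop_date": date(2004, 9, 30)},
    {"user": "frank", "type": "employee",   "enabled": False, "disabled_on": date(2004, 8, 10)},
]

# Constructed HR roster: last working day of people who have left.
TERMINATIONS: Dict[str, date] = {
    "bob":   date(2004, 8, 2),   # disabled 10 days after leaving
    "carol": date(2004, 8, 16),  # still enabled
    "frank": date(2004, 8, 10),  # disabled on the last day
}


def _days(later: date, earlier: date) -> int:
    return (later - earlier).days


def audit(accounts: List[Dict], terminations: Dict[str, date],
          today: date, max_days: int = 0) -> List[Dict]:
    """Return findings sorted by user. max_days=0 means 'disabled on the last day'."""
    findings: List[Dict] = []
    for acct in accounts:
        user = acct["user"]
        stop: Optional[date] = acct.get("stop_date")
        # (a) contractor stop date has passed but the account still works
        if acct["type"] == "contractor" and stop and stop < today and acct["enabled"]:
            findings.append({"user": user, "issue": "contractor-past-stop-date",
                             "days_exposed": _days(today, stop)})
        last_day = terminations.get(user)
        if last_day is None:
            continue
        if acct["enabled"]:
            # (b) person has left, account never disabled
            findings.append({"user": user, "issue": "terminated-still-enabled",
                             "days_exposed": _days(today, last_day)})
        else:
            # (c) disabled, but later than the objective allows
            lag = _days(acct["disabled_on"], last_day)
            if lag > max_days:
                findings.append({"user": user, "issue": "late-revocation",
                                 "days_exposed": lag})
    return sorted(findings, key=lambda f: f["user"])


def revocation_metrics(accounts: List[Dict], terminations: Dict[str, date],
                       today: date, max_days: int = 0) -> Dict[str, int]:
    """Objective measure of the termination process: how many revocations met
    the objective and the worst lag seen (open accounts count up to today)."""
    by_user = {a["user"]: a for a in accounts}
    lags = []
    for user, last_day in terminations.items():
        acct = by_user[user]
        end = today if acct["enabled"] else acct["disabled_on"]
        lags.append(_days(end, last_day))
    within = sum(1 for lag in lags if lag <= max_days)
    return {"terminations": len(lags), "within_sla": within,
            "worst_days": max(lags, default=0)}


def run_audit():
    return audit(ACCOUNTS, TERMINATIONS, TODAY), revocation_metrics(ACCOUNTS, TERMINATIONS, TODAY)


if __name__ == "__main__":
    findings, metrics = run_audit()
    for f in findings:
        print(f"{f['user']:8} {f['issue']:28} exposed {f['days_exposed']} day(s)")
    print(metrics)
```

Run against a real export, the same two numbers ("revocations within objective" and "worst lag") are the kind of pre-determined, objective criteria the last item asks for, and the findings list is the work queue for closing the gaps.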

Conclusion

In today's dynamic business climate, old notions about "insiders" and "outsiders" are being relegated to the scrap heap. The blurring of the enterprise perimeter has seen to that. Likewise, the idea of building a Great Wall around corporate data, the better to protect it from external threats, is proving unrealistic, particularly as blended threats proliferate and elude perimeter firewalls. Enterprises need to establish security frameworks that offer protection at all levels -- gateway, server, and client. As insider threats increase, integrated security must extend from the perimeter to the core.

Barry Cioe is senior director of Product Management at Symantec and a 13-year veteran of the IT industry, with eight years of experience developing Internet security products.
