Centrally managed network security: hope or reality? Don't wait for the standards to evolve. (Software Intelligence).Ask any IT professional to predict the future of computer networking
Computer networking is the engineering discipline concerned with communication between computer systems or devices. and you will get different answers. Guessing the future of technology has always been a dicey business TVB drama series production Dicey Business (賭場風雲) is a 35 episode series which aired in Hong Kong after TVB 39th Anniversary Awards Ceremony. at best. Planning ahead for the next set of security threats and building security solutions that are not vulnerable to these threats is even more difficult, because building network technology is, on the face of it a purposeful design process, whereas security threats are typically exploitations of sloppy engineering or cleverly threading together unintended uses for software. Future security threats and vulnerabilities are not something that is easy or even possible to anticipate. The best hope for a security solution that protects enterprise-wide networks while allowing for centralized cen·tral·ize v. cen·tral·ized, cen·tral·iz·ing, cen·tral·iz·es v.tr. 1. To draw into or toward a center; consolidate. 2. management is the emergence of standards. Security standards like DCE (1) (Distributed Computing Environment) Software from The Open Group that allows applications to be built across heterogeneous platforms in a network. DCE includes security, directory naming, time synchronization, file sharing, RPCs and multithreading services. , Kerberos, SAML (Security Assertion Markup Language) An XML-based format from OASIS for exchanging security information for single sign-on. The "assertions" are statements from a SAML authority that authenticate a user, confirm some attribute about the individual and grant or , elements of IPv6 and others continue to be the Holy Grail Holy Grail: see Grail, Holy. A very desired object or outcome that borders on a sacred quest. There are several Holy Grails in the computer business. for which we wait. However, the wait continues after decades with little hope for a standards-based security solution in the immediate term. Why wait for a new standard when an existing standard will do. Let's take a look at some of the security issues facing the IT professional and see what management problems they have in common. All data, including passwords, flows in the clear over most networks The insider threat is on the rise Wireless networking See wireless network. means networking is not restricted to wires any more. In today's computer architectures, all data flows over the network. If the data stream is watched long enough, some juicy titbits are sure to turn up. Password sniffing sniff v. sniffed, sniff·ing, sniffs v.intr. 1. a. To inhale a short, audible breath through the nose, as in smelling something. b. To sniffle. 2. , watching the network stream for unencrypted passwords, is the most obvious example. Unfortunately, it is just the tip of the iceberg tip of the iceberg n. pl. tips of the iceberg A small evident part or aspect of something largely hidden: afraid that these few reported cases of the disease might only be the tip of the iceberg. . Uncontrolled access to all network traffic ensures sensitive data will eventually be compromised. Access to the network stream must be limited to only the data bound for the host. Another huge security problem that has been mainly ignored, because it is hard to solve, is the insider threat. An insider can abuse their privilege to collect sensitive data for the fun and profit of the individual, with no regard for the organization. The insider threat has always been much greater than the hacker A person who writes programs in assembly language or in system-level languages, such as C. The term often refers to any programmer, but its true meaning is someone with a strong technical background who is "hacking away" at the bits and bytes. threat, but mild-mannered, trusted employees stealing data is not headline material like a thirteen year old hacking the Pentagon. In reality, the disgruntled dis·grun·tle tr.v. dis·grun·tled, dis·grun·tling, dis·grun·tles To make discontented. [dis- + gruntle, to grumble (from Middle English gruntelen; see employee has more motivation and more access to sensitive data than any outsider. The network must not turn into an enabling technology for the disgruntled employee to compromise data or have access to data beyond that with which they are trusted. Today, wireless networks are common place, sending and receiving data packets within corporate meeting rooms, office bays and even beaches. With the expanded network perimeter, it is even more important that each packet coming in be authenticated au·then·ti·cate tr.v. au·then·ti·cat·ed, au·then·ti·cat·ing, au·then·ti·cates To establish the authenticity of; prove genuine: a specialist who authenticated the antique samovar. to make sure it is coming from a valid user. Additionally, each packet going out must be checked to ensure sensitive data is not being broadcast to allow just anyone to pickup. One way to solve all three of these problems is to control the data packets going in and out of each host. If each host only looks at the packets bound for it, the password sniffing problem is solved. If users are only allowed to access the hosts they need to do their job, they are limited to only the data with which they are trusted. As result, as much as possible, insider threat protection is gained. Finally, if each packet is checked going in and out of a host, the wireless hub would never see sensitive packets, and outsider packets entering via the wireless hub would be read only by the intended host. However the solution creates its own problems. If the software controlling the host's access to the network can be modified from the host, then all that's been accomplished is to create a little bit more work for the hacker. The hacker simply disables the security software and then proceeds normally. If the policy can be changed on the host it is protecting, the policy is basically useless. Another problem with controlling every host's access to the network is the management of multiple security policies. Setting up policy on an individual host-by-host basis is an insurmountable task. A better solution is a centrally managed policy approach that scales for large organizations and cannot be tampered with by the individual hosts. The solution in a nutshell nut·shell n. The shell enclosing the meat of a nut. Idiom: in a nutshell In a few words; concisely: Just give me the facts in a nutshell. Adv. 1. is a distributed packet filtering See packet filter. firewall in front of each host on the network. Why packet filtering? There are many higher-layer protocols that could be selected, but it comes down to a question of standards. All higher-level protocols run over the same packet protocols. By controlling the information flow at the packet level, the information flow for all of the subsequent protocols will be controlled, without the need to adopt a new network packet standard. The solution requires simple packet filtering, as opposed to a stateful inspection A firewall technology that ensures that all inbound packets are the result of an outbound request. Also called "stateful packet inspection" (SPI), it was designed to prevent harmful or unrequested packets from entering the computer. approach. The more complicated the packet inspection, the greater the impact on throughput. Authenticating the packet's tree origin is much more effective than trying to understand the contents of the packet. Every host on the network today communicates using a network packet standard protocol that can be utilized to perform centralized management. The current accepted and deployed standard makes centralized management a reality, eliminating the need to wait for a new standard to evolve. The current situation is very similar to the dawn of the Internet. In the beginning, organizations had to be educated on what a firewall was, and why it was a good idea to protect assets from the Internet. Today, no one even considers connecting an organization to the Internet without a firewall. In ten years firewalls have gone from a concept for researchers to a practical requirement understood by the average Internet user Internet user n → internauta m/f Internet user Internet n → internaute m/f . Similarly, the concept of a distributed firewall on every host is a new concept that has not caught on. Ten years from now, no one will consider connecting a computer to a network without a distributed firewall to protect it. Editorial Note Infosecurity Europe is Europe's largest and most important information security event. Now in its 5th year, the show features Europe's largest FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia. The above features are being presented at Infosecurity Europe 2003.29th April-1st May. www.infosec.co.uk |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion