Over the past 12 months, internal network security has become a much talked about topic. This should come as no surprise. Highly publicized worm outbreaks capture headlines. Security administrators nervously hope they won't get a late-night call reporting that systems have been brought down by hackers. The time between vulnerability and exploit is quickly shrinking, and in many cases exploits spread before most organizations can deploy the appropriate vendor patches. To complicate matters, some of the most insidious attacks are those that don't make the headlines - internal hacking, electronic extortion, and other attacks targeted at specific organizations for financial gain or retaliation are occurring more frequently.
While network threats have existed for decades, today's environment is different. The traditional enterprise perimeter has expanded, or in some cases effectively disappeared. Mobile devices like laptops, PDAs, and USB memory sticks constantly travel from one side of the "perimeter" to the other. Wireless LANs allow external connections that bypass firewalls. Secure Sockets Layer (SSL) access to web portals and other internal applications can allow encrypted traffic to bypass perimeter firewalls and intrusion prevention systems.
A strong perimeter security infrastructure is critical, but is no longer enough. With today's evolving network and application landscape, the spread of worms and viruses inside the network has become a critical concern. Once inside the corporate network, sophisticated threats like MyDoom and Blaster have demonstrated the ability to quickly proliferate, causing severe productivity and financial losses. While estimates vary, a single outbreak can easily cost a company millions of dollars.
Internal network security complements perimeter security solutions by providing additional layers of defense.
Internal Security Requires a Dedicated Solution
While internal security is critical, it is very different from perimeter security, and thus poses new and unique challenges for network administrators. Frequently, these challenges necessitate a dedicated internal security solution. Products that began life as perimeter offerings, and have been repositioned for internal security, often don't succeed.
First, most organizations don't have dedicated internal network security. These organizations associate internal network security with anti-virus (AV) products. While AV is an important element of security, it has major limitations. AV relies on signatures, and is by definition a reactive solution. AV is an anti-nuisance technology because it prevents the nuisance of being infected by known exploits. Even if AV signatures are constantly updated, they will not block unknown attacks. Also, anti-virus products are designed to stop the spread of viruses, not worms. While many people think of worms and viruses interchangeably, they are different and require different defense mechanisms. AV products have a very poor record of slowing worms.
Second, defining security rules and policies inside the network is more difficult than at the perimeter because the application environments are different. At the perimeter there exists a well-defined set of applications and protocols. Because the set is well defined, creating security rules and policies is relatively straightforward. Conversely, inside the network there are many more applications and protocols than at the perimeter, and these applications and protocols are often homegrown. The result is that security and system administrators often don't know which applications are running inside the network, or exactly how they communicate. In short, they know that things are working and communicating, but not how. Without knowing which applications are running, or how they communicate with each other, defining security rules and policies becomes challenging.
Third, the standard protocols and applications that are used inside the network are different from those at the perimeter. For example, inside the network more database and Microsoft protocols are used than at the perimeter. This point is important because many perimeter security solutions don't analyze internal protocol and application traffic for threats, since that ability isn't required at the perimeter. Microsoft protocols alone account for a large portion of internal traffic, and most perimeter-based security does a poor job of understanding Microsoft protocols well enough to provide proactive protection. A dedicated internal security solution doesn't have this luxury, and to be effective must broadly and deeply understand Microsoft and other popular internal network protocols.
Fourth, in many organizations, the default security policies differ between internal and perimeter networks. At the perimeter, default security policies usually block all traffic except that which is explicitly allowed. Inside the network the opposite default is in effect, one that allows all traffic except that which is explicitly blocked.
Fifth, internal networks frequently operate at higher bandwidths than perimeter networks. Internal network security must support the higher bandwidth. Perimeter security products that are repositioned for internal security often can't meet the bandwidth requirements. Further, this bandwidth requirement implies something that isn't obvious: internal networks are susceptible to very rapid infection, and to brute-force attacks that typically aren't feasible across the perimeter.
Ultimately, the above differences illustrate why deploying perimeter security products inside the network is very difficult, and often counter-productive. Internal security requires a dedicated solution. Products designed to fortify the perimeter do not meet the unique needs of internal network security.
Essential Elements of Internal Security
To protect internal resources, an internal security solution should encompass the following elements:
1. End-point Security - Personal application firewall, residing on client devices, that enforces network access and security policy.
2. Internal Security Gateway - Security enforcement point that protects the internal network from attacks which can enter from insecure or infected end-points, servers, or internal hackers.
3. Host-based Security - Protects host servers or PCs from malicious traffic, and monitors the state of the host's software and configuration.
In addition, to ensure the cohesiveness of a security policy and defenses, and to allow for scalable deployment, the above elements should work together and include integrated deployment and management. Also, the above elements must provide pre-emptive security. Specifically, since many exploits occur before organizations can install patches, and traditional signature-based approaches can be applied only after an exploit has occurred, the ideal solution should provide defense mechanisms that can stop both known and unknown exploits.
1. End-Point Security
Many blended threats and worms enter the network when legitimate users connect compromised machines to the corporate network. In many cases, before an attack causes actual damage, it exposes itself only on the end-point. Also, in many cases, no central gateways exist to protect the end-points.
End-points can become compromised due to ineffective patch management or exposure to unprotected environments outside the corporate network. Patches are resource-intensive and often out-of-sync with emerging vulnerabilities. Anti-virus signature updates become available only after an attack has occurred, so they are reactive and by definition cannot prevent or protect against unknown threats.
End-point security resides on client devices, usually in the form of personal application firewalls (PAF), and allows or denies traffic-flow based on user or administrator defined rules. PAFs should provide application control by monitoring all application requests to access local and network resources. Being rule and not signature-based, PAFs should provide pre-emptive protection against viruses, worms, spyware, and malware. PAFs should also allow administrators to centrally enforce end-point security policies. For example, network access could be blocked from end-points that are not current on patches, anti-virus signatures, and other required application updates.
Also, it is critical that end-point security be "enterprise-ready" in terms of flexible policy setting, administration, and the ability to ensure conformance to policy via integrity checks. "Enterprise-ready" means that an administrator can centrally configure and deploy security policy to multiple end-points. Many personal firewalls are individually managed, and are not designed to be centrally managed. Such products are good for consumers, but are not appropriate for medium or large organizations because of the severe limitations on the scalability of management and deployment.
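The paragraphs above describe a centrally defined end-point policy and an integrity check that gates network access on it (patches current, anti-virus signatures current, required applications present). The following is an added illustration of that check, not code from the original paper or from any Check Point product; the policy thresholds, the end-point records, the application names and the "remediation" segment are all constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

# Constructed central policy: what "current" means for this organization.
# The thresholds and required applications are assumptions for the example.
POLICY = {
    "max_patch_age_days": 30,
    "max_av_signature_age_days": 7,
    "required_apps": {"vpn-client": (4, 1), "disk-encryption": (2, 0)},  # minimum versions
}


@dataclass
class Endpoint:
    """State reported by the personal application firewall agent on one client."""
    host: str
    last_patch: date          # date the last patch cycle completed
    av_signature: date        # date of the installed anti-virus signature set
    firewall_enabled: bool
    apps: dict                # app name -> installed version tuple


def integrity_check(ep: Endpoint, policy=POLICY, today=date(2004, 6, 1)):
    """Return the list of policy violations on an end-point; an empty list means compliant."""
    failures = []
    if (today - ep.last_patch).days > policy["max_patch_age_days"]:
        failures.append("patches out of date")
    if (today - ep.av_signature).days > policy["max_av_signature_age_days"]:
        failures.append("anti-virus signatures out of date")
    if not ep.firewall_enabled:
        failures.append("personal firewall disabled")
    for app, minimum in policy["required_apps"].items():
        installed = ep.apps.get(app)
        if installed is None:
            failures.append(f"{app} missing")
        elif installed < minimum:
            failures.append(f"{app} below required version")
    return failures


def network_access(ep: Endpoint, **kwargs):
    """Central enforcement: compliant hosts join the LAN, all others are held in a
    remediation segment until they are brought up to date."""
    failures = integrity_check(ep, **kwargs)
    segment = "corporate-lan" if not failures else "remediation-vlan"
    return segment, failures


# Constructed sample end-points (hypothetical hosts).
LAPTOP_OK = Endpoint("laptop-17", date(2004, 5, 20), date(2004, 5, 30), True,
                     {"vpn-client": (4, 2), "disk-encryption": (2, 0)})
LAPTOP_STALE = Endpoint("laptop-42", date(2004, 3, 1), date(2004, 5, 31), False,
                        {"vpn-client": (4, 0)})

if __name__ == "__main__":
    for ep in (LAPTOP_OK, LAPTOP_STALE):
        segment, why = network_access(ep)
        print(ep.host, "->", segment, why)
```

Because the agent evaluates rules rather than signatures, the same check blocks a host regardless of which worm it might be carrying: the decision depends only on whether the host meets the policy an administrator set centrally.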
2. Internal Security Gateways
While end-point security provides a solid front-line defense, not all end-points that connect to the internal network are protected. Oftentimes, customers, partners and consultants access your internal network without end-point integrity verification. These authorized end-points can often connect directly to the internal network without traversing perimeter security. An example is an employee with a laptop who works offsite and then plugs the laptop directly into the corporate network at his/her desk. If this employee's laptop became infected offsite, then once connected to the internal network the infection could propagate instantly across the corporate network.
Also of concern is intentional hacking by legitimate and authorized internal users. An internal user with a grudge, or profit motive, can inflict serious direct and indirect harm. Such a user has legitimate access to the internal network, and while inside a segment of the network could unleash a worm that spreads an infection or searches for proprietary data.
An Internal Security Gateway (ISG) should block both known and unknown attacks that may enter the network from insecure or infected end-points (client or server), and from internal hackers. Unknown attacks can be identified by various security methods, including:
- Validating compliance to standards
- Validating expected usage of standards
- Controlling hazardous application operations
- Analyzing and blocking dangerous executable code embedded in network traffic
Using sophisticated techniques, ISGs detect protocol anomalies and malicious code at both the network and application layers. Unlike traditional intrusion prevention solutions, ISGs are designed specifically for internal networks and incorporate appropriate management, defense, and LAN protocol capabilities. Once a threat is identified, an ISG can restrict traffic based on security settings and policy.
If an outbreak does occur, the ISG should contain the threat and stop it spreading by segmenting the internal network into security zones, and quarantining infected zones or individual end-points as appropriate. The ISG would be placed inline on all traffic into and out of the security zone. Zones can be physical or virtual, and examples include departments in an organization, floors of a building, or all wireless access points.
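Three points from this section and from the earlier discussion of default policies can be shown together in one small model of a gateway: a zone whose default is "allow" versus one whose default is "deny", detection of an unknown attack by validating that traffic complies with a standard and uses it as expected (here HTTP/1.x request structure, one of the methods listed above), and quarantining the source of non-compliant traffic so it is cut off from the zone. This is an added example, not code from the original paper or from any Check Point product; the zones, rules, length limits and sample requests are constructed.

```python
import re
from dataclasses import dataclass, field


# ---- Zone policy: the default-deny (perimeter) vs default-allow (internal) contrast ----
@dataclass
class Zone:
    name: str
    default_action: str                         # "deny" is typical at the perimeter, "allow" inside
    rules: dict = field(default_factory=dict)   # (proto, dst_port) -> "allow" | "deny"


def zone_action(zone: Zone, proto: str, dst_port: int) -> str:
    """An explicit rule wins; otherwise the zone's default applies."""
    return zone.rules.get((proto, dst_port), zone.default_action)


# ---- Protocol compliance checks (HTTP/1.x as the example protocol; limits are assumed) ----
TOKEN = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$")   # RFC 7230 'token' characters
KNOWN_METHODS = {"GET", "HEAD", "POST", "PUT", "DELETE", "OPTIONS"}
MAX_TARGET = 2048     # assumed limit on request-target length
MAX_HEADERS = 50      # assumed limit on number of header fields


def http_violations(payload: bytes):
    """Return compliance / expected-usage violations for one request head; [] means clean."""
    problems = []
    try:
        text = payload.decode("ascii")
    except UnicodeDecodeError:
        return ["non-ASCII bytes in request head"]
    head, _, _body = text.partition("\r\n\r\n")
    lines = head.split("\r\n")
    parts = lines[0].split(" ")
    if len(parts) != 3 or not parts[2].startswith("HTTP/1."):
        return ["malformed request line"]
    method, target, _version = parts
    if not TOKEN.match(method):
        problems.append("method is not a valid token")      # standards compliance
    elif method not in KNOWN_METHODS:
        problems.append(f"unexpected method {method}")      # expected usage of the standard
    if len(target) > MAX_TARGET:
        problems.append("request-target exceeds limit")     # oversized field, a common overflow vector
    headers = lines[1:]
    if len(headers) > MAX_HEADERS:
        problems.append("too many headers")
    for h in headers:
        if ":" not in h or any(ord(c) < 0x20 for c in h):
            problems.append("malformed header field")
            break
    return problems


# ---- Gateway: enforce zone policy, inspect, quarantine ----
class InternalSecurityGateway:
    def __init__(self):
        self.quarantined = set()   # source addresses cut off from the zone

    def inspect(self, zone: Zone, src: str, proto: str, dst_port: int, payload: bytes = b""):
        """Decide allow/deny for one flow entering `zone`; quarantine sources of bad traffic."""
        if src in self.quarantined:
            return "deny", "source quarantined"
        if zone_action(zone, proto, dst_port) == "deny":
            return "deny", "zone policy"
        if payload and proto == "tcp" and dst_port == 80:   # assumes HTTP on tcp/80
            bad = http_violations(payload)
            if bad:
                self.quarantined.add(src)
                return "deny", "; ".join(bad)
        return "allow", "ok"


# Constructed zones and sample traffic (hypothetical addresses and ports).
PERIMETER = Zone("perimeter", "deny", {("tcp", 443): "allow"})
FLOOR3 = Zone("floor-3", "allow", {("tcp", 23): "deny"})
GOOD_REQ = b"GET /index.html HTTP/1.1\r\nHost: intranet\r\n\r\n"
BAD_REQ = b"GET /" + b"A" * 5000 + b" HTTP/1.1\r\nHost: intranet\r\n\r\n"


def demo():
    isg = InternalSecurityGateway()
    flows = [
        (PERIMETER, "203.0.113.5", "tcp", 3389, b""),   # no rule at the perimeter -> default deny
        (FLOOR3, "10.0.3.7", "tcp", 3389, b""),         # no rule inside -> default allow
        (FLOOR3, "10.0.3.7", "tcp", 80, GOOD_REQ),      # compliant request passes
        (FLOOR3, "10.0.3.7", "tcp", 80, BAD_REQ),       # non-compliant -> deny and quarantine
        (FLOOR3, "10.0.3.7", "tcp", 80, GOOD_REQ),      # same source now cut off
    ]
    return [isg.inspect(*flow)[0] for flow in flows]


if __name__ == "__main__":
    print(demo())
```

The quarantine step is what turns a single detection into containment: after the oversized request, even well-formed traffic from the same source is refused until an administrator releases it.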
3. Host-Based Security
Internal networks are a tempting target for hackers because they contain business-critical servers with proprietary intellectual property. Therefore, an effective internal security strategy requires host-based security software that runs on individual hosts and inspects traffic to and from a host server or PC. This software has the ability to detect new host software or configuration changes, and determine the resulting security exposure. Host-based security software also accumulates data on normal host functions and traffic, and can lock down servers if it detects a threat or malicious code trying to access off-limit resources.
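One concrete form of "detect configuration changes and determine the resulting exposure" is a file-integrity baseline: record a content hash and permission bits for each monitored file, compare later snapshots against it, and rate what changed. The following is an added example of that technique, not code from the original paper or from any Check Point product; the monitored file names, the simulated changes and the exposure rating rule are constructed.

```python
import hashlib
import os
import stat
import tempfile


def snapshot(paths):
    """Record (sha256, permission bits) for each monitored file; a missing file is recorded as None."""
    baseline = {}
    for p in paths:
        if not os.path.exists(p):
            baseline[p] = None
            continue
        with open(p, "rb") as f:
            digest = hashlib.sha256(f.read()).hexdigest()
        baseline[p] = (digest, stat.S_IMODE(os.stat(p).st_mode))
    return baseline


def diff_snapshots(before, after):
    """Return (path, kind, new_state) for every monitored file that changed."""
    changes = []
    for p in sorted(set(before) | set(after)):
        b, a = before.get(p), after.get(p)
        if b == a:
            continue
        if b is None:
            kind = "added"
        elif a is None:
            kind = "removed"
        elif b[0] != a[0]:
            kind = "modified"
        else:
            kind = "permissions"
        changes.append((p, kind, a))
    return changes


def exposure(changes):
    """Assumed rating rule: modified content, or a file that became world-writable, is 'high'
    (a candidate for locking the host down); additions and removals are 'medium'."""
    level = "none"
    for _path, kind, after in changes:
        if kind == "modified" or (kind == "permissions" and after[1] & 0o002):
            return "high"
        level = "medium"
    return level


def demo():
    """Simulate a config edit and a key file made world-writable, then rate the exposure."""
    with tempfile.TemporaryDirectory() as d:
        cfg = os.path.join(d, "service.conf")   # constructed monitored files
        key = os.path.join(d, "server.key")
        for path, mode in ((cfg, 0o644), (key, 0o600)):
            with open(path, "w") as f:
                f.write("original\n")
            os.chmod(path, mode)
        base = snapshot([cfg, key])
        with open(cfg, "a") as f:                # simulated configuration change
            f.write("changed-setting = yes\n")
        os.chmod(key, 0o666)                     # simulated exposure of a private key
        changes = diff_snapshots(base, snapshot([cfg, key]))
        return [(os.path.basename(p), kind) for p, kind, _ in changes], exposure(changes)


if __name__ == "__main__":
    print(demo())
```

Hashing content and recording mode bits separately lets the monitor distinguish "someone edited the configuration" from "the configuration is unchanged but is now readable or writable by everyone", which carry different exposure and call for different responses.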
Internal Security is a Requirement
As traditional network perimeters blur or completely disappear, threats to the internal network increase. In today's environment internal security is a requirement which complements perimeter security. Internal security is also very different from perimeter security, and poses unique challenges for network administrators and vendors. Because of these unique challenges, internal security requires a dedicated solution that is specifically designed to deal with internal network issues.
Protections for end-points, internal gateways, and host computers must all work in tandem, and must scale with respect to deployment and everyday management.
Implementing the key elements of an internal security solution will protect valuable corporate resources from intrusions, intruders, and internal hackers.
Authored by: Marius Nacht, Vice Chairman and Senior Vice President of Check Point Software Technologies. For more information, please contact info@us.checkpoint.com.