InfoSecurity India's First Magazine on Comprehensive IT Security
InfoSecurity May 2009
Cover Story
Next Generation Network Security: Multi-Layered and Integrated Approach is Future

Powerful and devastating threats are likely to be a nightmare for CIOs as organizations approve the implementation of next generation networks. To prevent such next generation threats, an integrated and multi-layered security approach is imperative for organizations. This article discusses the threats and preventive measures in detail.

The emergence of new, innovative and highly productive technologies has dramatically changed the way we do business and communicate worldwide. From the good old PSTN to new age IP networks, the transformation has seen more than its fair share of challenges. This transformation is business driven; it’s not solely driven by the technological changes that have enabled service transformation from old telephony systems to VoIP. The transformation journey is far reaching in scale and complexity. Companies today invest significant time and resources in getting the new technology to work and perform, and in upgrading the legacy network architecture for new business requirements, but unfortunately they tend to pay limited attention to security.

New protocols, new technologies and new devices connected to the network bring in new challenges. New services and opportunities like IPTV, Telepresence and WiMax, which require enhanced online authentication, are changing both the process by which networks are secured and the security components used by companies. Most organizations have implemented first-generation security solutions to manage their networks' security. But this has resulted in the need to manage a complex set of multi-vendor products, both for their own networks and for providing managed network security services to their customers. Securing the next generation network needs a multi-layered security approach that looks beyond traditional network security and encompasses every facet of the NGN architecture, which can result in a new business paradigm. But before adopting multi-layered security solutions, we need to look at the vulnerabilities or loopholes that can invite unexpected attacks.

Is your Security Infrastructure tight enough?

As new innovative technologies promise better infrastructure and superior benefits for organizations, they also open up possibilities of new, complicated attacks on the infrastructure. As more and more new devices like smartphones, USB devices, tablet PCs etc. are connected every day, it’s really becoming a daunting task for network administrators to control access to sensitive information and to close these new infection channels. In addition, desktop antivirus programs face new challenges, such as hard-to-detect, zero-day malware. New threats also arrive through unprotected channels, such as Webmail, or through holes in a wireless network.

As threats become more sophisticated and workplace data leaks grow more prevalent, today’s security solutions are lacking. Conventional technologies such as firewalls, IDPS, and VPNs traditionally focus on perimeter protection to stop outside threats, failing to address “inside threats” from employees who browse infected Web sites, access Web mail, or use instant messaging to accidentally infect the corporate network.

Greater numbers of telecommuting and traveling employees and the blurring between home and work offices have increased mobile device use. According to the Yankee Group, almost 40 percent of all U.S. workers are now considered mobile, which translates to nearly 50 million employees. This creates a challenge for today’s companies to protect against the loss of corporate data assets—either by employees or contractors.

In the past, organizations would learn about a new vulnerability and then have weeks or even months to receive and implement a corresponding patch - or at least to receive and implement updates to their anti-virus software and intrusion detection systems. However, threats and attacks are now being launched only days after the announcement of a vulnerability. Furthermore, today's threats are routinely capable of spreading at an alarming pace, often reaching a substantial portion of susceptible targets within a matter of mere minutes.

Equally troubling is the fact that threats are becoming more elusive. On one hand, this stems from a rise in the frequency of blended threats. By creatively employing multiple exploit mechanisms, payloads, and propagation techniques, hackers can enhance the likelihood of their creations being able to elude an organization's defenses. On the other hand, it also stems from hackers shifting their attention to focus less on exploiting network-layer vulnerabilities and more on those associated with application services, logic, and even data itself. In both cases, the result is the same: an increasing capability and frequency of threats slipping through the predominantly network-layer focused defenses that most organizations have deployed to date.

New threats mostly arrive through unprotected channels such as Web mail or wireless networks. In addition, employees are using potentially vulnerable technologies, such as P2P file sharing, streaming media, and instant messaging, which allow malware to enter while also draining valuable network bandwidth. In addition, desktop antivirus programs, which usually act as a first line of defense, are not always effective in fighting hard-to-detect, zero-day malware. As IT departments work with security vendors to identify new malware threats and undertake the time-consuming process of developing patterns to detect and fix the problem, clean-up costs increase progressively as the infection spreads. In addition, the huge volume of today’s threats creates problems in updating employee machines with the latest malware pattern files.

So, the growing diversity and quantity of computing resources, both infrastructure and information, that now need to be secured are driving the need for multi-layer security platforms. Recent years have seen businesses trying to remain competitive, or even get ahead in the game, by implementing a rapidly expanding array of new technologies (as discussed above), by dramatically increasing their online presence, and by deploying a wide variety of revenue generating and/or productivity enhancing applications.

A Multi-layer Security Approach

The need for one-stop solutions and the numerous benefits associated with integrated solutions are the major factors driving growth in this market. Customers are looking for seamless convergence of multiple security technologies packaged into a single solution to address their security needs. With convergence being the defining trend in the security industry, system providers are developing products with enterprise-wide integration in mind. Given that the primary objective of using a multi-layer security platform is to obviate the need for a series of point products, it is clearly a fundamental requirement that such solutions incorporate a wide range of the most commonly needed security services.

In part this is necessary to ensure applicability in the greatest number of use cases, which is a topic that will be covered more thoroughly in the next section. However, from a security perspective it is also about having the ability to protect against all manner of threats with a single device. It should also be noted that this blending of techniques and mechanisms can occur not just across different services, but also within the individual countermeasures. For instance, a reactive (i.e., signature-based) anti-virus engine can be made more effective by coupling it with a proactive intrusion prevention engine and/or by enhancing it to include a proactive, heuristics-based virus detection capability. In fact, because it correlates well with security effectiveness, the characteristic of having a high degree of both inter- and intra-service blending should be considered an important criterion when selecting a multi-layer security platform.

For a comprehensive security approach--and the most effective approach--the entire network should be protected with multiple logical security components applied in layers (see Figure 1):

Figure 1

Network AAA Approach

Because of the greater access authority and functional privilege granted to network management personnel, their access and activities must be carefully secured to protect network configuration, performance, and survivability. The more open the enterprise and the more centralized the network management system, the greater the requirement for stringent security for network management processes. AAA (authentication, authorization, and accounting) and access control should be in place to discourage opportunistic attacks from outsiders.

Authentication and Authorization answer two very important questions: "Who" is entering the network and "What" service is being delivered, respectively. Once the user and service are verified, the experience delivered for the application/service can be varied per user based on user subscription, profile and additional contractual agreements. Device health and location data are then determined in order to deliver granular access control.

Accounting must contain sufficient information to establish individual accountability, reconstruct past events, detect intrusion attempts, and perform after-the-fact analysis of security incidents and long-term trend analysis. Accounting information helps identify the root cause of a security problem and prevent future incidents. For instance, activity logs can be used to reconstruct the sequence of events that led up to a problem, such as an intruder gaining unauthorized access to system resources, or a system malfunction caused by an incorrect configuration or a faulty implementation.

Network operator authentication based on strong centralized administration and enforcement of passwords ensures that only authenticated operators gain access to management systems. Centralized administration of passwords enables enforcement of password strength and removes the need for local storage of passwords on the network elements. Authorization for network operators uses the authenticated identity to determine the user’s access privileges—what systems they can access, what functions they can perform.
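The three AAA functions described above, as an added example that is not part of the original article or of any AAA product: a small central server that enforces a password policy at enrollment, verifies operators against salted PBKDF2 hashes held only on the server (so network elements store no passwords), authorizes management functions by role, and writes an append-only accounting log that can later be queried to reconstruct events on a given device. The policy values, role names and device names are constructed for the example.

```python
"""Minimal centralized AAA service for the network-management plane: policy-
checked operator passwords stored only on the AAA server, role-based
authorization of management functions, and an append-only accounting log
that can be replayed for after-the-fact analysis. Added illustration; the
policy values, roles and devices are constructed."""
import hashlib
import hmac
import os
import re
from collections import defaultdict
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple

# Constructed central password policy enforced at enrollment.
MIN_LENGTH = 12
REQUIRED_CLASSES = (re.compile(r"[A-Z]"), re.compile(r"[a-z]"), re.compile(r"\d"))


def password_meets_policy(pw: str) -> bool:
    return len(pw) >= MIN_LENGTH and all(p.search(pw) for p in REQUIRED_CLASSES)


def hash_password(pw: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2 so the network elements never hold reusable secrets."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)


class AAAServer:
    def __init__(self) -> None:
        self._creds: Dict[str, Tuple[bytes, bytes]] = {}
        self._roles: Dict[str, str] = {}
        # Constructed role model: which management functions each role may call.
        self._perms = {
            "noc-readonly": {"show-config", "show-logs"},
            "netadmin": {"show-config", "show-logs", "write-config"},
        }
        self.accounting: List[Dict[str, str]] = []   # append-only

    def enroll(self, operator: str, pw: str, role: str) -> None:
        if not password_meets_policy(pw):
            raise ValueError("password violates central policy")
        self._creds[operator] = hash_password(pw)
        self._roles[operator] = role

    def _record(self, operator: str, action: str, outcome: str, device: str) -> None:
        self.accounting.append({
            "ts": datetime.now(timezone.utc).isoformat(), "operator": operator,
            "action": action, "outcome": outcome, "device": device})

    def authenticate(self, operator: str, pw: str, device: str) -> bool:
        """'Who' is entering: verify against the central store; log both outcomes."""
        ok = False
        entry = self._creds.get(operator)
        if entry is not None:
            salt, digest = entry
            ok = hmac.compare_digest(hash_password(pw, salt)[1], digest)
        self._record(operator, "login", "success" if ok else "failure", device)
        return ok

    def authorize(self, operator: str, function: str, device: str) -> bool:
        """'What' may be done: decide from the authenticated identity's role."""
        allowed = function in self._perms.get(self._roles.get(operator, ""), set())
        self._record(operator, function, "permit" if allowed else "deny", device)
        return allowed

    def failed_logins_by_operator(self) -> Dict[str, int]:
        """After-the-fact analysis over the accounting log."""
        counts: Dict[str, int] = defaultdict(int)
        for rec in self.accounting:
            if rec["action"] == "login" and rec["outcome"] == "failure":
                counts[rec["operator"]] += 1
        return dict(counts)

    def timeline(self, device: str) -> List[str]:
        """Reconstruct the sequence of events against one network element."""
        return [f'{r["ts"]} {r["operator"]} {r["action"]} {r["outcome"]}'
                for r in self.accounting if r["device"] == device]


if __name__ == "__main__":
    srv = AAAServer()
    srv.enroll("alice", "Correct-Horse-42", "noc-readonly")
    srv.authenticate("alice", "Correct-Horse-42", "core-rtr-1")
    srv.authorize("alice", "write-config", "core-rtr-1")
    print("\n".join(srv.timeline("core-rtr-1")))
```

Every decision, including denials and failed logins, is recorded before the result is returned, which is what makes the `timeline` and `failed_logins_by_operator` queries trustworthy for incident reconstruction.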

Router-based Security

In both wireless and wired networks, intelligent routers should be deployed to prevent IP spoofing. On the data plane, routers should perform anti-spoofing by implementing access control lists (ACLs) and IP fragment filtering to drop all inbound traffic with suspicious source IP addresses or IP address ranges. Concurrently, BGP sessions, secure FTP, and SSH should be secured on the router’s network protocol level.
Additionally, with the proliferation of VoIP and IMS systems, securing session flow--a relatively new function of router-based security--is becoming more and more relevant. Routers are the perfect place to perform session flow protection due to their Border Gateway Functionalities (BGF). BGF can filter and block unwanted flows, rate limit flows based on bandwidth, prioritize flows across the core network, and enable NAT-traversal without tromboning.
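
The data-plane anti-spoofing filter described above, as an added example that is not from the article or from any router vendor's ACL syntax: inbound packets on the outside interface are dropped when their source address falls inside the enterprise's own prefixes or inside reserved/private space (the BCP 38 idea), and non-initial fragments, which carry no transport header for a port-based rule to evaluate, are dropped rather than allowed to slip past. The prefixes, the fragment policy and the sample packets are constructed.

```python
"""Ingress anti-spoofing filter in the spirit of BCP 38 for the outside
interface of a border router. Added illustration: the prefixes, the drop
policy for fragments and the sample packets are constructed, not taken from
any vendor's ACL syntax."""
import ipaddress
from typing import Dict, List, Tuple

# Constructed: address space the enterprise owns. Legitimate as a destination
# on the outside interface, never legitimate as a source there.
INTERNAL_PREFIXES = [ipaddress.ip_network(p) for p in
                     ("203.0.113.0/24", "2001:db8::/32")]

# Reserved/private ranges that should never arrive from the Internet as a
# source address (a partial bogon list, constructed for the example).
BOGON_PREFIXES = [ipaddress.ip_network(p) for p in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4")]


def classify_inbound(src: str, is_fragment: bool = False,
                     frag_offset: int = 0) -> str:
    """Return 'permit' or 'drop:<reason>' for one inbound packet."""
    addr = ipaddress.ip_address(src)
    # 'in' is False across address families, so mixing v4 and v6 is safe here.
    if any(addr in net for net in INTERNAL_PREFIXES):
        return "drop:spoofed-internal-source"
    if any(addr in net for net in BOGON_PREFIXES):
        return "drop:bogon-source"
    # Non-initial fragments carry no L4 header, so a port-based ACL cannot
    # evaluate them; this policy drops them rather than letting them bypass.
    if is_fragment and frag_offset > 0:
        return "drop:non-initial-fragment"
    return "permit"


def filter_packets(packets: List[Dict]) -> Tuple[List[Dict], Dict[str, int]]:
    """Apply the filter to a batch; return permitted packets and drop counts."""
    permitted, dropped = [], {}
    for pkt in packets:
        verdict = classify_inbound(pkt["src"], pkt.get("fragment", False),
                                   pkt.get("offset", 0))
        if verdict == "permit":
            permitted.append(pkt)
        else:
            dropped[verdict] = dropped.get(verdict, 0) + 1
    return permitted, dropped


# Constructed sample of packets seen on the outside interface.
SAMPLE_PACKETS = [
    {"src": "198.51.100.7", "dst": "203.0.113.10"},        # ordinary Internet source
    {"src": "203.0.113.9", "dst": "203.0.113.10"},         # our own prefix as source
    {"src": "10.1.2.3", "dst": "203.0.113.10"},            # RFC 1918 source
    {"src": "198.51.100.8", "dst": "203.0.113.10",
     "fragment": True, "offset": 185},                     # non-initial fragment
    {"src": "2001:db8::1", "dst": "2001:db8:1::10"},       # our own IPv6 prefix
]

if __name__ == "__main__":
    ok, drops = filter_packets(SAMPLE_PACKETS)
    print(f"permitted={len(ok)} dropped={drops}")
```

The drop counters are kept per reason so that a sudden rise in one category (for example spoofed internal sources) is visible to monitoring rather than lost in an aggregate deny count.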

And, of course, law enforcement security requirements have always been an integral part of router-based security: CALEA requirements (or other government approved), Lawful Intercept (LI), and VLAN Mirroring can be performed at the second layer of security.

Figure 2

Firewalls with Deep Inspection

Just like in the computer world, smarter, more sophisticated attacks have the ability to penetrate the first two lines of defense. Thus a sturdy firewall with Deep packet inspection is necessary as a third layer. These firewalls create a VPN using IPSec for authenticating and encrypting IP packets, Transport Layer Security (TLS), and SSL VPN capabilities to provide critical protection against Denial of Service (DoS), Distributed Denial of Service (DDoS), and other types of attacks.

If an attack is launched from an email attachment received at a user's PC, it is very likely that you might allow these protocols to traverse security zones on your network. How can we prevent issues carried by protocols that our businesses require to function? The answer is Deep Packet Inspection. Deep Packet Inspection devices are concerned with the content of the packets. Antivirus software has been doing it at the host and mail server level, and network IDSs have been doing it on the wire for years. However, these products have limited visibility and capability to deal with the malicious payloads they find. A major disadvantage of content filtering at these levels is that the worm, Trojan horse, or malicious packet has already entered your network perimeter. Firewalls offering Deep Packet Inspection technology have the ability to detect and drop packets at the ingress point of the network. What more appropriate place to stop malicious traffic than at the firewall?

In the past, you have been able to use router or firewall content-filtering technologies to enter the signature of a worm or other malicious event and block it at the exterior of your network. However, what newer Deep Packet Inspection devices bring to the table are preloaded signatures, similar to those used by an antivirus solution. This way, your firewall is aware of and able to detect and remove malicious content as it arrives at your network. Also, because the packet's content is being considered at the application layer, traffic anomalies representative of an attack or worm can also be considered and filtered even if a specific signature isn't available for it. For example, if some attack uses a command that is considered nonstandard for a particular protocol, the device doing Deep Packet Inspection would be able to recognize it and drop the malicious content.

A Deep Packet Inspection firewall is responsible for performing many simultaneous functions. The entire content of a packet's application layer information needs to be reviewed against a list of attack signatures as well as for anomalous traffic behaviors. These firewalls also have to perform all the standard functions a stateful firewall typically handles. Therefore, advanced hardware is required to perform all these processes in a timely manner. This advanced hardware integration (typically dedicated "processors" just for this task) is what has set Deep Packet Inspection firewalls apart from their predecessors. It enables the swift processing and removal of anomalous traffic, with the added advantage of the stateful firewall's perspective on the overall communication flow of the network. This offers a major edge when determining which traffic is malicious and which is not.

Firewalls must be able to scale to handle drastically increasing volumes of mobile traffic flow so that the network’s performance is not negatively impacted during spikes.

There are several distinct features of firewall security:

  • Scalable performance: ability to leverage new services with appropriate processing capabilities without sacrificing overall system performance

  • System and network resiliency: Carrier-class reliability

  • Interface flexibility: Highly flexible I/O configuration and independent I/O scalability

  • Network segmentation: Security zone, virtual LANs (VLANs), and virtual routers allow administrators to tailor security and networking policies for various internal, external, and demilitarized zone (DMZ) subgroups

  • Robust routing engine: Carrier-class routing engine provides physical and logical separation of data and control planes to allow deployment of consolidated routing and security devices and ensure the security of routing infrastructures

  • Comprehensive threat protection: Integrated security features and services include a multi-gigabit firewall, intrusion detection and prevention (IDP), denial of service (DoS), network address translation (NAT), and quality of service (QoS).

Intrusion Detection and Prevention (IDP)

The most sophisticated mobile attacks will require a fourth logical level of defense: Intrusion detection and prevention (IDP). IDP provides important content inspection and antivirus/anti-spam capabilities. Content inspection is designed to stop L7/application attacks and is the only way to detect what is really running on the L7/application or the signaling application layers.

IDP detects unusual or suspicious behavior on the application layer by using customizable signatures based on stateful protocol inspection, attack patterns and behavioral learning. This capability is vital for mobile service providers who want to protect their networks against penetration and proliferation of worms and other malware including Trojans, spyware, Keyloggers and adware.

These systems should be designed to detect the presence of attacks within permitted traffic flow to the network by using stateful signatures that scan for attacks based on known patterns. Stateful signatures need to be easily customizable in order to fit into different provider requirements and specific concerns.
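
The two inspection mechanisms described in the Deep Packet Inspection and IDP sections above (content signatures on the application payload, and protocol anomaly detection such as a nonstandard command or a command issued in the wrong protocol state), as one added example that is not from the article or from any firewall or IDP product. It is a toy inspector for an SMTP-style command channel that keeps per-flow protocol state, so content signatures only run inside a message body and the "stateful signature" for DATA fires only when the envelope is missing. The command set, the signatures and the traffic are constructed; the signatures are placeholders, not indicators of any real malware.

```python
"""Toy content-inspection engine for an SMTP-style command channel, combining
the two mechanisms the article describes: payload signatures and protocol
anomaly detection, both evaluated against per-flow protocol state. Added
illustration: the commands, signatures and traffic are constructed."""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Commands the protocol defines; anything else is a "nonstandard command".
STANDARD_COMMANDS = {"HELO", "EHLO", "MAIL", "RCPT", "DATA", "RSET",
                     "NOOP", "QUIT", "STARTTLS", "AUTH", "VRFY"}

# Constructed content signatures (placeholders, not real malware indicators).
CONTENT_SIGNATURES = {
    "SIG-0001-constructed-worm-marker":
        re.compile(rb"X-Constructed-Worm-Marker: [0-9a-f]{8}"),
    "SIG-0002-executable-attachment":
        re.compile(rb'filename="[^"]+\.(?:exe|scr|pif)"', re.IGNORECASE),
}

FlowId = Tuple[str, int, str, int]   # src ip, src port, dst ip, dst port


@dataclass
class FlowState:
    stage: str = "init"              # init -> greeted -> envelope -> data
    alerts: List[str] = field(default_factory=list)


class Inspector:
    def __init__(self) -> None:
        self.flows: Dict[FlowId, FlowState] = {}

    def inspect(self, flow: FlowId, payload: bytes) -> List[str]:
        """Inspect one client->server segment; return alerts raised by it."""
        st = self.flows.setdefault(flow, FlowState())
        new: List[str] = []

        if st.stage == "data":
            # Message body: content signatures apply only in this state.
            for name, pattern in CONTENT_SIGNATURES.items():
                if pattern.search(payload):
                    new.append(name)
            if payload.endswith(b"\r\n.\r\n"):      # end-of-data marker
                st.stage = "greeted"
        else:
            first_line = payload.split(b"\r\n", 1)[0]
            cmd = first_line.split(b" ", 1)[0].upper().decode("ascii", "replace")
            if cmd not in STANDARD_COMMANDS:
                new.append(f"ANOMALY-nonstandard-command:{cmd}")
            elif cmd in ("HELO", "EHLO"):
                st.stage = "greeted"
            elif cmd in ("MAIL", "RCPT"):
                if st.stage == "init":
                    new.append("ANOMALY-envelope-before-greeting")
                st.stage = "envelope"
            elif cmd == "DATA":
                # Stateful signature: DATA is only valid after MAIL/RCPT.
                if st.stage != "envelope":
                    new.append("ANOMALY-data-without-envelope")
                st.stage = "data"
            elif cmd == "RSET":
                st.stage = "greeted"
            elif cmd == "QUIT":
                st.stage = "closed"

        st.alerts.extend(new)
        return new

    def verdict(self, flow: FlowId) -> str:
        """A flow with any alert is dropped; otherwise it is permitted."""
        st = self.flows.get(flow)
        return "drop" if st and st.alerts else "permit"


if __name__ == "__main__":
    ins = Inspector()
    f = ("198.51.100.5", 40001, "203.0.113.25", 25)
    for seg in (b"EHLO client.example\r\n", b"MAIL FROM:<a@example.com>\r\n",
                b"RCPT TO:<b@example.net>\r\n", b"DATA\r\n",
                b"Subject: hi\r\nX-Constructed-Worm-Marker: deadbeef\r\n\r\nhi\r\n.\r\n"):
        print(seg[:20], ins.inspect(f, seg))
    print(ins.verdict(f))
```

Because the engine is stateful, the same bytes are judged differently depending on where the flow is: a signature pattern appearing in a command line is not a body match, and a DATA command is only an anomaly when no envelope preceded it, which is the advantage the article attributes to stateful signatures over plain pattern matching.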
Unification of Security Monitoring

Modern enterprise networks face a plethora of technical, political and business hurdles that make accurate security and compliance monitoring difficult and costly. The Unified Security Monitoring approach is revolutionizing the way organizations are monitoring (i.e. gathering, evaluating, communicating and reporting) security and compliance information.

The combination of network scanning, passive network monitoring and integration with existing asset and network management data allows the Security Center to organize network assets into categories. This enables an auditor to review all components of a particular application.

Typically, an auditor reviews a long list of IP addresses that may have vulnerabilities of various severities associated with them. What is usually missing is the correlation of interdependencies of the application’s components. The Security Center is a powerful tool in compliance monitoring by providing a complete asset list for applications and ensuring that the weakest link in the chain is accounted for.

For example, consider a typical PeopleSoft deployment for a human resources group. The actual PeopleSoft application may run on one or more Windows servers. Those applications will interact with several databases, be connected over some network switches and possibly have front-end web servers for load-balancing. The entire group of servers comprises the “PeopleSoft” asset. A security problem with a switch or database may be just as critical as one found in the actual PeopleSoft program. To an auditor, being able to work with all of the security issues for one asset type at a time is very efficient.
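The asset-centric view described above, as an added example that is not from the article or from the Security Center product: a flat scanner result list keyed by IP address is rolled up into application assets, a component shared by two applications (here a switch) counts against both, and each application's posture is reported as its weakest component. The asset model and the findings are constructed.

```python
"""Application-centric roll-up of scanner findings for unified security
monitoring: per-host findings are grouped into the application asset they
belong to, and each application's posture is its weakest component. Added
illustration; the asset model and findings are constructed."""
from typing import Dict, List, Tuple

SEVERITY_RANK = {"info": 0, "low": 1, "medium": 2, "high": 3, "critical": 4}
RANK_TO_SEVERITY = {v: k for k, v in SEVERITY_RANK.items()}

Finding = Tuple[str, str, str]   # host, title, severity

# Constructed asset model: application -> component hosts (app servers,
# database, web front end, switch). The switch 10.10.0.1 is shared, so a
# finding on it counts against both applications.
ASSETS: Dict[str, List[str]] = {
    "PeopleSoft-HR": ["10.10.1.10", "10.10.1.11", "10.10.2.5", "10.10.0.1"],
    "Web-Storefront": ["10.20.1.10", "10.20.2.5", "10.10.0.1"],
}

# Constructed scanner output as an auditor normally sees it: a flat list by IP.
FINDINGS: List[Finding] = [
    ("10.10.1.10", "application server missing vendor patches", "medium"),
    ("10.10.2.5", "database listener allows unencrypted logins", "high"),
    ("10.10.0.1", "switch management interface uses default credentials", "critical"),
    ("10.20.1.10", "web server returns verbose error pages", "low"),
    ("192.0.2.77", "host not in any asset group", "high"),
]


def rollup(assets: Dict[str, List[str]], findings: List[Finding]):
    """Return ({app: {"worst": severity, "findings": [...]}}, unassigned findings)."""
    host_to_apps: Dict[str, List[str]] = {}
    for app, hosts in assets.items():
        for host in hosts:
            host_to_apps.setdefault(host, []).append(app)

    per_app: Dict[str, List[Finding]] = {app: [] for app in assets}
    unassigned: List[Finding] = []
    for finding in findings:
        apps = host_to_apps.get(finding[0])
        if not apps:
            unassigned.append(finding)      # coverage gap: an unmanaged host
            continue
        for app in apps:
            per_app[app].append(finding)

    summary = {}
    for app, items in per_app.items():
        worst = max((SEVERITY_RANK[sev] for _, _, sev in items), default=0)
        summary[app] = {"worst": RANK_TO_SEVERITY[worst], "findings": items}
    return summary, unassigned


if __name__ == "__main__":
    summary, unassigned = rollup(ASSETS, FINDINGS)
    for app, info in summary.items():
        print(f"{app}: worst={info['worst']} findings={len(info['findings'])}")
    print("not covered by any asset:", unassigned)
```

Findings on hosts that belong to no asset are returned separately rather than silently dropped; an unmanaged host with a high-severity finding is itself something an auditor needs to see.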

Sensitive Data Monitoring

Both Active and Passive Vulnerability Scanners can identify sensitive data. The active scanner can be easily configured to look for common data formats such as credit card numbers and social security numbers. It can also be easily modified to search for documents with unique corporate identifiers such as employee names, project topics, sensitive keywords and so on. The active scanner can perform these searches without an agent and only requires credentials to scan a remote computer. The Passive Vulnerability Scanner can monitor network traffic to identify sensitive traffic in motion over email, web and chat activity. It can also simply identify servers that host office documents on web servers. Both active and passive vulnerability scanners also act as a deterrent. If organizations realize they will be audited for their use of certain types of data, they will be less likely to give it to others or perhaps leave it on unauthorized systems.
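The content search the active scanner performs, as an added example that is not from the article or from any scanner product: documents read from a host are checked for card-number and SSN formats plus a customisable list of corporate keywords, a Luhn check discards digit strings that merely look like card numbers, and findings are reported with the value masked so the scanner's own report does not become a second copy of the sensitive data. The documents and keywords are constructed.

```python
"""Sensitive-data discovery over a set of documents, in the manner of the
active scanner's content search: pattern matching for card numbers and
SSNs, a Luhn check to cut false positives, and customisable corporate
keywords. Added illustration; documents and keywords are constructed."""
import re
from typing import Dict, List, Tuple

# 13-19 digits, optionally separated by spaces or dashes, not inside a longer number.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# SSN format with the structurally invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# Constructed corporate identifiers an organisation would add to its policy.
CORPORATE_KEYWORDS = ["Project Constructed-Falcon", "INTERNAL ONLY"]


def luhn_valid(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(value: str) -> str:
    """Never report the full secret: keep only the last four digits."""
    digits = re.sub(r"\D", "", value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_text(text: str) -> List[Tuple[str, str]]:
    findings: List[Tuple[str, str]] = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_valid(digits):      # order numbers etc. that fail Luhn are ignored
            findings.append(("card-number", mask(digits)))
    for m in SSN_RE.finditer(text):
        findings.append(("ssn", mask(m.group())))
    for kw in CORPORATE_KEYWORDS:
        if kw.lower() in text.lower():
            findings.append(("corporate-keyword", kw))
    return findings


def scan_documents(docs: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Scan every document; return only the ones with findings."""
    results = {}
    for path, text in docs.items():
        found = scan_text(text)
        if found:
            results[path] = found
    return results


# Constructed file contents as the scanner would read them over a credentialed login.
SAMPLE_DOCS = {
    "C:/Users/hr/payroll.txt": "Card on file: 4111 1111 1111 1111, SSN 123-45-6789",
    "C:/Users/eng/notes.txt": "Order 1234 5678 9012 3456 shipped; see Project Constructed-Falcon",
    "C:/Users/eng/readme.txt": "Nothing sensitive here; phone 555-0100",
}

if __name__ == "__main__":
    for path, found in scan_documents(SAMPLE_DOCS).items():
        print(path, found)
```

The order number in the second document has the right length for a card number but fails the Luhn check and is not reported, which is the kind of false-positive suppression that keeps a data-discovery audit credible.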

Configuration Audits

Security policies, guidelines, standards and procedures provide a mandate for maintaining network security. A policy is defined as what will and will not be permitted, such as “users are required to have passwords and keep them secure”. Guidelines are suggested methods of how to adhere to the policy, such as “users should change passwords on a regular basis”. Standards are specific technical rules for a particular platform, such as Microsoft IIS or database servers. A standard might state “passwords must be set to expire every 90 days and must force the user to use a combination of alpha-numeric characters”. Finally, procedures provide users and systems administrators with methods for maintaining security, such as “how to install a Microsoft IIS Server Securely”. It is important to understand the distinction between these to ensure appropriate compliance.

A configuration audit is one where the auditors verify that servers and devices are configured according to an established standard and maintained with an appropriate procedure. The Security Center can perform configuration audits on key assets through the use of active vulnerability scanner’s local checks that can log directly onto a Unix or Windows server without an agent.

The Security Center ships with several audit standards. Some of these come from best practice centers like the National Institute of Standards and Technology (NIST) and the National Security Agency (NSA). In addition to the base audits, it is very easy to create customized audits for the particular requirements of any organization. These customized audits can be loaded into the Security Center and made available to anyone performing configuration audits within an organization. Once the audit policies have been configured in the Security Center, they can be repeatedly used with little effort. Also, with the knowledge of assets, the Security Center can perform audits intended for specific assets. Through the use of audit policies and assets, an auditor can quickly determine the compliance posture for any specified asset.
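A configuration audit of the kind described in this section, as an added example that is not from the article or from the Security Center product: an audit policy is a list of checks, each naming a file, a pattern that captures the setting, and the condition the value must meet; the checks are run against the files read from a host and produce a pass/fail result with the evidence, and a custom check can be appended to the shipped policy. The file names are real Linux locations, but the checks, the policy values and the two host snapshots are constructed.

```python
"""Configuration audit in the style the article describes: a policy of
checks (password expiry, password complexity, an SSH hardening standard)
evaluated against files read from a host. Added illustration: the checks and
the two host snapshots are constructed; the file names are real Linux
locations but the contents are made up."""
import re
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass
class Check:
    id: str
    file: str
    pattern: str                      # regex whose group(1) is the setting's value
    expect: Callable[[str], bool]     # predicate the value must satisfy
    desc: str


# Constructed audit policy: the "standards" of the section as machine checks.
AUDIT_POLICY: List[Check] = [
    Check("PW-MAX-AGE-90", "/etc/login.defs", r"^\s*PASS_MAX_DAYS\s+(\d+)",
          lambda v: int(v) <= 90, "passwords must expire within 90 days"),
    Check("PW-MIN-CLASSES", "/etc/security/pwquality.conf", r"^\s*minclass\s*=\s*(\d+)",
          lambda v: int(v) >= 2, "passwords must mix at least two character classes"),
    Check("SSH-NO-ROOT-LOGIN", "/etc/ssh/sshd_config", r"^\s*PermitRootLogin\s+(\S+)",
          lambda v: v.lower() == "no", "root may not log in directly over SSH"),
]


def extract_setting(text: str, pattern: str) -> Optional[str]:
    """Return the captured value of the first uncommented matching line."""
    m = re.search(pattern, text, re.MULTILINE)
    return m.group(1) if m else None


def run_audit(host_files: Dict[str, str],
              policy: List[Check] = AUDIT_POLICY) -> List[Tuple[str, str, str]]:
    """Evaluate every check; return (check id, PASS/FAIL, evidence)."""
    results = []
    for check in policy:
        text = host_files.get(check.file)
        if text is None:
            results.append((check.id, "FAIL", "file not present"))
            continue
        value = extract_setting(text, check.pattern)
        if value is None:
            results.append((check.id, "FAIL", "setting not defined"))
        elif check.expect(value):
            results.append((check.id, "PASS", value))
        else:
            results.append((check.id, "FAIL", value))
    return results


def compliance(results: List[Tuple[str, str, str]]) -> Tuple[int, int]:
    """(passed, total) for a quick posture figure per asset."""
    return sum(1 for _, status, _ in results if status == "PASS"), len(results)


# Constructed host snapshots as read over a credentialed login.
COMPLIANT_HOST = {
    "/etc/login.defs": "# constructed\nPASS_MAX_DAYS 60\nPASS_MIN_DAYS 1\n",
    "/etc/security/pwquality.conf": "minlen = 12\nminclass = 3\n",
    "/etc/ssh/sshd_config": "#PermitRootLogin yes\nPermitRootLogin no\n",
}
DRIFTED_HOST = {
    "/etc/login.defs": "PASS_MAX_DAYS 99999\n",
    "/etc/security/pwquality.conf": "minlen = 8\n",
    "/etc/ssh/sshd_config": "PermitRootLogin yes\n",
}

if __name__ == "__main__":
    for name, host in (("hr-db-01", COMPLIANT_HOST), ("web-01", DRIFTED_HOST)):
        results = run_audit(host)
        print(name, compliance(results), results)
```

The pattern anchors on the start of an uncommented line, so a commented-out `#PermitRootLogin yes` left in the file is not mistaken for the effective value; a missing file and an undefined setting are both reported as failures with distinct evidence, since an absent control is not a passing one.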

Conclusion

Today's attacks are stealthy, targeted and financially motivated. You can't afford to wait until you hear about them. Small or large, every business today looks at threat-protection technologies to manage and secure laptops, mobile devices and other endpoints. Those technologies include firewalls, intrusion protection and device controls that prevent anyone from loading company data onto USB keys, MP3 players or other portable storage devices. So, preventing serious blended threats originating from different devices in the network demands a multi-layered security approach, and managing a network connected to several devices, each a potential source of serious threats, requires unified monitoring and management.

—By: ‘InfoSecurity’ Bureau.



© 2006-07 'InfoSecurity' magazine. All rights reserved.