"A Not So Technical" Technical Whitepaper

‘Taking Security to the Edge’ – The New Paradigm for Network Security

By James Ealer

Your company's computer network is under attack. And your laptop may be doing the attacking.

The attack begins innocuously enough. You get to the airport a few minutes early, turn on your laptop, log on to a public wireless hotspot—and within minutes, you are infected by another laptop user at the airport whose computer is on the same network you are. You return to the office the next day and plug your laptop into your corporate network. It’s business as usual, until you realize your laptop is acting ‘funny’ and you call your IT help desk. But by then it’s too late—you may have already introduced a virus or other network threat into your corporate network.

The problem of mobile computers is compounded by the fact that laptops and wireless access are more commonplace than ever. In May 2005, for the first time ever, laptops outsold desktops. And wireless Internet access is now available almost everywhere business people travel—hotels, airports, restaurants and convention centers.

Given these threats, how can we learn to trust our laptops again? We need to take network security from the traditional ‘perimeter’ of the network (where we protect ourselves with a firewall) to the endpoints of the network as well (where all our network devices plug into the network). Establishing complete endpoint security requires three distinct components:

Securing all connection points on the network (both to the Internet and to our local area network)
Put another way, if our network was a house, in the past we just locked the front door and considered ourselves safe. Today, instead of locking just the front door, we have to lock all the doors, and put security cameras on all of them to boot. The combination of the above will allow us to regain control over our networks—and make us feel good about our laptops again.

Little Padlocks

In most companies, there is little or no physical security on the local area network. You plug your laptop or desktop into a network jack—any network jack—and you’re “on.” This setup makes network access very convenient for legitimate network users. And hackers. And computer viruses.

So our first step in improving security is to prevent unknown or untrusted computers from getting on our networks in the first place. Our paradigm needs to shift from “any computer on my local network must be OK” to one of “if I don’t know where it’s been, it won’t get in.”

But how do we make this change? You can’t very well put padlocks on all the RJ-45 jacks in your office, can you? The answer is: you can. The current generation of managed Ethernet switches supports a number of authentication protocols—including 802.1x—which force any network device to ‘log in’ to the network before it can even touch your mission critical servers or data.

Putting this level of security in our networks was possible in the past, but it was almost always a very static configuration and required a tremendous amount of IT manpower to keep the systems properly configured and maintained. This made the cost of implementing such a system unacceptable for most businesses. With 802.1x, however, your network switches can automatically authenticate your users against your existing user directory, without your users even knowing. Most operating systems have the client software built in (including Windows XP and Apple OS X), and the configuration on your servers is generally straightforward.
While some additional IT expertise is required to set up 802.1x, once the system is up and running, it is generally simple to use and maintain.

The Guest Room

Keep in mind that when you implement 802.1x across your network, you will get exactly what you asked for: a network that does not allow unauthorized users. So what happens when our company guests—sales people, vendors and even clients—come to visit and need to get on-line? In the past, the temptation for most network administrators was to circumvent security rules and grant these users access—“just for now”. Great hospitality, but very poor security.

Fortunately, we can extend our 802.1x implementation to create ‘guest rooms’ on our network for visitors and friends. If a user does not have a login to the network, the network can force them onto a virtual network (VLAN) that provides the user with Internet access, but which does not grant them any access to our mission critical business systems. And even better, 802.1x can grant such access dynamically—if a guest user plugs his or her laptop into a conference room network jack, that user will get Internet access only. A trusted laptop can plug into the same network jack, however, and get full access to the network—all without a single call to the IT help desk, and without the user even noticing the security changes going on behind the scenes.

Wash Your Computer Before Returning To Work

Authenticating our network endpoints using 802.1x is the first step in securing our internal network, but it is not the final step. While 802.1x makes sure only authorized computers get on the network, there is still a risk that an authorized computer is ‘dirty’—infected with a virus or Trojan horse. In addition to authentication, we therefore also need to have a way of doing a health check on computers before they log in.
The good news is that software vendors such as Sygate and Check Point have developed endpoint security systems which tie into 802.1x and can do exactly this. These vendors’ software puts agents on your computer that monitor your system for virus updates, security patches, and known vulnerabilities that can lead to your system getting hacked. When you connect to the network, not only does the laptop have to log in, but your system gets checked for problems. If your system is not clean, you do not get access to the network.

These systems can go a step further as well—if they detect a problem with your system, they can temporarily put your computer in solitary confinement on the network, allowing you enough access to get your system clean (by downloading updates and anti-virus software), without putting the rest of your network in jeopardy. As with 802.1x, when these systems are properly implemented, they do not necessarily require the intervention of the IT department. Instead, the user can be redirected to a web page that informs them of how to update virus definitions, install security updates—and get back on the network.

You Need a Big Brother

The final component in our new network security strategy is our big brother—in the Orwellian sense. You need someone—or something—watching over your network at all times.
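As an added illustration (not part of the original whitepaper, and not any vendor's product code), the following Python models the access decision the "Guest Room" and "Wash Your Computer" sections describe: a device that presents no 802.1x login lands on an Internet-only guest VLAN, a failed login is rejected, an authenticated but unhealthy machine is quarantined on a remediation VLAN, and a clean authenticated machine receives the corporate VLAN. The user directory, VLAN numbers, posture thresholds and dates are constructed for the example; the Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID attributes are the standard RADIUS attributes (RFC 3580) a switch acts on to place a port in a VLAN.

```python
"""Added example: a simplified model of the 802.1x access decision described above.

Everything here is constructed for illustration (directory, VLAN ids, thresholds);
it assumes a switch that forwards the login to a RADIUS server and places the
port in whatever VLAN the server's Tunnel-* attributes (RFC 3580) name.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional
import hashlib
import hmac

CORP_VLAN = "100"         # full access to business systems (constructed id)
GUEST_VLAN = "200"        # Internet only (constructed id)
REMEDIATION_VLAN = "300"  # reach update servers only (constructed id)
MAX_SIGNATURE_AGE = timedelta(days=3)   # constructed posture threshold


def _digest(password: str) -> str:
    # Stand-in for the directory's stored credential; a real directory would
    # use a salted, slow password hash or certificates rather than plain SHA-256.
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed user directory: username -> stored credential digest.
DIRECTORY = {"alice": _digest("correct horse"), "bob": _digest("battery staple")}


@dataclass
class Posture:
    """Health report from the endpoint agent (the text's 'health check')."""
    av_signature_date: date
    missing_critical_patches: int = 0


@dataclass
class Supplicant:
    """What the switch learns from the device on a port. username=None models a
    device with no 802.1x client at all, i.e. a visitor's laptop."""
    username: Optional[str] = None
    password: Optional[str] = None
    posture: Optional[Posture] = None


def vlan_attributes(vlan_id: str) -> dict:
    # RFC 3580: Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802.
    return {"Tunnel-Type": 13, "Tunnel-Medium-Type": 6,
            "Tunnel-Private-Group-ID": vlan_id}


def posture_ok(p: Posture, today: date) -> bool:
    signatures_fresh = (today - p.av_signature_date) <= MAX_SIGNATURE_AGE
    return signatures_fresh and p.missing_critical_patches == 0


def authorize(s: Supplicant, today: date) -> dict:
    """Return the RADIUS-style reply the switch would act on."""
    if s.username is None:
        # No login at all: force the port onto the Internet-only guest VLAN.
        return {"result": "Access-Accept", "reason": "guest",
                **vlan_attributes(GUEST_VLAN)}
    stored = DIRECTORY.get(s.username)
    if stored is None or not hmac.compare_digest(stored, _digest(s.password or "")):
        # A failed login is treated as hostile, not as a guest.
        return {"result": "Access-Reject", "reason": "bad credentials"}
    if s.posture is None or not posture_ok(s.posture, today):
        # Authorized but dirty: quarantine with just enough access to get clean.
        return {"result": "Access-Accept", "reason": "posture failed",
                **vlan_attributes(REMEDIATION_VLAN)}
    return {"result": "Access-Accept", "reason": "ok",
            **vlan_attributes(CORP_VLAN)}


if __name__ == "__main__":
    today = date(2010, 6, 1)   # constructed date
    print(authorize(Supplicant(), today))
    print(authorize(Supplicant("alice", "correct horse", Posture(date(2010, 5, 31))), today))
    print(authorize(Supplicant("alice", "correct horse", Posture(date(2010, 5, 1))), today))
```

The one design choice worth noting is that an unknown or wrong password is rejected outright rather than dropped into the guest VLAN: the guest VLAN is for devices that never attempt a login, while a failed login on a corporate port is a signal the help desk should see.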
The big brother we need is an intrusion detection system—a network monitoring system that is always listening to our network traffic and looking for signs of virus infections and other security problems. These systems work on the premise that legitimate network activity looks very different from illegitimate activity. Think of it this way: if you see someone walk out of a jewelry store with a small box, you’re probably safe in assuming they bought a ring. If you see someone running out of a jewelry store with an armful of necklaces, you can be pretty confident they are stealing.

In the network world, most viruses and infections spread by trying to contact as many other computers on the network as they can. This results both in a large quantity of network activity as the virus tries to spread, and also an unusual pattern of network activity as the infected computer tries to contact every other device on the network. An intrusion detection system can pick up this activity and send an alert to IT staff instantaneously. Hewlett Packard has a new software feature set on its flagship network switches that can detect probable virus infections on a network, shut down that traffic, and alert system administrators. By detecting problems early, they can be contained before they cause widespread damage to the network.

Summary

With our corporate networks expanding into hotels, coffee shops and any location where there is broadband access, we need to expand our security perimeter to counter threats at every point in our network. Using the 802.1x authentication protocol as the core of our security infrastructure, we can secure every jack on our networks, provide secure access to our guest users and make sure all systems are clean before they get on our network. And, properly implemented, 802.1x can actually reduce the workload on our IT staffs by eliminating the fire drills associated with virus outbreaks and related network meltdowns.
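The "Big Brother" section says an infected machine gives itself away by contacting far more hosts than a normal workstation does in a short time. As an added example (written for this page, not taken from the whitepaper or from any switch vendor's feature set), the Python below runs that one rule over constructed flow records: one ordinary host that talks to three servers, and one host that sweeps forty addresses in forty seconds. The record format "<epoch> <source> <destination> <port>", the one-minute window and the twenty-host threshold are all assumptions of this example.

```python
"""Added example: a minimal 'contacts too many hosts too quickly' detector of the
kind the intrusion detection section above describes.  Flow records and
thresholds are constructed; the record format '<epoch> <src> <dst> <dstport>'
is an assumption of this example, not any IDS product's format."""
from collections import defaultdict, deque

WINDOW_SECONDS = 60             # constructed: look back one minute
DISTINCT_HOST_THRESHOLD = 20    # constructed: alert at 20 distinct peers


def constructed_flow_records() -> list:
    """Build sample flows: one ordinary workstation and one host sweeping the subnet."""
    base = 1275350400  # constructed epoch, June 2010
    lines = []
    servers = ["10.0.1.10", "10.0.1.11", "10.0.1.12"]
    # Ordinary host: 60 connections to three servers over ten minutes.
    for i in range(60):
        lines.append(f"{base + i * 10} 10.0.0.5 {servers[i % 3]} 80")
    # Infected host: 40 different hosts on port 445 within 40 seconds.
    for i in range(40):
        lines.append(f"{base + 120 + i} 10.0.0.23 10.0.1.{100 + i} 445")
    return lines


def parse_flow(line: str) -> tuple:
    ts, src, dst, port = line.split()
    return int(ts), src, dst, int(port)


def detect_sweeps(lines, window=WINDOW_SECONDS, threshold=DISTINCT_HOST_THRESHOLD) -> list:
    """Alert once per source that contacts >= threshold distinct hosts inside window."""
    recent = defaultdict(deque)   # src -> (ts, dst) pairs still inside the window
    alerts = {}
    for ts, src, dst, _port in sorted(parse_flow(l) for l in lines):
        q = recent[src]
        q.append((ts, dst))
        # Drop records that have aged out of the sliding window.
        while q and ts - q[0][0] > window:
            q.popleft()
        distinct = {d for _, d in q}
        if len(distinct) >= threshold and src not in alerts:
            alerts[src] = {"source": src, "distinct_hosts": len(distinct),
                           "window_start": q[0][0], "alert_time": ts}
    return list(alerts.values())


if __name__ == "__main__":
    for a in detect_sweeps(constructed_flow_records()):
        print(f"ALERT {a['source']} contacted {a['distinct_hosts']} hosts "
              f"between {a['window_start']} and {a['alert_time']}")
```

The detector fires the moment the twentieth distinct destination appears inside the window, which is the "armful of necklaces" moment in the author's analogy; a production system would tune the window and threshold per network segment so that legitimate chatty hosts (backup servers, monitoring systems) are whitelisted rather than reported.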
Generation IX Technologies | 1607 Pontius Avenue | Los Angeles, CA 90025 | (310) 477-4441 | support@generationix.com
©2010 Generation IX Technologies. All Rights Reserved.