When it comes to network security, there is far more than the hacker to worry about these days. Mounting security breaches -- from both the inside and the outside -- mean companies had better start taking their network protection seriously.
May 1, 2002
Darren Hamilton of HP Canada Ltd. calls it a daunting cat-and-mouse game. Gartner Group research director Anthony Allan describes it as a balancing act that should involve people, processes and technology. Nick Hutton, a consultant with WorldCom Corp., refers to it simply as the issue that will never go away.
The subject is network security, a state of mind the Yankee Group considers a “reactive process of identifying policies, procedures, vulnerabilities and threats” in order to ensure a secure operating environment. The problem is that, in spite of the rising number of security breaches (from both the inside and outside), the technological breakthroughs, and the years of evangelizing by vendors and analysts about the need to get protected, an inordinate number of organizations still don’t get it.
As an example, an Ernst & Young survey released in February contained sobering statistics about the state of network security readiness in Canada. Sixty-five per cent of the 80 CEOs and CIOs from leading companies across the country admitted that even though it was critical that systems be restored within 24 hours in the event a security breach occurred, they simply could not do it.
The flip side was that most of those surveyed remained confident that their systems were secure and the likelihood of a major disruption minimal. Eighty-three per cent of respondents believed the information stored and transmitted on their systems via the Internet and on LANs was secure, yet 25 per cent had no disaster recovery plan.
The results worry Bill Demers, Ernst & Young’s Canadian leader for e-business. “We have to question how accurately businesses are perceiving system security risk and how adequately they are guarding against it,” he says. “We were very concerned by the percentage of businesses that have no plans in place to deal with a disruption of their technology systems, Web-based or otherwise.”
“A particular company may be justifiably confident in the security of its own systems. But business leaders need to understand that the other organizations they are connected to — those that enable their business — can also disable their business. [This] ‘it won’t happen to me thinking’ needs to be replaced by it may happen to me and it will happen to one of my business partners.”
Getting to the point where a company has a sound network security strategy should not start with the installation of state-of-the-art firewalls or bullet-proof encryption software, but something that takes only time and no capital. It is called a policy statement and, according to Hutton, any organization that doesn’t have one in place before an installation begins is making a big mistake.
It doesn’t matter if the policy is posted electronically on a corporate intranet or put in three-ring binders. What does matter is that it become required reading by every staff member with access to a computer. It should also cover a range of issues, such as what constitutes acceptable use of a system, when can it be used, the type of system monitoring procedures that are in place, what access rights are granted to different departments and user groups, and what is the best way to respond to a suspected security breach.
“[It] will help with internal education,” wrote Hutton in a WorldCom white paper released this year. “Experience tells us that when we impose draconian restrictions upon bright individuals they will usually find a work-around. All the effort to define and implement corporate security will be for nothing without the cooperation of your staff.”
The assumption here is that staff members disgruntled enough to purposely do some damage have become as prevalent these days as the hackers on the outside roaming through cyberspace. And while external denial-of-service attacks are generally well-publicized, organizations tend not to issue a press release when one of their employees crashes a system, or worse, destroys or steals valuable data.
HOW MUCH IS ENOUGH?
That network security has become a war on two fronts is one of the greatest challenges facing organizations today. As Hutton points out: “There is no such thing as perfect security. Every network or system that connects to the Internet is, to a greater or lesser extent, vulnerable. To benefit from the Internet you have to become part of it. The question is how far do you allow this integration to progress?”
Gartner Group’s Allan agrees, saying that while perfect security is impossible, enterprises should aim to provide a level of security appropriate to their business and operation needs. “Security is achieved by a balanced focus on three factors: people, processes and technology,” he says. “It can’t be attained by focusing on any one of these factors to the exclusion of the others.”
Any enterprise that wants to make significant improvements in security must take a broad view of its information assets and understand their value, and the threats and vulnerabilities to, and of, these assets, he says.
In an executive overview entitled Why Networks Must Be Secured, Cisco Systems Inc. suggests that without proper protection, any part of any network can be susceptible to attacks or unauthorized activity. “Routers, switches and hosts can all be violated by professional hackers, company competitors or even internal employees. In fact, according to several studies, more than half of all network attacks are waged internally. To determine the best ways to protect against attacks, IT managers should understand the many types of attacks that can be instigated and the damage that these attacks can cause.”
Hamilton, category business manager for networking and storage at HP Canada, says that the initial goal should be to keep out the “99.9 per cent” of people that may attempt to infiltrate an organization’s network. That is especially true now that critical data, which may have once sat in a locked filing cabinet or standalone PC, must be made readily available for people who have become used to accessing information anytime and anywhere.
The good news, he says, is that organizations no longer need to worry about securing as many access points (i.e., Internet connections, leased lines, dial-up lines) into a network, as “those access points to the world are converging.”
That’s not to say it isn’t a complex and daunting task. But according to Hamilton, the basic rule is to secure a system to the point where “you feel you have everything engaged.”
James Teel, senior director of 3Com Corp.’s Security Solutions Business Management division, says the big issue today is that organizations have to perform a balancing act of attempting to remain profitable during “challenging economic times,” while at the same time addressing various security needs. “My belief is that they’re prioritizing these things,” he says. “They may be hitting the top one or two priorities and the rest they pick up when they can.”
Ken Nishidera, product manager of managed network services for the Canadian operation of AT&T Global Network Services, adds that the key to a sound network security strategy is understanding what resources “you have in your environment, what has to be protected, and who can get to where.”
Having a solid network security strategy is critical in a wired environment, and even more so with wireless LANs (WLANs), where the “Swiss cheese” theory still prevails despite advancements such as the recently announced fix to the much-maligned Wireless Equivalent Privacy (WEP) standard.
WEP, which outlined how data should be encrypted on the IEEE 802.11 wireless LAN, looked to be the Holy Grail until it was discovered that it was vulnerable to attack. In a statement announcing a fix to the problem, RSA Security Inc. and Hifn Inc., two companies that sat on the WEP committee, said it was implemented in a way that makes it vulnerable to attack.
The companies said this poses serious risk for businesses that have deployed WLANs because any confidential data that is flowing over these networks can be compromised or exposed.
CABLING IS KEY
game is being played, a sound network security strategy revolves around having the right topology, technology and structured cabling design in place. R.A. Duff & Associates Inc., a security and electrical engineering consulting firm based in Victoria, B.C., says structured cabling can bring many tangible benefits to a security manager.
The company suggests installing field devices using standard jacks and plugs, testing all field wiring using standard cable tests, and organizing communications closets using BIX blocks and/or patch panels. By using an organized approach to security installations, it says, long-term maintenance and troubleshooting of security networks will be improved.
“Structured cabling systems provide more flexibility for the carrying of data, and they also include a broad range of tools to organize and increase the efficiency of networks,” according to a company report. “This includes standards for cabling based on the data being transmitted, patch panels to terminate cables in closets, standard tests to verify cables and a broad range of termination for field devices.”
From both a cabling and hardware perspective, it is critical that any organization’s communications room is well protected. Since this is the nerve centre in which everything from data routers and switches to hubs and firewalls is housed, keeping this equipment out of the hands of a disgruntled employee intent on doing some damage is a must.
Communications rooms, says Wayne Burnstad, senior security project manager at R.A. Duff, need to be secured in some form or another, whether it’s a simple monitoring of the door, access control, cameras, or all of the above. In terms of the cabling itself, he says “when it leaves the room” it should either be in conduit or cable tray, although for additional protection, covered and closed cable trays can be used.
Once that job is done, there is the issue of what type of firewall to install. According to WorldCom’s Hutton, several factors need to be considered when choosing a firewall solution that is right for you, including the longevity of the vendor.
Bill Simpson, director of marketing for Borderware Technologies Inc., a Toronto-based firewall and network security vendor, says that firewalls are as much about securely enabling access as they are about denying access. Because of that, they should be treated with the utmost respect. “The fundamentals of a network have to be addressed properly,” he says. “As far as the cabling goes, an enterprise firewall system is going to set a company back around $20,000 and then it has to be administered and supported. There’s not much to be gained by low-balling on hubs, switches and cabling.”
In terms of advancements, the next big wave is expected to be the distributed or embedded firewall, an initiative first introduced by 3Com and Secure Computing Corp. last year. Designed to thwart threats from both the outside and inside, 3Com says the embedded firewall “breaks the attack chain” by preventing the intruder from ever sniffing passwords or reaching the sensitive servers.
Leveraging technology from Secure Computing, firewalls are placed at desktops, workstations and servers within the network. The offering also consists of software that can be securely downloaded into an NIC from a “Policy Server” that provides all of the user interface, policy management, NIC group management and audit database functions.
John Pescatore, Vice-President and research director at Gartner, views distributed firewalls as “an important” new piece of security, as organizations of all sizes extend their internal networks into extranets in order to conduct e-business. Firewalls, intrusion detection and policy enforcement capabilities on smart network interface cards, he says, will bring security closer to the information that enterprises are trying to protect.
Network security, adds Hutton, is all about balance. “On the one hand you need to provide employees and partners with reasonable access to the information they need,” he says. “On the other, you need to prevent unauthorized access to sensitive data.”
AT&T’s Nishidera agrees, saying it comes down to determining how much security a company needs and wants, and how much money they’re willing to spend.
In the end, it’s really that simple.
Paul Barker, a contributing editor with the Business Information Group, specializes in e-commerce and Internet issues.