Boundaries between the internal and
external network are becoming blurred, providing a substantial challenge
for IT continuity and security. Philippe Langlois explains.
Two seemingly contradictory movements have recently appeared on the
IT landscape. On the one hand, several major corporations are collaborating
in an attempt to remove business barriers like superfluous firewalls
between them. An example is the Jericho Forum, under the auspices
of the UK-based Open Group. Companies such as BP, Royal Mail, and
ICI bring together the latest thinking on user-driven approaches
to security: radical externalisation, boundaryless network security,
and de-perimeterisation.
On the other hand, many large corporations
have begun to implement strict internal partitioning and segmentation,
using appliances such as InterSpect from Check Point and the NetScreen
firewall product line. The main objective of this latter trend is
to prevent internal worm outbreaks due to "network bouncing"
from external DMZ networks to critical innermost network segments.
Though they appear to be heading in different
directions, these two movements actually share the same goal: refining
the granularity of network zone definition in the enterprise network.
There is no external and internal, no black and white, there is
only a spectrum of greys that you now must control much more tightly.
Global opening
The changes in organisation that characterise our current economy
lead to continuous changes in network perimeter definition, firewall
rules and configuration in the large enterprise. From new services
and outsourcing to joint ventures, mergers, and acquisitions, change
is everywhere. Such a dynamic environment encompasses the trend
to deliver Web-based application services using well-known protocols
and technologies like HTTP and SSL. Access control is then established
with authenticated user sessions, letting everyone pass through
the network level with an “open” firewall and blocking
individuals at the application level by means of authentication.
This new approach to application delivery can
be seen at early adopter sites such as Nike and Boeing. Indeed,
Web applications can even provide core services such as SAP ERP
or BMC Remedy Help Desk. The flexibility of such Web applications
motivates the need and the will to open up the company to the external
world. The Jericho Forum strives to encourage this trend, especially
in cases where strong collaboration between different organisations
is required.
The radical security change here is in the
kind of granularity that is needed. Traditionally, a sizable set
of new network services had to be enabled for any rich client to
connect to the application host within the enterprise. Now, with
the explosion of thin client architectures, only Web-based application
services are required, but from multiple origins and within different
networks, defining a more varied set of ‘trust colours’
or ‘trust zones’. The ‘what service do I let in’
question is less important than questions like ‘who do I let
in?’, ‘When should this person be able to connect?’,
and ‘For how long will this rule be valid?’. The difference
is also that the entities allowed in for a particular access will
change over time. It is clear that the challenge for network administrators
and IT security professionals has become a management problem rather
than a technology problem.
Evolving attacks
At the same time, worms and viruses are becoming more sophisticated
and aggressive, propagating rapidly through the network like Code
Red or even worse, Slammer, and using several vectors of infection
like NIMDA or BugBear. Recent outbreaks of internal worm propagation
proved that you cannot expect one zone to be 100 percent trusted.
And the single perimeter defence, even dual-fenced, has been proven
to be useless. For example, the NIMDA worm could infect a vulnerable
Web server, then from its new location on the DMZ, infect some local
Windows share, and jump from host to host to the internal network.
Some industry experts surmised that these worm
outbreaks demonstrate the inadequacy of firewalls. Actually, these
incidents only showed that firewall rules management as it is typically
done is inadequate. In fact, firewalls are specifically needed in
these cases and require tighter configuration to allow only what
is needed for a specific service, a practice also known as ‘deny
by default’. For example, with the NIMDA worm, Web servers
should only be able to receive Web requests and the necessary IP
protocols (DNS requests and response, SSH or FTP incoming connections
for Web content upload, maybe ICMP ‘ping’ for troubleshooting)
and should be prevented from exchanging any other kind of traffic
(including Windows shares, outgoing FTP or SSH) with any other host.
Such a security rule would have prevented mass infection with NIMDA,
confining infection to the DMZ.
There are reasons why basic security principles
such as ‘defence in depth’ and ‘deny by default’
are not applied. Defining such tight security rules for each service
on each firewall is tiring when done by hand, much more tiring than,
say, an ‘allow all’ rule between all internal machines.
Deny by default combined with defence in depth makes firewall administration
much more difficult, even when using the vendor's management client.
This process cannot be done by hand, even with a homogeneous set
of firewalls, due to the number of rules that are needed to correctly
achieve defence in depth.
Everybody likes a ‘once for all’
approach; however, when aiming for tight security, you are going
to allow HTTP on the Cisco border router, then once again only HTTP
on the Check Point corporate firewall, then once again HTTP on the
PIX DMZ firewall. This is only for the Web server and yet, learning
the different configuration dialects and metaphors of each vendor
can cause headaches. You'll likely have several other servers and
traffic types to allow, and the ‘deny by default’ principle
will force you to reconfigure several devices each time a new service
is requested by a user or offered by the company. This dynamic is
not at all in contradiction with the Jericho approach because you
will still enable global access to different ‘grey’
zones of your company, yet you will be in control of what you're
letting through.
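A small model of the deny-by-default policy described in the NIMDA example and of the three enforcement points mentioned above, added here as an example that is not from the article or from Solsoft's products; the zone names, the device topology and the port choices are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    src: str    # source zone
    dst: str    # destination zone
    proto: str  # "tcp", "udp" or "icmp"
    port: int   # 0 for icmp

# Allow list for the DMZ web server, as the article's NIMDA example describes:
# HTTP in, DNS, SSH/FTP in for content upload, ICMP for troubleshooting.
# Zone names and the use of an internal DNS resolver are constructed here.
POLICY = [
    Rule("internet", "dmz", "tcp", 80),
    Rule("internet", "dmz", "tcp", 443),
    Rule("dmz", "internal", "udp", 53),
    Rule("internal", "dmz", "tcp", 22),
    Rule("internal", "dmz", "tcp", 21),
    Rule("internal", "dmz", "icmp", 0),
]

def between(a, b):
    """Both directions of a zone pair that an enforcement point sits on."""
    return {(a, b), (b, a)}

# Assumed topology: which zone pairs each of the three devices enforces.
DEVICES = {
    "cisco_border_router": between("internet", "dmz") | between("internet", "internal"),
    "checkpoint_corporate_fw": between("internet", "dmz") | between("internet", "internal")
                               | between("dmz", "internal"),
    "pix_dmz_fw": between("internet", "dmz") | between("dmz", "internal"),
}

def is_allowed(src, dst, proto, port, policy=POLICY):
    """Deny by default: a flow passes only when an explicit allow rule matches."""
    return Rule(src, dst, proto, port) in policy

def rules_for(device, policy=POLICY):
    """The subset of the global policy that must be pushed to one device."""
    return [r for r in policy if (r.src, r.dst) in DEVICES[device]]

def nimda_hops_blocked():
    """The worm's hops from the compromised DMZ web server (Windows shares on
    tcp/139 and tcp/445, outgoing FTP and SSH) all fall under the default deny."""
    hops = [("dmz", "internal", "tcp", 139), ("dmz", "internal", "tcp", 445),
            ("dmz", "internet", "tcp", 21), ("dmz", "internal", "tcp", 22)]
    return not any(is_allowed(*h) for h in hops)

if __name__ == "__main__":
    for dev in DEVICES:
        print(dev, [f"{r.src}->{r.dst} {r.proto}/{r.port}" for r in rules_for(dev)])
    print("NIMDA hops blocked:", nimda_hops_blocked())
```

Running it shows the same HTTP allow rule landing on all three devices, which is the repetition the paragraph above complains about, while every hop the worm needs stays denied.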
Service oriented architecture (SOA) and network orchestration
We are also migrating toward a network organisation that is increasingly
comparable to organic systems or urbanism. We now speak of ‘urbanising’
an information system by orchestrating Web Services to achieve a
particular business need. In the past you would allow incoming access
from Reuters or other financial data providers through proprietary
or at least specialised protocols; now you can expect to have this
information delivered through .NET remoting, XML-RPC calls, or SOAP.
These new standards are still being defined, and with SOAP for example,
authentication is still most of the time left to the developer as
a (tough) exercise. Thus, Web Service users are often still forced
to rely on source and destination IP addresses to restrict access
to some services, even if it is using an encryption layer such as
SSL for transport.
The access control granularity needed here leads
to a wider variety of trust levels (or shades of grey) instead of
the black/white, internal/external perimeter definition. As we've
seen earlier with the ‘radical externalisation’ or ‘global
opening’ dynamics, SOA promotes a greater opening of the company's
perimeter and, at the same time, requires tighter control of the
network traffic and a finer definition of zones and relationships
between network hosts.
Security governance
As a result, network security practices are changing, but not so
much on the technology side as on the management side. Of course,
nowadays, firewalls have changed: they provide deep packet inspection,
intrusion prevention systems, and stateful inspection. But these
are addressing specific technical problems. What we've seen earlier
is that the number of security rules and the frequency of changes
in your firewall configurations are increasing, driving the need
for new ways to understand and manage your perimeter defence as
well as your internal partitioning, as well as new tools to organise
your security policy definition. This management issue is certainly
the least addressed problem of the firewall market.
As companies begin to tackle the management
problem, the need to deliver is so stringent that the pressure on
security staff can be pretty high. Issues have to be tracked and
to be solved in a timely manner. The organisation of the IT security
group is therefore changing, acting as a service to all company
business units and aligning itself with the business imperatives
of the enterprise. Change management, policy, help desk, and workflow
systems are being integrated to automate the security process and
to enable real security governance.
With these changing conditions in mind, we
have been working to integrate Solsoft Policy Server with help desk,
event correlation engines, network management solutions, and intrusion
detection systems using a Web Service API. The goal of our efforts
is to facilitate a complete and affordable security governance system
where customers can leverage Solsoft’s policy management platform
alongside existing security management solutions, including commercial
products such as BMC Remedy or ArcSight TruThreat, or free open
source software like Request Tracker or SNORT.
Indeed, the variety of Web Services libraries
makes interoperability possible with nearly any kind of IT system,
including billing and request tracking systems. Closing the loop
with the needs of end-users is the only way to have a working security
process and to ensure good security governance. A ticket opened
by an end-user will trigger a chain of events, including firewall
policy modification with Solsoft Policy Server, and will finally
end up back in the help desk or ticketing system to inform the requester.
Without such processes and tools, it is hard to see how network
administrators can keep track of all needs and at the same time
master the ever-changing configurations of new devices (be it command
line languages for routers like Cisco’s or graphical interfaces
for firewalls such as Check Point FireWall-1). Even with the proper
tools, automating security tasks by integrating existing IT management
solutions within the company becomes vital to face the deadlines
and the challenges of the new enterprise organisation.
Philippe Langlois is senior security architect, Solsoft.
Solsoft are exhibiting at Infosecurity
Europe 2004. Now in its 9th year, the show features Europe's most
comprehensive free education programme, and over 200 exhibitors
at the Grand Hall at Olympia from 27th to the 29th April 2004. www.infosec.co.uk

Date: 2nd April 2004. Region: Worldwide. Type: Article. Topic: IT continuity.