LAYERED NETWORK SECURITY:
A best-practices approach
Prepared by:
Mitchell Ashley
VP of Engineering & CIO
Latis Networks, Inc.
January 2003
Reducing your risk has never been this easy.
StillSecure™
White paper
© 2003, Latis Networks, Inc. All rights reserved.
Table of Contents
Introduction ... 2
Increasing the hacker’s work factor ... 2
The layered-security model ... 2
Level 1: Perimeter security ... 3
  Pros ... 3
  Cons ... 3
  Considerations ... 3
Level 2: Network security ... 4
  Pros ... 5
  Cons ... 5
  Considerations ... 5
Level 3: Host security ... 5
  Pros ... 6
  Cons ... 6
  Considerations ... 6
Level 4: Application security ... 6
  Pros ... 6
  Cons ... 6
  Considerations ... 6
Level 5: Data security ... 7
  Pros ... 7
  Cons ... 7
  Considerations ... 7
StillSecure network security products: pillars of the layered approach ... 7
  Border Guard: Protects you from the cost of malicious attacks ... 7
  VAM: Assessment and management that continuously ensures network security ... 8
Defending against common threats and attacks ... 9
Conclusion ... 10
Layered Network Security: A best-practices approach
1 of 10
StillSecure™
About the authors
Mitchell Ashley is Vice President of Engineering and CIO of Latis Networks, Inc. He is responsible for product strategy and development of the StillSecure™ suite of network security software. Mr. Ashley brings to Latis Networks and its customers more than 20 years of experience in data networking, network security and software development. Mr. Ashley is a graduate of the University of Nebraska, with a Bachelor of Science degree in Computer Science and Business Administration.
Latis Networks, Inc.
361 Centennial Parkway
Suite 270
Louisville, CO 80027
P: [303] 381-3800
F: [303] 381-3880
www.stillsecure.com
© 2002-2003 Latis Networks, Inc. All rights reserved. Latis, the Latis logo, StillSecure and the StillSecure logo are trademarks of Latis Networks, Inc. All other trademarks are the property of their respective owners. The products and services listed may not be available in all regions.
INTRODUCTION
Network security is now a mission-critical concern for enterprises, government agencies, and organizations of all sizes. Today’s advanced threats from cyber-terrorists, disgruntled employees, and hackers demand a methodical approach to network security. In many industries enhanced security is not an option — it’s mandatory. Recently enacted federal regulations require organizations such as financial institutions, health care providers, and key federal agencies to implement stringent security programs to protect digital assets.
This paper introduces you to a layered approach for securing your network. The layered approach is both a technical strategy, espousing that adequate measures be put in place at different levels within your network infrastructure, and an organizational strategy, requiring buy-in and participation from the board of directors down to the shop floor.
The layered-security approach centers on maintaining appropriate security measures and procedures at five different levels within your IT environment:
1. Perimeter
2. Network
3. Host
4. Application
5. Data
In this paper, we’ll define each of these levels and provide an overview of the various security measures that operate on each. Our goal is to provide a foundation-level understanding of network security and suggest a best-practices approach to protecting digital assets. Our target audience includes IT professionals, business managers, and high-level decision-makers.
Protecting your proprietary information does not require magic or unlimited funds. With an understanding of the overall problem, creating both a strategic and tactical security plan can be a straightforward exercise. Furthermore, with the best-practices approach introduced in this paper, you can erect effective barriers without breaking your budget.
INCREASING THE HACKER’S WORK FACTOR
Network security professionals speak in terms of “work factor,” which is an important concept when implementing layered security. Work factor is defined as the effort required by an intruder to compromise one or more security measures, which in turn allows the network to be successfully breached. A network with a high work factor is difficult to break into, while a network with a low work factor can be compromised relatively easily. If hackers determine that your network has a high work factor, which is a benefit of the layered approach, they are likely to move on and seek networks that are less secure — and that’s exactly what you want them to do.
The security technologies discussed in this paper collectively represent a best-practices approach for securing your digital assets. In an ideal world you would have the budget and the resources to implement all the measures we discuss. Unfortunately, most of us don’t live in an ideal world. As such, you should evaluate your network — how it is used, the nature of the data stored, who requires access, its rate of growth, etc. — and then implement a blend of security measures that provides the highest level of protection given your available resources.
THE LAYERED-SECURITY MODEL
Figure 1 presents the layered-security model and some of the technologies that function at each level. These technologies are discussed in more detail in the sections that follow.
Figure 1. The security levels in the layered approach and the technologies that function on each.
Security level | Applicable security measures
1. Perimeter | Firewall; Network-based anti-virus; VPN encryption
2. Network | Intrusion detection/prevention system (IDS/IPS); Vulnerability assessment (VA) tools; Access control/user authentication
3. Host | Host IDS; Host VA; Anti-virus; Access control/user authentication
4. Application | Host IDS; Host VA; Access control/user authentication; Input validation
5. Data | Encryption; Access control/user authentication
LEVEL 1: PERIMETER SECURITY
The perimeter is the first line of defense from outside, untrusted networks. The perimeter acts as the first and last point of contact for security defenses protecting the network. It is the area where your network ends and the Internet begins. The perimeter consists of one or more firewalls and a set of strictly controlled servers located in a portion of the perimeter referred to as the DMZ (demilitarized zone). A DMZ typically contains the Web servers, email gateways, network anti-virus, and DNS servers that must be exposed to the Internet. The firewall has strict rules about what can enter the inside network as well as rules about how servers in the DMZ can interact with the Internet and the inside network.
The network perimeter, in short, is your gateway to the outside world and, conversely, the outside world’s gateway to your network. A compromised network perimeter can cripple your ability to conduct business. For example, if your organization relies on your Web servers for revenue generation, and those servers have been hacked and are off-line, you lose money for every minute they are down.
The following technologies provide security at the network perimeter:
• Firewall — A firewall is typically installed on a server connected to the inside and the outside of the network perimeter (see Figure 2). A firewall performs three general functions: 1) traffic control, 2) address translation, and 3) VPN termination. The firewall performs traffic control by examining the source and destination of all incoming and outgoing network traffic; it ensures that only permissible requests are allowed through. Additionally, firewalls help secure the network by translating internal IP addresses to IP addresses that are visible to the Internet. This prevents the disclosure of critical information about the structure of the network inside the firewall. A firewall can also terminate VPN tunnels (discussed below). These three capabilities make a firewall an indispensable part of your network security.
• Network-based anti-virus — Installed in the DMZ, network-based anti-virus software compares incoming and outgoing email message content to a database of known virus profiles. Network-based anti-virus products block infected email traffic by quarantining suspicious and infected email messages and then notifying recipients and administrators. This prevents email infected with a virus from entering and spreading across your network, and it prevents your network from spreading virus-infected email. Network-based anti-virus is a complement to anti-virus protection performed on your email server and individual desktop computers. To work effectively, the database of known viruses must be kept up to date.
• VPN — A virtual private network (VPN) uses high-level encryption to create a secure connection between remote devices, such as laptops, and the destination network. It essentially creates an encrypted ‘tunnel’ across the Internet, approximating the security and confidentiality of a private network. A VPN tunnel can terminate on a VPN-enabled router, firewall, or server within the DMZ. Enforcing VPN connections for all remote and wireless network segments is an important best practice that is relatively easy and inexpensive to implement.
PROS
These well-established perimeter-level technologies have been available for many years, and most IT professionals are well acquainted with their capabilities and operational requirements. Therefore, they are relatively straightforward and cost-effective to implement. A range of vendors offer solid solutions for these technologies, and most are reasonably priced.
CONS
Because these systems are quite basic and have been available for some time, most sophisticated hackers have figured out ways around them. An anti-virus tool, for example, cannot detect a virus unless it already has that virus’s signature, and it cannot detect a virus that is embedded within an encrypted file. Although VPN provides effective encryption, it does impose an administrative burden on your IT staff, as encryption keys and user groups must be managed on an ongoing basis.
CONSIDERATIONS
The complexity of your network architecture can have a considerable impact on the effectiveness of these technologies. Multiple external connections, for example, would likely require multiple firewalls and anti-virus instances. Architecting all of your connections to terminate in a common area allows a single instance of a given technology to provide effective coverage.
Figure 2. A typical firewall installation.
The types of devices located in your DMZ are also an important factor. How critical are these devices to your business? The higher the criticality, the more stringent the security measures and the policies that govern these devices must be.
LEVEL 2: NETWORK SECURITY
The network level of the layered-security model refers to your internal LAN and WAN. Your internal network may include desktops and servers or may be more complex with point-to-point frame relay connections to remote offices. Most networks today are fairly open behind the perimeter; once inside, you can travel across the network unimpeded. This is especially true for most small- to medium-size organizations, which makes them tempting targets for hackers and other malicious individuals.
The following technologies provide security at the network level:
• Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) — IDS and IPS technologies analyze traffic moving across your network in much greater detail than your firewall. Similar to anti-virus systems, IDS and IPS devices analyze traffic and compare each packet to a database of known attack profiles. When attacks are detected, these technologies take action. IDS tools alert your IT staff that an attack has occurred; IPS tools go a step further and automatically block the harmful traffic.
IDSs and IPSs have many characteristics in common. In fact, most IPSs have an IDS at their core. The key difference between the technologies is implied by their names: IDS products only detect malicious traffic, while IPS products prevent such traffic from entering your network. Standard IDS and IPS network configurations are shown in Figure 3.
Figure 3. Typical IDS/IPS installations (panels: intrusion detection system (IDS); intrusion prevention system, out-of-band configuration; intrusion prevention system, in-line configuration).
• Network vulnerability assessment (VA) — VA tools scan devices on a network for flaws and vulnerabilities that could be exploited by hackers or harmful traffic. VA systems typically maintain a database of rules that identify known vulnerabilities for a range of network devices and applications. During a network scan, the VA tool tests each device/application by applying the appropriate rules. The process outputs a list of discovered vulnerabilities, which can then be assigned to IT staff for remediation.
• Access control/authentication — Access control entails authenticating users who access your network. Authentication is typically performed against the user information in a RADIUS, LDAP, or Windows Active Directory. Both users and devices should be controlled by access control measures at the network level.
Note: In this paper we discuss access control and authentication at the network, host, application, and data levels of our layered security framework. A considerable amount of overlap and interaction commonly exists among the access control/authentication schemes that function across these levels, and authentication can be passed from one level to the next. Such interaction is usually transparent to the user. While we discuss these concepts briefly in upcoming sections, keep in mind that access control and authentication are sophisticated processes that should be carefully managed to provide maximum security throughout the network.
PROS
IDS, IPS, and VA technologies perform sophisticated analyses on network threats and vulnerabilities. Where your firewall allows or disallows traffic based on its ultimate destination, IPS and IDS tools conduct a much deeper analysis and, therefore, provide a higher level of protection. With these advanced technologies, attacks embedded in ‘legitimate’ network traffic, which can get through a firewall, will be identified and potentially terminated before damage occurs.
VA tools automate the process of checking your network for vulnerabilities. Performing such checks manually — with the frequency required to ensure security — would be highly impractical. Also, networks are dynamic. New devices, application upgrades and patches, and adding and removing users can all introduce new vulnerabilities. VA tools allow you to scan your network frequently and thoroughly for newly introduced vulnerabilities.
CONS
Intrusion detection systems (IDSs) have a tendency to produce numerous false alarms, also referred to as false positives. While an IDS will likely detect and alert you to an attack, such information could be buried under a mountain of false-positive or trivial data. IDS administrators can quickly become desensitized to the sheer volume of data produced by the system. To be effective, an IDS must be closely monitored and continually fine-tuned to the usage patterns and vulnerabilities discovered in your environment. Such maintenance typically consumes a fair amount of administrative resources.
The level of automation within intrusion prevention systems (IPSs) can vary significantly among products. Many must be carefully configured and managed to reflect the traffic patterns characteristic of the network on which they are installed. Possible side-effects of non-optimized performance include terminating legitimate user requests and locking out valid network resources.
Access control technologies may have technical limitations. For example, some may not work with all the devices on your network, so you may need multiple systems to provide the necessary coverage. Also, multiple vendors market access control systems, and functionality can vary greatly among products. Implementing an integrated solution across your network may be difficult. Such a patchwork, multi-product approach may actually introduce additional vulnerabilities to your network.
CONSIDERATIONS
The success of network-level security measures is somewhat dependent on the speed of your internal network connections. Because IDS/IPS and VA tools can consume resources on the networks they protect, increased connection speeds will minimize the impact they have on overall network performance. In implementing these technologies you must consider the trade-off between improved security and ease of use, as many of these products must be continually managed to perform effectively, and they may make it less convenient to move around on the network.
Keep in mind the ongoing evolution of your network when assessing these technologies. Scalability may be an issue on rapidly expanding and highly dynamic networks.
LEVEL 3: HOST SECURITY
In the layered-security model, the host level pertains to the individual devices, such as servers, desktops, switches, routers, etc., on the network. Each device has a number of configurable parameters that, when set inappropriately, can create exploitable security holes. These parameters include registry settings, services (applications) operating on the device, and patches to the operating system or important applications.
The following technologies provide security at the host level:
• Host-based intrusion detection systems (IDSs) — Host-based IDSs perform similarly to network IDSs — the key difference being that they monitor traffic on a single network device. Host-based IDSs are fine-tuned to the specific operational characteristics of the host device and therefore provide a high degree of protection when properly administered.
• Host-based vulnerability assessment (VA) — Host-based VA tools scan a single network device for security vulnerabilities. Host-based VA tools are fine-tuned to the devices they monitor. They are extremely accurate and make minimal demands on the host’s resources. Because they are configured specifically for the host device, they provide an excellent level of coverage when properly administered.
• Anti-virus — Device-specific anti-virus applications provide an additional layer of protection when used in conjunction with network-based anti-virus tools.
• Access control/authentication — Access control measures at the device level are a best practice that ensures device access is granted to authorized users only. Again, there is likely to be a high level of interaction between network access-control measures and host access-control measures.
PROS
These host-based technologies provide excellent protection because they are configured to meet the specific operational characteristics of a single device. Their accuracy and responsiveness to the host environment allow administrators to quickly identify which device settings require updating to ensure secure operation.
CONS
Host-based systems can be extremely time-consuming to deploy and manage. Because they need to be continually monitored and updated, they often consume an inordinate number of man-hours to manage properly. Installation is often difficult, and a considerable effort is often required to fine-tune them to the host device. Also, the more operating systems you have on your network (i.e., the more heterogeneous the network), the more expensive a host-based approach becomes, and the more difficult these devices are to manage. Also, with a large number of host-based security devices on a network, the number of alerts and false positives can be enormous.
CONSIDERATIONS
Because of their expense and administrative overhead, host-based devices should be deployed judiciously. Many organizations install these measures only on the ‘crown jewels’ of their network.
LEVEL 4: APPLICATION SECURITY
Application-level security is currently receiving a great deal of attention. Poorly protected applications can provide easy access to confidential data and records. The hard truth is that most programmers don’t code with security in mind. This is a historical problem with many commercial off-the-shelf (COTS) applications. You may become aware of security shortcomings in the software, yet you may be powerless to correct them.
Applications are being placed on the Web for access by customers, partners or even remote employees with increasing frequency. These applications, such as sales force, customer relationship management, or financial systems, can provide a ready target to individuals with malicious intent. Therefore, it is especially important to impose a comprehensive security strategy for each network application.
The following technologies provide security at the application level:
• Application shield — An application shield is frequently referred to as an application-level firewall. It ensures that incoming and outgoing requests are permissible for the given application. Commonly installed on Web servers, email servers, database servers, and similar machines, an application shield is transparent to the user but highly integrated with the device on the backend. An application shield is finely tuned to the host device’s expected functionality. For example, an application shield on an email server would likely be configured to prohibit an incoming mail message from automatically launching any executables, because that is not a typical or necessary email function.
• Access control/authentication — Like network- and device-level authentication, only authorized users are able to access the application.
• Input validation — Input validation measures verify that application input traveling across your network is safe to process. Although this is crucially important for Web-based input, any interaction between people and a user interface can produce input errors or be exploited if the proper security measures are not in place. In general, any interactions with your Web server should be considered unsafe.
As an example, consider a Web form with a zip code field. The only acceptable input from this field should be five characters, digits only. All other input should be denied and produce an error message when submitted. Input validation should occur at multiple levels. In this example, JavaScript could initially perform browser-based validation on the client side, while CGI-bin validation controls could be put in place on the Web server. Additional rules of thumb include:
– Filter key words. Common command-related terms, such as “insert,” should be checked for and prohibited.
– Only accept data that’s expected for a given field. For example, a 75-character first name is not standard input.
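The zip-code check and the two rules of thumb above, worked through as an added example that is not part of the original paper: an allowlist validator written so the same module can run in the browser before the form is sent and again on the Web server, which is the multi-level validation the paper recommends. The field names, length limits and sample submissions are assumptions.

```javascript
// Added example, not from the Latis Networks paper. Field names, limits and
// the sample submissions are assumptions chosen to match the paper's
// zip-code and 75-character-name examples.

// Allowlist rules: describe exactly what each field may contain. Anything
// that does not match is rejected, instead of trying to enumerate bad input.
const FIELD_RULES = {
  // Zip code: exactly five characters, digits only.
  zip: { pattern: /^[0-9]{5}$/, maxLength: 5 },
  // First name: letters plus space, apostrophe and hyphen, at most 40 chars,
  // so a 75-character "name" is refused on length alone.
  firstName: { pattern: /^[A-Za-z][A-Za-z' -]*$/, maxLength: 40 },
  // Free-text comment: printable ASCII and line breaks, bounded in length.
  comment: { pattern: /^[\x20-\x7E\r\n]*$/, maxLength: 500 },
};

// Command-related words the paper suggests filtering in free text. This is a
// secondary, defence-in-depth check: the allowlist above is the primary
// control, and database access must still use parameterised queries.
const BLOCKED_KEYWORDS = new Set(["insert", "update", "delete", "drop"]);

// Validate one field. Returns null when the value is acceptable, otherwise a
// short message that is safe to show back to the user.
function validateField(name, value) {
  const rule = FIELD_RULES[name];
  if (!rule) return `${name}: unexpected field`;
  if (typeof value !== "string") return `${name}: must be text`;
  // Check length before the pattern so oversized input is cheap to reject.
  if (value.length > rule.maxLength) {
    return `${name}: longer than ${rule.maxLength} characters`;
  }
  if (!rule.pattern.test(value)) return `${name}: invalid format`;
  return null;
}

// Keyword filter for free-text fields: whole words only, case-insensitive,
// so "inserted" is not rejected but "insert" is.
function containsBlockedKeyword(text) {
  return text.toLowerCase().split(/[^a-z]+/).some((w) => BLOCKED_KEYWORDS.has(w));
}

// Validate a whole submission. Every defined field is required; fields the
// form never defined are reported rather than silently passed through.
// Returns { ok: boolean, errors: string[] }.
function validateForm(submission) {
  const errors = [];
  for (const name of Object.keys(submission)) {
    if (!(name in FIELD_RULES)) errors.push(`${name}: unexpected field`);
  }
  for (const name of Object.keys(FIELD_RULES)) {
    const value = name in submission ? submission[name] : "";
    const err = validateField(name, value);
    if (err) {
      errors.push(err);
    } else if (name === "comment" && containsBlockedKeyword(value)) {
      errors.push(`${name}: contains a prohibited keyword`);
    }
  }
  return { ok: errors.length === 0, errors };
}

// Server-side use: the request body is validated again with the identical
// rules, because a browser-side check only improves the user's experience;
// the server cannot assume the browser ran it. Hypothetical handler shape.
function handleSubmission(body) {
  const result = validateForm(body);
  if (!result.ok) return { status: 400, body: { errors: result.errors } };
  return { status: 200, body: { message: "accepted" } };
}

// Constructed sample submissions (not from the paper).
const GOOD_SUBMISSION = {
  zip: "80027",
  firstName: "Mitchell",
  comment: "Please send the white paper.",
};
const BAD_SUBMISSION = {
  zip: "8002A",                 // five characters, but not all digits
  firstName: "a".repeat(75),    // the paper's 75-character name
  comment: "insert this record", // filtered keyword
  extra: "x",                   // field the form never defined
};
```

In the browser the same `validateForm` would be called from the form's submit handler; on the server it is called on the parsed request body, and only the server's answer is trusted.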
PROS
Application-level security measures enhance your overall security posture and allow you to better control your applications. They also provide a higher level of accountability, as many of the actions monitored by these measures are logged and traceable.
CONS
Implementing comprehensive application-level security can be an expensive endeavor, as each application and its host device must be assessed, configured, and managed individually. Also, retrofitting a network with application security can be a daunting and impractical task. The earlier you can implement policies for incorporating these measures, the more efficient and less expensive the process will be.
CONSIDERATIONS
The key considerations are prioritizing your applications and planning for the long term. Implement security on the applications where you’ll get the most bang for your buck. Long-term planning allows you to implement security measures in a controlled way as your network grows and avoids the additional expenses that retrofitting will likely require.
LEVEL 5: DATA SECURITY
Data-level security entails a blend of policy and encryption. Encrypting data where it resides and as it travels across your network is a recommended best practice because, if all other security measures fail, a strong encryption scheme protects your proprietary data.
Data security is highly dependent on organization-wide policies that govern who has access to data, what authorized users can do with it, and who has ultimate responsibility for its integrity and safekeeping. Determining the owner and the custodian of the data lets you identify the appropriate access policies and security measures that should be applied.
The following technologies provide security at the data level:
• Encryption — Data encryption schemes are commonly implemented at the data, the application, and the operating-system levels. Almost all schemes involve encryption/decryption keys that all parties accessing the data must have. Common encryption strategies include PKI, PGP, and RSA.
• Access control/authentication — Like network-, host-, and application-level authentication, only authorized users are given access to the data.
PROS
Encryption provides a proven method for safeguarding your data. Should intruders compromise all other security measures on your network, encryption provides a final, effective barrier protecting your proprietary information and intellectual property.
CONS
There is overhead associated with encrypting and decrypting the data, which can result in significant performance impacts. Also, key management can become an administrative burden in large or growing organizations.
CONSIDERATIONS
In-depth data encryption must be carefully managed. Encryption keys must be set and synchronized for all affected devices and applications. As such, a fair amount of management overhead is required for an effective encryption program.
STILLSECURE NETWORK SECURITY PRODUCTS: PILLARS OF THE LAYERED APPROACH
Latis Networks’ StillSecure line of network security products can provide the foundation for an effective layered-security approach. The StillSecure line includes:
Border Guard — a highly automated, user-friendly family of network intrusion prevention products.
VAM — a family of network-based vulnerability assessment tools that bring workflow management to the remediation process.
If you currently have security measures in place on your network, StillSecure products leverage your existing security investments and greatly enhance your overall security. If you have little or no network security in place, StillSecure products provide immediate security and give you a running start on building a comprehensive layered-security system. The following sections introduce you to these best-of-breed products.
BORDER GUARD: Protects you from the cost of malicious attacks
Latis Networks developed the StillSecure Border Guard family of IPS products to protect networks from attack and, through a high level of automation, reduce the IT resources required to operate a secure network. Operating on both the perimeter and the network levels of the layered security model, the Border Guard family can protect a variety of network architectures and includes:
Border Guard Standard — Border Guard Standard works in concert with your existing firewall to block attacks.
Border Guard Gateway — Border Guard Gateway, which has traffic-blocking functionality built in, is ideal for perimeter defense and for securing traffic behind the firewall, such as extranet connections to satellite offices and suppliers.
Border Guard Wireless — Border Guard Wireless is designed specifically for wireless networks. It prevents intruders from compromising your network through notoriously insecure wireless access points.
Border Guard products plug the most dangerous security holes on your network. Each product:
• Automatically blocks incoming attacks using Dynamic Attack Suppression™ technology, which reduces IT man-hours spent on security and protects your network 24/7/365.
• Includes automatic rule updates, ensuring protection and eliminating the need to manually research and integrate the latest attack profiles.
• Learns to gauge the response to suspicious traffic, greatly reducing the number of false positives.
• Provides detailed reporting to satisfy management and auditors.
• Employs an easy-to-use, entirely Web-based interface.
Figure 4 shows how Border Guard products are typically installed.
With attack rules that can be updated as frequently as every hour, Border Guard products stop even the latest attacks. Through Intelligent Attack Profiling™, each Border Guard installation characterizes the traffic moving across the network and learns how to best respond to anomalous patterns — by terminating the traffic, sending alerts, or allowing access. As a result, false positives are greatly reduced and the need for manual interaction is minimized. When interaction is required, Border Guard products can notify you via email or pager, send an SNMP trap or execute a custom script. This level of automation dramatically reduces the administrative burden on your IT staff.
Each product includes a robust database that logs all network
activity, and the built-in, drill-down reporting engine offers a
wide range of customizable, actionable reports. The products’
at-a-glance, Web-based interface is managed by the StillSecure
Console, which lets you control all instances of Border Guard
products installed on your network from a single user interface.
VAM: Assessment and management that continuously ensures network security
Latis Networks developed its VA tool, VAM (Vulnerability
Assessment and Management) to not only identify all network
vulnerabilities, but to manage and validate the vulnerability
repair process as well. VAM comprises three integrated products:
Server VAM — scans servers, routers, switches, and firewalls.
Desktop VAM — scans for vulnerabilities specific to desktops,
laptops, and printers.
Remote VAM — scans Internet-visible servers, routers, switches,
and firewalls.
Collectively, VAM products assess and manage vulnerabilities on
all segments of your network. Figure 6 shows a typical VAM
installation. Each VAM product includes:
• Exclusive Intelliscan™ technology, which automatically determines which scan rules are appropriate for each device.
• The built-in VAM Vulnerability Repair Workflow™.
• Automatic scan rule updates.
• Variable scanning frequency based on device importance.
• Detailed reporting to meet the needs of IT staff, management, and auditors.
• Easy-to-use, entirely Web-based interface.
VAM effectively addresses many of the threats that the firewall
is incapable of detecting. Through its regularly scheduled and
automated scanning process, VAM identifies any vulnerabilities
introduced by mobile devices or through risky practices such as
application downloads, instant messaging, and peer-to-peer
connections. It also scans for vulnerabilities inherent in third-party
applications, which hackers readily seek to exploit.
VAM’s comprehensive vulnerability database, which can be updated
automatically as often as every hour, enables the system’s depth
and flexibility of scanning. This library of scan rules includes
research and advice to help you determine how to repair specific
vulnerabilities.
The VAM built-in Vulnerability Repair Workflow tracks and
assigns security vulnerabilities from identification to repair, ensuring
accountability in the repair process. It makes remediation an integral
part of the vulnerability assessment. For your IT staff, VAM allows
for a variety of access privileges based upon a user’s role relative to
the detection, repair, and verification process.
VAM logs all scan and repair activities, and includes a comprehensive
reporting engine that delivers customizable reports appropriate
to specific audiences — board members, auditors or regulators,
executives or fellow IT professionals. VA tools have traditionally
been seen as one-dimensional products used and understood only
by network specialists. Server VAM introduces much-needed management
tools to VA technology, transforming VA from a solely
technical process to a business process vital to an organization’s
success.
Figure 4. Typical Border Guard product installations. (Diagram residue: Standard units inside and outside the firewall and at a remote office; a Wireless Gateway unit on the wireless network.)
(Figure 7 row labels, common network attacks: Web server attacks; Unauthorized Internet mail relaying; System-level remote host compromise; Unauthorized P2P / IM usage; Unauthorized Internet services available; Virus detection.)
DEFENDING AGAINST COMMON THREATS AND ATTACKS
Figure 6 demonstrates how the layered-security approach protects
against common threats and attacks. The figure shows how each
level plays a key role in contributing to comprehensive, effective
network security. The shaded regions indicate where Border Guard
and VAM products function in the layered-security model. The
common threats presented in Figure 6 include:
• Web server attacks — Web server attacks encompass a wide
variety of problems with nearly every Web server available.
From simple page defacement, to remote system compromise, to
a complete denial of service (DOS), Web server attacks are one
of the most common attacks today. Code Red and Nimda are well
known Web server attacks.
Figure 6. A typical StillSecure VAM installation. All three VAM products can be installed on a single machine and managed from one user
interface. The shading indicates the coverage each VAM product provides.
Figure 7. Each level contributes to the security of your network. Functioning on levels 1 to 4, StillSecure products defend against
these common threats and others, as the shaded regions indicate.
(Figure 7 residue. Columns: Border Guard Wireless; VAM (Server, Desktop, Remote). Rows: 1. Perimeter, 2. Network, 3. Host, 4. Application, 5. Data. Legend: P = Prevents, Border Guard prevents the attack; D = Detects, VAM detects the enabling vulnerability and prevents attack through remediation.)
• Unauthorized Internet mail relaying — Improperly configured Internet email servers are a common cause of email spam. Many spam-generating companies specialize in finding these servers and send hundreds if not thousands of spam messages through them.
• System-level remote host compromise — A number of vulnerabilities provide an attacker with [...] control is at the system level, giving the attacker the same privileges as the local system administrator.
• Unauthorized P2P / IM usage — Most corporations have in place an acceptable-use policy that prohibits the use of peer-to-peer (P2P) applications as well as instant messaging (IM) applications. Each type of application poses various significant threats to the corporation such as remote exploitation of [...] IM application itself, or improper allocation of corporate resources in regard to the bandwidth being used.
• Unauthorized Internet services available — The ability to easily deploy a Web server or other Internet service on one’s desktop poses a potential threat due to the risk of unintentional information disclosure. Often such services go undetected, all the while operating under the radar of most organizations.
• Virus activity detection — While anti-virus (A/V) software is particularly adept at detecting viruses, A/V software is not designed to detect virus activity. Be it a new service available for remote control or an active process searching for other hosts to detect, a network IDS deployment is well suited to detect this type of activity.
CONCLUSION
Hackers and cyber terrorists are launching network attacks with increasing frequency and sophistication. The traditional approach to security — namely a firewall combined with an anti-virus — is incapable of protecting you from today’s advanced threats. You can, however, erect a formidable [...] by implementing network security using a layered approach. By selectively installing security measures on five levels within your network environment (perimeter, network, host, application, and data), you can adequately protect your digital assets and greatly reduce your exposure to a catastrophic network breach. Latis Networks’ StillSecure line of intrusion prevention and vulnerability assessment products [...] which an effective layered security strategy can be erected.