By Orcun Tezel
Advanced network security solutions are now being deployed as much for sophisticated policy enforcement as external attack prevention. This is, of course, a natural extension of what network security products have always been designed to do: ensuring that only legitimate network packets reach only appropriate destinations in the network. What constitutes legitimate network activity, however, is becoming increasingly complex, reflecting more sophisticated policies, business initiatives, and compliance requirements that are stretching the capabilities of today’s enterprise networks. As a result, organizations are rethinking their network security requirements and looking to build policy awareness and enforcement into the fabric of the network.
Initially, network security policies were relatively simple to design. The primary objective was to partition the “trusted” internal network and systems from the “untrusted” external world. Securing the network perimeter could be implemented after the high-performance internal network had been laid down with a relatively small number of appliances and policy rules, depending on what internal services needed to be made available to external users (usually web access, email, and remote access for external employees).
Security policy frameworks are becoming more complex to deploy given the higher connectivity and sophistication of the network architecture and access needs due to:
1. Prevalence of insider threats, from intellectual property theft to improper access of mission-critical financial data.
2. Malware (viruses, worms and Trojan horses) on the internal network, which has become more sophisticated.
3. Presence of more untrusted users and systems on the internal network, such as partners and contractors.
4. Increase in compliance, regulatory and risk management initiatives, such as Sarbanes-Oxley, HIPAA in health care, or the payment card industry (PCI) standard.
In response to these challenges and the internal nature of threats, organizations are moving from a secure perimeter to a Secure Network Fabric where networks are built to reflect the pervasive need for security and policy enforcement throughout the network. The key components are:
Automated Remediation – Blocking network threats in real time by intelligently identifying illegitimate network packets or activity and dropping the offending traffic without manual intervention, rather than creating an alert for every security incident, as is typically the case today.
Global Enforcement – Modern security policies have to be enforced everywhere throughout the fabric of the network, with security devices embedded in the network topology.
Centralized Management – The policy management framework needs to be able to define a policy once, centrally, and enforce it everywhere, to reduce inconsistencies, management overhead and the cost of managing multiple security devices such as firewalls, IPS, and NAC.
Building out a Secure Network Fabric takes a multi-pronged, multi-layer defense-in-depth approach to analyzing traffic and making policy enforcement decisions. For this reason the trend in security products has been towards tighter integration between firewalls, intrusion prevention systems, and other devices.
There is less reliance on performing these policy enforcement tasks on endpoint systems, which may not be trusted and usually offer only partial remediation. A Secure Network Fabric relies on the advanced packet analysis and policy enforcement features of next-generation systems to implement more sophisticated policies. Security devices are now able to provide greater insight into network traffic and policy awareness, such as:
Identity-awareness – Alignment with groups, roles, individual IDs and classes of resources. Having network security devices enforce these policies requires that identity-awareness be designed into the network. This includes being able to inspect a packet and determine the identity of the user who sent it, that user's role in the organization, and whether this session or access to a particular resource should be allowed to proceed. Building an identity-aware network can be a much more manageable way to achieve the same policy objectives than using virtual LANs or other network segmentation strategies.
Content-awareness – Similarly, policies are frequently designed around access to types of content, and are likely to be the core of data loss prevention (DLP) strategies. When the network is aware of content breaches, such as detecting credit card numbers or social security numbers being sent in the clear, there is an extra layer of breach prevention, making it much easier to conform to regulatory requirements such as the PCI specification.
Application-awareness – Another advanced policy capability is visibility into the applications carried in the network traffic. Newer-generation firewalls and networking equipment, as well as many IPS devices, can recognize application signatures in the traffic and enforce the desired policy, resulting in both better security and improved network performance.
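As an added example (not code from the article or from 3Com's products), the following Python sketch shows the content-aware check described above: scanning cleartext payloads for card numbers and social security numbers, using the Luhn checksum to reduce false positives, and mapping each hit to a drop or alert action. The sample payloads, patterns and policy table are constructed assumptions.

```python
import re

# Constructed sample payloads standing in for cleartext traffic seen by an
# inline content-aware device. The first card number is a well-known test
# number that passes the Luhn check; the second fails it by one digit.
SAMPLE_PAYLOADS = [
    "POST /checkout card=4111111111111111 exp=12/29",
    "order id 4111111111111112 (looks like a card number, fails Luhn)",
    "applicant ssn 123-45-6789 dob 1990-01-01",
    "GET /index.html HTTP/1.1",
]

# 13-19 digits, optionally separated by spaces or hyphens, not part of a longer run.
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
SSN_RE = re.compile(r"(?<!\d)\d{3}-\d{2}-\d{4}(?!\d)")

# Hypothetical policy, defined once and meant to be enforced at every device:
# card data in the clear is dropped (PCI), SSNs raise an alert for review.
POLICY = {"PAN": "drop", "SSN": "alert"}


def luhn_valid(digits: str) -> bool:
    """Luhn checksum; filters out digit runs that merely look like card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return the Luhn-valid card numbers (separators stripped) found in text."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def classify(payload: str) -> dict:
    """Return the detected content classes and the policy action for one payload."""
    hits = []
    if find_card_numbers(payload):
        hits.append("PAN")
    if SSN_RE.search(payload):
        hits.append("SSN")
    actions = {POLICY[h] for h in hits}
    action = "drop" if "drop" in actions else ("alert" if actions else "allow")
    return {"hits": hits, "action": action}
```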
Different organizations will have their own priorities for implementing these advanced policy objectives in the network. Enforcing identity-, content-, and application-based policies together may be more than many organizations will choose to take on initially.
University and large campus networks are focusing on identity-based policies and user access management issues because they have a large population of users that change frequently, bring their own unmanaged systems onto the internal network, and are not completely trusted. Assigning new users to groups, such as staff and administrators, or grouping students by major, can ensure appropriate access to various resources in a very manageable fashion.
For instance, Quinnipiac University in the US is using 3Com gear to manage the transaction and payment processing portion of its Q-Card system, an ATM-like card for students to use on campus. Their IT organization had to ensure that their network security was in compliance with the PCI security standard. The IT team now has instant access, via a single centralized management console, to critical security data, including network usage and possible threats. They can also more easily deploy, update and enforce access and configuration policies.
Through the H3C enterprise product brand, 3Com has deployed some of the largest networking and security infrastructures in the world. At Sinopec, the Chinese oil and chemical giant and China’s largest company at #23 in the Global 500 (2006 data), 3Com helped deploy a payment card network to service roughly 10,000 distributed filling stations. This secure payment card project involved redundant firewalls to ensure high-availability, while securing transactions and enforcing policies at each of the filling stations, resulting in a manageable deployment of over 20,000 VPN firewalls.
Policy definitions fall within a spectrum of complexity, from granular, low-level policies that are focused on specific devices, all the way up to highly sophisticated compliance and risk management initiatives that are independent of the network design.
For the network to meet these business needs, various policies may have to be implemented across the entire spectrum. Leading organizations, however, as their policies mature, are building Secure Network Fabrics that better align their networks with rapidly evolving business and compliance requirements, while reducing complexity and management costs.
Orcun Tezel, Technical Director, 3Com Asia Pacific