"The online business magazine at the heart of international business management news..."
05 Jul 2010

A new approach to securing the network

Nevis Networks | www.IWantTheSolution.com


Increasingly, enterprises must open up their internal networks to suppliers, customers and other guests in order to forge strong relationships. But what challenges does this scenario present from a network security standpoint? Dominic Wilde, VP of Marketing and Product Management at Nevis Networks Inc., provides his view.

Traditionally, network security has focused on the external perimeter. The vast majority of threats to the enterprise network arose from outside the organization and from the open nature of the internet, so the perimeter of the corporate network was secured very early on. Internal users and systems were generally ‘trusted’ to be secure, and there were few internal security mechanisms beyond securing the endpoints themselves. In such an environment, an employee who had access to the network could move around the corporate network unchecked; access to resources such as file servers and application servers was controlled only at the server itself, via access privileges.

However, with the advent and pervasive deployment of mobile devices, portable storage media, wireless communications and ubiquitous access points, security policies grew more complex, and security infrastructure proliferated as point solutions to diverse risks. The once-trusted internal network now has to accommodate a myriad of ‘untrusted’ users and devices: guests, contractors, business partners, customers, mobile systems, employee-owned systems and other unmanaged endpoints. The idea of a single secure DMZ at the edge has effectively become outdated; the entire LAN, the internal corporate network, has become the new DMZ. Administrators now have to defend the whole network from untrusted endpoints with conflicting and diverse security policies and access requirements, while balancing the competing goals of productivity and security. To address these issues, user identity has become a key requirement in both policy definition and policy enforcement.

Unfortunately, network infrastructures, and the network security solutions built on top of them, are not identity-aware: switches, routers and firewalls make their decisions on MAC addresses, IP addresses, ports and VLANs, not on who the user behind a device is. Enforcing identity-based policies with identity-blind systems has proven to be a futile endeavor in the face of increasingly complex security policies, open networks, mobile systems and unmanaged endpoints. The dilemma facing network security administrators has become a serious obstacle and a drain on budgets, and the result is poorly designed security models implemented at the wrong places in the network.

Exacerbating the problem is that, without an identity-aware network infrastructure, it is almost impossible to demonstrate compliance with identity-based policy initiatives. The events of interest are hidden in logs keyed to machine addresses: a firewall or switch log records which IP or MAC address did what, and reconstructing which user that was at the time requires correlating against DHCP leases and authentication records that the network itself never tied together.

Security policy enforcement must move into the network to address the dissolving perimeter, and when it does, the network infrastructure and the policy enforcement layer must be identity-aware. Network access control (NAC) technologies have a strong role to play in building user identity knowledge into the network fabric itself, but they must be capable of enforcing identity-based policies dynamically and in real time within the network for the entire duration of a user session, not only at the moment of connection.

To date, most organizations and industry experts have looked at NAC to mitigate the risk of vulnerabilities on endpoints, hoping to reduce outbreaks of malware and prevent exploits that could compromise sensitive data. However, with the correct NAC solution implemented, network security policies can be mapped more easily from business drivers into the network security architecture, with clear visibility of user activity through the pre-connect phase (authentication, endpoint validation, authorization) and the post-connect phase (access control, threat detection, remediation, reporting). This offers a more tangible and faster return on investment by reducing network administration and user management costs, reducing the complexity of ill-fitting network security infrastructure, and reducing the cost of handling policy breaches and compliance reporting.

It is important to note that not all NAC technologies are created equal, and that vendors have taken different architectural paths with varying degrees of success in addressing the problems of the dissolving perimeter. At Nevis Networks, we have differentiated ourselves by approaching the problem with deep security expertise while viewing the problems our customers present through networking eyes. We recognize that achieving ubiquitous identity-based policy enforcement requires integrating the performance, scalability and cost needs of the network manager with the security functionality and policy needs of the CSO, without compromise on either side. Our LANenforcer switch and appliance solutions take NAC to the next level, providing identity-based deep packet inspection at LAN speeds and leveraging the policy stores (user directories) already in the network.

NAC solutions should provide the following minimum functions:

• Endpoints: prevent unauthorized access by noncompliant systems
• Users: control and monitor access to network resources dynamically and in real-time
• Network: detect and contain threats at the source
• Compliance: monitor in real-time and report historically on user activity
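The session lifecycle described above (pre-connect authentication, endpoint validation and authorization; post-connect per-flow enforcement, threat detection, containment and identity-keyed reporting) is easier to reason about in code. The following is an added example written for this page, not Nevis Networks' LANenforcer code or any real NAC product's API. The user directory, the role-based policy table, the posture fields (`av_version`, `patched`), the scan threshold and the function names are all constructed assumptions chosen to illustrate the four functions in the list above.

```python
"""Toy identity-aware NAC policy engine (added example; all data is constructed)."""
import ipaddress
from dataclasses import dataclass, field

# Constructed user directory: stands in for the "existing policy store" (e.g. AD/LDAP).
USERS = {
    "alice": {"password": "correct horse", "role": "employee"},
    "bob": {"password": "guest-2010", "role": "guest"},
}

# Identity-based policy: role -> list of (destination network, TCP port) that is allowed.
# "quarantine" is the remediation role: a noncompliant or misbehaving endpoint may only
# reach the (assumed) remediation server network on 10.9.9.0/24.
POLICY = {
    "employee": [("10.0.0.0/8", 445), ("10.0.0.0/8", 443), ("0.0.0.0/0", 443)],
    "guest": [("0.0.0.0/0", 443), ("0.0.0.0/0", 80)],
    "quarantine": [("10.9.9.0/24", 443)],
}

MIN_AV_VERSION = 5   # assumed minimum endpoint antivirus version for a compliant posture
SCAN_THRESHOLD = 10  # assumed number of distinct denied destinations that counts as a scan


@dataclass
class Session:
    """Binds the authenticated user to the address the network actually sees."""
    user: str
    role: str
    mac: str
    ip: str
    denied: set = field(default_factory=set)
    events: list = field(default_factory=list)


def pre_connect(username, password, mac, ip, posture):
    """Pre-connect phase: authenticate, validate the endpoint, authorize.

    Returns a Session (with the role to enforce) or None if authentication fails.
    A noncompliant endpoint is admitted only into the quarantine role.
    """
    rec = USERS.get(username)
    if rec is None or rec["password"] != password:
        return None  # unauthenticated: no network access at all
    role = rec["role"]
    if posture.get("av_version", 0) < MIN_AV_VERSION or not posture.get("patched", False):
        role = "quarantine"  # Endpoints: block noncompliant systems from the real network
    s = Session(username, role, mac, ip)
    s.events.append(f"connect user={username} mac={mac} ip={ip} role={role}")
    return s


def allowed(role, dst_ip, dst_port):
    """Identity-based access decision: the role, not the source address, is what matters."""
    addr = ipaddress.ip_address(dst_ip)
    return any(port == dst_port and addr in ipaddress.ip_network(net)
               for net, port in POLICY[role])


def post_connect(s, dst_ip, dst_port):
    """Post-connect phase: enforce per flow, detect a scan, contain at the source."""
    verdict = "allow" if allowed(s.role, dst_ip, dst_port) else "deny"
    if verdict == "deny":
        s.denied.add((dst_ip, dst_port))
        if len(s.denied) >= SCAN_THRESHOLD and s.role != "quarantine":
            s.role = "quarantine"  # Network: contain the threat at its source, mid-session
            s.events.append(f"contain user={s.user} ip={s.ip} reason=port-scan")
    s.events.append(f"{verdict} user={s.user} ip={s.ip} dst={dst_ip}:{dst_port}")
    return verdict


def report(sessions):
    """Compliance: events keyed by user identity rather than by machine address."""
    out = {}
    for s in sessions:
        out.setdefault(s.user, []).extend(s.events)
    return out


def user_for_address(sessions, ip):
    """Answer the question an address-only log cannot: who was behind this IP?"""
    return next((s.user for s in sessions if s.ip == ip), None)


if __name__ == "__main__":
    good = {"av_version": 6, "patched": True}
    alice = pre_connect("alice", "correct horse", "aa:bb:cc:00:00:01", "10.1.50.7", good)
    bob = pre_connect("bob", "guest-2010", "aa:bb:cc:00:00:02", "10.1.50.8", good)
    post_connect(alice, "10.1.2.3", 445)            # employee reaching a file server: allow
    post_connect(bob, "10.1.2.3", 445)              # guest reaching the same server: deny
    for port in range(1, 11):                       # guest probing ten ports: contained
        post_connect(bob, "10.1.2.3", port)
    for user, events in report([alice, bob]).items():
        print(user, *events, sep="\n  ")
```

The point of the `Session` object is the binding between the identity established at pre-connect and the MAC/IP the switch sees afterwards: every post-connect decision and every log line is made and written in terms of the user, and containment changes the role for the rest of the session without waiting for a reconnect.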

