Network security doesn't stop at the perimeter
- By William Jackson
- Feb 26, 2004
SAN FRANCISCO?The proliferation of mobile devices connecting with networks and of blended threats exploiting multiple avenues of attack are changing the way security is implemented.
Exhibitors at the RSA Security Conference this week are focusing on what is inside the network, not just on what is outside trying to get in.
"Firewalls don't stop everything," said Greg Stock, vice president of sales and marketing for Mirage Networks Inc. of Austin, Texas.
And insiders are recognized as the largest source of security headaches. "In most cases, it is not malicious intent" that produces insider threats, it is carelessness, Stock said.
Poorly configured computers, unauthorized software and sloppy security practices can move threats into the core of the enterprise, and outward-facing security is not enough. Mirage is touting its new Inverted Firewall as a tool to identify and isolate malicious behavior inside a network.
InfoExpress Inc. of Mountain View, Calif., is announcing a gatekeeper that enforces security policy on all devices connecting to the network, whether internal or external, and WebWasher USA AG of Santa Clara, Calif., is releasing a filter for instant messaging and peer-to-peer file sharing.
Unlike a perimeter firewall that blocks all traffic except what is allowed, Mirage's Inverted Firewall allows all traffic except that recognized as malicious.
"It's a traffic cop rather than a roadblock," Stock said.
The Internal Firewall is deployed in access layer switches. Behavioral algorithms "learn" normal network patterns to identify abnormal behavior. The firewall also detects packet activity against unused IP addresses, a telltale sign of an attack, to provide early warning of malicious activity. It also uses a network's unused IP addresses as a sort of honeynet, providing them with false attributes and counterfeit responses to help camouflage real network devices and draw the attention of attackers.
Mirage, which released the firewall in December, has attracted some state and local customers and is talking to some feds, Stock said. But the product has not yet been certified to the Common Criteria for security devices.
"For a company our size to spend the $150,000 to $200,000 to get a certification is difficult," Stock said.
Federal regulations allow agencies to buy uncertified products with a promise from the vendor that it will become certified. Stock said Mirage expects to follow that path with its Inverted Firewall.
InfoExpress takes what some might call a cynical approach in enforcing security policy with its CyberGatekeeper.
"Systems are untrusted by default," said chief executive officer Stacey Lum. Every device trying to connect with the network is quarantined until an audit is performed.
The original product released in 2002 audited remote devices connecting to a network. CyberGatekeeper LAN, being announced this week, performs the same function on devices?desktop and notebook PCs, PDAs and wireless access points?logging onto the network from inside the enterprise.
Upon logging on, each device is shunted to a secure quarantine area and not allowed on the network until it passes muster.
"Authentication is not enough," to reach the network, Lum said. An audit is conducted to ensure that each device meets policies for configuration and for required and forbidden software.
CyberGatekeeper has three components:A policy manager creates policy and defines requirements for access, and distributes them to appliances.Appliances request and evaluate the audits at sign-on. They sit between remote-access servers and the network to screen remote devices, and on internal network access points for internal devices.Agents installed on end devices perform audits. Web agents also can be downloaded at the time of sign-on for one-time access. If necessary, the appliances can do the audit remotely with no agent, but this is a more time-consuming process, Lum said.
WebWasher began business three years ago with a Web-blocking product and has found growing demand for more-comprehensive filtering.
"We saw that instant messaging and peer-to-peer was next," said Frances Schlosstein, vice president of business development.
Instant messaging can work over Hypertext Transfer Protocol, but it also uses other protocols on different ports, making Web blocking ineffective. And "peer-to-peer is a serverless application, and URL blocking doesn't help you at all with that," said senior architect Tom Bryant.
So the company developed WebWasher IM Filter, a new module for its filtering product. Its capabilities are basic in the initial release. It blocks peer-to-peer traffic and can block instant messaging.
Plans call for subsequent versions to more finely manage instant messaging traffic, allowing its use by specified persons or groups and inspecting content and adding security for the traffic.
The vendor has no plans to do anything with peer-to-peer traffic except block it, said general manager Gary Taggart. "Nobody wants to manage peer-to-peer. There is no business application for it. They want to block it."William Jackson, who writes for Government Computer News magazine, was at this week's RSA Security Conference.
William Jackson is a Maryland-based freelance writer.