How to turn the network itself into a full-fledged security system?

    Many enterprises still build their security around the outdated perimeter model: all security tools are concentrated at one or two control points on the network edge, and the bypass channels are forgotten entirely - Wi-Fi, flash drives, 4G modems, ActiveSync, and so on. The internal intruder is forgotten just as often: someone who is already inside the network can do their "dirty deed" without any fear of being noticed by the perimeter defenses, because their traffic never crosses them. What can be done in this situation?


    There are three options. The first is to build a second, overlay security network inside the internal network. Any vendor of security products will gladly prepare a proposal for this option, with many IPS sensors and firewalls that monitor and control internal traffic flows and detect malicious code and unauthorized applications. But this option runs into a number of difficulties. Firstly, the existing network design does not always allow such equipment to be inserted: the network may run at speeds the security devices cannot keep up with, the SPAN ports needed to attach an IDS may already be taken, or the company may use virtualization heavily, so that traffic between virtual machines never leaves the physical server and cannot be seen by an external security device at all. Secondly,


    The second frequently recommended option is to install security agents on servers and workstations to detect and block unauthorized activity by users, or directed against users. That is all true, but... what about printers, scanners, industrial controllers, IP video surveillance and physical access control systems? No user works at them (so they cannot be authenticated by the usual methods), and no antivirus, HIPS or other protective agent can be installed on them. Yet these devices, of which there may be more than there are user computers, often become a target for attackers or a foothold for moving further into the company's internal network. A traffic interceptor planted on such a device will sniff everything it can reach, and no protection installed on PCs and servers will notice this policy violation, as a matter of principle. Add a bypass channel in the form of an unprotected Wi-Fi access point or a 4G modem, and confidential data can leak out without ever touching the corporate perimeter defenses.


    Or perhaps this task could be assigned to what already exists and has already absorbed considerable investment? We are talking about the network infrastructure: routers, switches and access points that can do more than move traffic from point A to point B. They can also protect that traffic, acting at the same time as a sensor, as a protective wall and as a tool for responding to security incidents. In essence, every network device is already a sensor of the network protection system: traffic passes through it, traffic is identified and classified, traffic is forwarded to its destination. Why not take one more step and add the words "in accordance with the security policy" to each of those actions? Why can applications not be identified at the router or switch level, rather than hauling their traffic to the firewall on the perimeter? Why can attacks not be detected using the capabilities of the infrastructure equipment itself, rather than mirroring traffic through a SPAN port to an IDS? Why can traffic not be blocked on the very switch port the intruder is connected to, rather than waiting for it to reach the firewall? Why can access control lists not change dynamically depending on where a user or device is located, rather than turning a blind eye to uncontrolled traffic inside the network and unlimited user access to internal resources?

    And why, in fact, should it be impossible? It is not! This is exactly what Cisco does in its network infrastructure, which acts not only as a sensor of the security system (Network as a Sensor) but also as its enforcement point (Network as an Enforcer) and as a system for investigating security incidents. The source data is the NetFlow protocol, which gives us everything we need to know about the traffic passing through, answering all the questions that matter for a security policy: who, what, when, from where, to where, and how. With NetFlow we can classify traffic, identify applications, detect attacks and data leaks, spot the use of unauthorized applications or the appearance of foreign nodes, investigate incidents and find the points where intruders entered the network. All of this is done with NetFlow, with security analytics layered on top of it, as implemented in the Cisco Cyber Threat Defense solution. Segmentation and blocking of unauthorized access are implemented with access control lists and SGT (Security Group Tag) security tags, which form the foundation of Cisco TrustSec, and Cisco Identity Services Engine (ISE) makes it possible to manage all of these security settings consistently across tens of thousands of devices.
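To make the "network as a sensor" idea concrete, here is an added example, not code from the original post and not Cisco's implementation: it parses NetFlow v5 export records (the binary format that switches and routers emit) and applies a role-based policy to the internal network, flagging exactly the cases discussed above - a printer or camera talking to the Internet, a device using a port its role does not need, a node that is not in the inventory, and an unusually large outbound transfer that deserves a leak investigation. For each alert it also proposes the enforcement step a system like ISE could push to the switch. The inventory, role policy, byte threshold and the NetFlow packet itself are constructed for illustration, and the ACL syntax shown is generic Cisco IOS extended-ACL form.

```python
"""NetFlow v5 as a security sensor (added example; all data below is constructed)."""
import ipaddress
import struct
from typing import NamedTuple

V5_HEADER = struct.Struct("!HHIIIIBBH")             # 24-byte NetFlow v5 header
V5_RECORD = struct.Struct("!IIIHHIIIIHHBBBBHHBBH")  # 48-byte NetFlow v5 flow record


class Flow(NamedTuple):
    src: str
    dst: str
    sport: int
    dport: int
    proto: int
    octets: int


INTERNAL = ipaddress.ip_network("10.0.0.0/8")

# Hypothetical device inventory and per-role policy: which ports a role may use,
# and whether it may talk to addresses outside the internal network at all.
INVENTORY = {
    "10.1.1.10": "printer",
    "10.1.2.20": "ip-camera",
    "10.9.9.9": "nvr",
    "10.2.0.5": "workstation",
}
ROLE_POLICY = {
    "printer":     {"dst_ports": {53, 631, 9100}, "egress": False},
    "ip-camera":   {"dst_ports": {53, 554},       "egress": False},
    "nvr":         {"dst_ports": {53, 554},       "egress": False},
    "workstation": {"dst_ports": None,            "egress": True},   # None = any port
}
EGRESS_LEAK_BYTES = 50 * 1024 * 1024   # constructed threshold for a single outbound flow


def build_v5_packet(records):
    """Pack (src, dst, sport, dport, proto, octets) tuples into a NetFlow v5 datagram."""
    header = V5_HEADER.pack(5, len(records), 0, 0, 0, 0, 0, 0, 0)
    body = b"".join(
        V5_RECORD.pack(int(ipaddress.ip_address(s)), int(ipaddress.ip_address(d)),
                       0, 1, 2, 1, octets, 0, 0, sp, dp, 0, 0, proto, 0, 0, 0, 24, 24, 0)
        for s, d, sp, dp, proto, octets in records)
    return header + body


def parse_v5(data):
    """Parse a NetFlow v5 datagram into Flow records (the sensor's raw input)."""
    version, count, *_ = V5_HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError("not NetFlow v5: version %d" % version)
    flows = []
    for i in range(count):
        rec = V5_RECORD.unpack_from(data, V5_HEADER.size + i * V5_RECORD.size)
        src, dst = (str(ipaddress.ip_address(rec[k])) for k in (0, 1))
        flows.append(Flow(src, dst, rec[9], rec[10], rec[13], rec[6]))
    return flows


def evaluate(flows):
    """Apply the role policy to flows originating inside the network; return alerts."""
    alerts = []
    for fl in flows:
        if ipaddress.ip_address(fl.src) not in INTERNAL:
            continue                          # inbound traffic stays the perimeter's job
        role = INVENTORY.get(fl.src)
        if role is None:                      # a node nobody registered: foreign host
            alerts.append(("unknown-node", fl.src, "talked to %s:%d" % (fl.dst, fl.dport)))
            continue
        pol = ROLE_POLICY[role]
        external = ipaddress.ip_address(fl.dst) not in INTERNAL
        if external and not pol["egress"]:    # printer/camera bypassing the perimeter
            alerts.append(("egress-violation", fl.src,
                           "%s sent %d bytes to %s:%d" % (role, fl.octets, fl.dst, fl.dport)))
        elif external and fl.octets >= EGRESS_LEAK_BYTES:
            alerts.append(("possible-leak", fl.src,
                           "%s sent %d bytes to %s:%d" % (role, fl.octets, fl.dst, fl.dport)))
        elif pol["dst_ports"] is not None and fl.dport not in pol["dst_ports"]:
            alerts.append(("unauthorized-app", fl.src,
                           "%s used %s:%d/proto %d" % (role, fl.dst, fl.dport, fl.proto)))
    return alerts


def enforcement(alert):
    """Enforcement step for an alert, as an ACL entry the switch could apply on the offender's port."""
    kind, host, _ = alert
    if kind == "possible-leak":
        return "investigate host %s (flow record retained); no automatic block" % host
    return "deny ip host %s any" % host     # quarantine at the access port, not at the perimeter


SAMPLE_RECORDS = [  # constructed, not a real capture
    ("10.1.2.20", "10.9.9.9",     40000, 554, 6, 2_000_000),   # camera -> NVR over RTSP: fine
    ("10.1.1.10", "203.0.113.7",  51234, 443, 6, 1_500),       # printer talking to the Internet
    ("10.1.2.20", "10.2.0.5",     44444, 22,  6, 900),         # camera opening SSH to a workstation
    ("10.7.7.7",  "10.2.0.5",     5555,  445, 6, 4_000),       # node missing from the inventory
    ("10.2.0.5",  "198.51.100.9", 52000, 443, 6, 80_000_000),  # workstation: 80 MB outbound
]

if __name__ == "__main__":
    for alert in evaluate(parse_v5(build_v5_packet(SAMPLE_RECORDS))):
        print(alert, "->", enforcement(alert))
```

Running it prints four alerts for the five constructed flows: the camera's RTSP session to the NVR is policy-conformant and stays silent, while the printer's Internet connection, the camera's SSH attempt, the unregistered host and the large outbound transfer are each raised with the switch-level action that would stop them where they originate. A real deployment would of course feed the evaluator from a NetFlow collector and source the inventory and roles from an identity system rather than a dictionary.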

    What is attractive about a security solution built into the network infrastructure itself? Beyond solving the security problems of the internal network and containing incidents at the point and moment they occur, rather than when the traffic reaches the perimeter or one of the few control points where security equipment is installed, we gain another advantage: the investment already made in the infrastructure is protected, and the enterprise can be defended even under budget cuts. After all, the infrastructure is already in place. All that needs to be added is a NetFlow analytics and visualization system that looks at the data from the security point of view, Cisco Cyber Threat Defense, and a system for dynamic management of access control lists, Cisco Identity Services Engine.

    A little more detail on Cisco's approach to network security using the mechanisms built into the infrastructure can be found in our presentation:



    A caveat. Perimeter protection and the deployment of IDS/IPS and firewalls inside the network have not been cancelled. It is just that, on their own, they no longer save the day. Ideally, they should be integrated with the protection of the internal network and operate under a single set of policies.
