Business Defense: Perimeter to Core
Business infrastructure is seriously threatened by persistent malicious-code attacks on multiple fronts, including networks, data and applications. Organizations need to look at the deployment of several layers of security technologies, including firewalls, intrusion detection and prevention and strong authentication. Just deploying a firewall at the perimeter will not secure the business infrastructure.
‘Hardening’ Critical Systems
Critical assets that businesses need to protect include systems typically at the perimeter such as Domain Name System (DNS) and Web servers, as well as core systems such as file, e-mail, database, e-commerce, application and print server systems. All critical systems should be “hardened”—meaning all unnecessary services are disabled.
Security Architecture: Defense-in-Depth
A defense-in-depth architecture results in multiple layers of security. The threat is from both outsiders and insiders. Entities have to counter attacks by developing a robust and roving shield to reduce vulnerabilities and deter those with the capability and intent to harm the business infrastructure.
Robust and Roving Shield
A robust and roving shield delivers both passive and active security components to defend enterprise assets. “Robust” refers to passive defensive components on the business infrastructure, while “roving” identifies the active defensive components. A roving shield is important because the threat today is dynamic and requires the business defense to be adaptive, active and alert in detecting gaps that may be exploited by those who make it past the robust shield.
Layers of technology that can be deployed as part of the defense-in-depth architecture include:
- Firewall systems.
- Intrusion detection and prevention systems (IDS, IPS).
- Strong authentication solutions, such as biometrics, smart cards and tokens.
- Access-control solutions, such as role-based access control (RBAC).
- Encryption solutions.
The implementation of these layers of security technology will make it highly unlikely that unauthorized individuals will gain access to vital systems. Let’s take a closer look at two of these layers: firewall systems and strong authentication.
Perimeter Defense: Firewall Systems
The cornerstone of any organization’s perimeter is its deployment of a firewall system or systems. Firewall systems are typically configured on the organization’s perimeter as well as on end systems, such as PCs. Network firewalls protect the entire network by inspecting all packets and connections coming into or leaving the network. Personal firewalls are installed on each system. Personal firewalls also secure remote devices connected to enterprises over virtual private networks (VPNs).
The objective of all types of firewall systems is to block traffic that is not authorized. Firewall systems can filter traffic on the basis of:
- Source IP addresses.
- Destination IP addresses.
- Source TCP and UDP ports.
- IP protocol.
- Destination TCP and UDP ports.
- The interface on which the packet arrives.
- The interface where the packet is destined.
There are three types of firewall systems: packet filtering, stateful inspection and application-layer gateways. Packet-filtering firewall systems filter traffic based on rules defined for IP addresses, port numbers and the protocol type, judging each packet on its own. Stateful-inspection firewall systems additionally maintain state information about the connections that pass through the firewall. Filtering is then performed based on the defined access policy, so packets belonging to a given connection may be accepted or denied based on whether that connection was allowed to be established. Application-layer gateways can accept or deny traffic based on the content of the application protocol carried over the connection. They are capable of understanding application command syntax such as that used in FTP, Telnet or other applications. Application-layer firewalls use agents, also called application proxies, to establish connections with the destination system on the client’s behalf.
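The difference between packet filtering and stateful inspection described above, as an added example that is not part of the original article. The rule set, addresses and interface names are constructed for illustration; the stateless filter judges each packet alone, while the stateful one accepts reply traffic only for connections the policy allowed to be opened.

```python
# Added example (not from the article): stateless packet filter vs. stateful inspection.
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    sport: int
    dport: int
    in_if: str      # interface on which the packet arrives
    syn: bool = False   # TCP SYN flag, i.e. a new connection attempt

# Constructed policy. Missing fields mean "any"; first match wins; last rule is default deny.
RULES = [
    {"in_if": "inside", "proto": "tcp", "dport": 80, "action": "accept"},                   # outbound web
    {"in_if": "outside", "proto": "tcp", "dport": 25, "dst": "10.0.0.5", "action": "accept"},  # inbound mail
    {"action": "drop"},
]

def match(rule, pkt):
    return all(getattr(pkt, k) == v for k, v in rule.items() if k != "action")

def packet_filter(pkt, rules=RULES):
    """Stateless filter: every packet is judged only against the rule list."""
    for rule in rules:
        if match(rule, pkt):
            return rule["action"]
    return "drop"

class StatefulFirewall:
    """Tracks established connections so replies are accepted only for
    connections the rule set allowed to be opened in the first place."""
    def __init__(self, rules=RULES):
        self.rules = rules
        self.table = set()   # established (proto, src, sport, dst, dport) tuples

    def filter(self, pkt):
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key in self.table or reverse in self.table:
            return "accept"          # belongs to an established connection
        if pkt.proto == "tcp" and not pkt.syn:
            return "drop"            # no state and not a connection attempt: unsolicited
        action = packet_filter(pkt, self.rules)
        if action == "accept":
            self.table.add(key)      # remember the connection the policy permitted
        return action
```

With the stateless filter, the web server's reply from port 80 would need its own inbound rule to get through; the stateful firewall accepts it because the inside host opened the connection.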
When researching firewall systems for your enterprise, check to see if the firewall can perform deep packet inspection at wire speeds. Performance of firewall systems and their ability to look into application content are important to effectively block cyber-attacks. Also, security professionals must seriously consider the deployment of personal firewalls. In the first half of 2003, Microsoft issued 12 critical vulnerability alerts that required organizations to patch every Windows-based PC. Organizations are increasingly deploying personal firewalls on all PCs to further secure Internet connections and keep unauthorized executables from running.
There are many firewall vendors in the marketplace. Check Point’s Firewall-1 Gateway is a leader in the network firewall space. Microsoft’s Internet Connection Firewall (ICF), included with Windows XP and Windows Server 2003, is an example of a personal firewall. Most routers provide the capability to filter traffic and can serve as firewalls as well. Microsoft’s Internet Security and Acceleration (ISA) Server is an example of a software-based network firewall. Reputable vendors that offer specialized network-based firewall system solutions include Check Point, SonicWall, Microsoft and Cisco Systems.
Identity Management: Strong Authentication
Authentication is about verifying the identity of an individual or an entity. Digital identification is a major challenge for all businesses. Businesses are taking a close look at “strong authentication” solutions to firmly establish the identity of the individual engaged in an electronic transaction. The strength of an authentication method is based on the number of factors it uses in verifying the identity of the entity. Strong authentication uses two or more authentication factors. Two-factor authentication is considered much stronger than one-factor authentication. Passwords are the oldest authentication method and the weakest form of authentication. They are vulnerable to being guessed, stolen or cracked by password-cracking applications.
The authentication factors may be something you know (knowledge), something you have (possession) or something you are (person). Strong authentication solutions include tokens, smart cards and biometrics.
An authentication token is a device that generates a new value to be used for authentication each time it is accessed. These devices are small, about the size of the remote control used to lock and unlock a car. A smart card is a credit-card-like device with both CPU and memory built in. It is used to store keys, certificates, credentials and other information. Biometrics covers both verification and identification: it confirms the identity of an individual based on measurable physiological or behavioral characteristics. Examples of biometric techniques include fingerprints, facial recognition, retinal scanning, iris scanning, hand geometry and voice patterns.
Your organization will likely select a combination of these strong authentication solutions to protect highly sensitive assets. For example, you may choose to deploy a smart-card solution for system and network administrators, while all end users may be required to change their password every 60 to 90 days. The passwords that end users select may be required to have a minimum of eight characters and to include a combination of letters and numerals so that password-cracking programs cannot easily recover them.
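The two-factor login described in this section (the eight-character letters-and-numerals password policy with periodic change, plus a token that produces a new value each time it is used), as an added example that is not part of the original article. The token algorithm is HOTP (RFC 4226, an event-based one-time password), which is one concrete realisation of such a token; user names, secrets and the look-ahead window are constructed for illustration.

```python
# Added example (not from the article): password-policy check plus an event-based
# token (HOTP, RFC 4226) as the second factor. Secrets and names are constructed.
import hashlib, hmac, os, struct

def password_meets_policy(pw: str, min_len: int = 8) -> bool:
    """At least min_len characters containing both letters and numerals."""
    return (len(pw) >= min_len and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))

def password_expired(age_days: int, max_age_days: int = 90) -> bool:
    """Flag passwords older than the organisation's rotation window (60 to 90 days)."""
    return age_days > max_age_days

def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte counter, dynamically truncated."""
    hs = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = hs[-1] & 0x0F
    code = struct.unpack(">I", hs[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class UserStore:
    """Server side: salted password hashes plus each user's token secret and counter."""
    def __init__(self):
        self.users = {}

    def enrol(self, name, password, token_secret):
        if not password_meets_policy(password):
            raise ValueError("password does not meet policy")
        salt = os.urandom(16)
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
        self.users[name] = {"salt": salt, "hash": digest,
                            "secret": token_secret, "counter": 0}

    def login(self, name, password, otp, look_ahead=5):
        u = self.users.get(name)
        if u is None:
            return False
        digest = hashlib.pbkdf2_hmac("sha256", password.encode(), u["salt"], 100_000)
        if not hmac.compare_digest(digest, u["hash"]):
            return False                      # factor 1 (something you know) failed
        # Factor 2 (something you have): accept the next expected value or a few
        # ahead, because the token may have been pressed without a login attempt.
        for c in range(u["counter"], u["counter"] + look_ahead):
            if hmac.compare_digest(hotp(u["secret"], c), otp):
                u["counter"] = c + 1          # a used value is never accepted again
                return True
        return False
```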
Establishing a Demilitarized Zone (DMZ)
Implementation of a defense-in-depth strategy can substantially improve the protection of sensitive business assets on the enterprise architecture. Another design ide