By Cleona Godinho
How and why should you keep network intruders out of your firm’s local area network (LAN)? Windows talks to the experts...
There is a world of difference between one internet-connected PC and a network of Ethernet-linked computers. At the simplest level the differences are two-fold: one, more computers means more potential entry points for threats; and two, the more users there are on a network, the more data is generated that might be of interest to outsiders.
“Whether we look at a small to medium business and a large enterprise, the fundamental security threats are the same,” explains Symantec’s senior security consultant for this region, Ivor Rankin. “At the end of the day we’re talking about IP and the internet, so an organisation needs to realise that there are basic elements of security that must be in place in order to provide their organisation and therefore their customers with some degree of security.”
Know your enemies
So when we talk about network protection, what exactly do we mean? From whom or from what must our networks be protected?
“We have to first distinguish between internal and external threats,” says Linksys’ regional manager, Mohammad Hoda. “External threats can be, for example, DoS (Denial of Service) attacks, worms, viruses and ‘war drivers’ that try to access wireless local area networks.”
Internal threats, meanwhile, are those posed by your own employees, the users. “It’s important to control users’ operating environment, so that staff cannot endanger your business and its data,” says McAfee’s senior security consultant, Faisal Khan. “For instance, here in the McAfee office we have a complete operating environment (or COE) which applies to each PC; this configuration controls the applications we have and use, and what each user can install. This is important as most worms and botnets, for instance, are user-initiated, usually through inappropriate downloads.”
All the elements
So when moving from a single AV-protected PC to securing a small network, what are the elements of protection that should be in place?
In speaking to software- and hardware-focused IT security companies, the Windows team recorded a whole raft of strategies and many different answers to this question; one recurrent theme, however, ran throughout, namely that of comprehensive ‘multi-layered’ protection.
“It’s something that a lot of people are talking about - the fact that we need to have multiple tiers - essentially the same level of protection covering all the various entry points into a business,” says Symantec’s Rankin, “primarily the internet gateway, the servers of course, and last but not least the desktops. That would be the most fundamental type of protection that any organisation - even a five user business - would need to consider.”
Sonicwall’s regional sales manager, Shahnawaz Sheikh, concurs: “Absolutely we’re talking about a multi-layered approach. We’re not talking about security that offers 50% or 60% protection - either you’re fully secured or you’re not secured; even a small vulnerability could be the same as your (business) not having any security at all.”
Multi-layered security, by definition, maps onto the OSI concept of network layers (see box opposite). At the lowest level, the workstation (layer seven, or the ‘application’ layer), properly configured anti-virus and personal firewall applications are key.
In the case of the AV software itself, many SMB and enterprise-specific products such as those from Symantec, McAfee and Trend Micro, can be controlled and managed by a central IT manager, who can decide the degree of freedom each user may have when it comes to things like installing software or using instant messaging apps.
“For SMBs we have Office Scan; a server version (with central management) and a client version, with licenses, for individual user PCs,” states Trend Micro’s sales engineer, Samir Kirouani. “This includes AV functions, anti-spyware, personal firewalls, an adware remover, and a network layer scanner. The software’s manager doesn’t need to be a techie, but in the morning they should put aside some time to log in through their browser and assess the situation.”
The need for a personal firewall on each user’s PC is something all the security software vendors we spoke to were keen to stress, particularly in relation to laptop users who work in the field, then return to the company office and log in again using the same machine.
“Most organisations, because of the cost of broadband internet coming down and their business requirements, have a mobile user who travels and uses a laptop,” says Sonicwall’s Sheikh. “When they go away, connect elsewhere, then come back to the network and connect, the moment they do this - if they have a virus or worm, they bring this into your network. If you have desktop security, including a personal firewall, for these remote users, you’re able to protect those PCs and stop such threats.”
Trend Micro’s Kirouani agrees and says this is a key issue: “The main route we see of people getting into the network at the moment is when an employee brings their laptop in and connects to the LAN. At work, you should be protected by your network firewall, but a personal firewall will also provide this protection when you're at home or away from the office.”
So this double protection at the PC level is key. However, higher-level protection - at the perimeter of the network - is also required to achieve true multi-layer security.
“Firewalls are always on the first ‘layer’ of the network,” explains Trend Micro’s Kirouani, “they’re the interface between the internet and your network. When we talk about SMBs, the firewall will usually include a built-in router, plus often now some anti-virus functionality too. AV software looks at a packet of data’s content and decides whether this is malicious or not, whereas a firewall is simply like having a nightclub ‘bouncer’; it’s got a list of people that are allowed in (i.e. onto the network), and not allowed in. After a packet (of data) is in, it then becomes the anti-virus’s job.”
Symantec’s Rankin adds that firms should really pay attention to the type of firewall on offer. “If we go back five years, protection at the high level was adequate. A dedicated firewall and some big form of AV protection - to all intents and purposes the network was deemed to be secure. But that’s changed. Even though an organisation may have a perimeter firewall, it’s the technology in that firewall that determines the degree of security that the firewall is capable of providing.”
“In most cases the firewalls that are used in SMBs are primarily circuit-level gateways - they operate at a much lower level in terms of functionality, and as a result provide less degrees of complexity,” he continues. “This means they may be able to stop certain traffic coming into the network, but they may not be able to stop malicious traffic, such as a worm spreading over the network. Blaster, CodeRed and so on came in and infiltrated probably 90% of all networks, even though they were being protected by some sort of perimeter firewall, and fundamentally the reason is because the firewalls themselves were substandard to deal with the new threats; they could block basic ports, but on legitimate ports they didn’t have the ability to deliver full inspection - to determine whether inbound HTTP traffic is real HTTP traffic, or the type of traffic that will be used to create a buffer overflow on my web server and as a result gain control of that server.”
A standard firewall will block and open ports, but this alone isn’t enough. “Viruses and hackers always know which ports are open,” Rankin continues. “You’re bound to have everyone browsing the internet, and usually this browsing is through HTTP traffic, which is port 80. E-mail comes through port 25. So even though you have a firewall, you’ll still need to open those ports, otherwise you’ll just block everything. So whichever company I scan, I know that their port 80 and port 25 will be open on the firewall. Therefore the job of a firewall is not enough on its own - you need to examine the content too.
“A company needs a firewall that can inspect traffic and determine whether or not it’s legitimate - whether it contains anything that may result in a breach or attempted breach of security systems,” he concludes.
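To make Rankin’s distinction concrete, here is an added illustration (not code from the article or from any vendor mentioned in it): a port-only rule beside a content-aware check, both run over a few constructed packets. The Packet class, the allowed-port list, the request-line limit, the host addresses and the sample payloads are all assumptions made for the demonstration.

```python
# Added example, not code from the article or any vendor: it contrasts a
# port-only firewall rule with a content-aware check on constructed packets.
# Packet layout, port list, limits and payloads are assumptions for illustration.
import re
from dataclasses import dataclass


@dataclass
class Packet:
    src: str
    dst_port: int
    payload: bytes


# The "open these ports" policy a basic circuit-level gateway enforces:
# web on 80 and mail on 25, as the article describes.
ALLOWED_PORTS = {25, 80}


def port_filter(pkt: Packet) -> bool:
    """Decide purely on destination port; the payload is never looked at."""
    return pkt.dst_port in ALLOWED_PORTS


# Constructed policy limit for the length of an HTTP request line.
MAX_REQUEST_LINE = 2048
REQUEST_LINE = re.compile(rb"^(GET|HEAD|POST|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
# One header line: a token (no spaces, no colon), a colon, then printable ASCII.
HEADER_LINE = re.compile(rb"[!-9;-~]+:[ \t]*[ -~]*")


def looks_like_http(payload: bytes) -> bool:
    """Protocol-conformance check: is this payload shaped like an HTTP request?"""
    end_of_line = payload.find(b"\r\n")
    if end_of_line == -1 or end_of_line > MAX_REQUEST_LINE:
        return False          # no request line, or one that is implausibly long
    if not REQUEST_LINE.match(payload):
        return False          # not "METHOD target HTTP/1.x"
    head = payload.split(b"\r\n\r\n", 1)[0]
    for line in head.split(b"\r\n")[1:]:
        if not HEADER_LINE.fullmatch(line):
            return False      # header block contains something that is not a header
    return True


def content_filter(pkt: Packet) -> bool:
    """Port rule plus inspection of what actually travels over the web port."""
    if pkt.dst_port not in ALLOWED_PORTS:
        return False
    if pkt.dst_port == 80:
        return looks_like_http(pkt.payload)
    return True               # port 25 is left uninspected in this small example


# Constructed sample traffic.
SAMPLES = {
    "normal web request": Packet("10.0.0.5", 80,
        b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"),
    "oversized request line": Packet("10.0.0.6", 80,
        b"GET /" + b"A" * 4000 + b" HTTP/1.0\r\n\r\n"),
    "binary blob on port 80": Packet("10.0.0.7", 80,
        bytes(range(0, 32)) * 4),
    "connection to closed port": Packet("10.0.0.8", 4444,
        b"GET / HTTP/1.1\r\n\r\n"),
}


def compare(samples: dict) -> dict:
    """Map each sample name to (port-only verdict, content-aware verdict)."""
    return {name: (port_filter(p), content_filter(p)) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (by_port, by_content) in compare(SAMPLES).items():
        a = "allow" if by_port else "block"
        b = "allow" if by_content else "block"
        print(f"{name:28} port-only: {a:5}  content-aware: {b}")
```

The oversized and non-HTTP payloads pass the port-only rule simply because port 80 is open; the content-aware check rejects them because they are not shaped like HTTP requests. A real inspection engine goes much further (full protocol parsing, signature matching, stateful connection tracking), but the decision structure is the same: the port tells you which protocol is expected, and only the content tells you whether that is what you are getting.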
This is also where an IPS - an intrusion prevention system - comes in. In the past largely bought as a separate hardware device sitting at the network’s perimeter, the IPS’s traffic monitoring functions are now being built into more advanced firewall products, and also form part of unified threat management solutions (UTMs). It is the latter, however, that are the real growth area in the SMB network security space.
Effectively a single hardware appliance that sits at the perimeter of the network next to the switch or router, the UTM is aimed very squarely at time- and cash-limited SMBs.
Growing in popularity
“The UTM is catching on, for three reasons,” asserts Sonicwall's Sheikh. “It’s a simple, all-in-one device and cost-effective. For the SMB and entry-level enterprise, this type of network does not have dedicated expertise - one manager for network security, one for VPN, one for IPS, wireless and so on. They want everything on a single device that they can understand.”
“Secondly,” Sheikh adds, “they don't want to invest in multi-point products; they don’t want to talk to different vendors and have different vendor solutions. Thirdly, for businesses with five up to two hundred users, their primary business is something else - not managing their IT infrastructure. The UTM takes away the headache; a firm doesn’t need to have lots of security expertise. Even a person with some network knowledge will be able to manage this UTM box.”
“What we offer on the software side isn’t offered as a dedicated McAfee solution although it’s based on the McAfee engine; it’s a Sonicwall Anti-virus. What we add is what we call ‘client enforcement’. What I mean by that is that in a network with 50 users, if two users don’t have updated anti-virus info, or for some reason the AV on their PCs is disabled, they still have to pass through the Sonicwall UTM to access the internet. This UTM can detect that these users’ protection is not 100%, so it stops them and forces them to update their protection. Once a user is compliant, then they’ll be allowed to access the internet.”
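The ‘client enforcement’ idea Sheikh describes is essentially a posture check at the gateway. The following is an added, simplified model of that gate (not code from the article or from Sonicwall): each endpoint reports whether its anti-virus is enabled, how old its signatures are and which engine version it runs; a policy decides whether the host is compliant, and non-compliant hosts are allowed to reach only the update server until they are. The policy numbers, host names, the update-server name and the endpoint records are constructed assumptions.

```python
# Added example, not code from the article or SonicWALL: a simplified model of
# the "client enforcement" gate described above. Policy values, host names and
# endpoint records are constructed assumptions for illustration.
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

UPDATE_SERVER = "av-update.corp.example"   # assumed internal update host


@dataclass
class Posture:
    host: str
    av_enabled: bool
    signature_date: date
    engine_version: str


@dataclass
class Policy:
    max_signature_age_days: int
    min_engine_version: str


def _version(v: str) -> tuple:
    """Turn "5.1" into (5, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in v.split("."))


def evaluate(posture: Optional[Posture], policy: Policy, today: date) -> tuple:
    """Return ("allow", reason) or ("update", reason). A missing report fails closed."""
    if posture is None:
        return ("update", "no posture report from client")
    if not posture.av_enabled:
        return ("update", "anti-virus disabled")
    age = (today - posture.signature_date).days
    if age > policy.max_signature_age_days:
        return ("update", f"signatures {age} days old")
    if _version(posture.engine_version) < _version(policy.min_engine_version):
        return ("update", f"engine {posture.engine_version} below minimum")
    return ("allow", "compliant")


def gate(posture: Optional[Posture], policy: Policy, today: date, destination: str) -> bool:
    """Compliant hosts may connect anywhere; others only to the update server."""
    state, _ = evaluate(posture, policy, today)
    return state == "allow" or destination == UPDATE_SERVER


POLICY = Policy(max_signature_age_days=3, min_engine_version="5.1")
TODAY = date(2007, 6, 1)   # constructed reference date

# Constructed endpoint reports: one compliant PC and four that should be held
# at the gate for different reasons.
ENDPOINTS = {
    "pc-01": Posture("pc-01", True, TODAY - timedelta(days=1), "5.1"),
    "pc-02": Posture("pc-02", True, TODAY - timedelta(days=10), "5.1"),
    "pc-03": Posture("pc-03", False, TODAY, "5.1"),
    "pc-04": Posture("pc-04", True, TODAY, "4.9"),
    "pc-05": None,   # laptop back from the road, agent not reporting at all
}


def report(endpoints: dict, policy: Policy, today: date) -> dict:
    """Per-host decision and reason, as a UTM admin console might list them."""
    return {h: evaluate(p, policy, today) for h, p in endpoints.items()}


if __name__ == "__main__":
    for host, (state, reason) in report(ENDPOINTS, POLICY, TODAY).items():
        web_ok = gate(ENDPOINTS[host], POLICY, TODAY, "www.example.com")
        print(f"{host}: {state:6} ({reason}); internet access: {web_ok}")
```

Two design points matter here. The check fails closed: a host that sends no posture report at all (the returning laptop in the sample) is treated as non-compliant rather than waved through. And quarantine is not a dead end: the update server stays reachable, which is what lets the user fix the problem and become compliant without an administrator’s intervention.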
As far as the pricing of such an all-in-one hardware solution is concerned, Sheikh suggests a 50-user business for example should budget around US $3000. “$2500 to $3000 will cover the cost of the UTM plus desktop software and server licenses.”
For budget-strapped yet security-conscious organisations, this route could be one that’s well worth investigating further.
Symantec (symantec.com)
Symantec Client Security
Symantec Mail Security for Exchange
Linksys (linksys.com)
RVS4000 & WRVS4400N secure routers
Sonicwall (sonicwall.com)
2040 Pro series
Trend Micro (trendmicro.com)
Office Scan (client/server)
McAfee (mcafee.com)
McAfee Total Protection for
McAfee IntruShield Network IPS appliances
McAfee IntruShield Security Manager appliance
McAfee Secure Internet Gateway
3Com (3com.com)
OfficeConnect Secure Router
OfficeConnect VPN Firewall