There's an arsenal of tools,
systems, services and processes to protect enterprise
networks and its data. Are you using the right ones
to secure your IT infrastructure? by Brian Pereira
Like Virginia Slims cigarettes,
enterprise security has come a long way. Yesterday,
security products mainly comprised of firewalls and
anti-virus software. Today, enterprise security is a
lot more complex and includes various security tools
There are two trends that are
taking place in the area of security products: product
integration and embedded security.
"Technology (like encryption)
has reached a maturity level. Security products are
more effective when integrated. It is the mixing of
the products that offers tighter security," says
Capt. Raghu Raman, Practice Head, SSG, Mahindra Consulting.
In recent times we've seen
integrated solutions like Firewall/VPN appear. Anti-virus
software, firewall applications, and privacy tools have
also been integrated in security software suites.
Security is now built into
or embedded in IT products like networking equipment,
operating systems, applications and even notebook computers.
Not surprisingly, the major
networking equipment vendors are also the leading security
Here's an introduction to current
enterprise security systems and solutions.
As the number of users and applications on enterprise
networks increases, it becomes increasingly difficult
to manage identities. Users both within and outside
the organization, need to have selective access to servers
and applications. This can potentially diminish network/data
security as sensitive information is exposed. It also
raises a couple of challenges: Does a user really need
to have a separate identity (login ID and password)
for each server/application? How are you going to ensure
that users change their respective passwords every month
or so? And how are you going to protect identities and
mitigate identity theft? That's where Identity Management
(IM) comes in.
IM is the creation, management
and use of online or digital identities. It involves
managing the full life cycle of a digital identityfrom
creation and maintenance to termination, as well as
enforcing policies that concern access to electronic
IM is related to Directory
Services, since machines and applications also have
identities. A directory service is a database of all
network resources and users on the network. Each user
or resource has a unique identity.
While there are various authentication systems, user
ID and password is the simplest form of authentication.
But passwords must be encrypted before being transmitted
from the client to the back-end authentication server,
via the network. There are protocols like Kerberos and
SSL that handle the encryption of passwords and other
The trend here is a shift towards
multiple forms of authentication. With two-factor authentication
users identify themselves using two unique factorssomething
they know and something they have. Users are given a
hardware token such as a smart card or USB token that
contains a unique code. So after keying in the user
ID and password, the software will prompt them to insert
their unique tokens in the card reader or slot. There
are software tokens too.
Public Key Infrastructure is an online environment that
assures privacy and integrity for data in transit. It
establishes trustworthy identities, communications and
transactions. This is done through the use of Encryption
Each user or application has
a unique pair of related encryption keys (or codes).
One key is kept private and only the owner knows it;
the other key is 'public' and is available to others.
Public keys are kept on public servers or users may
distribute their public keys to others.
Here's how private and public
keys are used. A person wishing to transmit a confidential
document electronically will use the recipient's public
key to encrypt the electronic document. Thus the document
is coded and is unreadable to anyone except the intended
recipient. But the recipient has to use his private
key to decode/decrypt the document and render it to
its original form.
So public and private keys are paired, and are unique
to each user. These keys are issued by Certifying Authorities
(CAs), who verify the identity of the user. In India,
there are four CAs so far: SafeScrypt, IDRBT, TCS and
PKI can be used for e-mail
and also for digitally signing electronic documents
using Digital Signatures.
Intrusion Detection System
Intrusion Detection is the process of monitoring computers
or networks for unauthorized entry points, suspicious
activity, or unauthorized file modification. IDS can
also be used to monitor network traffic, thereby detecting
any unusual increase in traffic or unusual network requests.
Intrusion Detection System
(IDS) is becoming an important part of network security.
These systems complement firewalls and are used to detect
attempted network attacks (such as a Denial of Service
attack), and misuse of network resources. IDS can alert
the administrator about such intrusions and it also
has mechanisms/processes for reacting to such intrusions
and protecting the targeted system.
IDS tools thus form an integral
part of a thorough and complete security system. However,
IDS by itself cannot guarantee complete security. IDS
can greatly enhance security when backed by a security
policy and when used in conjunction with vulnerability
assessments, data encryption, user authentication, access
control and firewalls.
There are two types of IDS:
host-based and network-based. Each has its own method
of monitoring and securing data, and each has its pros
and cons. Briefly, a host-based IDS examines data held
on individual computers that serve as hosts; a network-based
IDS examines data exchanged between computers, i.e.
data in transit.
Virtual Private Network
A VPN is a secure and private channel that uses a public
network (usually the Internet) to connect remote sites
or users together. A VPN uses "virtual" connections
routed through the Internet from the company's private
network to the remote site or employee.
Before the advent of VPNs,
an organization interconnected its offices using WAN
interconnects like leased lines and VSAT.
But these are expensive to operate/maintain.
The cost also increases with the distance between remote
sites. So connecting remote locations via a public network
like the Internet is economical and cost beneficial.
Since data transmitted through
the Internet is routed through several servers, it is
accessable to others. A VPN can secure data in transit
and preserve its integrity. This is done through a concept
called 'VPN tunneling.' The VPN employs various methods
to create a secure channel through the Internet. Data
passing through this channel/tunnel is not visible/accessible
to unauthorized users on the Internet.
The various methods used to
secure the VPN tunnel are firewalls, encryption, protocols
like IPSec, and AAA servers (authentication, authorization
and accounting). These have been explained elsewhere
in this article.
Managed Security Services
Threats to enterprise networks have increased today.
Viruses and worms spread between networks in a few hours
giving network administrators in organizations very
little time to set up defenses. Network operating systems
and applications aren't perfect; hackers soon exploit
weaknesses or loopholes in software to gain entry into
corporate systems. Patches and fixes aren't available
fast enough. Even if they are, many forget to update
their softwareremember the Slammer worm incident?
That's why you need Managed Security Services (MSS).
With MSS you outsource the
task of maintaining your security software and systemsso
that it is always up-to-date and ready to counter the
next threat. MSS relieves you from the task of strengthening
your network defensesso that you can concentrate
on your core business processes.
For example, an anti-virus
software vendor can regularly 'push' the latest virus
definitions and software updates to your server via
the Web. In another case, a service provider can monitor
your network for intrusions on a 24x7 basis from his
network operations center. He can also provide 'managed'
VPN and Firewall services. These are two examples of
Security Management System
This provides a single point of control and gives a
holistic view of all the security solutions and systems
deployed on the enterprise network. With a Security
Management System (SMS) one can gauge the level of infrastructure
security and proactively take decisions to secure vulnerable
systems, or to spruce up security on more critical systems.
Through the SMS one can take stock of the situation
and take corrective action during an incident.
Some security systems are closely related in their functions.
To improve the efficiencies of such interdependent systems,
vendors provide tighter integration and combine different
products into one large solution.
Here is an example of how integration
can make security systems more efficient. The client
firewall automatically instructs the anti-virus scanning
and intrusion detection engines to scan all outgoing
files. If a threat is detected, the anti-virus and/or
intrusion detection engine instructs the firewall to
increase security measures and block the file. The client
firewall alerts administrators to potential threats
through a common console, and contains the threat within
the client, thereby preventing the spread of infection
to the entire network.
Firewall/VPN products are quite
common now, and are an example of product integration.
Policy compliance management
Having a documented and comprehensive security policy
is a major step towards securing IT infrastructure.
But effectiveness of security policy depends on how
well it has been implemented and practiced within the
organization. Policy compliance management (PCM) solutions
give administrators the ability to manage policies and
deploy security systems. PCM solutions have a number
of functions: keeping security software up to date;
cleaning and removing viruses and worms to prevent an
outbreak; performing assessments to check with compliance
with standards such as ISO 17799, HIPAA and GLBA, etc.
This primarily concerns the Physical Security of IT
infrastructure. Traditional access control systems include
electronic locks, bar code readers, swipe card/smart
card systems, and RFID for doors to server and storage
rooms, and other sensitive areas within the organization.
But access control has now
been extended to include security of computing resources
like servers, notebook computers, PCs and storage systems.
This is done using Biometrics interfaces that are built-in
or directly attached to these resources.
Biometrics is the science of
building a security system that requires human input
for authentication/ identification. Biometrics security
solutions capture some physical characteristic, unique
to each individual. There are five basic methods of
human identificationa fingerprint, voiceprint,
retina/iris scan, hand geometry, and facial recognition.
Using either one or a combination of these, one can
restrict access to rooms, to data, or to equipment (computers,
This is actually a set of procedures to determine vulnerabilities
in an organization's IT infrastructure. So it is also
called Vulnerability Scanning/Testing.
Security consultants and specialists
use various tools to scan your information systems and
look for vulnerabilities: open ports, holes in security
software, backdoors set by Trojans, etc. This process
is akin to what a hacker might do, so some call this
Risk Assessment is highly procedural
and involves a number of steps. It involves checking
all controls (procedural controls, administrative controls,
technical controls etc). The second step is to move
into attack mode and check if every control, procedure
or product is configured or implemented properly. And
the third step is to do the audit.
Risk assessment is based on
auditing standards like BS7799, ISO 17799 and COBiT.
Brian Pereira can be reached at