Issue of April 2003
Cover Story: Enterprise Security
Setting up defenses

There's an arsenal of tools, systems, services and processes to protect enterprise networks and their data. Are you using the right ones to secure your IT infrastructure? by Brian Pereira

Like Virginia Slims cigarettes, enterprise security has come a long way. Yesterday, security products consisted mainly of firewalls and anti-virus software. Today, enterprise security is a lot more complex and includes a wide range of security tools and mechanisms.

There are two trends that are taking place in the area of security products: product integration and embedded security.

"Technology (like encryption) has reached a maturity level. Security products are more effective when integrated. It is the mixing of the products that offers tighter security," says Capt. Raghu Raman, Practice Head, SSG, Mahindra Consulting.

In recent times we've seen integrated solutions like Firewall/VPN appear. Anti-virus software, firewall applications, and privacy tools have also been integrated in security software suites.

Security is now built into or embedded in IT products like networking equipment, operating systems, applications and even notebook computers.

Not surprisingly, the major networking equipment vendors are also the leading security solutions providers.

Here's an introduction to current enterprise security systems and solutions.

Identity Management
As the number of users and applications on enterprise networks increases, it becomes increasingly difficult to manage identities. Users both within and outside the organization need to have selective access to servers and applications. This can potentially diminish network/data security as sensitive information is exposed. It also raises a couple of challenges: Does a user really need to have a separate identity (login ID and password) for each server/application? How are you going to ensure that users change their respective passwords every month or so? And how are you going to protect identities and mitigate identity theft? That's where Identity Management (IM) comes in.

IM is the creation, management and use of online or digital identities. It involves managing the full life cycle of a digital identity—from creation and maintenance to termination, as well as enforcing policies that concern access to electronic resources.

IM is related to Directory Services, since machines and applications also have identities. A directory service is a database of all network resources and users on the network. Each user or resource has a unique identity.

Authentication System
While there are various authentication systems, user ID and password is the simplest form of authentication. But passwords must be encrypted before being transmitted over the network from the client to the back-end authentication server. There are protocols like Kerberos and SSL that handle the encryption of passwords and other sensitive information.

The trend here is a shift towards multiple forms of authentication. With two-factor authentication users identify themselves using two unique factors—something they know and something they have. Users are given a hardware token such as a smart card or USB token that contains a unique code. So after keying in the user ID and password, the software will prompt them to insert their unique tokens in the card reader or slot. There are software tokens too.

PKI
Public Key Infrastructure is an online environment that assures privacy and integrity for data in transit. It establishes trustworthy identities, communications and transactions. This is done through the use of Encryption Keys.

Each user or application has a unique pair of related encryption keys (or codes). One key is kept private and only the owner knows it; the other key is 'public' and is available to others. Public keys are kept on public servers or users may distribute their public keys to others.

Here's how private and public keys are used. A person wishing to transmit a confidential document electronically uses the recipient's public key to encrypt it. The document is thus encoded and unreadable to anyone except the intended recipient, who must use his private key to decrypt the document and restore it to its original form.

So public and private keys are paired, and are unique to each user. These keys are issued by Certifying Authorities (CAs), who verify the identity of the user. In India, there are four CAs so far: SafeScrypt, IDRBT, TCS and NIC.

PKI can be used for e-mail and also for digitally signing electronic documents using Digital Signatures.
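As an added worked example (not code from the article or from any vendor it mentions), the exchange just described, in Go using only the standard library: each party holds an RSA key pair, the sender encrypts with the recipient's public key and signs with its own private key, and the recipient decrypts with its private key and verifies with the sender's public key. The party names, the sample document and the use of RSA-OAEP and RSA-PSS are assumptions made for the demonstration; issuance of certificates by a CA is not modelled.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// User models one party in the PKI the article describes: a key pair whose
// private half stays with the owner and whose public half is handed out.
type User struct {
	private *rsa.PrivateKey
	Public  *rsa.PublicKey
}

// NewUser generates a fresh 2048-bit RSA key pair.
func NewUser() (*User, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	return &User{private: key, Public: &key.PublicKey}, nil
}

// EncryptFor seals a short message with the recipient's public key (RSA-OAEP,
// SHA-256) so that only the matching private key can open it.
func EncryptFor(recipientPub *rsa.PublicKey, message []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, message, nil)
}

// Decrypt opens a message that was sealed with this user's public key.
func (u *User) Decrypt(ciphertext []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, u.private, ciphertext, nil)
}

// Sign produces a digital signature over the SHA-256 digest of a document
// with the signer's private key (RSA-PSS).
func (u *User) Sign(document []byte) ([]byte, error) {
	digest := sha256.Sum256(document)
	return rsa.SignPSS(rand.Reader, u.private, crypto.SHA256, digest[:], nil)
}

// Verify checks a signature with the signer's public key; it fails if either
// the document or the signature was altered after signing.
func Verify(signerPub *rsa.PublicKey, document, signature []byte) bool {
	digest := sha256.Sum256(document)
	return rsa.VerifyPSS(signerPub, crypto.SHA256, digest[:], signature, nil) == nil
}

// Outcome summarises one run of the scenario.
type Outcome struct {
	DecryptedMatches bool // recipient recovered the original document
	SignatureValid   bool // recipient verified the sender's signature
	TamperRejected   bool // a modified copy fails verification
	WrongKeyFails    bool // an outsider cannot decrypt with their own key
}

// RoundTrip walks the article's scenario: the sender encrypts for the
// recipient and signs, the recipient decrypts and verifies, and an outsider
// (a third key pair) tries and fails to read the document.
func RoundTrip() (Outcome, error) {
	var out Outcome
	sender, err := NewUser()
	if err != nil {
		return out, err
	}
	recipient, err := NewUser()
	if err != nil {
		return out, err
	}
	outsider, err := NewUser()
	if err != nil {
		return out, err
	}
	// Constructed sample document for the demonstration.
	doc := []byte("Constructed sample: quarterly figures, confidential")

	ciphertext, err := EncryptFor(recipient.Public, doc)
	if err != nil {
		return out, err
	}
	signature, err := sender.Sign(doc)
	if err != nil {
		return out, err
	}
	plaintext, err := recipient.Decrypt(ciphertext)
	if err != nil {
		return out, err
	}
	out.DecryptedMatches = string(plaintext) == string(doc)
	out.SignatureValid = Verify(sender.Public, plaintext, signature)

	tampered := append([]byte{}, doc...)
	tampered[0] ^= 0x01 // flip one bit of the document
	out.TamperRejected = !Verify(sender.Public, tampered, signature)

	_, err = outsider.Decrypt(ciphertext) // OAEP padding check fails
	out.WrongKeyFails = err != nil
	return out, nil
}

func main() {
	out, err := RoundTrip()
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Printf("%+v\n", out)
}
```

The two halves of the example correspond to the two uses the article names: OAEP encryption gives confidentiality (only the recipient's private key opens the document), and the PSS signature gives the integrity and origin check of a digital signature (one flipped bit makes verification fail). Real deployments wrap a per-document symmetric key with RSA rather than the document itself, since RSA can only encrypt a few hundred bytes directly.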

Intrusion Detection System
Intrusion Detection is the process of monitoring computers or networks for unauthorized entry points, suspicious activity, or unauthorized file modification. IDS can also be used to monitor network traffic, thereby detecting any unusual increase in traffic or unusual network requests.

The Intrusion Detection System (IDS) is becoming an important part of network security. These systems complement firewalls and are used to detect attempted network attacks (such as a Denial of Service attack) and misuse of network resources. An IDS can alert the administrator about such intrusions, and it also has mechanisms/processes for reacting to them and protecting the targeted system.

IDS tools thus form an integral part of a thorough and complete security system. However, IDS by itself cannot guarantee complete security. IDS can greatly enhance security when backed by a security policy and when used in conjunction with vulnerability assessments, data encryption, user authentication, access control and firewalls.

There are two types of IDS: host-based and network-based. Each has its own method of monitoring and securing data, and each has its pros and cons. Briefly, a host-based IDS examines data held on individual computers that serve as hosts; a network-based IDS examines data exchanged between computers, i.e. data in transit.
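The two IDS types just described, as an added example in Go that is not part of the article: the host-based half keeps a SHA-256 baseline of monitored files and reports any that were modified, added or removed (the "unauthorized file modification" case), and the network-based half counts connection attempts per source in a log and flags sources that exceed a threshold (the "unusual increase in traffic" case). The file contents, the connection-log format and lines, and the threshold of 3 are all constructed for the demonstration; a production sensor would read files from disk and connections from a capture or flow feed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// ---------- Host-based: unauthorized file modification ----------

// Constructed sample file contents (path -> content) standing in for the
// files a host-based IDS would read from disk when the baseline was taken.
var baselineFiles = map[string]string{
	"/etc/passwd": "root:x:0:0:root:/root:/bin/sh\n",
	"/bin/ls":     "ls-binary-v1",
}

// Constructed state of the same host at check time: one file changed,
// one unchanged, one new file that was never in the baseline.
var currentFiles = map[string]string{
	"/etc/passwd":  "root:x:0:0:root:/root:/bin/sh\nguest:x:1001:1001::/home/guest:/bin/sh\n",
	"/bin/ls":      "ls-binary-v1",
	"/tmp/.hidden": "dropped-file",
}

func hashContent(content string) string {
	sum := sha256.Sum256([]byte(content))
	return hex.EncodeToString(sum[:])
}

// Baseline records the known-good hash of every monitored file.
func Baseline(files map[string]string) map[string]string {
	b := make(map[string]string, len(files))
	for path, content := range files {
		b[path] = hashContent(content)
	}
	return b
}

// CheckIntegrity compares the current files with the baseline and returns a
// sorted list of modified, removed and added paths.
func CheckIntegrity(baseline, current map[string]string) []string {
	var findings []string
	for path, want := range baseline {
		content, ok := current[path]
		switch {
		case !ok:
			findings = append(findings, "removed: "+path)
		case hashContent(content) != want:
			findings = append(findings, "modified: "+path)
		}
	}
	for path := range current {
		if _, ok := baseline[path]; !ok {
			findings = append(findings, "added: "+path)
		}
	}
	sort.Strings(findings)
	return findings
}

// ---------- Network-based: unusual increase in traffic ----------

// Constructed connection log, one line per attempt:
// "<time> <source-ip> -> <destination-ip>:<port>"
const sampleConnLog = `2003-04-01T09:00:01 10.0.0.5 -> 10.0.0.20:80
2003-04-01T09:00:02 10.0.0.9 -> 10.0.0.20:443
2003-04-01T09:00:03 10.0.0.5 -> 10.0.0.21:25
2003-04-01T09:00:04 198.51.100.7 -> 10.0.0.20:21
2003-04-01T09:00:04 198.51.100.7 -> 10.0.0.20:22
2003-04-01T09:00:04 198.51.100.7 -> 10.0.0.20:23
2003-04-01T09:00:05 198.51.100.7 -> 10.0.0.20:80
2003-04-01T09:00:05 198.51.100.7 -> 10.0.0.20:443`

// CountBySource tallies connection attempts per source address.
func CountBySource(connLog string) map[string]int {
	counts := make(map[string]int)
	for _, line := range strings.Split(connLog, "\n") {
		fields := strings.Fields(line)
		if len(fields) < 4 {
			continue // skip blank or malformed lines
		}
		counts[fields[1]]++
	}
	return counts
}

// FloodSources returns, sorted, the sources whose attempt count exceeds the
// threshold an administrator has set for normal activity.
func FloodSources(counts map[string]int, threshold int) []string {
	var sources []string
	for src, n := range counts {
		if n > threshold {
			sources = append(sources, src)
		}
	}
	sort.Strings(sources)
	return sources
}

func main() {
	fmt.Println("host-based findings:", CheckIntegrity(Baseline(baselineFiles), currentFiles))
	fmt.Println("network-based alerts:", FloodSources(CountBySource(sampleConnLog), 3))
}
```

The host-based check illustrates the pro and con the article alludes to: it sees exactly what changed on the machine, but only for files it has a baseline for, and the baseline itself must be stored where an intruder on that host cannot rewrite it. The network-based check sees every host on the segment at once, but knows nothing about what the traffic did once it arrived.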

Virtual Private Network
A VPN is a secure and private channel that uses a public network (usually the Internet) to connect remote sites or users together. A VPN uses "virtual" connections routed through the Internet from the company's private network to the remote site or employee.

Before the advent of VPNs, an organization interconnected its offices using WAN interconnects like leased lines and VSAT.

But these are expensive to operate and maintain, and the cost increases with the distance between remote sites. Connecting remote locations via a public network like the Internet is therefore far more economical.

Since data transmitted through the Internet is routed through several servers, it is accessible to others. A VPN can secure data in transit and preserve its integrity. This is done through a concept called 'VPN tunneling.' The VPN employs various methods to create a secure channel through the Internet. Data passing through this channel/tunnel is not visible/accessible to unauthorized users on the Internet.

The various methods used to secure the VPN tunnel are firewalls, encryption, protocols like IPSec, and AAA servers (authentication, authorization and accounting). These have been explained elsewhere in this article.

Managed Security Services
Threats to enterprise networks have increased today. Viruses and worms spread between networks in a few hours giving network administrators in organizations very little time to set up defenses. Network operating systems and applications aren't perfect; hackers soon exploit weaknesses or loopholes in software to gain entry into corporate systems. Patches and fixes aren't available fast enough. Even if they are, many forget to update their software—remember the Slammer worm incident? That's why you need Managed Security Services (MSS).

With MSS you outsource the task of maintaining your security software and systems—so that it is always up-to-date and ready to counter the next threat. MSS relieves you from the task of strengthening your network defenses—so that you can concentrate on your core business processes.

For example, an anti-virus software vendor can regularly 'push' the latest virus definitions and software updates to your server via the Web. In another case, a service provider can monitor your network for intrusions on a 24x7 basis from its network operations center, and can also provide 'managed' VPN and firewall services. These are two examples of managed services.

Security Management System
This provides a single point of control and gives a holistic view of all the security solutions and systems deployed on the enterprise network. With a Security Management System (SMS) one can gauge the level of infrastructure security and proactively take decisions to secure vulnerable systems, or to spruce up security on more critical systems. Through the SMS one can take stock of the situation and take corrective action during an incident.

Integrated Security
Some security systems are closely related in their functions. To improve the efficiencies of such interdependent systems, vendors provide tighter integration and combine different products into one large solution.

Here is an example of how integration can make security systems more efficient. The client firewall automatically instructs the anti-virus scanning and intrusion detection engines to scan all outgoing files. If a threat is detected, the anti-virus and/or intrusion detection engine instructs the firewall to increase security measures and block the file. The client firewall alerts administrators to potential threats through a common console, and contains the threat within the client, thereby preventing the spread of infection to the entire network.

Firewall/VPN products are quite common now, and are an example of product integration.

Policy compliance management
Having a documented and comprehensive security policy is a major step towards securing IT infrastructure. But the effectiveness of a security policy depends on how well it has been implemented and practiced within the organization. Policy compliance management (PCM) solutions give administrators the ability to manage policies and deploy security systems. PCM solutions have a number of functions: keeping security software up to date; cleaning and removing viruses and worms to prevent an outbreak; and performing assessments to check compliance with standards such as ISO 17799, HIPAA and GLBA.

Access Control
This primarily concerns the Physical Security of IT infrastructure. Traditional access control systems include electronic locks, bar code readers, swipe card/smart card systems, and RFID for doors to server and storage rooms, and other sensitive areas within the organization.

But access control has now been extended to include security of computing resources like servers, notebook computers, PCs and storage systems. This is done using Biometrics interfaces that are built-in or directly attached to these resources.

Biometrics is the science of building a security system that requires human input for authentication/ identification. Biometrics security solutions capture some physical characteristic, unique to each individual. There are five basic methods of human identification—a fingerprint, voiceprint, retina/iris scan, hand geometry, and facial recognition. Using either one or a combination of these, one can restrict access to rooms, to data, or to equipment (computers, etc).

Risk Assessment/Audit
This is actually a set of procedures to determine vulnerabilities in an organization's IT infrastructure. So it is also called Vulnerability Scanning/Testing.

Security consultants and specialists use various tools to scan your information systems and look for vulnerabilities: open ports, holes in security software, backdoors set by Trojans, etc. This process is akin to what a hacker might do, so some call this 'Ethical Hacking.'

Risk Assessment is highly procedural and involves a number of steps. The first step is to check all controls (procedural controls, administrative controls, technical controls, etc.). The second step is to move into attack mode and check whether every control, procedure or product is configured or implemented properly. And the third step is to do the audit.

Risk assessment is based on auditing standards like BS7799, ISO 17799 and COBiT.

Brian Pereira can be reached at brianp@networkmagazineindia.com


Copyright 2001: Indian Express Newspapers (Bombay) Limited (Mumbai, India). All rights reserved throughout the world.