Issue of November 2006 

“Security is getting decentralised”

Jayshree Ullal, Senior Vice-president, Data Centre, Switching and Security Technology Group, Cisco, talks to Anil Patrick R about the threat scenario in a world where mobile devices are increasingly connecting to the corporate network.



As mobile devices proliferate and connect to enterprise networks in greater numbers, what are the changes that are needed in an organisation’s security policy to tackle vulnerabilities that arise as a consequence of this trend?

Every mobile device such as a laptop or PDA that is added to the network carries a potential threat because it can be exposed to a worm or virus at any time and can easily propagate that worm throughout an organisation. In recent years, infections such as MyDoom, Blaster, Sasser, SQL Slammer and SoBig have disrupted corporate applications, Web sites, banks, and airlines, and have revealed how vulnerable organisations are to attack. These attacks pose a greater threat as they are increasing in severity, speed and number, leaving organisations in need of greater security resources.

To counter this, a company’s security policy needs to address network security that protects it from threats such as access breaches, Day Zero worm attacks and viruses, and internal threats, and adopt a system-level approach to network security. It should also deploy an automated system to react to and isolate threats so they can halt them before they spread too far.

Critical information is lost every day across the world due to mobile devices being lost or stolen. What measures can an organisation take on the technology front to ensure that even if a device is lost, the information on it does not reach unauthorised hands?

Organisations should consider employing and integrating multiple layers of security practices throughout their enterprise. In terms of lost or stolen mobile devices, an effective counter would be to ensure that password protection is enforced across all levels before a user gains access to sensitive data. At Cisco, a remote user on a laptop would have to first provide a password to access the VPN client to allow encrypted authentication into the internal network, then provide passwords for all Web sites or documents deemed sensitive enough to warrant password protection. Further, our IT insists that users create and maintain difficult passwords consisting of diverse and case-sensitive alphanumeric characters.

Virtualisation is the buzz-word in servers and storage. Is this also true of networking?

One can look at two stages of security services being virtualised into networks—vertically and horizontally.

Vertical integration is where single-purpose appliances are bundled into a set of security functions within one appliance. Firewalls are offered on special purpose hardware as are IDS/IPS, VPN, NBAD (network-based anomaly detection) and other security products. The vertical movement towards enterprise threat defence is increasingly integrating firewalls, IDS/IPS systems, VPNs (both IPSec and SSL), etc into one appliance. This integration allows for greater software collaboration between security elements, lowers cost of acquisition, and streamlines operations with fewer security management interfaces to master. For example, alarms stemming from the IDS function inspecting VPN flows could cause the firewall software to take action and change its rules to block this VPN flow.

The second stage of virtualisation is a horizontal threat defence, where a network becomes more responsive to a broad set of possible attacks and threats by security functions working together as a networked system. In this model the network has the power to shut down or compartmentalise segments, VLANs, end-points, ports, flows, etc. In short, it is adaptive and powerful in its ability to automate the mitigation of attacks in near real-time. The important ingredient in horizontal threat defence is a shift from relying on signature-based defence towards ‘behavioural’-based defence.

The connection between a mobile device and an enterprise network is encrypted and secure. What happens if the device in question is already infected with trojans (which anti-virus software may not detect)? Doesn’t this open up the network to intruders?

While anti-virus and personal firewall software is effective against threats with recognisable ‘signatures,’ it is often not enough. An intelligent and secure network can look for behaviour patterns common in viruses, and proactively detect and stop new viruses as well as manual attacks.

Is limiting data access levels to mobile devices a practical solution?

No, limiting data access levels to mobile devices is not a practical solution. One could eliminate the same by using a blend of network security measures which identify threats, collaborate with different elements of the network, and help in mitigating the same.

Can you tell us about the latest threats that mobile devices connected to a network can bring in?

Mobile devices introduce various forms of worms and viruses, and malicious code with them. These ‘flash’ outbreaks are an increasing security problem for organisations, and can cost companies more than lost sales and employee productivity. Some worms and viruses can open ‘back doors’ to personal computers to enable theft of information, or they can use infected computers as ‘zombies’ to propagate more viruses, spam or other attacks. Many worms currently in circulation are designed to generate distributed denial of service attacks on unsuspecting organisations. As network connectivity becomes more pervasive and bandwidth increases, the spread of worms and viruses can happen at a faster pace, further compounding the problem. For example, the Blaster/Lovsan worm infected more than 1.4 million hosts worldwide, with 138,000 infected within four hours of its release.

On the connectivity front, many mobile users connect over VPN (for example, SSL-VPN) to the enterprise network, which may be on another type of VPN (say MPLS). This creates a mess of technologies and (possibly) security vulnerabilities as well. Are there any upcoming developments which will make it possible for the enterprise to be on a single VPN network?

As you would expect, networks today are more extensive in reach, both from a geographical perspective and end-user community perspective. And you have described what we believe—that the division between private and public networks has blurred. However, I don’t think that enterprises will move to a single VPN network since that implies a more centralised model. Rather, security is becoming more decentralised through an integrated security model in which multiple security services are provided in a router, switch, firewall or wireless access point distributed throughout the managed network. Going forward, these devices will have the required intelligence to deliver the appropriate security services for the network.

 
     
 
Indian Express - Business Publications Division

Copyright 2001: Indian Express Newspapers (Mumbai) Limited (Mumbai, India). All rights reserved throughout the world. This entire site is compiled in Mumbai by the Business Publications Division (BPD) of the Indian Express Newspapers (Mumbai) Limited. Site managed by BPD.