Security is getting decentralised
Jayshree Ullal, Senior Vice-president, Data Centre,
Switching and Security Technology Group, Cisco, talks to Anil Patrick R
about the threat scenario in a world where mobile devices are increasingly connecting
to the corporate network.
As mobile devices proliferate and connect to enterprise
networks in greater numbers, what are the changes that are needed in an organisation's
security policy to tackle vulnerabilities that arise as a consequence of this?
Every mobile device such as a laptop or PDA that is added to the network carries
a potential threat because it can be exposed to a worm or virus at any time
and can easily propagate that worm throughout an organisation. In recent years,
infections such as MyDoom, Blaster, Sasser, SQL Slammer and SoBig have disrupted
corporate applications, Web sites, banks, and airlines, and have revealed how
vulnerable organisations are to attack. These attacks pose a greater threat
as they are increasing in severity, speed and number, leaving organisations
in need of greater security resources.
To counter this, a company's security policy needs to address network security
that protects it from threats such as access breaches, Day Zero worm attacks
and viruses, and internal threats, and adopt a system-level approach to network
security. It should also deploy an automated system to react to and isolate
threats so they can halt them before they spread too far.
Critical information is lost every day across the world
due to mobile devices being lost or stolen. What measures can an organisation
take on the technology front to ensure that even if a device is lost, the information
on it does not reach unauthorised hands?
Organisations should consider employing and integrating multiple
layers of security practices throughout their enterprise. In terms of lost or
stolen mobile devices, an effective counter would be to ensure that password
protection is enforced across all levels before a user gains access to sensitive
data. At Cisco, a remote user on a laptop would have to first provide a password
to access the VPN client to allow encrypted authentication into internal network,
then provide passwords for all Web sites or documents deemed sensitive enough
to warrant password protection. Further, our IT insists that users create and
maintain difficult passwords consisting of diverse and case-sensitive alphanumeric
Virtualisation is the buzz-word in servers and storage.
Is this also true of networking?
One can look at two stages of security services being virtualised into networks: vertically
Vertical integration is where single-purpose appliances are bundled into a set
of security functions within one appliance. Firewalls are offered on special
purpose hardware as are IDS/IPS, VPN, NBAD (network-based anomaly detection)
and other security products. The vertical movement towards enterprise threat
defence is increasingly integrating firewalls, IDS/IPS systems, VPNs (both IPSec
and SSL), etc into one appliance. This integration allows for greater software
collaboration between security elements, lowers cost of acquisition, and streamlines
operations with fewer security management interfaces to master. For example,
alarms stemming from the IDS function inspecting VPN flows could cause the firewall
software to take action and change its rules to block this VPN flow.
The second stage of virtualisation is a horizontal threat defence, where a network
becomes more responsive to a broad set of possible attacks and threats by security
functions working together as a networked system. In this model the network
has the power to shut down or compartmentalise segments, VLANs, end-points,
ports, flows, etc. In short, it is adaptive and powerful in its ability to automate
the mitigation of attacks in near real-time. The important ingredient in horizontal
threat defence is a shift from relying on signature-based defence towards behavioural-based
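The two mechanisms described in this answer, an IDS alarm that makes the firewall change its rules to block a flow, and a network that detects worm-like behaviour without a signature and compartmentalises the offending end-point, can be sketched as one small detection-and-mitigation loop. The following is an added example written for this page; it is not code from the interview or from Cisco. The flow records, the fan-out threshold, the 60-second window and the action strings are all constructed for illustration and follow no vendor's syntax:

```python
"""Behaviour-based worm detection over flow records with automated mitigation.

Added example, not from the original interview or from any Cisco product. It
models the "horizontal threat defence" loop: rather than matching a payload
signature, it flags any source that reaches an unusual number of distinct
destinations on a single port inside a short window (the fan-out pattern worms
such as Blaster showed on TCP/135), then emits a firewall block for that flow
and a quarantine action for the end-point. All data below is constructed.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: int      # seconds since the start of the capture (constructed)
    src: str
    dst: str
    dport: int
    proto: str


# Constructed sample flows: 10.0.1.20 is a normal user talking to two servers;
# 10.0.1.7 is a VPN laptop sweeping TCP/135 across forty hosts in 10.0.2.0/24.
SAMPLE_FLOWS = [
    Flow(0, "10.0.1.20", "10.0.5.10", 443, "tcp"),
    Flow(1, "10.0.1.20", "10.0.5.11", 80, "tcp"),
    Flow(2, "10.0.1.20", "10.0.5.10", 443, "tcp"),
] + [Flow(3 + i, "10.0.1.7", f"10.0.2.{i}", 135, "tcp") for i in range(1, 41)]


def detect_fanout(flows, window=60, threshold=20):
    """Return {src: (dport, peak_distinct_dsts)} for sources whose distinct
    destination count on one port reaches `threshold` within any `window`
    seconds. No signature is consulted: any port, any payload qualifies."""
    by_key = defaultdict(list)
    for f in flows:
        by_key[(f.src, f.dport)].append(f)

    alerts = {}
    for (src, dport), fs in by_key.items():
        fs.sort(key=lambda f: f.ts)
        counts = defaultdict(int)   # distinct dst -> occurrences inside window
        left = 0
        peak = 0
        for right, f in enumerate(fs):
            counts[f.dst] += 1
            # slide the left edge forward until the window is `window` seconds wide
            while fs[right].ts - fs[left].ts >= window:
                old = fs[left].dst
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
                left += 1
            peak = max(peak, len(counts))
        if peak >= threshold and (src not in alerts or peak > alerts[src][1]):
            alerts[src] = (dport, peak)   # keep the worst offending port per host
    return alerts


def mitigation_actions(alerts, proto="tcp"):
    """Turn alerts into the two actions the text describes: a firewall rule that
    drops the offending flow and a quarantine of the end-point's port/VLAN.
    The strings are a constructed format, not a real device's configuration."""
    actions = []
    for src, (dport, n) in sorted(alerts.items()):
        actions.append(f"firewall: deny {proto} from {src} to any port {dport}  # {n} distinct dsts")
        actions.append(f"switch: quarantine-vlan host {src}")
    return actions


if __name__ == "__main__":
    for line in mitigation_actions(detect_fanout(SAMPLE_FLOWS)):
        print(line)
```

Run stand-alone, the script prints a deny rule for 10.0.1.7 on port 135 and a quarantine action, and nothing for 10.0.1.20. The threshold and window are the tuning knobs a practitioner would set from baseline traffic; too low a threshold turns a legitimate backup server or vulnerability scanner into a false positive, which is why the interview pairs automated mitigation with compartmentalisation rather than outright shutdown.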
The connection between a mobile device and an enterprise
network is encrypted and secure. What happens if the device in question is already
infected with trojans (which anti-virus software may not detect)? Doesn't
this open up the network to intruders?
While anti-virus and personal firewall software is effective against threats
with recognisable signatures, it is often not enough. An intelligent
and secure network can look for behaviour patterns common in viruses, and proactively
detect and stop new viruses as well as manual attacks.
Is limiting data access levels to mobile devices a practical solution?
No, limiting data access levels to mobile devices is not a practical solution.
One could eliminate the same by using a blend of network security measures which
identify threats, collaborate with different elements of the network, and help
in mitigating the same.
Can you tell us about the latest threats that mobile devices
connected to a network can bring in?
Mobile devices introduce various forms of worms and viruses, and malicious code
with them. These flash outbreaks are an increasing security problem
for organisations, and can cost companies more than lost sales and employee
productivity. Some worms and viruses can open back doors to personal
computers to enable theft of information, or they can use infected computers
as zombies to propagate more viruses, spam or other attacks. Many
worms currently in circulation are designed to generate distributed denial of
service attacks on unsuspecting organisations. As network connectivity becomes
more pervasive and bandwidth increases, the spread of worms and viruses can
happen at a faster pace, further compounding the problem. For example, the Blaster/Lovsan
worm infected more than 1.4 million hosts worldwide, with 138,000 infected within
four hours of its release.
On the connectivity front, many mobile users connect over
VPN (for example, SSL-VPN) to the enterprise network, which may be on another
type of VPN (say MPLS). This creates a mess of technologies and (possibly) security
vulnerabilities as well. Are there any upcoming developments which will make
it possible for the enterprise to be on a single VPN network?
As you would expect, networks today are more extensive in reach, both from a
geographical perspective and end-user community perspective. And you have described
what we believe: that the division between private and public networks has
blurred. However, I don't think that enterprises will move to a single
VPN network since that implies a more centralised model. Rather, security is
becoming more decentralised through an integrated security model in which multiple
security services are provided in a router, switch, firewall or wireless access
point distributed throughout the managed network. Going forward, these devices
will have the required intelligence to deliver the appropriate security services
for the network.