A series of developments in network security are leading to the emergence of a comprehensive solution that could make the network so resilient that it is impervious to most attacks. Although no product vendor has proposed the specific combination discussed here, all of the pieces are available today and early adopters could assemble them. Note that my predictions are for a combination of technologies that fly in the face of Network Admission Control.
Two major drivers have pushed internal network security to a crisis point. These are:
1. Worms and viruses. MSBlaster was the first worm to be effectively blocked at the firewall yet still infect most networks by coming in through infected laptops connecting to the LAN. As these and future worms add to the background radiation of malicious noise on the Internet, enterprises must mount a continuous defense against mis-configured and infected machines.
2. Malicious insiders. The number of tools and techniques available to the average end user for hacking, scanning, and exploiting network resources has increased dramatically. Over time the number of insider incidents that lead to real losses of either information or business resources will only go up.
Intrusion prevention (IPS) has seen a dramatic uptake because it can counter the spread of worms. Yet a common concern raised by enterprise IT admins over IPS is that it creates a "clean" side and a "dirty" side within the network. In other words, machines on the same LAN segment as an infected machine would be at risk. In order to be completely effective, IPS would have to sit in front of every end point device.
Internal segmentation has always been problematic because the level of policy setting required is too granular. Most organizations cannot determine and enforce a policy that controls which machines get to talk to which resources over which protocols. Behavior-based network modeling built on NetFlow data is a way to create these policies without explicit pre-determination. Knowledge of protocols, and of the way each end point uses them, is gathered from NetFlow data, and models are built of normal network usage over any hour of the day/week/year. ACLs in switches can then be used to enforce "normal" behavior and block abnormal behavior such as a desktop acting as an FTP server or the scanning activity associated with a worm infestation.
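As an added illustration of the NetFlow-based modeling described above (example code written for this page, not from the original post or any vendor named in it): a model of normal per-host, per-hour behavior is learned from constructed baseline flows, and the two abnormal cases the text names, a desktop that starts serving FTP and the fan-out of a worm scan, are detected and mapped to candidate block rules. The hosts, ports and the tuple-based rule format are constructed assumptions.

```python
from collections import defaultdict, namedtuple

# One NetFlow-style record, reduced to the fields the model needs; the hour is
# the time bucket the text proposes (normal usage per hour of the day/week)
Flow = namedtuple("Flow", "hour src dst proto dport")

def build_model(flows):
    """Learn per (host, hour): the (proto, port) services the host was contacted
    on, and how many distinct peers it initiated flows to."""
    served, peers = defaultdict(set), defaultdict(set)
    for f in flows:
        served[(f.dst, f.hour)].add((f.proto, f.dport))
        peers[(f.src, f.hour)].add(f.dst)
    return served, {k: len(v) for k, v in peers.items()}

def detect(model, flows, scan_factor=5):
    """Flag flows outside the learned envelope: a host answering on a service it
    never offered (a desktop acting as an FTP server), or a host contacting far
    more peers than its baseline (the fan-out of a worm scan)."""
    served, fanout = model
    alerts, peers = set(), defaultdict(set)
    for f in flows:
        if (f.proto, f.dport) not in served.get((f.dst, f.hour), ()):
            alerts.add(("unexpected-service", f.dst, f.proto, f.dport, f.hour))
        peers[(f.src, f.hour)].add(f.dst)
    for (src, hour), dsts in peers.items():
        if len(dsts) > max(scan_factor * fanout.get((src, hour), 0), scan_factor):
            alerts.add(("scan", src, len(dsts), hour))
    return alerts

def to_acl(alerts):
    """Candidate block rules as (action, proto, host, port) tuples; a deployment
    would render them in the access switch's own ACL syntax."""
    rules = set()
    for a in alerts:
        if a[0] == "unexpected-service":
            rules.add(("deny-inbound", a[2], a[1], a[3]))   # block the rogue service
        else:
            rules.add(("deny-outbound", "ip", a[1], None))  # quarantine the scanner
    return rules

# Constructed baseline: one desktop uses the file server, another browses two
# intranet web servers, during office hours only
BASELINE = [Flow(h, "10.1.1.20", "10.1.2.5", "tcp", 445) for h in range(8, 18)] + [
    Flow(h, "10.1.1.30", d, "tcp", 80) for h in range(8, 18) for d in ("10.1.2.6", "10.1.2.7")]
# Constructed observation at 10:00: 10.1.1.20 now answers on tcp/21 for a
# neighbour, and 10.1.1.30 sweeps 40 hosts on tcp/445
OBSERVED = [Flow(10, "10.1.1.40", "10.1.1.20", "tcp", 21)] + [
    Flow(10, "10.1.1.30", "10.1.3.%d" % i, "tcp", 445) for i in range(1, 41)]
```

Running `detect(build_model(BASELINE), OBSERVED)` yields the FTP and scan alerts while the baseline traffic itself produces none; the scan threshold is a simple multiple of the learned fan-out and would be tuned per environment.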
There is an opportunity to secure the network fabric by combining the functions of NetFlow based behavior modeling, the switch, IPS and firewalls. One result of the proposed secure fabric is that infected machines would be rendered impotent. In other words, the disciplines of network and host security would be de-coupled. Since this aligns well with the way most enterprises operate it is easy to predict the rapid adoption of this architecture.
The Proposed Solution
This solution relies most heavily on a switched network architecture. These usually involve core switches as well as access switches. VLANs would be used to provide granularity down to the device where needed. The switch enforces policy based on layer 2 and 3 information. It is directed by the NetFlow-based behavior monitoring system. Data streams that are normal and therefore allowed would be filtered by additional IPS functionality. The IPS filtering could be performed by a separate device or, ideally, a processor card supported by the switch. Connections to the Internet and third parties would be made with firewall capabilities provided by additional cards in the switch. The onboard firewall would also provide additional network segmentation, such as for Transaction Zones and departmental barriers.
Vendors that currently provide NetFlow based behavior modeling include:
- Arbor Networks
- Mazu Networks
- Protego
- Q1 Labs
Firewall capabilities could be provided by many of the existing vendors. One in particular, Juniper, is well positioned because after the Netscreen acquisition Juniper has switches, firewalls, and IPS in its product lineup. Look at the recent acquisition of TippingPoint by 3Com for an example of a company that is thinking along these lines.
IPS capabilities exist in several dozen products. McAfee, 3Com, Reflex Security, ISS, and all of the old IDS vendors are examples.
Switch vendors would dearly love to see Cisco’s hold on the network infrastructure shaken. Security is the killer app of networking. Look for more combinations between switch vendors, IPS vendors, and network modelers.
Originally published at www.threatchaos.com