The enterprise is exploding! Bits of it are winding up on mobile phones and tablets and dangling from Internet connections -- used as WAN links -- in the corner Starbucks and on Amtrak's Acela Express trains.
This concept of the extended enterprise -- in which sensitive and valuable data often resides outside the traditional network perimeter -- poses an increasingly vexing problem for IT security organizations. To defend against multi-modal and low-and-slow adaptive persistent threats, IT organizations are deploying a dizzying array of new network security devices: next-generation firewalls; IDS and IPS boxes; security information and event management, or SIEM, systems; and advanced threat-detection systems. Ideally, these systems are managed in concert, in accordance with a central security policy, as part of a pervasive protection strategy.
Common mistakes that organizations make when deploying these devices can severely hinder their ability to offer pervasive protection, however. This tip examines what to watch out for when planning the deployment of new network security devices and how to avoid the problems that can result in failed defense-in-depth.
Unlearn assumptions about security appliances
The single biggest mistake is to assume that security appliances are themselves secure. This seems too obvious for words, but it's critical as a starting point. How secure is that "hardened" OS? How current is it? What about that "ultra-hardened" Web server it runs?
Before you do anything else, create a test plan to validate that your network security devices are actually secure. Start with the basics: Are you delivering timely upgrades, patches and bug fixes to individual devices and to their supporting network, server and storage infrastructure? Check with clearinghouses such as the National Vulnerability Database that maintain current catalogues of known vulnerabilities, and make sure you regularly upgrade and patch your devices.
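The patch-currency check above is easiest to keep honest when it is a script rather than a calendar reminder. The following is an added example, not code from the original article or from Nemertes: it matches an appliance inventory, expressed as CPE 2.3 names, against a vulnerability feed laid out the way NVD's JSON 1.1 data feed is (CVE_Items, configurations, nodes, cpe_match, with versionStart/End bounds). The inventory and the feed excerpt are constructed inline; the vendor and product names, the host names and the CVE IDs are placeholders, not real products or real vulnerabilities. In practice you would load the downloaded feed file in place of the inline JSON.

```python
import json
import re

# Constructed inventory of the appliances you run, as CPE 2.3 names. The vendors,
# products and versions are hypothetical placeholders, not real devices.
INVENTORY = [
    {"host": "fw-edge-01", "cpe": "cpe:2.3:a:examplevendor:ngfw_os:4.2.1:*:*:*:*:*:*:*"},
    {"host": "ids-core-01", "cpe": "cpe:2.3:a:examplevendor:ids_sensor:7.0.3:*:*:*:*:*:*:*"},
    {"host": "siem-01", "cpe": "cpe:2.3:a:othervendor:siem_console:2.9.0:*:*:*:*:*:*:*"},
]

# Constructed feed excerpt in the shape of NVD's JSON 1.1 data feed
# (CVE_Items -> configurations -> nodes -> cpe_match). IDs, scores and ranges
# are placeholders; in practice you load the real feed file from nvd.nist.gov.
FEED = json.loads("""{"CVE_Items": [
 {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0001"}},
  "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 9.8}}},
  "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
    {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:examplevendor:ngfw_os:*:*:*:*:*:*:*:*",
     "versionStartIncluding": "4.0.0", "versionEndExcluding": "4.2.5"}]}]}},
 {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0002"}},
  "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 6.5}}},
  "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
    {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:examplevendor:ids_sensor:7.0.2:*:*:*:*:*:*:*"}]}]}},
 {"cve": {"CVE_data_meta": {"ID": "CVE-0000-0003"}},
  "impact": {"baseMetricV3": {"cvssV3": {"baseScore": 7.5}}},
  "configurations": {"nodes": [{"operator": "OR", "cpe_match": [
    {"vulnerable": true, "cpe23Uri": "cpe:2.3:a:othervendor:siem_console:*:*:*:*:*:*:*:*",
     "versionEndIncluding": "2.9.0"}]}]}}
]}""")


def parse_cpe(cpe):
    """Split a CPE 2.3 formatted string into (vendor, product, version)."""
    fields = cpe.split(":")
    return fields[3], fields[4], fields[5]


def version_key(version):
    """Sort key for dotted versions: numeric parts compare as integers, so 1.10 > 1.9."""
    return tuple((0, int(p)) if p.isdigit() else (1, p) for p in re.split(r"[.\-]", version))


def cpe_match_applies(entry, vendor, product, version):
    """True if the installed version falls inside this cpe_match entry's affected set."""
    if not entry.get("vulnerable", True):
        return False
    e_vendor, e_product, e_version = parse_cpe(entry["cpe23Uri"])
    if (e_vendor, e_product) != (vendor, product):
        return False
    v = version_key(version)
    if e_version not in ("*", "-"):          # exact version pinned in the CPE itself
        return version_key(e_version) == v
    lo_inc, lo_exc = entry.get("versionStartIncluding"), entry.get("versionStartExcluding")
    hi_inc, hi_exc = entry.get("versionEndIncluding"), entry.get("versionEndExcluding")
    if lo_inc and v < version_key(lo_inc):
        return False
    if lo_exc and v <= version_key(lo_exc):
        return False
    if hi_inc and v > version_key(hi_inc):
        return False
    if hi_exc and v >= version_key(hi_exc):
        return False
    return True


def iter_cpe_matches(node):
    """Walk a configuration node tree. AND nodes (product running on a platform) are
    flattened like OR nodes here, which over-reports rather than misses an exposure."""
    yield from node.get("cpe_match", [])
    for child in node.get("children", []):
        yield from iter_cpe_matches(child)


def find_exposures(inventory, feed):
    """Return {host: [(cve_id, cvss_base_score), ...]}, worst score first per host."""
    findings = {}
    for item in inventory:
        vendor, product, version = parse_cpe(item["cpe"])
        hits = []
        for cve in feed["CVE_Items"]:
            cve_id = cve["cve"]["CVE_data_meta"]["ID"]
            score = cve.get("impact", {}).get("baseMetricV3", {}).get("cvssV3", {}).get("baseScore")
            if any(cpe_match_applies(m, vendor, product, version)
                   for node in cve["configurations"]["nodes"]
                   for m in iter_cpe_matches(node)):
                hits.append((cve_id, score))
        if hits:
            findings[item["host"]] = sorted(hits, key=lambda h: -(h[1] or 0))
    return findings


if __name__ == "__main__":
    for host, hits in find_exposures(INVENTORY, FEED).items():
        for cve_id, score in hits:
            print(f"{host}: affected by {cve_id} (CVSS {score}); patch before trusting this device")
```

With the constructed data, fw-edge-01 (4.2.1, inside the 4.0.0 to 4.2.5 range) and siem-01 (2.9.0, at the inclusive upper bound) are reported and ids-core-01 (7.0.3 against a pin on 7.0.2) is not. The one design choice worth noting is that AND-style configuration nodes are treated as OR, so the script errs toward listing a CVE that may need a specific platform combination; that is the right direction for a device you are about to trust with the rest of the network.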
Then move on to the harder stuff: regularly assess multi-device configurations for potential weaknesses. Putting an encryption system and an application delivery optimization (ADO) device in the wrong sequence can leave data exposed even when each device is working perfectly: an ADO device placed where it can see plaintext keeps copies of that data in its cache, so its storage and its own management interface now need the same protection as the data itself, while an ADO device placed on the WAN side of the encryptor sees only ciphertext and can optimize nothing. This assessment should work in concert with regularly scheduled penetration (pen) tests.
Evaluate how you work with network security devices
For any security device, the management/control channel is the greatest vulnerability. So pay attention to how you expect to configure and modify the security device -- and to who is allowed to do the configuration. If you expect to work with a security system via a Web browser, the security appliance is running a Web server and allowing Web traffic. Is that traffic encrypted? Is it on a standard port? Is it on the same port on every device (and, therefore, guessable by an intruder)? Is it accessible via a regular network connection (in-band) or a separate management network connection (out-of-band)? If it is in-band, then any machine that can send traffic across that interface can attack that appliance. If it is on a dedicated management network, you at least only have to worry about the other things on that network. (And if it's configured only via a serial port connection and a KVM solution, so much the better -- though the terminal server or KVM then becomes the management channel and needs the same scrutiny.)
Your optimal scenario: Ensure that all configuration changes require encryption and multifactor authentication, if not direct physical access to the device. And tightly track and control credentials for device administration so that only authorized users can gain admin rights.
Apply standard pen testing tools
If you've taken the first two steps, you're off to a good start -- but you're not home free. Hacks, assaults and threat vectors constantly grow and evolve, and you need to test your systems regularly to ensure they're protected against recognized attacks, not just against known vulnerabilities.
What's the difference between an attack and a vulnerability? An attack is an organized effort to exploit vulnerabilities. System vulnerabilities make an attack possible, but the existence of the attack raises the stakes -- the exploit has moved from the hypothetical to the real.
Pen testing tools and services will tell you if your network security devices are vulnerable to attacks. Open source tools and frameworks -- Network Mapper, or Nmap, Nikto, Open Vulnerability Assessment System (OpenVAS) and Metasploit, for example -- have been around for many years. And, of course, there are multitudes of commercial tools from the likes of McAfee (an appliance to scan your appliance!) and Qualys.
These tools are widely used to map out the ports on which a network device will respond to network traffic and to record its responses to standard test packets; OpenVAS then checks the services it finds against a database of known vulnerabilities, and Metasploit goes a step further and actually attempts the exploits (more kinds with the commercial versions).
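To turn the management-channel questions from the previous section (is it encrypted, is it on a standard port, is it reachable in-band?) and the port mapping these tools do into one repeatable check, here is an added example, not code from the original article or from any of the tools named: a Python script that reads Nmap's XML output (the -oX format) and flags every open administrative service that is either a cleartext protocol or reachable on an in-band interface. The scan output is constructed inline to mimic Nmap's XML layout, and the management subnet 10.99.0.0/24, the addresses and the host names are assumptions for the example.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Assumption for this example: 10.99.0.0/24 is the dedicated out-of-band management
# network. Any other address is an in-band interface that ordinary hosts can reach.
MGMT_NETS = [ipaddress.ip_network("10.99.0.0/24")]

# Administrative channels as Nmap names them. SNMP is listed as cleartext because the
# service name alone cannot tell v1/v2c from v3; treat it as cleartext until proven otherwise.
CLEARTEXT_ADMIN = {"telnet", "ftp", "tftp", "snmp", "rlogin"}
ADMIN_SERVICES = CLEARTEXT_ADMIN | {"ssh", "http", "https"}

# Constructed scan output in the shape Nmap writes with -sV -oX; not a real scan.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sU -sV -oX scan.xml 10.0.1.0/24 10.99.0.0/24">
<host><status state="up"/><address addr="10.0.1.10" addrtype="ipv4"/>
 <hostnames><hostname name="fw-edge-01" type="PTR"/></hostnames><ports>
 <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
 <port protocol="tcp" portid="23"><state state="open"/><service name="telnet"/></port>
 <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
 <port protocol="udp" portid="161"><state state="open"/><service name="snmp"/></port>
 <port protocol="udp" portid="500"><state state="open"/><service name="isakmp"/></port>
</ports></host>
<host><status state="up"/><address addr="10.99.0.21" addrtype="ipv4"/>
 <hostnames><hostname name="ids-core-01" type="PTR"/></hostnames><ports>
 <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
 <port protocol="tcp" portid="8443"><state state="open"/><service name="http" tunnel="ssl"/></port>
</ports></host>
<host><status state="up"/><address addr="10.99.0.30" addrtype="ipv4"/>
 <hostnames><hostname name="siem-01" type="PTR"/></hostnames><ports>
 <port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
 <port protocol="tcp" portid="443"><state state="open"/><service name="http" tunnel="ssl"/></port>
 <port protocol="udp" portid="514"><state state="open"/><service name="syslog"/></port>
</ports></host>
</nmaprun>
"""


def is_management_address(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MGMT_NETS)


def parse_nmap_hosts(xml_text):
    """Yield {'name', 'addr', 'ports': [{'proto', 'port', 'service', 'tls'}]} per live host."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            continue
        name_el = host.find("hostnames/hostname")
        ports = []
        for port in host.iter("port"):
            state = port.find("state")
            if state is None or state.get("state") != "open":
                continue
            svc = port.find("service")
            ports.append({
                "proto": port.get("protocol"),
                "port": int(port.get("portid")),
                "service": svc.get("name") if svc is not None else "unknown",
                # Nmap marks TLS-wrapped services with tunnel="ssl" (shown as ssl/http in text output)
                "tls": svc is not None and svc.get("tunnel") == "ssl",
            })
        yield {"name": name_el.get("name") if name_el is not None else addr_el.get("addr"),
               "addr": addr_el.get("addr"), "ports": ports}


def audit_management_exposure(xml_text):
    """Return one finding per open admin service that is cleartext or reachable in-band."""
    findings = []
    for host in parse_nmap_hosts(xml_text):
        in_band = not is_management_address(host["addr"])
        for p in host["ports"]:
            reasons = []
            if p["service"] in CLEARTEXT_ADMIN or (p["service"] == "http" and not p["tls"]):
                reasons.append("cleartext management protocol")
            if in_band and p["service"] in ADMIN_SERVICES:
                reasons.append("admin service reachable in-band")
            if reasons:
                findings.append({"host": host["name"], "addr": host["addr"],
                                 "port": f"{p['port']}/{p['proto']}",
                                 "service": p["service"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_management_exposure(SAMPLE_NMAP_XML):
        print(f"{f['host']} ({f['addr']}) {f['port']} {f['service']}: {'; '.join(f['reasons'])}")
```

On the constructed scan the firewall on the in-band address 10.0.1.10 is reported four times (SSH and HTTPS are reachable in-band, and Telnet and SNMP are both in-band and cleartext), the IDS on the management network is clean, and the SIEM is reported once for plain HTTP on port 80 even though it sits on the management network. The VPN and syslog ports are deliberately left alone: they are services the appliance exists to provide, not channels for administering it. Run the real thing as nmap -sS -sU -sV -oX scan.xml against your management and production ranges and feed the file to audit_management_exposure.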
Other pen testing tools specifically focus on Web servers and applications, such as OWASP Zed Attack Proxy, or ZAP, and Arachni. By applying standard tools and techniques, and identifying vulnerabilities in security appliances -- SQL injection attacks via a management Web interface, for example -- you can build a clear picture of how the network security devices themselves need to be protected.
Mitigate the risks when deploying network security devices
Nothing is perfect and no system is invulnerable. Failing to take the proper precautions when deploying and configuring new network security devices will introduce more risk into the environment. Take appropriate measures to protect the appliances that will defend the rest of your infrastructure, including commonsense precautions that often get overlooked:
- Change default passwords and account names.
- Disable unneeded services and accounts.
- Make sure underlying OSes and systems software are patched and up to date with manufacturer specs.
- Restrict access to administrative interfaces to the management network; if that's not possible, use ACLs on upstream devices (switches and routers) to restrict where management sessions can originate.
- Revisit pen testing regularly, as attacks evolve. Tools such as OpenVAS and Metasploit have advanced to keep up, and the library of exploits they can use grows steadily.
The bottom line? Having a pervasive protection strategy is just the beginning. To protect devices and data in today's increasingly perimeter-less world, you need three things: a pervasive protection strategy, the tools and technologies to implement the strategy -- and the policies and processes for ensuring those tools and technologies work in concert to maximize protection. All policies and processes need to take into account both the vulnerability of the network security devices themselves (individually and in concert), as well as the ever-changing landscape of attacks and threat vectors that exploit those vulnerabilities.
About the author:
John Burke is a principal research analyst at Nemertes Research, where he advises key enterprise and vendor clients, conducts and analyzes primary research, and writes thought-leadership pieces across a wide variety of topics. John leads research on virtual enterprise, focusing primarily on the virtual and mobile desktop, application delivery optimization, and management and orchestration tools for the virtualized data center and the cloud.