Evaluate Weigh the pros and cons of technologies, products and projects you are considering.

The self-defending network: Is it real technology or market speak?

Cisco and other security vendors are touting the "self-defending" network. Is it real technology or market-speak?

Ever seen the Cisco Systems TV commercial of the little girl tapping away at her dad's office computer? She downloads what she thinks is a video game when, all of a sudden, a dialogue box pops up: "Warning! Virus Detected." She's shocked; worry washes over her face.

Behind the scenes, though, the network is jumping into action. The AV scanner is communicating with a central policy server, which automatically issues instructions to the firewall to shut down ports, the router to redirect the worm to a quarantine zone, and the patch management server to plug the exploited hole.

Seconds later, she's relieved to see another dialogue box: "Virus Destroyed!" Of course, we must suspend disbelief and assume that this precocious child understands what a virus is and the damage it can cause. And, we must also believe that something like a "self-defending" network is available today.

In reality, it's the stuff of the future.

Cisco is working with AV vendors to perfect its Network Access Control strategy, which ultimately builds security intelligence into every Cisco network device. Microsoft is working on a similar approach for Windows. Enterasys relaunched with the aim of providing end-to-end automated security across heterogeneous networks. And IBM and Hewlett-Packard are developing self-protecting technologies.

The concept is simple: Remove the human element from network security, make every device security-aware and enable those devices to automatically respond and prevent threats. It's like the human body's autoimmune system, which forms antibodies to automatically defend itself without the brain having to "think" about it.

Self-defending networks, and the technology that will enable them, are in their infancy. Some say it will be decades before we see networks with enough interoperability and artificial intelligence to fulfill the self-defending promise. However, significant building blocks are available today--advanced protocols such as 802.1X, host-based IDS/IPS, personal firewalls, anomaly detection and advanced AV. The challenge is making these immature technologies interoperate.

In this article, we look at the concept of self-defending networks, what it will take to make them work, what's available today, and what they will and won't do.

Familiar Concept
The self-defending network is based, in part, on defense-in-depth security. You layer various technologies at strategic points on the network to create a thick fabric of security. The key is automation; each device is sharing intelligence through standardized protocols and coordinating responses based on predefined policies.

Vendors' visions for self-defending networks take different forms, but each aims to achieve the same basic objectives and components.

These are a self-defending network's characteristics:

Endpoint security: Host-based agents keep track of workstations' compliance with corporate security policies, ensuring they have up-to-date AV signatures, working firewalls, proper OS security configurations and the latest patches. Some networks will use agentless endpoint security, or downloadable applets, to check for policy compliance on untrusted machines, such as home computers and Internet kiosks. Based on their level of compliance, users will be granted full, limited (redirected to a lesser-privilege VLAN or quarantine area) or no access. Vendors such as Sygate, InfoExpress, StillSecure and Endforce offer endpoint products that integrate into the core network infrastructure.

AAA: Even with the proper configurations, you want to make sure only those with legitimate, authorized credentials gain access to the network. Conventional access control, authentication and authorization will work with network and point security solutions to guard against unauthorized intrusions. Protocols such as 802.1X bolster authentication on a port level (see "X'd Out").

Intrusion detection/prevention: An array of point technologies, ranging from stateful inspection firewalls to signature-matching AV, inline network-based IDS sensors and anomaly/traffic flow monitors, will work in concert to inspect traffic at various points of the network for malicious activity. Suspicious traffic can be blocked by firewalls or redirected to honeypots or the ether. In the Cisco paradigm, routers and switches play a key role by manipulating ARP tables or filtering by MAC addresses. Numerous, diverse solutions exist in this space, including offerings by Check Point Software Technologies, McAfee, Trend Micro, TippingPoint and Mirage Networks.

Policy checking/enforcement: This is the brain of the operation. A central policy server will collect and correlate security-related data from nearly every device, ranging from LAN-connected PCs to VLAN switches and core routers, as well as security products. The meta-console will compare the refined intelligence against predefined policies (e.g., no FTP traffic on accounting subnet) and issue instructions to the most appropriate device to stop the unauthorized action (e.g., instructing the firewall to drop an FTP connection). The magic is in the automation.

Maintenance and remediation: Recovering and repairing from incidents and viruses, as well as maintaining the network security integrity, are the jobs of endpoint security, patch management, vulnerability assessment scanners and self-auditing tools. If an endpoint agent reports that a host needs the latest Windows patch and a Symantec AV signature update, the maintenance server--located in a quarantined area--will push the appropriate files. Likewise, a remediation server will help clean up infections, repair damage and push patches and configuration changes to prevent reinfection.

Making all of these point products work together are communication and management protocols that, outside of homogenous Cisco environments, are largely absent today. Management protocols, such SNMP and syslog, can facilitate high-level communications between disparate devices, but don't provide the level of granularity needed for self-defending networks.

Where's the Magic?
Just because we have many of the self-defending network's components doesn't mean we can make them work harmoniously together, much less automatically, with nearly flawless performance.

When it comes to security, enterprises live in a best-of-breed world, with point solutions scattered across their networks. They don't exactly play well with others.

Just look at the challenge SIM vendors have getting their correlation engines to pull data from every proprietary security device. The same problem exists for self-defending networks, but on a much larger scale. The management server must pull security intelligence from every networked device--routers, switches, IDSes, VPN concentrators, hosts, AV scanners, firewalls, etc. It must normalize that data, analyze it for threats and attacks, and then issue response instructions--drop connections, redirect traffic, block access, push patches--to multiple devices. And it must do this instantaneously under all traffic loads. Pulling logs for correlation and analysis simply isn't enough.

Interoperability challenges are why Cisco is building automated management tools for its products and integrating select third-party point solutions.

The first phase of Cisco's self-defending scheme, released last spring, covers only Cisco routers communicating with endpoint agents on Microsoft NT/2000/XP hosts. The policy server can issue ACL changes to redirect noncompliant machines to a remediation server, where they'll receive patch, configuration and policy updates. Cisco is also working with McAfee, Symantec and Trend Micro to incorporate AV into this scheme.

In the next phase, coming in 2005, Cisco will add switches to the defensive scheme, giving it the ability to quarantine noncompliant systems into VLANs that contain remediation servers. Also to come is support for various operating systems and IPSec VPNs.

In time, Cisco will gradually bring more devices under its security cordon, including firewalls, wireless access points and load balancers.

Even leveraging its widely deployed products and scores of proprietary protocols, Cisco is still years away from a fully operational self-defending network. It also has to deal with gaps in its own infrastructure, which is why it's working with partners with complementary technologies.

Standards bodies may try to craft unified frameworks to enable heterogeneous self-defending networks, but it will take years to develop, and longer for widespread adoption to take place. Nevertheless, we may already have the foundation in place. SSH, SNMP, syslog and Application Vulnerability Description Language (AVDL) could provide the foundation for new protocols and standards that have the reach and granularity required to manipulate device and software configurations.

Elusive Reliability
Even if you get every device to talk to each other, there are even greater reliability and accuracy challenges.

Many security solutions, particularly IPSes and application proxy firewalls, can automatically deny suspicious traffic, but few enterprises use this capability because the systems aren't reliable enough. False positives could trigger actions that would shut down mission-critical services or lock out legitimate traffic.

Self-defending networks' reliance on human-generated policies could be their Achilles' heel. Enterprises are notoriously bad at policy creation and maintenance. Poorly crafted security policies could limit the effectiveness of self-defending networks by issuing improper instructions that could drop connections or break applications.

Additionally, self-defending networks will only respond to conditions for which their security managers have written policies. Conceptually, they'll be able to ward off zero-day attacks, but only if there's a policy that can anticipate the attack and an appropriate response. There are default response actions, such as "when in doubt, drop connection," but this could also result in self-imposed DoS.

Simply put, self-defending networks are only as good as the people who create and maintain them.

Big Picture View
Consolidating all security intelligence into a central management point will give security managers a meta-dashboard that provides a holistic, comprehensive view of an enterprise's security posture. Under ordinary use, the dashboard will provide valuable intelligence for honing high-risk systems and fine-tuning the policies that drive the self-defending network.

However, there's no perfect security technology on the market today, much less widely integrated, interoperating self-defending networks. No amount of pixie dust will make this concept a reality anytime soon. It will take years for vendors to overcome integration and interoperability issues, while simultaneously improving the reliability and accuracy of the supporting point devices.

About the author:
Eric Cole, CISSP, GIAC, is chief scientist of the Sytex Group. He is author of Hackers Beware, is a SANS Institute instructor and a member of The Honeynet Project. 

Dig Deeper on Network intrusion detection and prevention (IDS-IPS)