When it comes to perimeter defense, identifying the network edge is a challenge in itself. This video offers insight on defending the enterprise in a perimeterless world, including the issues of a perimeterless network and leading technologies for endpoint security.
Perimeter defense in the era of the perimeterless network
Presenter: Welcome to Search Security's Intrusion Defense School, Lesson 5, Perimeter Defense in the Era of the Perimeterless Network with guest instructor Joel Snyder. Joel is a senior partner with Opus One, a consulting firm in Tucson, Arizona. Joel will forecast the future of intrusion defense and offer tips for applying intrusion defense in a perimeterless network. Thank you for joining us today, Joel.
Joel Snyder: Thank you very much. Good day everyone, and this is Lesson 5, which is sort of beyond perimeter intrusion defense. So this is the fifth of a set of five, and the first four talked about perimeter defense and what some of the issues are. They tried to go into what UTM is. This talk is sort of going beyond that. How do we go beyond basic intrusion defense when we don't have a perimeterful network anymore?
I have a couple things I want to talk about today. If we don't have perimeters anymore, how do we defend ourselves? What are leading technologies for endpoint security? I'm going to talk about the issues in future for this perimeterless network, and what we can do to provide intrusion defense in a perimeterless network. I want to point out that while you were out we went and dissolved your perimeter. People talk about this concept of a dissolving perimeter, but it's very, very true.
I just have a little picture showing you how it works if you haven't already thought about this a little bit. I've got my firewall around the network, but then look. Up in the left-hand corner I've got a bunch of people inviting us to UTM. People coming and buying UTM. I might have branch offices with their own little firewalls, and I've got partners that might be coming into our network, plus I'm punching holes in my network for things like mail or for DNS of course. I've got holes as well for things like web queries if I'm running a little web farm inside my network. This perimeter of having a single spot where everything goes through and everything is well-defended is actually beginning to kind of dissolve. This is a big issue that people have talked about, and we're talking about it today.
Perimeter-based security isn't going to work all the time if I have all these holes in the network. So what can you do? Well, on the left-hand side I have a whole lecture on the defense in depth strategy and I've got a whole bunch of things that you can do to improve defense in depth. I'm not going to talk about those today. You can actually go on to the Search Security website and find some of my old information security decisions lectures that talk about defense in depth. What I'm talking about is the concept of re-perimeterizing your network in order to have perimeter-type defenses in place. I don't mean that you're somehow patching up holes in the firewall. I'm saying we're identifying places where we've punched a hole or we've broken up the perimeter and we're going to add defenses, virtual defenses, to create a new perimeter that we can then defend and apply these perimeter-based securities.
The three things that I'm going to talk about briefly today are using network admission control, what I'm going to call NAC, which is not to be confused with Cisco's NAC, which is the same words and the same acronym, but this is the generic term NAC. On endpoints we're going to talk about using NAC. We want to talk about using touchdown points like tunnel servers to re-establish controls, and the recreation of little micro-perimeters where we can. Let's first start with this whole concept of re-perimeterizing. I don't want to say these holes need to be patched. All I'm saying is that where we've opened up and dissolved our perimeter, we can create virtual perimeters. For example, on the left-hand side I'm saying, "Look. I've got all these people coming in via a VPN, either an SSL VPN or IPSec VPN."
Well, those VPNs have to touch down in a device, and that device can be your virtual perimeter. You just need to now look at that point and say, "Okay. This was a hole, but now I'm going to apply perimeter defense thinking to that device or to the hole that's created by that device." Now some people will just run around and slap a firewall behind the device. I don't think that's really the right way to do it. I think you want to integrate the security with the device itself.
Look at these holes on the right-hand side where I've brought in mail or DNS or web. Each of those holes has very definable and definite characteristics, and they define a defendable border. We can actually apply a lot of defense right to that specific border point that we've just re-perimeterized instead of just saying, "Hey, I'm going to open this hole and let everything that wants through." No, no, no. I can have very, very defined defenses at those borders.
The first technology I want to talk about is network admission control. Again, I want to make sure that you understand that I'm not talking about Cisco NAC specifically. Cisco NAC, Network Admission Control, is a particular implementation of network admission control. You also find that Microsoft has a network admission control technology. They call it NAP, for Network Access Protection, I think. The Trusted Computing Group has TNC, the Trusted Network Connect framework, which is a kind of NAC. Juniper has their Infranet strategy, and that's a NAC. Of course we have all of these other companies that are participating in these. Symantec is a perfect example. They're playing probably with Cisco, Microsoft, TCG and Juniper to be part of all of their NAC strategy. There are lots and lots of partners.
Network admission control, or network access control, wraps a perimeter around the network. No matter what company you're talking about, they're saying at this access point. Now, I'm showing here this access point being the SSL VPN, but the access point to the network can be a wireless point of access, not a WAP, but a wireless point of access; a wired point of access, that's a jack in the wall; it could be an SSL VPN; it could be an IPSec VPN. Anywhere where someone touches the network, this network admission control can come into play.
The network admission controls essentially do two things together. First of all, who are you? A huge component of network admission control is the authentication aspect. When you try to come into my network, whether you're jacking in or wirelessing in or SSL-ing in or IPSec-ing in, you must provide authentication as part of NAC. And -- a huge thing that people are into -- does your endpoint actually comply with policy, which is to say does this endpoint security, is the security of the device you're trying to connect up to the network, have the security policy implemented as required by the organization?
For example, if you say everyone has to be running Sophos and your updates have to be no more than 30 days old, do you comply with that? Everyone has to have BlackICE firewall with the official corporate policy no more than 30 days old. Does your device comply with that? Everyone has to have Webroot antispyware. Does your device comply with that? So NAC is who are you and do you comply with policy. Based on that, it either lets you into the network or it doesn't let you into the network. It sends you to a remediation place or whatever. That's the whole concept of NAC. That's a new perimeter defense that's being applied not just at that internet point of connection but at every single point of entry into the network by an end system.
I'm going to bring up a caveat here when people start throwing this NAC stuff around, which is the endpoint security is not actually very compelling when you face reality. I've got a graph here, and I don't even know if you can see this graph, but I just want to say what's going on. What I'm showing here is a bunch of different SSL VPN devices, and a bunch of different scenarios that I use with endpoint security. Green means that the device worked with the scenario and red means that it didn't with endpoint security. The whole point of this graph is not to say this brand is better or worse than that, but that there's a whole lot more red than green. I have a quote here from the article: "If there's a train wreck of a technology in this product niche, endpoint security is it."
So my point here is that endpoint security really only works on managed desktops and laptops. If you pass out the laptops to the user or you control the desktop, if you are able to manage it and control every aspect of it, then you're going to see a lot of green in this graph. But if you have the idea that someone is going to connect up to the network and they're going to suddenly get pushed down some Java or ActiveX thing, that's going to make this decision about whether or not they need to be remediated or access controlled or whatever not work. This is just basic testing. We tested these products, we tested them with a simple security policy, and most of these products failed because it doesn't work really well in the unmanaged desktop environment.
So endpoint security as part of NAC is great stuff in the managed world, but do not let marketing PR people tell you that it's going to work very well in the unmanaged environment. That's not to say that the authentication piece is not just great, just that the security part was not great. So NAC is great stuff. I don't want to say anything bad about NAC. It's a fantastic idea. We're going to authenticate and authorize users at the point where they enter the network. We're going to try and check their endpoint security. Just be aware that you can't turn it on with a switch and it's going to work for everyone including your partners and people who are unmanaged and all these other folks who might be coming into your network.
Now there's an alternative to that, which is to actually say I'm going to have access controls, but I'm going to make the VPN device the UTM firewall in and of itself. I've got a little picture here showing someone coming in through a typical SSL VPN device. Of course, like any SSL VPN device or any IPSec VPN device, I not only have identity-based access control -- which is I know who the user is, I'm controlling their access to the network based on their authentication information and I've got fine-grained security -- but I might have additional other features.
What I'm seeing in the marketplace is that these SSL VPN devices are becoming UTM-ized perimeter controls, which means they're having things thrown into them including stuff like stateful firewall, intrusion prevention and anti-virus. The biggest example, of course, is going to be something like the Fortinet box or the Check Point box, which from the very beginning had intrusion prevention and anti-virus. You're going to see things like the Symantec box also letting you have this additional technology in place when someone comes in by an SSL VPN or an IPSec VPN. We're applying additional perimeter controls. It's not the Texas Hold 'Em theory of VPN, which is when you're in, you're all in. Instead it's you're in, but I am putting additional controls on you which give me a little baby perimeter. I can apply controls at that perimeter like stateful firewall controls and intrusion prevention controls. I'm adding perimeter-like stuff to what people used to call a hole in my network. It's not truly a hole. The devices and the products are letting me add controls. What's great about these controls is that they're based on identity, and that is a fantastic way to have controls.
In addition to these VPN devices becoming perimeterized, I had talked about the holes in the firewall for services. Well, if we add holes in our firewall, that just gives us an opportunity for another different kind of firewall. For example, I've drawn some pictures here. I'm not advocating any of these companies. I'm just giving you examples of devices you might have. I'm saying mail comes into the network. I'm not just going to let mail drop directly into my Exchange server. That would be stupid. Instead I'm going to go out and buy an e-mail security appliance, and I'm going to throw that in there, and that is just a different kind of firewall.
I've not dissolved the perimeter, I've just changed where the access control goes from big, huge firewall to my big, huge firewall in my big, huge e-mail security appliance. Or maybe not even a big, huge security appliance. If I'm doing DNS, I'm not just going to throw DNS against my normal Unix-based or Windows-based DNS servers. Instead I'm going to go out and buy a DNS appliance and stick that at the edge to give me a different kind of firewall. If I'm doing web access in, I could be doing something like Citrix web access controls -- I just picked them because the logo was kind of small and it fit really well here. I'm not saying any one of these companies is perfect, just that these are great little firewalls that you can put in front of services to provide very specialized firewalling. You haven't dissolved the perimeter. You've just changed the point of control to something which is really very specialized.
These are all incoming pictures, but incoming isn't the only issue. We also have outgoing. Again, I've thrown Blue Coat up here as an example, but they're not the only people in this business. When people are going out, we want to help protect them. We want to have protection which is user-focused. That is a huge new trend in security enterprise networks: focusing on the user. What can we do to protect them as they're wandering the big bad crack house of an internet that we've got out there today? What I'm saying here is that these users might have some kind of device which is trying to protect them. An outbound web proxy server is a real good example.
Again, Blue Coat is just one example. Lots of companies do this kind of thing. What we can look for is they're not getting spyware; they're not touching websites that have spyware on them and then downloading spyware; or we're trying to help them deal with viruses; or we might be doing content filtering or regulatory compliance; all these different things focused on protecting that user. These are holes in the firewall, but they are just an opportunity for a different kind of firewall to re-establish this perimeter. You can call it defense in depth if you want or whatever you want to call it. What I'm saying is just because we punched holes doesn't mean that we are actually opening up these holes in our firewall; we're just moving the locus of control to another point. That gives us our re-perimeterization, a little micro-perimeter, a virtual perimeter here.
I have four trends here -- I don't have tips, but I have trends -- things that I want you to write down, put on a little post-it, stick it on your cubicle or however you house in your organization, things I want you to just watch for this year and probably next year as well. First of all, identity-based access control. Identity-based access control. Things like 802.1X, NAC, SSL VPN, IPSec VPN. This is saying we're not doing access controls based on IP address, which is what most firewalls do, but based on the identity of the user. That is going to be a huge, huge direction where we really get very specialized in our access controls. Possibly outbound as well as incoming, but certainly incoming, where we're going to make security an access control based on who you are, not just on your IP address.
Second huge trend is endpoint security posture assessment. We see that in Cisco NAC, TCG's TNC, Microsoft's NAP, all that kind of stuff. That's going to be a big trend. I don't know whether that's right for you. It depends on your user community. It depends on how managed they are. It depends on what your real threats are. It's going to be a big trend. Watch for it under a lot of different names.
These two trends, by the way, are actually joined. NAC itself is both an identity-based access control and endpoint security posture assessment. Some folks when they talk about NAC all they seem to care about is that endpoint security. Both things are built in together and they should go together because that gives us the best level of new perimeter and micro perimeter security.
The third big trend is to watch devices that have defensive technology built into them. So, when I looked at SSL VPNs a couple of months ago, there were two or three of them that had a little bit of security features in addition to the basic SSL VPN functionality, things like internal stateful firewall or internal intrusion prevention. Watch as all these VPN devices begin to add greater features in the form of stateful firewalls, intrusion prevention, even anti-virus, into them, which is going to try to help add defensive perimeter-based intrusion defense technologies into these perimeter hole-poking devices.
Then finally, a big, huge trend which I think a lot of people are going to go for because it makes a lot of sense is user-focused security. Security which is not focused on the Internet, but on the users in the organization and how we can protect them as they go into dangerous places, which is to say anywhere outside of the company boundary. Things like proxy gateways for outbound access, you see a lot of motion in there, partially because of Blue Coat's success in the marketplace. That's going to attract other companies trying to help meet that same requirement at different price points or slightly different requirements.
Watch for these four trends. Is every single one of them right for you? No. I'm not going to say that. Absolutely not. Nevertheless, you're going to see this happening, so keep this in mind as you start looking at security strategies for this year and the next. I want to thank you.
Presenter: Thank you, Joel. This concludes Lesson 5, Beyond Intrusion Defense. Be sure to read Joel's article "The Future of Intrusion Defense" and take our final exam. You can access these and other resources on demand at searchsecurity.com/intrusiondefenseschool. Thank you for joining us.
About the speaker:
Joel Snyder is a senior partner with consulting firm Opus One in Tucson, Ariz.