
GATEWAY-NETWORK SECURITY UNDER SIEGE

Protecting the gateway and network from predators requires new layers of security. Are you still undecided about investing in leak-proof gateway-network security? Look no further than last year's massive TJX data security breach.

TJX Companies, with a market capitalization of almost $13 billion, was robbed of 45.6 million credit and debit card numbers from one of its systems over a period of more than 18 months, by an unknown number of intruders. A recent report from Forrester, the technology and research company in Cambridge, Mass., estimated that breaches cost companies between $90 and $305 per lost record. This includes notifying customers, hiring contractors to fix computer systems, fines and lost business. What's more, over 95 percent of network attacks are entirely financially motivated. This is different than two or three years ago, when it may have been a college student who wanted to crash your computer. Threats today burrow deep in computers and hide. They are a lot less visible today. Indeed, the new threats are much more sophisticated than those security experts had foiled in the past. The easy things (viruses, Trojans and worms) are generally stoppable by most firewalls, or certainly by inline intrusion prevention. But now, hackers and the organizations that fund them have upped the ante for gateway and network security.


OUTSIDE APPLICATIONS
At SonicWALL in Sunnyvale, Calif., developers are looking at all the ways these and other attacks are getting onto servers and PCs. "There's more focus on using applications outside the corporate network, such as Application Service Provider (ASP)-type applications like Salesforce.com and Google Docs, which can upload and share files," says Jon Kuhn, SonicWALL director of product marketing. "It's creating a network that's much more expansive than what administrators had to go over before." What's more, tech-savvy employees are more likely than ever to expose the corporate network to threats without malicious intent. "Everyone has high-speed Internet access, they know how to use online applications, and they're inadvertently connecting applications into the workplace," Kuhn adds. "They inadvertently download malicious software when they think they're downloading the latest song from Mariah Carey." The result is a new conduit for hackers that could allow them direct access into corporate environments. "Blogging is another example of consumer and personal use. Now you see a trend where enterprise execs are blogging. As soon as it starts being used by the business, it becomes an attractive way to hack in and rewrite what they've written, which can impact the firm's image."

INCREASING PREDATORS
"We're seeing more instances like TJX, which was a sophisticated wireless attack," says John Kindervag, senior analyst, Security & Risk Management at Forrester Research. He also points to similar breaches involving Hannaford Supermarkets and Dave & Buster's restaurants. The sad truth is that the vast majority of such attacks are preventable. This is according to the 2008 Data Breach Investigations Report, put together by Verizon Business, a unit of Verizon Communications that operates public IP networks. The report took four years to compile and analyze. The study of 500 forensic investigations, involving 230 million compromised customer records, found that nine out of 10 breaches attributed to hacking attacks took advantage of a vulnerability for which a fix was available at least six months prior to the attack. And assaults on applications, service or software layers were more common than assaults on operating systems. Within the corporate network, "if you have credit cards, bandwidth and hard drive space available, you're a target," Kindervag adds. "If you've got holes in your network, someone will find those holes. They don't care who you are," he adds. "You're just an IP address to them. They're scanning 24x7 looking for new things that have come online and new potential holes that they might be able to exploit. So if you put a device out there on your network that isn't properly secured, somebody is going to attack it," he says. "That's just how it works."

ATTACHED DEVICES
At Juniper Networks, located in Sunnyvale, Calif., network security developers are seeing more attacks related to consumer devices used at work. These include iPhones, MP3 players, USB flash drives and other attachments. Each could leave networks vulnerable to attacks through those applications. "The emphasis now is more from a consumer perspective crossing over to the business," says John Yun, product marketing manager, Security Layer Technology Group at Juniper Networks.

NEW SECURITY LAYERS

When it comes to gateway security, the layered approach is still the best approach, industry watchers say. Deploy defenses at the perimeter and inside the network, with firewalls and Intrusion Prevention Systems (IPSs). Also, provide protection from remote devices coming in through Virtual Private Networks (VPNs) and wireless connectivity.

Solutions providers, including CA, Cisco Systems, Juniper Networks, SonicWALL, Symantec and Trend Micro, offer multilayer gateway security solutions. In addition, to protect against the newest threats, gateway and network security solution providers now recommend adding new layers of security to the information gateway.

PROTECT YOUR NETWORK'S CHOKEPOINTS

"Start protecting the core of your data," says John Kindervag, senior analyst at Forrester Research. Consider intrusion prevention types of security not just at the Internet connection, but at the chokepoints where hackers can grab big chunks of data. Add intrusion protection at these chokepoints:

- The aggregation point of your wireless network
- The frame relay or WAN connection
- In front of your database (DB) server farm

In addition:

- Wireless links should be aggregated through a single gateway, and that gateway should have intrusion protection.
- Put web application firewalls in front of your web servers.
- Put DB auditing devices or firewalls in front of your DB servers.
- Put encryption on your databases.
- A Virtual Private Network (VPN) connection shouldn't be bridged directly to your network and should have a device looking at all the packets that have been decrypted.

ENCRYPTION PLUSSES
Forrester's Kindervag says the new layer needs to be database encryption, or encrypting your data at its core. "Protect that core data with encryption," he says. "Had TJX done that, maybe the thieves would have just stolen gobbledygook, unless they had the whole encryption keys to the kingdom," Kindervag adds. Cisco, Juniper Networks, SonicWALL, Symantec and others offer data encryption solutions.

IDENTIFY THE USER
The inside-out approach to gateway-network security has blurred a bit. This is because employees take home their seemingly secure notebooks and download new applications and devices at home. "Holes on the outside of the network, we're now bringing inside," explains Juniper Networks' John Yun. "The traditional sense of inside-out is going away because they see the benefit of verifying not only the device but the user. More and more we're looking at [gateway security] from a user perspective," he says. "If somebody stole your password and logged in, now you can set policies based on that user. If there is suspicious behavior, you just don't look at the behavior, but at the user," he adds. For example, why is the person in R&D trying to access financial data? Then administrators can write policy to block them. Juniper Networks' Unified Access Control (UAC) solution combines user identity, device security state and location information for session-specific access policy by user, enforced throughout the network. "If something happens or a network detects something weird going on with a user, you want to react quickly," Yun says. "One of the things that UAC does is receive information from our IDP [Intrusion Detection and Prevention] product of a suspicious behavior and correlate what the user is doing relative to the application. User XYZ is trying to access the application, and that's not an accepted behavior. So the solution dynamically changes the configuration of our firewall," Yun notes. The network is intelligent enough to figure out what's going on and takes action on that user. Juniper Networks' IDP products offer in-line network IPS functionality to protect the network from a wide range of attacks. The IDP solutions also provide information on rogue servers, as well as types and versions of applications and operating systems that may have unknowingly been added to the network. Application signatures, available on the Juniper Networks IDP, enable detection of specific applications such as peer-to-peer or instant messaging, so administrators can more easily enforce security policies and maintain compliance with corporate application use policy. Juniper Networks IDP also provides DiffServ markings to allow the routers to enforce bandwidth limitations on nonessential applications. Not only can administrators control the access of specific applications, but they can ensure that business-critical applications receive a predictable quality of service.

APPLICATION SCANNING
SonicWALL's Kuhn recommends adding an application layer to the gateway. "If you look at security solutions that are in most networks today, we're still largely an environment of networks that base security on stateful inspection. The minority of networks have implemented Unified Threat Management (UTM) or some form of deep-packet inspection," Kuhn says. "As we go toward 2009, it becomes more important for these UTM solutions to operate and disseminate information on an application-by-application basis. That's not easy to do because proxying all application traffic between a host and a server creates latency and performance problems," he adds. "You have to look at those application conduits and methods of bringing in files, and have a solution that's aware of those applications and how they function." The application layer should also look at the applications in use across the network. These shared applications are not static to one port or protocol. "A lot of these Peer-to-Peer (P2P) applications tend to hop around to find a connection out to the Internet," Kuhn explains. SonicWALL's solutions scan through all those ports. "They find out where that application is functioning, and give that control point back to the administrator to either limit bandwidth or block it altogether. It gives them this visibility they didn't have before, which is to focus on the application use," Kuhn adds. Another critical layer that must be added is the classification of applications so administrators can get greater visibility into the network use of every employee. "The object is to see who is abusing the network or who is legitimately using some type of P2P or Web 2.0 applications and inadvertently attracting the threat," Kuhn says. SonicWALL's E-Class NSA Series UTM solutions offer multitiered defenses through high-speed, deep-packet inspection, a traffic classification engine, and real-time inspection of applications, files and content-based traffic across all ports and protocols. The solutions also extend protection over both external and internal networks.
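The port-agnostic classification Kuhn describes under APPLICATION SCANNING, as an added example that is not SonicWALL's, Juniper's or the article's code: a flow is named from the first bytes of its client payload rather than its destination port, and that name drives the administrator's control point (allow, rate-limit with a DiffServ marking, or block). The signature table, sample flows and policy are constructed for illustration.

```python
# Added example, not SonicWALL or Juniper code: name a flow from the first bytes
# of its client payload instead of the destination port, then apply a
# per-application policy (allow, rate-limit with a DiffServ marking, or block).
# Sample flows and the policy table are constructed; DSCP 8 is CS1, the usual
# "scavenger" marking routers apply to low-priority traffic.
from dataclasses import dataclass
from typing import Optional
# Payload signatures are port-independent, so an application that hops to
# 443 or 8080 is still recognised.
SIGNATURES = [
    ("bittorrent", lambda p: p.startswith(b"\x13BitTorrent protocol")),
    ("ssh", lambda p: p.startswith(b"SSH-2.0-")),
    ("tls", lambda p: len(p) > 5 and p[0] == 0x16 and p[1] == 0x03 and p[5] == 0x01),
    ("http", lambda p: p.startswith((b"GET ", b"POST ", b"HEAD ")) and b" HTTP/1." in p[:64]),
]

@dataclass
class Action:
    verdict: str                  # "allow", "limit" or "block"
    dscp: Optional[int] = None    # DiffServ code point to mark when limiting
    kbps: Optional[int] = None    # bandwidth ceiling when limiting

# The control point handed back to the administrator, per application.
POLICY = {
    "bittorrent": Action("limit", dscp=8, kbps=256),  # P2P: cap it, mark CS1
    "unknown": Action("block"),                       # unclassified traffic
}

def classify(payload: bytes) -> str:
    """Name the application from a flow's first client payload, on any port."""
    for name, match in SIGNATURES:
        if match(payload):
            return name
    return "unknown"

def decide(app: str) -> Action:
    return POLICY.get(app, Action("allow"))
def evaluate_flows(flows):
    """(src, dst, dst_port, first_payload) tuples -> (src, dst, port, app, Action)."""
    return [(s, d, port, classify(p), decide(classify(p))) for s, d, port, p in flows]

def sample_flows():
    # Constructed flows: P2P hiding on 443, web on 8080, unknown bytes on 6881.
    return [
        ("10.0.5.12", "203.0.113.7", 443, b"\x13BitTorrent protocol" + bytes(48)),
        ("10.0.5.12", "203.0.113.9", 443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03"),
        ("10.0.7.3", "198.51.100.4", 8080, b"GET /index.html HTTP/1.1\r\nHost: example.org\r\n"),
        ("10.0.7.3", "198.51.100.5", 6881, b"\x00\x01\x02\x03 junk"),
    ]
```

Running `evaluate_flows(sample_flows())` shows the P2P handshake on 443 limited and marked while the TLS session on the same port is allowed, and the unrecognised bytes on 6881 blocked.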

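The user-centric reaction Yun describes under IDENTIFY THE USER, as an added example that is not Juniper's UAC or IDP code: access policy keys on the user, device posture and location rather than the source address, and an IDP alert that names only a source IP is mapped back to the user behind it before the network reacts. The users, roles, resources and rule strings are constructed.

```python
# Added example, not Juniper UAC or IDP code: policy keyed on the user (identity,
# device posture, location) rather than the source address, plus an IDP alert
# correlated back to that user. Users, roles, resources and rule strings are
# constructed for illustration.
from dataclasses import dataclass
@dataclass
class Session:
    user: str
    role: str
    src_ip: str
    device_compliant: bool      # endpoint posture reported at logon
    location: str               # "office" or "remote"
    quarantined: bool = False

# Which roles may reach which application, and whether remote access is allowed.
RESOURCES = {
    "finance-db": {"roles": {"finance"}, "remote_ok": False},
    "source-repo": {"roles": {"rnd"}, "remote_ok": True},
    "intranet": {"roles": {"finance", "rnd", "staff"}, "remote_ok": True},
}
def authorize(s: Session, app: str):
    """Return (allowed, reason) for one access attempt; unknown apps fail."""
    res = RESOURCES.get(app, {"roles": set(), "remote_ok": False})
    checks = [
        (s.quarantined, "quarantined"),
        (not s.device_compliant, "device-noncompliant"),
        (s.role not in res["roles"], "role-not-permitted"),  # R&D reaching finance
        (s.location == "remote" and not res["remote_ok"], "remote-not-permitted"),
    ]
    failed = [reason for bad, reason in checks if bad]
    return (not failed, failed[0] if failed else "ok")

class Enforcer:
    """Maps an IDP alert (source IP, application) back to a user and reacts."""
    def __init__(self, sessions):
        self.by_ip = {s.src_ip: s for s in sessions}
        self.firewall_rules = []            # rule strings pushed so far, in order
    def on_idp_alert(self, src_ip: str, app: str) -> list:
        s = self.by_ip.get(src_ip)
        if s is None:                        # no known user: fall back to the address
            rules = [f"deny ip {src_ip} any"]
        else:
            allowed, reason = authorize(s, app)
            if allowed:
                return []                    # behaviour fits this user's policy
            s.quarantined = True             # act on the user, not only the IP
            rules = [f"deny user {s.user} -> {app}  # {reason}",
                     f"redirect user {s.user} -> remediation-vlan"]
        self.firewall_rules.extend(rules)
        return rules
```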
SECURITY INVESTMENT
All gateway and network security devices should be reviewed for reliability and accuracy every two to three years, Forrester's Kindervag says. This is because the threat environment is constantly changing. That doesn't always mean that software and appliances should be replaced. Possibly new protections might need to be added. Regardless, make sure the security solutions continue to meet the growing demands of your business. "If you were to buy an antivirus engine, you can buy one cheap," says Juniper Networks' Yun. "But that doesn't give you much protection. You need to be backed by a full suite of security experts and products." Yun adds that while prices haven't gone down, new built-in management features are reducing the manpower costs. "There is more value in solutions today versus firewalls of the past because the solutions were largely stagnant before," says SonicWALL's Kuhn. "Today, with continuous monitoring and updates of threats, these solutions last longer." Instead of thinking "How will I get a return on investment of my security dollars?" think about "Do my security dollars reduce my risk?" Kindervag says. "Most people don't understand the adversary. A hacker is not the guy who robs [convenience stores] with a stocking over his head. These are people with Ph.D.s in computer science," he notes. "They think they're smarter than all of us, and they're significant and difficult adversaries. Everything we do, they'll have a countermeasure to it. So you can never, ever be complacent. Security is not a product. It is a long-term and continuous process."

GATEWAY-NETWORK BREACH REASONS

Additional findings from the 2008 Data Breach Investigations Report, put together by Verizon Business, include:

- Three in four (73 percent) of the breaches studied stemmed from external attacks, compared to 18 percent that were blamed on insiders. The finding runs counter to the conventional wisdom that misbehaving internal employees pose a bigger threat than hackers or other external sources.
- Two in five security miscues (39 percent) were blamed on business partners.
- Most breaches happened as a result of a cascading sequence of events rather than a single gaping hole.
- In three in five cases (62 percent), internal errors contributed to breaches.

CDW OFFERS LAN/WAN SPECIALISTS TO ASSIST WITH YOUR NETWORKING NEEDS.
