Using Ranch Networks for Internal LAN Security

Transcription

1 Using Ranch Networks for Internal LAN Security The Need for Internal LAN Security Many companies have secured the perimeter of their network with Firewall and VPN devices. However many studies have shown that despite this protection, the frequency of security breaches of various types is on the rise. The number of reported security incidents has been doubling year-over-year, to 82,000 in The number of actual security incidents is estimated to be approximately five times the number of reported incidents. A large subset of the total number of security breaches actually comes from within the LAN. The sources of these internal breaches include: - Disgruntled employees - Contract employees - Laptops and other portable devices that have been connected elsewhere and brought back into the corporate LAN - Other companies that are connected in various ways to the corporate LAN: customer access, outsourcing, partnerships, or shared LAN environments - Improperly secured Wireless LANs - Peer-to-peer applications such as those for Instant Messaging or File Sharing - Malicious code that passes through the perimeter protection, infects an internal system by exploiting an unpatched vulnerability, then launches an internal attack These security breaches can cause many serious issues such as: - Damage from Worms and Viruses - Theft of Intellectual Property or other sensitive company data - Financial fraud - Internally launched Denial of Service Attacks - Violation of laws such as HIPAA, Sarbanes-Oxley, the Patriot Act, or Gramm- Leach-Bliley - Sabotage There are many statistics that justify these concerns: - The FBI/CSI Computer Crime and Security Survey of US corporations, government agencies, and universities found: i. The theft of proprietary information cost US$70 Million in 2002 with an average of US$2.7 Million per reported loss ii. In 2001 the financial loss from financial fraud totaled US$116 Million, with an average loss of US$4.4 Million iii. For those respondents who knew where security breaches came from, about half came from inside their network iv. 77% of respondents listed disgruntled employees as a likely source of attack

2 - A survey of US corporations entitled Managing Security Information from The McKinsey Corporation found: i. 49% of respondents experienced unauthorized network access by insiders ii. 26% experienced a theft of proprietary information, with an average loss of US$4.5 Million iii. 12% experienced financial fraud, with an average loss of US$4.4 Million - A survey conducted at the InfoSecurity 2003 Conference found: i. 49% of respondents listed potential security breaches from current employees as the most-common cause of concern ii. Over one-third of respondents named current employees as a source of the majority of corporate security breaches in the past year However, some companies think it won t happen to me and sweep the issue under the rug..

3 How Ranch Networks Helps to Solve These Problems Providing Internal LAN Security as an Overlay to an Existing Network Ports trunked together, containing VLANs RN20 Internet Existing Network Layer 2 Backbone Switch Conf Rm A Desktops WLAN 4 WLAN 3 Third Floor L2 VLANs Conf Rm B Conf Rm C Desktops Second Floor L2 WLAN 2 Selective Access Control Policy: Guests entering through Wireless LANs or other Zone 1 points are allowed to access the Internet but no other segment of the network Employees entering through these same points can access the areas of the networks they are permitted to enter by Authenticating with the RN20, which contains Authorization Profiles for each type of user VLANs VLANs VLANs First Floor L2 Desktops Data Center L2 Lobby Guest Office WLAN 1 RN20 Zone Plan: Zone 1: VLANs for all WLANs, all Conf Rms, Guest Office, Lobby Zone 2: VLANs for all Accounting Desktops Zone 3: VLANs for all Sales Desktops Zone 4: VLANs for all HR Desktops Zone 5: VLANs for Financial Servers Zone 6: VLANs for Sales Servers Zone 7: VLANs for HR Servers Zone 8: VLAN for Internet S1: Servers with Financial Apps S2: Servers with Sales Apps S3: Servers with HR Apps If you believe that increasing internal LAN security is important, Ranch Networks has an inexpensive, easy-to-implement way to address this need. The above diagram helps illustrate the various ways that a Ranch device can be used to increase the security of an existing LAN and complement the functions already provided by a perimeter Firewall/VPN device. Adding the Ranch product is an easy migration due to our Split Subnet feature which means that many layers of security can be added without rewiring the existing network or reconfiguring IP addresses. In this example, VLANs are used to subdivide the existing network. These VLANs are then brought back to the Ranch device where they are grouped into areas of trust or Secure Zones. The resulting increase in network security includes: - The LAN is subdivided into multiple Secure Zones with each Secure Zone having its own independent security policies. The RN20 provides up to 12 Secure Zones, with separate Virtual Firewalls between each pair of Zones in both directions, totaling 132 Virtual Firewalls. The RN5A/B/C provide up to 5

4 Secure Zones and a total of 20 Virtual Firewalls. Firewall rules can be set at Layers 2, 3, or 4. A full range of NAT options is available. Unauthorized access to Zones or IP addresses can be denied as can unauthorized access from Zones or IP addresses. - Denial of Service protection is provided between each pair of Secure Zones. - Authentication can be enabled so that it is required to enter or exit a Secure Zone. This means that no packets from a user will be allowed through the Ranch device until the user first enters their Username and Password. Once the user is authenticated, they are then permitted to only enter those areas of the network to which they have been authorized. This enables a Single-Sign-On approach: once the user is authenticated by the Ranch device, they can be allowed access to those applications to which they are permitted without further sign-on if desired. - Security breaches can be automatically or manually isolated and quarantined within a Zone. i. Leveraging your investment in an Intrusion Detection System (IDS) Ranch products can be used to increase the performance, coverage, and effectiveness of an IDS in two ways: 1. Ranch products can be configured to mirror traffic to the IDS. Traffic can be selected by Source or Destination Zone, IP address (or range), MAC address, or Port number (or range). Given the centralized location of a typical Ranch installation (see the above figure), it is in a perfect position to selectively filter and mirror traffic from most any area of the network. By performing this function, traffic to the IDS can be regulated to match the IDS throughput capacity and prioritized to mirror the traffic the network admin most wants to monitor. This approach effectively increases the performance and coverage of the IDS and can significantly decrease the cost of an IDS deployment. 2. If the IDS detects an attack or the presence of some malicious code, it can send a message to the Ranch device instructing it to isolate the infected Zone and/or IP address. In this way the Ranch product becomes an enforcement point for the IDS. ii. Leveraging your investment in a Security Policy Management or Event Correlation system Just as with an IDS, these security management systems can be configured to automatically send a message to an RN device to isolate a Zone and/or IP address. iii. Manual Isolation Just as an IDS can be programmed to perform an automatic isolation of a Zone or IP address, a network admin can implement this isolation manually through SNMP. iv. Alarms can be initiated when port scanning occurs so that malicious code can be identified and removed before it can do damage beyond the Zone. This function can be quite valuable in containing worm attacks because port scanning is the most common method for the propagation of worms.

5 v. Alarms can be initiated when an unauthorized connection is attempted. With many Client/Server applications, the Server should never initiate a new connection it only responds the queries by the Client. If however the Server becomes infected and attempts to launch a new connection out of the Zone, the Ranch device can not only deny the attempted connection but also initiate an alarm so that the Server can be cleaned. - Wireless LANs can be separated into their own Zone, with stricter security policies applied to this Zone. The diagram above illustrates this scenario. Even if Wireless LAN Access Points are scattered randomly throughout the LAN, VLANs can be used to segment them from the rest of the LAN. These VLANs are then brought back to the Ranch device and grouped together into a Secure Zone. Other LAN connections where Guests, Contractors, or other third parties are likely to connect can also be grouped into this same Zone. Then special security policies can be applied to this Zone: i. If the company wishes, it can allow Guests to have access from this Zone to the Internet, but not to the rest of the network. ii. If the company wants to restrict the total bandwidth from this Zone to the Internet a maximum bandwidth rule can be configured. iii. If the company wants to implement a Username and Password before Guests can access the Internet this can be configured. iv. If an Employee enters the network through this same Zone (for instance, by using the Wireless LAN), they can enter the internal network by using the Authentication feature so that they can access those portions of the network to which they have been authorized. - Network hiding is provided between each pair of Secure Zones. Since the Ranch device sits in-line in front of the Servers, Desktops, and other devices in the Zone, it hides these devices from many types of hacking attempts: i. Port scanning is blocked and does not get to the Servers and other devices ii. Operating System vulnerabilities become less accessible iii. Patch management can be performed in reasonable time periods iv. Devices that may not themselves have adequate internal security are hidden and protected (such as many Printers, IP Phones, Routers, Switches, PBXs, Network Attached Storage (NAS), PDAs and other devices with exotic Operating Systems) - Rate limiting and port mirroring can be configured for any Zone. - VPN will be available in 2Q04

6 In addition to these security functions, Ranch products also provide many useful nonsecurity functions: - Overlay without reconfiguration i. Ranch products can be added as an overlay to upgrade an existing LAN without needing to (1) rewire the LAN to achieve Secure Zones, or (2) reconfigure IP addresses. This is possible due to the Virtual Zones and Split Subnetting features included in all Ranch devices. - Quality of Service i. Bandwidth Management / Traffic Shaping 1. Guaranteed, minimum, maximum, and burst bandwidth can be allocated based upon Source or Destination Zone, IP address (or range), MAC address, or Port number (or range). Thus it is possible to prioritize traffic on a per-user or per-application basis. 2. Bandwidth allocations can be either permanent or dynamic (only used when needed, and if not needed, it is shared) ii. Full support for end-to-end QoS can be provided by (1) setting TOS or DiffServ priority for outgoing traffic and (2) classification and prioritization of incoming traffic based on TOS or DiffServ. - Support for Voice-over-IP includes low latency, high throughput, Bandwidth Management, TOS / DiffServ, dynamic firewall control, Per-User Authentication, and the ability to segment voice devices into their own Secure Zone. - Load Balancing i. Load Balancing can be provided for multiple server groups (up to a total of 1024 server groups per Ranch device) ii. Common Load Balancing algorithms such as Round Robin, Weighted Round Robin, and Least Connections are provided. iii. Persistency can be provided via: Cookie, SSL, Client IP HTTP, HTTPs, FTP (active and passive) - Health Monitoring i. Any device with a reachable IP address, within the LAN or elsewhere, can be monitored via ICMP ping verification (Layer 3). If the device does not respond, an SNMP alarm/trap and/or Syslog message is sent. ii. TCP connection verification can be used to monitor devices with a reachable IP address and TCP enabled (Layer 4). iii. Link monitoring (Layer 2) is performed for links physically connected to Ranch device. iv. Web (HTTP) and FTP servers can also be monitored at Layer 7 v. An HTTP server can be requested to perform a database query into another server. If this database query is not successful an alarm will be sent. - Multicasting and Switching i. Layer 2-4 Switching is provided with VLAN support.

7 ii. Multicasting is based on RFC 1112/2236/2933 and is hardware assisted to provide up to 1 Gbps of Multicast traffic. - Accounting i. All Ranch devices have the ability to count packets and bytes so that network usage can be monitored or charged back to users. Traffic can be classified for Accounting purposes based on Source or Destination Zone, Source or Destination IP Address, Source or Destination Protocol Port, or other Protocol information. The number of packets (or bytes) corresponding to the classification specification are then counted. An external Accounting, Billing, or Network Management System can query the Ranch device periodically in order to read the counters and bill (or measure) users accordingly. Over a thousand Classification Categories can be defined. Monitoring of network usage can thus be performed by customer, application, user (or group of users), server (or group of servers), or network segment - Remote Management i. Currently two types of Remote Management are provided: a Web-based GUI (Graphical User Interface) and SNMP. ii. In January 2004 Ranch will be adding a third method of Remote Management which will be a PC-based tool. This tool will allow RN devices to be easily configured using a Drag and Drop user interface. The tool will also store Configuration Files for multiple RN devices, thus serving as a central repository for all Config Files.

8 The Advantages of This Approach This Ranch solution is advantageous over other alternatives in the following ways: - Unprecedented Value: Ranch Networks devices contain greater functionality for the price than any competitive product. - More robust internal network security: Ranch devices are specifically optimized for internal network security and provide more security between Zones than any competitive product. Some competitors say that they provide zones but typically there are not even separate firewalls between these zones, nor Denial of Service protection, nor most of the other security functions Ranch provides. - Lower Capital Expense: The cost of purchasing the separate products required to perform a similar set of functions is much more expensive. (up to 5-7 times more expensive depending on vendors and products used) - Lower Operating Expense: The cost of maintaining the separate products required to perform these functions is similarly much more expensive. These costs include vendor maintenance, software support, and technical support, internal staff time, training time, installation and configuration time, per-user licensing fees as users on the system increase, and network monitoring costs. - Ease of Upgrade: Ranch devices can be easily added as an overlay to upgrade an existing Data Center without needing to (1) rewire the Data Center to achieve Secure Zones, or (2) reconfigure IP addresses. This is possible due to the Virtual Zones and Split Subnetting features included in all Ranch devices.

9 - Higher Reliability: The presence of multiple devices instead of one decreases the reliability of the system since more boxes means more cables, more connectors, more power supplies, more fans, and more electronic components. The greater the number of these components, the more likely there will be a system failure. Increased Reliability and Performance Firewall Bandwidth Manager Load Balancer Switch Servers Traditional Approach Enterprise LAN Ranch Approach Enterprise LAN RN20 - Higher Performance: When a packet needs to traverse multiple devices, each device must process the packet up and down its own TCP/IP stack. With Ranch Networks patent-pending Single Pass Packet Scanning technology, each packet is only processed once, regardless of how many services (security, bandwidth, etc.) are applied to it. - Lower Complexity: Fewer boxes means less network complexity and fewer opportunities to make mistakes. Training can be standardized on a single user interface, rather than multiple. Providing redundant configurations in far easier. - A higher level of security than VLANs: VLANs do a great job of segmenting a network, but what happens when traffic needs to pass between VLANs? VLAN switches alone provide no security policies between VLANs, whereas Ranch provides all the security functionality described above. - A higher level of security than ACLs: Access Control Lists provide filtering of traffic to specific IP addresses. However ACLs alone provide a very low level of security: they are not Stateful, they provide no Denial of Service protection, they

10 do not include Per-User Authentication, nor do they provide many other functions that Ranch security provides. - Greater leverage of an IDS investment: Ranch selective mirroring allows customers to save money on their IDS deployments by reducing the per-port, per-leg, or per-user licensing they may otherwise be required to pay. An RN device also provides a powerful enforcement point so that an IDS can automatically stop an attack and isolate it. - Assist rather than impede application performance: Usually when security is increased on a network the availability and performance of applications is decreased so business productivity suffers. Because of Ranch s QoS support, Single Sign On support, high throughput, low latency, and application prioritization through bandwidth management, application performance is improved rather than impeded while network security is simultaneously increased. - Security can be matched to the areas of trust associated with a specific organization. - Complement and enhancement to host-based security: RN devices provide many security functions that host-based security does not: i. Denial of Service protection ii. Security for systems that may not contain adequate host-based security such as many Printers, IP Phones, Routers, Switches, PBXs, Network Attached Storage (NAS), PDAs and other devices with exotic Operating Systems. iii. Blockage of port scanning iv. Prevention of unauthorized access into a network segment v. Hiding of Operating System vulnerabilities vi. Protection of devices during patch management vii. Traffic mirroring to an IDS and enforcement for the IDS viii. Detection of malicious communication from an infected host ix. Easier management because there are many fewer enforcement points to configure (or misconfigure!), monitor, modify, and maintain.