Enterprise Security AN ALCATEL WHITE PAPER

Transcription

1 AN ALCATEL WHITE PAPER August, 2004

2 Introduction Despite all of the advances in security for enterprise networks, IT managers still lie awake at night worrying over new security threats. The perimeter firewall has proven necessary, but not sufficient. Even deploying several levels of defense around key assets in the network has not successfully repelled all attacks. This fact has become even more apparent in the aftermath of recent virus and worm attacks. Alcatel understands the danger of such attacks and how they can negatively affect corporate resources and productivity. Alcatel believes that it is time to evolve the traditional approach to security by using a security-in-depth model, which is a core component of Alcatel's CrystalSec security infrastructure, and extend it one step further. The goal is to create several additional security capabilities that reside within the networking infrastructure allowing all security layers to work together with external security devices such as intrusion detection systems (IDS/IPS) and firewalls. By integrating security functions within the LAN switch and allowing them to interact with external security measures, it is possible to provide a unified security front at every switched port that is capable of immediately detecting and neutralizing network attacks without sacrificing manageability, mobility, availability, or performance. Security Trends The consensus among industry analysts is that 98% of enterprise networks are equipped with firewalls. Still the number of reported "successful" attacks has been growing exponentially in the past few years. This is because most new attacks are taking a different approach and circumventing perimeter defenses. For instance, attackers are disseminating viruses and worms through applications where inattentive users activate the virus and infect their computer and eventually the entire network. Attackers may also find application flaws and activate them to gain unauthorized access to individual machines where passwords and information can be stolen. 200, , ,000 50,000 Incidents CERT Coordination Center Vanson Bourne Limited Trojans/Worms /Web Attacks Database Attacks Exploits Denial of Service Port/Network Scans IP Spoofing Besides external attacks, additional threats arise from attacks within a company or through wireless connections and other mobility devices that are designed to help employees gain access to corporate resources, but do not have the security they should. The shift in how networks are being used (i.e., WLAN and mobility) coupled with the new techniques that are being used to attack networks are proving that current security methods and technology need to be reevaluated. > 2 AN ALCATEL WHITEPAPER

3 Traditional firewalls are not enough To defend against the next breed of network attacks and protect enterprise networks as their nature changes, the focus must change from securing one or two perimeter connections, to a pervasive network-wide strategy where security functions are divided into components or layers. Security still needs to be deployed at the perimeter, but it must also be applied in front of resources (e.g., servers), in network hosts, and so on all the way to the core of a network. Each layer must provide its own security functions as well as work with adjacent layers to thwart the ever-increasing attacks on enterprise networks. Security best practices Deploying security in a network has taken many directions over the years, but it has always had the constant goal of finding the right place for a defense to be set up. Defenses include proactive and reactive ones using software and hardware solutions that are built into the network itself, or simply added to the network through an appliance or server. Experience has shown us that using a single strategy is applicable in specific configurations and situations, but the evolving nature of attacks often renders that type of approach ineffective. To have a pervasive security strategy you need a little of each type of strategy working in conjunction with each other to create a flexible and adaptable barrier against attack. As with all things, there must be a balance between security, cost, and usability. Optimal security often means that the entire network is so locked down that it becomes almost unusable, and many times an extremely expensive security infrastructure is not as secure as it needs to be. Alcatel's approach to security Alcatel takes a non-traditional approach by striking a balance between security, cost, and usability. Alcatel believes in securing the actual network infrastructure of a network through a layered defense called CrystalSec. CrystalSec is built upon layers of security deployed throughout the network from the user level to the core infrastructure. A layered approach to network security allows organizations to create multiple levels of defense around key assets. The result is security-in-depth such that a breech at one layer does not compromise the entire network. Even with multiple layers of security, each security measure still operates independently. Plus, many of the security measures are not enabled to react to a threat on their own, but are designed to alert an administrator who must then initiate a plan of action to resist the attack. While a layered security strategy is the industry's best practice today, one problem it shares with all multi-layered approaches is that many modern attacks occur faster than a manual response can react. The result is a network that is not as safe as it needs to be since an attack can be launched and be successful before an administrator can react. Furthermore, without communication between security layers, other layers may not detect or react to a security threat in time. AN ALCATEL WHITEPAPER 3 <

4 To address modern types of network attacks, CrystalSec's network security layers need to have a cooperative relationship where they communicate with each other and have enough intelligence to react to many different types of attacks in an independent, efficient, and effective manner. CrystalSec 2004 is the evolution of the original CrystalSec. It continues Alcatel's strategy that security needs to be extended to and deployed through multiple technologies, from the network core to the edge through a mixture of external appliances and security functions. All of which use open, standards-based technologies to reduce the overall complexity and cost of the security infrastructure. CrystalSec 2004 also views network and security interaction from the perspective of the LAN switch because it is the most common element by which all network traffic must travel and therefore is the most logical place to focus security efforts. From the perspective of the LAN switch, CrystalSec 2004 security should still be applied: IN the switch Security by default Denial of service defense Guaranteed bandwidth for management / traffic control TO the switch Role-based management Secure traffic support: SSH, SSL, SNMPv3 Intrusion management Vulnerability management THROUGH the switch High availability and continuous operation Secure network access Dynamic user partitioning Differentiated quality of service (QoS) The extension of CrystalSec into CrystalSec 2004 begins with the creation of additional network security functions. These functions are built into the networking and security infrastructures to bind security layers together through intelligence, creating a flexible and adaptable security model that is effective, efficient, and transparent to users. The Alcatel CrystalSec the progression of network security Extending the CrystalSec security model broadens the focus of security to include third-party devices and other security tools. The extended CrystalSec model divides network security into three areas: Embedded security Enabled security Managed security Each has its own unique strengths and weaknesses, but if they are deployed and configured to work together, they create a cooperative relationship such that the strengths of one will cover the weaknesses of another. This evolves the original CrystalSec infrastructure into CrystalSec > 4 AN ALCATEL WHITEPAPER

5 Managed Network Security Policy-based Management LAN access and VLANs (users, traffic type) QoS for network control protocols Policies that span multiple layers of multi-layer defense Security to the LAN switch Role-based management Secure traffic Intrusion management Enabled Security Security services integrating information from the security appliances/applications and LAN switch policies Preventing virus attack by integrating host Integrity Check and authenticated LAN access Containing virus attacks by integrating IDS and VLAN policies Embedded Security Security through and of the LAN switch VLAN Device hardening Protocol hardening Packet filtering Network partitioning High availability & redundancy Alcatel trusted networks go beyond a multi-layer defense with managed network security, enable network security and embedded network security. Embedded network security Embedded security pertains to functions that are naturally built into the switch such as VLANs, device hardening, protocol hardening, packet filtering, network partitioning, and authentication. Typically, embedded security is reactive to network conditions and activity such as port access. It also services user queries such as in the case of authentication. Embedded security is efficient and useful because it consists of functions that are built into the network or automated services as a matter of standard practice. Unfortunately, they have little to no visibility into other higher network layers and cannot react to a situation they were not originally configured to handle. Enabled network security Enabled security functions regulate access to the switch through devices that are external to the network infrastructure such as host integrity checks, intrusion detection and prevention systems (IDS/IPS), firewalls, and anti-virus scanners. Enabled security functions are both active and reactive. The active components can search out and stop network attacks before they start, such as in the case of a virus sent by , or they can react to an attack such as when an IDS/IPS detects suspicious activity and reports it to an administrator. Each security tool can stop many attacks individually, but no one tool has a comprehensive way of following up and actually dealing with the root of the problem. For instance, if a user's computer is infected with a virus and is sending out infected s while probing the network for other potential victims, the network can stop the scanning and stop the virus by detecting the suspect traffic through a firewall or an IDS/IPS. A firewall can stop the scanning from getting to other parts of a network but it cannot stop the AN ALCATEL WHITEPAPER 5 <

6 computer from probing computers on the same network segment and infecting them. An IDS/IPS can only alert an administrator who then turns off the access port. Neither security layer is able to eliminate the virus or update the software on the infected computer. There are ways to compensate for such a lack of coverage in this example by implementing a host integrity check to stop users from logging onto the network if they have not installed anti-virus or firewall software. However, if the user is denied access to the network, how can they get the software? They can't unless someone physically installs it from a CD or other media. This problem is magnified when dealing with remote or mobile users. Although user-unfriendly at times, it's clear from this example that enabled security is effective. One drawback is that enabled security only deals with the symptoms of the problem, not the root cause. As with embedded security, enabled security has the reverse problem in that it has little visibility or control over lower levels of the network. Even with multiple security techniques and multiple layers, if the techniques work in isolation, there are still gaps in the security infrastructure, which leads to tangible problems with user productivity. The solution is to allow the different layers of security to interact with each other. This is the beginning of a proactive security strategy that fills the security gaps, yet is transparent to the average user and removes roadblocks to productivity. However, without intelligence, cooperative security layers are severely limited in their usefulness. Managed network security provides the intelligence needed to allow the security infrastructure to make automated decisions based on the network administrators' needs. OmniSwitch AAA Server Internet Authentication Traffic Secure Communications Remote Administrator > 6 AN ALCATEL WHITEPAPER

7 Managed network security Traditional managed security provides a way to monitor and regulate traffic to and through the switch. It is useful to gather network metrics and react to detected attacks, but often relies on an administrator to respond to alerts and therefore creates a window of opportunity for an attacker to strike before the network can react. The addition of security policies saves time by automating many tasks that previously would require administrator intervention and greatly increases the accuracy of security by eliminating user error. For instance, when managing ports within a network, it is possible to create a policy that allows or denies access to the network based on media access controller (MAC) addresses. Without management, every switch in the network would have to be configured manually with MAC addresses and policies. Management software allows an administrator to automate the task of updating the switches and reduces the opportunity for input error. By broadening the focus away from the LAN switch, Alcatel provides a more flexible way for network administrators to implement security on their network. A standards-based approach also helps to get away from a single manufacturers proprietary solution, ultimately creating a more secure, modular network while saving time and reducing the overall operating expense of the network. CrystalSec 2004 links the embedded, enabled, and managed security functions together to create a cohesive security solution and closes the gaps that were open in previous implementations of a layered security strategy. Alcatel CrystalSec 2004 What is Alcatel CrystalSec 2004? Alcatel CrystalSec 2004 is an extensible model that combines active and reactive network components, security components (servers, appliances), and the management functions of both. Alcatel CrystalSec 2004 creates a secure environment where the essential pieces of the security infrastructure are working together to create flexible, adaptable, and proactive barrier to thwart security threats while minimizing the impact on network performance and remaining transparent to the users. Proactive managed security If you look at all the pieces of the puzzle, each part has a compelling set of tools to use to secure the network. The problem is when they are not integrated; holes appear in the security fabric that allows clever attacks to slip through. How do you combine the elements of enabled, embedded, and managed security to mend the holes? The most elegant solution is to use policies. Managed security has successfully used policies to manage network infrastructures because they are a semi-automated way to react to network conditions as explained in the managed security section. However, policies can use input from other devices - all you need is a way to feed the management system the information. Therefore, it becomes possible to use enabled security devices to gather information about the network that they cannot affect (such as in the case of an IDS/IPS) and relay it to the management system. The information can then be applied to policies to control the embedded security features that already exist in the devices of the network infrastructure (VLAN, secure network access). AN ALCATEL WHITEPAPER 7 <

8 This proactively contains and eliminates security threats that cannot be handled by enabled security and makes policies the glue that unifies the security front. Another benefit of security policies is that they can be quickly applied network wide through the management system with razor-like accuracy, minimizing the window for an attack to find an alternate route through the network. Policies unify embedded, enabled, and managed security in the proactive Alcatel CrystalSec The Alcatel CrystalSec 2004 evolves to always meet security needs because of its open, standards-based approach and its open-ended modular design. It offers integrated host integrity check and network authentication as well as active intrusion prevention through network response. Preventing virus attacks by integrating host integrity check and network authentication Alcatel believes that the seamless integration of network access control (also known as network authentication) and host integrity checking is key to automatically enforcing host security policies and hence preventing most virus and worm attacks. Alcatel's approach is two-fold: The first piece is through virtual local area network (VLAN) capabilities that Alcatel pioneered and offers in its LAN switch product family. VLANS give users the ability to log onto the network and be placed into an authorized VLAN based on their credentials; effectively controlling who accesses the network and the resources, they have access to. The second piece of the solution is using a server to provide host integrity check services. Through the network authentication transaction, the host integrity enforcement server collects information about the host including the operating system version and service pack, anti-virus version, anti-virus signature file, personal firewall version, which is compared to the enterprise security policies. If the host complies with the security policies, it will be authorized onto the network and given access to the authorized resources. If the host does not comply with the security policies, it will be placed into a quarantine VLAN, also called a penalty VLAN. In that VLAN, the host is able to update itself with the Sequence of Events User authenticates using 802.1x (authenticator is workgroup switch) Authentication message includes user name and password Authentication message includes host integrity status (OK or not OK) Authentication request reaches the proxy authentication server Checks integrity status (check is OK) Forwards authentication information to RADIUS RADIUS authenticates and sends VLAN information Authorization is sent to switch User is placed in VLAN User is monitored Unique If Host Integrity is not OK, user is placed in quarantine VLAN / Remediation VLAN Client Integrity Agent End Stations 802.1x Switches Management Server Data Center Switch Client Integrity Server Radius Server Critical Resources Alcatel supports cooperative defense in two ways. First, our products are standards based enabling our reseller and end-users to build multivendor solutions using standards' interfaces. Second, we have integrated the purchasing, installation, and service of products supporting the integration of information from host integrity check with actions by the LAN switch in our own product portfolio. > 8 AN ALCATEL WHITEPAPER

9 required anti-virus signature files, operating system patches, etc. Once the host is updated, the authenticated process happens and the host is placed into the authorized VLAN. In effect, the VLAN/host integrity check solution ensures that the entire security and infrastructure investment is at work before allowing access to the corporate network. Each computer is checked and verified to be in a trusted state before being allowed network access. To be in a trusted state, the end point must first be authenticated through VLAN access. The endpoint must also conform to network policies such as requiring anti-virus, personal firewall, and intrusion prevention products to be turned on, be the correct version, and have the latest signature files or policies applied, thereby ensuring each endpoint is fully protected before being allowed to connect to the network. Containing virus attacks by integrating information from an intrusion detection system (IDS/IPS) with action by the LAN switch The porous perimeter of modern networks allows attacks from viruses, worms, and Trojan horses to infect individual computers that are not outfitted with current anti-virus protection. In addition, with the proliferation of mobile access technologies, unauthorized access to the network can instantly place a rogue device on a network. Once a vulnerable computer or server is compromised, an infection can spread rapidly throughout all unprepared systems. To an administrator, this is a nightmare to repair. The best approach is prevention, however, it is a daunting task to verify that all systems are properly updated given that there may be thousands of systems in a network. Because of the large number of systems to manage, it is inevitable that one or more them will eventually become vulnerable. For example, the deployment of an intrusion prevention system (IPS) and an IPS deployed in line before critical servers can protect the server. However, the IPS in line before the server cannot protect the PC or IP phone, or every other device on every port in the network. The deployment of IDS and IPS systems are a good way to detect suspicious activity through traffic signatures and locate the infected machine manually with available tools. Unique Sequence of Events Infected station attacks server (e.g. port scan) IDP identifies the attack and source of attack IDP notifies OmniVista of type of attack and source of attack Trap appears and Network administrator is offered pre-determined responses Shut down faulty user port Create ACL on (port / VLAN / Switch / Network) Move faulty MAC to quarantine VLAN (Network wide) Client Integrity Agent Automated Quarantine Engine!!! Attack detected!!! You can: - Shut down faulty user port - Create an ACL - Move faulty MAC to quarantine 4 IDP 5 Response is activated in the network End Stations p Switches Data Center Switch Critical Resources Attack Containment through LAN switch Response AN ALCATEL WHITEPAPER 9 <

10 Unfortunately, the use of manual tools does not always provide a quick enough response and may result in a cat and mouse game around the network as the infection jumps from system to system. What is needed is a way for the IDS/IPS to interact directly with the LAN switches to quickly detect and automatically isolate infected computers so they can be dealt with before they can find and infect other vulnerable systems. Alcatel has devised a way to implement the concepts of Alcatel CrystalSec 2004 by allowing an IDS/IPS to pass information to the OmniVista network management system. OmniVista works with the integrated Automatic Quarantine Engine (AQE) to apply policies to place the infected system into a penalty VLAN where it can no longer infect the rest of the network. Once the infected system is isolated, the network administrator is notified and given choices on how to handle the infected system. By leveraging managed, embedded, and enabled security and allowing them to communicate, the Alcatel CrystalSec 2004 security infrastructure becomes a flexible, proactive solution that can significantly increase the protection from viruses, worms, and Trojan horses. Conclusion The implementation of the Alcatel CrystalSec 2004 strategy is a transition from the layers of security approach that protected certain portions of the network to a blend of network and security infrastructures working together in a cooperative, layered defense. Through this blended approach, security measures reach further than individual security measures alone and responds faster through automated policy based security enforcement. Such pervasive and cooperative security supports user access or mobility and seeks to minimize the impact security has on network resources. The open-standards nature of the Alcatel CrystalSec 2004 allows it to be flexible with existing network configurations and security deployments to reduce the need for additional capital expenditure and eases the transition to an enhanced security infrastructure. Moreover, the introduction of specific strategies maximizes protection against viruses, worms, Trojan horses, and other types of attacks and therefore, innately reduces network down time. All of this is accomplished through the Alcatel CrystalSec 2004's host integrity checking and integrated intrusion detection system strategy, and is just the beginning of the portfolio Alcatel provides to defend modern enterprise networks. For more information on Alcatel and its products and strategies please visit: > 10 AN ALCATEL WHITEPAPER

11 Alcatel West Agoura Road Calabasas, CA USA Contact Center (800) US/Canada (818) Outside US Product specifications contained in this document are subject to change without notice. Contact your local Alcatel representative for the most current information. Copyright 2004 Alcatel Internetworking, Inc. All rights reserved. This document may not be reproduced in whole or in part without the expressed written permission of Alcatel Internetworking, Inc. Alcatel and the Alcatel logo are registered trademarks of Alcatel. All other trademarks are the property of their respective owners. P/N /04