LAYERED NETWORK SECURITY: A best-practices approach

Prepared by: Mitchell Ashley, VP of Engineering & CIO, Latis Networks, Inc.
January 2003

Reducing your risk has never been this easy.

StillSecure TM White paper
© 2003, Latis Networks, Inc. All rights reserved.

Table of Contents
Introduction (p. 2)
Increasing the hacker’s work factor (p. 2)
The layered-security model (p. 2)
Level 1: Perimeter security (p. 3)
  Pros (p. 3)
  Cons (p. 3)
  Considerations (p. 3)
Level 2: Network security (p. 4)
  Pros (p. 5)
  Cons (p. 5)
  Considerations (p. 5)
Level 3: Host security (p. 5)
  Pros (p. 6)
  Cons (p. 6)
  Considerations (p. 6)
Level 4: Application security (p. 6)
  Pros (p. 6)
  Cons (p. 6)
  Considerations (p. 6)
Level 5: Data security (p. 7)
  Pros (p. 7)
  Cons (p. 7)
  Considerations (p. 7)
StillSecure network security products: pillars of the layered approach (p. 7)
  Border Guard: Protects you from the cost of malicious attacks (p. 7)
  VAM: Assessment and management that continuously ensures network security (p. 8)
Defending against common threats and attacks (p. 9)
Conclusion (p. 10)

Layered Network Security: A best-practices approach 1 of 10 StillSecure TM

About the authors
Mitchell Ashley is Vice President of Engineering and CIO of Latis Networks, Inc. He is responsible for product strategy and development of the StillSecure ™ suite of network security software. Mr. Ashley brings to Latis Networks and its customers more than 20 years of experience in data networking, network security and software development. Mr. Ashley is a graduate of the University of Nebraska, with a Bachelor of Science degree in Computer Science and Business Administration.

Latis Networks, Inc.
361 Centennial Parkway, Suite 270
Louisville, CO 80027
P: [303] 381-3800
F: [303] 381-3880
www.stillsecure.com

© 2002-2003 Latis Networks, Inc. All rights reserved. Latis, the Latis logo, StillSecure and the StillSecure logo are trademarks of Latis Networks, Inc. All other trademarks are the property of their respective owners. The products and services listed may not be available in all regions.
INTRODUCTION
Network security is now a mission-critical concern for enterprises, government agencies, and organizations of all sizes. Today’s advanced threats from cyber-terrorists, disgruntled employees, and hackers demand a methodical approach to network security. In many industries enhanced security is not an option — it’s mandatory. Recently enacted federal regulations require organizations such as financial institutions, health care providers, and key federal agencies to implement stringent security programs to protect digital assets.

This paper introduces you to a layered approach for securing your network. The layered approach is both a technical strategy, espousing that adequate measures be put in place at different levels within your network infrastructure, and an organizational strategy, requiring buy-in and participation from the board of directors down to the shop floor. The layered-security approach centers on maintaining appropriate security measures and procedures at five different levels within your IT environment:
1. Perimeter
2. Network
3. Host
4. Application
5. Data

In this paper, we’ll define each of these levels and provide an overview of the various security measures that operate on each. Our goal is to provide a foundation-level understanding of network security and suggest a best-practices approach to protecting digital assets. Our target audience includes IT professionals, business managers, and high-level decision-makers.

Protecting your proprietary information does not require magic or unlimited funds. With an understanding of the overall problem, creating both a strategic and tactical security plan can be a straightforward exercise. Furthermore, with the best-practices approach introduced in this paper, you can erect effective barriers without breaking your budget.

INCREASING THE HACKER’S WORK FACTOR
Network security professionals speak in terms of “work factor,” which is an important concept when implementing layered security.
Work factor is defined as the effort required by an intruder to compromise one or more security measures, which in turn allows the network to be successfully breached. A network with a high work factor is difficult to break into, while a network with a low work factor can be compromised relatively easily. If hackers determine that your network has a high work factor, which is a benefit of the layered approach, they are likely to move on and seek networks that are less secure — and that’s exactly what you want them to do.

The security technologies discussed in this paper collectively represent a best-practices approach for securing your digital assets. In an ideal world you would have the budget and the resources to implement all the measures we discuss. Unfortunately, most of us don’t live in an ideal world. As such, you should evaluate your network — how it is used, the nature of the data stored, who requires access, its rate of growth, etc. — and then implement a blend of security measures that provides the highest level of protection given your available resources.

THE LAYERED-SECURITY MODEL
Figure 1 presents the layered-security model and some of the technologies that function at each level. These technologies are discussed in more detail in the sections that follow.

Figure 1. The security levels in the layered approach and the technologies that function on each.
Security level: Applicable security measures
1. Perimeter: Firewall; Network-based anti-virus; VPN encryption
2. Network: Intrusion detection/prevention system (IDS/IPS); Vulnerability assessment (VA) tools; Access control/user authentication
3. Host: Host IDS; Host VA; Anti-virus; Access control/user authentication
4. Application: Host IDS; Host VA; Access control/user authentication; Input validation
5. Data: Encryption; Access control/user authentication

LEVEL 1: PERIMETER SECURITY
The perimeter is the first line of defense from outside, untrusted networks. The perimeter acts as the first and last point of contact for security defenses protecting the network. It is the area where your network ends and the Internet begins. The perimeter consists of one or more firewalls and a set of strictly controlled servers located in a portion of the perimeter referred to as the DMZ (demilitarized zone). A DMZ typically contains the Web servers, email gateways, network anti-virus, and DNS servers that must be exposed to the Internet. The firewall has strict rules about what can enter the inside network as well as rules about how servers in the DMZ can interact with the Internet and the inside network.

The network perimeter, in short, is your gateway to the outside world and, conversely, the outside world’s gateway to your network. A compromised network perimeter can cripple your ability to conduct business. For example, if your organization relies on your Web servers for revenue generation, and those servers have been hacked and are off-line, you lose money for every minute they are down. The following technologies provide security at the network perimeter:
• Firewall — A firewall is typically installed on a server connected to the inside and the outside of the network perimeter (see Figure 2). A firewall performs three general functions: 1) traffic control, 2) address translation, and 3) VPN termination. The firewall performs traffic control by examining the source and destination of all incoming and outgoing network traffic; it ensures that only permissible requests are allowed through. Additionally, firewalls help secure the network by translating internal IP addresses to IP addresses that are visible to the Internet. This prevents the disclosure of critical information about the structure of the network inside the firewall. A firewall can also terminate VPN tunnels (discussed below).
These three capabilities make a firewall an indispensable part of your network security.
• Network-based anti-virus — Installed in the DMZ, network-based anti-virus software compares incoming and outgoing email message content to a database of known virus profiles. Network-based anti-virus products block infected email traffic by quarantining suspicious and infected email messages and then notifying recipients and administrators. This prevents email infected with a virus from entering and spreading across your network, and it prevents your network from spreading virus-infected email. Network-based anti-virus is a complement to anti-virus protection performed on your email server and individual desktop computers. To work effectively, the database of known viruses must be kept up to date.
• VPN — A virtual private network (VPN) uses high-level encryption to create a secure connection between remote devices, such as laptops, and the destination network. It essentially creates an encrypted ‘tunnel’ across the Internet, approximating the security and confidentiality of a private network. A VPN tunnel can terminate on a VPN-enabled router, firewall, or server within the DMZ. Enforcing VPN connections for all remote and wireless network segments is an important best practice that is relatively easy and inexpensive to implement.

PROS
These well-established perimeter-level technologies have been available for many years, and most IT professionals are well acquainted with their capabilities and operational requirements. Therefore, they are relatively straightforward and cost-effective to implement. A range of vendors offer solid solutions for these technologies, and most are reasonably priced.

CONS
Because these systems are quite basic and have been available for some time, most sophisticated hackers have figured out ways around them.
An anti-virus tool, for example, cannot detect a virus unless it already has that virus’s signature, nor can it detect a virus embedded within an encrypted file. Although VPN provides effective encryption, it does impose an administrative burden on your IT staff, as encryption keys and user groups must be managed on an ongoing basis.

CONSIDERATIONS
The complexity of your network architecture can have a considerable impact on the effectiveness of these technologies. Multiple external connections, for example, would likely require multiple firewalls and anti-virus instances. Architecting all of your connections to terminate in a common area allows a single instance of a given technology to provide effective coverage.

Figure 2. A typical firewall installation.

The types of devices located in your DMZ are also an important factor. How critical are these devices to your business? The higher the criticality, the more stringent the security measures and governing policies for these devices must be.

LEVEL 2: NETWORK SECURITY
The network level of the layered-security model refers to your internal LAN and WAN. Your internal network may include desktops and servers or may be more complex with point-to-point frame relay connections to remote offices. Most networks today are fairly open behind the perimeter; once inside, you can travel across the network unimpeded. This is especially true for most small- to medium-size organizations, which makes them tempting targets for hackers and other malicious individuals. The following technologies provide security at the network level:
• Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs) — IDS and IPS technologies analyze traffic moving across your network in much greater detail than your firewall.
Similar to anti-virus systems, IDS and IPS devices analyze traffic and compare each packet to a database of known attack profiles. When attacks are detected, these technologies take action. IDS tools alert your IT staff that an attack has occurred; IPS tools go a step further and automatically block the harmful traffic. IDSs and IPSs have many characteristics in common. In fact, most IPSs have an IDS at their core. The key difference between the technologies is implied by their names: IDS products only detect malicious traffic, while IPS products prevent such traffic from entering your network. Standard IDS and IPS network configurations are shown in Figure 3.

Figure 3. Typical IDS/IPS installations (panels: Intrusion detection system (IDS); Intrusion prevention system, out-of-band configuration; Intrusion prevention system, in-line configuration).

• Network vulnerability assessment (VA) — VA tools scan devices on a network for flaws and vulnerabilities that could be exploited by hackers or harmful traffic. VA systems typically maintain a database of rules that identify known vulnerabilities for a range of network devices and applications. During a network scan, the VA tool tests each device/application by applying the appropriate rules. The process outputs a list of discovered vulnerabilities, which can then be assigned to IT staff for remediation.
• Access control/authentication — Access control entails authenticating users who access your network. Authentication is typically performed against the user information in RADIUS, LDAP, or Windows Active Directory. Both users and devices should be controlled by access control measures at the network level.

Note: In this paper we discuss access control and authentication at the network, host, application, and data levels of our layered security framework.
A considerable amount of overlap and interaction commonly exists among the access control/authentication schemes that function across these levels, and authentication can be passed from one level to the next. Such interaction is usually transparent to the user. While we discuss these concepts briefly in upcoming sections, keep in mind that access control and authentication are sophisticated processes that should be carefully managed to provide maximum security throughout the network.

PROS
IDS, IPS, and VA technologies perform sophisticated analyses on network threats and vulnerabilities. Where your firewall allows or disallows traffic based on its ultimate destination, IPS and IDS tools conduct a much deeper analysis and, therefore, provide a higher level of protection. With these advanced technologies, attacks embedded in ‘legitimate’ network traffic, which can get through a firewall, will be identified and potentially terminated before damage occurs.

VA tools automate the process of checking your network for vulnerabilities. Performing such checks manually — with the frequency required to ensure security — would be highly impractical. Also, networks are dynamic. New devices, application upgrades and patches, and adding and removing users can all introduce new vulnerabilities. VA tools allow you to scan your network frequently and thoroughly for newly introduced vulnerabilities.

CONS
Intrusion detection systems (IDSs) have a tendency to produce numerous false alarms, also referred to as false positives. While an IDS will likely detect and alert you to an attack, such information could be buried under a mountain of false-positive or trivial data. IDS administrators can quickly become desensitized to the sheer volume of data produced by the system. To be effective, an IDS must be closely monitored and continually fine-tuned to the usage patterns and vulnerabilities discovered in your environment.
Such maintenance typically consumes a fair amount of administrative resources.

The level of automation within intrusion prevention systems (IPSs) can vary significantly among products. Many must be carefully configured and managed to reflect the traffic patterns characteristic of the network on which they are installed. Possible side effects of non-optimized performance include terminating legitimate user requests and locking out valid network resources.

Access control technologies may have technical limitations. For example, some may not work with all the devices on your network, so you may need multiple systems to provide the necessary coverage. Also, multiple vendors market access control systems, and functionality can vary greatly among products. Implementing an integrated solution across your network may be difficult. Such a patchwork, multi-product approach may actually introduce additional vulnerabilities to your network.

CONSIDERATIONS
The success of network-level security measures is somewhat dependent on the speed of your internal network connections. Because IDS/IPS and VA tools can consume resources on the networks they protect, increased connection speeds will minimize the impact they have on overall network performance. In implementing these technologies you must consider the trade-off between improved security and ease of use, as many of these products must be continually managed to perform effectively, and they may make it less convenient to move around on the network. Keep in mind the ongoing evolution of your network when assessing these technologies. Scalability may be an issue on rapidly expanding and highly dynamic networks.

LEVEL 3: HOST SECURITY
In the layered-security model, the host level pertains to the individual devices, such as servers, desktops, switches, routers, etc., on the network. Each device has a number of configurable parameters that, when set inappropriately, can create exploitable security holes.
These parameters include registry settings, services (applications) operating on the device, or patches to the operating system or important applications. The following technologies provide security at the host level:
• Host-based intrusion detection systems (IDSs) — Host-based IDSs perform similarly to network IDSs — the key difference being that they monitor traffic on a single network device. Host-based IDSs are fine-tuned to the specific operational characteristics of the host device and therefore provide a high degree of protection when properly administered.
• Host-based vulnerability assessment (VA) — Host-based VA tools scan a single network device for security vulnerabilities. Host-based VA tools are fine-tuned to the devices they monitor. They are extremely accurate and make minimal demands on the host’s resources. Because they are configured specifically for the host device, they provide an excellent level of coverage when properly administered.
• Anti-virus — Device-specific anti-virus applications provide an additional layer of protection when used in conjunction with network-based anti-virus tools.
• Access control/authentication — Access control measures at the device level are a best practice that ensures device access is granted to authorized users only. Again, there is likely to be a high level of interaction between network access-control measures and host access-control measures.

PROS
These host-based technologies provide excellent protection because they are configured to meet the specific operational characteristics of a single device. Their accuracy and responsiveness to the host environment allow administrators to quickly identify which device settings require updating to ensure secure operation.

CONS
Host-based systems can be extremely time-consuming to deploy and manage.
Because they need to be continually monitored and updated, they often consume an inordinate number of man-hours to manage properly. Installation is often difficult, and a considerable effort is often required to fine-tune them to the host device. Also, the more operating systems you have on your network (i.e., the more heterogeneous the network), the more expensive a host-based approach becomes, and the more difficult these devices are to manage. Also, with a large number of host-based security devices on a network, the number of alerts and false positives can be enormous.

CONSIDERATIONS
Because of their expense and administrative overhead, host-based devices should be deployed judiciously. Many organizations install these measures only on the ‘crown jewels’ of their network.

LEVEL 4: APPLICATION SECURITY
Application-level security is currently receiving a great deal of attention. Poorly protected applications can provide easy access to confidential data and records. The hard truth is that most programmers don’t code with security in mind. This is a historical problem with many commercial off-the-shelf (COTS) applications. You may become aware of security shortcomings in the software, yet you may be powerless to correct them.

Applications are being placed on the Web for access by customers, partners or even remote employees with increasing frequency. These applications, such as sales force, customer relationship management, or financial systems, can provide a ready target to individuals with malicious intent. Therefore, it is especially important to impose a comprehensive security strategy for each network application. The following technologies provide security at the application level:
• Application shield — An application shield is frequently referred to as an application-level firewall. It ensures that incoming and outgoing requests are permissible for the given application.
Commonly installed on Web servers, email servers, database servers, and similar machines, an application shield is transparent to the user but highly integrated with the device on the backend. An application shield is finely tuned to the host device’s expected functionality. For example, an application shield on an email server would likely be configured to prohibit an incoming mail message from automatically launching any executables, because that is not a typical or necessary email function.
• Access control/authentication — Like network- and device-level authentication, only authorized users are able to access the application.
• Input validation — Input validation measures verify that application input traveling across your network is safe to process. Although this is crucially important for Web-based input, any interaction between people and a user interface can produce input errors or be exploited if the proper security measures are not in place. In general, any interactions with your Web server should be considered unsafe. As an example, consider a Web form with a zip code field. The only acceptable input for this field should be five characters, digits only. All other input should be denied and produce an error message when submitted. Input validation should occur at multiple levels. In this example, JavaScript could initially perform browser-based validation on the client side, while CGI-bin validation controls could be put in place on the Web server. Additional rules of thumb include:
– Filter keywords. Common command-related terms, such as “insert,” should be checked for and prohibited.
– Only accept data that’s expected for a given field. For example, a 75-character first name is not standard input.

PROS
Application-level security measures enhance your overall security posture and allow you to better control your applications.
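The input-validation rules of thumb above (a five-digit zip code, a bounded first name, filtering of command keywords), applied on the Web server side as the paper recommends. This is an added example, not code from the paper or from Latis Networks; the field names, the 40-character first-name limit, and the keywords beyond “insert” are assumptions.

```python
import re
from urllib.parse import parse_qs

# Allowlist per form field, following the paper's rule "only accept data that's expected
# for a given field". The zip rule is the paper's own (five characters, digits only).
# The first-name rule and its 40-character cap are assumptions, chosen so that the
# paper's 75-character first name is rejected. fullmatch() is used rather than a '$'
# anchor so that a trailing newline cannot slip past the check.
FIELD_RULES = {
    "zip": (re.compile(r"[0-9]{5}"), "must be exactly five digits"),
    "first_name": (re.compile(r"[A-Za-z][A-Za-z' \-]{0,39}"),
                   "letters, apostrophes, hyphens or spaces only, at most 40 characters"),
}

# Command-related terms the paper suggests filtering ("insert" is the paper's example;
# the rest are assumed). A denylist like this is only a secondary check: it runs on
# values that have already passed the allowlist, never instead of it.
COMMAND_KEYWORDS = re.compile(r"\b(insert|select|update|delete|drop|exec)\b", re.IGNORECASE)


def validate_field(name, value):
    """Return a list of error strings for one field; an empty list means the value is acceptable."""
    if name not in FIELD_RULES:
        return ["unexpected field"]        # anything the form did not ask for is rejected
    pattern, description = FIELD_RULES[name]
    if not pattern.fullmatch(value):
        return [description]
    if COMMAND_KEYWORDS.search(value):
        return ["contains a command keyword"]
    return []


def validate_query_string(query):
    """Validate a raw CGI-style query string as received by the Web server.

    Returns a dict mapping field name -> list of errors. An empty dict means every
    expected field is present, supplied exactly once, and passes its allowlist rule.
    """
    parsed = parse_qs(query, keep_blank_values=True)   # percent-decodes and splits on '&'
    errors = {}
    for name in FIELD_RULES:
        if name not in parsed:
            errors[name] = ["missing"]
    for name, values in parsed.items():
        if len(values) != 1:
            errors[name] = ["supplied more than once"]  # duplicate parameters are ambiguous
            continue
        problems = validate_field(name, values[0])
        if problems:
            errors[name] = problems
    return errors


if __name__ == "__main__":
    # Constructed sample submissions: the paper's two examples plus a few edge cases.
    samples = [
        "zip=12345&first_name=Ada",
        "zip=1234&first_name=Ada",
        "zip=12345-6789&first_name=Ada",
        "zip=12345%0A&first_name=Ada",
        "zip=12345&first_name=" + "A" * 75,
        "zip=12345&first_name=Insert+Here",
        "zip=12345&zip=54321&first_name=Ada",
        "zip=12345&first_name=Ada&comment=hello",
    ]
    for query in samples:
        result = validate_query_string(query)
        print(("accept " if not result else "reject ") + query[:50], result)
```

The same rule table can be shipped to the browser for the client-side pass the paper describes, but the server must run these checks on every submission regardless of what the client reports, since the client-side pass can be skipped.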
They also provide a higher level of accountability as many of the actions monitored by these measures are logged and traceable.

CONS
Implementing comprehensive application-level security can be an expensive endeavor as each application and its host device must be assessed, configured, and managed individually. Also, retrofitting a network with application security can be a daunting and impractical task. The earlier you can implement policies for incorporating these measures, the more efficient and less expensive the process will be.

CONSIDERATIONS
The key considerations are prioritizing your applications and planning for the long term. Implement security on the applications where you’ll get the most bang for your buck. Long-term planning allows you to implement security measures in a controlled way as your network grows and avoids the additional expenses that retrofitting will likely require.

LEVEL 5: DATA SECURITY
Data-level security entails a blend of policy and encryption. Encrypting data where it resides and as it travels across your network is a recommended best practice because, if all other security measures fail, a strong encryption scheme protects your proprietary data. Data security is highly dependent on organization-wide policies that govern who has access to data, what authorized users can do with it, and who has ultimate responsibility for its integrity and safekeeping. Determining the owner and the custodian of the data lets you identify the appropriate access policies and security measures that should be applied. The following technologies provide security at the data level:
• Encryption — Data encryption schemes are commonly implemented at the data, the application, and the operating-system levels. Almost all schemes involve encryption/decryption keys that all parties accessing the data must have.
Common encryption strategies include PKI, PGP, and RSA.
• Access control/authentication — Like network-, host-, and application-level authentication, only authorized users are given access to the data.

PROS
Encryption provides a proven method for safeguarding your data. Should intruders compromise all other security measures on your network, encryption provides a final, effective barrier protecting your proprietary information and intellectual property.

CONS
There is overhead associated with encrypting and decrypting the data, which can result in significant performance impacts. Also, key management can become an administrative burden in large or growing organizations.

CONSIDERATIONS
In-depth data encryption must be carefully managed. Encryption keys must be set and synchronized for all affected devices and applications. As such, a fair amount of management overhead is required for an effective encryption program.

STILLSECURE NETWORK SECURITY PRODUCTS: PILLARS OF THE LAYERED APPROACH
Latis Networks’ StillSecure line of network security products can provide the foundation for an effective layered-security approach. The StillSecure line includes:
Border Guard — a highly automated, user-friendly family of network intrusion prevention products.
VAM — a family of network-based vulnerability assessment tools that bring workflow management to the remediation process.

If you currently have security measures in place on your network, StillSecure products leverage your existing security investments and greatly enhance your overall security. If you have little or no network security in place, StillSecure products provide immediate security and give you a running start on building a comprehensive layered-security system. The following sections introduce you to these best-of-breed products.
BORDER GUARD: Protects you from the cost of malicious attacks
Latis Networks developed the StillSecure Border Guard family of IPS products to protect networks from attack and, through a high level of automation, reduce the IT resources required to operate a secure network. Operating on both the perimeter and the network levels of the layered security model, the Border Guard family can protect a variety of network architectures and includes:
Border Guard Standard — Border Guard Standard works in concert with your existing firewall to block attacks.
Border Guard Gateway — Border Guard Gateway, which has traffic-blocking functionality built in, is ideal for perimeter defense and for securing traffic behind the firewall, such as extranet connections to satellite offices and suppliers.
Border Guard Wireless — Border Guard Wireless is designed specifically for wireless networks. It prevents intruders from compromising your network through notoriously insecure wireless access points.

Border Guard products plug the most dangerous security holes on your network. Each product:
• Automatically blocks incoming attacks using Dynamic Attack Suppression TM technology, which reduces IT man-hours spent on security and protects your network 24/7/365.
• Includes automatic rule updates, ensuring protection and eliminating the need to manually research and integrate the latest attack profiles.
• Learns to gauge the response to suspicious traffic, greatly reducing the number of false positives.
• Provides detailed reporting to satisfy management and auditors.
• Employs an easy-to-use, entirely Web-based interface.

Figure 4 shows how Border Guard products are typically installed. With attack rules that can be updated as frequently as every hour, Border Guard products stop even the latest attacks.
Through Intelligent Attack Profiling TM, each Border Guard installation characterizes the traffic moving across the network and learns how to best respond to anomalous patterns — by terminating the traffic, sending alerts, or allowing access. As a result, false positives are greatly reduced and the need for manual interaction is minimized. When interaction is required, Border Guard products can notify you via email or pager, send an SNMP trap or execute a custom script. This level of automation dramatically reduces the administrative burden on your IT staff.

Each product includes a robust database that logs all network activity, and the built-in, drill-down reporting engine offers a wide range of customizable, actionable reports. The products’ at-a-glance, Web-based interface is managed by the StillSecure Console, which lets you control all instances of Border Guard products installed on your network from a single user interface.

VAM: Assessment and management that continuously ensures network security
Latis Networks developed its VA tool, VAM (Vulnerability Assessment and Management), to not only identify all network vulnerabilities, but to manage and validate the vulnerability repair process as well. VAM comprises three integrated products:
Server VAM — scans servers, routers, switches, and firewalls.
Desktop VAM — scans for vulnerabilities specific to desktops, laptops, and printers.
Remote VAM — scans Internet-visible servers, routers, switches, and firewalls.

Collectively, VAM products assess and manage vulnerabilities on all segments of your network. Figure 6 shows a typical VAM installation. Each VAM product includes:
• Exclusive Intelliscan TM technology, which automatically determines which scan rules are appropriate for each device.
• The built-in VAM Vulnerability Repair Workflow TM.
• Automatic scan rule updates.
• Variable scanning frequency based on device importance.
• Detailed reporting to meet the needs of IT staff, management, and auditors.
• Easy-to-use, entirely Web-based interface.

VAM effectively addresses many of the threats that the firewall is incapable of detecting. Through its regularly scheduled and automated scanning process, VAM identifies any vulnerabilities introduced by mobile devices or through risky practices such as application downloads, instant messaging, and peer-to-peer connections. It also scans for vulnerabilities inherent in third-party applications, which hackers readily seek to exploit.

VAM’s comprehensive vulnerability database, which can be updated automatically as often as every hour, enables the system’s depth and flexibility of scanning. This library of scan rules includes research and advice to help you determine how to repair specific vulnerabilities.

The VAM built-in Vulnerability Repair Workflow tracks and assigns security vulnerabilities from identification to repair, ensuring accountability in the repair process. It makes remediation an integral part of the vulnerability assessment. For your IT staff, VAM allows for a variety of access privileges based upon a user’s role relative to the detection, repair, and verification process.

VAM logs all scan and repair activities, and includes a comprehensive reporting engine that delivers customizable reports appropriate to specific audiences — board members, auditors or regulators, executives or fellow IT professionals. VA tools have traditionally been seen as one-dimensional products used and understood only by network specialists. Server VAM introduces much-needed management tools to VA technology, transforming VA from a solely technical process to a business process vital to an organization’s success.

Figure 4. Typical Border Guard product installations. (Figure residue: Standard deployed inside and outside the firewall; Gateway; Wireless at a remote office and on the wireless network.)

Figure 6. A typical StillSecure VAM installation. All three VAM products can be installed on a single machine and managed from one user interface. The shading indicates the coverage each VAM product provides.

DEFENDING AGAINST COMMON THREATS AND ATTACKS

Figure 6 demonstrates how the layered-security approach protects against common threats and attacks. The figure shows how each level plays a key role in contributing to comprehensive, effective network security. The shaded regions indicate where Border Guard and VAM products function in the layered-security model. The common threats presented in Figure 6 include:

• Web server attacks — Web server attacks encompass a wide variety of problems with nearly every Web server available. From simple page defacement, to remote system compromise, to a complete denial of service (DoS), Web server attacks are one of the most common attacks today. Code Red and Nimda are well known Web server attacks.
• Unauthorized Internet mail relaying — Improperly configured Internet email servers are a common cause of email spam. Many spam-generating companies specialize in finding these servers and send hundreds if not thousands of spam messages through them.
• System-level remote host compromise — A number of vulnerabilities provide an attacker with [...] control is at the system level, giving the attacker the same privileges as the local system administrator.
• Unauthorized P2P / IM usage — Most corporations have in place an acceptable-use policy that prohibits the use of peer-to-peer (P2P) applications as well as instant messaging (IM) applications. Each type of application poses various significant threats to the corporation such as remote exploitation of [...] IM application itself, or improper allocation of corporate resources in regard to the bandwidth being used.
• Unauthorized Internet services available — The ability to easily deploy a Web server or other Internet service on one’s desktop poses a potential threat due to the risk of unintentional information disclosure. Often such services go undetected, all the while operating under the radar of most organizations.
• Virus activity detection — While anti-virus (A/V) software is particularly adept at detecting viruses, A/V software is not designed to detect virus activity. Be it a new service available for remote control or an active process searching for other hosts to detect, a network IDS deployment is well suited to detect this type of activity.

Figure 7. Each level contributes to the security of your network. Functioning on levels 1 to 4, StillSecure products defend against these common threats and others, as the shaded regions indicate. (Figure residue: a matrix of the common network attacks listed above (Web server attacks, unauthorized Internet mail relaying, system-level remote host compromise, unauthorized P2P / IM usage, unauthorized Internet services available, virus detection) against the levels 1. Perimeter, 2. Network, 3. Host, 4. Application and 5. Data, with columns for Border Guard, Border Guard Wireless and VAM (Server, Desktop, Remote). P = Prevents: Border Guard prevents the attack. D = Detects: VAM detects the enabling vulnerability and prevents attack through remediation.)

CONCLUSION

Hackers and cyber terrorists are launching network attacks with increasing frequency and sophistication. The traditional approach to security — namely a firewall combined with an anti-virus — is incapable of protecting you from today’s advanced threats. You can, however, erect a formidable [...] by implementing network security using a layered approach. By selectively installing security measures on five levels within your network environment (perimeter, network, host, application, and data), you can adequately protect your digital assets and greatly reduce your exposure to a catastrophic network breach. Latis Networks’ StillSecure line of intrusion prevention and vulnerability assessment products [...] which an effective layered security strategy can be erected.
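The "Unauthorized Internet services available" and "Virus activity detection" items in the threat list above describe what a network IDS, rather than A/V software, is positioned to catch: a host actively searching for other hosts, and a service that appears on a host without being provisioned. As an added example (not code from the paper or from any StillSecure product), the Python below runs both checks over a constructed flow log; the log lines, the baseline of known listeners, and the fan-out threshold of 5 are assumptions chosen for illustration.

```python
from collections import defaultdict, namedtuple

Flow = namedtuple("Flow", "ts src dst dport replied")

# Constructed sample flow log (timestamp src dst dst_port replied); not data from the paper.
# 10.1.1.20 probes six neighbours on port 80 (worm-style host searching), then
# answers on 5900, a port it never served during the baseline period.
SAMPLE_LOG = """\
10:00:01 10.1.1.20 10.1.1.7 80 y
10:00:02 10.1.1.20 10.1.1.8 80 n
10:00:02 10.1.1.20 10.1.1.9 80 n
10:00:03 10.1.1.20 10.1.1.10 80 n
10:00:03 10.1.1.20 10.1.1.11 80 n
10:00:04 10.1.1.20 10.1.1.12 80 n
10:00:05 10.1.1.31 10.1.1.7 80 y
10:00:06 10.1.1.31 10.1.1.50 443 y
10:00:07 10.1.1.60 10.1.1.20 5900 y
10:00:08 10.1.1.61 10.1.1.20 5900 y
"""

# Ports on which each host answered inbound connections in a trusted baseline window.
# Constructed for the example; in practice it is learned from historical flow data.
BASELINE_LISTENERS = {"10.1.1.7": {80}, "10.1.1.50": {443}}

def parse_flows(text):
    """Parse whitespace-separated flow records, skipping blank lines."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, replied = line.split()
        flows.append(Flow(ts, src, dst, int(dport), replied == "y"))
    return flows

def find_host_searchers(flows, fanout_threshold=5):
    """Sources that contacted at least fanout_threshold distinct hosts on one port.
    Unanswered attempts count too: a propagating worm mostly hits closed ports."""
    peers = defaultdict(set)  # (src, dport) -> distinct destinations contacted
    for f in flows:
        peers[(f.src, f.dport)].add(f.dst)
    return sorted((src, dport, len(dsts)) for (src, dport), dsts in peers.items()
                  if len(dsts) >= fanout_threshold)

def find_new_listeners(flows, baseline):
    """Hosts that answered on a port absent from their baseline: a service that
    appeared without being provisioned, such as a remote-control backdoor."""
    return sorted({(f.dst, f.dport) for f in flows
                   if f.replied and f.dport not in baseline.get(f.dst, set())})
```

On the sample log, `find_host_searchers` flags 10.1.1.20 fanning out to six hosts on port 80, and `find_new_listeners` flags the unexpected 10.1.1.20:5900 service while ignoring the probed hosts that never answered.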