Breaking Away From Traditional VLAN Model
All things change, and we change with them, goes the ancient Chinese proverb. There could not be a more fitting way of describing the challenges IT directors are faced with in 2006 as they tackle day-to-day obstacles in keeping corporate networks secure and safe for business.
With new security vulnerabilities emerging by the hour, a more imaginative approach is required if the question of information security is to be addressed on a fully end-to-end basis. Against some predictions, security has remained the number one concern for CIOs.
To counter the numerous threats, organisations must provide diversity of defence with threat protection and remediation at all levels, from the data centre itself to the edge device and the application.
The security challenge posed by the dramatic increase in the number and diversity of end devices connecting to the network is clearly identified in the technology pages. These challenges are driving the need to apply security within the network infrastructure itself, independent of - and in addition to - the point or perimeter security platforms already deployed, which may include firewalls and anti-virus software.
As private and public organisations alike seek to implement ambitious new technology projects requiring increasingly sophisticated IP-based devices and applications - from the much referenced take-up in IP telephony to less obvious examples such as security cameras, PDAs, Wi-Fi voice handsets and HVAC systems - IT directors have an interest in staying one step ahead of the game.
Unfortunately, traditional infrastructure technologies that have been optimised for moving data are presenting a stumbling block in the drive to locate, isolate and contain security threats. Over the last decade these technologies - specifically switching and routing technologies - have lived up to their promise in terms of increased performance and the addition of extra features and functionality. In their overall architecture, however, and in relation to security, they have remained largely unchanged.
Within these networking communication devices, security has for too long been limited to the tried and tested Access Control List (ACL). The ACL has been a central feature of the network since the early 1990s. Today, platforms that apply ACLs matched to Virtual LANs (VLANs) in a network architecture design are severely restricted in providing the level of control necessary to combat current and future evolving security threats.
Applying an ACL - a set of permit/deny rules associated to an IP interface configured on a physical port or set of ports and mapped to a VLAN - is an inadequate security mechanism when considering the breadth of devices and applications supported in the more complex communications infrastructures in use today. ACLs are simply a list of permit/deny rules relating to either a MAC address, IP address or socket number, usually identifying a particular host or device, and either permitting or denying access through a routed network. These rules have generally been applied to logical router interfaces bound to a physical port, rather than to the physical ports themselves.
The security architecture must include provisioning parameters capable of providing granular, application specific, behavioural policy control independent of the number of devices or users connected to a physical port, and most importantly, independent of the VLAN or IP subnet or network prevalent on that port. It is the independence of VLAN association that allows network policy controls to be specific to device type or user groupings, without the need to overcomplicate the communications infrastructure by restricting certain user, application or device types to particular VLANs.
The traditional approach of applying ACL control to VLANs contributes to a lack of mobility throughout the network and an overly complex VLAN model where each security threat, device type or technology can only be controlled effectively by grouping into a specific VLAN with associated ACLs.
However, with this dramatic growth in the number of device types and applications now supported on the typical corporate network, allied to the need for security and bandwidth provisioning for each, the VLAN has ultimately become something of a barrier to deploying effective security for all device types and applications. This feat simply cannot be achieved without a dramatic increase in the number of VLANs within a network.
Using VLANs for security containment presents additional challenges - namely the increased operational overhead in having to configure multiple VLANs network-wide, requiring additional time and network expertise. More restrictive, though, is the lack of protection between device traffic within the same VLAN. If a virus or worm infects a host in a VLAN, the malicious code can propagate throughout that VLAN freely without any real-time protection.
VLAN technology has been applied in networking for many years and is fundamentally a broadcast containment technology, rather than a security technology. Because VLANs were originally designed as a broadcast containment mechanism, they cannot be relied upon to act as the perfect security mechanism. The VLAN will continue to be a vital component within a communications infrastructure; however, in the current environment, organisations should be looking to embrace a more flexible security model rather than a vehicle that has traditionally been dependent on the simple association of ACLs with VLANs.
VLANs can today be used for security, but with the increase in the number of multi-modal devices connecting to the network, the VLAN security model lacks the flexibility of providing end-to-end security whilst keeping the network topology practically manageable and efficient from a support perspective. Containment is usually applied when it is desirable to group certain users, protocols or applications together often within a single broadcast domain.
The grouping of users this way into VLANs, manageable via an easy to use configuration tool, has been common practice within network infrastructure solutions for a number of years, helping to reduce the costs of moves and changes and allowing multiple networks to co-exist within layer 2 environments without the need for physical network separation. A policy enabled infrastructure supporting multi-layer frame classification policies applied at the physical port level offers the same or greater level of granularity as an ACL but can be associated with multiple device types and applications independent of VLAN association on the port the device is connected to.
Additional parameters such as port rate limiting and packet prioritisation for Class of Service (CoS) traffic expediting can be included within the same policy, reducing the amount of configuration required in associating the same traffic controls to separate VLANs. A security architecture using policy controls per port rather than VLAN ACLs offers greater flexibility in real-time security response mechanisms. For example, in the event of a DoS or DDoS attack, any intrusion that involves a dramatic increase in traffic through the network can be identified and prevented from achieving its negative impact at the port of ingress.
Using functions such as dynamic port policy assignment, rate limiting and flow set-up throttling, expected traffic behavioural patterns can be enforced through the control of traffic specific to a port either by applying a restrictive policy, controlling the bandwidth associated with the port itself through rate limiting or by reducing the number of new flows set up on a particular port. Dynamic policy assignment, and the other methods explored in this white paper, do not require a new VLAN ID to be associated to the port in order to apply a new restricted set of rules.
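As an added illustration, and not Enterasys's or the author's code nor any real switch's policy language, the following Python toy models the port-level controls described above: multi-layer deny rules, a port rate limit, flow set-up throttling and dynamic reassignment to a restrictive quarantine policy, all keyed on the ingress port and never on the VLAN tag. The port numbers, addresses, thresholds and traffic are constructed for the example.

```python
from dataclasses import dataclass, field

@dataclass
class Frame:                     # what the ingress port sees; vlan is carried but never consulted
    port: int; vlan: int; src_ip: str; dst_ip: str; proto: str; dst_sock: int; size: int; t: float

@dataclass
class PortPolicy:
    name: str
    deny: list = field(default_factory=list)   # multi-layer deny rules as (field, value) pairs
    rate_bytes_per_s: int = 10_000_000         # port rate limit
    new_flows_per_s: int = 1000                # flow set-up throttle

@dataclass
class PortState:
    policy: PortPolicy
    window: int = -1                           # one-second window currently being counted
    bytes_seen: int = 0
    flows: set = field(default_factory=set)

QUARANTINE = PortPolicy("quarantine", deny=[("proto", "tcp")], rate_bytes_per_s=64_000, new_flows_per_s=5)

def classify(frame, state):
    """Verdict for one frame on its ingress port: deny rules, then flow throttle, then rate limit."""
    pol = state.policy
    if int(frame.t) != state.window:           # new second: reset the port's counters
        state.window, state.bytes_seen, state.flows = int(frame.t), 0, set()
    if any(getattr(frame, fld) == val for fld, val in pol.deny):
        return "deny"
    flow = (frame.src_ip, frame.dst_ip, frame.proto, frame.dst_sock)
    if flow not in state.flows:
        if len(state.flows) >= pol.new_flows_per_s:
            return "throttle-flow"
        state.flows.add(flow)
    state.bytes_seen += frame.size
    return "rate-limit" if state.bytes_seen > pol.rate_bytes_per_s else "permit"

def run(frames, ports):
    """Enforce per-port policy; a port that trips the flow throttle is dynamically
    reassigned to QUARANTINE, with no change to the VLANs present on it."""
    verdicts = []
    for f in frames:
        v = classify(f, ports[f.port])
        if v == "throttle-flow":
            ports[f.port].policy = QUARANTINE
        verdicts.append((f.port, f.vlan, v))
    return verdicts

def default_ports():             # constructed: port 7 keeps a low flow cap, port 9 a low byte rate
    return {5: PortState(PortPolicy("default")), 7: PortState(PortPolicy("default", new_flows_per_s=20)),
            9: PortState(PortPolicy("camera", rate_bytes_per_s=1500))}

def sample_frames():             # constructed traffic, not a capture
    f = [Frame(5, 10, "10.1.1.20", "10.1.1.50", "udp", 5060, 200, 0.1),   # IP phone on VLAN 10
         Frame(5, 20, "10.1.2.30", "10.1.2.9", "tcp", 443, 1500, 0.2),    # PC on the same port, VLAN 20
         Frame(9, 30, "10.1.3.8", "10.1.3.1", "udp", 554, 1000, 0.5),     # camera within its rate limit
         Frame(9, 30, "10.1.3.8", "10.1.3.1", "udp", 554, 1000, 0.6)]     # second frame exceeds 1500 B/s
    # one host on port 7 opening 30 new TCP flows within a second: the traffic pattern the policy contains
    f += [Frame(7, 20, "10.1.2.77", "10.1.1.50", "tcp", 1000 + i, 60, 0.3 + i / 100) for i in range(30)]
    return f
```

Port 5 carries two VLANs and both pass under one policy, port 9 is rate-limited on its second frame, and port 7 is throttled on its 21st new flow and then quarantined, all without touching a VLAN ID.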
With a centralised policy control mechanism, policy changes can be pushed out to all network devices at once, represented in management terms by an automated single click equals a thousand actions response. Pushing out updated policy controls to network devices should not impact significantly on the network support function. Today's sophisticated threats call not only for a fresh approach to securing devices within the VLAN, but for a more granular and easily managed platform through which the finer details of security policy can be controlled and, most importantly, effected in a timely manner.
With virus writers and hackers changing tactics constantly, enterprises must make the effort to understand how and why they must maintain a quicker pace than those who would seek to do them harm. The devastating effect a simple DDoS attack can have through an unprotected physical port demonstrates well how even the most dated, well-known and heavily documented methods of attack can cripple day-to-day business operations without preventative action. By contrast, measures such as port rate limiting demonstrate how simple the necessary preventative action can be, and how the advent of the IP network can be embraced without fear.
Nick Williams, Enterasys Networks
BIOS, Jun 15, 06 | Posted In Networking