Secure Access Challenges

Secure access requirements are driven by the ongoing interplay of new business strategies and available IT technologies. Successful organizations realize that to survive and thrive they must constantly improve employee productivity, lower their operating costs, and enhance their relationships with business partners, consumers and governmental agencies. At the same time they must also comply with an expanding set of government regulations that impact their IT environment and operations.


Overall, the advances in devices, access networks, intranet/extranets, content management, application infrastructures, portal software, and new security solutions are enabling more users to perform more activities from different devices and locations, 24 hours a day. The idealized business/IT vision is a simple one: selective, flexible and secure universal access. This means organizations can easily implement security policies that define and vary user access privileges, enforce security compliance measures, and automatically block or prevent a broad range of network and application-level attacks. While the current industry focus is primarily on expanding and securing remote access, similar security technologies are already being applied to internal network access as well. In the not-too-distant future, business strategy will drive the actual capabilities implemented in individual business networks, and security will no longer be an economic and risk impediment to innovation.

The Breakaway Security Group expects multi-function access security gateways to play a major role in extended networks alongside complementary endpoint, network and server security products, but before they can, organizations must believe these gateways are sufficiently flexible, extendable, manageable and trustworthy. In 2006 VPN gateways will have evolved to a point where widespread adoption will be well underway. These systems will offer security functions and administrative tools far richer than those of earlier SSL VPN gateways.

Before describing the different types of security gateways that are now available, it is useful to review the wide variety of threats that a comprehensive security policy implementation should address. Naturally, the type and degree of protection that should be provided will vary by organization, but all should understand the nature of these threats before deciding on specific policies and solutions.

Access networks present countless opportunities for misuse by both authorized and unauthorized users, regardless of whether their device is remote or directly attached to the private network behind a perimeter DMZ. Therefore, Breakaway expects organizations will eventually deploy multi-layer security architectures that include similar security mechanisms across their entire intranets and extranets.


Source: Check Point Software Technologies, Inc.


End Point. Every user device represents a potential launching point for unauthorized access to internal applications and data, attacks on network operations, and for unauthorized viewing/collection of information residing on the end device. These attacks can be initiated either by direct users of the device or by others who remotely and illegally gain access to the device. Even though user devices are protected by personal firewalls, anti-virus software, and anti-spyware, the presence of these defenses does not guarantee endpoints are secure. New threats and variants appear continuously, and organizations cannot assume their users will religiously update their system and security software as new "fixes" become available. And even if they do keep their own device software updated, they can carelessly leave confidential data on shared private and public devices which they do not tightly control.

Organizations must also increasingly deal with a mix of managed and unmanaged devices. Some will be owned and tightly controlled by the IT staff. Others will be owned and controlled either by their employees or business partners. And others will be owned and administered by unknown parties, e.g., public kiosks. Each environment provides a different set of security challenges in terms of vulnerabilities and one's ability to "secure the device". An organization might outlaw the usage of peer-to-peer applications on corporate devices but have no such power on unmanaged devices.

Public Networks. The fixed and wireless internet has created enormous business benefits and vulnerabilities. Information that once flowed over private networks now moves through the air between devices and access gateways that can serve a corporate campus, cafe or city neighborhood. If left unprotected, both transmitted information and the actual communication sessions can be intercepted by diligent attackers.

Network Perimeter. Every organization that connects to the Internet is potentially exposed to externally launched, network-level and application attacks and most have deployed some perimeter defenses to protect their internal networks. Firewalls control inbound and outbound traffic using addresses and application protocols. Denial of service (DoS) protection prevents internal networks from being swamped by unauthorized traffic surges. And intrusion detection and prevention systems identify and block attempts to survey internal networks and gain entry to internal web servers, application servers and networking systems. Unfortunately, portable media and devices and wireless connectivity enable users to easily bypass perimeter security and directly attach to LAN-based, corporate devices.

Web, File and Application Servers. Since threats to private network resources are not limited to ones initiated from the outside, organizations typically protect these resources with internal defenses including DoS, network IDS/IDP and web application firewalls. Application-specific protections like email anti-virus are also widely used.

Additional Readings re: Common Security Vulnerabilities:

The SANS Institute annually publishes its Top 20 Internet Security Vulnerabilities. The SANS Top-20 is a living document. It includes step-by-step instructions and pointers to additional information useful for correcting the security flaws.

The Open Web Application Security Project (OWASP) maintains a Top 10 List of common critical web application security flaws. To learn more about what they are and how to protect against attacks that exploit them, visit their web site.

 
