The new perimeter
- 09 July, 2012 17:41
Back in 2008, guarding Motorola's perimeter was a lot simpler than it is today, recalls Paul Carugati, the company's information security architect. "It was OK to just open up [firewall] port 480 [to network traffic], because we knew that everything that ran over it was HTTP," he says.
But with the rapid growth of Web 2.0 applications, e-commerce environments and cloud services, he adds, "in 2010, that wasn't so true; in 2011, it wasn't true at all."
Management was continually questioning Carugati about the risk exposure related to a critical service or a social media environment, and the possibility of infiltration of the company's data through social media. Motorola's then-current firewall technology could trace users' IP addresses, but it could not track applications and so was unable to monitor which ones were exposed.
To address the issue, Motorola's security department added a next-generation firewall (NGFW) to its perimeter defense mix. In addition to traditional Layer 3 and Layer 4 firewall security, the platform can track outgoing and incoming traffic at the application level. This has brought huge gains in visibility, control and enforcement, Carugati reports. Now, it's clear "which apps are flowing through that egress environment, including apps we thought we weren't allowing outbound and ones we didn't know about," he says.
That visibility enables the security team to enforce far more granular security policies at the application level, rather than at the network protocol and port levels. Furthermore, management can now draw a far more accurate picture of the company's social network presence and interactions, for risk assessment and compliance with regulations such as PCI DSS, Carugati says.
NGFWs are just one way in which companies are revamping their defenses in response to new threat vectors that have grown out of businesses' growing use of and dependency on Web applications, social media, cloud computing, virtualization, wireless networks and mobile devices. These technologies continue to change the fundamental nature of business computing and communications.
As a result, the corporate boundary has become increasingly porous and difficult to define--some would even contend that it's nonexistent--rendering traditional notions of "protecting the perimeter" obsolete. Not that companies like Motorola have jettisoned traditional defenses, such as legacy firewalls, intrusion prevention and detection systems, antivirus and antispam programs, VPNs, and the like. Rather, they have started looking at perimeter defense in a more multileveled, multilayered way.
A Multilayered Perimeter Defense
Industry experts advise CSOs to take a defense-in-depth approach that deploys multiple layers of security, so that malware and other threats that slip by the first line of defense get caught by the second or third.
That means going well beyond traditional perimeter defenses--namely, network firewalls--which monitor and control traffic on the basis of source and destination IP addresses, network protocols and port numbers. That leaves them incapable of defending against the 60 percent to 70 percent of attacks that now occur at the application level, according to Jon Oltsik, senior principal analyst at Enterprise Strategy Group.
For example, a network firewall can accept HTTPS traffic and block HTTP traffic from the Internet to a Web server. Without app awareness, however, it cannot distinguish between customer and hacker HTTPS traffic, Oltsik says.
Smart CSOs are bolstering this first line of defense with technologies such as NGFWs and Web application firewalls (WAFs), which can perform deep-packet inspection and identify known hacker signatures and abnormal behavior.
NGFWs typically monitor inbound and outbound enterprise traffic, identifying malware that may be riding on top of a trusted link, as well as app-level end user activities that are inappropriate, risky or prohibited. WAFs specifically monitor traffic between Web clients and servers.
Polk, a leading provider of data and marketing services for the auto industry, has supplemented its traditional firewall with F5 Networks' Big-IP Application Security Manager. The WAF protects Web servers from common app-level attacks such as SQL injection, says Ethan Steiger, the company's CSO. This has saved the company from the expense of redeveloping a number of Web apps with known code-related vulnerabilities.
NGFWs and WAFs can also help with one of the biggest headaches for CSOs: the threat of hackers using social engineering and other techniques to exploit trusted sources such as employees, partners and customers who have access rights to sensitive portions of the corporate network.
The growing use of mobile devices and the social Web for business purposes has greatly exacerbated this problem, industry experts agree. Once a hacker gains access to an employee's client device, "all of a sudden you've got malware or a bot trying to communicate via an established connection, back out through your perimeter" to the hacker's control center, says Andrew McCullough, manager of information security for hotel chain operator Accor North America.
Accor's security team deployed an NGFW five years ago, when application-level attacks first started showing up, McCullough says. While such attacks were infrequent back then, their number "has gone through the roof" in the past year or two, he says.
An NGFW's ability to enforce security policies on a granular level is critical, given business users' growing dependence on the Web, and social networking in particular, Oltsik says. "A lot of people see [perimeter security] as an ingress problem, malware arriving on incoming traffic," he says. At least as important, though, is determining which websites users are visiting and whether they are known malware-distribution or command-and-control sites, McCullough says.
Rather than deny, say, the marketing group all access to Facebook, companies can use an NGFW to limit access to those apps that business users consider to be critical to their jobs, Oltsik says. "That's a perfect intersection of supporting and protecting business."
McCullough agrees. "Our marketing, purchasing and HR teams all use Facebook now, often for very valid reasons," he says. Rather than trying to block employees from using Web-based applications with proven business value, "our job is to wrap controls around those apps, so they can be used with as little risk as possible."
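The contrast the article draws between a port-level rule and an application-level one, worked through in code. This is an added example, not code from the article or from any vendor it names: the legacy rule decides on the destination port alone, while the application-aware rule reads the first client bytes of the flow (an HTTP request with a Host header, or a TLS ClientHello with an SNI extension), maps the hostname to an application, and applies the kind of per-group policy described above (marketing allowed Facebook, other groups not). The application catalogue, the user groups, the hostnames and the ClientHello builder are all constructed for illustration.

```python
"""Added example, not code from the article or any vendor named in it: a
port-based rule beside an application-aware one. The legacy rule sees only
the destination port. The app-aware rule reads the first client bytes of the
flow (an HTTP request with a Host header, or a TLS ClientHello with an SNI
extension), maps the hostname to an application, and applies a per-group
policy. The catalogue, groups and hostnames below are constructed."""
import struct

# Constructed catalogue: hostname suffix -> application label.
APP_CATALOGUE = {
    "facebook.com": "facebook",
    "fbcdn.net": "facebook",
    "dropbox.com": "dropbox",
}

# Constructed policy: applications each user group may reach outbound.
APP_POLICY = {
    "marketing": {"facebook"},
    "hr": {"facebook", "dropbox"},
    "engineering": set(),
}


def legacy_rule(dst_port):
    """Port-level rule: anything to 80 or 443 passes, whatever it carries."""
    return dst_port in (80, 443)


def http_host(payload):
    """Return the Host header of a plaintext HTTP request, or None."""
    head, sep, _ = payload.partition(b"\r\n\r\n")
    if not sep or len(head.split(b"\r\n")[0].split(b" ")) != 3:
        return None
    for line in head.split(b"\r\n")[1:]:
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"host":
            return value.strip().decode("ascii", "replace").split(":")[0].lower()
    return None


def tls_sni(payload):
    """Return the server_name from a TLS ClientHello, or None if absent/malformed."""
    try:
        if payload[0] != 0x16 or payload[5] != 0x01:   # handshake record, ClientHello
            return None
        pos = 5 + 4 + 2 + 32                            # record hdr, hs hdr, version, random
        pos += 1 + payload[pos]                         # session id
        pos += 2 + struct.unpack("!H", payload[pos:pos + 2])[0]  # cipher suites
        pos += 1 + payload[pos]                         # compression methods
        end = pos + 2 + struct.unpack("!H", payload[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            ext_type, ext_len = struct.unpack("!HH", payload[pos:pos + 4])
            pos += 4
            if ext_type == 0:                           # server_name extension
                p = pos + 2                             # skip server_name_list length
                while p + 3 <= pos + ext_len:
                    name_type = payload[p]
                    name_len = struct.unpack("!H", payload[p + 1:p + 3])[0]
                    p += 3
                    if name_type == 0:                  # host_name
                        return payload[p:p + name_len].decode("ascii").lower()
                    p += name_len
            pos += ext_len
    except (IndexError, struct.error, UnicodeDecodeError):
        pass
    return None


def build_client_hello(hostname):
    """Constructed minimal ClientHello carrying only an SNI extension (test input)."""
    name = hostname.encode("ascii")
    entry = b"\x00" + struct.pack("!H", len(name)) + name
    sni = struct.pack("!HHH", 0, len(entry) + 2, len(entry)) + entry
    body = (b"\x03\x03" + b"\x11" * 32 + b"\x00"       # version, fake random, no session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"         # one cipher suite, null compression
            + struct.pack("!H", len(sni)) + sni)
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def identify_app(payload):
    """Map the flow's first client bytes to a catalogue entry, else 'unknown'."""
    host = http_host(payload) or tls_sni(payload)
    for suffix, app in APP_CATALOGUE.items():
        if host and (host == suffix or host.endswith("." + suffix)):
            return app
    return "unknown"


def app_aware_rule(group, payload):
    """App-level rule: pass only catalogued apps the group is entitled to.
    Unknown traffic is denied, because a firewall that sees it as generic
    traffic cannot control it."""
    return identify_app(payload) in APP_POLICY.get(group, set())
```

The point of the pairing is that a beaconing bot on port 443 satisfies `legacy_rule` exactly as a customer's browser does, while `app_aware_rule` denies it because its hostname matches nothing in the catalogue. The same mechanism is why the catalogue must be kept current: a new service the firewall cannot name is "unknown" and falls into whichever default the policy applies to uncatalogued traffic.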
Too Many Eggs in One Basket?
Most leading NGFW vendors, including Check Point Software Technologies, Palo Alto Networks, Juniper Networks, Fortinet, F5 and, most recently, Cisco, combine traditional stateful firewall capabilities with a range of other functions, such as application-aware traffic monitoring, intrusion prevention and data loss prevention.
These multifunctional security gateways are considered either synonymous with or a subset of unified threat management (UTM), depending on whom you ask. The basic concept is the same: instead of purchasing, deploying and managing various perimeter defense mechanisms on separate appliances, a company can deploy a multilayered security strategy on a single hardware platform.
The main advantage of taking the UTM route is cost savings, sources agree. Products that are designed to handle one security function tend to be quite expensive, says Accor's McCullough. Intrusion-protection systems for a small organization can easily cost $10,000 or $20,000 a year, and for a large enterprise, annual costs can reach a quarter of a million dollars, he says. In contrast, that capability on an NGFW platform would be about $20,000 a year, according to McCullough.
Still, many CSOs remain leery of a single-vendor perimeter solution. Gartner's 2011 "Magic Quadrant for Enterprise Network Firewalls" report found that less than 5 percent of Internet connections were currently secured using NGFWs. That number will rise to 5 percent of the installed base, and 60 percent of new purchases by 2014, the report predicts.
Holding some CSOs back from taking the plunge is the cost of writing off legacy perimeter security devices. "Our infrastructure is incredibly expensive; it doesn't make business sense to replace it wholesale," says McCullough. Rather, his team is taking it slow, testing devices and planning to replace one existing set of firewalls with a more advanced product over the next year.
Best of Toolbox
Going with one vendor's all-in-one solution often means sacrificing functionality for cost savings, McCullough adds. "You don't get the best in class, in my opinion," he says. Accor purchases its antispam and antivirus products from specialized vendors.
Furthermore, once the device starts looking into the actual content of packets, "you need a beefier box," says Eric Maiwald, a research vice president at Gartner. "Add anti-malware and attack signatures, then DLP, and you need even more power." That's why UTM devices work best in locations where throughput requirements are lower, such as small companies and branch offices, he adds.
"When you talk about front-ending a bandwidth-heavy location like a data center, you usually need to have separate devices for different functions," Maiwald says.
Accor's NGFW runs on a hefty hardware platform, but the company has had to "take some very serious jumps [in capacity] in a very short time, in order to keep up with demand," says McCullough. The hotel chain uses one type of perimeter device with cut-and-dried access-control rules for the transport VPN, and a second one to enforce granular app-based security rules for traffic going to and from the data center, McCullough says.
Accor is likely to remain a multivendor shop for the foreseeable future, according to McCullough. "We never want to get to the point of using a single perimeter security device; we want a mesh of products." While this means complexity, and potentially more administrative headaches, the benefits include increased assurance and risk reduction. "A hacker that bypasses firewall vendor A gets stopped by vendor B," he says.
Virtual Data Centers, Virtual Firewalls?
Virtualization of the data center has "thrown an interesting wrench into the perimeter security works," says Gartner's Maiwald. Different levels of trust can exist on the same physical server, and conversely, virtualized applications can run on different virtual machines that reside on physical servers in different security zones.
Virtual server vendors like VMware, as well as leading NGFW vendors, now offer "virtual security controls" that create a "virtual perimeter behind the physical perimeter," says Oltsik of Enterprise Strategy Group. Such products can be configured to control access across security zones in a virtualized environment.
However, Oltsik says his company's research shows that many security and IT staffs are still learning how to use such tools. Among the issues they face is how to segment the two types of networks to make sure physical and virtual security devices are working in sync. Another is how to enforce security policies when applications and virtual machines keep moving from server to server.
Still, some enterprise CSOs are starting to make good use of such tools. McCullough's team recently moved critical applications into Accor's data center, where a virtualized firewall provides "the same protection as the perimeter, including the same level of app awareness and control and threat prevention," he says.
There are two main perimeter defense strategies for virtualized environments, each with trade-offs, according to Gartner's Maiwald. The first is to compress all zones into a single virtual environment. This provides the most resource allocation flexibility but eliminates cross-zone security, which is not ideal from a risk-management perspective.
The alternative is to make each zone its own virtual environment. This allows companies to keep existing firewall mechanisms and is the best choice for risk management, Maiwald says. The downside is that flexible resource allocation, which provides the bulk of virtualization's cost savings, is limited to servers within a given zone, he says.
At Polk, for example, "We try to treat our virtual hosts with the same level of control as our physical hosts," says Steiger. "This has meant moving intrusion prevention within the virtual network, so to speak," and limiting movement between some virtual hosts.
The company still gets direct value from its virtualization strategy, just not as much as would be possible without these safeguards.
Making and Managing the Rules
Keeping up with the ever-changing threat landscape is another major issue for companies working to protect the perimeter. While leading NGFW platforms come with tools for auditing and updating security rules and monitoring security events from a central console, most businesses currently have a mix of perimeter security products, not to mention network devices, which can make administering those policies a major headache.
Adding app awareness to the mix makes the task that much more complex and arduous, industry experts agree. "You want the ability to make granular access decisions on an app-by-app basis," says Oltsik. Furthermore, policies have to be regularly updated in order to keep up with major new social media services and apps, which show up on a daily basis. If your firewall sees these new entries as generic traffic, it cannot control them, Oltsik points out.
Companies are increasingly turning to third-party policy administration tools from vendors such as FireMon, RedSeal and Skybox Security. RedSeal's risk-assessment and policy-administration software scans for vulnerabilities and monitors the rules and configurations across Polk's collection of firewalls, network switches and routers, says Steiger. "It also helps us implement policies consistently across the network perimeter, according to best security and business practices."
"FireMon lets us track changes on various vendors' devices and monitor compliance from a unified system," says McCullough. This is especially key given that the security team at Accor's parent company has occasionally made changes to the division's perimeter security policies without notifying McCullough's staff first. On one occasion, this resulted in several hours of network downtime, he reports. "Now when a change happens, FireMon immediately alerts us and allows us to trace it back to the source."
FireMon also helped Accor tackle the huge task of rewriting its entire security rule base. "We found rules that were eight or 10 years old, whose owners weren't around anymore," McCullough says. Other rules were invoked only once every couple of months, but those times were important, he says.
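The three audit questions the last two paragraphs raise (which rules changed without notice, which rules have no owner left, and which rules have gone unused for so long that they deserve review) are small enough to show in code. The following is an added example, not the article's material and not FireMon's or RedSeal's code; it works on a constructed CSV export whose column names, rule ids, owners, addresses and dates are all invented for illustration. The idle threshold is deliberately longer than "a couple of months" so that rarely used but important rules are not flagged, and every function returns a list of rule ids for review rather than deleting anything.

```python
"""Added example (not the article's or any vendor's code): a minimal
firewall rule-base audit over a constructed CSV export. Column names,
rule ids, owners, addresses and dates are invented for illustration."""
import csv
import io
from datetime import date

# Constructed export: one rule per line, last_hit blank if never matched.
RULEBASE_BEFORE = """\
id,owner,created,last_hit,action,src,dst,service
10,alice,2004-03-02,,allow,10.1.0.0/16,any,tcp/8080
20,bob,2009-06-15,2011-12-20,allow,any,192.0.2.10,tcp/443
30,carol,2011-11-01,2012-07-01,allow,10.2.0.0/16,192.0.2.20,tcp/22
40,dave,2012-02-14,2012-04-30,allow,10.3.0.0/16,198.51.100.5,tcp/1433
"""

# The same rule base after an unannounced change: rule 30 removed,
# rule 40 widened to any source, ownerless rule 50 added.
RULEBASE_AFTER = """\
id,owner,created,last_hit,action,src,dst,service
10,alice,2004-03-02,,allow,10.1.0.0/16,any,tcp/8080
20,bob,2009-06-15,2011-12-20,allow,any,192.0.2.10,tcp/443
40,dave,2012-02-14,2012-04-30,allow,any,198.51.100.5,tcp/1433
50,,2012-07-08,,allow,any,any,any
"""

ACTIVE_OWNERS = {"bob", "carol", "dave"}  # constructed staff directory


def load_rules(text):
    """Parse an export into {rule id: row}, converting the date columns."""
    rules = {}
    for row in csv.DictReader(io.StringIO(text)):
        row["created"] = date.fromisoformat(row["created"])
        row["last_hit"] = date.fromisoformat(row["last_hit"]) if row["last_hit"] else None
        rules[row["id"]] = row
    return rules


def orphaned_rules(rules, active_owners):
    """Rules whose owner is blank or no longer in the directory."""
    return sorted(rid for rid, r in rules.items() if r["owner"] not in active_owners)


def stale_rules(rules, today, max_idle_days=180):
    """Rules idle longer than max_idle_days. A rule that has never matched
    counts as idle since its creation date. The default threshold is well
    above 'once every couple of months' so legitimately rare hits survive."""
    out = []
    for rid, r in rules.items():
        last_used = r["last_hit"] or r["created"]
        if (today - last_used).days > max_idle_days:
            out.append(rid)
    return sorted(out)


def diff_rulebases(before, after):
    """Return (added, removed, changed) rule ids between two snapshots;
    'changed' compares the match and action fields only."""
    fields = ("action", "src", "dst", "service")
    added = sorted(set(after) - set(before))
    removed = sorted(set(before) - set(after))
    changed = sorted(
        rid for rid in set(before) & set(after)
        if any(before[rid][f] != after[rid][f] for f in fields)
    )
    return added, removed, changed


def wide_open_rules(rules, rule_ids):
    """Among the given rules, those that match any source or any destination;
    these are the ones to trace back to a change request first."""
    return sorted(rid for rid in rule_ids if "any" in (rules[rid]["src"], rules[rid]["dst"]))
```

Run against the two constructed snapshots with `today = date(2012, 7, 9)`, the audit flags rule 10 as orphaned (owner gone) and rules 10 and 20 as stale, reports rule 50 added, rule 30 removed and rule 40 changed, and singles out 40 and 50 as the additions that now match any source. The output is a review list, not an action list: the article's point that some rarely invoked rules matter is exactly why a human owner, not the script, decides what gets removed.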