Chapter 1. The Weakest Link: Internal Network Security

This chapter covers the following topics:

The rapid spread of e-commerce, e-learning, and e-business coupled with the growing reliance on information technology (IT) as a business enabler brings new information security challenges to organizations, including the following:

  • Increased vulnerability-based attacks, which can cause large-scale business disruptions and directly result in productivity loss.
  • Diminished security boundaries resulting in an increase in unauthorized access and internal attacks. The lack of an established security boundary increases an organization's risk of suffering the loss of intellectual property and disclosure of confidential information.
  • Regulatory and compliance laws requiring specific security policies and procedures.
  • Security policy enforcement challenges for clients connecting to the internal networks.
  • Limited IT security budget and resources to counter the growing and complex security threats.

With today's security challenges and threats growing more sophisticated, perimeter defense alone is no longer sufficient. Organizations need to have internal security systems that are more comprehensive, pervasive, and tightly integrated than in the past. The purpose of this chapter is to make clear the internal security risks and challenges that drive the need for a solution such as Cisco Network Admission Control (NAC) Appliance.

Cisco NAC Appliance, formerly known as Cisco Clean Access, provides a powerful host security policy inspection and enforcement mechanism designed to meet these new challenges. Cisco NAC Appliance allows organizations to enforce their host security policies on all hosts (managed and unmanaged) as they enter the interior of the network, regardless of their access method, ownership, device type, application set, or operating system. Cisco NAC Appliance provides proactive protection at the network entry point. It allows for pervasive and in-depth security defenses throughout an organization's internal infrastructure with multiple points of protection. Cisco NAC Appliance integrates with current and advanced security products and technologies and serves as a critical component in an organization's overall security strategy.

Security Is a Weakest-Link Problem

Information security is commonly characterized as a weakest-link problem. The information you are trying to protect is only as secure as the weakest entry point to that information. Today's networks provide multiple access points to users in the form of virtual private network (VPN), wireless, dial-in, business-to-business (B2B) connections, web portals, and traditional onsite access to name but a few. Hardly any organizations today are closed entities with well-defined security perimeters. This leads to the concepts of ubiquitous access and perimeterless networks. Gone are the days when we had a nicely defined network security perimeter made up of a firewall that guarded against unauthorized access from the Internet. The rapid spread and adoption of e-commerce, B2B commerce, outsourcing, wireless, and VPN remote access have all helped to bring about the transformation of how we look at defending our networks and the information they contain. The demand to make network resources and information easily accessible will result in exposure to higher security risks. Security architecture is changing from a point defense perimeter approach to a defense-in-depth self-defending network design. Although this architecture change is happening, most networks are currently in the transition or adoption stage.

Today, networks are most secure at their traditional network perimeter: the Internet-facing access points. However, the security of the internal networks behind those impressive perimeter fortress walls is sorely lacking. By and large, after users gain access to the internal networks, they have free and unrestricted network access. In addition, a robust trust model usually exists between internal resources such as servers, applications, and databases. The model typically exists to make it easier to share information between systems and users.

The problem is that the trust model does not take into account who or what actually needs to be trusted; it defaults to trusting everything. Yes, these resources are located internally, but the same internal network that has very limited security in place has seen a dramatic increase in the number of entry points into it, and it gives everyone who connects free and unrestricted access. This is certainly a cause for concern. Internal network security is the weakest link in most organizations' network security architecture. IBM recently reported in a survey of 600 IT managers that 75 percent of respondents believed that threats to corporate security now come from within their own organizations.

Note

You can find information on the IBM survey at http://www.networkworld.com/news/2006/031406-ibm-survey-cybercrime.html.

The results from the 2006 CSI/FBI Computer Crime and Security Survey show the risks and damages that result from a breach of internal network security. The survey shows that 68 percent of respondents reported losses caused by insider threats. It also shows that insider abuse of the network ranks third among the most frequently reported attack types, with unauthorized access to information in fourth place; viruses and theft of laptops took the first and second spots, respectively. The results of this survey draw attention to the pervasive lack of internal network security controls in today's organizations. This chapter provides an overview of the security threats and enforcement challenges common in the internal networks of today's organizations.

Note

You can find the 2006 CSI/FBI Computer Crime and Security Survey at http://i.cmpnet.com/gocsi/db_area/pdfs/fbi/FBI2006.pdf.

Hard Outer Shell with a Chewy Inside: Dealing with Internal Security Risks

Virtually every network today has a firewall in place to filter traffic coming from the Internet. In fact, most organizations have a robust set of outer defenses. These typically include one or more demilitarized zones, intrusion detection or intrusion prevention systems, spam filters, VPN concentrators, and antivirus scanners. These outer defenses are in place to protect the organization from very high-risk environments such as the Internet. The problem is that these defenses are virtually no help if an attacker, virus, or worm gains access to the internal networks behind the outer defenses.

Most organizations have extremely limited security on their internal networks. The same robust outer defenses just do not exist internally. The reasons for this deficiency vary, but typically include the following:

  • It seems too expensive, does not scale, and is overly complex.
  • The perceived threat risk to the internal network is low.
  • Too much internal security could impede business continuity requirements.

What organizations are starting to discover, however, is that the risk associated with having little or no security controls on their internal networks is becoming unacceptable. The previous reasons given to justify the lack of internal security are not holding up anymore. Because organizations have invested so heavily over the past several years in beefing up the security of their outer perimeters, the number of viruses and worms getting through from the Internet has greatly decreased. Given that security is a weakest-link problem, it comes as no surprise that organizations are increasingly finding that most of their virus or worm outbreaks originate from an internal or remote access source. Due to the proliferation of mobile, contract, and guest users needing access to the internal networks of organizations, it is very common for an outbreak to spread from a nonemployee or noncorporate PC. Additionally, most corporations are moving from desktop PCs to laptop PCs for their employees. This increase in mobile devices elevates the risk that hosts will become infected while offsite and introduce that virus back into the corporate network.

The vast majority of internal networks have no mechanisms in place that would allow an organization to control who can gain access to the internal network, what the security posture of the host they are using is, and based on these results determine what network rights the user will be granted. These three security controls are essential for properly locking down a network. They have existed for years on the network perimeter, but they are just now starting to make their way into the internal networks. It is startling that you can walk into almost any organization, sit down in an empty cube or office, plug into an Ethernet jack with your PC, and gain complete unrestricted access to the network. In too many cases this is true for wireless access as well, either because of lack of awareness or because an employee set up a rogue access point.

To proactively defend the internal networks from malicious users and virus and worm outbreaks, any security controls implemented must be able to do the following:

  • Control who is allowed access: This is typically done by forcing the user to log in or authenticate before network access is granted. This authentication could be in the form of a username and password or, for devices that cannot log in, a known MAC address. Keep in mind that a MAC address is trivially spoofed, so anything admitted on that basis alone should receive only a narrowly scoped level of access.
  • Determine whether the connecting client meets your host security requirements: The goal is to reduce your exposure to viruses and worms by checking the host's security posture. This typically involves making sure that the host has up-to-date operating system patches, antivirus software, and antispyware software, and that a virus or worm is not actively infecting it.
  • Quarantine any host that does not meet the host security requirements: While in network quarantine, the host is given only the minimum network access required to patch and come up to compliance.
  • Control the amount of network access given to a connecting client: The goal is to restrict network access, as much as is practical, to only those resources that the user truly needs. The amount of network access is typically determined based on the user's identity and the security posture of the user's host.

You must implement these network admission controls pervasively throughout your internal network for them to be effective. All clients trying to gain access to the internal network resources, by whatever means, must first be authenticated, authorized, and have their posture assessed as described earlier. Hardening your internal network in this way gives you fine-grained control over who, how, when, where, and what connects to your internal resources. It also allows for the enforcement and verification of any endpoint security compliance regulations your organization must adhere to. These may include government regulations such as the Health Insurance Portability and Accountability Act and the Sarbanes-Oxley Act, or industry standards such as the Payment Card Industry Data Security Standard (PCI DSS).
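The following Python script is an added example for this chapter, not code from the Cisco NAC Appliance product or the book. It models the four controls just listed (authenticate, assess posture, quarantine, scope access) as a small admission decision engine: a posture report is checked against a policy, non-compliant hosts land in a quarantine role that can reach only a remediation subnet, guests are routed to an Internet-only role without a posture check, and MAC-only identities get a deliberately narrow role because the address can be spoofed. All user names, passwords, MAC addresses, subnets, patch identifiers, and thresholds are constructed assumptions for illustration.

```python
"""Toy network admission decision engine (added example, not NAC Appliance code).
Every name, address, patch ID and threshold below is a constructed assumption."""
from dataclasses import dataclass, field
from datetime import date, timedelta
import ipaddress

# Hypothetical policy; a real deployment pulls this from the policy server.
REQUIRED_PATCHES = {"PATCH-A", "PATCH-B"}        # placeholder patch identifiers
MAX_SIGNATURE_AGE = timedelta(days=7)            # AV signatures must be this fresh
PROHIBITED_PROCESSES = {"example_worm.exe"}      # placeholder worm process name
USERS = {"alice": ("pw-alice", "employee"),      # constructed credential store
         "bob": ("pw-bob", "contractor")}
KNOWN_MACS = {"00:11:22:33:44:55": "printer"}    # MAC-only devices (spoofable)

# Ordered first-match ACLs per role. Quarantine reaches only the remediation
# subnet; guests reach only the Internet (never the internal 10.0.0.0/8 space).
ACLS = {
    "denied":     [("deny", "0.0.0.0/0")],
    "quarantine": [("permit", "10.0.50.0/24"), ("deny", "0.0.0.0/0")],
    "guest":      [("deny", "10.0.0.0/8"), ("permit", "0.0.0.0/0")],
    "printer":    [("permit", "10.0.10.0/24"), ("deny", "0.0.0.0/0")],
    "contractor": [("permit", "10.0.20.0/24"), ("deny", "10.0.0.0/8"),
                   ("permit", "0.0.0.0/0")],
    "employee":   [("permit", "0.0.0.0/0")],
}

@dataclass
class Posture:                 # what a host agent would report
    patches: set
    av_signature_date: date
    antispyware_installed: bool
    running_processes: set
    today: date

@dataclass
class Decision:
    role: str
    reasons: list = field(default_factory=list)

    def allows(self, dst_ip: str) -> bool:
        """Evaluate the role's ACL for a destination address, first match wins."""
        ip = ipaddress.ip_address(dst_ip)
        for action, cidr in ACLS[self.role]:
            if ip in ipaddress.ip_network(cidr):
                return action == "permit"
        return False

def authenticate(username=None, password=None, mac=None):
    """Control 1: who is allowed on. Returns (identity role or None, reason)."""
    if username is not None:
        entry = USERS.get(username)
        if entry is not None and entry[0] == password:
            return entry[1], f"user {username} authenticated"
        return None, "bad credentials"
    if mac is not None and mac.lower() in KNOWN_MACS:
        # A MAC address is trivially spoofed, so it only ever earns a narrow role.
        return KNOWN_MACS[mac.lower()], f"MAC {mac} recognised (weak identity)"
    return None, "no credential presented"

def assess_posture(p: Posture) -> list:
    """Control 2: return the host-security requirements the host fails."""
    failures = []
    missing = REQUIRED_PATCHES - p.patches
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    if p.today - p.av_signature_date > MAX_SIGNATURE_AGE:
        failures.append("antivirus signatures out of date")
    if not p.antispyware_installed:
        failures.append("antispyware not installed")
    active = PROHIBITED_PROCESSES & {proc.lower() for proc in p.running_processes}
    if active:
        failures.append("active infection indicator: " + ", ".join(sorted(active)))
    return failures

def admit(username=None, password=None, mac=None, posture=None, guest=False):
    """Controls 1-4 combined: identity and posture decide the network role."""
    if guest:   # guests are not posture-checked; they never reach internal hosts
        return Decision("guest", ["guest access is Internet-only"])
    role, why = authenticate(username, password, mac)
    if role is None:
        return Decision("denied", [why])
    if role == "printer":
        return Decision("printer", [why])
    if posture is None:   # no agent report means no compliance evidence
        return Decision("quarantine", [why, "no posture report received"])
    failures = assess_posture(posture)
    if failures:          # Control 3: only enough access to remediate
        return Decision("quarantine", [why] + failures)
    return Decision(role, [why, "posture compliant"])   # Control 4: scope by identity

# Constructed sample posture reports for a host connecting on TODAY.
TODAY = date(2006, 6, 1)
COMPLIANT = Posture({"PATCH-A", "PATCH-B"}, TODAY - timedelta(days=2), True, {"explorer.exe"}, TODAY)
STALE = Posture({"PATCH-A"}, TODAY - timedelta(days=30), True, {"explorer.exe"}, TODAY)
INFECTED = Posture({"PATCH-A", "PATCH-B"}, TODAY, True, {"Example_Worm.EXE"}, TODAY)

if __name__ == "__main__":
    d = admit("alice", "pw-alice", posture=STALE)
    print(d.role, d.reasons, d.allows("10.0.50.10"), d.allows("10.0.20.5"))
```

Running the script quarantines alice's out-of-date laptop with the reasons listed (the missing patch and stale signatures), and the ACL check confirms she can reach the remediation subnet but nothing else. The ordering in `admit` is the point: identity is established before posture is considered, a missing posture report is treated as non-compliance rather than as a pass, and the access level is only chosen once both checks have succeeded.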

The Software Update Race: Staying Ahead of Viruses, Worms, and Spyware

How much more secure would your network be if every PC on it had the latest operating system patches, ran an up-to-date antivirus and antispyware client, and scanned for the top 20 known worms and viruses every time it reconnected? The answer is obvious, of course: It would be much more secure. But to find out just how much more secure, you would have to know how many security incidents would be mitigated by having the protections in place. If everything is up to date, the remaining risks are zero-day attacks and misconfigured hosts. Zero-day attacks are those released into the wild before a patch or signature is available to catch them. Most security studies indicate that zero-day attacks actively propagating in the wild make up only 1–2 percent of active attacks. So, by keeping hosts patched and their signatures current, you are stopping roughly 98 percent of what's out there, leaving misconfiguration as the other risk to address.

Fortunately, most software vulnerabilities are found by researchers who report them privately to the vendor. Because the details are not disclosed publicly right away, the affected vendor has time to create a fix. After the vendor announces the fix or patch, attackers get to work analyzing it to create an exploit for the vulnerability it closes. At this point the exploit can infect only the weakest links: those systems that have not applied the patch. Unfortunately, many users do not keep their systems up to date and become easy prey for these attacks. In addition, the time between the public release of a software vulnerability notice and the release of an exploit that takes advantage of the vulnerability is rapidly shrinking. This is driving the need for organizations to make sure that only up-to-date systems are allowed full internal network access.

After the compromise or infection of a system, it needs cleaning or rebuilding. The cost incurred by an organization that needs to rebuild thousands of PCs can be staggering. Even though case study after case study proves that keeping PCs up to date results in decreased productivity loss and decreased IT expenditures, most organizations do not do a good job of it. In addition, it is not much use deploying a robust patch management system, such as Microsoft's Windows Server Update Services, if you cannot guarantee that it is enabled while users are connected to your network. This brings us back to the weakest-link problem: Your data is only as secure as the weakest access point to it. Any clients that disable their patch management software become glaring targets themselves and greatly increase the security risk to data in the organization as a whole. Add to this the enormous diversity present in today's networks, and the challenge gets even greater. Almost all organizations today have no way to dynamically and pervasively enforce a comprehensive host security policy on all hosts that connect to their network. The following are some of the challenges an organization faces when trying to keep all systems compliant with a host security policy and official regulations, and up to date:

  • Supporting the myriad of operating system types and host security software available. For example, there are more than 20 antivirus software vendors.
  • Detecting that an out-of-date system is on or attempting to gain access to the network. After detection, there must be a way to network quarantine that system until it is current.
  • Dealing with mobile PCs. You must check to make sure that a system occasionally connecting via VPN is up to date before allowing it access to your network.
  • Dealing with guest users. Guest users pose a unique problem. In general, the only thing guest users should be allowed to do while on the internal network is go to the Internet. They should be restricted from accessing all internal machines, and ideally from each other as well. If this enforcement is possible, there is no need to check and maintain the patch levels of a guest system, because an infected guest host has nothing internal to reach.
  • Dealing with PCs that are not owned or maintained by your organization but need access to your internal network resources. The machines of contract and temporary workers typically fall under this category.
  • Enforcing—preferably at the network layer—that all systems have to be up to date before allowing them access.
  • Enforcing—preferably at the network layer—that no host runs any applications that violate the corporate host security policy guidelines.
  • Ensuring that all PCs are running the required security, backup, and encryption software necessary to satisfy compliance with official regulations and industry standards (such as PCI DSS) and your corporate host security policy guidelines.
  • Distributing updates and patches to systems in a timely and scalable manner. Most organizations have patch management systems in place for their systems but provide no update services for the student, guest, and nonmanaged PCs that connect to their internal networks.

Summary

This chapter examined why, with today's security challenges and threats growing more sophisticated, perimeter defense alone is no longer sufficient. It discussed why organizations need to have internal security systems that are more comprehensive, pervasive, and tightly integrated than in the past. Cisco NAC Appliance is such a security system. It allows for pervasive and in-depth host security defenses throughout an organization's internal infrastructure with multiple points of protection. The chapter covered network security as a weakest-link problem and offered that the internal networks constitute the weakest link today. The internal networks are typically lacking the proper amount of security measures. This results in an increased likelihood of compromise to internal hosts and data by another internal host, not by an external source.

Also examined were the myriad of issues and challenges regarding the patch management update race of hosts. The chapter discussed that the time between the public release of a software vulnerability notice and the release of the exploit that takes advantage of the vulnerability is rapidly shrinking. This is driving the need for organizations to enforce that they allow full internal network access only to up-to-date systems.
