How to Approach Access Control in the Social Networking Age

 
 
By John Yun and Jay Kelley  |  Posted 2008-07-18

Balancing Requirements

Whether your company has identified a business need for social networking applications or has simply decided to get ahead of the trend, managing consumer applications on corporate networks is a matter of balancing the following four priorities:

1. Security - to protect networks from external and internal threats, and sensitive information from breach and/or theft.

2. Quality of service - to meet the network bandwidth and latency requirements of business applications first.

3. Visibility - to monitor the type and volume of activity on corporate networks, which is useful operationally and often necessary to meet regulatory compliance.

4. Control - to align network activity of all kinds to company policy.

No single set of policies can meet these requirements for every business. Network security and performance requirements differ between and within organizations. Policies - especially access policies - must reflect the uniqueness of individual networks, the differing types of users and/or devices requiring network access, the level of network access required, and the information the network protects.

Regulating Application Usage

Whether they apply across the corporation or to an individual user, effective policies require accurate identification of application traffic. Identifying applications by port number is no longer reliable: many applications now run over ports 80 and 443 alongside ordinary web traffic, or change ports to avoid being blocked. For this reason, many organizations now regulate applications using IPS (Intrusion Prevention Systems).

Without compromising their contribution to network security, advanced IPS products support signatures specifically designed to detect applications. These appliances combine protocol decoding with those signatures to identify application traffic quickly and accurately, regardless of the port it arrives on. Policies can then be set to block an individual application or a group of applications, or to apply QoS requirements to them. One caveat: signature matching requires visibility into the payload, so traffic the IPS cannot decrypt can only be classified from its handshake and flow characteristics.

Implementing Corporate-wide Policy

Equipped with tools to accurately identify application traffic, enterprises can implement corporate-wide policies based on applications, individually or in groups. But application-level policies alone rarely keep pace with enterprise requirements. When a new application is deployed, for example, the policy must also add controls for its individual features and capabilities, based on the business requirements and the security risks each one carries.

Some IPS appliances can identify not only the type of application traffic, but traffic associated with individual application features - for example, IM text messages vs. IM file attachments. This level of detail gives IT administrators the control they need to deploy and manage applications effectively.
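The contrast drawn above, between classifying traffic by destination port and classifying it by what the payload actually contains, as an added example that is not code from the article or from Juniper. It is a toy classifier in Python: the port table, the simplified XMPP, HTTP and TLS signature patterns, and the sample packets are all constructed for illustration, and the file-transfer signature shows the feature-level distinction (IM text vs. IM file attachment) the paragraph describes.

```python
"""Toy application classifier: port lookup vs. payload signatures.

Added example, not code from the article or from Juniper. All packets,
ports and signature patterns below are constructed and simplified.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    payload: bytes


# Legacy approach: whatever arrives on port 80 "is HTTP".
PORT_TABLE = {80: "http", 443: "https", 5222: "xmpp-im"}


def classify_by_port(pkt: Packet) -> str:
    return PORT_TABLE.get(pkt.dport, "unknown")


# Signature approach: (application, feature, pattern over the first bytes).
# Order matters: the more specific feature signature is listed first.
# Patterns are sketches of the real protocol structure, not production rules.
SIGNATURES = [
    ("xmpp-im", "file-transfer",
     re.compile(rb"<iq\b.*<si\b[^>]*profile=['\"]http://jabber\.org/protocol/si/profile/file-transfer", re.S)),
    ("xmpp-im", "message", re.compile(rb"<message[\s>]")),
    ("xmpp-im", "session", re.compile(rb"<stream:stream\b")),
    ("http", "request", re.compile(rb"^(GET|POST|HEAD|PUT) \S+ HTTP/1\.[01]\r\n")),
    ("tls", "handshake", re.compile(rb"^\x16\x03[\x00-\x03]")),
]

INSPECT_BYTES = 1500  # an IPS decides on the first part of the payload


def classify_by_signature(pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (application, feature) from payload content, ignoring the port."""
    head = pkt.payload[:INSPECT_BYTES]
    for app, feature, pattern in SIGNATURES:
        if pattern.search(head):
            return app, feature
    return "unknown", None


def compare(packets: List[Packet]) -> List[dict]:
    """One row per packet; 'mismatch' flags where the two methods disagree."""
    rows = []
    for pkt in packets:
        by_port = classify_by_port(pkt)
        app, feature = classify_by_signature(pkt)
        rows.append({"dport": pkt.dport, "by_port": by_port, "app": app,
                     "feature": feature, "mismatch": by_port != app})
    return rows


# Constructed sample traffic (addresses from documentation ranges).
SAMPLE_PACKETS = [
    # Ordinary web request on port 80: both methods agree.
    Packet("192.168.1.235", "203.0.113.10", 80,
           b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    # IM session opened on port 80 to slip past a port-based block.
    Packet("192.168.1.235", "203.0.113.20", 80,
           b"<stream:stream to='example.com' xmlns:stream='http://etherx.jabber.org/streams'>"),
    # IM chat text on the usual XMPP port.
    Packet("192.168.1.77", "203.0.113.20", 5222,
           b"<message to='bob@example.com' type='chat'><body>hi</body></message>"),
    # IM file-transfer offer: same application, a different feature.
    Packet("192.168.1.77", "203.0.113.20", 5222,
           b"<iq type='set' id='ft1'><si xmlns='http://jabber.org/protocol/si' "
           b"profile='http://jabber.org/protocol/si/profile/file-transfer'>"
           b"<file name='q3.xls' size='2048'/></si></iq>"),
    # TLS ClientHello on a non-standard port: the port table knows nothing.
    Packet("192.168.1.90", "203.0.113.30", 8080,
           b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1"),
]

if __name__ == "__main__":
    for row in compare(SAMPLE_PACKETS):
        print(row)
```

Running the script shows the second and fifth packets classified as "http" and "unknown" by port but as an XMPP session and a TLS handshake by content; a policy that blocks IM file transfers but allows IM text would key on the (application, feature) pair rather than on the port.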

Usage Based on Users and Applications

Policies that equate users with IP addresses (as traditional firewalls do) are inadequate in modern enterprise environments: addresses are assigned dynamically and often shared, so an address identifies a host at a moment in time, not a person. Genuine user-based policies need NAC (network access control) solutions to provide accurate user information (i.e., user "Joe Smith" instead of 192.168.1.235). But identifying users is not enough. There must also be a way to apply policies to users as well as to applications.

Today, advances in NAC and IPS products have increased their interoperability. It is now possible to deploy a solution in which an IPS appliance signals a NAC appliance that a particular application is in use and supplies the relevant data (source address, application and feature). The NAC solution then identifies the user or device behind that address and determines whether the access is legitimate. If it is not, the NAC solution pushes policy to the enforcement points (firewalls and switches) in real time, either to terminate the user's session, quarantine the user, or block the user from the network entirely. Working together to isolate network threats down to individual users or devices, NAC and IPS help enterprises mitigate threats quickly, minimizing network and user downtime.

Operation

In everyday use, policies implemented across the network assure that mission-critical applications receive the network bandwidth and latency they require. They also assure that any social networking and other low-priority activities are restricted to authorized users, consuming only the capacity the business decides to allocate to them. At the same time, security policies protect the corporate network against viruses, worms, spyware and other malicious code that might otherwise be downloaded from social networking sites.

The compelling advantages of a coordinated approach come into play when the network is under attack, whether from outside or inside. Instead of responding piecemeal, IPS and NAC solutions work together. If an external Denial of Service attack floods network gateways with junk traffic, a NAC solution working with IPS may restrict employees to applications with high business priority, sacrificing MySpace and Facebook, for example, to preserve VOIP telephone service. Internally, acting through the firewall, it can limit guest network access, disable wireless network segments and raise authorization thresholds for sensitive information until the problem can be isolated and solved.
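The IPS-to-NAC handoff described in the "Usage Based on Users and Applications" section, and the degraded "under attack" mode described just above, as one added example that is not code from the article or from Juniper. The IPS side is reduced to an event of (source IP, application, feature); the NAC identity table, the role names, the rule set and the business-priority ranking are all constructed for illustration, and the enforcement actions are returned as labels rather than pushed to a firewall or switch.

```python
"""Toy user-aware policy decision for IPS events, resolved through a NAC table.

Added example, not code from the article or from Juniper. Identities,
rules, priorities and addresses are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass(frozen=True)
class Identity:
    user: str
    role: str             # "employee", "contractor" or "guest"
    device_healthy: bool  # result of the NAC posture check


@dataclass(frozen=True)
class AppEvent:
    """What the IPS reports: who (by address) is using which application feature."""
    src_ip: str
    app: str
    feature: Optional[str] = None


# Constructed stand-in for the NAC's live IP-to-identity table.
NAC_TABLE: Dict[str, Identity] = {
    "192.168.1.235": Identity("jsmith", "employee", True),
    "192.168.1.77":  Identity("contractor-42", "contractor", True),
    "192.168.1.90":  Identity("guest-lobby-3", "guest", True),
    "192.168.1.120": Identity("mbrown", "employee", False),
}

# Lower number = higher business priority; unlisted applications rank lowest.
BUSINESS_PRIORITY = {"voip": 1, "erp": 1, "xmpp-im": 2, "social": 3}
LOWEST_PRIORITY = 3

# (role, application, feature, action). "*" is a wildcard; first match wins.
RULES = [
    ("*",          "xmpp-im", "file-transfer", "block-session"),  # no IM attachments for anyone
    ("employee",   "social",  "*",             "rate-limit"),
    ("contractor", "social",  "*",             "block-session"),
    ("guest",      "social",  "*",             "allow"),
    ("guest",      "*",       "*",             "block-session"),  # guests get nothing else
    ("*",          "*",       "*",             "allow"),
]


def _matches(pattern: str, value: Optional[str]) -> bool:
    return pattern == "*" or pattern == value


def decide(event: AppEvent, nac_table: Dict[str, Identity] = NAC_TABLE,
           under_attack: bool = False) -> dict:
    """Map an IPS event to an enforcement action via the NAC identity table.

    Identity problems are settled first (unknown address, failed posture),
    then the degraded mode that drops low-priority applications, then the
    ordinary role/application/feature rules.
    """
    ident = nac_table.get(event.src_ip)
    if ident is None:
        return {"user": None, "action": "quarantine",
                "reason": "no NAC identity for source address"}
    if not ident.device_healthy:
        return {"user": ident.user, "action": "quarantine",
                "reason": "device failed posture check"}
    if under_attack and BUSINESS_PRIORITY.get(event.app, LOWEST_PRIORITY) > 1:
        return {"user": ident.user, "action": "block-session",
                "reason": "degraded mode: low-priority application"}
    for role, app, feature, action in RULES:
        if (_matches(role, ident.role) and _matches(app, event.app)
                and _matches(feature, event.feature)):
            return {"user": ident.user, "action": action,
                    "reason": f"rule ({role}, {app}, {feature})"}
    return {"user": ident.user, "action": "block-session", "reason": "no matching rule"}


if __name__ == "__main__":
    for ev in (AppEvent("192.168.1.235", "social"),
               AppEvent("192.168.1.235", "xmpp-im", "file-transfer"),
               AppEvent("192.168.1.120", "erp"),
               AppEvent("10.0.0.5", "erp")):
        print(ev, "->", decide(ev))
    print("under attack:", decide(AppEvent("192.168.1.235", "social"), under_attack=True))
```

The decision is only as good as the address-to-identity mapping it starts from: in a real deployment the NAC table changes with every DHCP lease and VPN session, and a NAT device can hide several users behind one address, so the lookup should be keyed on something the NAC actually binds (the authenticated session, or the MAC and switch port) rather than on a bare IP address that may have changed hands since the IPS saw the packet.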

Bottom Line: Consider a Balanced Approach

Many companies will choose a social networking policy somewhere between unrestricted access and an outright ban. Using granular access control policies and interoperable solutions, they can grant access when, where and to whom they want - adapting permissions and defenses as required to counteract internal and external threats.

John Yun is the senior product marketing manager for Juniper Networks. He has more than 15 years of experience in network security, VOIP and wireless communication. At Juniper Networks, Yun is responsible for Intrusion Detection and Prevention, and High-end Security Systems firewall and IPS solutions. Prior to Juniper, Yun was the primary marketing manager for Nokia security products in partnership with Check Point, where he also served as a key evangelist for SSL VPN solutions. Yun holds a Bachelor of Science in Electrical Engineering from Rensselaer Polytechnic Institute. He can be reached at john-yun@juniper.net.

Jay Kelley is the product marketing manager for access control products at Juniper Networks. Prior to serving in his current role, Kelley managed the product management and marketing for Endpoint Assurance, a network access control solution from Funk Software, Inc. (until that company's acquisition by Juniper in December 2005). Kelley holds a BS in Business Management from Daniel Webster College. He can be reached at jay-kelley@juniper.net. 



 
 
 
 