By Chet Heath  |  Posted 2003-03-13

There is a growing problem of system intrusion from both the outside and the inside. Overall, according to Gartner, the problem of intrusion has grown 377% in 2 years, and nearly 80% of that is assumed to come from the inside according to the FBI, InterGov, and CERT studies. That is only the portion that is known and reported; the unreported, undetected, or concealed incidents may be far more numerous. Traditional approaches with perimeter gateways, layered, segmented, and departmentalized configurations, and intrusion detection systems on the perimeter are not effective against the most probable mode of attack – one launched from the inside.
The general topology of the vast majority of existing LANs is flawed, with security exposures on the internal "trusted" intra-network. These LANs depend too heavily on perimeter protection, which also leaves many avenues for infection from the outside open. Numerous open intra-network ports on these same systems leave them vulnerable on the inside. It is impossible to fully plug all the internal and external vulnerabilities; the only feasible defense is to protect the target of attack.
Of the five examples in the initial paragraph of this story, all can be defended by a distributed intrusion prevention strategy using Server-Specific Security. The current investment in intrusion defense becomes the foundation for a coordinated solution that prevents both internal and external attack. A strong perimeter gateway firewall is typically required to defend against the external threat; use it as the guard at the gate. Intrusion detection systems will monitor gateway effectiveness and provide a defense against denial-of-service attacks. A selection of Server-Specific Security protection options, including host-based software and internal and external embedded solutions, is then required to provide a scalable, tailored, total defense. The degree of protection required by each server will vary with the potential impact of compromise for its given function. Some servers inside the perimeter may not need any additional protection, but a majority may, if only to prevent worm attacks from spreading rapidly. Server-Specific Security, where each server is individually protected by a customized firewall / VPN, is therefore the only effective defense against internal digital espionage. This same Server-Specific Security approach treats the entire intranet as a DMZ and vastly complicates attack from the outside as well. It can be configured as solid protection against "Code Red / Nimda / Slammer" type worm infection. The ability to resist and limit external attack is a reason to adopt single server protection even with a thoroughly trusted workforce inside. Single server protection is the next logical step in the digital arms race between intruders and IT professionals. This leaves you with a decision: to be the victor, or the victim of an inside job.
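The article's argument is that a flat "trusted intranet" lets any internal host reach any port on any server, while a per-server default-deny policy only admits the sources a given server actually serves. The following model is an added illustration, not code from the article or from any product it describes: it evaluates the same constructed connection attempts under both models and renders a server's allow list as an nftables input chain. The address plan (10.0.0.0/8 as the intranet), the server roles, ports and subnets are all constructed sample values.

```python
"""Added illustration (not from the article): compare a perimeter-only trust
model with server-specific (per-host) filtering, and render a per-server
policy as an nftables ruleset.  All addresses, ports and server roles are
constructed sample values."""
from dataclasses import dataclass
import ipaddress

# Constructed address plan: everything in 10.0.0.0/8 is "inside the perimeter".
INTRANET = ipaddress.ip_network("10.0.0.0/8")


@dataclass(frozen=True)
class Conn:
    src: str      # source address of the connection attempt
    dst: str      # address of the server being contacted
    dport: int    # TCP destination port


@dataclass(frozen=True)
class ServerPolicy:
    """Per-server allow list: destination port -> source networks permitted."""
    name: str
    addr: str
    allowed: dict


def perimeter_only(conn: Conn) -> bool:
    """Flat 'trusted intranet' model: any internal source reaches any port."""
    return ipaddress.ip_address(conn.src) in INTRANET


def server_specific(policy: ServerPolicy, conn: Conn) -> bool:
    """Default-deny on the host: only listed port/source pairs are accepted."""
    if conn.dst != policy.addr:
        return False
    src = ipaddress.ip_address(conn.src)
    return any(src in ipaddress.ip_network(net)
               for net in policy.allowed.get(conn.dport, ()))


def evaluate(policy: ServerPolicy, conns):
    """Return (conn, allowed_by_perimeter_model, allowed_by_server_policy)."""
    return [(c, perimeter_only(c), server_specific(policy, c)) for c in conns]


def render_nft(policy: ServerPolicy) -> str:
    """Render the policy as an nftables input chain with a drop default."""
    lines = [
        f"# server-specific ruleset for {policy.name}",
        "table inet server_specific {",
        "  chain input {",
        "    type filter hook input priority 0; policy drop;",
        "    iif lo accept",
        "    ct state established,related accept",
    ]
    for dport, nets in sorted(policy.allowed.items()):
        for net in nets:
            lines.append(f"    ip saddr {net} tcp dport {dport} accept")
    lines += ["  }", "}"]
    return "\n".join(lines)


# Constructed example: a database server that only the application tier
# (10.2.0.0/24) should reach on 1433, and only the admin subnet on 22.
DB_SERVER = ServerPolicy(
    name="db01",
    addr="10.3.0.10",
    allowed={1433: ["10.2.0.0/24"], 22: ["10.9.0.0/24"]},
)

# Constructed connection attempts, all originating inside the perimeter.
SAMPLE_CONNS = [
    Conn("10.2.0.5", "10.3.0.10", 1433),   # application server: legitimate
    Conn("10.1.7.42", "10.3.0.10", 1433),  # office workstation reaching the DB
    Conn("10.1.7.42", "10.3.0.10", 445),   # same workstation probing SMB
    Conn("10.9.0.3", "10.3.0.10", 22),     # admin jump host
]

if __name__ == "__main__":
    for conn, perim, host in evaluate(DB_SERVER, SAMPLE_CONNS):
        print(f"{conn.src:>10} -> :{conn.dport:<5} "
              f"perimeter-only={perim!s:5} server-specific={host}")
    print(render_nft(DB_SERVER))
```

Under the perimeter-only model every attempt is accepted because every source is "inside"; under the server-specific policy the two workstation attempts are dropped, which is exactly the spread path a worm on an internal host would use. The rendered ruleset is the shape of the per-server firewall the article calls for: drop by default, accept return traffic, and enumerate only the port/source pairs the server exists to serve.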

