Your data is extremely important to you, and it may be even more valuable to someone else! While it may be hard to accept, digital espionage launched through an intranet is statistically the most common mode of attack. It is also the most costly, and the least defended.
The assets of the corporate intranet are real targets. The information it contains would be damaging if it were available to anyone outside, and even needs to be shielded from most internal users. This includes marketing plans, customer data, personnel records and financial results. Despite the security requirements, the servers containing this data need to be accessible from multiple places within, and outside your organization, and via existing wiring.
Well outline the current problems, and show how traditional security measures cannot prevent internal intrusion. We will also identify an effective intrusion prevention strategy, with alternatives for implementation.
The Problem by Example – Events of 2002:
- A software firm loses key talent when news of a layoff spreads after the CEOs mail is compromised.
- A CFO signs an affidavit that that no one can get unauthorized advance access to financial results, and then he must explain to the SEC how a trusted associate made a suspicious, highly profitable transaction.
- A college discovers massive classroom grade changes in its servers.
- A tabloid gets personal medical data on a celebrity from a hospital and prints it1.
- A virus bypasses the perimeter gateway to attack one server in a data center then instantly infects hundreds more peer systems inside.
In all these scenarios, the silent attack on critical data actually came from inside an externally secured LAN. A perimeter defense had no effect against an intranet intruder, who used commonly available software snooping tools to steal data.
The perimeter gateway was also ineffective against the internal spread of a Nimda / Code Red type worm across a data center intranet. In four of the five scenarios above, a trusted individual took advantage of an unprotected data asset on the internal “trusted” LAN.
This highlights the problem initially illustrated by an FBI survey and consistently verified by multiple studies since then2: The majority of all data intrusion is from the inside and it is costing hundreds of millions overall3. The research of InterGov4 verifies that insiders account for about 80 percent of all computer and Internet-related crime. They find “Inside Jobs” cause an average loss of about $110,000 per corporate victim.
Certainly 99% of people are honest, but it takes just one who is not – in any business. The majority of inventory shrinkage in many stores comes from trusted employees; most of the money lost in banks is not from armed robbery, but embezzlement; and most press leaks in government come from staffers with an agenda. The intruder on the inside benefits most from access to secured information, because they know its relevance and therefore they are most dangerous. The sad truth is: it is easier to take advantage of a trusted situation than it is to lay attack by siege.
An inside job becomes even more probable as the legal consequences for a curious employee are typically less severe than those for an outside attacker – and the insiders chance of getting caught, given the current state of protection, is minimal. It all adds to a dangerous combination and a problem that will come looking for those who are not prepared.
Traditional Defenses
– the Typical LAN”>
The security measures we use today are not wrong; they are simply incomplete. Even if current approaches appear to provide adequate external defense, there is still a high level of exposure. The example that follows is a “worst case” situation that may still exist in older parts of many networks today. Switches may isolate much traffic where hubs do not, but networks can still be open upstream of the switch and on segments connected with older hub technology.
Open Inside Typically, unless a switched-segment VLAN has been established, everyone likely communicates over the same “trusted” network (using hubs, as pictured in the legacy architecture above), and access can be electrically common to everyone. While VLANs will help prevent security breaches (albeit with added setup and management complexity), they arent positive assurance. If trunks or arteries are accessible and able to be tapped, then one can still sniff all or most traffic. Management of a complex VLAN is quite difficult, and can hamper its scalability. Well discuss a more effective Server-Specific Security method soon.
Conventional access control to servers is via IDs and passwords. Typically, for convenience, there are unguarded open terminations of the “trusted” LAN. They may be found in conference rooms, guest offices, in the reception area, or on at desks of employees who travel often. Instant messenger, shareware, traveling laptops, and unprotected external PCs with VPN connections may import vulnerabilities that would not even show up on a scan of network assets. AND – The grand daddy of all open ports is the wireless access point, which can add square miles of access, inside and outside the building if proper secure access safeguards are not taken.
Openings to the Outside
Perimeter vulnerabilities exist through numerous holes at various network layers. Using a firewall still generally requires various ports open to the outside world including the Web server (port 80), services such as File Transfer Protocol (port 21), POP3 Mail (port 110),and perhaps secure web service, HTTPS at (port 443) or Telnet (port 23). E-business and B2B interaction often drive this complexity. As the functionality of the internal LAN increases, there are more openings to the outside, and therefore more pathways inbound. Simple passwords and usernames will not deter those who are intent on intruding into an open intranet. In network architectures, where all data and mail travel past all users, with numerous unguarded terminations, a simple software snooper can collect critical data. This software can capture IDs and passwords, then decrypt them, without leaving any evidence of compromise5.
Traditional Approaches to Network
Security”>
Whats called the “trusted network” should not be trusted. As we explained earlier, a common network infrastructure may be wide open for someone to monitor traffic containing IDs and passwords. Further, a worm infecting one server may discover IP addresses and access controls to quickly infect other servers. The perimeter gateway opens many alternate external pathways, which may be used for general external intrusion or placement of a worm.
Traditional approaches to establishing an effective external defense include:
- Perimeter Firewall – this isolates the internal LAN from the outside world. It is usually the first form of network security added to a newborn enterprise LAN. It loses effectiveness as the LAN grows and becomes more complex with more functionality, such as when VPN ports are exposed outside.
- Layered Security – partitioning of the LAN into different segments for controlling access or for providing more bandwidth when many participants use the LAN at once. It works, but problems arise with scaling and maintenance.
- Intrusion Detection Systems – monitor the gateway to alert when an intrusion has occurred. They can record statistics and even learn to block certain modes of attack. False positive alerts require human intervention. They are more an alarm than a defense, and typically are not aimed at the intranet
To put this in perspective, lets understand the traditional defenses in more detail.
Approach 1 – Perimeter Security
Much focus on the outside threat over the past 10 years has created a so-called “Tootsie-Pop” structure (coined by the Burton Group6) with a hard external shell surrounding a soft inside. This shell is perforated with openings to the outside for each specific server function. Theres also an assumption that everything on the soft inside is trusted. Modern internal network include multiple access points, and methods such as WAP/802.11, B-2-B VPN terminations, dial-up/VPN remote users and offices, and assume individual inside the network is trusted. These factors lead to excessive openings in the best-planned hard-shell based security strategy.
Approach 2 – Layered Security
Following the Tootsie Pop structure, a “Control” layer C is enclosed within the Perimeter Layer. Layer C imposes identity and access management services, as well as security and policy management internal to the data center. Layer C then encloses the “Resource”, or R-layer of servers and their data. Layer C can be distributed across individual regions or servers.
This systematic multi-layered approach is a best practices method for protecting the network, analogous to layers of skin to isolate the body from infection. The control layer can optionally be implemented by segmenting the LAN into workgroups, cascading firewalls to create VLANs. But too often this is just a semi-effective form of ID authentication and password control. Implementing all the options can make life more difficult for the intruder, but the solution can also be difficult to scale. Reconfiguration and growth of the network, or service operations, can leave pathways open that were assumed to be isolated. Prospective intruders will invariably find an entry point with automated tools that “crawl” about the Intranet, investigating systems where there are openings.
All the control layers behind the common perimeter gateway assume the same firewall security policies to a common intranet. Even with layering, each server is still open to service holes and can have excessive exposure to the outside. While 80% of intrusion occurs from the inside, the remaining 20% of intrusions come by way of these open holes in the perimeter. The perimeter gateway remains a critical element; its the front door lock.
Approach 3 – Intrusion Detection Systems
With a perimeter defense that is too open, the first inclination is to guard the gateway, to detect intrusion and sound an alarm. Intrusion Detection Systems (IDS) monitor the external gateway and detect when access is gained past the firewall. It is aimed at detection of external attack, but it requires constant monitoring and human discrimination of false-positive alerts. IDS can be distributed to multiple points within an intranet and may provide some level of detection of inappropriate access. Switches may block visibility to these sensors and care must be taken in their placement. Host based IP programs may actually be a better fit for protecting desktop and laptops that are secondary pathways for external intrusion.
Server
-Specific Security “>
Server-Specific security is an extension of the layered model with access control for each server. A policy rules set is provided for each server to define which users have access and which are to be denied. With precise granularity, this individually locks down important data held in each server. This is considered “intrusion prevention” and it provides the highest level of security against unintended access.
There is no “trusted network” within the perimeter gateway or between resources. The perimeter does not define a common set of rules for all servers, and multiple holes in the gateway do not provide an avenue of entry to protected server systems. Each server has a unique policy designed to allow access solely for its function and presents only one hole to the inside, or the outside.
Server-Specific Security may define encrypted VPN paths between authorized users to given servers. An open termination is no longer useful to snoop data from the common LAN. While it works with existing perimeter defenses and detection to enhance external protection, Server-Specific Security is the only positive means that can thwart an attack mounted from the inside!
The strategy is no different than placing layers of protection in banks, museums, government buildings, or even homes. Even with the most efficient border patrol and police, no bank could survive long without armed guards, outside doors with locks, motion detectors, cameras, locked or guarded areas inside, or vaults with safe deposit boxes. This, along with government audits and monitoring of bonded employees, protects the banks assets.
Who would put their valuables in a bank where the cash sat on a shelf in a locked closet and where there were hundreds of similar keys issued to employees? Who would do the same with corporate data? Surprise, we do all the time!
Saying it differently for emphasis: Server-Specific Security focuses intrusion prevention at the target of an attack, not at the presumed point of entry. It operates with existing defenses to further enhance protection from the outside. It can provide for encryption of data by establishing VPN connections across the corporate intranet to cripple snoopers on the common network. Placing a firewall on each server prevents access to a given server, except by defined users from an authorized terminal. It scales easily, because each added server function provides a custom and properly-sized level of protection to its needs and capacity.
An example of the layered approach includes firewalls installed at the perimeter, and VPN access to protect mail and other sensitive data communications. Each critical corporate data server would have individual rules, and Server-Specific firewalls allow controlled access to files and data in all servers, while other participants would have access only to the data needed to do their job.
For example, the summer intern would have access to help desk files, but be prohibited from access to customer lists, go-to-market plans, engineering designs, or even e-mail. Sales might have access to mail and customer data, but be excluded from information about upcoming products in the engineering server. Perhaps the CEO and CFOs team would be the only ones with VPN access to financial and employee data. All might implement FireDoor (explained shortly) for worm containment. With a dedicated firewall limiting port services, a WAP connection is now effectively on its own DMZ, and can only see the Internet in this example. Other services and servers can be opened to the WAP by changing its dedicated firewall policy.
Server
-Specific Security Management”>
A reasonable concern arises out the complexity of a Server-Specific Security implementation with protection on nearly every server. Yet, when consistently implemented with industry accepted Firewall / VPN software, such as Check Point NG or similar products, management of a complex collection of firewalls is straight-forward. It is easily administered through an intuitive GUI, like Check Points “Smart Dashboard” tools.
Because there is no reliance on a trusted LAN when using a Server-Specific Security-based architecture, open points of access to the intranet (like guest terminals and wireless access points) are no longer as serious an exposure. Certainly, not all servers need be secured, and some can still be on the “untrusted” intranet within the perimeter. Open access points may be isolated and only be allowed specified access to the Internet, or a public data server. Or, they may be defined with designated VPN access to specific data. Custom policies for each server function and even entry points (as in the above WAP example) are now possible, thereby making the system flexible as needs change.
Security policies can be custom-defined for each protected server as the result of a careful study of the organization according to some basic objectives of security:
- Users only have access to data they need to know to do their job
- Protection can be allocated to servers according to the worst-case impact that a compromise could create, with focus on mission critical data.
- There is no such thing as a trusted common LAN, or a trusted user. All networks are treated essentially as DMZs.
- Like a good lock, make unauthorized access so difficult, that intruders go elsewhere, are delayed, or make mistakes and get caught.
Internal Intrusion by a
Proxy”>
In the initial phase of a worm attack, the worm is planted on a system. In the second phase, an automated internal propagation of the worm virus to peer systems can occur. This phase is actually an internal attack, and the infected initial system is considered a hijacked system. Server-Specific Security cant stop the initial virus attack, but it can stop the second phase. Even with an entirely trusted workforce, this is a reason to deploy Server-Specific Security.
This isnt serendipity– eliminating the concept of a trusted network in your architecture can also help limit the ability of rogue systems from quickly doing the same type of damage that an individual might on a corporate intranet. The concept is called FireDoor , and was shown to be 100% effective at a recent SANS security bakeoff, where intrusion was invited from a group of experienced security hackers. After days of assaults with state of the art intrusion tools, an offered prize remained unclaimed. The FireDoor concept is simple and easy to implement (see details in the section titled “Implementation of Server-Specific Security” below).
Each individual firewall is fitted with appropriate inbound rules. Outbound rules are then added on a per server basis that will quarantine the worm to the originally infected server. The rule-set defines that:
- The server may not initiate a transfer; it can only respond.
- The server may not communicate with other servers within its perimeter protection.
Quite simply, FireDoor stops a worm in its tracks. While an unanticipated access path may compromise one server, it cannot spread the infection to its peer systems. Server-Specific Security on the corporate intranet can therefore protect servers from malicious users, AND hijacked systems. The FireDoor can alert systems management to block other similar intrusions, and invoke a recovery service for the lone infected server. Like the surgical mask on hospital personnel, it blocks the internal spread of infection.
Implementation of Server
-Specific Security”>
Server-Specific Security is not intended to replace the existing security assets already protecting the data center. It doesnt call for removal of anything, except the paths of vulnerability. While it is the strongest option today for internal protection of the most critical data, there are implementation choices
One may implement a host-based software solution running on the hardware to be protected, or dedicated network-based discrete hardware appliances may be defined as firewalls, VPN, and other security elements. Some of the solutions may reside inside the systems they protect, while others may reside externally. However in all cases, there is an individual approach to locking down each mission-critical system.
Likely, as needs vary between different servers, there will be a mix of implementation choices taken. There may be a dedicated perimeter gateway system, and host based software on traveling laptops, handhelds, and otherwise unprotected external machines with VPN access to the corporate intranet. Security Blades (see detailed description below) can then insure that every target of attack is protected and that no port out of a mission critical system carries unprotected data.
Guidelines for Implementation of Server-Specific Security
In all cases, the solutions with the highest reliability, best scalability, least disruptive impact, and ease of management will be valued highly. Obviously, there is subjective weight placed on price and performance, but a system only needs to be adequate to the task. It is better to have a purpose-built solution that is appropriately sized to the throughput of the server, than adapting an outsized appliance that is better suited to a perimeter function. In some cases, space and power are a consideration, which may exclude use of an external discrete box. The best solutions are purpose-built embedded appliances (actually embedded in the server), designed for a single function. They install once, and stay on mission for life.
Security designers may implement VPN and Firewall down to the individual server level via a number of means that fall into 3 categories.
- “Host-Based” Software, such as Check Point Secure Server, ISS Black Ice or Okena (see links below). The application runs under the operating system of the system it protects.
- An external embedded appliance box, running a VPN/firewall application. An example is a Nokia or SonicWall system.
- A Security Blade is an internal embedded appliance in PCI card format. It runs an embedded Firewall / VPN such as Check Point NG on its own operating environment.
In most cases, any of the choices may suffice. Limitations occur in the interactions of the given approach with the systems that they protect, the ability to provide common management of all security, and the performance / throughput capacity of a given option.
Server
-Specific Security Method #1–Host-Based Software”>
Host-Based Software refers to a security application running on the server to be protected. Examples include Check Point Secure Server, and products from Okena (Stormwatch), and Entercept Security Technologies version 4.0.
Advantages:
- Host-based software runs on the system it protects as an application under a common operating system.
- It runs at the kernel layer, allowing mail applications like Microsoft Exchange to be easily interfaced for virus screening when mail files are opened. It also allows very close monitoring of application calls within the OS to determine if an infection has infiltrated the host OS, even if it might be too late.
- Because the software is internal to the server, there are no unprotected external interfaces.
- Host-based applications can typically be installed quickly with minimal downtime of the server.
Disadvantages:
- Host-based software takes performance away from other processes running in the server and they may interfere with intended operation or availability of the server. Theyre probably best suited to protecting desktop systems.
- Must run on same OS as the protected system. This could imply as many different versions to manage as there are operating systems in the network.
- IT organizations typically see security software as parasitic to the servers mission. Obviously, the host-based application must operate under the same OS as the server, potentially restricting choice away from an optimal solution.
- Some “hybrid” host based solutions require a proprietary network adapter that includes acceleration hardware to assist. The system must be powered down for installation of this card.
- Top-down management is difficult as it requires managing security software on many diverse platforms and does not permit a standardized, centralized, common, global management strategy.
- On each OS upgrade a new version may be required, and it may not be available.
- If application hangs – availability of the server is blocked and requires manual intervention.
Server
-Specific Security Method #2 — External Appliance Boxes”>
External appliance boxes refer to independent, off-the-shelf appliances that reside outside the server and provide firewall & VPN services. While not necessarily server-specific in all cases, in that they may service a collection of desktops and servers on a network, they may be configured and used closely-coupled with individual servers. Examples include products from Examples include: Nokia (IP330 & more), SonicWALL (Tele, Pro and GX series), and Netscreen (5, 25, 50, 200 Series).
Advantages:
- They are quickly installed into racks and configured for operation.
- Can be very high-performance devices using specialized ASICs and/or high-speed embedded processors, and include fast internal buses to process very large numbers of concurrent secure connections, VPN tunnels, etc.
- They are totally independent of the system that they protect, being truly independent systems with their own CPU, RAM, and network interfaces. No dependence on the servers OS. No cycles are given up from server performance.
- The user selects the hardware and software as one entity. While this is easy, its not necessarily optimal.
- Can support multiple workstations and servers.
- In the event of failure, they can be easily bypassed by changing cables
- Can be implemented and serviced without stopping server OS
Disadvantages:
- Hardware Complexity – adds another failure point in-line to the process as follows:
- The failure rate of either the power supplies or file systems (both fairly high failure rate items) in the appliance box is additive to the failure rate of the protected server.
- A failed external system blocks availability of the protected server and it must be restarted manually.
- Some external appliance boxes run on proprietary hardware and software foundations
- The cables between the appliance box and the server can be easily bypassed to defeat security.
- May not be consistent with other management tools
- None purpose-built for Server-Specific Security
Server
-Specific Security Method #3 — Security Blades”>
Security Blades are internal embedded appliance systems in PCI card format with firewall & VPN software installed. One example is OminClusters SlotShield (Editors Note: the author of this story is Vice President and Chief Technical Officer of OmniCluster).
Advantages:
- Security Blades are totally independent of the system that they protect as truly independent systems with their own CPU, RAM, and network interfaces. No dependence on the servers OS. No cycles are given up from server performance.
- May operate from Flash Disk, a disk connected to the IDE connector of the blade, or a portion of the host disk.
- They are compact, in the form of a PCI card that operates inside the server.
- Typically replace a NIC card in server – no infrastructure impact
- Industry standard PCI, operating system, and application foundation
- As independent systems, the firewall and server may be on dissimilar OS foundations, facilitating optimal choice of firewall and server software.
- Security Blades provide the function of an external firewall box without additional external wiring.
- Can be used with no data connection to the host, where data flows through external ports only – drawing only power from the host
- Alternately, they may share the hosts disk, a mode called Diskless operation, for easy setup and management
- With diskless configurations, there are no additional points of failure. The security blade operates from a portion of a common host or SAN disk system. The common disk system stores a disk image that is boots and swaps as required, just as with a local disk device. Because it is centralized, the disk image is easily replaced and upgraded remotely
- Security Blades can be managed, reset, and restarted remotely.
- Because the Security Blade is internal to the server, there are no unprotected external interfaces external to the server.
Disadvantages:
- Except where hot-plug PCI is supported, power must be interrupted to the protected system for the appliance blade to be installed.
- Unless operated with no data connection to the host, drivers must reside on the host system
- Operation with physical disks requires a spare bay in the host, and becomes another point of failure
- Draws power from the host system
- Requires 2 GB of available disk space
- Requires a full length PCI socket – a problem in a system with no spare full-length slots
For more information on the burgeoning server blade market, check out the list of articles at the recently-formed Server Blade Trade Association Website. Also, take a look at the Server Blade Summit Website.
Conclusion
There is a growing problem of system intrusion from both the outside and inside. Overall, according to Gartner, the problem of intrusion has grown 377% in 2 years and nearly 80% of that is assumed to be from the inside according to the FBI, InterGov, and CERT studies. This is the portion that is known, and reported. The unreported, undetected, or concealed incidents may be far more.
Traditional approaches with perimeter gateways, layered, segmented, and departmentalized configurations, and intrusion detection systems on the perimeter are not effective against the most probable mode of attack – one launched from the inside.
The general topology for the vast majority of existing LANs is flawed with security exposures on the internal “trusted” intra-network. These existing LANs depend too heavily on perimeter protection, which also leaves many avenues for infection open to the outside as well. Numerous open intra-network ports on these same systems leave them vulnerable on the inside. It is impossible to fully plug all the internal and external vulnerabilities; the only feasible defense is to protect the target of attack.
Of the five examples in the initial paragraph of this story, all can be defended by a distributed intrusion prevention strategy using Server-Specific Security. The current investment in intrusion defense becomes the foundation for a coordinated solution to prevent both internal and external attack. A strong perimeter gateway firewall is typically required to defend against the external threat; use it as the guard at the gate. Intrusion detection systems will monitor gateway effectiveness and provide a defense against denial of service attacks.
A selection of Server-Specific Security protection options including Host Based software, and internal and external embedded solutions, is then required to provide a scalable, tailored, total defense. The degree of protection required by each server will vary with the potential impact of compromise for each given function. Some servers inside the perimeter may not need any additional protection, but a majority may, if only to prevent worm attacks from spreading rapidly.
Server-Specific Security, where each server is individually protected by a customized firewall / VPN is therefore the only effective defense against internal digital espionage. This same Server-Specific Security approach treats the entire intranet as a DMZ and vastly complicates the attack from outside as well. It can be configured as solid protection against “Code Red / Nimda / Slammer” type worm infection. The ability to resist and limit external attack is a reason to adopt single server protection, even with a thoroughly trusted workforce inside.
Single server protection is the next logical step in the digital arms race between intruders and IT professionals. This leaves you with a decision to be the victor, or the victim of an inside job.