New network security challenges require new approach
Embedding security policies in the fabric of the network.
Security challenges are likely to become a hallmark of 2010, not least when it comes to securing enterprise-wide computer networks.
“Essentially, a network security solution needs to ensure that only legitimate network packets reach their appropriate destinations,” says 3Com Africa regional sales director Derek Wiggill. “What constitutes legitimate network activity, however, is becoming increasingly complex, reflecting more sophisticated policies, business initiatives, and compliance requirements that are stretching the capabilities of today's enterprise networks.
“As a result, organisations need to rethink their network security requirements and build policy awareness and enforcement into the fabric of the network.”
In response to the internal nature of most network threats, organisations are moving from a secure perimeter to a Secure Network Fabric (SNF) that addresses the pervasive need for security and policy enforcement throughout the network. An SNF is characterised by a few key features:
* Real-time automated remediation - Many security products alert on or log every problem, attack or security breach. Manual intervention, however, is required to actually fix the problem, which takes time while threats propagate internally. A superior approach is to block or remediate threats in real time within the network, by intelligently identifying illegitimate network packets and dropping the offending traffic. This reduces the delays and costs of manual intervention and proactively halts the malicious activity.
* Global enforcement - Rather than just protecting a network from the outside world with a secure perimeter, or protecting high-risk assets from segments of the network through chokepoints, modern security policies have to be enforced everywhere. The fabric of the network has to be inherently secure, with security devices embedded in the network topology.
* Centralised management platform - As security devices become more ubiquitous, the policy management framework must be defined once, centrally, and enforced everywhere. This reduces inconsistencies, management overheads and costs, and allows for more sophisticated policies in the future. Networks can be aligned with compliance and risk management initiatives to become more responsive to changes in broader business needs.
“Different organisations will have their own unique priorities for implementing an SNF,” says Wiggill.
In the healthcare industry, a high priority is given to patient privacy and appropriate record management and access control, with the ultimate goal of achieving full regulatory compliance. Mapping the required policies to identity or role-based rules, as well as content-based requirements, is much easier than figuring out how to configure your firewalls or modify your network topology. The resulting policy implementations are much more flexible and easier to modify and keep up to date.
University and large campus networks are focusing on identity-based policies and user access management issues because they have a large population of users that change frequently, bring their own unmanaged systems on to the internal network, and are not completely trusted. Assigning new users to groups, such as staff and administrators, or grouping students by major, can ensure appropriate access to various resources in a manageable fashion.
“Generally,” says Wiggill, “we are seeing the networking infrastructure becoming inseparable from the security and policy enforcement points that are now embedded throughout the network, and from the centralised policy management system that oversees network and security operations.
“As the sophistication of policies grows beyond simple binary access control decisions, the network infrastructure can be expected to make policy decisions on quality of service to make networks more efficient and cost effective.
“As a result, enterprises are now looking to their networking infrastructure vendor to be their strategic security solution provider as well. More of a premium is being placed on embedded policy enforcement, and on high-performance security devices that can interoperate with the intelligence of the switch to realise the vision of a Secure Network Fabric.
“Multi-vendor, best-of-breed security appliances are becoming harder to justify from both a price-performance perspective, as well as difficulty in seamlessly integrating into the network fabric. Enterprises should rather look for a partner with a comprehensive portfolio that covers core-to-edge, data centre and branch office solutions, and a tightly integrated approach to security and networking components under a common management framework with the tools to build out and enforce complex policies.”