Network security within: A cost-effective solution


Johannesburg, 30 Nov 2004

Many organisations have begun to realise that data network security flaws mainly occur inside the network and not outside it, where conventional perimeter firewalls are doing a good job of securing access from the outside.

"The problem is that these firewalls are powerless to control what is happening within the 'secured' data management zone (DMZ)," says Philip Olejnik, Services Manager at the JSE-listed Square One Solutions Group.

"Some try to solve the problem by creating smaller perimeters with more firewalls in between the segmented DMZ areas. However, the advent of 802.11 wireless infrastructure technology has led to organisations discarding this approach because the smaller the perimeter, the greater the chance for user to user communication through the air across different DMZ areas."

The Business Solutions division of Square One Solutions Group is the South African value-added reseller for Aruba Wireless Networks, an international manufacturer of high-performance centralised wireless networks and security systems.

Olejnik says Aruba's approach is to consider that everything is mobile by default, whether it is a user, device or port, and that the network has to be secured by securing the communication to and from any user, device or port in a bi-directional fashion -- not just from the outside to the inside as conventional firewalls would do.

"The Aruba switches that conduct this bi-directional security are ICSA certified in this regard and can therefore be used as mobile firewalls. Switches can be deployed to prevent laptop to laptop communication through the air, particularly between highly secure areas and employees outside those areas," says Olejnik.

He adds that a large university campus has used Aruba switches as centralised firewalls to enforce security policies between departments. If a user wants to access data from another department, the request is sent to Aruba switches that perform policy checks on the user concerned and then permit or deny access accordingly.

"These security applications have nothing to do with wireless networking in itself and access points are not required for them to be effected. They merely provide a higher degree of networking security from the inside of the DMZ to the rest of the network without incurring the cost of deploying hundreds of individual conventional physical firewalls between smaller and smaller perimeters."

To implement such a security application, Olejnik says an organisation would need Aruba switches with a VPN/Firewall software option. The switches, which in this application play the role of enforcement security servers, can be used over any existing network, wired or wireless.

"The only set-up requirement for the organisation is to decide which policies it wishes to enforce and then route all traffic requiring such policing into the Aruba switches. It is a simple and highly cost-effective solution.

"Of course the same solution is achievable in other ways but these require complicated installations of different equipment from various vendors. Such a solution design would probably introduce other security flaws because of the gaps that invariably exist between disparate systems."

The Square One Solutions Group

The Square One Solutions Group focuses on providing IT-based business enabling solutions. The company has a national footprint and more than 18 years of experience of the South African market. Square One offers value-based solutions centred around biometric authentication; integrated wireless and mobile applications; enterprise storage and backup/recovery; enterprise power; coding and marking; enterprise LAN, WAN and infrastructure as well as Service Provider solutions for the corporate, SME and government markets. The company also distributes document solutions, colour input and output devices and provides 24x7 national support and service.

Editorial contacts

Dave McDermott
Copywise
(011) 478 2055
dave@copywise.co.za
Dawn Alexander
Square One Solutions
(021) 464 4000