Behind the perimeter

As more attacks penetrate traditional perimeter defenses, smart organizations adopt defense-in-depth strategies in which application-level security plays an increasingly critical role.

Joseph Granneman knows all too well the importance of a true defense-in-depth strategy. Granneman, manager of networking and data security at Rockford Health System, a healthcare company in Illinois, had the gates barred by firewalls and intrusion-detection systems but still got slammed.

"We used to think the computer room was safe because it's on the LAN and not the Internet, but that's just not so," he says. "We've got a great perimeter, but the last few worms hit us anyway."

It turns out consultants had walked in with the infections. In one case, a consultant had unplugged a protected desktop and swapped in his infected laptop, bypassing the company's perimeter safeguards and spreading the infection internally.

"He didn't know he had the worm, so it wasn't intentional. But it hit us hard," Granneman says.

Cases like Rockford's are common enough that it is clear that reliance on a hardened perimeter is no longer enough. As perimeter security has become more robust, the bad guys have found new ways in. Or, as in Rockford's case, attacks are launched from within. What's more, business today demands cross-linking networks with partners and customers, many of which have less-than-secure networks.

"Even if we're doing the right things, we're not sure our partners are," says John Pironti, enterprise solutions architect and security consultant at Unisys, noting that large companies that do business with smaller shops are especially vulnerable. "Boutique shops don't tend to have the resources to protect themselves, and they like to advertise they're working with big companies. So if you're an attacker, you look for these little companies and attack them, then use the secure pipes into the larger organizations to attack them."

Faced with these changes, organizations are relying more on defense-in-depth strategies in which they bolster their perimeter security tools with internal measures and application-level security.

Three levels of defense

Granneman is taking a three-pronged strategy for his most critical internal resources. First, he is taking traditional firewall and IDS perimeter security and applying it internally in front of critical devices and servers. "We're trying to build a perimeter-like moat around the internal computer room," he says.

Second, he is implementing a technology from Zone Labs called Integrity, which eliminates the vulnerability underscored by the consultant's infected laptop. With Integrity, when a user logs on to the network, the user is directed to the Integrity server, which determines whether the machine has the appropriate patch levels and virus signatures before providing full network access. If the device is not up to snuff, Integrity routes it to a secure server that downloads the appropriate updates.

Third, Rockford is implementing Top Layer Networks' Attack Mitigator application-level intrusion-prevention system (IPS) between the servers and the firewall/IDS combination. Attack Mitigator focuses on protecting the network from nefarious traffic the firewall lets through. It homes in on individual application-level protocols, such as HTTP for Web applications, SMTP for e-mail or DNS for hosting, and ensures that only protocol-appropriate traffic types and requests get through to the server.

This third layer is especially important because the latest round of denial-of-service attacks, as well as spyware and malware infections, have made it by perimeter defenses and exploited holes at the application level.

For example, many recent attacks focused on exploiting miscoded field lengths in Web applications that kicked off buffer overflows. "If I have a field where I can type in a name, I should only have alpha characters there," explains Unisys' Pironti, who uses an application-level IPS from F5 Networks called TrafficShield. "There really should be no numbers there. So TrafficShield will stop the numbers before they pass through to the Web site, preventing a lot of the buffer overflow attacks. It creates a shield around the environment at the application level."
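The positive-security check Pironti describes, written out as an added example (not TrafficShield's code or any vendor's): each form field gets an allowlist of characters and a maximum length, and a request is forwarded only if every field conforms. The field policy and sample requests are constructed for illustration.

```python
import re
from urllib.parse import parse_qs

# Positive-security policy: for each form field, the only characters the
# application expects and the longest value it was coded to handle.
# Constructed example values; a real policy comes from the application's spec.
FIELD_POLICY = {
    "name": {"pattern": re.compile(r"[A-Za-z][A-Za-z' -]*"), "max_len": 64},
    "zip":  {"pattern": re.compile(r"\d{5}"), "max_len": 5},
}

def check_form(query_string, policy=FIELD_POLICY):
    """Return a list of policy violations for a URL-encoded form body.
    An empty list means the request conforms and may be forwarded."""
    violations = []
    fields = parse_qs(query_string, keep_blank_values=True)
    for field, values in fields.items():
        rule = policy.get(field)
        if rule is None:
            # Unknown fields are rejected: the application never defined them.
            violations.append(f"{field}: field not in policy")
            continue
        for value in values:
            if value == "":
                violations.append(f"{field}: empty value")
            elif len(value) > rule["max_len"]:
                # Length check first: this is the overflow case the text describes.
                violations.append(f"{field}: length {len(value)} exceeds {rule['max_len']}")
            elif not rule["pattern"].fullmatch(value):
                violations.append(f"{field}: characters outside allowed set")
    return violations

def should_forward(query_string):
    """Decision the application-level IPS would make for this request."""
    return not check_form(query_string)
```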

Better rights management

Another way organizations are looking to shore up the network from the application side is better identity management. Larry Jarvis, vice president of network engineering at Fidelity Investments, says his company has implemented a multi-pronged defensive approach similar to Rockford's and Unisys', but that it is finding the resulting complexity tough to manage.

"Today, we ensure network security through brute force - through segmentation and walling off microcosms of the overall infrastructure with firewalls and so on," he says. "But that doesn't scale well, and it's very complex to support and manage."

A better idea is to implement strict network rights and identity management, he says. "If you control where all of your users - both internal and external - can go, or how your servers can communicate, then you can restrict how the malware, spyware and viruses are spread through that infrastructure."

Jarvis says he's intrigued by concepts like new technology from Trusted Network Technologies (TNT). That technology, called Identity, integrates with directory services such as Microsoft's Active Directory and brings authentication and rights management down to the packet level.

According to TNT, Identity examines packets, validates digital signatures and applies security policies, and discards packets without Identity data or that fail policy. Users without the proper rights are not even aware that the services exist on the network.

The technology is appealing because it combines network and application security at the TCP/IP level, making it manageable across different environments, including Windows, Unix and Linux. "I can put one of their gateways in front of my data center and you won't be able to get there or even see that it's there unless you're truly authorized," Jarvis says.

The downside, he says, is that it's appliance-based and doesn't scale well. He advocates some kind of software-based middleware that would provide TNT-like authentication between servers in the data center.

"Right now, you have that big gooey middle in the data center where everything can talk to everything," Jarvis says. "If I can break that into, say, 1,000 logical domains of trust, I've cut my security vulnerability down. If one of those logical domains gets infected, it can't infect anyone who doesn't have the same rights."

He says it's like the TNT concept at the switch level. "If I were to take the TNT concept and then apply that to every switch port on my network, I'm there," he says. "But it just doesn't exist today."

TNT says it is working on developing Identity for other platforms, beyond its current appliance. The next iteration most likely will take the form of a blade, company officials say, which should help mitigate administration and management headaches.

Good code hygiene

But adding more security devices and identity management to the network only addresses one side of the problem. To truly secure your network, you not only need to block malicious traffic and ensure proper authentication, you also need to ensure applications aren't vulnerable.

John Pescatore, a vice president and research fellow at Gartner, says leading-edge companies are focusing on security during application development.

"We've started to see clients integrate security testing into their software development environment," he says. Organizations are using vulnerability scanning tools from companies such as Sanctum and SPI Dynamics to test programs as they are being built. "The software developers essentially push this button that says test the code for security, and it gets done upfront."

Overall, that approach is the most cost-efficient, Pescatore says. "They're finding that it's a lot cheaper to fix a security flaw during coding than it is after it gets attacked by a hacker."

But what about shrink-wrapped products? Rockford's Granneman says it's a constant battle to ensure the applications he purchases don't have blatant security problems. "There is a serious lack of understanding by software vendors about security," he says. It's not just companies like Microsoft battling holes at the operating system level. "It's application vendors in their own programming."

For example, he recently purchased a Web services application to let doctors digitally sign dictation while working from home via the Internet. But when he went to implement it, he saw the vendor had included a "save-as" button.

"That's not compliant with [the Health Insurance Portability and Accountability Act] because HIPAA says I have to maintain control over who has access to that data at all times," Granneman says. "But once it's downloaded to a home PC, I've lost control." When he pointed out the problem to the vendor, they argued to leave it in. "It was incredible," Granneman says. "I trust the doctor, but who else uses his PC? Plus, if he saves it to the PC and then it somehow gets infected with a piece of spyware that goes through the machine and starts e-mailing out personal medical documents, well, that's a problem."

For most Web applications, Granneman runs security scanning software to check them for vulnerabilities. "We use a tool that goes through all the links, reads them all out and especially looks for [Open Database Connectivity] connections," he says. "I've found a lot of vendors will hard-code their ODBC user name and password into their code, and you can see the ODBC driver name and everything. So when we see that, we're able to fix it before we put it up."

He says he's also found such blatant security problems as user and password lists in plain text in the root directory and unencrypted database tables of user passwords.

"In all of these cases, we found the problem and brought it to the vendor's attention," he says, not the other way around. "They all claim to be secure, and we try to ask all of these questions up front, but we still find problems."
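A pre-deployment check for the two problems Granneman describes, hard-coded ODBC credentials in application code and plaintext user/password lists in the web root, as an added example (not the scanning tool he uses). The sample files are constructed to stand in for a vendor's application directory.

```python
import re

# ODBC-style connection strings that embed a password, for example
# "Driver={SQL Server};Server=db1;Uid=web;Pwd=s3cret".
PWD_KEY = re.compile(r"\b(pwd|password)\s*=\s*([^;\"'\s]+)", re.IGNORECASE)
ODBC_HINT = re.compile(r"\b(driver|dsn|uid)\s*=", re.IGNORECASE)

# One "user:password" or "user,password" pair per line.
CRED_LINE = re.compile(r"^[A-Za-z0-9_.@-]+\s*[:,]\s*\S+$")

def scan_source(path, text):
    """Flag lines that carry a password in a file that also holds ODBC settings."""
    findings = []
    if not ODBC_HINT.search(text):
        return findings
    for lineno, line in enumerate(text.splitlines(), 1):
        if PWD_KEY.search(line):
            findings.append((path, lineno, "hard-coded ODBC password"))
    return findings

def scan_cred_list(path, text):
    """Flag files whose non-comment lines all look like user:password pairs."""
    lines = [l for l in text.splitlines() if l.strip() and not l.startswith("#")]
    if len(lines) >= 3 and all(CRED_LINE.match(l) for l in lines):
        return [(path, 0, "plaintext credential list")]
    return []

def scan_tree(files):
    """Run both checks over a {path: contents} mapping of the web root."""
    findings = []
    for path, text in files.items():
        findings += scan_source(path, text)
        findings += scan_cred_list(path, text)
    return findings

# Constructed sample files; the credentials are invented for the example.
SAMPLE_FILES = {
    "default.asp": 'conn.Open "Driver={SQL Server};Server=db1;Uid=webapp;Pwd=Secr3t!"\n',
    "db.ini": "[db]\ndsn=ClinicDSN\nuser=web\npassword=letmein\n",
    "users.txt": "jdoe:Passw0rd\nmsmith:hunter2\nadmin:admin\n",
    "readme.txt": "Install the driver, then set the DSN in db.ini.\n",
}
```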

The upshot

In the end, most users say the real solution to securing the network is in building and maintaining proper network architectures and security policies - not in implementing more technologies.

"A lot of what we see today is pretty reactive in nature, with people running around updating signatures and patching systems," Unisys' Pironti says. "But the key to getting secure is in getting more proactive, and that isn't really based on technology. It's more doing the policy, procedure and analysis piece upfront and then applying your countermeasures. Technology is just the tool to get there." 

Six steps to strong network security

As more attacks penetrate perimeter defenses, these six steps can help ensure your organization's network and applications remain secure.

1. Recognize the limits of the perimeter. Although perimeter security technologies such as firewalls and intrusion-detection systems (IDS) are important, they are just one part of an overall security solution. As more organizations look to open up their networks to business partners and customers, the perimeter becomes more porous and application-level security needs to play a greater role.

2. Build internal moats. Smart organizations identify their most critical and vulnerable resources and then deploy perimeter-like security devices, such as firewalls and IDSs, around them. This provides an added layer of defense and ensures that in the event of a perimeter breach, critical assets still are protected.

3. Protect against attacks from within. Realize that your internal network is no longer a trusted zone and act accordingly. Technologies such as Zone Labs' Integrity, which checks PCs to ensure they have the proper virus signatures and patch levels in place before providing access to the network, help ensure internal vulnerabilities are mitigated.

4. Deploy application-specific security wares. Firewall vendors, including Check Point, F5 and Top Layer, are rolling out intrusion-prevention systems that sit between perimeter defenses and internal servers. These devices perform application-specific deep packet inspection on traffic that the perimeter firewall lets through. They are especially effective at stopping application-specific attacks such as domain-level attacks that focus on DNS vulnerabilities or Web attacks that exploit known HTTP and FTP holes.

5. Improve identity management. If you can't get to a service, you can't compromise it. New technologies, such as TNT's Identity, look to ease internal and external identity management by integrating with directory services, such as Microsoft's Active Directory, and checking identity at the packet level. Ensuring that only authorized users and applications are granted access goes a long way toward shoring up application security.

6. Integrate security into application development. If applications have no security holes, they can't be breached, no matter how insidious the attack. Vulnerability scanners from SPI Dynamics and Sanctum can help ensure that applications are hole-free before deployment. Also examine shrink-wrapped products for proper coding practices.

Cummings is a freelance writer in North Andover, Mass. She can be reached at jocummings@comcast.net.


Copyright © 2004 IDG Communications, Inc.