Lock your LAN

How and why should you keep network intruders out of your firm’s local area network (LAN)? Windows Middle East talks to the experts

Published December 1, 2006

There is a world of difference between one internet-connected PC and a network of Ethernet-linked computers. These differences, at the simplest level, are two-fold: one, more computers equals more potential threat entrance points; and two, the more users there are on a network, the more data is generated that might be of interest to outsiders. “Whether we look at a small to medium business and a large enterprise, the fundamental security threats are the same,” explains Symantec’s senior security consultant for this region, Ivor Rankin. “At the end of the day we’re talking about IP and the internet, so an organisation needs to realise that there are basic elements of security that must be in place in order to provide their organisation and therefore their customers with some degree of security.”

Know your enemies

So when we talk about network protection, what exactly do we mean? From whom or from what must our networks be protected? “We have to first distinguish between internal and external threats,” says Linksys’ regional manager, Mohammad Hoda. “External threats can be, for example, DOS (Denial of Service) attacks, worms, viruses and ‘war drivers’ that try to access wireless local area networks.” Internal threats, meanwhile, are those posed by your own employees, the users. “It’s important to control users’ operating environment, so that staff cannot endanger your business and its data,” says McAfee’s senior security consultant, Faisal Khan. “For instance, here in the McAfee office we have a complete operating environment (or COE) which applies to each PC; this configuration controls the applications we have and use, and what each user can install. This is important as most worms and botnets for instance are user initiated, usually through inappropriate downloads.”

All the elements

So when moving from a single AV-protected PC to securing a small network, what are the elements of protection that should be in place?
In speaking to software and hardware-focused IT security companies, the Windows team recorded a whole raft of strategies and many different answers to this question; however, one recurrent theme ran throughout, namely that of comprehensive ‘multi-layered’ protection. “It’s something that a lot of people are talking about - the fact that we need to have multiple tiers - essentially the same level of protection covering all the various entry points into a business,” says Symantec’s Rankin, “primarily the internet gateway, the servers of course, and last but not least the desktops. That would be the most fundamental type of protection that any organisation - even a five user business - would need to consider.” Sonicwall’s regional sales manager, Shahnawaz Sheikh, concurs: “Absolutely we’re talking about a multi-layered approach. We’re not talking about security that offers 50% or 60% protection - either you’re fully secured or you’re not secured; even a small vulnerability could be the same as your (business) not having any security at all.”

Multi-layered security, as the name suggests, relates to the OSI concept of network layers (see ‘Network layers explained’ below). At the lowest workstation level (layer seven - or the ‘application’ layer), properly configured anti-virus and personal firewall applications are key. In the case of the AV software itself, many SMB and enterprise-specific products, such as those from Symantec, McAfee and Trend Micro, can be controlled and managed by a central IT manager, who can decide the degree of freedom each user may have when it comes to things like installing software or using instant messaging apps. “For SMBs we have Office Scan; a server version (with central management) and a client version, with licenses, for individual user PCs,” states Trend Micro’s sales engineer, Samir Kirouani. “This includes AV functions, anti-spyware, personal firewalls, an adware remover, and a network layer scanner.
The software’s manager doesn’t need to be a techie, but in the morning they should put aside some time to log in through their browser and assess the situation.”

Safe salespeople

The need for a personal firewall on each user’s PC is something all the security software vendors we spoke to were especially keen to stress, particularly in relation to laptop users who work in the field, then return to the company office and log in again using the same machine. “Most organisations, because of the cost of broadband internet coming down and their business requirements, have a mobile user who travels and uses a laptop,” says Sonicwall’s Sheikh. “When they go away, connect elsewhere, then come back to the network and connect, the moment they do this - if they have a virus or worm, they bring this into your network. If you have desktop security, including a personal firewall, for these remote users, you’re able to protect those PCs and stop such threats.” Trend Micro’s Kirouani agrees and says this is a key issue: “The main route we see of people getting into the network at the moment is when an employee brings their laptop in and connects to the LAN. At work, you should be protected by your network firewall, but a personal firewall will also provide this protection when you’re at home or away from the office.” So this double protection at the PC level is key. However, higher level protection - at the perimeter of a network - is obviously also required to gain true multi-layer security.

Top level

“Firewalls are always on the first ‘layer’ of the network,” explains Trend Micro’s Kirouani, “they’re the interface between the internet and your network. When we talk about SMBs, the firewall will usually include a built-in router, plus often now some anti-virus functionality too.
AV software looks at a packet of data’s content and decides whether this is malicious or not, whereas a firewall is simply like having a nightclub ‘bouncer’; it’s got a list of people that are allowed in (i.e. onto the network), and not allowed in. After a packet (of data) is in, it then becomes the anti-virus’s job.” Symantec’s Rankin adds that firms should really pay attention to the type of firewall on offer. “If we go back five years, protection at the high level was adequate. A dedicated firewall and some big form of AV protection - to all intents and purposes the network was deemed to be secure. But that’s changed. Even though an organisation may have a perimeter firewall, it’s the technology in that firewall that determines the degree of security that the firewall is capable of providing.”

“In most cases the firewalls that are used in SMBs are primarily circuit-level gateways - they operate at a much lower level in terms of functionality, and as a result provide fewer degrees of complexity,” he continues. “This means they may be able to stop certain traffic coming into the network, but they may not be able to stop malicious traffic, such as a worm spreading over the network. Blaster, CodeRed and so on came in and infiltrated probably 90% of all networks, even though they were being protected by some sort of perimeter firewall, and fundamentally the reason is because the firewalls themselves were substandard to deal with the new threats; they could block basic ports, but on legitimate ports they didn’t have the ability to deliver full inspection - to determine whether inbound HTTP traffic is real HTTP traffic, or the type of traffic that will be used to create a buffer overflow on my web server and as a result gain control of that server.”

A standard firewall will block and open ports, but this alone isn’t enough. “Viruses and hackers always know which ports are open,” Rankin continues.
“You’re bound to have everyone browsing the internet, and usually this browsing is through HTTP traffic, which is port 80. E-mail comes through port 25. So even though you have a firewall, you’ll still need to open those ports, otherwise you’ll just block everything. So whichever company I scan, I know that their port 80 and port 25 will be open on the firewall. Therefore the job of a firewall is not enough on its own - you need to examine the content too. A company needs a firewall that can inspect traffic and determine whether or not it’s legitimate - whether it contains anything that may result in a breach or attempted breach of security systems,” he concludes.

This is also where an IPS - an intrusion prevention system - comes in. Largely bought in the past as a separate hardware device to sit at the network’s perimeter, the IPS’s traffic monitoring functions are now being included in more advanced firewall products, as well as forming part of unified threat management solutions (UTMs). It is the latter, however, that are the real growth area in the SMB network security space. Effectively a single hardware appliance that sits at the perimeter of the network next to the switch or router, the UTM is aimed very squarely at time- and cash-limited SMBs.

Growing in popularity

“The UTM is catching on, for three reasons,” asserts Sonicwall’s Sheikh. “It’s a simple, all-in-one device and cost-effective. For the SMB and entry-level enterprise, this type of network does not have dedicated expertise - one manager for network security, one for VPN, one for IPS, wireless and so on. They want everything on a single device that they can understand.” “Secondly,” Sheikh adds, “they don’t want to invest in multi-point products; they don’t want to talk to different vendors and have different vendor solutions. Thirdly, businesses with five up to two hundred users: their primary business is something else - not managing their IT infrastructure.
The UTM takes away the headache; a firm doesn’t need to have lots of security expertise. Even a person with some network knowledge will be able to manage this UTM box.”

“What we offer on the software side isn’t offered as a dedicated McAfee solution although it’s based on the McAfee engine; it’s a Sonicwall Anti-virus. What we add is what we call ‘client enforcement’. What I mean by that is that in a network with 50 users, if two users don’t have updated anti-virus info, or for some reason the AV on their PCs is disabled, they still have to pass through the Sonicwall UTM to access the internet. This UTM can detect that these users’ protection is not 100%, so it stops them and forces them to update their protection. Once a user is compliant, then they’ll be allowed to access the internet.”

As far as the pricing of such an all-in-one hardware solution is concerned, Sheikh suggests a 50-user business, for example, should budget around US $3000. “$2500 to $3000 will cover the cost of the UTM plus desktop software and server licenses.” For budget-strapped yet security-conscious organisations, this route could be one that’s well worth investigating further.
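The ‘client enforcement’ that Sheikh describes, and the returning-laptop problem raised under ‘Safe salespeople’, both come down to one policy decision at the gateway: is this PC’s desktop protection in order before it is allowed out to the internet? The following Python is an added example written for this article, not Sonicwall’s or any vendor’s code. It assumes the gateway can learn each client’s anti-virus state, signature date and personal firewall state (the EndpointPosture fields), and the policy values, host names and update server are all constructed placeholders.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Policy knobs (constructed values; a real appliance would take these from its console)
SIGNATURE_MAX_AGE = timedelta(days=3)
REMEDIATION_ONLY = {"av-updates.example.invalid"}  # placeholder update server
TODAY = date(2006, 12, 1)  # fixed "now" so the sample output is reproducible


@dataclass
class EndpointPosture:
    """What the gateway learns about a client PC before it may reach the internet."""
    host: str
    av_installed: bool
    av_enabled: bool
    signature_date: Optional[date]
    firewall_enabled: bool


def evaluate(posture: EndpointPosture, today: date):
    """Return (decision, reasons): 'internet' when every check passes, else 'remediate'."""
    reasons = []
    if not posture.av_installed:
        reasons.append("anti-virus not installed")
    elif not posture.av_enabled:
        reasons.append("anti-virus disabled")
    elif posture.signature_date is None or today - posture.signature_date > SIGNATURE_MAX_AGE:
        reasons.append("anti-virus signatures out of date")
    if not posture.firewall_enabled:
        reasons.append("personal firewall disabled")
    return ("internet" if not reasons else "remediate", reasons)


def allowed_destinations(posture: EndpointPosture, today: date):
    """None means unrestricted; a non-compliant PC only gets the update server."""
    decision, _ = evaluate(posture, today)
    return None if decision == "internet" else REMEDIATION_ONLY


def gate(postures, today: date):
    """Apply the policy to a whole fleet: host -> (decision, reasons)."""
    return {p.host: evaluate(p, today) for p in postures}


# Constructed sample fleet: one field laptop that has been away, and three desktops
SAMPLE_FLEET = [
    EndpointPosture("sales-laptop-01", True, True, date(2006, 11, 20), True),
    EndpointPosture("desk-07", True, False, date(2006, 11, 30), True),
    EndpointPosture("desk-12", True, True, date(2006, 11, 30), True),
    EndpointPosture("desk-03", True, True, date(2006, 11, 29), False),
]

if __name__ == "__main__":
    for host, (decision, reasons) in gate(SAMPLE_FLEET, TODAY).items():
        print(f"{host:16} {decision:9} {'; '.join(reasons)}")
```

The order of the checks matters: an uninstalled or disabled scanner is reported as such rather than as ‘out of date’, so the user gets the reason they can actually act on, and a non-compliant PC is not cut off entirely but limited to the one destination it needs to become compliant again.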
Relevant Kit:

Symantec (symantec.com): Symantec Client Security; Symantec Mail Security for Exchange
Linksys (linksys.com): RVS4000 & WRVS4400N secure routers; SRW224G4
Sonicwall (sonicwall.com): UTM TZ170 2040 Pro series
Trend Micro (trendmicro.com): Office Scan (client/server)
McAfee (mcafee.com): McAfee Total Protection for Small Business; McAfee IntruShield Network IPS appliances; McAfee IntruShield Security Manager appliance; McAfee Secure Internet Gateway
3Com (3com.com): OfficeConnect Secure Router; OfficeConnect VPN Firewall

Network layers explained

The different vertical layers of a computer network are explained using what’s called the OSI Model. This method of detailing the different parts of a network uses seven layers, which range from layer one - the ‘physical’ or hardware layer (where you would find a network hub, switch or gateway for example) - up to layer seven, which refers to software applications that run over the network.

Layer 1: ‘Physical layer’. Microsoft describes this as, “The physical layer, the lowest layer of the OSI model; concerned with the transmission and reception of the unstructured raw bit stream over a physical medium.” This covers network cables, adapter cards, the techniques used to transfer data to the cable and so on, and is the layer at which PCs/servers and internet devices are physically linked.

Layer 2: ‘Data Link layer’. Put technically by Microsoft, this “provides error-free transfer of data frames from one node to another over the physical layer”.

Layer 3: ‘Network layer’. This layer controls how the subnet - or group of linked computers - operates. In other words, it’s at this point that decisions are taken on which physical path data should take based on network traffic conditions, the given priority of network services and more.

Layer 4: ‘Transport layer’. As Microsoft puts it, this layer “ensures that messages are delivered error-free, in sequence, and with no losses or duplications.” One of its roles is to take messages from the session layer (below), split these into smaller, more manageable units (if required), and then pass these units to the network layer.

Layer 5: ‘Session layer’. This layer allows sessions (links or connections) to be established between processes running on different workstations (PCs), by performing name recognition, logging and so on.

Layer 6: ‘Presentation layer’. Simply formats the data to be presented to the final application layer. It provides for instance character code translation (such as ASCII to EBCDIC), data compression and password/date encryption.

Layer 7: ‘Application layer’. Put most simply, this layer acts as the window for users and application processes to access network services, providing functions such as remote file and printer access and directory services.

Learn more: http://support.microsoft.com/kb/103884/
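Rankin’s point under ‘Top level’ (port 80 has to be open, so a port-only firewall passes whatever arrives there, and the gateway must also judge whether the content is real HTTP) maps directly onto the layer model above: the port decision is a layer 4 decision, the content decision is a layer 7 one. The Python below is an added example written for this article, not code from any product named here. It constructs a minimal Ethernet/IPv4/TCP frame (made-up addresses, checksums left at zero), dissects it layer by layer, applies a port-only rule, and then applies a deliberately small application-layer sanity check on anything bound for port 80. The allowed port list, the size limit and the sample payloads are all constructed for the example.

```python
import struct

ETHERTYPE_IPV4 = 0x0800
PROTO_TCP = 6
ALLOWED_PORTS = {80, 25}          # the ports Rankin says every firm has to leave open
MAX_REQUEST_LINE = 512            # constructed limit: a sane HTTP request line is far shorter
HTTP_METHODS = {b"GET", b"HEAD", b"POST"}


def build_frame(src_port: int, dst_port: int, payload: bytes) -> bytes:
    """Construct a test frame: 14-byte Ethernet + 20-byte IPv4 + 20-byte TCP + payload."""
    eth = (b"\x00\x11\x22\x33\x44\x55" + b"\x66\x77\x88\x99\xaa\xbb"
           + struct.pack("!H", ETHERTYPE_IPV4))
    # TCP: ports, seq, ack, data offset 5 words, flags PSH+ACK, window, checksum 0, urgent 0
    tcp = struct.pack("!HHIIBBHHH", src_port, dst_port, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total_len = 20 + len(tcp) + len(payload)
    # IPv4: version/IHL, TOS, total length, id, flags/frag, TTL, protocol, checksum 0, src, dst
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, PROTO_TCP, 0,
                     bytes([192, 0, 2, 10]), bytes([192, 0, 2, 80]))
    return eth + ip + tcp + payload


def dissect(frame: bytes) -> dict:
    """Walk the frame through OSI layers 2, 3 and 4 and hand back the layer 7 payload."""
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETHERTYPE_IPV4:
        raise ValueError("not an IPv4 frame")
    ip = frame[14:]
    ihl = (ip[0] & 0x0F) * 4                       # header length in bytes
    if ip[9] != PROTO_TCP:
        raise ValueError("not TCP")
    tcp = ip[ihl:]
    src_port, dst_port = struct.unpack("!HH", tcp[:4])
    data_off = (tcp[12] >> 4) * 4
    return {
        "layer2": {"ethertype": ethertype},
        "layer3": {"src": ".".join(str(b) for b in ip[12:16]),
                   "dst": ".".join(str(b) for b in ip[16:20])},
        "layer4": {"src_port": src_port, "dst_port": dst_port},
        "layer7": tcp[data_off:],
    }


def port_filter(pkt: dict) -> bool:
    """The 'bouncer' with a list: layer 4 only, never looks at the payload."""
    return pkt["layer4"]["dst_port"] in ALLOWED_PORTS


def looks_like_http_request(payload: bytes) -> bool:
    """Layer 7 check: does this port-80 payload at least start like a real HTTP request?"""
    line_end = payload.find(b"\r\n")
    if line_end < 0 or line_end > MAX_REQUEST_LINE:
        return False                               # no request line of sane length
    parts = payload[:line_end].split(b" ")
    if len(parts) != 3:
        return False
    method, target, version = parts
    if method not in HTTP_METHODS or not target.startswith(b"/") \
            or not version.startswith(b"HTTP/1."):
        return False
    return all(0x20 <= c < 0x7F for c in payload[:line_end])   # printable ASCII only


def perimeter_decision(frame: bytes) -> str:
    """Port rule first, then content inspection for traffic that claims to be HTTP."""
    pkt = dissect(frame)
    if not port_filter(pkt):
        return "drop: port closed"
    if pkt["layer4"]["dst_port"] == 80 and not looks_like_http_request(pkt["layer7"]):
        return "drop: not legitimate HTTP"
    return "allow"


# Constructed sample traffic
GOOD_FRAME = build_frame(40000, 80, b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n")
BAD_FRAME = build_frame(40000, 80, b"\xff" * 600 + b"\r\n")   # port 80, but not HTTP at all
CLOSED_FRAME = build_frame(40000, 22, b"SSH-2.0-x\r\n")

if __name__ == "__main__":
    for name, frame in [("good", GOOD_FRAME), ("bad", BAD_FRAME), ("closed", CLOSED_FRAME)]:
        print(f"{name:7} port-only: {port_filter(dissect(frame))!s:5} full: {perimeter_decision(frame)}")
```

The BAD_FRAME case is the one the article is about: the port-only rule says yes because the destination is 80, and only the layer 7 check turns it away. A production gateway would of course check far more than the request line, but the division of labour is the same.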
