Traditionally, network security has been concerned with preventing break-ins by using firewalls, intrusion detection systems, and so on, says Scott Atkinson, networking solutions director at NetForce. Today, problems are coming from inside, whether as the result of internal hacking with the help of readily obtained and easy-to-use tools, or when notebook users unintentionally bring viruses and other malware inside the firewall.
"The network is taking on more responsibility about who is using it," says his colleague, network solutions specialist Daniel Baldry, and that includes checking devices are up to date with patches and antivirus protection. "Once you're inside, the network's your oyster," he adds, as packet sniffing software can sift out unencrypted usernames and passwords, and software can be designed to sporadically bring down a network, giving the impression of an intermittent hardware fault.
Switches can work with RADIUS and other authentication servers to force users to identify themselves before they can connect to the network, says Baldry.
Dick Bussiere, chief technology officer at Enterasys Networks, says his company embeds security into the switching and routing infrastructure so every switch port becomes a dynamically self-configuring firewall, with policies based on the user or device type. This improves uptime and availability as well as security, he says, and while it does come at a price, it is cheap compared with the cost of outages.
This technology can be deployed at the edge of the network (ie, in the switches to which PCs and other devices are connected), or only at the distribution layer. The latter is more cost effective but not optimal, he says, because using simple edge switches means a worm on one device can spread to others connected to the same switch.
Similarly, HP has been adding support for Access Control Lists (ACLs) and open standards like IEEE 802.1X to its ProCurve edge switches. They also provide features such as MAC address lockdown and source port filtering to provide access only to appropriate users and protect open ports from inappropriate use.
When a user authenticates via 802.1X, ProCurve switches can place the user on the appropriate virtual LAN (VLAN) based on information from the RADIUS server so they can only access the relevant network resources. Where appropriate, the switch can also be set up to put a user onto a guest VLAN if authentication fails.
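The port-level decision described above, as an added example that is not HP's or the article's code: it takes a decoded RADIUS reply and returns the VLAN a switch would place the port on, honouring the RFC 3580 attribute triple (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID) on Access-Accept and falling back to a configured guest VLAN on failure. The reply dictionaries are constructed stand-ins for the decoded packet.

```python
from dataclasses import dataclass
from typing import Optional

# RFC 2868 / RFC 3580 values a RADIUS server sends to request a VLAN.
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


@dataclass
class PortDecision:
    state: str            # "authorized", "guest" or "blocked"
    vlan: Optional[int]   # VLAN the port is placed on; None = static port VLAN or blocked
    reason: str


def decode_group_id(raw: bytes) -> str:
    """Tunnel-Private-Group-ID may carry a leading tag octet (0x00-0x1F); strip it."""
    if raw and raw[0] <= 0x1F:
        raw = raw[1:]
    return raw.decode("ascii")


def assign_port_vlan(reply: dict, guest_vlan: Optional[int] = None) -> PortDecision:
    """Decide the port VLAN from a decoded reply: {"code": ..., "attrs": {name: value}}."""
    if reply["code"] != "Access-Accept":
        # Failed authentication: guest VLAN if the switch has one configured, else block.
        if guest_vlan is not None:
            return PortDecision("guest", guest_vlan, "authentication failed; guest VLAN configured")
        return PortDecision("blocked", None, "authentication failed; no guest VLAN")
    attrs = reply.get("attrs", {})
    # Only honour a VLAN when the full RFC 3580 triple is present and consistent;
    # an incomplete triple leaves the port on its statically configured VLAN.
    if (attrs.get("Tunnel-Type") != TUNNEL_TYPE_VLAN
            or attrs.get("Tunnel-Medium-Type") != TUNNEL_MEDIUM_IEEE_802
            or "Tunnel-Private-Group-ID" not in attrs):
        return PortDecision("authorized", None, "accepted without VLAN attributes; static port VLAN applies")
    group = decode_group_id(attrs["Tunnel-Private-Group-ID"])
    # Fail closed on a malformed VLAN id rather than guessing (design choice of this example).
    if not group.isdigit() or not 1 <= int(group) <= 4094:
        return PortDecision("blocked", None, f"invalid VLAN id {group!r} from RADIUS")
    return PortDecision("authorized", int(group), "RADIUS-assigned VLAN")


# Constructed sample replies: tagged group id (tag 0x01) requesting VLAN 100, and a reject.
ACCEPT_STAFF = {"code": "Access-Accept", "attrs": {
    "Tunnel-Type": 13, "Tunnel-Medium-Type": 6, "Tunnel-Private-Group-ID": b"\x01100"}}
REJECT = {"code": "Access-Reject", "attrs": {}}

if __name__ == "__main__":
    print(assign_port_vlan(ACCEPT_STAFF, guest_vlan=999))
    print(assign_port_vlan(REJECT, guest_vlan=999))
    print(assign_port_vlan(REJECT))
```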
Fotios Kotsiopoulos, pre-sales technical -- South Pacific at HP says it is important to make these decisions at the edge. "An analogy would be a front security door at someone's home. You don't let strangers into your house and then ask who they are and what they want access to," he says.
"The use of intelligent edge switches ensures data security, [and] increases network availability by preventing the impact of unauthorised network access and denial of service attacks," he adds.
According to Kotsiopoulos, HP ProCurve switches have the ability to authenticate non-802.1X capable clients using a standard Web interface, avoiding the need to install or configure any additional 802.1X client software.
Echoing Atkinson, Bussiere says mobile computing is a serious security threat thanks to the prevalence of desktop replacement systems, so network infrastructure must play a role in protecting the organisation. Since non-PC devices such as PDAs, cameras, and IP phones are being attached to the network, you can't rely on PC-based security measures. "It's about time the network stood up and played an active role in security," says Bussiere.