Putting the brains into your network
According to Enterasys managing director Gary Mitchell, network management used to be about capacity and connectivity, but now continuity, context, and control are the watchwords.

Continuity is not just about raw reliability; it also means ensuring that bandwidth is available for real business data rather than being consumed by worms, viruses and other junk traffic. Other quality-of-service issues include the ability to throttle some classes of traffic (eg, e-mail) to ensure good performance for more time-critical applications such as an ERP system.

Context means identifying who is sending the information, and from what type of device. While the number of users isn't likely to change much, the number and variety of devices will grow. It will be increasingly important to ensure that devices do not send inappropriate types of data -- for example, a printer shouldn't send e-mail. This may require fine-grained control -- if a printer was able to generate e-mail service alerts you might want to let those through, but you wouldn't let it send hundreds of e-mails per minute. One possibility is to set overall policies which are then modified for specific user classes.

Control requires a quick response to emerging threats and anomalies; an organisation is better placed if it can detect and act quickly.

"The network itself has a part to play in the overall security posture of any organisation," says Mitchell.

Enterasys customers are mainly large corporations and educational institutions. The latter are "a breeding ground for lots of different types of network abuse," says Bussiere, such as improper DHCP or DNS servers, and they often need to rate-limit certain types of traffic (eg, peer-to-peer file sharing).

The dynamic distributed intrusion response can shut down traffic from a port in seconds, he says. In a test Bussiere carried out, the Blaster worm generated 175 packets per second from a PC he deliberately infected, showing the need to respond quickly.

The technology can block unwanted protocols and services completely. Devices must authenticate before they can join the network, and are then allowed to use only the protocols authorised for that user. For example, only a mail server should generate certain types of SMTP traffic, so if such traffic starts coming from an ordinary PC it is safe to block it, as it most likely indicates infection by a worm carrying a spambot.

When a problem is detected, the system generates an alert to the management console and may put the user into quarantine. That can range from rate-limiting that type of traffic, through blocking a specific protocol, to taking the user off the network temporarily or indefinitely.

This approach permits a real-time response without human intervention while maintaining human oversight. "We optimise 'time to find'," says Bussiere, identifying the switch port originating the suspect traffic in less than one minute.
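The policy logic described above (per-role protocol authorisation, a rate ceiling for protocols a device may use only sparingly such as a printer's alert e-mails, and a graduated response from rate-limiting through protocol blocking to taking the port off the network) is small enough to show in working code. The following is an added example written for this article, not Enterasys code; the roles, protocol names, Enterasys-style port names, the flow-record format and every threshold are assumptions chosen for illustration, and the sample records are constructed.

```python
"""Per-role protocol authorisation with a graduated quarantine ladder.

Added example, not Enterasys code. Roles, protocol names, port names and all
thresholds are assumptions chosen for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass, field

# Protocols a device in each role may originate, plus optional per-protocol
# ceilings (packets per second) for protocols it may use only sparingly.
POLICY = {
    "workstation": {"allowed": {"http", "https", "dns", "dhcp"}, "limits": {}},
    "printer":     {"allowed": {"ipp", "lpd", "snmp", "smtp"}, "limits": {"smtp": 1.0}},
    "mail-server": {"allowed": {"smtp", "dns", "https"}, "limits": {}},
}

# Aggregate rate above which a port is quarantined immediately, whatever the
# protocol, because a worm floods. (The article quotes 175 pps from one
# infected PC; the 150 pps ceiling here is an assumption.)
FLOOD_PPS = 150.0

# Escalation per (port, protocol): 1st offence rate-limits, 2nd blocks the
# protocol, 3rd and later take the port off the network.
LADDER = ("rate-limit", "block-protocol", "quarantine-port")


@dataclass
class Flow:
    port: str    # switch port that sourced the traffic
    role: str    # role the device authenticated as on that port
    proto: str   # application protocol observed
    pps: float   # observed packets per second for that protocol


@dataclass
class Engine:
    offences: dict = field(default_factory=lambda: defaultdict(int))

    def evaluate(self, flow):
        """Return (action, reason) for one observed flow."""
        if flow.pps > FLOOD_PPS:
            return "quarantine-port", f"{flow.pps:.0f} pps exceeds flood ceiling"
        policy = POLICY.get(flow.role)
        if policy is None:
            return "quarantine-port", f"unknown role {flow.role!r}; unauthenticated"
        if flow.proto not in policy["allowed"]:
            return self._escalate(flow, f"{flow.proto} not authorised for {flow.role}")
        ceiling = policy["limits"].get(flow.proto)
        if ceiling is not None and flow.pps > ceiling:
            return self._escalate(
                flow, f"{flow.proto} at {flow.pps} pps exceeds {ceiling} pps for {flow.role}")
        return "allow", "within policy"

    def _escalate(self, flow, reason):
        key = (flow.port, flow.proto)
        self.offences[key] += 1
        return LADDER[min(self.offences[key], len(LADDER)) - 1], reason


def parse_flow(line):
    """Parse one 'key=value' flow record (record format is an assumption)."""
    kv = dict(tok.split("=", 1) for tok in line.split())
    return Flow(kv["port"], kv["role"], kv["proto"], float(kv["pps"]))


# Constructed sample records, in arrival order.
SAMPLE_FLOWS = [
    "port=ge.1.7 role=workstation proto=https pps=12",
    "port=ge.1.7 role=workstation proto=smtp pps=40",    # PC sending mail: 1st offence
    "port=ge.1.7 role=workstation proto=smtp pps=60",    # 2nd offence
    "port=ge.1.7 role=workstation proto=smtp pps=90",    # 3rd offence
    "port=ge.1.9 role=printer proto=smtp pps=0.2",       # occasional service alert
    "port=ge.1.9 role=printer proto=smtp pps=5",         # printer spewing mail
    "port=ge.2.1 role=mail-server proto=smtp pps=120",   # legitimate MTA
    "port=ge.1.12 role=workstation proto=tftp pps=175",  # worm-like flood
]


def run(lines=SAMPLE_FLOWS):
    """Evaluate records in order; returns [(port, action, reason), ...]."""
    engine = Engine()
    results = []
    for line in lines:
        flow = parse_flow(line)
        results.append((flow.port, *engine.evaluate(flow)))
    return results


if __name__ == "__main__":
    for port, action, reason in run():
        print(f"{port:8} {action:16} {reason}")
```

Two design points matter in practice. Offences are counted per port and protocol rather than per host address, because the switch port is what the network can actually act on and is what the "time to find" quoted above identifies. And the flood check runs before the role check, so a device that has already authenticated into an allowed role is still cut off the moment its rate looks like a worm, rather than being walked up the ladder one offence at a time.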

Another security issue is the installation of rogue access points. Since there is no guarantee they have been securely configured, it's important to locate them quickly and take them off the network, says Baldry. Systems are available that can triangulate the positions of access points and plot their locations on a floor plan. Atkinson says some switches can be configured to disallow the connection of unauthorised access points.

It is even possible to restrict the location of wireless clients by using Newbury Networks' WiFi Watchdog, which uses a network of sensors to locate wireless clients, and when they are outside a predefined boundary their connections are denied or broken.

"We believe in the evolution of intelligence into the network itself," says Boland. "The network's coming out of the transmission function, and starting to play an integral part in the system function."

For example, a network can supplement antivirus and other protective measures by isolating devices that don't conform to a security policy. The Cisco Security Agent can work with products from vendors such as Symantec and McAfee and a RADIUS server to check devices for up-to-date patches and virus signature files, and if appropriate either deny access completely or put the device into a "walled garden" where the user can do nothing other than update the software. Other vendors such as Fortinet and Trend Micro offer similar capabilities.
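The admission decision in that paragraph (check the host's patch and signature state, then either admit it, deny it, or confine it to a walled garden where it can only reach update servers) can be illustrated with a small posture evaluator. This is an added example, not Cisco's, Symantec's or any other vendor's code, and it does not model how the Cisco Security Agent talks to a RADIUS server. The signature-age limit, the placeholder patch identifiers, the VLAN numbers and the update-server addresses are all assumptions; the RADIUS tunnel attribute names are the RFC 3580 ones a RADIUS server can return to place a port in a VLAN, and the sample posture reports are constructed.

```python
"""Posture validation with a walled-garden outcome.

Added example, not Cisco's (or any vendor's) code. Signature-age limit,
required patch names, VLAN numbers and update-server addresses are assumptions.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from ipaddress import ip_address, ip_network

MAX_SIG_AGE = timedelta(days=7)               # assumption
REQUIRED_PATCHES = {"patch-A", "patch-B"}     # placeholder patch identifiers
PRODUCTION_VLAN = "100"                       # assumption
REMEDIATION_VLAN = "999"                      # assumption

# The only destinations reachable from the remediation VLAN: patch and
# signature servers plus DNS (addresses are assumptions).
WALLED_GARDEN = [
    (ip_network("10.1.1.5/32"), "tcp", 80),
    (ip_network("10.1.1.5/32"), "tcp", 443),
    (ip_network("10.1.1.6/32"), "udp", 53),
]


@dataclass
class Posture:
    host: str
    agent_present: bool
    av_sigs: date = None                   # date of the installed signature file
    missing_patches: list = field(default_factory=list)


def radius_vlan(vlan_id):
    """RFC 3580 tunnel attributes a RADIUS server returns to put a port in a VLAN."""
    return {"Tunnel-Type": "VLAN", "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": vlan_id}


def evaluate_posture(p, today):
    """Return allow / quarantine / deny plus the attributes that enforce it."""
    if not p.agent_present or p.av_sigs is None:
        # Nothing trustworthy to validate: the "deny access completely" case.
        return {"decision": "deny", "reasons": ["no posture report from host"]}
    reasons = []
    age = today - p.av_sigs
    if age > MAX_SIG_AGE:
        reasons.append(f"virus signatures {age.days} days old")
    missing = REQUIRED_PATCHES & set(p.missing_patches)
    if missing:
        reasons.append("missing patches: " + ", ".join(sorted(missing)))
    if reasons:
        # Walled garden: remediation VLAN whose egress is limited to WALLED_GARDEN.
        return {"decision": "quarantine", "reasons": reasons,
                "radius": radius_vlan(REMEDIATION_VLAN)}
    return {"decision": "allow", "reasons": [], "radius": radius_vlan(PRODUCTION_VLAN)}


def walled_garden_permits(dst_ip, proto, port):
    """True only for the update servers a quarantined host may reach."""
    addr = ip_address(dst_ip)
    return any(addr in net and proto == p and port == pt for net, p, pt in WALLED_GARDEN)


# Constructed sample posture reports.
SAMPLE_HOSTS = [
    Posture("pc-01", True, date(2004, 6, 28), []),
    Posture("pc-02", True, date(2004, 5, 1), []),            # stale signatures
    Posture("pc-03", True, date(2004, 6, 28), ["patch-A"]),  # missing patch
    Posture("pc-04", False),                                 # no agent at all
]


def run(hosts=SAMPLE_HOSTS, today=date(2004, 6, 30)):
    """Evaluate every sample host; returns {hostname: decision dict}."""
    return {h.host: evaluate_posture(h, today) for h in hosts}


if __name__ == "__main__":
    for host, result in run().items():
        vlan = result.get("radius", {}).get("Tunnel-Private-Group-ID")
        print(host, result["decision"], vlan, result["reasons"])
    print(walled_garden_permits("10.1.1.5", "tcp", 443),
          walled_garden_permits("10.1.1.5", "tcp", 25))
```

The caveat a practitioner would add: a posture report is only as trustworthy as the agent that produced it, which is why the example denies a host that reports nothing rather than assuming it is clean, and why the walled garden is enforced by the network (VLAN plus an egress filter) rather than by anything the host says about itself.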

Similarly, an IDS can detect abnormal activity and then isolate either an individual server or a section of the network. It may not be possible to identify a brand-new threat if it enters a network before antivirus and other vendors have updated their products to recognise it, says Boland, but it should be possible to recognise the abnormal traffic it generates and quickly shut down network access to prevent its spread.

  • Network Access and Security (cont.)