Authenticating your users is no longer a simple task, especially if you have lots of them. As networks have grown in size and complexity over the years, so has the job of managing how users gain access to networks and resources.
The applications and data used by someone in the HR team are most likely not the sort of stuff you want your latest temp to be able to access.
So then you set about creating an access policy that deals with who gets access to what. It sounds simple enough, but when you have 10,000 employees in 50 different groups doing 200 different jobs, things can get a little tricky.
Single sign-on (SSO) systems have proved useful in tidying things up. They are in effect a master console for assigning access to employees in complex environments: they flush out "ghost" accounts (accounts and passwords nobody has used in a while) and streamline the creation and administration of accounts across hundreds of different resources.
It's quite rare that something as useful as SSO actually comes out of vendor land. It's even rarer for security software to present such a clear economic argument for its use. In most large organisations it will result in a boost to the bottom line, simply because the number of calls to the help desk requesting a password is slashed dramatically.
Instead of authenticating to a dozen different servers with a dozen different passwords, users just have to remember their master password. The SSO machine then logs them in to all of their accounts automagically. Neat. The flip side is that one password, and the SSO server holding all the others, now unlock everything, so both deserve stronger protection (two-factor authentication, a hardened host, audit logging) than any single account ever did.
Vendors like to call these technologies "identity management solutions", probably because it makes it sound cooler and more important. In truth, it's administration software as described above, with some good policy and management tools built in.
Firewalls
The truth about firewalls is they are among the least sophisticated computing devices ever invented, but they are also one of the most vital. A basic packet filter looks at packet headers -- source and destination IP address, the protocol (ICMP, UDP, TCP and so on) and, for TCP and UDP, the source and destination port -- and decides whether the packet should be allowed through. Stateful firewalls go one step further and remember which connections they have already allowed, so that replies get through and stray packets belonging to no known connection do not.
The main function of a firewall is to block unwanted incoming traffic. If you are running a Web server, you need to let traffic destined for TCP port 80 through (and port 443 if it serves SSL), otherwise no one will be able to reach it. As for your LAN, no connections from the outside world should be allowed in: deny everything by default and open only the ports you can justify.
Often the basic "nothing comes in" effect arrives for free with network address translation (NAT): unsolicited packets from the outside have no translation entry and are simply discarded. That makes NAT behave like a crude firewall, but it is not one. These days most routers and broadband modems have an in-built firewall or NAT function, but NAT does nothing to restrict outbound traffic, and restricting what can leave (a compromised desktop phoning home, say) is often just as desirable.
If your company doesn't have one, then you should consider resigning, moving to Brazil and hiring a plastic surgeon so you never have to show your face and be recognised in public again.
Virtual Private Networks
Virtual private networks (VPNs) let remote users reach their networks as if they were in the building, and can also provide a secure connection between two office sites. The PPTP (Point to Point Tunnelling Protocol) VPNs built into many operating systems are easy to set up, but the only thing standing between an outsider and your network is a password, and PPTP's MS-CHAP authentication is cryptographically broken: treat the protocol as obsolete. IPsec is the more robust choice. It can be configured to authenticate peers with certificates or keys issued by the VPN device, which means potential intruders can't simply throw a dictionary or a random password generator at your network in order to gain access.
VPNs can also be configured to allow only certain types of traffic across their links. This matters most on large site-to-site VPNs, but a good VPN policy is a must for any of them. If, for example, all you need across a link is file transfer using Microsoft's file-sharing protocol (SMB, TCP port 445), then why allow anything else? It was poor VPN policies that let the SQL Slammer worm propagate through supposedly secure global networks, even though it attacked a service on a port very few links have any business carrying (UDP port 1434, SQL Server's resolution service). Ask yourself what you need and enable it. Deny everything else.
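The firewall and VPN-policy points above, as an added example that is not code from the article: a toy stateful packet filter in Python. It shows a default-deny policy with one allow rule for inbound TCP/80 to a web server, replies to connections the inside started, a NAT-style "anything out" policy beside a restricted one, and a site-to-site tunnel that carries only SMB (TCP/445) and therefore drops SQL Slammer's UDP/1434 datagrams. All addresses, ports and flows are constructed for the demo; the `Firewall` class is a model of the behaviour, not any vendor's product.

```python
"""Added example, not code from the article: a toy stateful packet filter."""
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Packet:
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0      # 0 where the protocol has no ports (icmp)
    dport: int = 0
    syn: bool = False   # TCP SYN: this packet opens a new connection


@dataclass(frozen=True)
class Rule:
    action: str                   # "accept" or "drop"
    proto: Optional[str] = None   # None matches any protocol
    dst: Optional[str] = None     # None matches any destination address
    dport: Optional[int] = None   # None matches any destination port

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst is None or self.dst == p.dst)
                and (self.dport is None or self.dport == p.dport))


class Firewall:
    """Inbound and outbound rule lists; first match wins; unmatched = drop."""

    def __init__(self, inbound, outbound, inside):
        self.inbound = list(inbound)
        self.outbound = list(outbound)
        self.inside = set(inside)    # addresses on the protected side
        self.state = set()           # 5-tuples of flows already accepted

    @staticmethod
    def _flow(p):
        return (p.proto, p.src, p.sport, p.dst, p.dport)

    @staticmethod
    def _reverse(p):
        return (p.proto, p.dst, p.dport, p.src, p.sport)

    def process(self, p: Packet) -> str:
        if self._reverse(p) in self.state:   # reply to an accepted flow
            return "accept"
        if p.proto == "tcp" and not p.syn:    # no SYN, no state: not a real
            return "drop"                     # connection (defeats ACK scans)
        rules = self.outbound if p.src in self.inside else self.inbound
        for r in rules:
            if r.matches(p):
                if r.action == "accept":
                    self.state.add(self._flow(p))
                return r.action
        return "drop"                         # default deny


def perimeter_demo() -> dict:
    """Public web server on TCP/80, LAN closed to the outside, outbound open."""
    fw = Firewall(
        inbound=[Rule("accept", proto="tcp", dst="203.0.113.10", dport=80)],
        outbound=[Rule("accept")],            # NAT-style: everything may leave
        inside={"203.0.113.10", "10.0.0.5"},
    )
    return {
        "web": fw.process(Packet("tcp", "198.51.100.7", "203.0.113.10", 40000, 80, syn=True)),
        "web_reply": fw.process(Packet("tcp", "203.0.113.10", "198.51.100.7", 80, 40000)),
        "lan_smb": fw.process(Packet("tcp", "198.51.100.7", "10.0.0.5", 40001, 445, syn=True)),
        "lan_ack_scan": fw.process(Packet("tcp", "198.51.100.7", "10.0.0.5", 40002, 445)),
        "lan_out": fw.process(Packet("tcp", "10.0.0.5", "198.51.100.7", 50000, 443, syn=True)),
        "lan_out_reply": fw.process(Packet("tcp", "198.51.100.7", "10.0.0.5", 443, 50000)),
    }


def tunnel_demo() -> dict:
    """Site-to-site link: a permissive tunnel beside one that carries SMB only."""
    slammer_in = Packet("udp", "10.1.0.9", "10.0.0.5", 1434, 1434)   # one UDP datagram
    slammer_out = Packet("udp", "10.0.0.5", "10.1.0.9", 1434, 1434)
    smb = Packet("tcp", "10.1.0.9", "10.0.0.5", 51000, 445, syn=True)
    anything = [Rule("accept")]
    smb_only = [Rule("accept", proto="tcp", dport=445)]
    open_tunnel = Firewall(anything, anything, inside={"10.0.0.5"})
    strict_tunnel = Firewall(smb_only, smb_only, inside={"10.0.0.5"})
    return {
        "open_slammer": open_tunnel.process(slammer_in),
        "strict_smb": strict_tunnel.process(smb),
        "strict_slammer_in": strict_tunnel.process(slammer_in),
        "strict_slammer_out": strict_tunnel.process(slammer_out),
    }


if __name__ == "__main__":
    print(perimeter_demo())
    print(tunnel_demo())
```

The two demos are the weak and the corrected policy side by side: the open tunnel passes the worm in both directions, the SMB-only tunnel drops it while the file-sharing session still works, and the perimeter rules show why a stateful check is needed to let the web server's replies out without letting an ACK scan in.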
Network-based Intrusion Detection Systems
Network-based intrusion detection systems (NIDS) have been around for donkeys' years. They are usually deployed as standalone network "sniffers" that analyse traffic as it passes the machine, which acts as a sensor. A NIDS compares traffic that passes it to known attacks and alerts the administrator to any suspicious activities.
The problem with NIDS, according to Robert Ferrell, a systems security specialist with the US Department of the Interior, is managing the technology.
"NIDS, or any IDS, for that matter, is probably the most misunderstood and blatantly abused tool available to the security practitioner," he says. "Without intelligent and strategically sound placement of the probes, without a thorough understanding of the algorithms and the network topology in place, without human interpretation of the results, an IDS is just an expensive piece of junk using up valuable bandwidth and CPU cycles and spewing out tons of useless data."
When Gartner, which had been hyping IDS, effectively ditched its support for the tool, many vendors re-branded them as "intrusion prevention systems", or IPS. They are basically the same device with some real-time heuristics -- a method of detecting attacks that may be new or unknown -- thrown in for good measure. The real difference is placement: an IPS sits inline, in the path of the traffic, so it can strip the malicious content out of a nasty packet or simply block it before it arrives, whereas a NIDS sensor on a tap or span port only sees a copy and can do little more than alert. The catch is that an inline box that misfires, or falls over, takes the link down with it. These detection techniques were already used in NIDS, but marketing managers everywhere agree "prevention" is better than "detection", so voila! IPS it is.
Another limitation of NIDS is that they can't inspect encrypted data, which makes them close to useless for spotting attacks against SSL-enabled Web servers. Some vendors offer NIDS products that can decrypt SSL traffic, but the administrator has to load the device with the server's private key, which makes some security consultants hesitant: it is another place the key can be stolen from, and so another weak point, the NIDS itself (see sidebar on page 88). The trick also only works for cipher suites in which the session key is encrypted under the server's key; with the Diffie-Hellman (forward-secret) exchanges that modern TLS prefers, a passive sensor can't recover the session key even when it holds the private key.
A better alternative may be to use an SSL accelerator: a machine that sits in front of the Web server and handles all the encryption. Data passes between the accelerator and the Web server in clear text, where the NIDS can analyse it. That clear-text segment must be a dedicated, physically separate link, or the exposure has simply moved from the sensor to the wire; and the accelerator now holds the private key, so it needs the same care the server did.
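How a NIDS compares traffic to known attacks, and why encryption blinds it, as an added example that is not code from the article. Signatures are matched the way Snort-style rules are (protocol, destination port, a byte pattern that must occur within the first `depth` payload bytes). `demo()` runs the same attack payload past the sensor in clear text, encrypted, and again after a terminating proxy has decrypted it. Packets, patterns and the key are constructed for the demo; the patterns are illustrative, not any vendor's rules, and XOR with a random one-time key stands in for TLS.

```python
"""Added example, not code from the article: a minimal signature-based NIDS."""
import os
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str
    src: str
    dst: str
    dport: int
    payload: bytes


@dataclass(frozen=True)
class Signature:
    name: str
    proto: str
    dport: Optional[int]          # None: any destination port
    content: bytes                # bytes that must occur in the payload
    depth: Optional[int] = None   # limit the search to the first N bytes

    def matches(self, p: Packet) -> bool:
        if p.proto != self.proto or (self.dport is not None and p.dport != self.dport):
            return False
        window = p.payload if self.depth is None else p.payload[:self.depth]
        return self.content in window


SIGNATURES = [   # illustrative patterns, constructed for the demo
    Signature("directory traversal in HTTP request", "tcp", 80, b"../../"),
    Signature("shell path in TCP payload", "tcp", None, b"/bin/sh"),
    # SQL Slammer arrived as one UDP/1434 datagram whose first byte was 0x04.
    # A one-byte check alone is noisy; real rules add further content tests.
    Signature("SQL resolution service request", "udp", 1434, b"\x04", depth=1),
]


def inspect(packets: List[Packet], signatures=SIGNATURES) -> List[Tuple[int, str]]:
    """Return (packet index, signature name) for every hit, in the order seen."""
    return [(i, s.name) for i, p in enumerate(packets)
            for s in signatures if s.matches(p)]


def xor_pad(data: bytes, key: bytes) -> bytes:
    """Stand-in for TLS: XOR with a random key of equal length. Nothing in the
    output correlates with the input, which is exactly the sensor's problem."""
    return bytes(a ^ b for a, b in zip(data, key))


def demo():
    attack = b"GET /cgi-bin/../../bin/sh HTTP/1.0\r\n\r\n"
    clear = [
        Packet("tcp", "198.51.100.7", "203.0.113.10", 80, b"GET /index.html HTTP/1.0\r\n\r\n"),
        Packet("tcp", "198.51.100.7", "203.0.113.10", 80, attack),
        Packet("udp", "198.51.100.7", "203.0.113.10", 1434, b"\x04" + b"\x01" * 375),
    ]
    key = os.urandom(len(attack))
    encrypted = Packet("tcp", "198.51.100.7", "203.0.113.10", 443, xor_pad(attack, key))
    # What the web server sees once an SSL accelerator has stripped the encryption.
    decrypted = Packet("tcp", "203.0.113.9", "203.0.113.10", 80, xor_pad(encrypted.payload, key))
    return inspect(clear), inspect([encrypted]), inspect([decrypted])


if __name__ == "__main__":
    for label, alerts in zip(("clear", "encrypted", "after accelerator"), demo()):
        print(label, alerts)
```

The encrypted copy produces no alerts at all, not because the sensor is misconfigured but because there is nothing left in the bytes to match; the same packet on the clear-text side of the accelerator lights up both HTTP signatures again.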
Host-based Intrusion Detection Systems
Unlike NIDS, which watch traffic on the wire, host-based intrusion detection systems (HIDS) are installed on the host being protected and watch what happens on it: changes to system files, log entries, processes and memory. That lets them catch intrusions that have already succeeded, including ones that arrived over a link the network sensor could not read.
If some evil hacker type hacks into your system and replaces one of your system files with an alternative loaded with malicious code, a HIDS can detect the change by comparing the file against a fingerprint (a cryptographic checksum) taken when the system was known to be clean. The HIDS can also act like a booby-trap, watching for strange activity in system memory. The catch is that the baseline fingerprints are only as trustworthy as the place they are kept: store them on the same host, unsigned, and a careful intruder will simply update them to match.
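The file-integrity half of a HIDS, as an added example that is not code from the article. `baseline()` fingerprints every regular file under a directory (SHA-256 digest, size and mode bits); `verify()` later reports what was modified, added or removed. `demo()` builds a throwaway directory tree, tampers with it the way an intruder might (a trojaned binary of identical size, an appended back-door account, a new setuid shell) and returns the report, so it runs offline. Paths, file contents and the tampering are constructed for the demo.

```python
"""Added example, not code from the article: file-integrity checking as a HIDS does it."""
import hashlib
import json
import os
import shutil
import stat
import tempfile


def _sha256(path: str) -> str:
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: str) -> dict:
    """Relative path -> fingerprint for each regular file under root."""
    db = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue                          # symlinks, sockets etc. are skipped
            db[os.path.relpath(full, root)] = {
                "sha256": _sha256(full),
                "size": st.st_size,
                "mode": stat.S_IMODE(st.st_mode),
            }
    return db


def verify(root: str, db: dict) -> dict:
    """Compare the live tree with a stored baseline."""
    now = baseline(root)
    return {
        "modified": sorted(p for p in db if p in now and now[p] != db[p]),
        "removed": sorted(p for p in db if p not in now),
        "added": sorted(p for p in now if p not in db),
    }


def demo() -> dict:
    root = tempfile.mkdtemp()
    try:
        os.makedirs(os.path.join(root, "bin"))
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /usr/bin/ls \"$@\"\n")
        with open(os.path.join(root, "passwd"), "wb") as f:
            f.write(b"root:x:0:0::/root:/bin/sh\n")

        # The baseline must live where the intruder can't rewrite it (off-host,
        # or signed); here it is just serialised to JSON for the demo.
        saved = json.dumps(baseline(root))

        # Tamper: trojaned ls of identical size (size alone would miss it),
        # a back-door account appended to passwd, and a new setuid shell.
        with open(os.path.join(root, "bin", "ls"), "wb") as f:
            f.write(b"#!/bin/sh\nexec /tmp/.xx/ls \"$@\"\n")
        with open(os.path.join(root, "passwd"), "ab") as f:
            f.write(b"toor:x:0:0::/root:/bin/sh\n")
        with open(os.path.join(root, "bin", "sh2"), "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(os.path.join(root, "bin", "sh2"), 0o4755)

        return verify(root, json.loads(saved))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

Hashing rather than trusting size or timestamps is the point: the replaced `bin/ls` keeps its length and would keep any mtime an intruder cared to set, but its digest cannot be faked without a second-preimage attack on SHA-256.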
Contents
Introduction
Authentication and Single Sign-On
Patch Management
Case study: When security software goes wrong