It's a question many IT managers ask themselves daily. Chances are, your network's perimeter is locked up tight with a strong corporate firewall. Unfortunately, those who pose the greatest risk may already have a key. Employees, telecommuters, strategic vendors, temporary employees, and business partners require access to most networks today - the same networks that include sensitive customer data and financial records.
Given the critical need to keep everyone productive and still protect your company's intellectual property, it's no wonder so many IT managers are feeling a little insecure about network access.
Some Hard Facts
A joint survey conducted by the CSI and FBI found that in 2002, 90 percent of respondents had detected network security breaches over the last 12 months. Approximately 80 percent reported financial losses due to these breaches. Among companies who quantified these losses, the average cost was more than $2 million. In short, the threat of unauthorized network access is very real and the effects can be catastrophic.
The Internet has changed the way people work, communicate, collaborate, buy and sell. Business trends, such as outsourcing and telecommuting, further complicate a corporation's security challenges. Controlled access between corporate networks is often the most practical, cost-effective way to enable business partnerships. But allowing partners deep into the corporate network blurs the distinction between inside and outside access.
The traditional security paradigm of "assuming connections inside the perimeter firewall are safe and connections outside the firewall are suspect," is not nearly enough to protect a company's digital assets. Today's enterprise networks need security that extends from the server to all its end points, whether they're inside or outside the corporate perimeter.
Beyond Perimeter Firewalls
Conventional perimeter firewalls only protect the perimeter of the corporate network. They filter and audit traffic as it crosses the boundary between the LAN inside the company and the Internet outside. However, they're not designed to safeguard individual connections within the LAN. This would be analogous to putting a lock on the main entrance to an office building but leaving individual rooms or offices unlocked - once a person got past the main door, they could get to anything inside the building. This type of network is particularly vulnerable to a targeted attack. For example, a hacker targets machines that have inside access to the corporate LAN. Once they've gained control of such a machine, they use it as a launching pad to break into other systems.
The obvious way to improve security in a building would be to create keys and locks for each room inside it. Similarly, the latest generation of security solutions distributes firewall functions to desktop, notebook and server PCs across the network. Embedding firewalls throughout the company gives users easy access to information - without opening the rest of the network to a potential invasion. With this type of end-to-end security, it wouldn't matter whether users connect through intranets, extranets, VPNs or remote access. It also helps prevent an intrusion at a single end point from progressing further into the network or a public login from being used to break into a restricted-access machine.
Safe, Safer, Safest
Although all companies should be concerned about security, some must be particularly attentive. Organizations that store and rely on confidential and/or proprietary information require a particularly robust and reliable solution. These organizations include government agencies, financial institutions, insurance services, high-tech developers and health care providers.
Many organizations are becoming more and more distributed, with networks that include branch offices, partners, telecommuters and remote workers. As networks become increasingly distributed, network security must adjust to meet the changing nature of the network. Embedding hardware security at each of these new end points - putting locks on each door within the building - quickly becomes a viable option to ensure a consistent, sound security policy across the distributed network.
Software-based solutions - such as personal firewalls and anti-virus scanners - are simply not tamper-resistant enough. These solutions are only as secure as the operating systems of the servers or PCs where they reside. Once the operating system is compromised, the software security solution is effectively rendered useless. End-user action or even a malicious script delivered via email can easily disable software security products. It's even possible for "friendly" applications running on the host computer to inadvertently turn off security software to eliminate a driver conflict. Once these software solutions fail, the end system is left vulnerable. Worse yet, the rest of the network is at risk of penetration from this potential launching pad.
Perimeter firewall appliances or gateways offer superior tamper-resistance because their security functions are handled by hardware processors, not software. But as noted, these devices are limited to boundary protection. A NIC-based firewall solution extends this functionality beyond the perimeter and distributes it to network end points. It provides both bypass-and tamper-resistance. Security enforcement happens at the PC but is handled by the firewall hardware, separate from the host system - which makes it virtually invulnerable to malicious code or hacker attacks. Even in the unlikely event that an attacker can execute code on a firewall-enabled host, they will be severely restricted. They can't turn off or go around the embedded hardware firewall and progress further into the network.
As distributed networks expand, the ability to centrally monitor and manage the security infrastructure becomes critical. Just as it would be preferable for a security guard to lock and unlock any door from his security base station, rather than walk from room to room with a giant keychain, so it provides significant benefits for companies to configure and manage network security from a central control console. It enables IT administrators to easily regulate network security to fit changing business needs and maintain better control over user access. Security policies can be created and enforced for a specific machine (i.e. payroll server) or for a group of machines (i.e. all web servers). For example, IT staff can quickly adjust security levels in response to a newly detected network attack, as reported by the intrusion detection system (IDS), and, if necessary, shut down inbound and/or outbound traffic to any given machine or group of machines equipped with the embedded hardware firewall
One of the greatest challenges IT managers face with a distributed network is enforcement of security policy. Security that is controlled from a remote server is very difficult to turn off at the end points, especially if it is hardware embedded on an individual machine. IT administrators can be confident that once they deploy the appropriate security across the network, users and systems are safeguarded - and will stay that way.
The Emerging Home Work Force
A hardware-based firewall security solution at the PC level also protects telecommuting users who access the corporate LAN from home. PCs in the home are particularly vulnerable to hackers because most residential Internet services operate over open connections, with no added security. They are at an even greater risk if they are using a DSL router or cable modem. These "always-on" broadband connections are more vulnerable to hackers than dial-up modems because they keep computers connected to the Internet 24 hours a day. Dial-up services typically assign a user a new IP address on the Internet each time they connect, but broadband providers often assign a permanent Internet address to each customer, making it easier for an attacker to "lock on" to their connection.
Unfortunately, the number of attacks occurring on home PCs is rising as hackers discover these easy targets. That's the recent assessment of Carnegie Mellon's CERT Coordination Center, which tracks computer security threats and disseminates information on how to protect against attacks. According to CERT, the number of hacker attacks on home computers rose sharply in 2001. In many cases, hackers aren't going after personal files, but are simply using the computers to gain access to corporate networks. Securing these remote access endpoints with NIC-based firewalls helps protect the rest of the corporate network from risky Internet connections.
Time for Secure, End-to-End Connections
With global hacking events and virus incidents on the rise, it's no wonder many companies consider network security an essential factor in ensuring business profitability. Microsoft, eBay, Yahoo! and Amazon.com are a few corporate giants whose operations came to a grinding halt because of network breaches. Email viruses, such as Code Red, Sircam and Nimda, have increasingly become mainstream business news.
As hackers and virus writers continue to get craftier, network security products must evolve to stay ahead of them. PC-based, hardware firewalls add an essential layer of tamper-resistant, distributed protection to any smart security solution. Firewall hardware can be easily integrated into notebooks, desktops, and servers at the factory to deliver secured systems right off the shelf. Security-conscious corporate customers should ask their PC manufacturers if they offer firewall-enabled systems to secure the last unprotected are of the network: the personal computer.
James Teel is senior director of security solutions business management at 3Com Corporation (www.3com.com).