Securing your IT network, layer by layer


The identity of an individual and the role they play in the organisation is the only relevant factor when determining what resources they should be allowed to access, according to Netsolutions' Richard Savage.

A significant shift in the security landscape is under way, and many organisations have not yet worked out how to respond to the growing requirements for security, reliability and compliance within their environments.


Security safeguards are typically unmanaged, under-funded and poorly understood. In many cases, security issues are known by a select few who rarely take up these issues, either because of lack of funding, adequate skills, or time.

The concept of a trusted and un-trusted network has effectively gone, with employees moving in and out of the network at will, working remotely, or moving freely between offices. Laptop sales are outstripping desktop sales, a further indication that mobility and flexibility are major requirements for businesses.

Systems, data and applications are also being consolidated in specialised data centres, often co-located with other organisations' systems, all sharing power, air-conditioning and physical security. While many organisations have invested in core systems, applying high availability, strict backup regimes, strict physical security and careful monitoring of availability, the connectivity to the data centre often hangs by a thread. At Netsolutions, we often see staff connecting to a poorly designed network in an organisation that offers little or no security.

To address these issues, a good approach is to break down each of the layers of the network, taking one step at a time. By applying security and monitoring at every level, an organisation can start to build a strong security stance, with visibility into all parts of the environment.

In addition to the standard seven layers (physical, data link, network, transport, session, presentation, application) I'd recommend a new layer: 'Layer 8', that of 'identity'. We should no longer think about the location of a user as being relevant. The identity of an individual and the role they play in the organisation is the only relevant factor when determining what resources they should be allowed to access.

At Layer 2, the data link layer, the switching infrastructure can be configured to provide a number of safeguards. These include VLAN-based separation of devices in the network, DHCP snooping and dynamic ARP inspection to protect against ARP spoofing and DHCP attacks, MAC limiting to protect against MAC flooding, and private VLANs to provide intra-VLAN security in high-risk areas.

At Layer 3, the network layer, the routing infrastructure provides separation and control of routed domains to eliminate unwanted traffic paths and provides intelligent, policy-based forwarding. Controls such as Unicast Reverse Path Forwarding (uRPF) can be used to mitigate the risk of IP spoofing and DoS attacks, and the routing layer can also filter IP traffic and secure the routing protocols themselves.
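As an added illustration (not from the article or Netsolutions), the following Python models the strict and loose uRPF check a router applies before forwarding: the best route back to the packet's source must exist and, in strict mode, must point out the interface the packet arrived on. The forwarding table, interface names and addresses are all constructed for the example.

```python
import ipaddress

# Constructed forwarding table: (prefix, egress interface). A real router
# derives this from its routing protocols; the entries here are made up.
FIB = [
    (ipaddress.ip_network("10.1.0.0/16"), "Gi0/1"),   # internal user networks
    (ipaddress.ip_network("10.2.0.0/16"), "Gi0/2"),   # data centre
    (ipaddress.ip_network("192.0.2.0/24"), "Gi0/1"),  # a more specific route
    (ipaddress.ip_network("0.0.0.0/0"), "Gi0/0"),     # default route to the internet
]


def best_route(src, allow_default=False):
    """Longest-prefix match for src. The default route only counts when
    allow_default is set, mirroring the usual uRPF 'allow-default' option."""
    ip = ipaddress.ip_address(src)
    best = None
    for prefix, iface in FIB:
        if prefix.prefixlen == 0 and not allow_default:
            continue
        if ip in prefix and (best is None or prefix.prefixlen > best[0].prefixlen):
            best = (prefix, iface)
    return best


def urpf_permit(src, ingress, mode="strict", allow_default=False):
    """Return True if a packet from src arriving on ingress passes uRPF.

    strict: the return path to src must leave via the ingress interface.
    loose : any (non-default, unless allowed) route back to src is enough.
    """
    route = best_route(src, allow_default)
    if route is None:
        return False          # no route back to the source: drop
    if mode == "loose":
        return True
    return route[1] == ingress


if __name__ == "__main__":
    # A packet claiming an internal source but arriving from the internet
    # fails the strict check; the same source on its home interface passes.
    print(urpf_permit("10.1.5.5", "Gi0/0"))   # False (spoofed)
    print(urpf_permit("10.1.5.5", "Gi0/1"))   # True
```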

At Layer 4, the transport layer, control and management of TCP traffic is essential. Monitoring session volumes using flows to track anomalies, managing sessions per destination to avoid service-level DoS issues, quotas on outbound communication to contain outbreaks, and TCP SYN/ACK protection against SYN flood attacks are all possible.
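As an added example (not from the article), this Python runs the three Layer 4 checks just described over constructed flow records of the kind a NetFlow or IPFIX exporter would produce: a session limit per destination, an outbound fan-out quota per internal host, and a half-open (SYN-only) ratio as a SYN flood indicator. The thresholds, addresses and the "10." internal prefix are assumptions for the example.

```python
from collections import Counter, defaultdict

INTERNAL_PREFIX = "10."   # constructed: what counts as an internal source

# Constructed flow records: (src_ip, src_port, dst_ip, dst_port, tcp_flags).
FLOWS = [
    ("10.1.0.5", 40001, "10.2.0.10", 443, {"SYN", "ACK", "FIN"}),
    ("10.1.0.6", 40002, "10.2.0.10", 443, {"SYN", "ACK", "FIN"}),
    # one internal host fanning out to 30 hosts on a single port (outbreak-like)
    *[("10.1.0.99", 50000 + i, f"10.2.1.{i}", 445, {"SYN"}) for i in range(1, 31)],
    # 40 half-open connections to one server from many external sources
    *[(f"203.0.113.{i}", 1000 + i, "10.2.0.20", 80, {"SYN"}) for i in range(1, 41)],
    ("198.51.100.4", 3333, "10.2.0.20", 80, {"SYN", "ACK", "FIN"}),
]


def analyse(flows, max_sessions_per_dst=20, max_fanout_per_host=25,
            halfopen_ratio=0.8, min_flows=10):
    """Return {alert_name: sorted list of offending 'ip:port' or host keys}."""
    sessions = Counter()            # flows per destination ip:port
    syn_only = Counter()            # flows that never got past SYN
    fanout = defaultdict(set)       # distinct destinations per internal source
    for src, _sport, dst, dport, flags in flows:
        key = f"{dst}:{dport}"
        sessions[key] += 1
        if flags == {"SYN"}:
            syn_only[key] += 1
        if src.startswith(INTERNAL_PREFIX):
            fanout[src].add(dst)
    return {
        # too many sessions against one service: candidate for per-destination limits
        "session_limit": sorted(k for k, n in sessions.items()
                                if n > max_sessions_per_dst),
        # one internal host talking to far more peers than its quota allows
        "outbound_fanout": sorted(h for h, d in fanout.items()
                                  if len(d) > max_fanout_per_host),
        # mostly half-open sessions to one service: SYN flood indicator
        "syn_flood": sorted(k for k, n in sessions.items()
                            if n >= min_flows and syn_only[k] / n >= halfopen_ratio),
    }


if __name__ == "__main__":
    for alert, keys in analyse(FLOWS).items():
        print(f"{alert}: {keys}")
```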

At the application layer, Layer 7, firewalls and Intrusion Prevention System (IPS) devices perform protocol anomaly protection. This prevents zero-day attacks, controls the use of common protocols when connecting to application servers, and combines signatures with traffic decoding so that false positives are minimised.

Once an organisation has control and visibility over its traditional network components, provisioning access to resources with a new 'identity layer' can be approached with more assurance that the right level of access and control can be delivered. Contractors and part-time workers can be given access to limited parts of the network, and guest users may simply be given access to the internet so they are able to connect to their own organisation.

Once this level of control is asserted over the infrastructure, the network can be monitored to identify rogue servers and users and to solve performance problems proactively rather than reactively. Further to this, the applications and patch levels throughout the environment can be profiled, and resources mapped to locations and hosts consistently across the data centre. Application Volume Tracking (AVT) can also be used for resource planning and optimisation, and flow collection for analysis.

Finally, once all the controls and services are deployed, an accurate report on network activity and usage can be provided. Reports of overall threat levels, external attacks, trends, compliance status and application usage can all be produced simply and quickly if the foundation of the network is laid out and managed correctly.

Many of the security controls outlined here - which offer enormous benefits to an organisation - are already available within the standard routing, switching and firewall infrastructure, but most of the time a co-ordinated effort is not made to integrate and manage them tightly. With the right planning and process, a fully managed, secured and carefully-monitored network can be achieved.

Richard Savage is Principal Consultant at Netsolutions.
