Securing your IT network, layer by layer

There is a significant shift in the security landscape happening, and many organisations have not identified how to respond to the increasing requirements for security, reliability and compliance within their environment.

Security safeguards are typically unmanaged, under-funded and poorly understood. In many cases, security issues are known by a select few who rarely take up these issues, either because of lack of funding, adequate skills, or time.

The concept of a trusted and un-trusted network has effectively gone, with employees moving in and out of the network at will, working remotely, or moving freely between offices. Laptop sales are outstripping desktops, further indicating that mobility and flexibility is a major requirement for businesses.

Systems, data and applications are also being consolidated in specialised data centres, often co-located with other organisation's systems, all sharing power, air-conditioning and physical security. While many organisations have invested in core systems, applying high availability, strict backup regimes, strict physical security and careful monitoring of availability, the connectivity to the data centre is often held by a thread. At Netsolutions, we often see staff connecting to a poorly designed network in an organisation that offers little or no security.

To address these issues, a good approach is to break down each of the layers of the network, taking one step at time. Through applying security and monitoring at all levels, an organisation can start to build a strong security stance, providing visibility into all parts of the environment.

In addition to the standard 7 layers (physical, data link, network, transport, session, presentation, application) I'd recommend a new layer: ‘Layer 8' - that of ‘identity'. We should no longer think about the location of a user as being relevant. The identity of an individual and the role they play in the organisation is the only relevant factor when determining what resources they should be allowed to access.

At Layer 2, the data link layer, switching infrastructure can be configured to provide a number of safeguards. These include VLAN-based separation of devices in the network, DHCP snooping and dynamic ARP inspection to protect against ARP spoofing and DHCP attacks, mac limiting to protect from mac flooding, and private VLANs to provide intra-VLAN security in high-risk areas.

At Layer 3, the network layer, the routing infrastructure provides separation and control of routed domains to eliminate unwanted traffic paths and provides intelligent, policy-based forwarding. Controls such as Unicast Reverse Path Forwarding (URPF) can be used to mitigate the risk of IP spoofing and DOS attacks, filter IP traffic, and secure routing protocols.

At Layer 4, the transmission layer, control and management of TCP traffic is essential. Monitoring of session volumes for tracking anomalies using flows, managing sessions per destination to avoid service level DOS issues, quotas on outbound communication to avoid outbreaks, and application of TCP syn/ack protection to protect against syn flood attacks are all possible.