Whitepaper
Building a Next-Generation IT Infrastructure
The Need for Secure Networks™
Ben McLeod, Security Solutions Marketing, Enterasys Networks
Page 1 of 12 • Whitepaper
A Smarter Way to Protect Your Network

The business environment is changing. Forces driving change include the competitive global marketplace, the growth in outsourcing, the need for collaborative decision making and the increasingly important role of “non-traditional employees” such as consultants and contractors. Today’s workers are geographically dispersed, yet demand seamless 24x7 access to up-to-date business intelligence. The IT department is tasked to deliver the services and systems required by these users, and to extend decision making to partners, customers and suppliers.

The network infrastructure is the backbone that ties all of this together, connecting users to the required IT resources and enabling instant sharing of information. To a large extent, the infrastructure connectivity and capacity challenges have been addressed: most organizations have now deployed an efficient, high-capacity network that supports seamless, robust communications and collaboration.

However, IT executives are now confronted with a very different set of problems. Security is now the crucial concern, with a growing range of IT security challenges: applications and operating systems are under attack; there is increasing theft of critical information; government regulations are becoming more onerous; and new technologies are blurring the distinction between protected and unprotected perimeters. The stakes have also become much higher, as organizations are now dependent on their high-performance information infrastructure. Disruption to that infrastructure significantly impairs revenue and ongoing operations.

The Cost of Security

So your next infrastructure decision should not be about speeds and feeds. The next infrastructure decision you make must address security policies and requirements. And it must do more than that: it must support the organization’s business model, enhance operations and deliver measurable ROI.
Over the past several years businesses have spent billions of dollars trying to protect their IT resources with firewalls, anti-virus software, security consulting services and so on. Despite this effort, attacks are more pervasive now, the threats are evolving and the cost to combat them has skyrocketed. For example, the economic impact of viruses has increased significantly with estimates as high as $180 billion for 2003 alone, a 300% increase over 2000. This whitepaper examines the breadth and scope of these security challenges and proposes Secure Networks™ solutions from Enterasys as a smarter way to protect your network infrastructure—assuring business continuity while reducing both acquisition and operational costs.
The Spectrum of Security Challenges

IT executives are confronted by a range of security challenges. These can be broadly categorized as:

• Opportunistic predators
• Targeted attacks
• Regulatory mandates
• Risks associated with new mobile technologies

It is essential to understand each of these challenges, and how each impacts the organization, in order to build an effective IT security infrastructure.

Opportunistic Predators

For many people, the most visible and alarming threats are Internet-borne worms. These attacks, while not specifically targeting your organization and systems, cause widespread disruption to business processes. The consequences are lost business opportunity, employee downtime and high reactive counter-measure costs. The worldwide cost of worms and viruses is now estimated at $180 billion per year. MS Blaster, SQL Slammer and SoBig.f were among the most disruptive worms during 2003; in May of this year, the Sasser worm caused significant performance degradation in infected Windows XP and Windows 2000 systems. To compound these problems, the impact of worms is widely reported in the media, making it very visible to senior management. Many senior IT executives worry that they are only one more worm away from a career-threatening crisis.

The most widely deployed defenses against virus and worm attacks are anti-virus software, server and workstation patches, and personal firewalls. Anti-virus products are effective but depend on attack signatures or virus definition files, so they cannot protect against zero-day (“Day Zero”) attacks. Software patch updates have a similar limitation: patches are often not installed in time because the IT department must first certify interoperability with homegrown and customized enterprise applications.
Targeted Attacks

Targeted attacks are designed to compromise a specific organization with the goal of stealing intellectual property or disrupting business operations. Denial of Service attacks effectively disable systems and networks; snooping attacks gather user names and passwords and capture e-mail messages; and spoofing attacks allow an alien device to represent itself as a legitimate network user. According to the CSI/FBI Computer Crime and Security Survey for 2003, the theft of proprietary information caused significant financial loss for respondents, with the average reported loss being approximately $2.7 million. Unlike a worm, a targeted attack may compromise your systems without you even being aware of it.

Common defenses against targeted attacks include strong authentication and traffic payload encryption. User identification based on digital certificates, two-factor authentication (such as SecurID from RSA Security) and biometrics is superior to traditional password-based methods. Payload encryption is rare on wired Local Area Networks (though WPA encryption is becoming popular for wireless LANs). Encrypted IPSec and SSL Virtual Private Networks are commonly used for remote WAN connections. Newer techniques for defending against targeted attacks restrict a user’s access to network and IT resources based on his or her role within the organization, and enforce these roles within the network itself. By deploying need-to-know access, you greatly limit the impact of a snooper or spoofer connected to your network.

Regulatory Mandates

Both government agencies and international regulators are defining acceptable and unacceptable uses for corporate information and imposing penalties when organizations fail to adhere to these rules. For example, in the United States the Sarbanes-Oxley legislation requires CEOs and CFOs to certify corporate earnings results and shortens the time delay before companies must file quarter-end reports to 35 days.
Other regulations add responsibilities for the storage, movement and protection of employee and customer information. Complying with these regulations demands a commitment of IT resources, which can significantly increase operational expenses. The focus has been primarily at the system and application level, with enhanced authentication requirements, audit trails to track modifications to critical systems, and comprehensive reporting tools.

Many organizations now realize the benefits of leveraging the network to enforce compliance with regulatory requirements. The network can segment users based on their roles within the organization and assign access based on rules. The network can also encrypt key information to protect against eavesdropping and man-in-the-middle attacks. And the network can move and prioritize large quantities of data securely between locations.
New Mobile Technologies

Mobile devices are an important part of the security spectrum because they have changed the paradigm that distinguishes between trusted and untrusted devices. Historically, trusted IT workstations were protected behind the physical perimeter of the corporate office and the virtual perimeter of the enterprise firewall. Laptops began to blur this distinction once Internet and VPN access became commonplace. A telecommuter could now unwittingly infect her laptop, and later connect this workstation to the secure corporate LAN where it would in turn infect other users and devices. This problem is growing more serious with the widespread use of wireless LAN hotspots at airports, restaurants and conventions, and the proliferation of wireless handheld devices such as PDAs, smart phones and Blackberries. An additional challenge is the need to provide guest access to corporate networks for partners and customers.

The consequence of all of this is that the perimeter is no longer a perimeter; there are multiple alternate paths that an external threat may exploit to breach the security barrier. Therefore, organizations should no longer distinguish between external and internal threats.

Faced with this broad spectrum of security challenges, most CIOs understand the urgent need to upgrade defenses and counter-measures. The corporate network can act as the integration point for communications security technologies because of its pervasive presence and its ability to control both individual users and devices. However, for the network infrastructure to become a full participant in the security architecture of enterprise IT systems, it must become an intelligent system that delivers additional value to the business.
The 5Cs of Network Security

A true network security architecture offers a number of key attributes: it meets the Continuity, Context, Control, Compliance and Consolidation requirements of an enterprise-class organization. (These traits are often referred to as the 5Cs.) Secure Networks address these challenges by embedding advanced security technologies within the network infrastructure to deliver granular control and automated response. Enterasys’ Secure Networks solutions enable enterprises to ensure corporate compliance and prevent security events without incurring business downtime or increased operating expenses.

Continuity

A Secure Network provides uninterruptible and predictable business communication. It includes the robustness to withstand Denial of Service (DoS) attacks and adds self-protection mechanisms to assure that critical business communications continue even when malicious activity occurs. Continuity is especially crucial for converged networks, where a sustained attack could cause loss of both voice and data traffic.

Context

A Secure Network understands the context of packet flows traversing the infrastructure, and how these flows relate to normal and expected behavior. For example, the typical network traffic patterns generated by a sales executive are quite different from those generated by a systems administrator. With sophisticated contextual awareness, the network can distinguish legitimate from harmful traffic and make decisions to protect the business services it delivers.

Control

Granular control is central to any secure infrastructure. A Secure Network differentiates and controls the many traffic flows that traverse it, distinguishing between relevant business communications and malicious or unauthorized activities. Control is applied to users, services and applications, and the network can be dynamically reconfigured from a central point in response to business and security demands.
Compliance

Governments and regulatory agencies increasingly dictate the acceptable uses for corporate information; examples include the United States HIPAA and Sarbanes-Oxley legislation and European Union data privacy regulations. These rules affect how IT departments handle digital information and transactions, and non-compliance may result in significant financial penalties. A Secure Network touches every element of the IT system and is the key location in which to embed technologies that enforce compliance with privacy and confidentiality mandates.

Consolidation

Networks must be adaptable to accommodate a diverse set of communication types and flows. A Secure Network adapts to support the consolidation of additional applications, users and locations over a common pervasive infrastructure.
Secure Networks Solutions

Secure Networks is Enterasys’ unique approach to enterprise networking that integrates advanced security and management features to centralize and automate granular control of the entire network infrastructure. Secure Networks solutions complement traditional approaches to perimeter security. (Perimeter security alone is insufficient to defend against today’s sophisticated threats.) Secure Networks solutions enable enterprises to buy down risk and focus on business-enhancing activities. The specific Secure Networks solutions outlined below each address particular business and operational challenges that the IT department faces today.

Acceptable Use Policy

An acceptable use policy is a set of business rules that dictate how an organization’s IT infrastructure should be used. This policy is formulated from a number of different inputs; e.g., the company’s business needs dictate which mission-critical applications receive the highest priority, while security policy identifies specific network services that are disallowed at some or all points of use.

An Acceptable Use Policy solution from Enterasys enables an organization to enforce its business rules proactively and effectively. It does this by leveraging intelligent infrastructure products and innovative policy management to enforce security and application usage policies throughout the organization. A central administration and control point allows the IT organization to configure and deploy this solution quickly and effectively. As each user or device connects to the network infrastructure, its traffic patterns are monitored and the appropriate policies are enforced against that traffic. Undesirable behavior can be eliminated right at the source. Specific attacks can be identified and eliminated through filtering policy rules.
With an Acceptable Use Policy solution in place, a company can work more securely and efficiently. As access to undesirable applications and resources is eliminated, the bandwidth previously being consumed can be made available to business-critical applications and resources. At the same time, more secure and intelligent use of network resources extends infrastructure viability and lifecycle.
Secure Application Provisioning

The network infrastructure is no longer just a communications path; it is the underpinning for the applications that enable the organization to operate and prosper. A secure application provisioning model allows security and Quality-of-Service levels to be differentiated for various business-critical applications based on their operational importance. It supports multiple prioritization levels by application and functional group; e.g., the sales department may require high-priority, non-stop access to a CRM database application while manufacturing may require little or no access to this application.

A Secure Application Provisioning solution dynamically applies security and Quality-of-Service policies for applications and services used on the network. Organizations can now provision a security and quality level to each application or service based on the business role of the users who use it. The IT department can use a central administration and control point to configure and enforce secure, prioritized application usage policies quickly and effectively throughout the entire network infrastructure.
Using the Secure Application Provisioning solution from Enterasys, a company can increase the availability and efficiency of its most critical business applications, while also securing the usage of these applications to the users who depend on them.
Secure Guest Access

To accelerate decision making, many organizations need to provide basic network communication services to visitors or “guests”. For example, visiting contractors, vendors and customers often request basic Internet/VPN connectivity, or possibly restricted access to corporate systems. The challenge for the IT department is how to allow guest access to basic communication services while at the same time protecting business-critical network services and applications. An additional consideration is to ensure that guests do not become vulnerable to security breaches originating from other guests.

A Secure Guest Access solution from Enterasys dynamically provisions basic services to corporate guests while protecting the security of business-critical resources and applications. A Secure Guest Access solution differentiates between an employee (trusted user) and a guest (untrusted user) at the point of network connection and assigns resources accordingly. The IT department can quickly and effectively configure and enforce secure service and application usage appropriate for guests, who may connect from any LAN or wireless LAN node in the network infrastructure. This model allows trusted employees and guests to share the same network infrastructure while differentiated security and application usage policies are enforced for each.
With a Secure Guest Access solution, an organization can safely permit guests to access basic network services while maintaining complete security, thereby increasing overall productivity and effectiveness.
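The three solutions above (Acceptable Use Policy, Secure Application Provisioning and Secure Guest Access) all rest on one mechanism: a role is decided at the point of connection, and an ordered rule set for that role decides which flows are allowed, which are denied, and which receive priority. The Python model below is an added example written for this page, not Enterasys code. The user-to-department table, the guest and corporate address ranges, the CRM server address and the port numbers are constructed; first-match evaluation with an implicit deny at the end of each role's rule set is an assumption about how such a policy would be expressed.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple

# Constructed identity store: authenticated employees carry a department,
# which becomes their network role; anyone else is provisioned as a guest.
AUTHENTICATED_USERS = {
    "alice": "sales",
    "bob": "manufacturing",
    "carol": "sysadmin",
}

GUEST_NET = "10.99.0.0/16"    # constructed: guest VLAN
CORP_NET = "10.0.0.0/8"       # constructed: corporate address space
CRM_SERVER = "10.20.0.15/32"  # constructed: CRM database host


@dataclass(frozen=True)
class Flow:
    src: str    # source address
    dst: str    # destination address
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                   # "allow" or "deny"
    priority: str = "normal"      # QoS class applied when the flow is allowed
    dport: Optional[int] = None   # None matches any port
    dst: Optional[str] = None     # CIDR prefix; None matches any destination

    def matches(self, flow: Flow) -> bool:
        if self.dport is not None and flow.dport != self.dport:
            return False
        if self.dst is not None and ip_address(flow.dst) not in ip_network(self.dst):
            return False
        return True


# Ordered, first-match rule sets per role (assumed layout). Anything a role
# is not explicitly granted falls through to an implicit deny at the edge.
POLICY = {
    "sales": [
        Rule("crm", "allow", priority="high", dport=1433, dst=CRM_SERVER),
        Rule("p2p-block", "deny", dport=6881),          # acceptable-use rule
        Rule("corp", "allow", dst=CORP_NET),
        Rule("internet-web", "allow", dport=443),
    ],
    "manufacturing": [
        Rule("crm-block", "deny", dst=CRM_SERVER),      # no CRM for this group
        Rule("p2p-block", "deny", dport=6881),
        Rule("corp", "allow", dst=CORP_NET),
    ],
    "sysadmin": [
        Rule("corp", "allow", priority="high", dst=CORP_NET),
        Rule("internet-web", "allow", dport=443),
    ],
    "guest": [
        Rule("guest-isolation", "deny", dst=GUEST_NET),  # no guest-to-guest traffic
        Rule("corp-block", "deny", dst=CORP_NET),        # no corporate resources
        Rule("internet-web", "allow", dport=443),
        Rule("vpn", "allow", dport=500),                 # IKE, so guests can VPN home
    ],
}


def assign_role(username: Optional[str]) -> str:
    """Role decided at the point of connection: an authenticated user inherits
    the department role; an unknown or unauthenticated device is a guest."""
    return AUTHENTICATED_USERS.get(username, "guest") if username else "guest"


def evaluate(role: str, flow: Flow) -> Tuple[str, Optional[str], str]:
    """Return (action, qos_priority, rule_name) for the first matching rule,
    or an implicit deny when nothing in the role's rule set matches."""
    for rule in POLICY.get(role, []):
        if rule.matches(flow):
            prio = rule.priority if rule.action == "allow" else None
            return rule.action, prio, rule.name
    return "deny", None, "implicit-deny"


if __name__ == "__main__":
    for user, flow in [("alice", Flow("10.10.0.5", "10.20.0.15", 1433)),
                       ("bob", Flow("10.30.0.7", "10.20.0.15", 1433)),
                       (None, Flow("10.99.0.4", "10.99.0.9", 445))]:
        role = assign_role(user)
        print(user, role, evaluate(role, flow))
```

Note that guest isolation and the corporate block sit before the guest allow rules; with first-match semantics, order is the policy, and a rule placed too late silently widens access.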
Dynamic Intrusion Response

Most larger organizations have deployed perimeter firewalls, enterprise anti-virus software and server patch management processes to protect their IT infrastructure. But these defenses have failed to stop the recurring waves of Internet-borne worms in the past few years, resulting in major business disruptions and lost productivity. The security features embedded in Enterasys’ Dynamic Intrusion Response solution address this problem by identifying and isolating malicious activity based not just on identified threats and attack signatures but on the abnormal behavior that accompanies these attacks. As a result, you minimize your exposure to targeted threats and opportunistic predators, assuring business continuity.
Dynamic Intrusion Response protects your IT infrastructure against both known and new vulnerabilities. Using security technologies integrated into the network infrastructure, Dynamic Intrusion Response identifies and categorizes internal and external threats, isolates the source of these attacks, then automatically reconfigures your network to eliminate any intrusion. Dynamic Intrusion Response enforces access control and resource usage policies based on established security profiles. No other solution in the industry offers an automated framework for identifying, locating, and mitigating threats to the enterprise.

Most organizations have already configured stateful packet inspection firewalls, DMZs, NAT servers and router ACLs to protect the perimeters of their corporate network. These protections provide strong defense but fail to protect the enterprise from sophisticated newer attacks, e.g., e-mail has become an important “attack transport,” new workstation and server OS vulnerabilities are identified regularly, and mobile laptops constantly move between trusted and untrusted environments. To protect against these threats you need a Secure Networks infrastructure to identify abnormal behavior rapidly and isolate the source automatically. Dynamic Intrusion Response addresses these sophisticated attacks and is designed to complement and enhance your already deployed perimeter defenses, not to replace them.
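Behaviour-based response of the kind described above can be modelled without any attack signature: a host that opens connections to an unusually large number of distinct destinations on one port within a short window is behaving like a propagating worm, whichever worm it is, while a workstation that talks repeatedly to the same few servers is not. The Python sketch below is an added example for this page and is not Enterasys' implementation. The flow records are constructed, the 20-host/10-second threshold is an assumption chosen for the example, and the "quarantine" action is returned as data rather than pushed to a switch; suppressing further actions for a source that is already isolated is also an assumption.

```python
from collections import defaultdict, deque
from dataclasses import dataclass
from typing import Deque, Dict, List, Set, Tuple


@dataclass(frozen=True)
class FlowRecord:
    ts: float    # seconds since start of capture
    src: str
    dst: str
    dport: int


class FanOutDetector:
    """Flag a source that reaches more than `max_targets` distinct destinations
    on one port within `window` seconds, independent of any signature."""

    def __init__(self, window: float = 10.0, max_targets: int = 20):
        self.window = window
        self.max_targets = max_targets
        # (src, dport) -> recent (ts, dst) events, oldest first
        self.events: Dict[Tuple[str, int], Deque[Tuple[float, str]]] = defaultdict(deque)
        self.quarantined: Set[str] = set()

    def observe(self, rec: FlowRecord) -> List[dict]:
        """Feed one record; return the response actions it triggers (if any)."""
        actions: List[dict] = []
        if rec.src in self.quarantined:
            return actions  # already isolated (assumption: no repeat actions)
        q = self.events[(rec.src, rec.dport)]
        q.append((rec.ts, rec.dst))
        # slide the window: drop events older than `window` seconds
        while q and rec.ts - q[0][0] > self.window:
            q.popleft()
        distinct = {dst for _, dst in q}
        if len(distinct) > self.max_targets:
            self.quarantined.add(rec.src)
            actions.append({
                "action": "quarantine",   # in a deployment: move the port to a quarantine policy
                "src": rec.src,
                "reason": f"{len(distinct)} distinct hosts on port {rec.dport} within {self.window:g}s",
                "ts": rec.ts,
            })
        return actions


def run(records: List[FlowRecord], **kwargs) -> List[dict]:
    """Replay records in time order and collect every action raised."""
    det = FanOutDetector(**kwargs)
    actions: List[dict] = []
    for rec in sorted(records, key=lambda r: r.ts):
        actions.extend(det.observe(rec))
    return actions


def constructed_records() -> List[FlowRecord]:
    """Constructed sample: one normal workstation and one worm-like laptop."""
    recs: List[FlowRecord] = []
    servers = ["10.20.0.15", "10.20.0.16", "10.20.0.17"]
    # normal: 60 connections over 30 s, always to the same three file servers
    for i in range(60):
        recs.append(FlowRecord(ts=i * 0.5, src="10.10.0.5", dst=servers[i % 3], dport=445))
    # worm-like: 40 different hosts on port 445 within 4 s, starting at t=5
    for i in range(40):
        recs.append(FlowRecord(ts=5.0 + i * 0.1, src="10.10.0.77", dst=f"10.10.1.{i + 1}", dport=445))
    return recs


if __name__ == "__main__":
    for act in run(constructed_records()):
        print(act)
```

The detector keys on (source, port) so that a busy but legitimate host is judged by how many different machines it touches, not by how much it talks; the normal workstation never exceeds three distinct destinations and is left alone, while the scanning host is isolated at its 21st distinct target and produces exactly one action.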
Conclusion

IT executives are confronted by a broad range of complex security challenges. Large investments have been made in security point products, but despite this investment, attacks are becoming more pervasive and the cost and resources required to combat them have skyrocketed. The network infrastructure, which historically was just a means to move information from one place to another, touches every user and device, making it the critical integration point for security technologies.

Enterasys Secure Networks solutions integrate advanced security and management features to centralize and automate granular control of the entire network infrastructure. Secure Networks solutions complement and do not replace traditional approaches to perimeter security. These solutions assure business continuity while aligning the infrastructure with the goals of the organization. You can leverage this architecture to achieve a better TCO and investment protection, while accelerating the implementation of new solutions that dramatically improve your security posture. And because Secure Networks are built for open interoperability, you’re assured of an IT infrastructure that will grow with your needs and not require a forklift upgrade.

Enterasys has the experience, expertise and technological innovation to be the leading provider of next-generation Secure Networks to global enterprises. Enterasys has been providing secure, intelligent solutions to customers for more than 10 years. That’s our singular focus. We invite you to learn more at enterasys.com/secure-networks.
All contents are copyright © 2004 Enterasys Networks, Inc. All rights reserved. Lit. #9013663 5/04