Back in May, Lawrence Orans, a senior analyst at Gartner’s research organization, gave a talk titled “Five Network Security Technologies that You Need to Know” to a group of IT security directors. The five technologies are new, and they address security concerns that are quickly becoming impossible to ignore. Mobile Enterprise recently caught up with Orans to explore the topic further, especially as it pertains to mobile professionals.
Additional information about Orans’ talk, relevant papers and recommended vendor solutions may be requested through Gartner’s Web site, www.gartner.com.
In July 2001, the Code Red worm waged a war across the Internet. It was designed to scan the Internet for vulnerable computers for 20 days and then, at midnight on the 20th day, use the infected computers to flood the White House Web site with a crippling amount of garbage data. However, it was detected by a savvy engineer, the White House was alerted and before midnight on July 19, 2001, its IP address was changed, effectively avoiding the barrage. While Code Red didn’t succeed in disabling its target, it did infect some 350,000 servers, and it made a whole lot of people quickly aware of their vulnerability to worms.
“Worm containment is becoming increasingly important, as we have more worms spreading throughout the networks, and they spread all the time from desktop to desktop,” says Orans. Contamination generally occurs in three scenarios: use of a VPN connection; an outside person (such as a contractor) coming into the office and bypassing the perimeter security; and an end user bringing a laptop home at night to finish up work and send a few e-mails.
“Worm containment is critical, especially for mobile workers who often times will use their laptop to plug into a hotel network to access the Internet. That’s the most dangerous thing you can do just about anywhere, because there’s no security on those hotel networks—they’re just hotbeds for virus and worm activity.” It’s not that you want to discourage people from using a high-speed hotel connection, Orans clarifies, but that you want to make sure they have the proper protection before they get on that network. “Or for that matter, any network. If you have a laptop and you’re mobile, you want to make sure that you have the proper anti-virus protection on that PC, and that the Windows OS patches are up to date. A lot of folks these days like to deploy a personal firewall on a PC as well. But the real responsibility lies with the company [to make sure] that when the employee gets back to the office and plugs into the network they don’t infect other people if they’ve picked up a worm while they were on the hotel network. One of the best ways to protect against that is to only allow properly protected PCs on the network.”
The good news: There are solutions to worm containment, and even a choice of approaches. Preventative software scans the PC to make sure it meets certain criteria—that it has patches, a personal firewall, etc.—before it is allowed on the network. Reactive software, in the event that a virus is detected, confines it to one spot so it doesn’t spread throughout the network. Prevention is very important, says Orans, though it’s just beginning to emerge as a solution, as many IT directors are loath to implement a system that blocks unprotected computers for fear of blocking out the CEO or some other high-level officer. Nonetheless, there are early adopters of preventative worm containment, “And of the five technologies,” says Orans, “I’d say this is one of the newest.”
802.1x is an authentication protocol—it facilitates network-based authentication and also prevents information from being intercepted while traveling between a Wi-Fi network and a client device. T-Mobile recently made news when it announced it was testing 802.1x security specifications at selected hot spots—the fear being that hackers could set up rogue access points in paid hot spots, transmit a faux version of the hot spot log-in page and, when a subscriber logs on, collect his or her login, password and possibly credit card number (in the case of first-time users).
“It’s actually an element of worm containment,” says Orans. “Where 802.1x becomes important is for what we call ‘scan and block.’ It enables the ability to scan a PC and make sure that it has the proper protection. Things like, does it have anti-virus signatures, does it have the proper OS, are there Windows patches? And does it have other criteria that you might establish, like a personal firewall on the desktop.”
The main obstacle to 802.1x adoption is that you can’t just go to a vendor and buy an all-in-one solution; instead, you need to have three individual components in place: a PC with an 802.1x client (supplicant is the term), an authentication server and an authenticator/relay point (an Ethernet switch or 802.11 access point). You also need PCs running Windows XP, which can lead to a lot of upgrading. “It’s work, and it hasn’t really caught up until now because most people just don’t have XP yet,” says Orans.
To really take advantage of 802.1x and build a valuable solution, it’s helpful to have policies that define what makes a PC secure, which the PC then enforces on itself. “Until recently,” says Orans, “there haven’t been solutions [packages]. … Now we have these vendors that essentially ride on top of 802.1x. Companies like Info Express and Sygate offer what we call policy engines. They have a little piece of software that resides on the desktop, or it can be downloaded onto the desktop. That little piece is called a software agent, and it checks for criteria [you determine] ... So if the agent decides that the PC meets all of those criteria, it uses 802.1x to communicate that information back to this policy server.”
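As an added illustration (not from the article, and not any vendor’s product code), here is the shape of the “scan and block” check Orans describes: the IT department writes down its criteria, the desktop agent compares what it sees on the PC against them, and the verdict passed back over 802.1x is either allow or quarantine with the failed checks listed. The policy values, patch identifiers, dates and PC names are constructed for the example.

```python
from dataclasses import dataclass
from datetime import date

@dataclass
class Policy:
    """Criteria the IT department sets; values used below are constructed."""
    allowed_os: set
    required_patches: set
    max_sig_age_days: int
    require_firewall: bool

@dataclass
class Posture:
    """What the desktop agent observes on the PC it is running on."""
    os_name: str
    patches: set
    av_sig_date: date
    firewall_enabled: bool

def evaluate(posture, policy, today):
    """Return ('allow', []) or ('quarantine', [reasons]). The agent would
    report this verdict to the policy server over 802.1x, which then opens
    the switch port or confines the PC to a remediation segment."""
    failures = []
    if posture.os_name not in policy.allowed_os:
        failures.append(f"unsupported OS: {posture.os_name}")
    missing = sorted(policy.required_patches - posture.patches)
    if missing:
        failures.append("missing patches: " + ", ".join(missing))
    age = (today - posture.av_sig_date).days
    if age > policy.max_sig_age_days:
        failures.append(f"anti-virus signatures {age} days old")
    if policy.require_firewall and not posture.firewall_enabled:
        failures.append("personal firewall disabled")
    return ("allow" if not failures else "quarantine"), failures

# Constructed sample data: one policy and three PCs plugging into the office LAN.
POLICY = Policy({"Windows XP"}, {"patch-A", "patch-B"}, 7, True)
TODAY = date(2004, 9, 1)
ENDPOINTS = {
    "office-pc": Posture("Windows XP", {"patch-A", "patch-B"}, date(2004, 8, 30), True),
    "hotel-laptop": Posture("Windows XP", {"patch-A"}, date(2004, 8, 10), False),
    "legacy-pc": Posture("Windows 2000", {"patch-A", "patch-B"}, date(2004, 8, 31), True),
}

def check_all(endpoints=ENDPOINTS, policy=POLICY, today=TODAY):
    """Map each PC name to its (decision, reasons) pair."""
    return {name: evaluate(p, policy, today) for name, p in endpoints.items()}
```

The laptop that spent its nights on a hotel network fails three checks and lands in quarantine; the in-date office PC is allowed straight on.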
Port 80 Security
Of the five technologies, Port 80 security is the least linked to mobility, though it’s relevant if your employees spend any time in the office. The White House–targeted Code Red was a worm, but it infected servers through Port 80, the Web (HTTP) port that firewalls leave open and that therefore leaves networks vulnerable. “Viruses can come in through different paths,” says Orans, “including Web traffic. [They] can come in via e-mail attachments, but there are also viruses that can come in through Port 80. You want to be able to scan Port 80 traffic for anti-virus protection.”
Essentially, says Orans, there are two risks associated with Port 80: “Bad stuff can come in, and you can get to bad stuff.” The “bad stuff” workers can get to includes pornography and Internet gambling sites, or even using the corporate network to download copyrighted material such as music, opening the company to the wrath of the RIAA or other policing organizations. One way to keep employees away from such sites is to install Internet filtering and reporting (IFR).
As for keeping the bad stuff from employees, one common approach, says Orans, is a “reverse proxy in the DMZ—the de-militarized zone. That’s the zone between your trusted (in other words, the corporate) network and the untrusted network (or in other words, the public Internet). Reverse proxy allows you to move your Web server out of the DMZ and behind the firewall.” The proxies either perform virus checking themselves or hand off the job to another appliance or piece of software.
“The point is, you want to keep viruses out of your corporate network,” Orans says, then emphasizes, “There are many solutions, though. This is just one of many different approaches.” Another is to add Web-based, anti-virus capabilities, which are also growing in popularity.
Enterprises can take one of three approaches to instant messaging (IM): call it evil and ban it altogether; pretend it isn’t happening; or address it and give it the corporate seal of approval. Obviously, the last is the only option that’ll ensure your IM security.
“There’s so much momentum around instant messaging that it will be unacceptable to block it completely,” says Orans. “And it’s very risky to ignore it altogether. So you need to apply some security around it and establish a corporate policy to allow it, but to allow it in a secure fashion.”
There are four major threats posed by IM on an insecure network. The first is identity impersonation: because screen names are not controlled, a user can adopt any name, which opens up any number of scenarios in which confidential information is shared or released (for example, someone using the CEO’s name could request sensitive data from a high-level officer, or even fire someone; there’s no lack of options). Second, without a security function in place, viruses and worms can be spread via file attachments. Third, insecure messaging could lead to a loss of intellectual property—if someone e-mails information to a competitor, there’s a paper trail; if they IM the information, there’s not. And fourth, SPIM—which is to say, spam for IM. It’s increasing, it’s annoying and it’s the last thing anyone wants.
One way of securing IM is to place a policy engine behind the firewall. It can interface with virus-scanning directories and allow an enterprise to set certain standards; for example, decide who’s allowed to IM people outside the network, who can send or receive files, etc. Policy engines are available through “certified partners”—companies such as Akonix, FaceTime Communications and IMlogic, which have relationships with the three major public providers (AOL, Yahoo! and MSN) and so are alerted to changes before they happen and can tweak their offerings. Another option is to use a vendor (such as Blue Coat Systems, IM-Age Software or Omnipod) that already offers secure document transfer and simply folds IM into its offering.
Increasingly, enterprises are choosing Secure Sockets Layer (SSL) VPNs over IP Security (IPsec) VPNs to provide mobile workers with secure access to the corporate network. IPsec is secure, and it’s easy to use, says Orans, but it’s not so easy to support. “When I travel and use a VPN, I have to click on the icon, use a password and then I get connected.” But if he wanted to use another laptop, say to check e-mail, and that laptop didn’t also have the IPsec client installed, he would have to install it first.
Conversely, “To take advantage of SSL VPN, all you need is a machine with a browser on it, because browsers have SSL capability built in,” says Orans. “And this is important because people are carrying more and more mobile devices. So if you have to put a different client on your PDA, and you have one for your laptop and one for your cell phone, it just gets to be too much stuff for the corporate IT department to manage. That’s why the SSL is becoming real, real popular—it’s just much more flexible [than IPsec].”
Ready, Set, Protect
The popularity and adoption of these five new technologies are increasing at fairly similar rates. “SSL VPN is a big one,” says Orans. “It’s getting a lot of attention, a lot of focus. People are doing a reasonably good job at things like applying Internet content filtering.”
IM is also getting a lot of new interest. Back in May, Microsoft announced the opening of the beta program for its Office Live Communications Server 2005, which will offer encrypted instant messaging in an authenticated environment. The LCS, which will be released in Q4 of this year “will be able to communicate to the three big public IM players,” says Orans. “The very fact that IM is catching on more broadly, and people are using it to connect with increasing frequency outside the organization, [means] the risks of IM go up. So we’re getting a lot of interest about that.”
The worm problem also continues to be high profile, though Orans wagers, “SSL VPN is the one I’d say most enterprises are a little farther ahead with. The second one I would say is the IFR—those two are the most mature.”
When asked if the challenge to stay current was that the precautions keep changing, Orans paused thoughtfully before answering, “The risks are greater, is what it is.”