Security is changing: smart clients and remote working mean that the security perimeter is getting closer to the server. How will you protect your clients’ networks tomorrow?
Building and managing a secure network for your customers used to be easy. When they only had one connection to the Internet – usually one that you’d set up for them - all you needed was a firewall and an up-to-date set of security rules. Security architectures looked like a mediaeval castle, and devices took their names from a castle’s defensive features. But the Internet has evolved, and the idea that all a site’s servers and PCs huddle together behind a fortress wall has become as obsolete as the castles it emulated.
Today’s security landscape is much, much more complex – and businesses won’t accept the loss of productivity that simplistic security can mean. Laptop PCs regularly leave the protection of the big business firewall; employees working from home make them part of loosely protected home networks, or connect through untrusted public networks in hotels and coffee shops. With VPN access these unknown, untrusted (and often untrustworthy) networks become part of your clients’ networks, opening them up to malware arriving over what appear to be trusted connections. Businesses also outsource services to third parties, either through traditional outsourcing contracts or through cloud-based software-as-a-service providers. An increasing reliance on e-business tools also means that companies now connect applications directly, blending their security perimeters.
It’s hard to tell exactly what should be trusted and when. But the truth is actually quite simple; there are no trustworthy connections and no trustworthy networks. All networks need to be considered insecure, and protection needs to be pulled back to the server and applied directly to user devices.
Set up a perimeter
It’s a trend Steve Riley – one-time Microsoft security evangelist – described as “de-perimeterisation”: he suggested that new security technologies and networking standards made the whole concept of a network perimeter obsolete. While the idea of hardening every server and PC so that it can look after itself makes sense, the hardware power (and the virtualisation technology needed to isolate workloads) isn’t quite there yet. What we’re really looking at is re-perimeterisation: a rethinking of how we trust hardware and software, and of how we manage security in a world of flexible connections. It’s not only a response to the changing role of the public network; it’s also a response to an explosion in the number of possible threat channels.
Every port on a PC or laptop needs to be considered part of a network’s perimeter. Data can leave your clients’ businesses on a USB stick or an SD card as easily as through a network connection, and with a new generation of high-capacity cards there’s even more potential for a malicious employee or a compromised application to move large amounts of data outside the security perimeter. Or the USB stick could simply fall out of a pocket on the train. Re-perimeterisation moves much of the responsibility for security onto the device itself, keeping data protected and harder to tamper with whatever network connection is in use. Data on removable devices needs to be encrypted, or you need to apply policies that make removable devices read-only (or block specific classes of device for specific users).
It’s not only about securing PCs, either. Smartphones and other mobile devices have increased the possible attack surface, with key business data ending up on everything from iPhones to BlackBerrys. Security tools need to be able to handle smartphones, ensuring appropriate security policies are followed – and making sure devices can be wiped remotely if they’re lost. Smartphones are as much part of your clients’ network as a laptop, and need to be treated appropriately.
Securing the data centre (or the server cupboard) is another story, and one that’s much more like the traditional security model, with firewalls and network security appliances. Even so, there needs to be much more of a focus on server- and storage-level security, as new technologies like Microsoft’s DirectAccess bring remote devices right into the data centre, using IPsec-protected IPv6 connections to servers and server applications. Remote desktops and laptops can use DirectAccess to connect directly to data centre resources over tunnelled connections that terminate on the DirectAccess server inside the network; they appear to be part of the local network no matter where they are actually operating, and because their traffic crosses the edge encrypted, the traditional perimeter appliances can’t inspect it unless you put inspection behind the DirectAccess server.
So how do you secure a network if there’s no such thing as a traditional perimeter, and can you do it without locking security down so tightly that you stop people doing their job? You don’t have to go far to find the basic features you need: there are several useful tools in Windows Server 2008 R2, including Network Access Protection (NAP) and group policies (which work best with Windows 7 clients).
Who are you and what do you want?
There are two components in any modern security architecture. The first is a secured connection, using technologies like IPsec. The second is certificate-based identity, ensuring that both the user and the machine that is connecting are trusted, often using the 802.1X protocol for network access control. As both are based on open standards, you’re not limited to any one operating system (though there are benefits to using some Windows-specific features). DirectAccess requires IPsec-secured connections, as do many modern VPNs; it also needs IPv6 end to end, which on an IPv4-only network means one of the IPv6 transition technologies (6to4, Teredo or IP-HTTPS) to carry the IPv6 traffic. Certificate-based controls gate access to the IPsec connection, so you can quickly block untrusted hardware by withholding or revoking its certificate rather than managing trusted connections individually or keeping them open all the time.
Wi-Fi and 3G mean your customers can connect to their network anywhere, anytime, so Network Access Protection is a key piece of any re-perimeterisation strategy. You can use health policies to set minimum standards for any device that connects: everything from minimum patch levels to the current state of the on-device firewall and anti-malware software. When a device connects (either directly or over a VPN), it is initially placed on a restricted network, such as a quarantine VLAN. Its health status is checked, and only compliant computers are given access to the production network. The same process can push updates and policies to non-compliant devices. Beware, though, of how much this slows down employees on a slow connection who need quick access to information on the network: if you repeatedly make them wait for what they need, you’ll drive them to keeping copies in unsecured cloud services and on USB sticks, and all you’ve done is move the problem.
You can use tools like System Center to handle the update process, using familiar update and software distribution techniques. There’s a lot to be said for this approach, as it makes it possible to manage systems that aren’t actually part of a domain, so home systems connecting via VPNs can be checked and trusted, as can visitors from suppliers and partners. Network access protection can also be used to reduce the risk associated with machine-to-machine connections and outsourced business systems.
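What a health policy actually grades a client on can be made concrete. The script below is an added example (not from the article, and not NAP’s own code): it mirrors the checks the built-in Windows Security Health Validator makes on a Windows 7 client, namely firewall on, anti-virus registered and current, Automatic Updates configured, and no missing security updates, so an administrator can see why a machine would land in the restricted network before NAP puts it there. Get-ClientHealth, its thresholds and the productState decoding are this example’s own assumptions; the update search contacts WSUS or Windows Update and can take a minute.

```powershell
# Added example: a local client "health check" modelled on the checks the NAP Windows
# Security Health Validator grades a Windows 7 client on. It is not NAP itself and is not
# from the article; the function name and thresholds are this example's own.
# Run on Windows 7 from an elevated PowerShell 2.0 prompt; the update search needs the
# Windows Update service running and a reachable WSUS server or Windows Update.

function Get-ClientHealth {
    param(
        [int]$MaxMissingSecurityUpdates = 0,   # policy threshold (assumed)
        [int]$MinAutoUpdateLevel = 3           # 3 = download and notify, 4 = scheduled install
    )
    $reasons = @()

    # 1. Windows Firewall: service running and enabled on every profile (1=domain, 2=private, 4=public)
    $fwPolicy = New-Object -ComObject HNetCfg.FwPolicy2
    $fwOn = (Get-Service MpsSvc).Status -eq 'Running'
    foreach ($fwProfile in 1, 2, 4) {
        if (-not $fwPolicy.FirewallEnabled($fwProfile)) { $fwOn = $false }
    }
    if (-not $fwOn) { $reasons += 'Windows Firewall is off on at least one profile' }

    # 2. Anti-virus registered with Security Center, enabled and up to date.
    #    productState is not documented by Microsoft; the decoding below (six hex digits
    #    "xxEEUU", EE=10 means enabled, UU=00 means signatures up to date) is the widely
    #    used interpretation and is treated here as an assumption.
    $avOk = $false
    foreach ($av in @(Get-WmiObject -Namespace root\SecurityCenter2 -Class AntiVirusProduct)) {
        $state = [Convert]::ToString([int]$av.productState, 16).PadLeft(6, '0')
        if ($state.Substring(2, 2) -eq '10' -and $state.Substring(4, 2) -eq '00') { $avOk = $true }
    }
    if (-not $avOk) { $reasons += 'No enabled, up-to-date anti-virus product registered' }

    # 3. Automatic Updates configured at or above the required notification level
    $auLevel = (New-Object -ComObject Microsoft.Update.AutoUpdate).Settings.NotificationLevel
    if ($auLevel -lt $MinAutoUpdateLevel) {
        $reasons += "Automatic Updates level $auLevel is below required level $MinAutoUpdateLevel"
    }

    # 4. Missing security updates: applicable, not installed, not hidden, carrying an MSRC severity
    $searcher = (New-Object -ComObject Microsoft.Update.Session).CreateUpdateSearcher()
    $missing = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates
    $missingSecurity = @($missing | Where-Object { $_.MsrcSeverity })
    if ($missingSecurity.Count -gt $MaxMissingSecurityUpdates) {
        $titles = ($missingSecurity | ForEach-Object { $_.Title }) -join '; '
        $reasons += "$($missingSecurity.Count) security update(s) missing: $titles"
    }

    New-Object PSObject -Property @{
        Computer  = $env:COMPUTERNAME
        Compliant = ($reasons.Count -eq 0)
        Reasons   = $reasons
    }
}

Get-ClientHealth | Format-List Computer, Compliant, Reasons
```

A non-compliant machine comes back with Compliant set to False and the Reasons list spelling out each failed check, which is exactly the information a help desk needs when a user asks why they are stuck on the quarantine network. Tune the two thresholds to the customer’s health policy rather than leaving the defaults.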
You’re also going to need to significantly boost device security. Microsoft’s BitLocker encrypts whole volumes, so it protects all of a user’s data but it is an all-or-nothing approach. More granular, policy-driven tools from companies like PGP give you more control (and let system administrators use familiar management tools with encrypted files). Windows 7 lets administrators block specific USB devices through Group Policy, and BitLocker To Go can be used to enforce encryption on removable drives, with a policy that denies writes to any removable drive that isn’t protected (FAT-formatted encrypted drives can still be read, but not written, on Windows XP and Vista using the BitLocker To Go Reader). With mislaid USB devices causing so many data losses and breaches, controlling how users can use USB storage will help reduce risk. There are some options in Group Policy, but it’s worth considering endpoint security tools like DeviceLock, which can log device use as well as encrypting content.
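As an added example (not the article’s own, and not Microsoft’s documentation), here is what those Group Policy controls look like when set with the GroupPolicy PowerShell module that ships with Windows Server 2008 R2. It gates writes on BitLocker To Go, denies installation of specific USB storage devices by hardware ID, and can optionally make the whole removable-disk class read-only; the GPO name, the target OU and the device ID are illustrative assumptions. Run it on a domain controller or a workstation with RSAT, as a user who can create and link GPOs.

```powershell
# Added example: Group Policy for removable storage, written with the Windows Server 2008 R2
# GroupPolicy module. GPO name, target OU and device IDs below are illustrative assumptions.
Import-Module GroupPolicy

function Set-RemovableStoragePolicy {
    param(
        [string]$GpoName = 'Removable Storage Control',          # assumed GPO name
        [string]$TargetOu = 'OU=Laptops,DC=example,DC=com',      # assumed OU to link the GPO to
        [string[]]$DenyDeviceIds = @(),                          # hardware IDs to block outright
        [switch]$BlockAllWrites                                  # read-only for every removable disk
    )
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName | Out-Null
        New-GPLink -Name $GpoName -Target $TargetOu | Out-Null
    }

    # Computer Configuration > Administrative Templates > Windows Components > BitLocker Drive
    # Encryption > Removable Data Drives > "Deny write access to removable drives not protected
    # by BitLocker". Unencrypted sticks become read-only; a BitLocker To Go drive stays writable.
    $fve = 'HKLM\SOFTWARE\Policies\Microsoft\FVE'
    Set-GPRegistryValue -Name $GpoName -Key $fve -ValueName 'RDVDenyWriteAccess' -Type DWord -Value 1 | Out-Null
    # "Do not allow write access to devices configured in another organization". This only
    # bites once the organisation identifier policy is also set, which is assumed to be done separately.
    Set-GPRegistryValue -Name $GpoName -Key $fve -ValueName 'RDVDenyCrossOrg' -Type DWord -Value 1 | Out-Null

    # System > Device Installation > Device Installation Restrictions >
    # "Prevent installation of devices that match any of these device IDs".
    if ($DenyDeviceIds.Count -gt 0) {
        $restrict = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\DeviceInstall\Restrictions'
        Set-GPRegistryValue -Name $GpoName -Key $restrict -ValueName 'DenyDeviceIDs' -Type DWord -Value 1 | Out-Null
        # Retroactive: also disable matching devices that are already installed
        Set-GPRegistryValue -Name $GpoName -Key $restrict -ValueName 'DenyDeviceIDsRetroactive' -Type DWord -Value 1 | Out-Null
        $i = 1
        foreach ($id in $DenyDeviceIds) {
            Set-GPRegistryValue -Name $GpoName -Key "$restrict\DenyDeviceIDs" -ValueName "$i" -Type String -Value $id | Out-Null
            $i++
        }
    }

    # System > Removable Storage Access > "Removable Disks: Deny write access". This is the
    # blunt option: it also stops writes to BitLocker To Go drives, so reserve it for users
    # who should never export data at all. The GUID is the Removable Disks device setup class.
    if ($BlockAllWrites) {
        $class = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}'
        Set-GPRegistryValue -Name $GpoName -Key $class -ValueName 'Deny_Write' -Type DWord -Value 1 | Out-Null
    }

    # Read back the BitLocker settings the GPO now carries, for the change record
    Get-GPRegistryValue -Name $GpoName -Key $fve
}

# Usage: require BitLocker To Go for writes and block one stick model by hardware ID
# (the ID string is a constructed example; take real ones from Device Manager > Details > Hardware Ids)
Set-RemovableStoragePolicy -DenyDeviceIds 'USBSTOR\Disk&Ven_Generic&Prod_Flash_Disk'
```

Clients pick the settings up at the next policy refresh (or after gpupdate /force); the device installation restriction applies when a matching device is plugged in, and the retroactive flag disables ones that were already installed. Decide per role which of the two write controls you want: the BitLocker gate keeps approved encrypted sticks usable, the class-wide deny does not.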
Managing applications is also important, and tools like Microsoft’s AppLocker (built into Windows 7) let you use group policies to control the desktop applications that run on managed PCs. With AppLocker you can control applications right down to a specific version, making sure that only tested and approved software runs on managed devices, and that users can’t install random applications from the Internet that haven’t been fully tested. Publisher rules that specify a minimum version “and above” mean this doesn’t need updating every time there’s a new release of a common tool.
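The version-range behaviour is easiest to see in an actual rule. The script below is an added example (not from the article and not Microsoft’s own sample): it uses the AppLocker PowerShell module on Windows 7 or Windows Server 2008 R2 to read the signature details of an approved application, writes a policy whose publisher rule allows that product from a minimum version upwards, dry-runs the policy against real files, and then applies it in audit mode. The application directory, publisher subject, product name, version floor, file paths and GPO LDAP path are all assumptions; copy the publisher strings from the discovery step rather than from this text. AppLocker enforcement needs Windows 7 Enterprise or Ultimate (or Server 2008 R2) and the Application Identity service running.

```powershell
# Added example: build, test and deploy an AppLocker policy from PowerShell on Windows 7 /
# Server 2008 R2. Publisher name, product, version floor, paths and GPO path are assumptions.
Import-Module AppLocker

$approvedDir = 'C:\Program Files\Mozilla Firefox'   # assumed approved application
$policyFile  = 'C:\Policies\approved-apps.xml'

# 1. Discover the signature details AppLocker matches on. Copy PublisherName, ProductName
#    and BinaryName from this output into the rule below rather than typing them by hand.
Get-AppLockerFileInformation -Directory $approvedDir -Recurse -FileType Exe |
    Select-Object -ExpandProperty Publisher | Format-Table -AutoSize

# 2. Hand-written policy: a publisher rule with an open-ended version range (LowSection is the
#    minimum version, HighSection="*" means "and later"), plus the two default path rules.
#    Without default rules, creating any Exe rule blocks everything else in that collection,
#    including Windows itself. AuditOnly logs what would be blocked without blocking it.
$publisher = 'O=MOZILLA CORPORATION, L=MOUNTAIN VIEW, S=CALIFORNIA, C=US'   # assumed subject
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="AuditOnly">
    <FilePublisherRule Id="$([guid]::NewGuid())" Name="Firefox 3.6 and later" Description=""
                       UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions>
        <FilePublisherCondition PublisherName="$publisher" ProductName="FIREFOX" BinaryName="*">
          <BinaryVersionRange LowSection="3.6.0.0" HighSection="*" />
        </FilePublisherCondition>
      </Conditions>
    </FilePublisherRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Windows folder" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%WINDIR%\*" /></Conditions>
    </FilePathRule>
    <FilePathRule Id="$([guid]::NewGuid())" Name="Program Files" Description=""
                  UserOrGroupSid="S-1-1-0" Action="Allow">
      <Conditions><FilePathCondition Path="%PROGRAMFILES%\*" /></Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
New-Item -ItemType Directory -Force -Path (Split-Path $policyFile) | Out-Null
$policyXml | Out-File $policyFile -Encoding UTF8

# 3. Dry run: what would the policy decide for real files, before anything is enforced?
#    Both files exist on a normal install; the second is covered by the Windows default rule.
Test-AppLockerPolicy -XmlPolicy $policyFile -User Everyone `
    -Path "$approvedDir\firefox.exe", "$env:WINDIR\notepad.exe" |
    Format-Table FilePath, PolicyDecision, MatchingRule -AutoSize

# 4. Apply locally in audit mode. AppLocker does nothing unless AppIDSvc is running.
Set-Service AppIDSvc -StartupType Automatic
Start-Service AppIDSvc
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# Watch "Applications and Services Logs > Microsoft > Windows > AppLocker > EXE and DLL" for
# what would have been blocked; change EnforcementMode to "Enabled" only once that log is clean.
# To push the same policy through a GPO instead of locally (LDAP path is an assumption):
# Set-AppLockerPolicy -XmlPolicy $policyFile -Ldap 'LDAP://dc1.example.com/CN={GUID},CN=Policies,CN=System,DC=example,DC=com'
```

The point of the BinaryVersionRange with HighSection set to “*” is that a routine Firefox update signed by the same publisher keeps running without a policy change, while a copy of an older, unpatched build below the floor does not. Because the rule is a publisher rule, a file a user downloads into their profile that is not signed by an allowed publisher, and is not under the two default paths, gets a Denied decision in the dry run and would be blocked once enforcement is switched on.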
Web applications like SharePoint need a different level of control and management, and that’s where offerings like Blue Coat’s Application Delivery Network come in. That gives your customers faster access to internal and external Web applications and makes them more secure; Blue Coat’s on-premise appliances (like the ProxySG) and Secure Web Gateway cloud service both include data loss prevention tools to stop malware from sending data outside the network, whether over the Web or through IM and VOIP services.
Productivity plus security
Connections aren’t always direct; email and IM are common tools for remote workers, and they add additional risks to any network. Content inspection tools are part of any effective security architecture, offering more than malware protection. They can also be used to reduce the risk of data loss, as well as helping your clients ensure compliance with regulatory requirements (something that’s becoming increasingly important). Tools like Clearswift’s CONTENTsafe add content inspection to a network, though they don’t stop remote users from using Web mail to get around your security policies.
Managing a re-perimeterised network needn’t be complex. Microsoft’s tools use familiar group policies (along with System Center). Policy-based management makes a lot of sense, as it allows security to be role-based, giving those who need remote access the tools they need while ensuring their devices have been secured. Clearswift’s network security appliances add a further layer of control, warning users when they’re about to break a policy (perhaps surfing Facebook in working hours, or spending too long on the Web rather than getting on with their work) and giving them the chance to stop before they go too far. That lets you offer customers security that strikes a balance: employees know when they’re reaching a limit, but can still use their judgement when they have a legitimate business reason for doing something that a simplistic security policy would block outright.
More complex networks mean more complex ways of delivering security. However policy-based approaches can reduce the costs of security management, and the current generation of access technologies can simplify life for remote workers – because a completely secure system that stops people getting their job done isn’t actually that useful. With increased demand for flexible working and a highly mobile workforce, tightening the perimeter around servers makes a lot of sense, as does offloading security to laptops and desktops; it’s a matter of making sure that you know who and what to trust, and when to trust them.
AppLocker at work
Using AppLocker in Windows 7 (video):
Understanding the perimeter
Steve Riley on using IPsec and IPv6 for secure network connections:
BitLocker To Go
A BitLocker To Go video from TechNet:
A TechNet screencast on configuring DirectAccess: