Networks Risk Grounding Without Airport-Level Security

It is one of the old security adages that the nature of the threats to networks is ever-changing. Today they encompass physical threats (theft of computers), technical (viruses), resource (loss of computing power, bandwidth overload), legal (illegal data on corporate networks), human resources, information loss and employee time-wasting.

Each is a threat that needs to be considered separately. But the most significant change to network security for years has just materialised, and it means that firewalls need a complementary gateway barrier if defence against invasions via Web traffic is to be effective.

Ten years ago, when corporate networks largely consisted of internal data traffic handled by bridges, hubs, and LAN switches, with routers managing what limited Internet access there was, the firewall symbolised a gleaming piece of state-of-the-art ‘machinery’, capable of identifying and tackling any external threat.

Things have changed. The ubiquity of Internet access within the modern enterprise is such that Web traffic levels are increasing daily, and so are the security threats that this brings with it.

This does not mean, though, that the firewall has been made redundant – far from it. In fact the very real security concerns facing businesses today are such that the firewall is more vital than ever. But separate appliances, allied with firewalls in a co-ordinated defence system, are required to tackle the emergence of a new loophole – port 80, over which the vast majority of Web traffic flows and where it is subjected to only very basic checks.

Airport Sophistication Needed
The situation facing IT departments is uncannily similar to that facing the fledgling airlines and airports – and indeed the passengers using them – when air travel first emerged as a popular phenomenon. Then, arrive at the airport with a passport and the right ticket and you were directed to the right aircraft. While the same is true today, the overall system has been tightened somewhat.

Even the least comprehensive of airport security systems for departing passengers will perform basic questioning at check-in. But it will also have security staff patrolling the check-in areas looking for suspicious behaviour, weighing and x-raying of hold baggage, x-raying of cabin baggage and possible body searching, metal detector checks for passengers, plus further questions and scrutiny at the gate and all areas of the airport constantly monitored by closed-circuit television for anything untoward. At the destination, sniffer dogs check baggage once more, and immigration checks and further x-raying of baggage are undertaken. Depending on the route and the customer, different numbers and types of checks are undertaken.

While superficially it seems that the level of security is governed by the number of checks carried out, in fact it is a combination of the checks and the types of security threat being checked for: while a terrorist with a concealed weapon may be able to bluff his way through verbal checks, he may not beat a metal detector, and a keen-eyed security guard should have cause for concern and frisk him if needed. Granted, no defence system is ever totally impenetrable, but airports have realised – largely for common sense reasons – that threats come from all sides and in varying shapes and sizes, hence multi-faceted protection is critical.

Separate Scrutiny
Firewalls are the equivalent of check-in. The passenger name and destination ticket are checked; if they match, the passenger is allowed to continue. Port 80 security devices give enterprise networks the equivalent of the rest of an airport’s security arsenal; see the table below.

| Air Travel Security | Network Security |
|---|---|
| Check user and destination | Firewall source/destination check |
| Check passport/ID | Security Gateway validate user with authentication system |
| Check time and date | Security Gateway time/day rules |
| Count baggage | Security Gateway bandwidth limits |
| Weigh baggage | Security Gateway content filtering |
| X-ray baggage | Security Gateway virus-scanning |
| Individual metal detector | Security Gateway scan/block mobile code or specific file/MIME-types |
| Check visa validity | Security Gateway browser, media-player, messenger application |
| Sniffer dogs (food, drugs etc.) | Security Gateway: ensure data not POSTed to the web |
| Frequent flyer awards | Logging by individual user |
| Specific policies depending on destination | Security Gateway granular policies |

Once hold baggage is checked, a machine at the airport reads the barcode on the luggage label and directs the luggage to the correct airplane. One customer may have multiple pieces of luggage, but the machine looks at each one individually and does not know that there may be multiple pieces of luggage that are related. This is similar to a firewall inspecting each packet of data and making forwarding decisions one packet at a time. Whereas firewalls understand packets, or individual chunks of data, and look at the source and destination to see whether they match defined rules, security gateways that address port 80 traffic understand data. They rebuild complete Web content and make decisions based on this content and its parameters. The x-ray analogy is a clear one; port 80 security devices are able to ‘look inside’ Web traffic and assess whether it is genuine and perfectly innocent, or an attempt by a hacker to test the network’s defences.
A web page is made up of many individual pieces of data and may come to the user as hundreds of individual packets, so this ability to ‘look inside’ them is crucial.
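The difference between deciding packet by packet and deciding on rebuilt content can be shown in a few lines. The following is an added illustration, not code from the article or from any gateway product: the HTTP response, the 36-byte segment size and the `.vbs` policy are constructed for the example, and fixed-size chunks stand in for TCP segments.

```python
from email.parser import BytesParser

BLOCKED_EXTENSIONS = (".vbs",)  # assumed policy for this illustration

# Constructed HTTP response (not captured traffic).
RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Content-Type: application/octet-stream\r\n"
    b'Content-Disposition: attachment; filename="update.vbs"\r\n'
    b"\r\n"
    b'MsgBox "hello"\r\n'
)

def segment(data, size):
    """Cut a byte stream into fixed-size chunks, standing in for TCP segments."""
    return [data[i:i + size] for i in range(0, len(data), size)]

def per_packet_matches(segments):
    """Packet-at-a-time view: indexes of segments that contain a blocked extension."""
    needles = [ext.encode() for ext in BLOCKED_EXTENSIONS]
    return [n for n, seg in enumerate(segments)
            if any(needle in seg.lower() for needle in needles)]

def gateway_decision(segments):
    """Content view: rebuild the object, parse its headers, then apply the policy."""
    stream = b"".join(segments)
    head, _, body = stream.partition(b"\r\n\r\n")
    _, _, header_block = head.partition(b"\r\n")  # drop the status line
    headers = BytesParser().parsebytes(header_block + b"\r\n\r\n", headersonly=True)
    filename = headers.get_filename() or ""
    verdict = "block" if filename.lower().endswith(BLOCKED_EXTENSIONS) else "allow"
    return {"filename": filename, "mime": headers.get_content_type(),
            "size": len(body), "verdict": verdict}

if __name__ == "__main__":
    segs = segment(RESPONSE, 36)  # a segment boundary can fall inside a token
    print("segments flagged one at a time:", per_packet_matches(segs))
    print("decision on rebuilt object:", gateway_decision(segs))
```

With this segment size no single chunk contains the file extension, so the per-packet check flags nothing, while the rebuilt object yields a filename and MIME type that policy can act on.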

The device can then make decisions based on user, file-type, MIME-type, active content type, original web site, time of day, browser, group, site of user and other such factors. It can also take individual objects and redirect them to virus scanning devices, something that is not possible if the only understanding gained is on a packet-by-packet basis. There is a further parallel to be drawn over virus scanning, which is similar in its function to x-raying hand luggage, while metal detectors that passengers must walk through are like removing mobile code such as Java and ActiveX.

Acting On Intelligence
Security gateways also provide an enterprise with complete logs of every user, every request, everything that happens. They allow security-critical statistics to be analysed, such as time online by user, users creating the most Web traffic, most popular sites, split of data by site category, the amount of streaming data and types of browser in use.

This gives the organisation far better information on which to act. Take the usual security system based largely on firewalls, which list traffic only by IP address, not by user. From an HR perspective this is useless, as management cannot discipline staff if they are unsure who is doing what, and so the threat persists.

So, just like airlines who need to know their most important customers, who habitually arrives late at check-in, who uses multiple airlines, and who is loyal, security gateways can show what each user does, for how long, and where they go. Then the company’s management can ascertain whether there is a problem that needs to be addressed.

Implications For The IT Function
The most significant capability of security gateways is the quantum leap in security sophistication that they deliver to the enterprise. Essentially, they allow organisations to upgrade or downgrade their security curtain as circumstances dictate, just like an airport.

Picture this: a new virus is spread by Visual Basic files, and for a few crucial hours there is no solution to it. Management can insert a specific rule to ‘block all .VBS (Visual Basic) files’ and implement it immediately. When the anti-virus vendors have an update to their scanning system, this can be deployed and the block removed from the security gateway.

Alternatively, month-end in a multinational company could bring with it some crucial communications that need to be made between several systems. These may start at 6:00pm GMT, during the North American working day. To ensure bandwidth is not consumed during this time by non-crucial work, a rule could be set up that starts automatically at 6:00pm and stops again at midnight GMT. During this time, streaming support is limited to a lower level of performance, and access to news web-sites is redirected to an internal web page saying ‘month end – don’t go here until tomorrow’. Without anyone needing to access the management system, at midnight the rule is automatically rescinded, making maximum use of available resources while security is tightened.
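The two scenarios above, together with the earlier list of decision factors (user, file type, site, time of day), can be expressed as a small rule engine. This is an added sketch, not any vendor's policy language: the class names, rule names, category labels and sample dates are assumptions made for the example, and only the file-extension, site-category and time-window factors are modelled.

```python
from dataclasses import dataclass
from datetime import datetime, time, timezone

@dataclass
class WebObject:
    """What the gateway knows once it has rebuilt a complete web object."""
    user: str
    category: str      # site category, e.g. "news" (labels are assumptions)
    filename: str
    when: datetime     # timezone-aware timestamp of the request

@dataclass
class Rule:
    name: str
    action: str                           # "block" or "redirect"
    extensions: tuple = ()                # empty tuple means "any file type"
    categories: tuple = ()                # empty tuple means "any site"
    start: time = time(0, 0)              # active window, evaluated in GMT
    end: time = time(23, 59, 59, 999999)
    enabled: bool = True

    def matches(self, obj):
        now = obj.when.astimezone(timezone.utc).time()
        if not self.enabled or not (self.start <= now <= self.end):
            return False
        if self.extensions and not obj.filename.lower().endswith(self.extensions):
            return False
        return not self.categories or obj.category in self.categories

# Constructed rule set mirroring the two scenarios in the text.
VBS_BLOCK = Rule("emergency-vbs-block", "block", extensions=(".vbs",))
MONTH_END = Rule("month-end-news", "redirect", categories=("news",), start=time(18, 0))
RULES = [VBS_BLOCK, MONTH_END]

def decide(obj, rules=RULES):
    """First matching rule wins; anything unmatched is allowed."""
    for rule in rules:
        if rule.matches(obj):
            return rule.action, rule.name
    return "allow", "default"

if __name__ == "__main__":
    evening = datetime(2003, 4, 30, 19, 30, tzinfo=timezone.utc)
    print(decide(WebObject("alice", "news", "index.html", evening)))
    print(decide(WebObject("bob", "software", "Update.VBS", evening)))
    VBS_BLOCK.enabled = False  # scanner signatures updated: lift the block
    print(decide(WebObject("bob", "software", "Update.VBS", evening)))
```

Because the window is evaluated in GMT, a request stamped 13:30 at UTC-5 falls inside the 6:00pm to midnight rule without anyone touching the management system.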

It is this level of sophistication that the modern enterprise is seeking, but unable to achieve with firewalls alone, and that security gateways are delivering.

Infosecurity Europe is Europe’s largest and most important information security event. Now in its 8th year, the show features Europe’s most comprehensive FREE education programme, and over 200 exhibitors at the Grand Hall at Olympia from 29th April – 1st May 2003. www.infosec.co.uk