Here’s a question: What’s the number 1 vector for security outbreaks today? Given the title of the article we hope you answered Virtual Private Networks (VPNs). Today’s convenient world of mobile access to critical applications and information has come with a hefty burden for the world’s already overburdened security teams. Our Secure Operations Centers witness the same trend each time a new outbreak, such as Sasser, occurs. The first day, usually during a weekend, is eerily quiet given the large amount of outbreak activity we see outside of our clients’ networks. But then Monday rolls around and our Analysts are rapidly working to prevent damage from internal outbreaks for the next couple of days. Almost every single one of these internal outbreaks can be traced back to an infected mobile user or external partner entering the corporate network through the VPN.
There are a variety of ways security teams can address this problem. However, the right solution must be unobtrusive to the external party and err on the side of availability since most external users are either sales personnel, executives or business partners that cannot be denied access.
Network segmentation is the first basic step to address the VPN issue. Properly segmenting your VPN network and the networks most typically accessed by users will give you the ability to contain outbreaks when they occur. Segmentation can be performed at the network, sub-network and host level. At the network level, teams can utilize their Firewalls and IPS devices to segment major portions of the network. However, perhaps more importantly security teams need to properly segment individual subnets and limit who can access these networks and hosts. This can be performed easily using Virtual LAN and Access Control Lists. Performing proper segmentation across all three levels will enable security teams to contain outbreaks, control which users can access critical hosts and provide the fundamental level of security around their VPN segments.
Intrusion Prevention Systems (IPS) are an extremely useful solution to the VPN outbreak problem. Since an IPS is an inline device with automated blocking functionality there is always risk of falsely denying access. However, a properly tuned IPS looking for a discrete set of known malware can be highly effective in preventing outbreaks behind the VPN. Security teams should deploy an IPS device behind any and all VPN devices. Once an outbreak occurs these teams should move quickly to update their IPSs with the new attack signature and turn the blocking mode on when the device encounters this new threat. Security teams should then monitor the activity on this device to ensure that all malicious traffic is blocked, while not denying legitimate traffic. Managing this IPS process effectively will result in far fewer internal outbreaks and consequently security team headaches.
New initiatives from leading network and security vendors hold the promise of easing the VPN outbreak burden in the future. Cisco’s Network Access Control (NAC) is one such initiative. Essentially NAC will inform a Cisco router or VPN about the current state of the mobile user’s security. Information such as patch levels and anti-virus signature updates are then used by the VPNs to determine whether or not this person is safe to enter your network. If they are not safe the device directs the user to an internal web page where they can download the latest patches or virus signatures. Other vendors are promising to deliver a similar set of functionality. These solutions should greatly help security teams control the number of outbreaks occurring through the VPN.
VPNs will likely continue to be the weakest link in an organization’s security infrastructure for some time to come. Implementing these recommended actions should help security teams minimize, and hopefully someday eliminate, the impact from outbreaks entering through the VPN. Although these methods will help to better defend your enterprise, they are by no means a substitute for an effective, comprehensive Threat Management strategy. Such a strategy must include prevention, discovery, assessment, detection, response and early warning. Implementing this strategy will provide a security team with the best chance of efficiently protecting your enterprise from existing and emerging threats.
Steven Drew is Chief Operating Officer of LURHQ Corporation, a trusted provider of Managed Security Services. Founded in 1996, LURHQ protects the critical information assets of more than 400 customers by offering integrated Threat Management services. LURHQ’s 24X7 Threat Management capabilities enable customers to enhance their security posture while reducing the costs of managing their security environments.