Is unified access control the answer to security?

Protecting an IT environment now consumes more resources than actually managing the network. There are more devices connected, more people collaborating, more dispersal of access points and an enormous increase in the amount of traffic and type of traffic on the network. Juniper Networks’ Matt Miller* looks at the following issues and provides some remedies. Even if you can secure all entry points, the biggest issue is scale. How do you ensure only the right people can see the right data at the right time when network capacity is already strained?

Security used to mean more bottlenecks but unified access control (UAC) is providing an answer. The network has exploded outside of the traditional boundaries that we have seen in the past number of years. The introduction of 3G, the iPhone and other smart phones has seen ubiquitous connectivity become a major issue with security. If we look at mobile devices specifically, they are critical tools used by organisations to provide competitive advantages for the mobile workforce. They enable people to ‘work on the move’ and are therefore integrated into corporate networks. As mobile devices such as laptops roam freely in and out of an organisation’s controlled environment, this can pose extra threats to the network. While mobile devices are open to the same threats as a PC, they are also exposed to many other threats. It is vital for organisations to recognise that mobile devices are an extension of an organisation’s network and are needed to be treated accordingly.

The lines in network boundaries are no longer clear and companies now need to approach security based upon the user and their rights. Firewalls and other security devices are still needed to keep the unknown out but smarter technology is needed to control the known users, who have always been allowed.

But as networks become more ambiguous, especially with the cloud becoming the next frontier of connectivity, these threats are expected to increase. This means there will be an increase in the amount of known and unknown users connecting to a supposedly endless pool of resources. These resources need protection and, as long as firewalls and a security policy are in place, the traffic will be secure. However, the constant battle between operational capability and security weighs in. Companies need to allow access to the resources for them to be operational, allowing everyone and anyone to use the resource that poses the threat. Therefore, the focus for security must be on the end user.

It is even more important for organisations today to adopt a best practice, defence in depth strategy for their security infrastructure. Security is a multilayered investment with security requirements becoming more apparently inherent. Traditionally, security solutions did not scale, proving to be a bottleneck in the network, along with introducing the issue of firewall sprawl. Therefore, for security to be transparent it needs to scale to complement the routers and switches in the network. In response to these shortcomings of firewalls, Juniper released its SRX range of products in September 2008, with it flagship device being the SRX5800, scaling up to 120 Gb of firewall traffic. Such scale removes bottlenecks in the network and allows optimum performance of the network in a consolidated way. Consolidation with the SRX devices allows customers to limit the amount of firewalls in their network, provide operational efficiencies with the intelligence of JUNOS and ensure security is baked into the network and not seen as an afterthought. The more transparent security solutions are in the network, the more difficult they are to get around.

To further the in-depth discussion, intrusion detection and prevention solutions are the perfect complement to the security infrastructure, as most attacks go for the vulnerabilities of applications. It is the application that processes, stores or is the gateway to the data that increases identity theft and is the key asset for a malicious attack. There is a more sophisticated way to identify and protect against these attacks which, to a typical firewall, is valid traffic, such as web browsing or email. Intrusion detection prevention (IDP) looks at the traffic while it is in transit and will do a number of traffic matching, both signature and protocol anomaly, to either allow or deny the traffic. Again this solution needs to scale in the network, otherwise it will restrict network performance. Juniper has embedded this functionality into their SRX series, providing fundamental firewall capability along with the sophistication of IDP, up to 30 Gbps.

Other security elements such as VPN concentrators will continue to provide access gateways into the network, which have and will continue to evolve to respond to the ubiquity of computing. Providing access and security for the range of computing devices is difficult, due to the sheer number of devices available. With the introduction of the iPhone, data skyrocketed in response, as they are just as connected, if not more, than a traditional laptop computer. The iPad will push the limits of network connectivity but again it needs to be restricted when entering a private network to access only the right resources when required. The Juniper Secure Access devices enable the likes of laptops, smart phones and other connected devices to enter a secure environment via the internet-based protocol, Secure Socket Layer.

Traditionally, these security elements have worked in isolation of each other but, for a true end-to-end security solution, they now need to work in concert with each other. Initiatives such as IF-Map will become more important in the networks of the future as source and destinations are going to become more ambiguous, therefore the products in the network need to respond and adjust dynamically based upon security threats. IF-Map allows the devices to be user aware and follow the sessions within the network and respond accordingly if there is a security threat.

In a cloud-based environment where networks are limitless and resources are ambiguous, scale of the security solutions matter. Having security inherent in the network will protect the resources as they ebb and flow to customer needs, very much like a utility infrastructure. When you flick a light switch, the light turns on, with all of the safety mechanisms being completely hidden from the end user.

UAC is a security overlay product that looks for security threats from known users, allowing or denying access to critical resources. If at any stage the PC was to have its antivirus disabled, it would require the PC to be quarantined until it was rectified. The UAC supplicant can be either layer 3, routing or layer 2 with 802.1x port based security.

Security is no longer as simple as either allowing or denying access, but combining a number of different user attributes of which access control is the most basic. Understanding who the user is, their access rights, and at what time, along with where they are coming from, are now the more sophisticated security requirements. Combining these requirements is difficult as they are all variables. However, as companies enter into a world of cloud computing, it is becoming more important as the user is the only constant in this variable environment.

Technology alone does not fix all security issues. Security, together with people and organisation’s internal policies, will provide a suitable security solution. Applying security controls to manage people-related risks is critical for protecting the network. Staff needs to be adequately trained to ensure both technological and procedural security controls are implemented.

UAC complements traditional security infrastructure such as firewalls and provides comprehensive visibility and response to both network and user-borne security attacks. Network-based attacks are still a real threat to anyone who is connected to the internet. However, users represent a major threat in the future; therefore the necessity for a user-based security layer is no longer a luxury.

Once the attack is identified and acknowledged, there needs to be an adequate response to the attack. Utopia would be an automated solution, which can usually happen with technology; however, organisational policies will be required to see the resolution through to completion.

Security is not a set-and-forget solution. Companies need to regularly manage and update their security solutions as the security landscape is constantly evolving and changing at a rapid pace.

* Matt Miller is the Director, Systems Engineering at Juniper Networks Australia and New Zealand.