Introduction to network security. Current issues in the security of corporate data networks

Network and information security

Ensuring corporate network security

High security and regulatory compliance are a must in enterprise networking projects.

To protect their information resources, enterprises build network security solutions into their infrastructure, guaranteeing the security of the network and commercial data at all levels:

  • firewall
  • managed VPN networks
  • detecting and blocking network intrusion attempts
  • protection of traffic exchange endpoints
  • corporate antivirus system.

Connection security

For employees on business trips or working from home, remote access to the corporate network has become a working necessity.

More and more organizations are allowing partners to remotely access their networks to reduce system maintenance costs. Therefore, protecting traffic exchange endpoints is one of the most important tasks in ensuring the security of a company's network.

The places where a corporate network connects to the Internet are the network's security perimeter. Incoming and outgoing traffic intersect at these points. Corporate user traffic crosses network boundaries, and Internet requests from external users to access web and email applications enter the company network.

Because these endpoints are permanently connected to the Internet, which typically means external traffic is allowed into the corporate network, they are a prime target for attackers.

When building a secure corporate data network, firewalls are installed at the edges of the network at Internet access points. These devices prevent and block external threats and terminate VPN tunnels (see Fig. 1).


Fig.1 Security perimeter of a corporate network

A set of integrated secure-connection solutions from Cisco Systems ensures information confidentiality. It covers all endpoints and access methods across all company networks: LAN, WAN and wireless/mobile.

It provides full availability of firewall and VPN services. The firewall features provide stateful application-layer filtering for inbound and outbound traffic, secure outbound access for users, and a DMZ network for servers that need to be accessible from the Internet.
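The following added example (Python, written for this page; it is not code from Cisco Systems or the other vendors mentioned) models the perimeter policy just described: a default-deny firewall with LAN, DMZ and Internet (WAN) zones and a connection-tracking table, so that return traffic of established flows is accepted while new connections are checked against zone policy. The zone names, address ranges, allowed ports and packet sequence are all constructed assumptions for the illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed address plan: which ranges sit behind which zone (assumption).
ZONES = {
    "lan": ip_network("10.0.0.0/16"),
    "dmz": ip_network("192.168.100.0/24"),
}


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything not internal is the Internet ('wan')."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "wan"


# Zone policy for NEW connections: (from_zone, to_zone) -> allowed TCP ports or "any".
# Only listed pairs are permitted; every other direction is dropped (default deny).
POLICY = {
    ("lan", "wan"): "any",          # secure outbound access for users
    ("lan", "dmz"): {22, 80, 443},  # administrators reach DMZ servers
    ("wan", "dmz"): {80, 443},      # Internet reaches only the published services
    ("dmz", "wan"): {53, 80, 443},  # DMZ servers need DNS and updates
    # No ("wan", "lan") and no ("dmz", "lan") entry: a compromised DMZ host
    # cannot open connections into the internal network.
}


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool  # True for the first packet of a TCP connection


class StatefulFirewall:
    """Default-deny, zone-based packet filter with a connection table."""

    def __init__(self):
        self.connections = set()  # (src, sport, dst, dport) of accepted flows

    def decide(self, p: Packet) -> str:
        flow = (p.src, p.sport, p.dst, p.dport)
        reverse = (p.dst, p.dport, p.src, p.sport)
        # Established flows: both directions pass without re-evaluating policy.
        if flow in self.connections or reverse in self.connections:
            return "accept"
        # A mid-stream packet with no state is invalid, whatever its zones.
        if not p.syn:
            return "drop"
        allowed = POLICY.get((zone_of(p.src), zone_of(p.dst)))
        if allowed is None or (allowed != "any" and p.dport not in allowed):
            return "drop"
        self.connections.add(flow)
        return "accept"


def run_demo() -> list:
    """Evaluate a constructed packet sequence; returns the decisions in order."""
    fw = StatefulFirewall()
    packets = [
        Packet("10.0.5.7", 40000, "203.0.113.10", 443, syn=True),      # LAN user to Internet
        Packet("203.0.113.10", 443, "10.0.5.7", 40000, syn=False),     # reply to that flow
        Packet("198.51.100.9", 5555, "192.168.100.10", 443, syn=True),  # Internet to DMZ web
        Packet("198.51.100.9", 5556, "192.168.100.10", 22, syn=True),   # Internet to DMZ SSH
        Packet("198.51.100.9", 5557, "10.0.5.7", 445, syn=True),        # Internet to LAN host
        Packet("192.168.100.10", 3333, "10.0.5.7", 445, syn=True),      # DMZ host to LAN host
        Packet("198.51.100.9", 5558, "192.168.100.10", 80, syn=False),  # no handshake, no state
    ]
    return [fw.decide(p) for p in packets]


if __name__ == "__main__":
    for verdict in run_demo():
        print(verdict)
```

The point of the model is the asymmetry it enforces: the Internet can reach the DMZ only on the published ports, the DMZ cannot initiate anything into the LAN, and reply packets pass only because the outbound SYN created an entry in the connection table.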

System integrator IC "Telecom-Service" builds corporate security networks based on multifunctional security devices from Cisco Systems, Juniper Networks and Huawei Technologies, which reduces the number of devices required in the network.

Comprehensive corporate network security solutions from Cisco Systems, Juniper Networks and Huawei Technologies have a number of advantages that are important for effective business:

  • reduction of IT budgets for operation and maintenance of software and hardware
  • increasing network flexibility
  • reduction in implementation costs
  • reduction in total cost of ownership
  • strengthening control through unified management and the introduction of security policies
  • increasing profits and increasing enterprise efficiency indicators
  • reducing security threats to the network and storage systems
  • application of effective security policies and rules at the end nodes of the network: PCs, PDAs and servers
  • reduction of time to implement new security solutions
  • effective network intrusion prevention
  • integration with software from other developers in the field of security and management
  • full-scale network access control.

Cisco security products at all network levels

Endpoint Security: Cisco Security Agent software protects computers and servers from worm attacks.

Built-in firewalls: The PIX Security Appliance, Catalyst 6500 Firewall Services Module, and firewall feature set protect the network internally and at the perimeter.

Network intrusion protection: 4200 Series IPS sensors, Catalyst 6500 IDS Services Modules (IDSM-2), or IOS IPS identify, analyze, and block malicious unsolicited traffic.

Detecting and eliminating DDoS attacks: Cisco Traffic Anomaly Detector XT and Guard XT ensure normal operation in the event of service interruption attacks. Cisco Traffic Anomaly Detector Services and Cisco Guard modules provide strong protection against DDoS attacks on Catalyst 6500 Series switches and 7600 Series routers.

Content security: the Access Router Content Engine module protects business applications that work with the Internet and ensures error-free delivery of web content.

Intelligent network and security administration services: Unwanted traffic and applications are found and blocked in Cisco routers and switches.

Management and monitoring:

Products:

  • CiscoWorks VPN/Security Management Solution (VMS)
  • CiscoWorks Security Information Management System (SIMS)
  • Built-in device managers: Cisco Router and Security Device Manager (SDM), PIX Device Manager (PDM), Adaptive Security Device Manager (ASDM) quickly and efficiently track, monitor security services and network activity.

    Network Admission Control (NAC) technology from Cisco

    Network Admission Control (NAC) is a set of technologies and solutions based on an industry-wide initiative led by Cisco Systems.

    NAC uses the network infrastructure to enforce security policies on all devices seeking to access network resources. This reduces possible damage to the network from security threats.

    Multifunctional security devices provide secure remote access to the corporate VPN for employees and partners using SSL and IPsec VPN protocols, with built-in IPS services that detect and block intrusions.

    Self-Defending Network - self-defending network strategy from Cisco

    Self-Defending Network is an evolving strategy from Cisco. The technology protects enterprise business processes by detecting and preventing attacks and adapting to internal and external network threats.

    Enterprises can more effectively use the intellectual capabilities of network resources, optimize business processes and reduce costs.

    Cisco Security Management Suite

    The Cisco Security Management Suite is a set of products and technologies designed to provide scalable administration and enforcement of security policies for a self-defending Cisco network.

    The integrated Cisco product automates security management tasks using two key components: Cisco Security Manager and Cisco Security MARS, a monitoring, analysis and response system.

    Cisco Security Manager provides a simple interface for configuring the firewall, VPN and intrusion prevention system (IPS) on Cisco security appliances, firewalls, routers and switches.

    If we look at the information security system of any large company, it consists of more than just an antivirus: it includes several other protection programs covering all areas. The days of simple IT security solutions are long gone.

    Of course, the basis of a general information security system for any organization is to protect a standard workstation from viruses. And here the need to use an antivirus remains unchanged.

    But corporate security requirements have changed overall. Companies need full-fledged end-to-end solutions that can not only provide protection against the most complex modern threats, but also stay ahead of the curve.

    "More and more large companies are building a security system based on the principle of defense in depth."

    Moreover, where the layers were previously built across different elements of the IT infrastructure, multi-level protection should now be present even on individual elements of the IT environment, primarily workstations and servers.

    What threats did companies face in 2014?

    From a threat perspective, targeted attacks on corporations and government agencies have become a huge problem in information security recently. Many of the techniques that hackers previously used to attack home users are now being used in businesses.

    These include modified banking Trojans aimed at employees of finance and accounting departments, file-encrypting malware that has started operating inside corporate networks, and the use of social engineering methods.

    In addition, network worms have become widespread; removing them requires shutting down the entire corporate network. If a company facing this problem has a large number of branch offices in different time zones, any interruption of network operation inevitably leads to financial losses.

    According to a 2014 Kaspersky Lab study of information security specialists, Russian companies most often face:

    • malware,
    • unwanted correspondence (spam),
    • attempts at unauthorized entry into the system via phishing,
    • vulnerabilities in installed software,
    • risks associated with the behavior of company employees.

    The problem is further aggravated by the fact that cyber threats are far from static: they are multiplying every day, becoming more diverse and complex. In order to more clearly understand the current situation in the field of information security and the consequences that even a single computer incident can lead to, let’s present everything in figures and facts obtained based on Kaspersky Lab’s analysis of the events of 2014.

    Cyber threat statistics


    Incidentally, it is mobile devices that today continue to be a separate “headache” for information security specialists. The use of personal smartphones and tablets for work purposes is already accepted in most organizations, but proper management of these devices and their inclusion in the company's overall information security system is not practiced everywhere.

    "According to Kaspersky Lab, the Android platform today accounts for 99% of malware that specializes in mobile devices."

    To understand where such a number of threats come from and to imagine the speed with which they are increasing in number, it is enough to say that every day Kaspersky Lab specialists process 325 thousand samples of new malware.

    Malware most often gets onto users' computers in two ways:

    • through vulnerabilities in legitimate software
    • using social engineering methods.

    Of course, a combination of these two techniques is very common, but attackers do not neglect other tricks.

    A separate threat to business is targeted attacks, which are becoming increasingly common.

    “Using illegal software, of course, further increases the risk of becoming a successful target for a cyber attack, primarily due to the presence of more vulnerabilities in it.”

    Vulnerabilities appear sooner or later in any software. These could be errors during program development, obsolescence of versions or individual code elements. Be that as it may, the main problem is not the presence of a vulnerability, but its timely detection and closure.

    Recently, and 2014 is clear evidence of this, software vendors have begun to close the vulnerabilities in their programs more and more actively. However, there are still plenty of gaps in applications, and cybercriminals are actively using them to penetrate corporate networks.

    In 2014, 45% of all vulnerability incidents were caused by holes in the popular Oracle Java software.

    In addition, the past year saw something of a turning point when a vulnerability called Heartbleed was discovered in the widely used OpenSSL encryption library. This flaw allowed an attacker to read memory contents and intercept personal data on systems running vulnerable versions of the library.

    OpenSSL is widely used to protect data transmitted over the Internet (including information exchanged between users on web pages, emails and instant messages) and data transmitted over VPN (Virtual Private Network) channels, so the potential damage from this vulnerability was enormous. It is possible that attackers could use this vulnerability as a starting point for new cyber espionage campaigns.

    Victims of attacks

    In general, in 2014, the number of organizations that became victims of targeted cyber attacks and cyber espionage campaigns increased almost 2.5 times. Over the past year, almost 4.5 thousand organizations in at least 55 countries, including Russia, became the target of cybercriminals.

    Data theft occurred in at least 20 different economic sectors:

    • government,
    • telecommunications,
    • energy,
    • research,
    • industrial,
    • healthcare,
    • construction and other companies.

    Cybercriminals gained access to the following information:

    • passwords,
    • files,
    • geolocation information,
    • audio data,
    • screenshots,
    • webcam pictures.

    It is likely that in some cases these attacks were supported by government agencies, while others were more likely carried out by professional cyber mercenary groups.

    In recent years, Kaspersky Lab's Global Threat Research and Analysis Center has tracked the activities of more than 60 criminal groups responsible for cyberattacks around the world. Their participants speak different languages: Russian, Chinese, German, Spanish, Arabic, Persian and others.

    The consequences of targeted operations and cyber espionage campaigns are always extremely serious. They inevitably end in hacking and infection of the corporate network, disruption of business processes, and leakage of confidential information, in particular intellectual property. In 2014, 98% of Russian companies encountered some kind of cyber incident, the sources of which were, as a rule, outside the enterprises themselves. In addition, another 87% of organizations recorded incidents caused by internal threats.

    “The total amount of damage for large companies averaged 20 million rubles for each successful example of a cyber attack.”

    What companies fear and how things really are

    Kaspersky Lab annually conducts research to determine the attitude of IT specialists to information security issues. A 2014 study showed that the vast majority of Russian companies, 91% to be exact, underestimate the amount of malware that exists today. Moreover, they do not even assume that the number of malware is constantly increasing.



    Interestingly, 13% of IT professionals said they are not worried about insider threats.

    This may be explained by the fact that in a number of companies it is not customary to divide cyber threats into external and internal. In addition, among Russian heads of IT and information security services there are those who still prefer to solve all problems with internal threats through prohibition measures.

    However, if a person is prohibited from doing something, this does not mean that he does not do it. Therefore, any security policy, including prohibition, requires appropriate control tools to ensure compliance with all requirements.

    As for the types of information that attackers are primarily interested in, the study showed that companies’ perceptions and the actual state of affairs differ quite greatly.

    Thus, companies themselves are most afraid of losing:

    • information about clients,
    • financial and operational data,
    • intellectual property.

    Business worries a little less about:

    • information on analyzing the activities of competitors,
    • payment information,
    • personal data of employees,
    • data on corporate bank accounts.

    “In fact, it turns out that cybercriminals most often steal internal company operational information (in 58% of cases), but only 15% of companies consider it necessary to protect this data in the first place.”

    For security, it is equally important to think through not only technologies and systems, but also to take into account the human factor: understanding of the goals by the specialists who build the system, and understanding of the responsibilities of the employees who use the devices.

    Recently, attackers are increasingly relying not only on technical means, but also on the weaknesses of people: they use social engineering methods that help to extract almost any information.

    Employees who take data out on their own devices must understand that they bear exactly the same responsibility as if they had taken paper copies of documents with them.

    Company personnel should also be well aware that any modern technically complex device contains defects that can be exploited by an attacker. But to take advantage of these defects, an attacker must gain access to the device. Therefore, when downloading mail, applications, music and pictures, it is necessary to check the reputation of the source.

    It is important to be wary of alarming text messages and emails, and to check the reliability of the source before opening a message or clicking on a link.

    In order for the company to still have protection from such accidental or intentional actions of employees, it should use modules to protect data from leaks.
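As an added example of what such a data leak protection module does at its simplest (Python written for this page; it is not Kaspersky Lab's module or any vendor's code), here is an outbound-message check that looks for payment card numbers validated with the Luhn checksum and for internal classification markers, and produces a verdict that records only a masked form of the secret. The marker list and both sample messages are constructed for the illustration.

```python
import re

# Classification markers that should not leave the company (constructed list).
MARKERS = ("confidential", "internal only", "not for distribution")

# Candidate card numbers: 13-19 digits, optionally separated by spaces or hyphens.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,19}\b")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum; filters out phone numbers and order ids that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return digit strings that match the card pattern and pass the Luhn check."""
    found = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if 13 <= len(digits) <= 19 and luhn_ok(digits):
            found.append(digits)
    return found


def mask(digits: str) -> str:
    """Keep only the last four digits, so the incident log does not itself leak the card."""
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_outgoing(text: str) -> dict:
    """Decide whether an outgoing message may leave; the verdict never carries the raw number."""
    cards = [mask(c) for c in find_card_numbers(text)]
    lowered = text.lower()
    markers = [m for m in MARKERS if m in lowered]
    reasons = [f"card number {c}" for c in cards] + [f"marker '{m}'" for m in markers]
    return {"block": bool(reasons), "reasons": reasons, "cards": cards, "markers": markers}


# Constructed sample messages (not real data). The second card number fails Luhn
# and is deliberately ignored, showing why the checksum matters for false positives.
LEAKY_MESSAGE = (
    "Hi, the INTERNAL ONLY Q3 forecast is attached. "
    "Use card 4111 1111 1111 1111 for the booking; "
    "the old one 4111-1111-1111-1112 was cancelled."
)
CLEAN_MESSAGE = "Hi, the public price list is attached, call 555 0100 for questions."


if __name__ == "__main__":
    for msg in (LEAKY_MESSAGE, CLEAN_MESSAGE):
        print(scan_outgoing(msg))
```

Real DLP products add file fingerprinting, document classification and a policy engine on top of this, but the two ingredients shown here, content patterns with a validity check and a verdict that masks what it found, are the core of the "leak protection" function the text refers to.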

    “Companies need to regularly remember how to work with personnel: from improving the skills of IT employees to explaining the basic rules for safe work on the Internet, no matter what devices they access it from.”

    Thus, this year Kaspersky Lab released a new module that implements data leakage protection functions -

    Cloud protection

    Many large companies use the cloud in one way or another, in Russia most often in the private cloud version. It is important to remember here that, like any other information system created by man, cloud services contain potential vulnerabilities that can be exploited by virus writers.

    Therefore, when organizing access even to your own cloud, you need to remember the security of the communication channel and of the end devices used by employees. Equally important are internal policies regulating which employees have access to data in the cloud, what level of confidentiality information may be stored in the cloud, and so on. The company must formulate transparent rules:

    • what services will work from the cloud,
    • which ones are on local resources,
    • what kind of information should be placed in the clouds,
    • which one needs to be kept “at home”.

    Based on the article: Time for “hard” decisions: security in the Enterprise segment.

    This is exactly the result of a survey of more than 1,000 heads of IT departments of large and medium-sized European companies, commissioned by Intel Corporation. The purpose of the survey was to identify the problem of greatest concern to industry experts. The answer was quite expected: more than half of the respondents named network security as a problem that requires an immediate solution. The other survey results are also quite expected. For example, the network security factor leads among other problems in the field of information technology; its importance has increased by 15% compared to the situation five years ago.
    According to the survey results, highly qualified IT specialists spend over 30% of their time on solving security issues. The situation in large companies (with over 500 employees) is even more alarming - about a quarter of respondents spend half of their time resolving these issues.

    Balance of threats and protection

    Alas, the issue of network security is inextricably linked with the fundamental technologies used in modern telecommunications. It just so happened that when developing a family of IP protocols, priority was given to the reliability of the network as a whole. At the time of the appearance of these protocols, network security was ensured in completely different ways, which were simply unrealistic to use in the context of the Global Network. You can loudly complain about the short-sightedness of the developers, but it is almost impossible to radically change the situation. Now you just need to be able to protect yourself from potential threats.
    The main principle of this skill should be a balance between the potential threats to network security and the level of protection required. Security costs must be commensurate with the cost of possible damage from realized threats.
    For modern large and medium-sized enterprises, information and telecommunication technologies have become the basis for doing business. Therefore, they have turned out to be the most sensitive to the effects of threats. The larger and more complex the network, the more effort it requires to protect. Moreover, the cost of creating threats is orders of magnitude less than the cost of neutralizing them. This state of affairs forces companies to carefully weigh the consequences of possible risks from various threats and choose appropriate methods of protection against the most dangerous ones.
    Currently, the greatest threats to corporate infrastructure come from actions related to unauthorized access to internal resources and blocking the normal operation of the network. There are quite a number of such threats, but each of them is based on a combination of technical and human factors. For example, penetration of malware into a corporate network can occur not only through the network administrator’s neglect of security rules, but also through the excessive curiosity of a company employee who decides to follow a tempting link from a spam email. Therefore, you should not hope that even the best technical security solutions will become a panacea for all ills.

    UTM class solutions

    Security is always a relative concept. If there is too much of it, it becomes noticeably harder to use the very system we are trying to protect. Therefore, a reasonable compromise becomes the first choice in ensuring network security. For medium-sized enterprises by Russian standards, such a choice can well be served by UTM (Unified Threat Management) class solutions, which are positioned as multifunctional network and information security devices. At their core, these solutions are software and hardware systems that combine the functions of different devices: a firewall, a network intrusion detection and prevention system (IPS), and an anti-virus gateway (AV). These complexes are often tasked with additional duties, such as routing, switching or VPN support.
    Often, UTM providers offer solutions for small businesses. Perhaps this approach is partly justified. But it is still both easier and cheaper for small businesses in our country to use the security service of their Internet provider.
    Like any universal solution, UTM equipment has its pros and cons. The former include savings in cost and implementation time compared to building protection of a similar level from separate security devices. UTM is also a pre-balanced and tested solution that can readily solve a wide range of security problems. Finally, solutions of this class are not very demanding on the qualifications of technical personnel: any specialist can handle their setup, management and maintenance.
    The main disadvantage of UTM is that any function of a universal solution is often less effective than the same function in a specialized solution. That is why, when high performance or a high degree of security is required, specialists prefer solutions based on integrating individual products.
    However, despite this disadvantage, UTM solutions are becoming popular with many organizations that differ greatly in scale and type of activity. According to Rainbow Technologies, such solutions were successfully implemented, for example, to protect the server of a household appliance online store that was subject to regular DDoS attacks. A UTM solution also made it possible to significantly reduce the volume of spam in the mail system of one of the automobile holding companies. In addition to solving local problems, we have experience in building security systems based on UTM solutions for a distributed network covering the central office of a brewing company and its branches.

    UTM manufacturers and their products

    The Russian market for UTM class equipment consists only of offerings from foreign manufacturers. Unfortunately, none of the domestic manufacturers have yet been able to offer their own solutions in this class of equipment. The exception is the Eset NOD32 Firewall software solution, which, according to the company, was created by Russian developers.
    As already noted, in the Russian market UTM solutions are of interest mainly to medium-sized companies whose corporate network has up to 100-150 workstations. When selecting UTM equipment for this review, the main criterion was performance in the various operating modes, which is what ensures a comfortable user experience. Manufacturers often specify performance figures for the Firewall, IPS (intrusion prevention) and AV (virus protection) modes.

    Check Point’s solution is called UTM-1 Edge. It is a unified security device that combines a firewall, an intrusion prevention system, an anti-virus gateway, and VPN and remote access tools. The firewall included in the solution controls a large number of applications, protocols and services, and also has a mechanism for blocking traffic that clearly does not belong to the category of business applications, for example instant messaging (IM) and peer-to-peer (P2P) traffic. The anti-virus gateway scans for malicious code in email messages and in FTP and HTTP traffic. There are no restrictions on file size, and decompression of archives is carried out “on the fly”.
    The UTM-1 Edge solution has advanced VPN capabilities. OSPF dynamic routing and VPN client connections are supported. The UTM-1 Edge W model is available with a built-in IEEE 802.11b/g Wi-Fi access point.
    When large-scale deployments are required, UTM-1 Edge seamlessly integrates with Check Point SMART to greatly simplify security management.

    Cisco traditionally pays close attention to network security and offers a wide range of the necessary devices. For this review we chose the Cisco ASA 5510 model, which is focused on securing the corporate network perimeter. This equipment is part of the ASA 5500 series, which consists of modular UTM class protection systems. This approach allows the security system to be adapted to the specifics of a particular enterprise’s network.
    The Cisco ASA 5510 comes in four main kits - a firewall, VPN tools, an intrusion prevention system, as well as anti-virus and anti-spam tools. The solution includes additional components, such as the Security Manager system for creating a management infrastructure for an extensive corporate network, and the Cisco MARS system, designed to monitor the network environment and respond to security breaches in real time.

    The Slovak company Eset supplies the UTM-class software package Eset NOD32 Firewall, which includes, in addition to corporate firewall functions, the Eset NOD32 anti-virus protection system, mail (anti-spam) and web traffic filtering tools, and IDS and IPS network attack detection and prevention systems. The solution supports the creation of VPN networks. The complex is built on a server platform running Linux. The software part of the device was developed by the domestic company Leta IT, controlled by the Russian representative office of Eset.
    This solution monitors network traffic in real time and supports content filtering by category of web resource. It provides protection against DDoS attacks and blocks port scanning attempts. The Eset NOD32 Firewall solution includes DNS and DHCP server support and bandwidth control. Traffic of the SMTP and POP3 mail protocols is inspected.
    This solution also includes the ability to create distributed corporate networks using VPN connections. At the same time, various modes of network aggregation, authentication and encryption algorithms are supported.

    Fortinet offers a whole family of UTM-class FortiGate devices, positioning them as capable of protecting the network while maintaining a high level of performance, as well as reliable and transparent real-time operation of enterprise information systems. For this review we chose the FortiGate-224B model, which is aimed at protecting the perimeter of a corporate network with 150-200 users.
    The FortiGate-224B equipment includes firewall functionality, VPN servers, web traffic filtering, an intrusion prevention system, and anti-virus and anti-spam protection. This model has a built-in Layer 2 LAN switch and WAN interfaces, eliminating the need for external routing and switching devices. To this end, routing via the RIP, OSPF and BGP protocols is supported, as well as user authentication before network services are provided.

    SonicWALL offers a wide selection of UTM devices, from which the NSA 240 solution made it into this review. This equipment is the junior model in the line, aimed at use as a security system for the corporate network of medium-sized enterprises and the branches of large companies.
    This line relies on the full set of means of protection against potential threats: a firewall, an intrusion protection system, and anti-virus and anti-spyware gateways. Web traffic is filtered by 56 categories of sites.
    As one of the highlights of its solution, SonicWALL notes the technology of deep scanning and analysis of incoming traffic. To avoid performance degradation, this technology uses parallel data processing on a multiprocessor core.
    This equipment supports VPN, has advanced routing capabilities and supports various network protocols. Also, the solution from SonicWALL is capable of providing a high level of security when servicing VoIP traffic using the SIP and H.323 protocols.

    From WatchGuard’s product line, the Firebox X550e solution was chosen for review. It is positioned as a system with advanced functionality for ensuring network security and is aimed at use in the networks of small and medium-sized enterprises.
    The UTM class solutions of this manufacturer are based on the principle of protection against mixed network attacks. To achieve this, the equipment supports a firewall, an attack prevention system, anti-virus and anti-spam gateways, web resource filtering, as well as an anti-spyware system.
    This equipment uses the principle of joint protection, according to which network traffic checked by a certain criterion at one protection level will not be checked by the same criterion at another level. This approach allows for high equipment performance.
    As another advantage of its solution, the manufacturer cites support for Zero Day technology, which makes protection independent of the presence of signatures. This feature is important when new types of threats emerge that have not yet been effectively countered. Typically, the “window of vulnerability” lasts from several hours to several days. With Zero Day technology, the likelihood of negative consequences from the vulnerability window is noticeably reduced.

    ZyXEL offers its UTM class firewall solution, the ZyWALL 1050, aimed at corporate networks with up to 500 users. It is designed to build a network security system that includes full virus protection, intrusion prevention and support for virtual private networks. The device has five Gigabit Ethernet ports, which can be configured as WAN, LAN, DMZ and WLAN interfaces depending on the network configuration.
    The device supports the transmission of VoIP application traffic via the SIP and H.323 protocols at the firewall and NAT level, as well as the transmission of packet telephony traffic in VPN tunnels. At the same time, attack and threat prevention mechanisms work for all types of traffic, including VoIP; the anti-virus system runs with a full signature database, and content filtering for 60 website categories and spam protection are provided.
    The ZyWALL 1050 solution supports multiple private network topologies, VPN concentrator mode, and aggregation of virtual networks into zones with uniform security policies.

    Main characteristics of UTM

    Expert opinion

    Dmitry Kostrov, Project Director of the Directorate of Technological Protection of the Corporate Center of MTS OJSC

    The scope of UTM solutions mainly applies to companies classified as small and medium-sized businesses. The very concept of Unified Threat Management (UTM), as a separate class of equipment for protecting network resources, was introduced by the international agency IDC, according to which UTM solutions are multifunctional software and hardware systems that combine the functions of different devices. Typically these include a firewall, VPN, network intrusion detection and prevention systems, as well as anti-virus and anti-spam gateway and URL filtering functions.
    To achieve truly effective protection, the device must be multi-level, active and integrated. At the same time, many manufacturers of security equipment already have a fairly wide range of UTM-related products. The relative simplicity of system deployment, as well as the all-in-one nature of the system, makes the market for these devices quite attractive. The total cost of ownership and return on investment when implementing these devices seem very attractive.
    But a UTM solution is like a “Swiss Army knife”: there is a tool for every situation, but to punch a hole in the wall you need a real drill. There is also a possibility that protection against new attacks, signature updates, etc. will not arrive as fast as with the individual devices of the “classic” corporate network protection scheme. The problem of a single point of failure also remains.

    At the initial stage of development of network technologies, the damage from viruses and other types of computer attacks was small, since the world economy depended little on information technology. Today, with business heavily dependent on electronic means of accessing and exchanging information and the number of attacks constantly growing, the damage from even minor attacks that cost only computer time is estimated in millions of dollars, and the total annual damage to the global economy amounts to tens of billions of dollars.

    Information processed on corporate networks is especially vulnerable, which is facilitated by:

    • the growing volume of information processed, transmitted and stored on computers;
    • the concentration of information of various levels of importance and confidentiality in databases;
    • the widening circle of users with access to information stored in databases and to computer network resources;
    • the growing number of remote workplaces;
    • the widespread use of the global Internet and various communication channels;
    • the automation of information exchange between user computers.

    An analysis of the most common threats to which modern wired corporate networks are exposed shows that the sources of threats range from unauthorized intrusions by attackers to computer viruses, while human error is also a very significant security threat. It must be taken into account that sources of security threats can be located both inside the corporate information system (CIS), as internal sources, and outside it, as external sources. This division is entirely justified because, for the same threat (for example, theft), the countermeasures against external and internal sources differ. Knowledge of the possible threats, as well as of the vulnerabilities of the CIS, is necessary to select the most effective means of ensuring security.

    The most frequent and dangerous (in terms of the amount of damage) are unintentional errors by users, operators and the system administrators servicing the CIS. Sometimes such errors lead to direct damage (incorrectly entered data, a program error that caused the system to stop or crash), and sometimes they create weaknesses that attackers can exploit (these are usually administrative errors).

    According to the US National Institute of Standards and Technology (NIST), 55% of information security breaches are the result of unintentional errors. Working in a global information system makes this factor quite relevant, and the source of damage can be the actions of both the organization’s own users and users of the global network, which is especially dangerous. Fig. 2.4 shows a pie chart illustrating statistical data on the sources of security violations in the CIS.

    Theft and forgery are in second place in terms of damage. In most of the cases investigated, the perpetrators turned out to be full-time employees of the organizations, who were well acquainted with the work schedule and the protective measures. A high-capacity communication channel to global networks, in the absence of proper control over its use, can further facilitate such activities.

    Fig. 2.4. Sources of security violations (pie chart segments: user and personnel errors; dishonest employees; offended employees; attacks from outside; physical security problems; viruses, 4%)

    Offended employees, even former ones, are familiar with the procedures in the organization and are capable of causing harm very effectively. Therefore, when an employee is dismissed, their access rights to information resources must be revoked.

    Deliberate attempts to obtain unauthorized access through external communications account for about 10% of all possible violations. Although this number may not seem significant, Internet experience shows that almost every Internet server is subject to intrusion attempts several times a day. Tests by the Information Systems Protection Agency (USA) showed that 88% of computers have weaknesses in terms of information security that can be actively used to obtain unauthorized access. Separately, cases of remote access to an organization’s information structures should be considered.

    Before building a security policy, it is necessary to assess the risks to which the organization's computer environment is exposed and take appropriate actions. It is obvious that the organization's costs for monitoring and preventing security threats should not exceed the expected losses.

    The statistics provided can tell the administration and staff of an organization where efforts should be directed to effectively reduce security threats to the corporate network and system. Of course, it is necessary to address physical security issues and measures to reduce the negative impact on security of human errors, but at the same time, it is necessary to pay the most serious attention to solving network security problems to prevent attacks on the corporate network and system, both from outside and from within the system.

    Today in our blog we decided to touch upon the security aspects of corporate networks. And Mikhail Lyubimov, technical director of LWCOM, will help us with this.

    Why is this topic of network security extremely relevant in the modern world?

    Due to the almost universal availability of broadband Internet, most actions on devices are carried out through the network, so for 99% of modern threats the network is the transport through which the threat is delivered from the source to the target. Of course, spreading malicious code via removable media is possible, but this method is used less and less nowadays, and most companies have long since learned to deal with such threats.

    What is a data network?

    Let's first draw the architecture of a classic corporate data network in a simplified and understandable form.

    The data transmission network begins with the access layer switch. Workplaces are connected directly to this switch: computers, laptops, printers, multifunction devices and various other equipment, for example wireless access points. Accordingly, you can have a lot of equipment, and it can connect to the network in completely different places (on different floors or even in separate buildings).

    Typically, a corporate data network is built using a “star” topology, so the interaction of all segments with each other will be ensured by network core level equipment. For example, the same switch can be used, only usually in a more powerful and functional version compared to those used at the access level.

    Servers and storage systems are usually consolidated in one place and, from the point of view of data networks, can be connected either directly to the core equipment or may have a certain segment of access equipment dedicated for these purposes.

    Next, we have equipment for interfacing with external data networks (for example, the Internet). Typically, companies use devices such as routers, firewalls and various kinds of proxy servers for this purpose. They are also used to organize communications with the company's distributed offices and to connect remote employees.

    This is the architecture of a local area network that is easy to understand and common to modern realities.

    What classification of threats exists today?

    Let's define the main goals and attack vectors within network communication.

    The most common and simplest attack target is the user device. Malicious software can be easily distributed in this direction through content on web resources or via email.

    Subsequently, the attacker, having gained access to the user’s workstation, can either steal confidential data or develop an attack against other users or other devices on the corporate network.

    The next possible target of attack is, of course, servers. One of the most well-known types of attacks on published resources are DoS and DDoS attacks, which are used to disrupt the stable operation of resources or their complete failure.

    Attacks can also be directed from external networks to specific published applications, for example, web resources, DNS servers, email. Attacks can also be directed from within the network - from an infected user’s computer or from an attacker connected to the network, to applications such as file shares or databases.



    There is also a category of selective attacks, and one of the most dangerous is an attack on the network itself, that is, on access to it. An attacker who has gained access to a network can launch a subsequent attack on virtually any device connected to it, as well as secretly gain access to any information. Most importantly, a successful attack of this kind is quite difficult to detect and cannot be dealt with by standard means. In effect, you have a new user or, worse, an administrator you know nothing about.

    Another target of the attacker may be communication channels. It should be understood that a successful attack on communication channels not only allows the information transmitted over them to be read, but can also be identical in its consequences to an attack on the network, when the attacker gains access to all resources of the local computer network.

    How to organize competent and reliable data transmission protection?

    To begin with, we can present global practices and recommendations for organizing the protection of a corporate data network, namely the set of tools that will allow you to avoid most existing threats with minimal effort, the so-called safe minimum.

    In this context, it is necessary to introduce the term “network security perimeter”, because the closer to the possible source of the threat you apply control, the more you reduce the number of attack methods available to an attacker. In this case, the perimeter must exist for both external and internal connections.

    First of all, we recommend securing the interface with public networks, because the greatest number of threats come from them. Currently, there are a number of specialized network security tools designed specifically for securely organizing connections to the Internet.

    Terms such as NGFW (Next-generation firewall) and UTM (Unified Threat Management) are widely used to refer to them. These devices not only combine the functionality of a classic router, firewall and proxy server, but also provide additional security services, such as URL and content filtering, antivirus, etc. At the same time, the devices often use cloud-based content scanning systems, which allows all transmitted data to be checked for threats quickly and efficiently. But the main thing is the ability to report identified threats in retrospect, that is, to identify threats in cases where infected content has already been delivered to the user, but the manufacturer received information about the maliciousness of this software later.

    Things like inspection of HTTPS traffic and automatic application analysis allow you to control not only access to specific sites, but also to allow or prohibit the operation of applications such as Skype, TeamViewer and many others; as you know, most of them have long been running over the HTTP and HTTPS protocols, and standard network tools simply cannot control their operation.

    In addition, within a single device you can also get an intrusion prevention system, which is responsible for stopping attacks aimed at published resources. You can also additionally get a VPN server for secure remote work of employees and for connecting branches, anti-spam, a botnet control system, a sandbox, etc. All this makes such a device a truly unified network security tool.

    If your company does not yet use such solutions, then we highly recommend starting to use them right now, since the time for their effectiveness has come, and we can say with confidence that such devices have proven their real ability to combat a large number of threats that did not exist 5 years ago. At that time, such things had just entered the market, had many problems and were quite expensive and low-performing.

    How to choose Next-generation firewall?

    There are now a huge number of network devices on the market with declared similar functionality, but only a few can provide truly effective protection. This is because only a limited number of manufacturers have the funds, and actually invest them, in continuously tracking current threats, i.e. constantly updating databases of potentially dangerous resources, providing uninterrupted support for their solutions, etc.

    Many partners will try to sell you solutions that are profitable for them to sell, so the price of a solution does not always correspond to its real ability to counter threats. Personally, I recommend turning to materials from independent analytical centers, for example, NSS Labs reports, to select a device. In my opinion, they are more accurate and unbiased.

    In addition to threats from the outside, your resources can also be attacked from within. The so-called “safe minimum” that should be used in your local area network is its segmentation into VLANs, i.e. virtual private networks. In addition to segmentation, it is mandatory to apply access policies between them, at least using standard access list (ACL) means, because simply having a VLAN in the fight against modern threats gives practically nothing.

    As a separate recommendation, I will point out the desirability of applying access control directly at the device port. However, it is necessary to remember the network perimeter, i.e. the closer to the protected services you apply the policies, the better. Ideally, such policies should be implemented on access switches. In such cases, it is recommended to apply, as a most minimal security policy, 4 simple rules:

    • keep all unused switch ports administratively disabled;
    • do not use VLAN 1;
    • use MAC filtering lists on access switches;
    • use ARP protocol inspection.
    An excellent solution would be to use the same firewalls with intrusion prevention systems along the data transmission path, and also to use demilitarized zones architecturally. It is best to implement authentication of the connected device using the 802.1x protocol, using various AAA (authentication, authorization and accounting) systems for centralized network access control. Manufacturers typically refer to these solutions by the common term NAC (Network Access Control). An example of one such commercial system is Cisco ISE.



    Attackers can also launch attacks on channels. Strong encryption should be used to protect channels. Many people neglect this and then pay the consequences. Unprotected channels are not only information available for theft, but also the possibility of attacking almost all corporate resources. Our customers have had a considerable number of precedents in their practice where attacks were carried out on corporate telephony by organizing communications between a central and a remote office through unsecured data transfer channels (for example, simply using GRE tunnels). Companies received crazy bills!
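    The four access-switch rules listed in the answer above, as an added example that is not part of the interview and not LWCOM's own code: a small Python auditor that reads a switch configuration and reports which access ports break a rule. The configuration text is constructed for the example and uses IOS-style syntax; the interface names, VLAN numbers and the assumption that an access port with no explicit VLAN command sits in VLAN 1 are all illustrative.

```python
import re
from collections import defaultdict

# Constructed sample (hypothetical, IOS-style syntax): a fragment of an access-switch
# configuration. Gi1/0/1 follows all four rules, Gi1/0/2 is a user port with gaps,
# Gi1/0/3 is an unused port that was left enabled in the default VLAN,
# Gi1/0/4 is an unused port parked correctly, Gi1/0/49 is the uplink.
SAMPLE_CONFIG = """\
ip dhcp snooping
ip dhcp snooping vlan 10
ip arp inspection vlan 10
!
interface GigabitEthernet1/0/1
 switchport mode access
 switchport access vlan 10
 switchport port-security
 switchport port-security maximum 2
 switchport port-security violation restrict
!
interface GigabitEthernet1/0/2
 switchport mode access
 switchport access vlan 20
!
interface GigabitEthernet1/0/3
 switchport mode access
!
interface GigabitEthernet1/0/4
 description UNUSED
 switchport mode access
 switchport access vlan 999
 shutdown
!
interface GigabitEthernet1/0/49
 description UPLINK
 switchport mode trunk
 ip dhcp snooping trust
 ip arp inspection trust
"""


def parse_interfaces(config):
    """Split the config into {interface name: [indented sub-commands]}."""
    blocks = {}
    current = None
    for raw in config.splitlines():
        line = raw.rstrip()
        if line.startswith("interface "):
            current = line.split(None, 1)[1]
            blocks[current] = []
        elif line.startswith(" ") and current is not None:
            blocks[current].append(line.strip())
        else:
            current = None          # '!' or a global command ends the block
    return blocks


def expand_vlan_list(spec):
    """Expand an IOS VLAN list such as '10,20-22' into {10, 20, 21, 22}."""
    vlans = set()
    for part in spec.split(","):
        if "-" in part:
            lo, hi = part.split("-")
            vlans.update(range(int(lo), int(hi) + 1))
        else:
            vlans.add(int(part))
    return vlans


def arp_inspection_vlans(config):
    """VLANs on which Dynamic ARP Inspection is enabled globally (rule 4)."""
    vlans = set()
    for line in config.splitlines():
        m = re.match(r"ip arp inspection vlan (\S+)$", line.strip())
        if m:
            vlans |= expand_vlan_list(m.group(1))
    return vlans


def audit_access_switch(config):
    """Return {interface: [findings]} for access ports that break one of the four rules."""
    findings = defaultdict(list)
    dai_vlans = arp_inspection_vlans(config)
    for name, lines in parse_interfaces(config).items():
        if "switchport mode access" not in lines:
            continue                            # trunks and uplinks: out of scope here
        vlan_cmds = [l for l in lines if l.startswith("switchport access vlan ")]
        vlan = int(vlan_cmds[-1].split()[-1]) if vlan_cmds else 1   # IOS default is VLAN 1
        shut = "shutdown" in lines
        port_security = "switchport port-security" in lines
        if vlan == 1:
            findings[name].append("access port sits in VLAN 1 (rule 2)")
        if shut:
            continue                            # parked port: rules 3 and 4 do not apply
        if vlan == 1 and not port_security:
            findings[name].append("unprovisioned port is still enabled (rule 1)")
        if not port_security:
            findings[name].append("no port-security, so no MAC filtering (rule 3)")
        if vlan not in dai_vlans:
            findings[name].append(f"VLAN {vlan} has no ARP inspection (rule 4)")
    return dict(findings)


if __name__ == "__main__":
    for port, issues in audit_access_switch(SAMPLE_CONFIG).items():
        for issue in issues:
            print(f"{port}: {issue}")
```

    Run it directly to print the findings. In a real deployment the configuration would be pulled from the switches over SSH or from a configuration management system rather than embedded as a string, and the checks would be extended to the 802.1x and DHCP snooping settings mentioned in the answer.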

    What can you tell us about wireless networks and BYOD?

    I would like to highlight separately the topics of remote work, wireless networks and the use of personal devices. In my experience, these three things are among the biggest potential security holes in your company. But at the same time they are among the biggest competitive advantages.

    To approach the issue briefly, I recommend either completely prohibiting the use of wireless networks, remote work, or working through personal mobile devices, citing corporate rules, or providing these services as thoroughly as possible from a security point of view, especially since modern solutions make it possible to do this at a high level.

    In terms of remote work, the same Next Generation Firewalls or UTM devices can help you. Our practice shows that there are a number of stable solutions (including Cisco, Check Point, Fortinet, Citrix) that allow you to work with a variety of client devices, while providing the highest standards for identifying a remote employee: for example, the use of certificates, two-factor authentication, one-time passwords delivered via SMS or generated using a special key. You can also check the software installed on the computer from which the access attempt is made, for example, for the installation of appropriate updates or a running antivirus.

    Wi-Fi security is a topic that deserves its own article. In this post I will try to give the most important recommendations. If you are building corporate Wi-Fi, be sure to consider all possible security aspects associated with it.

    By the way, Wi-Fi is a whole separate source of income for our company. We deal with it professionally: projects to equip shopping malls and shopping centers, business centers and warehouses with wireless equipment, including the use of modern solutions such as positioning, are carried out continuously. And according to the results of our radio surveys, in every second office and warehouse we find at least one home Wi-Fi router that the employees themselves connected to the network. Usually they do this for their own convenience, for example to go to the smoking room with a laptop or to move freely within the room. It is clear that no corporate security rules were applied to such routers; passwords were handed out to well-known colleagues, then to colleagues of colleagues, then to guests who came for coffee, and as a result almost everyone had access to the corporate network, while it remained completely uncontrolled.

    Of course, it is worth protecting the network from the connection of such equipment. The main ways to do this are: using authorization on ports, filtering by MAC, etc. Again, from a Wi-Fi point of view, strong cryptographic algorithms and enterprise authentication methods should be used for the network. But you should understand that not all enterprise authentication methods are equally useful. For example, Android devices in some software releases can ignore the public certificate of a Wi-Fi network by default, thereby making Evil Twin attacks possible. If an authentication method such as EAP-GTC is used, then the key is transmitted in clear text and can be completely intercepted in such an attack. We recommend using only certificate authentication in corporate networks, i.e. TLS-based methods, but keep in mind that this significantly increases the load on network administrators.

    There is another way: if remote work is implemented in the corporate network, then devices connecting via the Wi-Fi network can be forced to use a VPN client as well. That is, you allocate the Wi-Fi network segment to an initially untrusted zone, and in the end you get a good working option that minimizes network management costs.

    Manufacturers of enterprise Wi-Fi solutions, such as Cisco, Ruckus (now Brocade) and Aruba (now HPE), in addition to standard solutions for organizing Wi-Fi, provide a whole range of services for automatically monitoring the security of the wireless environment. That is, things like WIPS (Wireless intrusion prevention system) work quite well for them. These manufacturers have implemented wireless sensors that can monitor the entire frequency spectrum, thereby allowing quite serious threats to be monitored automatically.

    Now let's touch on topics such as BYOD (Bring your own device) and MDM (Mobile device management). Of course, any mobile device that stores corporate data or has access to the corporate network is a potential source of problems. The topic of security for such devices concerns not only secure access to the corporate network, but also centralized management of policies for mobile devices: smartphones, tablets, laptops used outside the organization. This topic has been relevant for a very long time, but only now really working solutions have appeared on the market that allow you to manage a diverse fleet of mobile equipment.

    Unfortunately, it won’t be possible to talk about them in this post, but know that there are solutions and in the last year we have been experiencing a boom in the implementation of MDM solutions from Microsoft and MobileIron.

    You talked about “minimum security”, what then is “maximum security”?

    At one time there was a popular picture on the Internet: it recommended installing firewalls from well-known manufacturers one after another to protect the network. We in no way encourage you to do the same, but, nevertheless, there is some truth in it. It will be extremely useful to have a network device with virus signature analysis, for example from Sophos, and to install an antivirus from Kaspersky Lab on the workstations. Thus, we get two protection systems against malicious code that do not interfere with each other.

    There are a number of specialized information security tools:

    DLP. The market offers specialized information security tools, that is, developed and aimed at solving a specific threat. Currently, DLP (Data Loss Prevention) or data leakage prevention systems are becoming popular. They work both at the network level, integrating into the data transmission environment, and directly on application servers, workstations, and mobile devices.

    We are somewhat moving away from the network topic, but the threat of data leakage will always exist. In particular, these solutions are becoming relevant for companies where data loss carries commercial and reputational risks and consequences. Just 5 years ago, the implementation of DLP systems was somewhat difficult due to their complexity and the need to carry out a development process for each specific case. Therefore, due to their cost, many companies abandoned these solutions or wrote their own. Currently, market systems are sufficiently mature, so all the necessary security functionality can be obtained straight out of the box.

    On the Russian market, commercial systems are mainly represented by the manufacturer Infowatch (below is a picture from this manufacturer about how they present their solution in a large company) and the fairly well-known McAfee.

    WAF. Due to the development of Internet commerce services, and this is Internet banking, electronic money, electronic commerce, insurance services, etc., specialized tools for protecting web resources have recently become in demand. Namely WAF - Web Application Firewall.

    This device allows you to repel attacks aimed at vulnerabilities of the site itself. In addition to selective DoS attacks, when a site is overwhelmed by legitimate requests, these can be SQL injection attacks, Cross site scripting, etc. Previously, such devices were purchased mainly by banks, but they were not in demand from other customers, and they cost a lot of money. For example, the cost of a working solution started at $100,000. Now the market offers a large number of solutions from well-known manufacturers (Fortinet, Citrix, Positive Technologies), from which you can get a working solution to protect your website for quite reasonable money (3-5 times less than the previously indicated amount).

    Audit. Organizations, especially those that care about their own security, are implementing automated audit tools. These solutions are expensive, but they allow a number of administrator functions to be moved into the area of automation, which is in great demand in large businesses. Such solutions constantly scan the network and audit all installed operating systems and applications for known security holes, timeliness of updates, and compliance with corporate policies. Probably the most famous solutions in this area, not only in Russia but throughout the world, are products from Positive Technologies.

    SIEM. SIEM solutions are similar. These are systems designed to detect emergency situations related specifically to security events. Even a standard set of a couple of firewalls, a dozen application servers and thousands of desktops can generate tens of thousands of alerts per day. If you have a large company with dozens of edge devices, then it becomes simply impossible to make sense of the data received from them manually. Automating the control of the logs collected simultaneously from all devices allows administrators and information security employees to act immediately. SIEM solutions from ArcSight (part of HPE's product range) and QRadar (part of IBM's product range) are quite well known on the market.
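    The cross-device correlation that the SIEM paragraph above describes, as an added example that is neither code from the interview nor from any of the products named: a Python script that normalises syslog lines from a firewall and a server into events and raises an alert when one source address produces several security-relevant events on more than one device within a short window. The device names, addresses and log formats are constructed for the example.

```python
import re
from collections import defaultdict, namedtuple
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical, not from the interview): a perimeter
# firewall (fw-edge01) and an application server (app-srv08) both forward syslog
# to one collector. 203.0.113.7 probes the firewall and then fails SSH logins.
SAMPLE_LOGS = """\
2024-03-01T09:00:01Z fw-edge01 DENY src=203.0.113.7 dst=10.0.10.5 dport=22
2024-03-01T09:00:03Z fw-edge01 DENY src=203.0.113.7 dst=10.0.10.5 dport=23
2024-03-01T09:00:05Z fw-edge01 ALLOW src=203.0.113.7 dst=10.0.10.8 dport=443
2024-03-01T09:00:09Z app-srv08 sshd: Failed password for admin from 203.0.113.7 port 51022
2024-03-01T09:00:12Z app-srv08 sshd: Failed password for root from 203.0.113.7 port 51023
2024-03-01T09:00:14Z app-srv08 sshd: Failed password for root from 203.0.113.7 port 51024
2024-03-01T09:05:00Z fw-edge01 DENY src=198.51.100.4 dst=10.0.10.5 dport=445
2024-03-01T10:30:00Z app-srv08 sshd: Failed password for alice from 10.0.20.15 port 40001
2024-03-01T10:31:00Z app-srv08 sshd: Accepted password for alice from 10.0.20.15 port 40002
"""

Event = namedtuple("Event", "ts device src kind")
Alert = namedtuple("Alert", "src first last count devices")

# One parser per log source; a real SIEM ships hundreds of such normalisers.
FW_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) (?P<action>DENY|ALLOW) "
                   r"src=(?P<src>[\d.]+) dst=[\d.]+ dport=\d+$")
SSH_RE = re.compile(r"^(?P<ts>\S+) (?P<dev>\S+) sshd: (?P<result>Failed|Accepted) "
                    r"password for \S+ from (?P<src>[\d.]+) port \d+$")


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ")


def parse_event(line):
    """Normalise one raw line into an Event, or None if it carries no security signal."""
    m = FW_RE.match(line)
    if m:
        if m["action"] != "DENY":
            return None                      # permitted flows are not suspicious by themselves
        return Event(_ts(m["ts"]), m["dev"], m["src"], "fw_deny")
    m = SSH_RE.match(line)
    if m:
        if m["result"] != "Failed":
            return None
        return Event(_ts(m["ts"]), m["dev"], m["src"], "auth_fail")
    return None


def correlate(lines, window=timedelta(minutes=5), min_events=4, min_devices=2):
    """One Alert per source that produces >= min_events on >= min_devices within window."""
    by_src = defaultdict(list)
    for event in filter(None, map(parse_event, lines)):
        by_src[event.src].append(event)
    alerts = []
    for src, events in by_src.items():
        events.sort(key=lambda e: e.ts)
        start = 0
        for end in range(len(events)):
            while events[end].ts - events[start].ts > window:   # slide the window forward
                start += 1
            span = events[start:end + 1]
            devices = {e.device for e in span}
            if len(span) >= min_events and len(devices) >= min_devices:
                alerts.append(Alert(src, span[0].ts, span[-1].ts, len(span), sorted(devices)))
                break                        # first hit is enough here; a SIEM would suppress repeats
    return alerts


if __name__ == "__main__":
    for a in correlate(SAMPLE_LOGS.splitlines()):
        print(f"ALERT {a.src}: {a.count} events on {a.devices} between {a.first} and {a.last}")
```

    The point of the example is the join across sources: two firewall denies alone, or three failed logins alone, stay below the threshold, but the same address doing both within a few seconds is what an analyst would want surfaced. The window, the event count and the device count are the knobs a real rule would expose.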

    And finally: what advice can you give to those who are seriously engaged in organizing the protection of their IT resources?

    Of course, when organizing IT security for an enterprise, one should not forget about administrative regulations. Users and administrators should be aware that found flash drives cannot be used on a computer, just as they cannot follow dubious links in emails or open dubious attachments. It is very important to tell and explain which links and attachments are unverified. In reality, not everyone understands that there is no need to store passwords on sticky notes glued to the monitor or phone, that you need to learn to read the warnings that applications write to the user, etc. You should explain to users what a security certificate is and what the messages associated with it mean. In general, it is necessary to take into account not only the technical side of the issue, but also to instill a culture of using corporate IT resources by employees.
    I hope you found this great post interesting and useful.