Network security basics: A Buyer's Guide
A collection of articles that takes you from defining technology needs to purchasing options
Not so long ago, network security consisted of a handful of autonomous components that performed basic and completely separate tasks. Network architects had to be cautious about over-securing networks, as device design often had to compensate for single points of failure and potential bottlenecks.
Today, security hardware has become far more sophisticated and powerful. Multiple network security systems work in conjunction with each other to create a security mesh at the edge, into the cloud and within an enterprise network. Bottlenecks have also been eliminated, thanks to application-specific integrated circuits that allow data to filter through security checkpoints at wire speed.
Here, we will take a look at how the basics of network security have changed and discuss the five cutting-edge network security systems that every enterprise network should be evaluating in the coming months:
- Next-generation firewalls (NGFWs)
- Secure web gateways (SWGs)
- Network access control (NAC)
- Malware sandboxing
- Cloud access security broker (CASB)
Some of these network security systems -- such as NGFWs, NAC and SWGs -- have been around for years and have evolved over time to adapt to the latest security threats. Other tools, such as malware sandboxing and CASB, are fairly new concepts in the overall security platform. Before we dig deeper to examine features and security benefits of today's network security systems, let's look at how the basics of network security have transformed the modern enterprise security posture.
Understanding the basic components of network security
Traditional firewalls have been considered the first and most critical line of defense for decades. Most enterprise architectures called for firewalls to be placed along edges, where the core network is connected to other networks, especially if the other networks were managed by third parties or were considered less secure than the core.
This commonly included using firewalls to segment connections to the internet, extranet and remote WAN sites. Original firewalls were stateless, meaning the firewall kept no record of the data flows passing through it; each packet was judged on its own against the rule set. Because of this, early firewalls were vulnerable to spoofing attacks, in which the attacker forged packets to look as if they came from a device that was permitted through the firewall's access rule set.
Stateful firewalls soon became popular because they could monitor and track the traffic flows between two devices communicating with each other through the firewall. State tables are used not only to monitor flows for proper transport, but also to verify that packets being sent and received come from the original devices in the existing connection. This is handled by inspecting packets at the network and transport layers -- Layers 3 and 4 of the OSI model -- and by tracking details such as IP address, protocol and port number and, in the case of TCP, sequence numbers. Checking each packet coming through the firewall against this recorded state made it far more difficult for spoofed devices to get malicious packets through the perimeter firewall.
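The state-table behaviour described above, as an added illustration that is not code from the original article: a toy stateful filter that keys flows on the Layer 3/4 tuple, learns each direction's TCP sequence numbers, and drops a forged packet whose sequence number falls outside the tracked window. Addresses, ports and sequence numbers are constructed; the "inside" network and allowed ports are assumptions.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    seq: int
    flags: str = "A"        # "S" SYN, "SA" SYN-ACK, "A" ACK, "F" FIN
    payload_len: int = 0

class StatefulFirewall:
    """State table: (src, dst, sport, dport) -> next sequence number expected in that direction."""
    def __init__(self, inside_prefix, allowed_ports, window=65535):
        self.inside_prefix = inside_prefix
        self.allowed_ports = set(allowed_ports)
        self.window = window
        self.table = {}

    def process(self, pkt):
        fwd = (pkt.src, pkt.dst, pkt.sport, pkt.dport)
        if fwd in self.table:                       # packet claims to belong to a tracked flow
            expected = self.table[fwd]
            if expected is None and pkt.flags != "SA":
                return "drop"                       # reply side must start with SYN-ACK
            if expected is not None and not expected <= pkt.seq < expected + self.window:
                return "drop"                       # seq outside window: forged or injected
            # SYN/FIN consume one sequence number; data consumes its length
            self.table[fwd] = pkt.seq + pkt.payload_len + (1 if "S" in pkt.flags or "F" in pkt.flags else 0)
            return "allow"
        # no state yet: only inside-initiated SYNs to permitted ports open a flow
        if pkt.flags == "S" and pkt.src.startswith(self.inside_prefix) \
                and pkt.dport in self.allowed_ports:
            self.table[fwd] = pkt.seq + 1
            self.table[(pkt.dst, pkt.src, pkt.dport, pkt.sport)] = None   # reply direction unknown
            return "allow"
        return "drop"

def demo():
    # Constructed exchange: inside client 10.0.0.7 opens HTTPS to 203.0.113.5, then a
    # forged "server" packet with a bogus sequence number and an unsolicited SYN arrive.
    fw = StatefulFirewall("10.0.0.", [443])
    pkts = [
        Packet("10.0.0.7", "203.0.113.5", 51000, 443, seq=1000, flags="S"),
        Packet("203.0.113.5", "10.0.0.7", 443, 51000, seq=5000, flags="SA"),
        Packet("203.0.113.5", "10.0.0.7", 443, 51000, seq=5001, payload_len=300),
        Packet("203.0.113.5", "10.0.0.7", 443, 51000, seq=99),              # forged reply
        Packet("198.51.100.9", "10.0.0.7", 4444, 22, seq=1, flags="S"),     # unsolicited SYN
    ]
    return [fw.process(p) for p in pkts]
```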
While traditional firewalls were designed to permit only specific protocols and ports through, they could not gauge whether the websites being accessed were malicious or inappropriate. This left a major hole, especially for web traffic. A traditional firewall can only permit or deny all traffic for a given port or protocol; it cannot be selective about content, because it has no way to look into upper-layer protocols. This led to the creation of SWGs.
First-generation SWGs performed only one function: URL filtering. In most deployments, web gateways were used to block access to websites that were included on a predefined blacklist. SWG manufacturers maintained blacklist databases that were regularly updated on the gateway hardware. Administrators could then pick and choose which blacklist categories would be enforced. Blacklisted categories included websites with pornography, gambling and hate groups, as well as websites known to harbor malware.
Movement toward a defense-in-depth strategy
For years, network security systems, such as traditional firewalls and secure web gateways, worked independently of each other and performed different security functions. And while this architecture was better than nothing, it only provided a single layer of defense for any given threat. To add additional layers of protection, the concept of a defense-in-depth strategy has become commonplace. The idea is to implement overlapping security systems in such a way that threats face multiple security measures designed to thwart malicious behavior.
Traditional firewalls, web and email security gateways, and intrusion prevention systems (IPS) are all used to protect the perimeter of a company's network infrastructure, which now often includes access to public cloud resources. All data in and out of the network is filtered through the firewall and IPS. Then, all web and email traffic is sent to its respective security gateway for additional screening to identify malware that might be contained in data and email attachments.
If properly tuned and maintained, a defense-in-depth architecture using these components can provide a robust security posture. Yet determined attackers are beginning to find cracks between these systems through which they can enter a network. There are three primary reasons for this. First, some security systems are difficult to fully implement; often, only a portion of the available security features is enabled in production.
Second, the security systems are not properly maintained and updated. Firewall software, for example, must be regularly updated to patch newly discovered vulnerabilities. Secure gateways and IPS databases are constantly being revised and sometimes require manual intervention to update.
Last, while these systems do overlap and provide multiple layers of protection, they still work independently from one another and do not share information between systems that could potentially be used to discover difficult-to-find threats.
How next-generation network security systems work better together
Next-generation security tools not only use the defense-in-depth strategy, they go one step further -- through tight integration and by increasing the amount of information shared between systems -- to better correlate potential threats.
Next-generation firewalls combine traditional firewalls' features with IPS functionality that monitors and detects malicious packets by identifying known signatures that contain attack patterns. NGFWs are also called application firewalls because of their ability to use deep-packet inspection techniques. This allows the firewall to look into the payload of packets to not only match signatures, but also to identify what application the packet belongs to. This method allows the NGFW to overlap with an IPS and a web security gateway, providing multiple layers of protection.
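The two NGFW capabilities described above (signature matching and application identification from the payload) as an added illustration, not code from the article or from any vendor: a toy deep-packet inspector that classifies a payload by its content rather than its port, flags constructed example signatures, and drops traffic whose application does not match the policy for the port it arrived on. The signatures, the port policy and the sample payloads are all constructed assumptions.

```python
import re

# Constructed illustration signatures (assumption: not any vendor's signature feed).
SIGNATURES = [
    (re.compile(rb"\.\./\.\./"), "http-path-traversal"),
    (re.compile(rb"(?i)\bunion\s+select\b"), "sql-injection-pattern"),
]

# Assumed port policy: which application each port is expected to carry.
EXPECTED_APP = {80: "http", 443: "tls", 22: "ssh"}

def identify_app(payload: bytes) -> str:
    """Classify by payload content alone, ignoring the port the packet arrived on."""
    if re.match(rb"(GET|POST|PUT|HEAD|DELETE) \S+ HTTP/1\.[01]\r\n", payload):
        return "http"
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # followed by a handshake message of type 0x01 (ClientHello)
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith(b"SSH-2.0-"):
        return "ssh"
    return "unknown"

def inspect(dport: int, payload: bytes) -> dict:
    """Return the identified application, matched signatures and the resulting verdict."""
    app = identify_app(payload)
    hits = [name for pat, name in SIGNATURES if pat.search(payload)]
    if hits:
        verdict = "drop"                                   # IPS-style signature hit
    elif EXPECTED_APP.get(dport) not in (None, app):
        verdict = "drop"                                   # e.g. SSH tunneled over port 443
    else:
        verdict = "allow"
    return {"app": app, "signatures": hits, "verdict": verdict}

def demo():
    # Constructed sample payloads: a TLS ClientHello on 443, a clean HTTP request,
    # an HTTP request matching the traversal signature, and SSH arriving on 443.
    samples = [
        (443, b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + b"\x00" * 32),
        (80, b"GET /index.html HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        (80, b"GET /../../secret.txt HTTP/1.1\r\nHost: example.test\r\n\r\n"),
        (443, b"SSH-2.0-OpenSSH_9.0\r\n"),
    ]
    return [inspect(port, data)["verdict"] for port, data in samples]
```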
Modern secure web gateways shift away from standard URL filtering and move into direct malware protection. SWGs act like an IPS, focusing on web-based virus signatures and anomalies. These signatures are automatically pushed to the SWG appliance as new ones are discovered. Another new feature found in most enterprise-class SWGs is the ability to tap into a global network of threat sensors. These threat sensors, usually maintained by the security vendor, identify new threats worldwide and adjust the local SWG in real time to better protect against emerging web threats. This type of security is effective in combating the rise of ransomware attacks.
Malware sandboxes are a relatively new security tool for many enterprise security administrators. The purpose of a malware sandbox is to create an isolated simulation environment, the sandbox, in which a system can run various tests against suspicious packet payloads. This approach identifies dangerous payloads and prevents them from reaching the production environment. Sandboxes can detect threats that other tools, such as NGFWs and SWGs, may have missed. Some malware sandbox architectures require that all data be filtered through the sandbox, making it responsible for identifying suspicious payloads. In other designs, the malware sandbox relies on the NGFWs and SWGs to flag payloads as suspicious, at which time they are diverted to the sandbox for further testing.
Next-generation networks are beginning to rely on network access control much more than previous generations. The explosion of BYOD has created concerns about security holes inside a network -- as opposed to at the network edge -- and security administrators are getting serious about identifying, assessing, authorizing and tracking who has access to the production network resources.
NAC forces both users and devices to properly identify themselves prior to granting network access. If authenticated, users or devices are pushed an access policy, unique to that specific user. The access policy regulates which resources can be accessed within the production network. Additionally, access to resources can be logged and baselined. This is used to identify suspicious behavior that may indicate possible theft of intellectual property or other malicious behavior.
Another new security tool, the CASB platform, enforces end-to-end security policy between devices and the applications or data with which they interact. Now that enterprises are expanding their use of public cloud resources, a CASB can create a uniform security posture that focuses on user authentication and access to corporate resources no matter where the end user is located. A CASB can also monitor how users interact with data and block inappropriate uses. In some cases, a properly implemented and tuned CASB can replace and consolidate NAC and data loss prevention (DLP) tools that may already have been deployed. Alternatively, a CASB platform can fully integrate with NAC and DLP systems if the additional capabilities of independently operated systems are required.
The key to all of these next-generation network security systems is they can work together by sharing information -- thus exploiting the strengths of each tool to provide a tighter net and block malicious behavior both within and at the edge of the network. The tools, while still individual components that can operate on their own if needed, work better as a fully integrated approach. And working better, together, moves a security posture much closer to a true in-depth security strategy.