Not so long ago, network security consisted of a handful of autonomous components that each performed a basic, completely separate task. Network architects had to be cautious about "over securing" networks, because every device added to the path was another potential single point of failure and another potential bottleneck.
Today, security hardware has become far more sophisticated and powerful. Multiple network security components work in conjunction with each other to create a security mesh, both at the edge and within the enterprise network. Bottlenecks have largely been eliminated as well, thanks to application-specific integrated circuits (ASICs) that let traffic pass through security checkpoints at or near wire speed.
In this article, we will take a look at how the basics of network security have changed, and discuss the four cutting-edge security tools that every enterprise network should be evaluating in the coming months:
- Next-generation firewalls (NGFWs)
- Secure Web gateways (SWGs)
- Network access control (NAC)
- Malware sandboxing
Some of these security tools, such as NGFWs and SWGs, have been around for years and have evolved over time to adapt to the latest security threats. Others, such as NAC and malware sandboxing, are fairly new additions to the overall security platform. Before we dig deeper into the features and security benefits of today's tools, let's look at how the basics of network security have transformed the modern enterprise security posture.
Traditional firewalls have been considered the first and most critical line of defense for decades. Most enterprise architectures called for firewalls to be placed along edges, where the core network connected to other networks, especially if the other networks were managed by third parties or were considered less secure than the core.
This commonly included using firewalls to segment connections to the Internet, extranets and remote WAN sites. The original firewalls were stateless: each packet was evaluated on its own against the rule set, with no record of the data flow it belonged to. Because of this, early firewalls were vulnerable to spoofing attacks, in which the attacker forged packets that appeared to come from a device permitted through the firewall's access rules; a forged packet carrying the right addresses and ports looked no different from a legitimate reply.
Stateful firewalls soon became popular because they could monitor and track traffic flows between two devices communicating through the firewall. State tables are used not only to monitor flows for proper transport but also to verify that packets being sent and received come from the devices that established the connection. This is done by inspecting packets at the network and transport layers (Layer 3 and Layer 4 of the OSI model) and recording details such as IP addresses, protocol and port numbers and, in the case of TCP, sequence numbers. Checking each packet passing through the firewall against this state made it far more difficult for spoofed packets to get through the perimeter. Stateful inspection still stops at Layer 4, however: it validates that a packet belongs to a permitted connection, not what that connection carries.
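To make the difference concrete, here is an added example in Python (not code from the original article): a stateless rule set that judges every packet alone, beside a small stateful tracker that keeps a Layer 3/4 state table including TCP sequence numbers. The addresses, ports, the single permitted service (port 80), the fixed window and the simplified state machine are assumptions for illustration, and the packets are constructed rather than captured.

```python
"""Stateless vs. stateful filtering of a TCP flow.
Added illustration, not code from the original article. Packets are constructed
objects rather than real captures; the rule set and state machine are simplified
assumptions (one allowed service, a fixed window, no sequence-number wraparound).
"""
from dataclasses import dataclass

INSIDE = "10.0.0."   # assumed trusted prefix behind the firewall
WINDOW = 65535       # sequence space accepted beyond the expected value


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    sport: int
    dport: int
    flags: str = ""        # TCP flags as letters: S, SA, A, PA, ...
    seq: int = 0
    ack: int = 0
    payload_len: int = 0


def stateless_allow(pkt):
    """Stateless rule set: inside hosts may reach port 80 and receive replies.
    Each packet is judged alone, so anything with sport=80 looks like a reply."""
    outbound = pkt.src.startswith(INSIDE) and pkt.dport == 80
    inbound = pkt.dst.startswith(INSIDE) and pkt.sport == 80
    return outbound or inbound


class StatefulFirewall:
    def __init__(self):
        self.table = {}  # (inside_ip, inside_port, outside_ip, outside_port) -> state

    def _key(self, pkt):
        if pkt.src.startswith(INSIDE):
            return (pkt.src, pkt.sport, pkt.dst, pkt.dport), "out"
        if pkt.dst.startswith(INSIDE):
            return (pkt.dst, pkt.dport, pkt.src, pkt.sport), "in"
        return None, None

    def allow(self, pkt):
        key, direction = self._key(pkt)
        if key is None:
            return False
        entry = self.table.get(key)
        if entry is None:
            # Only an inside-initiated SYN to port 80 may create a state entry.
            if direction == "out" and pkt.flags == "S" and pkt.dport == 80:
                self.table[key] = {"state": "SYN_SENT", "client_next": pkt.seq + 1,
                                   "server_next": None}
                return True
            return False
        if entry["state"] == "SYN_SENT":
            # The SYN-ACK must acknowledge exactly the client's ISN + 1.
            if direction == "in" and pkt.flags == "SA" and pkt.ack == entry["client_next"]:
                entry["server_next"] = pkt.seq + 1
                entry["state"] = "SYN_ACK_SEEN"
                return True
            return False
        if entry["state"] == "SYN_ACK_SEEN":
            if (direction == "out" and "A" in pkt.flags
                    and pkt.seq == entry["client_next"] and pkt.ack == entry["server_next"]):
                entry["state"] = "ESTABLISHED"
                entry["client_next"] += pkt.payload_len
                return True
            return False
        # ESTABLISHED: seq must fall in the window expected for this direction, so a
        # packet from the right addresses with a guessed sequence number is dropped.
        side = "client_next" if direction == "out" else "server_next"
        expected = entry[side]
        if not expected <= pkt.seq < expected + WINDOW:
            return False
        entry[side] = pkt.seq + pkt.payload_len
        return True


def run_scenario():
    """Constructed traffic: a real HTTP connection, then two spoof attempts."""
    client, server, attacker = "10.0.0.5", "198.51.100.20", "203.0.113.9"
    fw = StatefulFirewall()
    flow = [
        Packet(client, server, 40000, 80, "S", seq=1000),
        Packet(server, client, 80, 40000, "SA", seq=5000, ack=1001),
        Packet(client, server, 40000, 80, "A", seq=1001, ack=5001),
        Packet(client, server, 40000, 80, "PA", seq=1001, ack=5001, payload_len=120),
        Packet(server, client, 80, 40000, "PA", seq=5001, ack=1121, payload_len=1460),
    ]
    legit_ok = all(fw.allow(p) for p in flow)
    # Spoof 1: attacker fakes a "port 80 reply" to the client; no such connection exists.
    spoof_no_state = Packet(attacker, client, 80, 40000, "PA", seq=77, ack=1121, payload_len=40)
    # Spoof 2: attacker forges the real server's address but guesses the seq wrong.
    spoof_bad_seq = Packet(server, client, 80, 40000, "PA", seq=900000, ack=1121, payload_len=40)
    return {
        "legit_flow_allowed": legit_ok,
        "stateless_passes_spoof_no_state": stateless_allow(spoof_no_state),
        "stateful_passes_spoof_no_state": fw.allow(spoof_no_state),
        "stateless_passes_spoof_bad_seq": stateless_allow(spoof_bad_seq),
        "stateful_passes_spoof_bad_seq": fw.allow(spoof_bad_seq),
    }
```

Calling run_scenario() shows the legitimate handshake and data exchange passing both filters, while the two spoofed packets are accepted by the stateless rule but rejected by the stateful tracker: the first because no state entry exists for its 5-tuple, the second because its sequence number falls outside the window the state table expects. A production firewall also ages entries out, handles wraparound and tracks ACK numbers, which this sketch omits.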
Traditional secure Web gateways
While traditional firewalls were designed to permit only specific protocols and ports, they could not gauge whether the websites being accessed were malicious or inappropriate. This left a major hole, especially for Web traffic. Once the ports used for Web browsing were permitted, a firewall could only permit or deny each connection as a whole; it could not be selective about the content within a permitted connection, because it had no way to look into upper-layer protocols such as HTTP. This led to the creation of Web gateways.
First-generation secure Web gateways performed only one function: URL filtering. In most deployments, Web gateways were used to block access to websites that were included on a predefined blacklist. SWG manufacturers maintained blacklist databases that were regularly updated on the gateway hardware. Administrators could then pick and choose which blacklist categories would be enforced. Blacklisted categories included websites with pornography, gambling and hate groups, as well as websites known to harbor malware.
Movement toward a defense-in-depth strategy
For years, security tools such as traditional firewalls and secure Web gateways worked independently of each other and performed different security functions. And while this architecture was better than nothing, it only provided a single layer of defense for any given threat. To add additional layers of protection, the concept of a defense-in-depth strategy has become commonplace. The idea is to implement overlapping security tools in such a way that threats face multiple security measures designed to thwart malicious behavior.
Traditional firewalls, Web and email security gateways, and intrusion prevention systems (IPSes) are all used to protect the perimeter of a company's network infrastructure. All data into and out of the network is filtered through the firewall and IPS. Web and email traffic is then sent to its respective security gateway for additional screening to identify malware that might be hidden in downloaded content or email attachments.
If properly tuned and maintained, a defense-in-depth architecture using these components can provide a robust security posture. Yet determined attackers are finding the cracks between these systems, through which they can enter a network. There are three primary reasons for this. First, some security tools are difficult to fully implement; often only a portion of the available security features is enabled in production. Second, the tools are not properly maintained and updated. Firewall software, for example, must be regularly updated to patch newly discovered vulnerabilities, and secure gateway and IPS signature databases are constantly being revised and sometimes require manual intervention to update. Last, while these systems do overlap and provide multiple layers of protection, they still work independently of one another and do not share information that could be used to discover difficult-to-find threats.
How next-generation security tools work better, together
Next-generation security tools not only use the defense-in-depth architecture strategy, they go one step further -- through tight integration and by increasing the amount of information shared between systems -- to better correlate potential threats.
Next-generation firewalls combine traditional firewall features with IPS functionality that identifies malicious packets by matching known signatures containing attack patterns. NGFWs are also called "application-aware firewalls" because of their deep packet inspection capability. This allows the firewall to look into the payload of packets not only to match signatures but also to identify which application a flow belongs to, regardless of the port it uses, so that policy can be written in terms of applications rather than ports alone. In this way the NGFW overlaps with an IPS and a Web security gateway, providing multiple layers of protection.
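As an added illustration (not the article's own code), the following Python sketch contrasts a port-only decision with the layered NGFW decision described above: a port rule, then application identification from the first payload bytes, then signature matching on the identified application. The application fingerprints are simplified, and the two IPS signatures and the sample payloads are constructed for this example; they are not real vendor rules or captures.

```python
"""Port-based rule vs. NGFW application identification and signature matching.
Added illustration, not code from the original article. The application
fingerprints are simplified (leading bytes of a TLS ClientHello, an SSH banner,
an HTTP request line) and the IPS signatures are constructed generic patterns,
not any vendor's rules.
"""
import re

L4_RULES = {443: "allow", 80: "allow"}        # traditional rule set: destination port only
APP_POLICY = {443: {"tls"}, 80: {"http"}}      # NGFW policy: which application may use each port
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")

# Constructed IPS-style signatures, run only against payloads identified as HTTP.
IPS_SIGNATURES = [
    ("http-path-traversal", re.compile(rb"^(?:GET|POST|HEAD) \S*(?:\.\./|%2e%2e%2f)", re.I)),
    ("http-shell-metachar", re.compile(rb"[?&]\S*(?:;|%3b)(?:cat|wget|curl|sh)\b", re.I)),
]


def l4_decision(dport):
    """What a traditional (even stateful) firewall sees: the 5-tuple, here just the port."""
    return L4_RULES.get(dport, "deny")


def identify_application(payload):
    """Classify the first client-to-server bytes of a flow, independent of the port."""
    # TLS record: type 22 (handshake), version 3.x, then handshake type 1 (ClientHello).
    if len(payload) >= 6 and payload[0] == 0x16 and payload[1] == 0x03 and payload[5] == 0x01:
        return "tls"
    if payload.startswith((b"SSH-2.0-", b"SSH-1.99-")):
        return "ssh"
    if payload.startswith(HTTP_METHODS):
        return "http"
    return "unknown"


def ngfw_decision(dport, payload):
    """Layered decision: L4 rule, then application match, then IPS signatures.
    Returns (action, reason, application)."""
    if l4_decision(dport) != "allow":
        return "deny", "l4-rule", None
    app = identify_application(payload)
    if app not in APP_POLICY.get(dport, set()):
        return "deny", "app-mismatch", app     # e.g. SSH tunnelled over 443
    if app == "http":
        for name, pattern in IPS_SIGNATURES:
            if pattern.search(payload):
                return "deny", "ips:" + name, app
    return "allow", "app-ok", app


def run_scenario():
    """Constructed payloads (not captures) sent to ports the L4 rule set permits."""
    tls_hello = bytes([0x16, 0x03, 0x01, 0x00, 0xC8, 0x01, 0x00, 0x00, 0xC4, 0x03, 0x03]) + b"\x00" * 32
    ssh_banner = b"SSH-2.0-OpenSSH_9.6\r\n"
    http_get = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    http_traversal = b"GET /cgi-bin/../../../../etc/passwd HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
    cases = {
        "tls_on_443": (443, tls_hello),
        "ssh_on_443": (443, ssh_banner),       # allowed by the port rule, caught by app-id
        "http_on_80": (80, http_get),
        "traversal_on_80": (80, http_traversal),
        "ssh_on_22": (22, ssh_banner),
    }
    return {name: (l4_decision(port), ngfw_decision(port, payload))
            for name, (port, payload) in cases.items()}
```

The interesting case is ssh_on_443: the port rule permits it, but application identification recognises an SSH banner where only TLS is expected and blocks it, which is exactly the control a port-based rule cannot express. Signature matching runs only after the application is known, so HTTP rules are never applied to TLS or SSH bytes, and the traversal request on port 80 is caught by the IPS layer even though both the port and the application are permitted.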
Modern secure Web gateways go beyond URL filtering and move into direct malware protection. SWGs act like an IPS for Web traffic, focusing on Web-based malware signatures and anomalies, and new signatures are automatically pushed to the SWG appliance as they are discovered. Another feature found in most enterprise-class SWGs is the ability to tap into a global network of threat sensors. These sensors, usually maintained by the security vendor, identify new threats worldwide and adjust the local SWG in near real time to better protect against emerging Web threats.
Malware sandboxes are a relatively new security tool for many enterprise security administrators. The purpose of a malware sandbox is to provide an isolated environment -- the sandbox -- in which suspicious payloads such as downloaded files and attachments can be executed and observed without touching production systems. The behavior seen during this detonation identifies dangerous payloads that signature-based tools may have missed and keeps them out of the production environment. Some malware sandbox architectures place the sandbox inline so that all traffic passes through it, making the sandbox responsible for identifying suspicious payloads itself. In other designs, the sandbox relies on the NGFWs and SWGs to flag payloads as suspicious, at which point they are diverted to the sandbox for further testing. Because detonation takes time, the inline design trades latency for coverage, while the flag-and-divert design depends on the upstream tools selecting the right samples.
Finally, next-generation networks are beginning to rely on network access control much more than previous generations. The explosion of bring your own device (BYOD) has created concerns about security holes inside a network -- as opposed to at the network edge -- and security administrators are getting serious about identifying, assessing, authorizing and tracking who has access to production network resources. NAC requires both users and devices to properly identify themselves before network access is granted. Once authenticated, the user or device is assigned an access policy specific to that user or device, which regulates which resources can be reached within the production network. Access to resources can also be logged and baselined, which is used to identify suspicious behavior that may indicate theft of intellectual property or other malicious activity.
The key to all these next-generation tools is that they can work together by sharing information -- thus exploiting the strengths of each tool to provide a tighter net and block malicious behavior both within and at the edge of the network. The tools, while still individual components that can operate on their own if needed, work better as a fully integrated approach. And working better, together, moves a security posture much closer to a true in-depth security strategy.