Attacks from virus writers and malicious Internet users are getting harder to stop. The time between the discovery of a vulnerability and an attack has dropped from several months to a few weeks. This means that companies have virtually no time to patch systems before attacks strike. To make matters worse, attacks can bypass the firewall and come into a corporate network in numerous ways.
The bottom line: Because cyberdefenses will be compromised eventually, security strategies must include processes and technologies to contain the damage.
What it means: Containment is a critical piece of an overall security strategy. The best perimeter defenses are useless against viruses and Trojan horses that enter a network inside a laptop that was infected while connected to the Internet outside of the corporate firewall. Companies that allow employees to connect via a Virtual Private Network (VPN) running over their home broadband Internet connections are exposed to any malware (i.e., malicious software) resident on the home machine: the VPN tunnel terminates inside the perimeter, so the firewall never sees the malware's traffic in the clear.
Containment strategies include the following:
- Monitoring the internal network for suspicious network traffic originating from internal systems. Intrusion Detection System (IDS) and Intrusion Prevention System (IPS) products can be used to monitor both internal and external network traffic.
- Segmenting the network and isolating segments with internal firewalls and bandwidth-shaping devices to prevent the unrestricted flow of network packets on the internal network.
- Enforcing security policies based on the principle of least privilege. Give users only the minimum permissions on systems and networks that they need to do their jobs, so a compromised account or machine can reach no more than that user could.
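The first strategy, monitoring the internal network for suspicious traffic from internal systems, is the one an IDS applies when an infected laptop reconnects. The following is an added example, not code from the article or from any vendor mentioned in it: a minimal version of that check written in Python against NetFlow-style records. It ignores traffic that leaves the corporate address space and raises an alert when one internal host contacts many distinct internal peers on the same port within a short window, the fan-out pattern of a 2004-era scanning worm. The address ranges, port list, thresholds and all flow records are constructed for the example.

```python
"""Flag internal hosts whose internal-network fan-out looks like worm scanning.

Added example, not from the original article. The internal address space,
the swept ports and every flow record below are assumptions constructed
for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Assumed corporate address space and the ports a worm of that era would sweep
# (RPC/NetBIOS/SMB/MSSQL). Both lists are illustrative, not from the article.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]
SWEEP_PORTS = {135, 139, 445, 1433}

# Constructed flow records (not real captures): timestamp src dst dport proto
SAMPLE_FLOWS = """
# Healthy laptop: DNS, a few SMB sessions to two file servers, web to the outside
2004-06-01T09:00:01 10.1.5.23 10.1.5.1     53  udp
2004-06-01T09:00:02 10.1.5.23 10.1.7.10    445 tcp
2004-06-01T09:00:05 10.1.5.23 10.1.7.10    445 tcp
2004-06-01T09:00:06 10.1.5.23 10.1.7.11    445 tcp
2004-06-01T09:00:07 10.1.5.23 198.51.100.9 80  tcp
# Laptop infected at home, reconnected via VPN: sequential 445 sweep of 10.1.6.0/24
""" + "\n".join(
    f"2004-06-01T09:01:{i:02d} 10.1.5.40 10.1.6.{i} 445 tcp" for i in range(1, 13)
) + """
# The same host also probes an outside address; that flow is not counted here
2004-06-01T09:01:13 10.1.5.40 203.0.113.5 445 tcp
"""


def is_internal(addr):
    ip = ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse 'timestamp src dst dport proto' lines; skip blanks and comments."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = line.split()
        flows.append({"ts": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "dport": int(dport), "proto": proto})
    return flows


def detect_sweeps(flows, window=timedelta(seconds=10), threshold=8):
    """Return one alert per (src, dport) whose distinct internal destinations
    reach `threshold` inside any `window`. Only internal-to-internal flows
    count: the question is what a compromised host does inside the perimeter."""
    per_key = defaultdict(list)  # (src, dport) -> [(ts, dst), ...] in time order
    for f in sorted(flows, key=lambda f: f["ts"]):
        if f["dport"] in SWEEP_PORTS and is_internal(f["src"]) and is_internal(f["dst"]):
            per_key[(f["src"], f["dport"])].append((f["ts"], f["dst"]))

    alerts = []
    for (src, dport), events in per_key.items():
        start = 0
        for end in range(len(events)):
            # Advance the window start until it is within `window` of the newest event
            while events[end][0] - events[start][0] > window:
                start += 1
            peers = {dst for _, dst in events[start:end + 1]}
            if len(peers) >= threshold:
                alerts.append({"src": src, "dport": dport, "peers": len(peers),
                               "first_seen": events[start][0],
                               "last_seen": events[end][0]})
                break  # report the moment the threshold is crossed; an IPS would block here
    return alerts


def run_sample():
    return detect_sweeps(parse_flows(SAMPLE_FLOWS))


if __name__ == "__main__":
    for a in run_sample():
        print(f"ALERT {a['src']} reached {a['peers']} internal hosts on tcp/{a['dport']} "
              f"between {a['first_seen']:%H:%M:%S} and {a['last_seen']:%H:%M:%S}")
```

The healthy laptop touches only two SMB peers and is never flagged; the infected one trips the threshold on its eighth distinct internal target, a few seconds after plugging in. A real sensor would add an allowlist for hosts that legitimately fan out (backup servers, vulnerability scanners) and tune the window and threshold per segment, which is exactly why the sensor has to sit on the internal network rather than only at the Internet edge.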
I recently spoke with customers of Tipping Point's IDS appliance. Each company had recently experienced a virus attack when a user plugged an infected laptop back into the corporate network. In each case, the Tipping Point appliance was configured not only to monitor traffic coming in from the Internet, but also traffic on the internal network. The Tipping Point appliance immediately caught the traffic generated by the virus, and the companies were able to stop the virus before it could gain a strong foothold within the corporate network.
Conclusion: When developing your network security strategy, assume that your perimeter defenses will be breached at some point. Use containment strategies to limit the damage a compromised system can do within your internal network. IDS products from vendors such as Internet Security Systems, Symantec, and Tipping Point can monitor internal and external traffic and should be part of your internal network containment strategy.
All materials copyright © 2004 of the AMR Research Inc.
AMR Research, Inc. is a source of analysis and advice for executives responsible for delivering performance enhancement and cost savings aided by technology. AMR Research aggregates best practices from leading global companies and provides tailored, actionable advice and research reports to every client. More information is available at www.amrresearch.com.