SearchEnterpriseWAN.com spent some time with Kevin Beaver discussing wide area network (WAN) security and the impact that the WAN can have on the safety of enterprise applications. Beaver is an independent information security consultant, expert witness, professional speaker, and author with over 21 years of experience in IT—the last 15 years of which he has dedicated to information security. Now the founder and principal information security consultant at Principle Logic, LLC, he advises customers on information security and compliance in order to protect an organization's network, computers, and information assets from rogue employees and criminal hackers.
In this first part of a two-part series, we discuss overall WAN security threats and common mistakes made by WAN engineers. In part two, WAN application security in the age of cloud and mobile devices, the focus shifts to a couple of the latest technology trends and their impact on WAN security.
What are the biggest WAN security threats to enterprise applications today?
Kevin Beaver: The biggest WAN security threat to enterprise applications may very well be ignorance on the part of IT management. I say that because at the root of every data breach, there is usually some oversight, some sort of assumption, or a lack of doing what’s needed in terms of business best practices or compliance regulation. Many of the issues we are seeing can be traced to managers having their heads in the sand, and that mindset gets pushed down throughout the IT organization, creating the current threat environment—whether it is denial that the organization could be a valuable target to hackers or that the organization actually has sensitive information that might be of interest to others.
Of the more traditional application threats, malware is near the top of the list. With all of the malicious software being propagated through the Web and unsecured applications, an absent-minded click by a user is all it takes to unleash malware code on an internal enterprise network. These exploits are becoming increasingly sophisticated, where even visiting a malicious page is enough to be affected by it.
In terms of WAN security and application security, are there particular areas of the network that WAN managers should pay closer attention to in order to mitigate malware and to get more security-savvy?
Beaver: For WAN engineers, it is [essential] to actually utilize the tools at your disposal, be it in the router, the switch, or even at the ISP level or a cloud application. Utilize these applications to look at network flows, look at protocols to see what is moving around your network. There may also be some intelligence built in to look for specific security issues. Most of these are fairly low cost or even included with the equipment; it is just a matter of finding the time to learn and put the systems and controls in place to make it happen. The first step is to make use of what you have before stepping up to enterprise network analyzers or network flow applications.
There is one big thing that I’ve noticed while doing security assessments for different types of organizations, from small to medium businesses all the way up to government entities, and it is a pretty common theme: Most organizations may have security software in place, but network engineers are too overwhelmed to actually utilize the stuff. They are too busy putting out day-to-day fires to actually take the time to say, “OK, here’s what I’ve got and here’s how I need to configure the [WAN security] tools, and this is the insight that it's going to provide me.” Unfortunately, having a well-deployed security policy and support structure is the exception, not the rule. Related to that, I see people buying some high-end third-party applications for network security monitoring and analysis, and it’s sitting on the shelf. WAN engineers say, “Yeah, we haven’t had time to implement that yet.” This is an organizational problem attributed to poor time management and having too few bodies to get things done.
I strongly recommend network engineers find a way to take time away from the phone and email to learn about security, whether it is by reading up on the subject, taking a class, or attending a security conference. [WAN] engineers can easily be put into situations where they are set up to fail: They aren’t given enough time to put out the fires, much less to put the stuff in place to help better put out the fires. They are going to have to break this cycle to fix this situation.
What are the common WAN security mistakes engineers make when designing their networks to support remote applications?
Beaver: Network engineers in charge of application security can often overlook the critical applications that are seemingly unimportant. Even internal-only applications can be at risk. There are internal threats within your organization, [and] people that have security tools or hacking tools can use that information against the business. So it’s not just the highly visible e-commerce sites or customer portals, it’s practically every application. If it is critical to the business, and most applications are there for a reason, there is a distinct possibility that there are vulnerabilities waiting to be exploited. You have to prioritize and do a business impact analysis of each application. Determine what’s there and how it needs to be secured. Don’t assume that your highly visible applications are the only ones that matter.
Many organizations are turning toward WAN optimization and application acceleration to improve WAN performance. Does application acceleration affect the security of your application over a WAN? Do WAN managers have to make a trade-off when balancing performance with WAN security risks?
Beaver: I think it could. It can affect the insight that you have into your environment, depending on the tools or, more often, the lack of tools that you have at your disposal. Just like someone encrypting a piece of malware or zipping a file, compression and other acceleration techniques could mask a threat on the WAN. This ties to a larger issue around security, and ultimately a network engineer has to break out of always being reactive to issues, such as dealing with a deployed application accelerator after the fact. Not everything can be proactive. Had you known what the critical systems are, where the sensitive information is, and what was at risk, those vulnerabilities would [have] never even existed and wouldn’t even be an issue going across the WAN using compression or acceleration. Being proactive and having your ducks in a row shouldn’t allow a problem like this to exist.