Drassanes metro station is at the bottom of the Rambla in Barcelona. Last December when I asked the station official to call security it was because I had been followed by a pickpocket onto the platform. The official amazed me by replying, "Not much point, they live here". Drassanes is an ideal place for pickpockets to operate, with a plentiful supply of disorientated foreigners to prey on. The scary thing is that the pickpockets have become so prevalent that they and their crimes are now invisible to all except their immediate victims. They find this fact encouraging.
Chances are your office network would make just such a comfortable home for hackers. It's not that you don't have security measures in place: your Internet gateway router is running a firewall, your office workstations are on a Windows domain, and each endpoint is protected with up-to-date antivirus software. All the computers in the domain are patched. So where is the weakness if you stop at these perfectly sensible measures?
Increasingly, devices are being brought onto the network that fall outside the direct control of the IT administrator: staff personal or work laptops, smartphones, visiting clients' PCs, or, if you are a tech company, PCs you are working on for a client. In some informal networks the majority of devices are not controlled at all, with just one or two machines such as an administration PC kept for office duties. Most devices simply connect, acquire an IP address and a default gateway, and are immediately granted access to that infamously insecure place we call the Internet, from the same network segment as your office machines. Is it safe to share your company network in this way?
Getting back to the Barcelona metro metaphor: like the metro authorities, you have resources that you feel you need to secure, and others that you allow to share your network but that are, well, someone else's responsibility. The style of your office and your communications set-up in general is easy-going. People install their own applications; Facebook, Twitter and Skype have become part and parcel of the way you do business. Not only that, you are a small business and cannot afford all the paraphernalia associated with corporate security (do you have retinal scanners and CCTV at the office door? Do you need a smart card with a one-time password to log in?). So just what threats are we turning our backs on by ignoring these 'passengers' on our network?
Keystroke logging to capture passwords and credit card details, packet sniffing to read unencrypted network traffic, remote access tools that give an outsider full control of a PC, botnet clients that use a PC to send out thousands of spam emails or launch attacks on other machines: these are just some of the 'features' that attackers can install on your network via uncontrolled devices. Internet access is driving our business, but it is also driving the business of the attackers; it is the most popular way of gaining unauthorized access to your network.
Now let's get this in perspective. At home we have one or two PCs and each is properly protected by an Internet security suite. This is much more than an antivirus: it inspects our network traffic, scours emails and checks web sites before connecting us to their servers. Inside a controlled corporate environment, antivirus, which only acts once an infection has already reached the PC's file system, might be enough. But we have already agreed, if we are honest, that we don't have a controlled corporate environment. So what do we need in order to see and tackle these threats?
Configuring Cisco IPS on your network is like installing CCTV monitored by a 24/7 flying squad at your favourite city's most notorious metro station. Or, to put it another way, you can configure many of the features of a security suite at a single point in your network, where every device, controlled or not, has to pass. There's really no excuse for not doing this. I used the word configuration because if you already have a Cisco ISR with a security feature set at the edge of your network, IPS is already built into the software (keeping its signature package current is tied to your Cisco support contract). If not, upgrading to an ISR is the way to go.
Cisco IPS works in a complementary way to a firewall. A basic firewall decides by address and port whether a connection may be opened; IPS looks at the content and behaviour of the traffic, so it can also catch attacks originating from inside the network. For example, a user inadvertently clicks on a link that installs a hidden remote access tool. The tool attempts to connect out to its controller somewhere on the Internet to establish access to your network. A firewall permitting outbound connections would let that through; IPS is triggered by the outbound connection attempt. IPS can be triggered by up to 2300 signatures, matching causes as diverse as peer-to-peer traffic and Internet worms. Sometimes a single packet is enough to fire a signature; other signatures need a combination of events over time.
Alerts are sent to a management station, which can be set up on the local network or reached over a secure connection from your service provider's network so that they can proactively monitor your security as part of their support contract. The management software is linked to an online database giving further information about each attack signature. Because the sensor sits in-line with the traffic, it can be configured not just to alert but to drop the offending packet, reset the TCP connection, deny the connection, or deny all further traffic from the attacker's address for a period. In the case of an infected PC, this would stop the PC communicating through the router, giving you time to identify the problem and take further action.
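The steps described above, enabling IOS IPS on an ISR, applying it in-line on the WAN interface in both directions, sending alerts to a management station over SDEE, and tuning one signature from alert-only to alert-and-drop, look like the following. This is an added example in Cisco IOS IPS 5.x command syntax, not configuration from the original post; the directory name, rule name MYIPS, the interface, the TFTP address and package file name, and signature 2004/0 (ICMP echo request, chosen only because it is easy to trigger for testing) are placeholders.

```text
! Added example: Cisco IOS IPS 5.x-style configuration on an ISR.
! Not taken from the original post. flash:ips, MYIPS, the interface,
! the TFTP host/package name and signature 2004/0 are placeholders.
!
! 1. Directory to hold the signature package and compiled signatures
mkdir flash:ips
!
configure terminal
! 2. Where the sensor stores its signature files
ip ips config location flash:ips retries 1
! 3. Name the IPS rule (an ACL may be appended to limit what is inspected)
ip ips name MYIPS
! 4. Send events to SDEE (polled by the management station) and to syslog
ip ips notify sdee
ip ips notify log
ip sdee events 500
! 5. Retire every signature, then un-retire the "ios_ips basic"
!    category so the router only compiles the set sized for its memory
ip ips signature-category
 category all
  retired true
 exit
 category ios_ips basic
  retired false
 exit
exit
! 6. Apply the rule in-line on the WAN interface in both directions, so
!    an infected inside host calling out to its controller is inspected
!    as well as traffic arriving from the Internet
interface GigabitEthernet0/0
 ip ips MYIPS in
 ip ips MYIPS out
exit
end
!
! 7. Load Cisco's public key (entered under "crypto key pubchain rsa",
!    "named-key realm-cisco.pub signature"; key text not shown) and then
!    the signature package, both obtained from Cisco.com
copy tftp://192.0.2.10/IOS-Sxxx-CLI.pkg idconf
!
! 8. Tune one signature: make sure it is enabled and active, and change
!    its action from alert-only to alert plus dropping the packet in-line
configure terminal
ip ips signature-definition
 signature 2004 0
  status
   enabled true
   retired false
  exit
  engine
   event-action produce-alert deny-packet-inline
  exit
 exit
exit
! IOS asks whether to accept the signature changes here; confirm.
end
!
! 9. Verify the rule is applied, how many signatures compiled, and
!    what has fired
show ip ips configuration
show ip ips signatures count
show ip ips statistics
show ip sdee alerts
```

The event actions available in this syntax map onto the responses listed above: produce-alert, deny-packet-inline (drop the packet), reset-tcp-connection, deny-connection-inline and deny-attacker-inline (block the source address for the configured timeout). Run a new signature set with produce-alert only for a week or two and review the alerts before switching categories to deny actions; a false positive that merely alerts is an annoyance, while one that denies an attacker takes a legitimate machine off the network.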
Anti-spam, email and web content filtering are useful threat defences that you should also consider, but by implementing IPS you are acknowledging that, in all but the strictest security environments, the line between inside and outside marked by the company firewall is not as clear-cut as it used to be. You are also giving yourself the tools to manage the security of the 'public' on your network.