
Security in an Open World

15 February 2007

Modern IT departments in organisations that are opening up their networks and web servers to business partners and customers are adopting a policy-based networking model to ensure IT security. Reginald P Best describes the key components.

ACCORDING TO A STUDY BY THE RESEARCHER IDC on endpoint security management, approximately 60 percent of serious security threats come from internal sources that have been given access to an organisation's network resources. This can include anyone from employees based on site, to remote workers, consultants, business partners and customers who are now being allowed remote access to networks and web servers.

Many FM companies typify this opening up of the traditional IT network perimeter, collaborating with multiple suppliers and partners and granting them access to their networks and web servers. This trend, known as de-perimeterisation, is forcing many organisations to re-think their security strategy, and many are considering moving to the IT security model represented by Policy-based Networking (PN). PN typically consists of a suite of complementary solutions interoperating with existing network systems to enforce rules and policies that govern who and what can be admitted to the network, and what resources and information they can be allowed to access once they are inside.

The starting point for PN is controlling network admission via a device or software called a Network Admission Controller (NAC). When a user wants to access the network, whether they are logging on remotely or from the office, using wireless or wired access, the NAC verifies their identity by querying the organisation's authentication servers (such as RADIUS, LDAP or RSA). The system checks the user directory on the authentication server to determine the rules and policies relating to that user's access to the network. It may have been specified, for example, that he or she may be granted access only during certain hours or from certain locations. Organisations might want to establish these sorts of policies to give a partner daily access to specific information on their network, or to stop people from logging on to the network from Internet cafés or other third-party locations.

One of the major challenges that IT security specialists are grappling with is that even trusted users, whose identity has been verified, can inadvertently infect other devices with viruses, worms, spyware and other threats. This could be because they have not kept the security software on their desktop or laptop up to date, or because there is a security flaw on their system which has not been picked up. For this reason, the NAC system also scans each user's device for proper versions of anti-virus, anti-spyware or personal firewall software, as well as correct operating system patches. Access is only allowed to those that comply with the established security software policies.
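The admission sequence described above, as an added illustration rather than the product's own logic: identity is checked first, then the user's hours and location policy from the directory, then the device posture. The directory entries, version numbers and patch names are constructed placeholders, and the dictionary schema is hypothetical.

```python
# Constructed directory entries standing in for what the NAC would read from
# the organisation's RADIUS/LDAP server (hypothetical schema, not a real product's).
USER_POLICY = {
    "partner.alice": {"hours": (8, 18), "locations": {"office", "partner-vpn"}},
    "staff.bob":     {"hours": (0, 24), "locations": {"office", "home-vpn"}},
}
# Minimum device posture the policy demands (constructed values).
MIN_AV_VERSION = (5, 2)
REQUIRED_PATCHES = {"PATCH-PLACEHOLDER-1", "PATCH-PLACEHOLDER-2"}


def check_posture(device):
    """Return the list of posture failures; an empty list means the device complies."""
    failures = []
    if tuple(device.get("av_version", (0, 0))) < MIN_AV_VERSION:
        failures.append("anti-virus out of date")
    if not device.get("firewall_on"):
        failures.append("personal firewall disabled")
    missing = REQUIRED_PATCHES - set(device.get("patches", ()))
    if missing:
        failures.append("missing patches: " + ", ".join(sorted(missing)))
    return failures


def admit(user, authenticated, location, hour, device):
    """Apply the checks in the order the article describes: identity first,
    then the user's hours/location policy, then the device posture.
    Returns (decision, reason) where decision is 'allow' or 'deny'."""
    if not authenticated:
        return ("deny", "authentication failed")
    policy = USER_POLICY.get(user)
    if policy is None:
        return ("deny", "no policy for user")
    start, end = policy["hours"]
    if not start <= hour < end:
        return ("deny", "outside permitted hours")
    if location not in policy["locations"]:
        return ("deny", "location not permitted")
    failures = check_posture(device)
    if failures:
        # Non-compliant software is refused admission, as the article states.
        return ("deny", "; ".join(failures))
    return ("allow", "all checks passed")
```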

Critical protection
The next component of PN is an Identity Enforcement appliance (ID), which helps control data traffic flowing within the network. This ensures that access to servers containing critical business and financial information, customer details or employee records is restricted to those employees, suppliers and partners who need these resources, based on the organisation's agreed policies.

Anyone not conforming to policy is denied even visibility of restricted components and information, with the ID concealing their locations and eliminating potential risks. If it detects offending behaviour, the system can place a user into quarantine. In other words, the user's machine is effectively isolated from the network while the system and network administrators decide what to do next. Alternatively, the ID could shut down the port which was giving the 'suspect' user access to the network.

While organisations once focused primarily on encrypting data crossing the traditional boundary of the network perimeter (ie going in or out of the network), the ID delivers an additional layer of security by encrypting sensitive traffic moving within the network. This helps to ensure that neither legitimate users nor intruders can eavesdrop on confidential data streams, an aspect that is becoming very significant because of the way organisations are opening up their networks to partners and suppliers.

Web-based systems
With many organisations turning to web-based systems to deliver computer applications and information to their employees, partners and customers via the Internet or on intranets, the final component of an all-inclusive PN security strategy is an Application Protection (AP) appliance. This works to protect web-based systems, which can become exposed to vulnerabilities, even unknowingly, by authorised users.

The AP, which has properties similar to traditional firewall software, authenticates every internal user seeking access to critical web servers, which might hold financial or customer data, for example. It deters any irregular activity, preventing a wide array of web attacks, including denial of service attacks, which attempt to make web resources unavailable to their intended users; buffer overflow attacks, which force applications to crash or produce errors; and forced browsing, which is a way of editing URLs in order to reach information via a web browser that the user is not authorised to see.

The AP scrutinizes the content of the traffic to and from the web servers, including headers, fields and data. If it detects an attack or questionable activity, it can block access or place suspect devices into quarantine.
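To make the inspection step concrete, here is an added example (not the product's own code) that checks constructed request records against the three attack patterns named above: a path outside what the user's role may browse (forced browsing), an oversized form field (buffer overflow attempt), and a flood of requests from one client (denial of service). The record format, role table and thresholds are all assumptions for the illustration.

```python
import posixpath
import re
from collections import Counter

# Constructed policy (hypothetical, not a real appliance's configuration):
# URL prefixes each role may browse, the longest field accepted, and the
# number of requests one client may send within an inspection window.
ROLE_PATHS = {"customer": ("/portal/",), "finance": ("/portal/", "/finance/")}
MAX_FIELD_LEN = 256
MAX_REQUESTS_PER_WINDOW = 20

# Constructed record layout: "client user role METHOD path [body]".
REQ_LINE = re.compile(
    r"^(?P<client>\S+) (?P<user>\S+) (?P<role>\S+) (?P<method>[A-Z]+) "
    r"(?P<path>\S+)(?: (?P<body>.*))?$"
)


def inspect(line, counts):
    """Return (decision, reason) for one request; decision is allow, block or quarantine."""
    m = REQ_LINE.match(line)
    if not m:
        return ("block", "unparseable request")
    # Normalise the path first so "/portal/../finance/x" is judged as "/finance/x".
    path = posixpath.normpath(m["path"].split("?", 1)[0])
    if not any(path.startswith(p) for p in ROLE_PATHS.get(m["role"], ())):
        return ("block", "forced browsing")
    # Fields are inspected individually; an abnormally long one is refused.
    for field in (m["body"] or "").split("&"):
        if len(field) > MAX_FIELD_LEN:
            return ("block", "oversized field")
    # A client exceeding the per-window budget is quarantined, not just blocked.
    counts[m["client"]] += 1
    if counts[m["client"]] > MAX_REQUESTS_PER_WINDOW:
        return ("quarantine", "request flood")
    return ("allow", "")


def run(lines):
    """Inspect a sequence of records with one shared per-client counter."""
    counts = Counter()
    return [inspect(line, counts) for line in lines]


# Constructed sample records for the three cases.
SAMPLE = [
    "10.0.0.5 alice customer GET /portal/orders",
    "10.0.0.5 alice customer GET /portal/../finance/ledger",
    "10.0.0.7 bob finance POST /finance/ledger note=" + "A" * 300,
]
```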

While the tendency to open up the IT infrastructure to partners, suppliers and customers improves efficiency and enhances business processes, the flip side is that it puts even greater pressure on the IT department to prevent unauthorised access, keep information protected from prying eyes and avoid malicious attacks. By facilitating access to the network but tying it closely to user and device identity, and linking that identity to policy, a security strategy based on a comprehensive PN solution helps organisations to find a balance between the business benefits of making their systems more open and the necessity of maintaining an effective level of security.

Reginald P Best is EVP/GM Application Security Business at AEP (

PN - Policy-based Networking: complementary solutions interoperating with existing network systems to govern who can be admitted to the network and what they can access
NAC - Network Admission Controller: verifies the identity of users wanting access to the network
AP - Application Protection: authenticates every internal user seeking access to critical web servers to deter irregular activity and web attacks
