Executive Summary
This white paper focuses on the evolving nature of LAN security in today’s enterprise in light of a dissolving network perimeter and the need for an identity-based solution to address new requirements. Network security policies arise from compliance and risk management initiatives across multiple lines of business throughout the organization. Security, compliance and business requirements are articulated in a readable policy built up from basic identity, role and group definitions; equivalently, that policy can be read as a set of network access decisions mapped to user profiles. Identity is at the core of enterprise policies.
Network infrastructure, and the network security solutions built on top of it, are not identity-aware, because network packet headers carry machine addresses and location, not user information. Enforcing identity-based policies with identity-blind systems has proven to be a futile endeavor in the face of increasingly complex security policies, open networks, mobile systems, and unmanaged endpoints. The dilemma facing network security administrators has become an insurmountable obstacle and cash drain, resulting in poorly designed security models being implemented at the wrong places in the network. Exacerbating the problem, without an identity-aware network infrastructure it is almost impossible to demonstrate compliance with identity-based policy initiatives: the events of interest are occluded in a network cloud of machine-address-based technology.
The solution is to build user identity knowledge into the network fabric and enforce identity-based policies within the secure network. Network security policies can then be mapped easily from the definition stage into the network security architecture, with clear visibility of user activity through the enforcement, remediation and reporting phases. This offers a clear ROI by greatly reducing network administration and user management costs, reducing the complexity of ill-fitting network security infrastructure, and reducing the costs of managing policy breaches and compliance reporting. Security policy enforcement is moving into the network to address the dissolving network perimeter problem, and when it does, the network infrastructure and the security policy enforcement layer must be identity-aware.
1. THE DISSOLVING NETWORK PERIMETER AND THE EVOLUTION OF SECURITY POLICIES
Traditionally, network security has focused on the external perimeter. The vast majority of threats to the enterprise network have arisen from outside the organization and from the open nature of the Internet, which naturally led to securing the perimeter of the corporate network very early on. Internal users and systems were generally “trusted” to be secure, and there were few internal security mechanisms beyond securing the endpoints themselves. In such an environment, an employee with access to the network could move around the corporate network unchecked. Access to resources such as file servers, application servers, etc. was controlled directly at the server via access privileges.
With the advent and pervasive deployment of mobile devices, portable storage media, wireless communications, and ubiquitous access points, security policies grew more complex and security infrastructure proliferated as point solutions to diverse risks. The once-perceived secure internal perimeter now has to accommodate a myriad of “untrusted” users such as guests, contractors, business partners, customers, mobile systems, employee-owned systems, and other unmanaged endpoints. The ability to create a secure DMZ has effectively become outdated, and the entire LAN or internal corporate network has become the new DMZ. Administrators now have to defend the entire network from untrusted endpoints with conflicting and diverse security policies and access requirements, while balancing the competing goals of productivity and security.
Internally, access to sensitive network resources has been controlled at the resource itself by various access mechanisms, such as passwords and Access Control Lists (ACLs). However, that model is proving woefully inadequate today. Today’s threats exploit easy access to resources to mount denial of service (DoS) attacks, propagate worms, probe for vulnerabilities, and carry out other malicious behavior. A better model to defend against an onslaught of potential attacks from internal systems is to secure the fabric of the network, not merely the endpoints (servers and user PCs). This stops such attacks long before they reach the critical resource, ideally as close to the source of the malicious traffic as possible.
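To make the argument of the executive summary and of this section concrete: the policy is written against roles, but the packets an enforcement point in the fabric sees carry only addresses, so enforcement needs a binding from address to authenticated user, and every decision should be recorded with the user identity for compliance reporting. The following is an added illustration written for this page, not code from the white paper or any product; the enforcer class, the role policy, the resource network and the sample addresses are all constructed assumptions.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
import time

# Hypothetical identity-aware enforcement point (think: an edge switch port).
# Policy is expressed per role, as the paper describes, never per IP address.
ROLE_POLICY = {                      # role -> resources that role may reach (constructed)
    "finance": {"erp-db"},
    "contractor": set(),
    "guest": set(),
}
RESOURCES = {"erp-db": ip_network("10.10.5.0/24")}   # resource -> network (constructed)


@dataclass
class Binding:
    """Address-to-identity binding learned from a network login event."""
    user: str
    role: str
    expires: float


class IdentityAwareEnforcer:
    def __init__(self):
        self.bindings = {}   # source IP -> Binding; populated only by authentication
        self.audit = []      # decision records, each carrying the user identity

    def authenticate(self, ip, user, role, ttl=3600, now=None):
        """Bind an address to an authenticated user; a later login on the same
        address (e.g. a reused DHCP lease) replaces the old binding."""
        now = time.time() if now is None else now
        self.bindings[ip] = Binding(user, role, now + ttl)

    def decide(self, src_ip, dst_ip, now=None):
        """Evaluate one flow against the role policy. Unbound or expired
        addresses are denied by default and logged without a user."""
        now = time.time() if now is None else now
        b = self.bindings.get(src_ip)
        if b is None or b.expires <= now:
            user, role, allowed = None, None, False
        else:
            user, role = b.user, b.role
            dst = ip_address(dst_ip)
            resource = next((n for n, net in RESOURCES.items() if dst in net), None)
            allowed = resource is not None and resource in ROLE_POLICY.get(role, set())
        rec = {"src": src_ip, "dst": dst_ip, "user": user, "role": role, "allowed": allowed}
        self.audit.append(rec)   # identity-level event, not just an address pair
        return rec
```

An address-based ACL would give the same answer for every user behind 10.0.1.20; here the same address is allowed for a finance user and denied once a guest re-authenticates on it, and the audit trail names the user in both cases.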