
Best Practices for Deploying LAN Security and NAC

By : Nevis Networks
Published : Apr 23, 2007
Length : 8
Type : White Paper
 
Overview :

Networks now have to be designed to defend themselves from a myriad of threats on the internal LAN. Enterprise networks are open to conference room guests, contractors, partners, remote sites, employee-owned systems and a wide range of mobile and wireless devices.

As security models evolve toward enforcing more security policy "in the network" rather than attempting to control the endpoint, a new LAN security deployment strategy is required.


 

THE NEED FOR LAN SECURITY
In the past, enterprise LANs were built assuming that threats come from outside the enterprise, and that all internal users are equally trustworthy. This was the case at one time, when the endpoints were provided and managed by the enterprise, and before a general expectation of Internet access became a perquisite of the workplace. In those days, good security meant a good perimeter firewall and maybe some desktop anti-virus software.

It is now well accepted that things have changed drastically, creating a need for additional security measures within the LAN itself. It is no longer easy to control what devices are attached to the internal network – user laptops shared with other family members, PDAs, even cell phones can “plug and play,” get a dynamic address, and access just about anything, from party mailing lists to HR benefits to business critical applications. Furthermore, business reasons have caused the LAN to be opened up to guests, temporary contractors, and outsourcing partners, among others – regardless of whether these users had unmanaged or even unmanageable endpoints.

There is growing recognition that LAN security has to go beyond the desktop and into the network infrastructure itself. Not only can security software not be relied upon to be installed and functional, but such software is also fairly easy to circumvent or disable. The desktop operating systems in wide use by enterprises today were also designed for mass-market appeal: ease-of-use features, especially ease of installation, enable a variety of applications for entertainment as well as productivity, but also introduce the potential for misuse as well as unintentional installation of spyware and other malware.

LAN security basically provides, or rather restores, two benefits. One is control, both of who is on the network and what devices they are using, as well as what they are allowed to do. The other is availability, the ability to protect the network infrastructure from malware attacks and maintain business continuity.

PLANNING AND DEPLOYMENT

Once the need for LAN security is recognized, what should be the next steps? A successful LAN security deployment has to address specific problems. Hence, the first steps should be to formulate goals - prioritize the problems and list the criteria against which to measure success.

What are the main problems?
The following are examples of typical LAN security issues, formulated both as problem statements and as LAN security goals.
- Unauthorized Access – anyone with physical access to the network has unrestricted access to all systems on the LAN. As a result, sensitive or critical assets can be accessed and possibly attacked by anyone connecting to the network, including guests, temporary workers, and even non-staff (e.g., janitors).
  - Goal: LAN Security should both control access to the network itself and provide differentiated access based on need to know. In particular, which is more important: protecting the network from unauthorized users, or protecting servers from unauthorized access?
- Endpoint Integrity – vulnerable endpoints can introduce the risk of penetration by outsiders.
  - Goal: LAN Security should be able to define policy criteria for compliant endpoints, identify endpoints that are out of compliance both at the time of initial access and continuously during user sessions, and assist remediation to bring endpoints into compliance without the need for a helpdesk call. What kinds of access should non-compliant endpoints be allowed?
- Resilience and Availability – malware on infected end systems can try to infect other end systems, attack critical network infrastructure, or mount denial of service attacks, among other things.
  - Goal: LAN Security should detect and identify threats, and be able to take preventive action commensurate with the seriousness of the threat. Policy questions abound here, such as whether it is more important to know about the malware or to react automatically. In either case, network functioning might be disrupted or compromised.
- Regulatory Compliance Verification – there is no visibility as to who is accessing sensitive or critical assets on the network, or even who is using the network itself.
  - Goal: LAN Security should provide summary reports, in appropriate levels of detail, as to network usage. These would ideally provide an inventory of which systems are connected to the network at specified times. Which particular reports are required by the enterprise?
