White paper
LAYERED NETWORK SECURITY 2006: A best-practices approach
Prepared by: Mitchell Ashley, CTO and VP of Customer Experience, StillSecure
January 2006
Copyright 2002-2006 StillSecure. All rights reserved.
INTRODUCTION

Network security is a mission-critical concern for enterprises, government agencies, and organizations of all sizes. Today's advanced threats demand a methodical approach to network security. In many industries enhanced security is not an option, it's mandatory. Federal regulations such as Sarbanes-Oxley, HIPAA, GLBA, and others require organizations such as financial institutions, health care providers, and federal agencies to implement stringent security programs to protect digital assets.

This paper introduces you to a layered approach for securing your network. The layered approach is both a technical strategy, espousing that adequate measures be put in place at different levels within your network infrastructure, and an organizational strategy, requiring buy-in and participation from the board of directors down to the shop floor.

The layered-security approach centers on maintaining appropriate security measures and procedures at five different levels within your IT environment:

1. Perimeter
2. Network
3. Host
4. Application
5. Data

In this paper, we'll define each of these levels and provide an overview of the various security measures that operate on each. Our goal is to provide a foundation-level understanding of network security and suggest a best-practices approach to protecting digital assets. Our target audience includes IT professionals, business managers, and high-level decision-makers.

Protecting your proprietary information does not require dozens of specialized solutions or unlimited funds. With an understanding of the overall problem, creating both a strategic and tactical security plan can be a straightforward exercise. Furthermore, with the best-practices approach introduced in this paper, you can erect effective barriers without breaking your budget.

INCREASING THE HACKER'S WORK FACTOR

Network security professionals speak in terms of work factor, which is an important concept when implementing layered security. Work factor is defined as the effort required by an intruder to compromise one or more security measures, which in turn allows the network to be successfully breached. A network with a high work factor is difficult to break into, while a network with a low work factor can be compromised relatively easily. If hackers determine that your network has a high work factor, which is a benefit of the layered approach, they are likely to move on and seek networks that are less secure, and that's exactly what you want them to do.

The security technologies discussed in this paper collectively represent a best-practices approach for securing your digital assets. In an ideal world you would have the budget and the resources to implement all the measures we discuss. Unfortunately, we don't live in an ideal world. As such, you should evaluate your network (how it is used, the nature of the data stored, who requires access, its rate of growth, etc.) and then implement a blend of security measures that provides the highest level of protection given your available resources.

THE LAYERED-SECURITY MODEL

Figure 1 presents the layered-security model and some of the technologies that function at each level. These technologies are discussed in more detail in the sections that follow.

Security level     Applicable security measures
1. Perimeter       Firewall; Network-based anti-virus; VPN encryption
2. Network         Intrusion detection/prevention system (IDS/IPS); Vulnerability management system; Network access control; Access control/user authentication
3. Host            Host IDS; Host vulnerability assessment (VA); Network access control; Anti-virus; Access control/user authentication
4. Application     Application shield; Access control/user authentication; Input validation
5. Data            Encryption; Access control/user authentication

Figure 1. The security levels in the layered approach and the technologies that function on each.
LEVEL 1: PERIMETER SECURITY

The perimeter is the first line of defense from un-trusted networks. The perimeter acts as the first and last point of contact for security defenses protecting the network. It is the area where your network ends and the Internet begins. The perimeter consists of one or more firewalls and a set of strictly controlled servers located in a portion of the perimeter referred to as the DMZ (demilitarized zone). A DMZ typically contains the Web servers, email gateways, network anti-virus, and DNS servers that must be exposed to the Internet. The firewall has strict rules about what can enter inside the network as well as rules about how servers in the DMZ can interact with the Internet and the inside network.

The network perimeter, in short, is your gateway to the outside world and, conversely, the outside world's gateway to your network. A compromised network perimeter can cripple your ability to conduct business. For example, if your organization relies on your Web servers for revenue generation, and those servers have been hacked and are off-line, you lose money for every minute they are down.

The following technologies provide security at the network perimeter:

Firewall
A firewall is typically installed on a server connected to the inside and the outside of the network perimeter (see Figure 2). A firewall performs three general functions: 1) traffic control, 2) address translation, and 3) VPN termination. The firewall performs traffic control by examining the source and destination of all incoming and outgoing network traffic; it ensures that only permissible requests are allowed through. Additionally, firewalls help secure the network by translating internal IP addresses to IP addresses that are visible to the Internet. This prevents the disclosure of critical information about the structure of the network inside the firewall. A firewall can also terminate VPN tunnels (discussed below). These three capabilities make a firewall an indispensable part of your network security.

Figure 2. A typical firewall installation: Internet, router, firewall and DMZ in front of the LAN; all allowed traffic is passed through the firewall.

Network-based anti-virus
Installed in the DMZ, network-based anti-virus software compares incoming and outgoing email message content to a database of known virus profiles. Network-based anti-virus products block infected email traffic by quarantining suspicious and infected email messages and then notifying recipients and administrators. This prevents email infected with a virus from entering and spreading across your network, and it prevents your network from spreading virus-infected email. Network-based anti-virus is a complement to anti-virus protection performed on your email server and individual desktop computers. To work effectively, the database of known viruses must be kept up to date.

VPN
A virtual private network (VPN) uses high-level encryption to create a secure connection between remote devices, such as laptops, and the destination network. It essentially creates an encrypted tunnel across the Internet, approximating the security and confidentiality of a private network. A VPN tunnel can terminate on a VPN-enabled router, firewall, or server within the DMZ. Enforcing VPN connections for all remote and wireless network segments is an important best-practice that is relatively easy and inexpensive to implement.

PROS
These well-established perimeter-level technologies have been available for many years, and most IT professionals are well acquainted with their capabilities and operational requirements. Therefore, they are straightforward and cost effective to implement. A range of vendors offer solid solutions for these technologies, and most are reasonably priced.

CONS
Because these systems are quite basic and have been available for some time, most sophisticated hackers have figured ways around them. An anti-virus tool, for example, cannot detect a virus unless it already has the virus signature, or if the virus is embedded within an encrypted file. Although VPN provides effective encryption, it does impose an administrative burden on your IT staff, as encryption keys and user groups must be managed on an ongoing basis. Additionally, VPNs don't protect you from infected devices or malicious traffic using the VPN connection.

CONSIDERATIONS
The complexity of your network architecture can have a considerable impact on the effectiveness of these technologies. Multiple external connections, for example, would likely require multiple firewalls and anti-virus instances. Architecting all of your connections to terminate in a common area allows a single instance of a given technology to provide effective coverage.
The types of devices located in your DMZ are also an important factor. How critical are these devices to your business? The higher the criticality, the more stringent the security measures and the policies that govern these devices must be.

LEVEL 2: NETWORK SECURITY

The network level of the layered-security model refers to your internal LAN and WAN. Your internal network may include desktops and servers or may be more complex with point-to-point frame relay connections to remote offices. Most networks today are fairly open behind the perimeter; once inside, you can travel across the network unimpeded. This is especially true for most small- to medium-size organizations, which makes them tempting targets for hackers and other malicious individuals.

The following technologies provide security at the network level:

Intrusion detection systems (IDSs) and intrusion prevention systems (IPSs)
IDS and IPS technologies analyze traffic moving across your network in much greater detail than your firewall. Similar to anti-virus systems, IDS and IPS devices analyze traffic and compare each packet to a database of known attack profiles. The difference is that anti-virus inspects files on the system, whereas IDS/IPS inspects packets within network traffic. When attacks are detected, IDS/IPS technologies take action. IDS tools alert your IT staff that an attack has occurred; IPS tools go a step further and automatically block the harmful traffic.

IDSs and IPSs have many characteristics in common. In fact, most IPSs have an IDS at their core. The key difference between the technologies is implied by their names: IDS products only detect malicious traffic, while IPS products prevent such traffic from entering your network. Standard IDS and IPS network configurations are shown in Figure 3.

Figure 3. Typical IDS/IPS installations: an intrusion detection system whose external interface listens for traffic and detects attacks; an intrusion prevention system in an out-of-band configuration that detects attacks and sends signals to the firewall to dynamically block incoming attacks; and an intrusion prevention system in an in-line configuration that automatically blocks attacks before they enter the network.

Vulnerability management
Vulnerability management systems perform two related functions: (1) they scan the network for
vulnerabilities and (2) they manage the process of repairing the vulnerabilities found. In the past, this technology was called "vulnerability assessment (VA)", but the technology has evolved to the point where most commercially available systems do more than simply assess network devices for vulnerabilities.

Vulnerability managers scan devices on a network for flaws and vulnerabilities that could be exploited by hackers or harmful traffic. They typically maintain a database of rules that identify known vulnerabilities for a range of network devices and applications. During a scan, the system tests each device/application by applying the appropriate rules.

As the name implies, vulnerability managers include features that manage the remediation process. The depth of management features varies greatly among vendors, from simple assignments and notifications to comprehensive integration with patch managers and trouble ticketing systems.

Network access control
Network access control solutions protect the network by ensuring that endpoints meet defined security standards before they are allowed to access the network. This protects the network from being attacked 'from the inside' via compromised employee desktops and laptops, contractor machines, and VPN and RAS devices.

Endpoint security solutions allow or deny access based on tests run against a device when it attempts to connect. They typically test for (1) required software, such as service packs, up-to-date antivirus definitions, etc., and (2) prohibited applications, such as file sharing and spyware.

Access control/authentication
Access control entails authenticating users who access your network. Authentication is typically performed against the user information in a RADIUS, LDAP, or Windows Active Directory. Both users and devices should be controlled by access control measures at the network level.

Note: In this paper we discuss access control and authentication at the network, host, application, and data levels of our layered security framework. A considerable amount of overlap and interaction commonly exists among the access control/authentication schemes that function across these levels, and authentication can be passed from one level to the next. Such interaction is usually transparent to the user. While we discuss these concepts briefly in upcoming sections, keep in mind that access control and authentication are sophisticated processes that should be carefully managed to provide maximum security throughout the network.

PROS
IDS, IPS, and vulnerability management technologies perform sophisticated analyses on network threats and vulnerabilities. Where your firewall allows or disallows traffic based on its ultimate destination, IPS and IDS tools conduct a much deeper analysis and therefore provide a higher level of protection. With these advanced technologies, attacks embedded in legitimate network traffic, which can get through a firewall, will be identified and potentially terminated before damage occurs.

Vulnerability managers automate the process of checking your network for vulnerabilities. Performing such checks manually with the frequency required to ensure security would be highly impractical. Also, networks are dynamic. New devices, application upgrades and patches, and adding and removing users can all introduce new vulnerabilities. VA tools allow you to scan your network frequently and thoroughly for newly introduced vulnerabilities.

Network access control solutions give organizations a high level of control over the devices that they traditionally have had very little control over. Hackers are increasingly looking to exploit endpoints to gain entry to the network, as recent exploits like Mydoom, Sobig, and Sasser attest to. Network access control solutions close this dangerous backdoor into the network.

CONS
Intrusion detection systems (IDSs) have a tendency to produce numerous false alarms, also referred to as false positives. While an IDS will likely detect and alert you of an attack, such information could be buried under a mountain of false positive or trivial data. IDS administrators can quickly become desensitized to the sheer volume of data produced by the system. To be effective, an IDS must be closely monitored and continually fine-tuned to the usage patterns in your environment. Such maintenance typically consumes a fair amount of administrative resources.

The level of automation within intrusion prevention systems (IPSs) can vary significantly among products. Many must be carefully configured and managed to reflect the traffic patterns characteristic of the network on which they are installed. Possible side-effects of non-optimized performance include terminating legitimate user requests and locking out valid network resources.

Many, but not all, network access control solutions require that an agent be installed on each endpoint. This can add a considerable amount of administrative overhead to deployment and upkeep.

Access control/authentication technologies may have technical limitations. For example, some may not work with all the devices on your network, so you may need multiple systems to provide the necessary coverage. Also, multiple vendors market access control systems, and functionality can vary greatly among products. Implementing an integrated solution across your network may be difficult. Such a patchwork, multi-product approach may actually introduce additional vulnerabilities to your network.

CONSIDERATIONS
The success of network-level security measures is somewhat dependent on the speed of your internal network connections. Because IDS/IPS, vulnerability management, and network access control tools can consume resources on the networks they protect, increased connection speeds will minimize the impact they have on overall network performance. In implementing these technologies you must consider the trade-off between improved security and ease of use, as many of these products must be continually managed to perform effectively, and they may make it less convenient to move around on the network.
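Before leaving the network level, the endpoint tests and the allow/deny decision described under Network access control above, carried through as an added example (not code from the white paper or from any StillSecure product): each connecting device is checked for required software (service pack level and anti-virus definition age) and prohibited applications (file sharing and spyware), and is then permitted, quarantined for remediation, or denied. The thresholds, the process names and the quarantine/deny mapping are assumptions made for this example.

```python
"""Network access control (NAC) decision for a connecting endpoint.

Added example; not part of the white paper or any vendor product. Policy
values (minimum service pack, definition age, prohibited process names,
fail actions) are assumptions chosen for illustration.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Optional, Set, Tuple

MIN_SERVICE_PACK = 2             # assumed minimum OS service pack level
MAX_AV_DEFINITION_AGE_DAYS = 7   # definitions older than this fail the test
# Constructed process names standing in for file-sharing and spyware software.
PROHIBITED_PROCESSES = {"kazaa.exe", "limewire.exe", "spywarebundle.exe"}
# Action taken for each failed test (assumption): missing or stale required
# software is fixable in an isolated remediation VLAN, so it is quarantined;
# a prohibited application is denied outright.
FAIL_ACTION: Dict[str, str] = {
    "service_pack": "quarantine",
    "av_installed": "quarantine",
    "av_definitions": "quarantine",
    "prohibited_app": "deny",
}


@dataclass
class Endpoint:
    """Test results gathered from a device when it attempts to connect."""
    hostname: str
    service_pack: int
    av_installed: bool
    av_definitions_date: Optional[str]        # ISO date of last update, or None
    running_processes: Set[str] = field(default_factory=set)


def run_tests(ep: Endpoint, today_iso: str) -> List[str]:
    """Return the names of the tests the endpoint fails (empty = compliant)."""
    today = date.fromisoformat(today_iso)
    failed: List[str] = []
    # (1) required software: service pack level and up-to-date anti-virus
    if ep.service_pack < MIN_SERVICE_PACK:
        failed.append("service_pack")
    if not ep.av_installed:
        failed.append("av_installed")
    elif ep.av_definitions_date is None:
        failed.append("av_definitions")
    else:
        age = (today - date.fromisoformat(ep.av_definitions_date)).days
        if age > MAX_AV_DEFINITION_AGE_DAYS:
            failed.append("av_definitions")
    # (2) prohibited applications: compare case-insensitively
    if {p.lower() for p in ep.running_processes} & PROHIBITED_PROCESSES:
        failed.append("prohibited_app")
    return failed


def access_decision(ep: Endpoint, today_iso: str) -> Tuple[str, List[str]]:
    """Answer "is it safe to give this device access?" with permit, quarantine or deny.

    The strictest action among the failed tests wins: a device running a
    prohibited application is denied even if its other failures could be
    remediated in quarantine.
    """
    failed = run_tests(ep, today_iso)
    if not failed:
        return "permit", failed
    actions = {FAIL_ACTION[t] for t in failed}
    return ("deny" if "deny" in actions else "quarantine"), failed


if __name__ == "__main__":
    today = "2006-01-15"  # constructed reference date
    sample = [            # constructed endpoints
        Endpoint("desk-01", 2, True, "2006-01-14"),
        Endpoint("lap-07", 1, True, "2005-12-01"),
        Endpoint("contractor-3", 2, True, "2006-01-15", {"Kazaa.exe"}),
        Endpoint("guest-9", 2, False, None),
    ]
    for ep in sample:
        decision, failed = access_decision(ep, today)
        print(f"{ep.hostname:14} {decision:10} failed={failed}")
```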
Keep in mind the ongoing evolution of your network when assessing these technologies. Scalability may be an issue on rapidly expanding and highly dynamic networks.

LEVEL 3: HOST SECURITY

In the layered-security model, the host level pertains to the individual devices, such as servers, desktops, switches, routers, etc., on the network. Each device has a number of configurable parameters that, when set inappropriately, can create exploitable security holes. These parameters include registry settings, services (applications) operating on the device, or patches to the operating system or important applications.

The following technologies provide security at the host level:

Host-based intrusion detection systems (IDSs)
Host-based IDSs perform similarly to network IDSs, the key difference being that they monitor traffic on a single network device. Host-based IDSs are fine-tuned to the specific operational characteristics of the host device and therefore provide a high degree of protection when properly administered.

Host-based vulnerability assessment (VA)
Host-based VA tools scan a single network device for security vulnerabilities. Host-based VA tools are fine-tuned to the devices they monitor. They are extremely accurate and make minimal demands on the host's resources. Because they are configured specifically for the host device, they provide an excellent level of coverage when properly administered.

Network access control
Network access control solutions do double duty, protecting both the network (as discussed in the previous section) and individual hosts. These solutions continually check the host for harmful applications and infections and also verify that required security measures, such as anti-virus and personal firewalls, are installed and up to date.

Anti-virus
Device-specific anti-virus applications provide an additional layer of protection when used in conjunction with network-based anti-virus tools.

Access control/authentication
Access control measures at the device level are a best-practice that ensures device access is granted to authorized users only. Again, there is likely to be a high level of interaction between network access-control measures and host access-control measures.

PROS
These host-based technologies provide excellent protection because they are configured to meet the specific operational characteristics of a single device. Their accuracy and responsiveness to the host environment allow administrators to quickly identify which device settings require updating to ensure secure operation.

CONS
Host-based systems can be extremely time-consuming to deploy and manage. Because they need to be continually monitored and updated, they often consume an inordinate number of man-hours to manage properly. Installation is often difficult, and a considerable effort is often required to fine tune them to the host device. Also, the more operating systems you have on your network (i.e., the more heterogeneous the network), the more expensive a host-based approach becomes, and the more difficult these devices are to manage. Also, with a large number of host-based security devices on a network, the number of alerts and false positives can be enormous.

CONSIDERATIONS
Because of their expense and administrative overhead, host-based devices should be deployed judiciously. As a rule of thumb, most organizations install these measures only on the 'crown jewels' of their network. The exception to this rule is a network access control solution, which will often be deployed to cover every desktop and laptop that attempts to gain access to the network.

LEVEL 4: APPLICATION SECURITY

Application-level security is currently receiving a great deal of attention. Poorly protected applications can provide easy access to confidential data and records. The hard truth is that most programmers don't code with security in mind. This is a historical problem with many commercial-off-the-shelf (COTS) applications. You may become aware of security shortcomings in the software, yet you may be powerless to correct them.

Applications are being placed on the Web for access by customers, partners or even remote employees with increasing frequency. These applications, such as sales force, customer relationship management, or financial systems, can provide a ready target to individuals with malicious intent. Therefore, it is especially important to impose a comprehensive security strategy for each network application.

The following technologies provide security at the application level:

Application shield
An application shield is frequently referred to as an application-level firewall. It ensures that incoming and outgoing requests are permissible for the given application. Commonly installed on Web servers, email servers, database servers, and similar machines, an application shield is transparent to the user but highly integrated with the device on the backend. An application shield is finely tuned to the host device's expected functionality. For example, an application shield on an email server would likely be configured to prohibit an incoming mail message from automatically launching any executables, because that is not a typical or necessary email function.

Access control/authentication
Like network- and device-level authentication, only authorized users are able to access the application.
Input validation
Input validation measures verify that application input traveling across your network is safe to process. Although this is crucially important for Web-based input, any interaction between people and a user interface can produce input errors or be exploited if the proper security measures are not in place. In general, any interactions with your Web server should be considered unsafe.

As an example, consider a Web form with a zip code field. The only acceptable input from this field should be five characters, digits only. All other input should be denied and produce an error message when submitted. Input validation should occur at multiple levels. In this example, JavaScript could initially perform browser-based validation on the client side, while CGI-bin validation controls could be put in place on the Web server. Additional rules of thumb include:

- Filter key words. Common command-related terms, such as insert, should be checked for and prohibited.
- Only accept data that's expected for a given field. For example, a 75-character first name is not standard input.

PROS
Application-level security measures enhance your overall security posture and allow you to better control your applications. They also provide a higher level of accountability as many of the actions monitored by these measures are logged and traceable.

CONS
Implementing comprehensive application-level security can be an expensive endeavor as each application and its host device must be assessed, configured, and managed individually. Also, retrofitting a network with application security can be a daunting and impractical task. The earlier you can implement policies for incorporating these measures, the more efficient and less expensive the process will be.

CONSIDERATIONS
The key considerations are prioritizing your applications and planning for the long term. Implement security on the applications where you'll get the most bang for your buck. Long-term planning allows you to implement security measures in a controlled way as your network grows and avoids the additional expenses that retrofitting will likely require.

LEVEL 5: DATA SECURITY

Data-level security entails a blend of policy and encryption. Encrypting data where it resides and as it travels across your network is a recommended best practice because, if all other security measures fail, a strong encryption scheme protects your proprietary data.

Data security is highly dependent on organization-wide policies that govern who has access to data, what authorized users can do with it, and who has ultimate responsibility for its integrity and safekeeping. Determining the owner and the custodian of the data lets you identify the appropriate access policies and security measures that should be applied.

The following technologies provide security at the data level:

Encryption
Data encryption schemes are commonly implemented at the data, the application, and the operating-system levels. Almost all schemes involve encryption/decryption keys that all parties accessing the data must have. Common encryption strategies include PKI, PGP, and RSA.

Access control/authentication
Like network-, host-, and application-level authentication, only authorized users are given access to the data.

PROS
Encryption provides a proven method for safeguarding your data. Should intruders compromise all other security measures on your network, encryption provides a final, effective barrier protecting your proprietary information and intellectual property.

CONS
There is overhead associated with encrypting and decrypting the data, which can result in significant performance impacts. Also, key management can become an administrative burden in large or growing organizations.

CONSIDERATIONS
In-depth data encryption must be carefully managed. Encryption keys must be set and synchronized for all affected devices and applications. As such, a fair amount of management overhead is required for an effective encryption program.

THE STILLSECURE SUITE: DESIGNED FOR LAYERED SECURITY

The StillSecure suite of network security products allows you to implement effective layered security beyond the minimal measures provided by your anti-virus and firewall. The StillSecure suite has been designed specifically to meet today's top security priorities:

- Preventative security
- Regulatory and internal policy compliance
- Protection from attack in real time

If you currently have security measures in place on your network, the StillSecure suite leverages your existing security investments and greatly enhances the depth of your network defenses. If you have minimal or inadequate measures in place, StillSecure products provide immediate security and give you a running start on building a comprehensive layered-security system. The StillSecure suite includes:

- StillSecure Safe Access - network access control solution
- StillSecure VAM - network vulnerability management platform
- StillSecure Strata Guard - network intrusion detection/prevention system (IDS/IPS)
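Returning to the Level 4 input-validation example (a Web form with a zip code field and a first name field), here is the server-side check carried through as an added example, not code from the white paper: a five-digit-only zip code, a length limit on the first name, filtering of command-related key words such as insert, and rejection of any data not expected for a given field. The field names, the 40-character name limit and the key words beyond insert are assumptions made for this example; client-side JavaScript may run the same checks first, but the server must repeat them because anything the client does can be bypassed.

```python
"""Server-side (CGI-style) input validation for a Web form.

Added example; not code from the white paper. The submitted body is the
usual application/x-www-form-urlencoded string a CGI program reads from
stdin. Field names, the 40-character name limit and the key-word list
beyond "insert" are assumptions for this example.
"""
import re
from typing import Callable, Dict, List
from urllib.parse import parse_qs

# Zip code: exactly five characters, digits only (the paper's rule).
ZIP_RE = re.compile(r"^[0-9]{5}$")
# First name: letters, apostrophe, hyphen and space, at most 40 characters
# (limit assumed; the paper only says a 75-character name is not standard).
NAME_MAX_LEN = 40
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]*$")
# Command-related terms to check for and prohibit in free-text fields.
# "insert" comes from the paper; the others are added for this example.
COMMAND_WORDS = {"insert", "select", "update", "delete", "drop"}
WORD_RE = re.compile(r"[A-Za-z]+")


def contains_command_word(value: str) -> bool:
    """True if any whole word in value is a prohibited command term (case-insensitive)."""
    return any(w.lower() in COMMAND_WORDS for w in WORD_RE.findall(value))


def validate_zip(value: str) -> List[str]:
    return [] if ZIP_RE.fullmatch(value) else ["zip: must be exactly five digits"]


def validate_first_name(value: str) -> List[str]:
    errors: List[str] = []
    if len(value) > NAME_MAX_LEN:
        errors.append(f"first_name: longer than {NAME_MAX_LEN} characters is not standard input")
    elif not NAME_RE.fullmatch(value):
        errors.append("first_name: only letters, apostrophes, hyphens and spaces are accepted")
    if contains_command_word(value):
        errors.append("first_name: contains a prohibited key word")
    return errors


# Only these fields are expected; each has its own allow-list validator.
VALIDATORS: Dict[str, Callable[[str], List[str]]] = {
    "zip": validate_zip,
    "first_name": validate_first_name,
}


def validate_form(body: str) -> Dict[str, List[str]]:
    """Validate a submitted form body.

    Returns {} when every expected field is present and acceptable; otherwise
    a mapping of field name to error messages for the response page. Fields
    the form does not define are rejected too, because only data that is
    expected for a given field should be accepted.
    """
    fields = parse_qs(body, keep_blank_values=True)
    errors: Dict[str, List[str]] = {}
    for name in VALIDATORS:
        if name not in fields:
            errors[name] = [f"{name}: missing"]
    for name, values in fields.items():
        if name not in VALIDATORS:
            errors[name] = [f"{name}: unexpected field"]
        elif len(values) != 1:
            errors[name] = [f"{name}: must be submitted exactly once"]
        else:
            field_errors = VALIDATORS[name](values[0])
            if field_errors:
                errors[name] = field_errors
    return errors


if __name__ == "__main__":
    # Constructed submissions: one valid, one with a four-digit zip, one with
    # a 75-character first name, and one smuggling a command word.
    for body in ("zip=80301&first_name=Mitchell",
                 "zip=8030&first_name=Mitchell",
                 "zip=80301&first_name=" + "A" * 75,
                 "zip=80301&first_name=Bob%3B%20insert%20x"):
        print(body[:40], "->", validate_form(body) or "accepted")
```

Validation of this kind limits what reaches the application; it does not replace parameterized database queries, which are the direct defense against injection.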
The following sections introduce you to these best-of-breed products.

SAFE ACCESS

Safe Access protects the network by ensuring endpoint devices are free from threats and in compliance with IT security policies before they are allowed on the network. An award-winning access control solution, Safe Access protects the network from the damage a single compromised or infected endpoint can unleash. Safe Access functions at Levels 2 (network) and 3 (host) of the layered security model.

With multiple, flexible testing and enforcement options, Safe Access integrates seamlessly into virtually any network environment (Figure 4). Safe Access controls network access for the full range of user types including trusted and untrusted, foreign and internal, remote, and wireless endpoints.

Safe Access is a flexible, integratable solution, offering:

- Purpose-built network access control engine
- True agent-less endpoint testing option; no software installed on or downloaded to the endpoint
- Multiple enforcement options: 802.1x, Inline, DHCP, and enforcement through Cisco's NAC architecture
- Integration in the IT environment through the StillSecure Enterprise Integration Framework
- Deep endpoint testing with hundreds of off-the-shelf tests
- Compatibility with heterogeneous network infrastructure; no hardware upgrades required
- Comprehensive coverage of user types: network users, visitors, partners, remote users, etc. (LAN, VPN, RAS, and WiFi connections)

Using Safe Access, administrators create Access policies that: (1) Define which applications and services are permitted and (2) Specify the actions to be taken when devices do not comply. Safe Access automatically applies access policies to devices as they log onto the network. It answers the question: Is it safe to give this device access?

Based on test results, devices are either permitted or denied network access or quarantined to a specific part of the network, thus enforcing organizational security standards. Enforcement is accomplished through multiple methods as shown in Figure 4. Safe Access tracks all testing and connection activity and produces a range of reports for auditors, managers, and IT staff. It is available as software or a preconfigured hardware appliance.

Figure 4. Safe Access offers four enforcement options (802.1x enforcement, DHCP enforcement (network and endpoint based), inline enforcement, and enforcement through Cisco's NAC architecture) that allow for seamless deployment on all network architectures. Endpoints that pass Safe Access testing are allowed onto the network; endpoints that fail are denied access or placed into quarantine, thereby protecting the network from the threats posed by non-compliant, non-secure devices.

VAM

The StillSecure VAM vulnerability management platform identifies, tracks, and manages the repair of network vulnerabilities across the enterprise. Functioning on Level 2 (Network) of the layered security model, VAM mitigates the risk of network exploitation through end-to-end vulnerability lifecycle management.

VAM serves as your vulnerability command and control center, delivering:

- Systematic vulnerability scanning: fast, accurate, comprehensive, with minimal network impact
- Automated, scheduled device discovery and network mapping; fully configurable, tunable
- Extensible Vulnerability Repair Workflow: automatic assignment of repairs and scheduling, lifecycle tracking, automated repair verification, detailed device histories
- Technical and management reporting
10. 9 of 11 VAM is available as software or as preconfigured
hardware appli- Trending and workflow analysis ance. VAM can be
deployed as a turnkey vulnerability management Multi-user,
role-based permissions/access system or as a management platform
integrated with Distributed architecture for large organizations;
existing IT systems. centralized data warehousing Full integration
with existing IT systems through STRATA GUARD Enterprise
Integration Framework suite of open APIs Strata Guard is an
award-winning family of network-based intrusion As an integrated
vulnerability management platform, VAM goes detection/prevention
systems (IPS/IDS) that provide real-time, zero- well beyond the
routine scanning and reporting offered by simple day protection
from network attacks and malicious traffic. With four vulnerability
scanners. Effective vulnerability management must different models
and two deployment options, Strata Guard protects take into account
regulatory/compliance requirements, the dimin- your enterprise from
the network perimeter to the core, including ishing time between
the identification of a vulnerability and its remote and internal
segments (as shown in Figure 6). exploitation, and the need to
maximize the efficiency of finite IT resources. VAM meets the
challenges of todays demanding Functioning on Level 2 (network) of
the layered security model, security environment, offering: Strata
Guard employs six distinct attack-detection technologies for
Regulatory compliance: VAM ensures and demonstrates comprehensive
network protection. With signature-based and (through comprehensive
reporting and device histories) behavior-based attack detection,
deep packet inspection, and the integrity of systems housing
sensitive information protocol anomaly analysis, Strata Guard
terminates network-, Integration with existing critical IT systems
and application-, and service-level attacks including worms,
trojans, processes, such as trouble ticketing, patch management,
spyware, port scans, DoS and DDoS attacks, server exploit attempts,
network management, and other security-related and viruses before
they infiltrate the network and systems cause real damage.
Extensibility to accommodate organization-specific requirements and
business flows Beyond blocking malicious attacks, Strata Guard
enforces your net- An open, distributed architecture that scales
seamlessly work usage polices and can block peer-to-peer file
sharing, instant to global, enterprise-wide deployments, yet offers
messaging, chat, prohibited browsing activity, and worm centralized
Web-based management (shown in Figure 5) propagation. It detects
anomalous activity such as spoofed attack VAM Central Server
includes onboard scanner VAM Distributed Scanner VAM Distributed
Scanner VAM Distributed Scanner Figure 5. VAM employs a distributed
scanning architecture. All scanning and repair activities are
securely controlled and coordinated through the VAM Central Server.
Distributed Scanners are deployed as needed to load balance and to
scan remotely. Access to the Central Server is through the
Web-based VAM console, providing flexible anytime, anywhere
management. Where appropriate, multiple Central Servers can be
managed through a single master Central Server. Copyright 2002-2006
StillSecure. All rights reserved.
11. 10 of 11 Figure 6. Strata Guard, represented by the stop
light, secures the connections that expose your organization to
attack: at the perimeter, internal- ly, on links to remote offices,
partners, and vendors, and on wireless LAN segments. source
addresses, TCP state verification, and rouge services running
DEFENDING AGAINST COMMON THREATS AND ATTACKS on the network. Figure
7 demonstrates how the layered-security approach protects against
common threats and attacks. The figure shows how each Highly
automated, Strata Guard is designed for ease of use and level plays
a key role in contributing to comprehensive, effective streamlined
administration and management. Through its multi- network security.
The shaded regions indicate where Strata Guard layered Dynamic
Attack Qualification technologies, Strata Guard and VAM products
function in the layered-security model. The com- eliminates
false-positives. Its multi-node, multi-user management mon threats
presented in Figure 7 include: capabilities allow for
enterprise-wide deployments and provide appropriate levels of
control for all users requiring access to Web server attacks Web
server attacks encompass a wide security data. variety of problems
with nearly every Web server available. From simple page
defacement, to remote system compromise, to Strata Guard is
available as software or as a preconfigured hardware a complete
denial of service (DOS), Web server attacks are one appliance. of
the most common attacks today. Code Red and Nimda are well known
Web server attacks. The StillSecure Suite P = Prevents 1. Perimeter
2. Network 3. Host 4. Application 5. Data Strata Guard prevents the
attack. Common network attacks D = Detects Web server attacks P D P
D D D VAM detects the enabling vulnerability and prevents
Unauthorized Internet mail relaying P D P D D D attack through
remediation. System-level remote host compromise P D P D E D E D
Unauthorized P2P / IM usage P D P D E D E D E = Enforces SafeAccess
enforces compliance with Unauthorized internet services available P
D P D E D E D security ploicy, ensuring compromised Virus, worm,
spyware detection P D P D D E D devices cant access the network
Figure 7. Each level contributes to the security of your network.
Functioning on levels 1 to 4, StillSecure products defend against
these common threats and others, as the shaded region indicates.
Copyright 2002-2006 StillSecure. All rights reserved.
12. 11 of 11 Unauthorized internet mail relaying Improperly
configured CONCLUSION Internet email servers are a common cause of
email spam. Many spam-generating companies specialize in finding
these servers Hackers and cyber terrorists are launching network
attacks with and send hundreds if not thousands of spam messages
through increasing frequency and sophistication. The traditional
approach to them. security namely a firewall combined with an
anti-virus is incapable of protecting you from todays advanced
threats. System-level remote host compromise A number of
vulnerabili- ties provide an attacker with remote control of the
compromised You can, however, erect a formidable defense by
implementing system. Most often this type of remote control is at
the system level, network security using a layered approach. By
selectively installing giving the attacker the same privileges as
the local system security measures on five levels within your
network environment administrator. (perimeter, network, host,
application, and data), you can adequately protect your digital
assets and greatly reduce your exposure to a Unauthorized P2P / IM
usage Most corporations have in catastrophic network breach. The
StillSecure suite of integrated place an acceptable-use policy that
prohibits the use of peer- network security software products are
the bedrock on which an to-peer (P2P) applications as well as
instant messaging (IM) effective layered security strategy is
erected. applications. Each type of application poses various
significant threats to the corporation such as remote exploitation
of the P2P or IM application itself, or improper allocation of
corporate resources in regard to the bandwidth being used.
Unauthorized Internet services available The ability to easily
deploy a Web server or other Internet service on ones desktop poses
a potential threat due to the risk of unintentional information
disclosure. Often such services go undetected, all the while
operating under the radar of most organizations. Virus activity
detection While anti-virus (A/V) software is particularly adept at
detecting viruses, A/V software is not designed to detect virus
activity. Be it a new service available for remote control or an
active process searching for other hosts to detect, a network IDS
deployment is well suited to detect this type of activity.
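The "Virus activity detection" item above says a network IDS is well suited to spotting an infected host searching for other hosts. As an added illustration (not StillSecure's or Strata Guard's code), the Python below applies that idea to constructed flow records: it flags any source that reaches an unusually large number of distinct destination hosts on one port within a short window, the fan-out pattern of worm propagation or a host sweep. The hosts, ports, timestamps, window and threshold are all constructed or assumed values.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    ts: float   # seconds (constructed values below)
    src: str    # source host
    dst: str    # destination host
    dport: int  # destination port


def detect_fanout(flows, window=60.0, threshold=20):
    """Return one alert per (src, dport) whose count of distinct destination
    hosts within any `window`-second span reaches `threshold` (worm-style
    propagation or a host sweep). `active` maps dst -> flows currently in
    the window, so len(active) is the distinct-destination count."""
    by_key = defaultdict(list)
    for f in sorted(flows, key=lambda f: f.ts):
        by_key[(f.src, f.dport)].append(f)
    alerts = []
    for (src, dport), fl in by_key.items():
        active, start = defaultdict(int), 0
        for end, f in enumerate(fl):
            active[f.dst] += 1
            while f.ts - fl[start].ts > window:  # expire flows outside the window
                old = fl[start].dst
                active[old] -= 1
                if active[old] == 0:
                    del active[old]
                start += 1
            if len(active) >= threshold:
                alerts.append({"src": src, "dport": dport, "distinct_dsts": len(active),
                               "first_ts": fl[start].ts, "last_ts": f.ts})
                break  # one alert per (src, dport) is enough
    return alerts


def sample_flows():
    """Constructed records: normal browsing, a fast SMB sweep, and a slow one."""
    flows = [Flow(10.0 + i, "10.0.0.5", f"203.0.113.{i}", 80) for i in range(5)]
    flows += [Flow(100.0 + 0.2 * i, "10.0.0.7", f"10.0.1.{i + 1}", 445) for i in range(30)]
    flows += [Flow(200.0 + 150.0 * i, "10.0.0.9", f"10.0.2.{i + 1}", 445) for i in range(25)]
    return flows


if __name__ == "__main__":
    for a in detect_fanout(sample_flows()):
        print(f"fan-out: {a['src']} reached {a['distinct_dsts']} hosts on port {a['dport']}")
```

Only the fast sweep from 10.0.0.7 trips the default settings; the slow host stays under the per-window threshold, which is the trade-off any rate-based detector makes between window length and sensitivity.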
StillSecure, StillSecure logo, Strata Guard, VAM, and Safe Access are trademarks or registered trademarks of StillSecure. Additional StillSecure trademarks or registered marks are available at http://www.stillsecure.com/policies/copyright.php. All other brands, company names, product names, trademarks or service marks are the property of their respective owners.

StillSecure, 100 Superior Plaza Way, Suite 200, Superior, CO 80027. O 303.381.3800, F 303.381.3880, www.stillsecure.com