LAYERED NETWORK SECURITY 2006:

1. White paper LAYERED NETWORK SECURITY 2006: A best-practices approach Prepared by: Mitchell Ashley CTO and VP of Customer Experience StillSecure January 2006 Copyright 2002-2006 StillSecure. All rights reserved.

2. 1 of 11 Table of Contents Introduction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 Increasing the hackers work factor . . . . . . . . . . . . . . . . . . . . . . . . .2 The layered-security model . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .2 Level 1: Perimeter security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 Pros: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 Cons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 Considerations: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .3 Level 2: Network security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .4 Pros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 Cons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .5 Level 3: Host security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 Pros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 Cons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 Level 4: Application security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .6 Pros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 Cons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 Level 5: Data security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 Pros . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 Cons . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 Considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .7 The StillSecure suite: designed for layered security . . . . . . . . . . . . .7 Safe Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8 VAM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .8 Strata Guardd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .9 Defenfing against common threats and attacks . . . . . . . . . . . . . . .10 Conclusion . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .11 About the author Mitchell Ashley is Chief Technology Officer and Vice President of Customer Experience at StillSecure. He is responsible for product strategy and development of the StillSecure suite of network security software. Mr. Ashley has more than 20 years of experience in data networking, network security and software development. He is a graduate of the University of Nebraska, with a Bachelor of Science degree in Computer Science and Business Administration. Copyright 2002-2006 StillSecure. All rights reserved.

3. 2 of 11 INTRODUCTION plan can be a straightforward exercise. Furthermore, with the best- practices approach introduced in this paper, you can erect effective Network security is a mission-critical concern for enterprises, barriers without breaking your budget. government agencies, and organizations of all sizes. Todays advanced threats demand a methodical approach to network security. In many industries enhanced security is not an option INCREASING THE HACKERS WORK FACTOR its mandatory. Federal regulations such as Sarbanes-Oxley, HIPAA, GLBA, and others require organizations such as financial Network security professionals speak in terms of work factor, institutions, health care providers, and federal agencies to which is an important concept when implementing layered security. implement stringent security programs to protect digital assets. Work factor is defined as the effort required by an intruder to compromise one or more security measures, which in turn allows the This paper introduces you to a layered approach for securing your network to be successfully breached. A network with a high work network. The layered approach is both a technical strategy, espous- factor is difficult to break into, while a network with a low work fac- ing adequate measures be put in place at different levels within tor can be compromised relatively easily. If hackers determine that your network infrastructure, and an organizational strategy, requir- your network has a high work factor, which is a benefit of the lay- ing buy-in and participation from the board of directors down to ered approach, they are likely to move on and seek the shop floor. networks that are less secure and thats exactly what you want them to do. The layered-security approach centers on maintaining appropriate security measures and procedures at five different levels within your The security technologies discussed in this paper collectively repre- IT environment: sent a best-practices approach for securing your digital assets. 1. Perimeter In an ideal world you would have the budget and the resources to 2. Network implement all the measures we discuss. Unfortunately, we dont live 3. Host in an ideal world. As such, you should evaluate your network how 4. Application it is used, the nature of the data stored, who requires access, its rate 5. Data of growth, etc. and then implement a blend of security measures that provides the highest level of protection given your available In this paper, well define each of these levels and provide an resources. overview of the various security measures that operate on each. Our goal is to provide a foundation-level understanding of network security and suggest a best-practices approach to THE LAYERED-SECURITY MODEL protecting digital assets. Our target audience includes IT professionals, business managers, and high-level decision-makers. Figure 1 presents the layered-security model and some of the technologies that function at each level. These technologies are dis- Protecting your proprietary information does not require dozens of cussed in more detail in the sections that follow. specialized solutions or unlimited funds. With an understanding of the overall problem, creating both a strategic and tactical security Security level Applicable security measures Firewall 1. Perimeter Network-based anti-virus VPN encryption Intrusion detection /prevention system (IDS/IPS) 2. Network Vulnerability management system Network access control Access control /user authentication Host IDS 3. Host Host vulnerability assessment (VA) Network access control Anti-virus Access control/user authentication Application shield 4. Application Access control/user authentication Input validation Figure 1. The security levels in the 5. Data Encryption layered approach and the technologies that Access control/user authentication function on each. Copyright 2002-2006 StillSecure. All rights reserved.

4. 3 of 11 LEVEL 1: PERIMETER SECURITY The perimeter is the first line of defense from outside, from spreading virus-infected email. Network-based anti-virus is a un-trusted networks. The perimeter acts as the first complement to anti-virus protection performed on your email server and last point of contact for security defenses protecting and individual desktop computers. To work effectively, the database the network. It is the area where your network ends of known viruses must be kept up to date. and the Internet begins. The perimeter consists of one or more firewalls and a set of strictly controlled servers located in a portion of VPN A virtual private network (VPN) uses high-level encryption the perimeter referred to as the DMZ (demilitarized zone). A DMZ to create a secure connection between remote devices, such as typically contains the Web servers, email gateways, network anti- laptops, and the destination network. It essentially creates an virus, and DNS servers that must be exposed to the Internet. The encrypted tunnel across the Internet, approximating the security firewall has strict rules about what can enter inside the network as and confidentiality of a private network. A VPN tunnel can terminate well as rules about how servers in the DMZ can interact with the on a VPN-enabled router, firewall, or server within the DMZ. Internet and the inside network. Enforcing VPN connections for all remote and wireless network segments is an important best-practice that is relatively easy and The network perimeter, in short, is your gateway to the outside inexpensive to implement. world and, conversely, the outside worlds gateway to your network. A compromised network perimeter can cripple your ability to con- PROS duct business. For example, if your organization relies on your Web These well established perimeter-level technologies have been servers for revenue generation, and those servers have been hacked available for many years, and most IT professionals are well and are off-line, you lose money for every minute they are down. acquainted with their capabilities and operational requirements. Therefore, they are straightforward and cost effective to implement. The following technologies provide security at the network perimeter: A range of vendors offer solid solutions for these technologies, and most are reasonably priced. Firewall A firewall is typically installed on a server connected to the inside and the outside of the network perimeter (see Figure 2). A firewall performs three general functions; 1) traffic control, 2) CONS Because these systems are quite basic and have been available for address translation, and 3) VPN termination. The firewall performs some time, most sophisticated hackers have figured ways around traffic control by examining the source and destination of all incoming them. An anti-virus tool, for example, cannot detect a virus unless and outgoing network traffic; it ensures that only permissible it already has the virus signature or if the virus is embedded within requests are allowed through. Additionally, firewalls help secure the an encrypted file. Although VPN provides effective encryption, it network by translating internal IP addresses to IP addresses that are does impose an administrative burden on your IT staff, as encryp- visible to the Internet. This prevents the disclosure of critical tion keys and user groups must be managed on an ongoing basis. information about the structure of the network inside the firewall. Additionally VPNs dont protect you from infected devices or A firewall can also terminate VPN tunnels (discussed below.) These malicious traffic using the VPN connection. three capabilities make a firewall an indispensable part of your network security. CONSIDERATIONS Network-based anti-virus Installed in the DMZ, network-based The complexity of your network architecture can have a considerable anti-virus software compares incoming and outgoing email message impact on the effectiveness of these technologies. Multiple external content to a database of known virus profiles. Network-based anti- connections, for example, would likely require multiple firewalls and virus products block infected email traffic by quarantining suspicious anti-virus instances. Architecting all of your connections to termi- and infected email messages and then notifying recipients and nate in a common area allows a single instance of a given technology administrators. This prevents email infected with a virus from enter- to provide effective coverage. ing and spreading across your network, and it prevents your network All allowed traffic is passed through the firewall LAN Router traffic Internet Firewall DMZ Figure 2. A typical firewall installation. Copyright 2002-2006 StillSecure. All rights reserved.

5. 4 of 11 The types of devices located in your DMZ are also an important Intrusion detection systems (IDSs) and intrusion prevention factor. How critical are these devices to your business? The higher systems (IPSs) IDS and IPS technologies analyze traffic moving the criticality, the more stringent security measures and the policies across your network in much greater detail than your firewall. that govern these devices must be. Similar to anti-virus systems, IDS and IPS devices analyze traffic and compare each packet to a database of known attack profiles. The difference is that anti-virus inspects files on the system, where LEVEL 2: NETWORK SECURITY as IDS/IPS inspects packets within network traffic. When attacks are detected, IDS/IPS technologies take action. IDS tools alert your IT The network level of the layered-security model refers staff that an attack has occurred; IPS tools go a step further and to your internal LAN and WAN.Your internal network automatically block the harmful traffic. may include desktops and servers or may be more complex with point-to-point frame relay connections to IDSs and IPSs have many characteristics in common. In fact, remote offices. Most networks today are fairly open most IPSs have an IDS at their core. The key difference between the behind the perimeter; once inside, you can travel across the technologies is implied by their names: IDS products only detect network unimpeded. This is especially true for most small- to malicious traffic, while IPS products prevent such traffic from medium-size organizations, which makes them tempting targets entering your network. Standard IDS and IPS network for hackers and other malicious individuals. configurations are show in Figure 3. The following technologies provide security at the network level: Vulnerability management Vulnerability management systems perform two related functions: (1) they scan the network for External interface listens for traffic IDS and detects attacks LAN Router Internet Firewall Intrusion detection system (IDS) Firewall signals are sent External interface to dynamically block listens for traffic incoming attacks IPS and detects attacks x malicious traffic LAN Router Internet traffic Firewall Intrusion prevention system (out-of-band configuration) The IPS device automatically blocks attacks before they enter the network x malicious traffic LAN IPS Router Internet traffic Firewall Intrusion prevention system (in-line configuration) Figure 3. Typical IDS/IPS installations Copyright 2002-2006 StillSecure. All rights reserved.

6. 5 of 11 vulnerabilities and (2) they manage the process of repairing the vul- Vulnerability managers automate the process of checking your nerabilities found. In the past, this technology was called "vulnera- network for vulnerabilities. Performing such checks manually bility assessment (VA)", but the technology has evolved to the point with the frequency required to ensure security would be highly where most commercially available systems do more than simply impractical. Also, networks are dynamic. New devices, application assess network devices for vulnerabilities. upgrades and patches, and adding and removing users can all introduce new vulnerabilities. VA tools allow you to scan your Vulnerability managers scan devices on a network for flaws and network frequently and thoroughly for newly introduced vulnerabilities that could be exploited by hackers or harmful traffic. vulnerabilities. They typically maintain a database of rules that identify known vulnerabilities for a range of network devices and applications. Network access control solutions give organizations a high level of During a scan, the system tests each device/application by applying control over the devices that they traditionally have had very little the appropriate rules. control over. Hackers are increasingly looking to exploit endpoints to gain entry to the network, as recent exploits like Mydoom, Sobig, As the name implies, vulnerability managers include features and Sasser attest to. Network access control solutions close this that manage the remediation process. The depth of management dangerous backdoor into the network. features vary greatly among vendors, from simple assignments and notifications to comprehensive integration with patch managers CONS and trouble ticketing systems. Intrusion detection systems (IDSs) have a tendency to produce numerous false alarms, also referred to as false positives. While Network access control - Network access control solutions protect an IDS will likely detect and alert you of an attack, such informa- the network by ensuring that endpoints meet defined security tion could be buried under a mountain of false positive or trivial standards before they are allowed to access the network. This data. IDS administrators can quickly become desensitized to the protects the network from being attacked 'from the inside' via sheer volume of data produced by the system. To be effective, compromised employee desktops and laptops, contractor machines, an IDS must be closely monitored and continually fine-tuned and VPN and RAS devices. to the usage patterns in your environment. Such maintenance typically consumes a fair amount of administrative resources. Endpoint security solutions allow or deny access based on tests run against a device when it attempts to connect. They typically test for The level of automation within intrusion prevention systems (IPSs) (1) required software, such as service paks, up-to-date antivirus can vary significantly among products. Many must be carefully definitions, etc. and (2) prohibited applications, such as file sharing configured and managed to reflect the traffic patterns characteristic and spyware. of the network on which they are installed. Possible side-effects of non-optimized performance include terminating legitimate user Access control/authentication Access control entails authenti- requests and locking out valid network resources. cating users who access your network. Authentication is typically performed against the user information in a RADIUS, LDAP, or Many, but not all, network access control solutions require that an Windows ACTIVE directory. Both users and devices should be agent be installed on each endpoint. This can add a considerable controlled by access control measures at the network level. amount of administrative overhead to deployment and upkeep. Note: In this paper we discuss access control and authentication Access control/authentication technologies may have technical at the network, host, application, and data levels of our layered security limitations. For example, some may not work with all the devices on framework. A considerable amount of overlap and interaction commonly your network, so you may need multiple systems to provide the exists among the access control/authentication schemes that function necessary coverage. Also, multiple vendors market access control across these levels, and authentication can be passed from one level to the systems, and functionality can vary greatly among products. next. Such interaction is usually transparent to the user. While we discuss Implementing an integrated solution across your network may be these concepts briefly in upcoming sections, keep in mind that access difficult. Such a patchwork, multi-product approach may actually control and authentication are sophisticated processes that should be introduce additional vulnerabilities to your network. carefully managed to provide maximum security throughout the network. CONSIDERATIONS PROS The success of network-level security measures is somewhat IDS, IPS, and vulnerability management technologies perform dependent on the speed of your internal network connections. sophisticated analyses on network threats and vulnerabilities. Because IDS/IPS, vulnerability management, and network access Where your firewall allows or disallows traffic based on its ultimate control tools can consume resources on the networks they protect, destination, IPS and IDS tools conduct a much deeper analysis and, increased connection speeds will minimize the impact they have on therefore provide a higher level of protection. With these advanced overall network performance. In implementing these technologies technologies, attacks embedded in legitimate network traffic, which you must consider the trade-off between improved security and can get through a firewall, will be identified and potentially ease of use, as many of these products must be continually managed terminated before damage occurs. to perform effectively, and they may make it less convenient to move around on the network. Copyright 2002-2006 StillSecure. All rights reserved.

7. 6 of 11 CONS Keep in mind the ongoing evolution of your network when Host-based systems can be extremely time-consuming to deploy assessing these technologies. Scalability may be an issue on rapidly and manage. Because they need to be continually monitored expanding and highly dynamic networks. and updated, they often consume an inordinate number of man-hours to manage properly. Installation is often difficult, and a considerable effort is often required to fine tune them to the host LEVEL 3: HOST SECURITY device. Also, the more operating systems you have on your network-i.e., the more heterogeneous the network-the more In the layered-security model, the host level pertains expensive a host-based approach becomes, and the more difficult to the individual devices, such as servers, desktops, these devices are to manage. Also, with a large number of host- switches, routers, etc., on the network. Each device based security devices on a network, the number of alerts and false has a number of configurable parameters that, when positives can be enormous. set inappropriately, can create exploitable security holes. These parameters include registry settings, services CONSIDERATIONS (applications) operating on the device, or patches to the operating Because of their expense and administrative overhead, host-based system or important applications. devices should be deployed judiciously. As a rule of thumb, most organizations install these measures only on the 'crown jewels' of The following technologies provide security at the host level: their network. The exception to this rule is a network access control Host-based intrusion detection systems (IDSs) Host-based solution, which will often be deployed to cover every desktop and IDSs perform similarly to network IDSs the key difference being laptop that attempts to gain access to the network. that they monitor traffic on a single network device. Host-based IDSs are fine-tuned to the specific operational characteristics of the host device and therefore provide a high degree of protection LEVEL 4: APPLICATION SECURITY when properly administered. Application-level security is currently receiving a great Host-based vulnerability assessment (VA) Host-based VA deal of attention. Poorly protected applications can tools scan a single network device for security vulnerabilities. provide easy access to confidential data and records. Host-based VA tools are fine-tuned to the devices they monitor. The hard truth is that most programmers dont code They are extremely accurate and make minimal demands on the with security in mind. This is a historical problem with many hosts resources. Because they are configured specifically for the commercial-off-the-shelf (COTS) applications.You may become host device, they provide an excellent level of coverage when aware of security shortcomings in the software, yet you may be properly administered. powerless to correct them. Network access control - Network access control solutions do Applications are being placed on the Web for access by customers, double duty, protecting both the network (as discussed in the partners or even remote employees with increasing frequency. previous section) and individual hosts. These solutions continually These applications, such as sales force, customer relationship check the host for harmful applications and infections and also management, or financial systems, can provide a ready target to verify that required security measures, such as anti-virus and individuals with malicious intent. Therefore, it is especially personal firewalls are installed and up to date. important to impose a comprehensive security strategy for on each network application. Anti-virus Device-specific anti-virus applications provide an additional layer of protection when used in conjunction with The following technologies provide security at the application level: network-based anti-virus tools. Application shield An application shield is frequently referred to as an application-level firewall. In ensures that incoming and Access control/authentication Access control measures at the outgoing requests are permissible for the given application. device level are a best-practice that ensures device access is granted Commonly installed on Web servers, email servers, database to authorized users only. Again, there is likely to be a high level of servers, and similar machines, an application shield is transparent to interaction between network access-control measures and host the user but highly integrated with the device on the backend. access-control measures. An application shield is finely tuned to the host devices expected PROS functionality. For example, an application shield on an email server These host-based technologies provide excellent protection would likely be configured to prohibit an incoming mail message because they are configured to meet the specific operational from automatically launching any executables, because that is not a characteristics of a single device. Their accuracy and responsiveness typical or necessary email function. to the host environment allow administrators to quickly identify which device settings require updating to ensure secure operation. Access control/authentication Like network- and device- level authentication, only authorized users are able to access the application. Copyright 2002-2006 StillSecure. All rights reserved.

8. 7 of 11 Input validation Input validation measures verify that The following technologies provide security at the data level: application input traveling across your network is safe to process. Encryption Data encryption schemes are commonly implemented Although this is crucially important for Web-based input, any at the data, the application, and the operating-system levels. Almost interaction between people and a user interface can produce input all schemes involve encryption/decryption keys that all parties errors or be exploited if the proper security measures are not in accessing the data must have. Common encryption strategies place. In general, any interactions with your Web server should be include PKI, PGP, and RSA. considered unsafe. Access control/authentication Like network-, and host-, and As an example, consider a Web-form with a zip code field. The application-level authentication, only authorized users are given only acceptable input from this field should be five characters, access to the data. digits only. All other input should be denied and produce an error message when submitted. Input validation should occur at multiple PROS levels. In this example, a Java script could initially perform browser- Encryption provides a proven method for safeguarding your data. based validation on the client side, while CGI-bin validation controls Should intruders compromise all other security measures on your could be put in place on the Web server. Additional rules of thumb network, encryption provides a final, effective barrier protecting include: your proprietary information and intellectual property. Filter key words. Common command-related terms, such as insert,should be checked for and prohibited. CONS Only accept data thats expected for a given field. For There is overhead associated with encrypting and decrypting the example, a 75-character first name is not standard input. data, which can result in significant performance impacts. Also, key management can become an administrative burden in large PROS or growing organizations. Application-level security measures enhance your overall security posture and allow you to better control your applications. They also CONSIDERATIONS provide a higher level of accountability as many of the actions In-depth data encryption must be carefully managed. Encryption monitored by these measures are logged and traceable. keys must be set and synchronized for all affected devices and applications. As such, a fair amount of management overhead is CONS required for an effective encryption program. Implementing comprehensive application-level security can be an expensive endeavor as each application and its host device must be assessed, configured, and managed individually. Also, retrofitting a THE STILLSECURE SUITE: DESIGNED FOR LAYERED network with application security can be a daunting and impractical SECURITY task. The earlier you can implement policies for incorporating these measures, the more efficient and less expensive the process will be. The StillSecure suite of network security products allows you to implement effective layered security beyond the minimal measures CONSIDERATIONS provided by your anti-virus and firewall. The StillSecure suite has The key considerations are prioritizing your applications and been designed specifically to meet today's top security priorities: planning for the long term. Implement security on application where youll get the most bang for your buck. Long-term planning Preventative security allows you to implement security measures in a controlled way Regulatory and internal policy compliance as your network grows and avoids the additional expenses that Protection from attack in real time retrofitting will likely require. If you currently have security measures in place on your network, the StillSecure suite leverages your existing security investments LEVEL 5: DATA SECURITY and greatly enhances the depth of your network defenses. If you have minimal or inadequate measures in place, StillSecure products Data-level security entails a blend of policy and provide immediate security and give you a running start on building encryption. Encrypting data where it resides and as it a comprehensive layered-security system. The StillSecure suite travels across your network is a recommended best includes: practice because, if all other security measures fail, a strong encryption scheme protects your proprietary data. StillSecure Safe Access - network access control solution Data security is highly dependent on organization-wide policies StillSecure VAM - network vulnerability management that govern who has access to data, what authorized users can platform do with it, and who has ultimate responsibility for its integrity and StillSecure Strata Guard - network intrusion detection/ safekeeping. Determining the owner and the custodian of the data prevention system (IDS/IPS) lets you identify the appropriate access policies and security measures that should be applied. Copyright 2002-2006 StillSecure. All rights reserved.

9. 8 of 11 The following sections introduce you to these best-of-breed Using Safe Access, administrators create Access policies that: products. (1) Define which applications and services are permitted and (2) Specify the actions to be taken when devices do not SAFE ACCESS comply. Safe Access automatically applies access policies Safe Access protects the network by ensuring endpoint devices are to devices as they log onto the network. It answers the free from threats and in compliance with IT security policies before question: Is it safe to give this device access? they are allowed on the network. An award-winning access control solution, Safe Access protects the network from the damage a Based on test results, devices are either permitted or denied net- single compromised or infected endpoint can unleash. Safe Access work access or quarantined to a specific part of the network, thus functions at Levels 2 (network) and 3 (host) of the layered enforcing organizational security standards. Enforcement is accom- security model. plished through multiple methods as shown in Figure 4. Safe Access tracks all testing and connection activity and produces a With multiple, flexible testing and enforcement options, Safe Access range of reports for auditors, managers, and IT staff. It is available integrates seamlessly into virtually any network environment as software or a preconfigured hardware appliance (Figure 4, below). Safe Access controls network access for the full range of user types including trusted and untrusted, foreign and VAM internal, remote, and wireless endpoints. The StillSecure VAM vulnerability management platform identifies, Safe Access is a flexible, integratable solution, offering: tracks, and manages the repair of network vulnerabilities across the Purpose-built network access control engine enterprise. Functioning on Level 2 (Network) of the layered security True agent-less endpoint testing option; no software model, VAM mitigates the risk of network exploitation through end- installed on or downloaded to endpoint to-end vulnerability lifecycle management. Multiple enforcement options: 802.1x, Inline, DHCP, and enforcement through Cisco's NAC architecture VAM serves as your vulnerability command and control Integration in the IT environment through the StillSecure center, delivering: Enterprise Integration Framework Systematic vulnerability scanning: fast, accurate, Deep endpoint testing with hundreds of off-the-shelf tests comprehensive, with minimal network impact Compatibility with heterogeneous network infrastructure; Automated, scheduled device discovery and network no hardware upgrades required mapping; fully configurable, tunable Comprehensive coverage of user types network users, Extensible Vulnerability Repair Workflow: automatic visitors, partners, remote users etc. (LAN, VPN, RAS, and assignment of repairs and scheduling, lifecycle tracking, WiFi connections) automated repair verification, detailed device histories Technical and management reporting 802.1x enforcement DHCP enforcement (network & endpoint based) Pass Fail Safe Access DHCP server VLAN 802.1x- Switch enabled switch Safe Access Radius server Pass Fail Corporate Network Fail Pass Firewall NAC- enabled router Internet Safe Access Access Safe Access Control Server VPN & RAS Employee-owned Corporate- desktop owned laptop Enforcement through Ciscos NAC architecture Inline enforcement Figure 4. Safe Access offers four enforcement options that allow for seamless deployment on all network architectures. Endpoints that pass Safe Access testing are allowed onto the network; endpoints that fail are denied access or placed into quarantine, thereby protecting the network from the threats posed by non-compliant, non-secure devices. Copyright 2002-2006 StillSecure. All rights reserved.

10. 9 of 11 VAM is available as software or as preconfigured hardware appli- Trending and workflow analysis ance. VAM can be deployed as a turnkey vulnerability management Multi-user, role-based permissions/access system or as a management platform integrated with Distributed architecture for large organizations; existing IT systems. centralized data warehousing Full integration with existing IT systems through STRATA GUARD Enterprise Integration Framework suite of open APIs Strata Guard is an award-winning family of network-based intrusion As an integrated vulnerability management platform, VAM goes detection/prevention systems (IPS/IDS) that provide real-time, zero- well beyond the routine scanning and reporting offered by simple day protection from network attacks and malicious traffic. With four vulnerability scanners. Effective vulnerability management must different models and two deployment options, Strata Guard protects take into account regulatory/compliance requirements, the dimin- your enterprise from the network perimeter to the core, including ishing time between the identification of a vulnerability and its remote and internal segments (as shown in Figure 6). exploitation, and the need to maximize the efficiency of finite IT resources. VAM meets the challenges of todays demanding Functioning on Level 2 (network) of the layered security model, security environment, offering: Strata Guard employs six distinct attack-detection technologies for Regulatory compliance: VAM ensures and demonstrates comprehensive network protection. With signature-based and (through comprehensive reporting and device histories) behavior-based attack detection, deep packet inspection, and the integrity of systems housing sensitive information protocol anomaly analysis, Strata Guard terminates network-, Integration with existing critical IT systems and application-, and service-level attacks including worms, trojans, processes, such as trouble ticketing, patch management, spyware, port scans, DoS and DDoS attacks, server exploit attempts, network management, and other security-related and viruses before they infiltrate the network and systems cause real damage. Extensibility to accommodate organization-specific requirements and business flows Beyond blocking malicious attacks, Strata Guard enforces your net- An open, distributed architecture that scales seamlessly work usage polices and can block peer-to-peer file sharing, instant to global, enterprise-wide deployments, yet offers messaging, chat, prohibited browsing activity, and worm centralized Web-based management (shown in Figure 5) propagation. It detects anomalous activity such as spoofed attack VAM Central Server includes onboard scanner VAM Distributed Scanner VAM Distributed Scanner VAM Distributed Scanner Figure 5. VAM employs a distributed scanning architecture. All scanning and repair activities are securely controlled and coordinated through the VAM Central Server. Distributed Scanners are deployed as needed to load balance and to scan remotely. Access to the Central Server is through the Web-based VAM console, providing flexible anytime, anywhere management. Where appropriate, multiple Central Servers can be managed through a single master Central Server. Copyright 2002-2006 StillSecure. All rights reserved.

11. 10 of 11 Figure 6. Strata Guard, represented by the stop light, secures the connections that expose your organization to attack: at the perimeter, internal- ly, on links to remote offices, partners, and vendors, and on wireless LAN segments. source addresses, TCP state verification, and rouge services running DEFENDING AGAINST COMMON THREATS AND ATTACKS on the network. Figure 7 demonstrates how the layered-security approach protects against common threats and attacks. The figure shows how each Highly automated, Strata Guard is designed for ease of use and level plays a key role in contributing to comprehensive, effective streamlined administration and management. Through its multi- network security. The shaded regions indicate where Strata Guard layered Dynamic Attack Qualification technologies, Strata Guard and VAM products function in the layered-security model. The com- eliminates false-positives. Its multi-node, multi-user management mon threats presented in Figure 7 include: capabilities allow for enterprise-wide deployments and provide appropriate levels of control for all users requiring access to Web server attacks Web server attacks encompass a wide security data. variety of problems with nearly every Web server available. From simple page defacement, to remote system compromise, to Strata Guard is available as software or as a preconfigured hardware a complete denial of service (DOS), Web server attacks are one appliance. of the most common attacks today. Code Red and Nimda are well known Web server attacks. The StillSecure Suite P = Prevents 1. Perimeter 2. Network 3. Host 4. Application 5. Data Strata Guard prevents the attack. Common network attacks D = Detects Web server attacks P D P D D D VAM detects the enabling vulnerability and prevents Unauthorized Internet mail relaying P D P D D D attack through remediation. System-level remote host compromise P D P D E D E D Unauthorized P2P / IM usage P D P D E D E D E = Enforces SafeAccess enforces compliance with Unauthorized internet services available P D P D E D E D security ploicy, ensuring compromised Virus, worm, spyware detection P D P D D E D devices cant access the network Figure 7. Each level contributes to the security of your network. Functioning on levels 1 to 4, StillSecure products defend against these common threats and others, as the shaded region indicates. Copyright 2002-2006 StillSecure. All rights reserved.

12. 11 of 11 Unauthorized internet mail relaying Improperly configured CONCLUSION Internet email servers are a common cause of email spam. Many spam-generating companies specialize in finding these servers Hackers and cyber terrorists are launching network attacks with and send hundreds if not thousands of spam messages through increasing frequency and sophistication. The traditional approach to them. security namely a firewall combined with an anti-virus is incapable of protecting you from todays advanced threats. System-level remote host compromise A number of vulnerabilities provide an attacker with remote control of the compromised You can, however, erect a formidable defense by implementing system. Most often this type of remote control is at the system level, network security using a layered approach. By selectively installing giving the attacker the same privileges as the local system security measures on five levels within your network environment administrator. (perimeter, network, host, application, and data), you can adequately protect your digital assets and greatly reduce your exposure to a Unauthorized P2P / IM usage Most corporations have in catastrophic network breach. The StillSecure suite of integrated place an acceptable-use policy that prohibits the use of peer- network security software products are the bedrock on which an to-peer (P2P) applications as well as instant messaging (IM) effective layered security strategy is erected. applications. Each type of application poses various significant threats to the corporation such as remote exploitation of the P2P or IM application itself, or improper allocation of corporate resources in regard to the bandwidth being used. Unauthorized Internet services available The ability to easily deploy a Web server or other Internet service on ones desktop poses a potential threat due to the risk of unintentional information disclosure. Often such services go undetected, all the while operating under the radar of most organizations. Virus activity detection While anti-virus (A/V) software is particularly adept at detecting viruses, A/V software is not designed to detect virus activity. Be it a new service available for remote control or an active process searching for other hosts to detect, a network IDS deployment is well suited to detect this type of activity. StillSecure 2002-2006 StillSecure. All rights reserved. StillSecure, StillSecure logo, Strata Guard, VAM, and Safe Access are 100 Superior Plaza Way O 303.381.3800 trademarks or registered trademarks of StillSecure. Additional StillSecure trademarks or registered marks are available at http://www.stillsecure.com/policies/copyright.php. All other brands, company names, product names, trademarks or Suite 200 F 303.381.3880 service marks are the property of their respective owners. Superior, CO 80027 www.stillsecure.com

LAYERED NETWORK SECURITY 2006:

Documents