Network security is a multi-faceted business segment that has mushroomed in size and scope over the last decade. The potential threats to a network and its content can come from many different areas, adding levels of complexity to an already daunting problem.
Prior to the Internet, securing a satellite network and its content from real-time invasion was relatively easy; however, the interconnection of satellite-based networks with the World Wide Web has opened a Pandora’s Box of problems.
For many years satellite networks were standalone and not generally interconnected with the outside world. They benefitted from security by obscurity. That is not the case anymore.
There are a handful of different tools network engineers can use to enhance the security of their networks, but regardless of the tools chosen, an effective security strategy begins with an honest assessment of a network and the development of a security policy. Security policies are useless unless they are rigorously adhered to.
Every piece of equipment in a network should, at minimum, have a log-in screen which requires a user name and password to access the device. Consider the risk posed by equipment which can be manipulated simply by plugging some sort of terminal into it. User name and password protection is of little value if you never change them from their factory defaults. Once the defaults are discovered for a piece of hardware, they are posted on hacker bulletin boards.
The following network security tools can be used individually, but they are the most effective when used collaboratively, thereby leveraging their individual benefit.
Firewalls are still the first line of defense against network attacks, and the technology has evolved over the last 15 years through developments by vendors such as Cisco, Juniper, and Check Point. Traditionally, firewalls have been deployed at trust boundaries, the points where private and public networks meet; however, with the widespread use of wireless 802.11 networks, the number of trust boundaries has proliferated, and so has the number of places networks can be attacked.
Originally, firewalls controlled traffic by opening and closing ports designated by the Internet Engineering Task Force (IETF) to correspond to specific applications. Port 80 would control Web browsing, Port 25 would control SMTP traffic, Port 23 would control telnet traffic, and so on. For a while, everyone abided by these rules, but application developers wanted their software usable by broader classes of users. Some ports, such as 80 and 443, are almost always open, and application developers took advantage of this way in and out of the firewall. Applications evolved to a point where most can now find a way through port-based firewalls. The value of port blocking has declined with time.
Static applications used a single port (80, 25, 23, etc.) and could be controlled by simple packet filters. Dynamic applications (e.g., FTP) would go out one port and in another, requiring more sophisticated control; hence stateful inspection was born. Modern applications ignore ports entirely, so some vendors tack on more types of filters, adding processing delay. (See “Minimizing Latency in Satellite Networks” in the September issue of Via Satellite.) The reality is that enterprise control of modern applications requires something even more sophisticated.
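To make the difference between a simple packet filter and stateful inspection concrete, here is an added toy example (not code from the article or from any vendor it names). It models the classic case the text alludes to: active-mode FTP, where the client opens the control connection outbound on port 21 and then announces, with a PORT command, the port on which the server should connect back for data. The stateless filter only knows port numbers, so it drops that inbound data connection while letting through any unsolicited packet that merely claims a well-known source port; the stateful filter tracks sessions it saw opened from the inside and parses the PORT command to open a one-shot pinhole. All packets, addresses and ports below are constructed for the example.

```python
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    direction: str   # "out": private side -> public side, "in": public -> private
    src: str
    sport: int
    dst: str
    dport: int
    payload: str = ""


# Well-known service ports a port-based firewall of the era would permit.
ALLOWED_PORTS = {21, 23, 25, 80}   # ftp control, telnet, smtp, http


def static_filter(pkt: Packet) -> bool:
    """Stateless packet filter: a packet passes if either endpoint uses a
    well-known service port. It has no memory of earlier packets."""
    return pkt.dport in ALLOWED_PORTS or pkt.sport in ALLOWED_PORTS


# FTP active-mode command: PORT h1,h2,h3,h4,p1,p2 -> connect to h1.h2.h3.h4:(p1*256+p2)
PORT_CMD = re.compile(r"^PORT (\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\s*$")


class StatefulFilter:
    """Stateful inspection: remembers sessions opened from the inside and the
    data connections an FTP control channel announced."""

    def __init__(self) -> None:
        self.sessions = set()   # (client, cport, server, sport) opened outbound
        self.pinholes = set()   # (server, client, cport) expected inbound data connections

    def allow(self, pkt: Packet) -> bool:
        if pkt.direction == "out":
            if pkt.dport not in ALLOWED_PORTS:
                return False
            self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            if pkt.dport == 21:
                m = PORT_CMD.match(pkt.payload)
                if m:
                    host = ".".join(m.group(i) for i in range(1, 5))
                    port = int(m.group(5)) * 256 + int(m.group(6))
                    self.pinholes.add((pkt.dst, host, port))
            return True
        # Inbound: only replies on a known session or an announced data connection.
        if (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions:
            return True
        key = (pkt.src, pkt.dst, pkt.dport)
        if key in self.pinholes:
            self.pinholes.discard(key)   # pinhole is consumed by the first use
            return True
        return False


# Constructed traffic: an active-mode FTP exchange plus one unsolicited packet
# that arrives from source port 80 and therefore "looks like" web traffic.
SCENARIO = [
    Packet("out", "10.0.0.5", 40000, "198.51.100.7", 21, "USER anonymous"),
    Packet("in", "198.51.100.7", 21, "10.0.0.5", 40000, "331 Please specify the password."),
    Packet("out", "10.0.0.5", 40000, "198.51.100.7", 21, "PORT 10,0,0,5,156,65"),  # port 40001
    Packet("in", "198.51.100.7", 20, "10.0.0.5", 40001, "<directory listing>"),
    Packet("in", "203.0.113.9", 80, "10.0.0.5", 3389, "<unsolicited probe>"),
]


def run_scenario():
    """Return the verdict of each filter for every packet, in order."""
    stateful = StatefulFilter()
    return {
        "static": [static_filter(p) for p in SCENARIO],
        "stateful": [stateful.allow(p) for p in SCENARIO],
    }


if __name__ == "__main__":
    for name, verdicts in run_scenario().items():
        print(name, ["pass" if v else "drop" for v in verdicts])
```

The fourth packet (the FTP data connection from server port 20 to the announced client port 40001) is dropped by the static filter and passed by the stateful one; the fifth (an unsolicited inbound packet from source port 80) is the reverse. Real stateful firewalls also age out sessions and pinholes, which this toy omits.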
To meet this need, Palo Alto Networks has integrated application ID (App-ID) into its firewall. The company has the ability to classify the characteristics of 870 different applications. App-ID allows further granularity in the decisions which can be made across a network. For instance, the marketing department in an organization might be allowed to run WebEx while other departments cannot. Application identification is a powerful tool, but some applications, such as Skype, use a proprietary form of encryption and hop from port to port, making the application resistant to signature-based identification. Skype’s mannerisms, however, are identifiable through heuristic analysis, allowing Palo Alto Networks’ firewall to block Skype traffic.
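The idea behind application identification, as opposed to port blocking, is that the policy decision is keyed on what the traffic actually is rather than on the port it happens to use. The following added example (not Palo Alto Networks' App-ID, nor any other vendor's code) sketches the simplest form of it: the first bytes a client sends are matched against a handful of protocol signatures, and a per-department policy is then applied to that application label. The department names, the policy and the sample payloads are constructed for illustration; the point it shows is that an SSH session tunneled over port 80 is labeled "http" by a port-based view but "ssh" by payload inspection, and is handled accordingly.

```python
import re

# What a port-based firewall would call the traffic, by destination port.
PORT_LABELS = {22: "ssh", 25: "smtp", 80: "http", 443: "tls"}

# Constructed per-department policy: which identified applications may leave the network.
POLICY = {
    "marketing": {"http", "tls"},
    "engineering": {"http", "tls", "ssh"},
}

HTTP_REQUEST = re.compile(rb"^(GET|POST|HEAD|PUT|DELETE|OPTIONS) \S+ HTTP/1\.[01]\r\n")
SMTP_GREETING = re.compile(rb"^(EHLO|HELO) \S+\r\n")


def identify_app(payload: bytes) -> str:
    """Classify a flow by the first bytes the client sent, ignoring the port.
    Only a few textbook signatures are included; anything else is 'unknown'."""
    if payload.startswith(b"SSH-2.0-") or payload.startswith(b"SSH-1.99-"):
        return "ssh"
    # TLS record header: content type 0x16 (handshake), version 0x03 0x0X.
    if len(payload) >= 3 and payload[0] == 0x16 and payload[1] == 0x03 and payload[2] <= 0x04:
        return "tls"
    if HTTP_REQUEST.match(payload):
        return "http"
    if SMTP_GREETING.match(payload):
        return "smtp"
    return "unknown"


def decide(department: str, dport: int, first_payload: bytes):
    """Return (identified app, port-based label, allowed?) for one new flow.
    Unknown applications are denied by default rather than assumed harmless."""
    app = identify_app(first_payload)
    port_label = PORT_LABELS.get(dport, "unknown")
    allowed = app in POLICY.get(department, set())
    return app, port_label, allowed


# Constructed sample flows: (department, destination port, first client payload).
SAMPLE_FLOWS = [
    ("marketing", 80, b"GET /index.html HTTP/1.1\r\nHost: example.com\r\n\r\n"),
    ("marketing", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),          # ssh hiding on the web port
    ("engineering", 80, b"SSH-2.0-OpenSSH_8.9\r\n"),
    ("marketing", 443, b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03"),
    ("marketing", 8080, b"GET / HTTP/1.1\r\nHost: proxy\r\n\r\n"),  # http on an odd port
    ("marketing", 443, b"\x00\x01\x02\x03opaque-custom-protocol"),
]


def classify_samples():
    """Decisions for the constructed flows, in order."""
    return [decide(dept, port, payload) for dept, port, payload in SAMPLE_FLOWS]


if __name__ == "__main__":
    for (dept, port, _), (app, label, ok) in zip(SAMPLE_FLOWS, classify_samples()):
        print(f"{dept:12} port {port:5} port-label={label:8} app={app:8} {'allow' if ok else 'deny'}")
```

Production application identification goes well beyond first-packet signatures, using decoders, decryption where policy permits, and the kind of behavioral heuristics the article mentions for Skype, but the policy model is the same: decisions attach to the identified application, not to the port.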