Wednesday, January 24, 2007

On Internal LAN security, switches and IPSes

I have heard some security researchers claim that since anti-virus (and anti-spyware and other anti-X) software exists on hosts, the network just needs to make sure that it is working properly. That is indeed a core idea behind NAC (or NAP, if you prefer), but as the more pragmatic security professionals will observe, security needs a layered approach. This is because no individual layer of security is foolproof; there is always a chance that it will fail. Consider, for example, rootkit-based spyware that can avoid detection by anti-X software on a host but that a network-based monitor (a specialty appliance, or one embedded in a switch, router, firewall or IPS) can detect by looking at the network traffic to and from that host. Indeed, rootkit-based spyware and anti-X software evasion are expected to be dominant problems this year [ http://searchsecurity.techtarget.com/tip/0,289483,sid14_gci1238948,00.html?track=NL-494&ad=577800&Offer=SEbpd124&asrc=EM_UTC_938379&uid=5726676 ]. Multiple layers reduce the chances of security failure because the probability that all of them will fail at the same time is low. Of course, adding layers increases cost and complexity while making management difficult, so we cannot have hundreds of them. But it is fairly easy to see that we need at least two layers: one in the network and one on the host.

It would be a mistake, however, to assume that these two layers will have completely complementary, non-overlapping functionality. Both will tend to use similar algorithmic techniques: pattern matching (aka signatures) for known malware, and protocol anomaly detection and behavioral anomaly detection for unknown malware. They may differ in their set of patterns, protocols or behavior models, and in platform-specific implementation optimizations, but for the engineers building them they are essentially similar techniques. They may also differ in their input sources, e.g. host-based systems scan memory and files whereas network-based systems scan network traffic.

So my point is that we will see the role of the network in NAC get augmented with more IPS-like features. Firewall and IPS vendors will start getting traction in the internal network (they are mostly deployed at the perimeter today) but will face new challenges unique to the internal network: higher performance requirements, the need for integration with other intranet infrastructure (switches, directory servers, etc.) and a different application landscape (CIFS, CVS, J2EE, etc., which are mostly not seen as much at the perimeter). On the other hand, switch vendors will start adding firewall- and IPS-like features to their switches but will face challenges developing switch architectures that allow the "programmability" and "deep processing" that is needed.
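To make the three techniques concrete, here is an added example (my own illustration, not code from the original post) of a minimal network-side monitor that applies all three to a batch of flow records: a signature match on payload bytes, a protocol-anomaly check (traffic on TCP port 80 that is not HTTP), and a behavioral check (a host fanning out to many destination ports). Every flow, address, and "signature" below is constructed for the demo; the marker string is not a real malware pattern, and the addresses are from documentation ranges.

```python
"""Three network-side detection techniques over constructed flow records.

Added illustration for the post; none of the data here is real.
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class Flow:
    """One observed flow, as a network monitor (appliance or switch) would see it."""
    src: str
    dst: str
    dport: int
    proto: str      # "tcp" or "udp"
    payload: bytes  # first bytes of the application payload


# 1. Signatures for *known* malware: a constructed marker, not a real pattern.
SIGNATURES = {
    "demo-beacon-marker": b"X-Demo-Beacon: ",
}

# Request-line prefixes we accept as HTTP on port 80.
HTTP_METHODS = (b"GET ", b"POST ", b"HEAD ", b"PUT ", b"DELETE ", b"OPTIONS ")


def signature_hits(flows):
    """Pattern matching: report (src, reason) for every payload containing a known marker."""
    hits = []
    for f in flows:
        for name, pattern in SIGNATURES.items():
            if pattern in f.payload:
                hits.append((f.src, "sig:" + name))
    return hits


def protocol_anomalies(flows):
    """Protocol anomaly: TCP/80 payload that does not look like an HTTP request."""
    out = []
    for f in flows:
        if f.proto == "tcp" and f.dport == 80 and f.payload \
                and not f.payload.startswith(HTTP_METHODS):
            out.append((f.src, "non-http-on-80"))
    return out


def behavioral_anomalies(flows, max_ports=10):
    """Behavioral anomaly: a source touching more distinct ports than a normal host would."""
    ports_by_src = defaultdict(set)
    for f in flows:
        ports_by_src[f.src].add(f.dport)
    return [(src, "port-fan-out") for src, ports in ports_by_src.items()
            if len(ports) > max_ports]


def analyze(flows, max_ports=10):
    """Run all three detectors and return {source host: set of reasons}."""
    findings = defaultdict(set)
    for detector in (signature_hits, protocol_anomalies,
                     lambda fl: behavioral_anomalies(fl, max_ports)):
        for src, reason in detector(flows):
            findings[src].add(reason)
    return dict(findings)


# Constructed sample traffic: one clean host, one host whose anti-X layer was
# evaded (TLS-looking bytes on port 80 plus the beacon marker), one scanning host.
SAMPLE_FLOWS = [
    Flow("10.0.0.5", "203.0.113.20", 80, "tcp",
         b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"),
    Flow("10.0.0.5", "10.0.0.53", 53, "udp", b"\x12\x34\x01\x00\x00\x01"),
    Flow("10.0.0.7", "198.51.100.10", 80, "tcp",
         b"\x16\x03\x01\x00\x8a\x01\x00"),           # TLS record where HTTP is expected
    Flow("10.0.0.7", "198.51.100.10", 8080, "tcp",
         b"POST /u HTTP/1.1\r\nX-Demo-Beacon: 7\r\n\r\n"),
] + [Flow("10.0.0.9", "10.0.0.1", port, "tcp", b"") for port in range(20, 36)]


if __name__ == "__main__":
    for host, reasons in sorted(analyze(SAMPLE_FLOWS).items()):
        print(host, sorted(reasons))
```

The clean host 10.0.0.5 produces nothing, 10.0.0.7 is caught by both the signature and the protocol check even though nothing on the host itself raised an alarm, and 10.0.0.9 trips only the behavioral check. A production monitor differs in its pattern set, its protocol decoders and its thresholds, not in the shape of these three loops, which is the post's point about the host and network layers sharing techniques while differing in input.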
