A FUNCTIONAL security solution depends on a series of
layers whether you’re dealing with physical or logical security issues. You
need walls and gates, well-lit places where attacks are obvious, gatehouses
where incoming traffic can be checked and access controlled doors driven by an
up-to-date access database. You also need intrusion alarms alerting of
unauthorized entry and a surveillance system that lets you oversee what’s
happening on the network.
You will need high security locations on a network just
as you do in physical sites where there may be a systems room, a bond store or
a security control room. And finally you’ll need a response and management team
with a clearly defined chain of command. Think about the security of your
networked security devices in this way and you won’t go wrong.
Central to network security is working out what you need
to protect and from whom. This means you need to undertake a full audit of the
system and the threats it faces, taking into account vulnerabilities and paying
particular attention to protecting vital operational aspects of the system.
For the security installation team it’s going to be
relatively easy to establish the most vital network components. These may be as
simple as DVR or as complicated as an integrated solution combining alarms,
access control SCADA and video surveillance across a global footprint
incorporating hundreds of sites.
Along with providing protection online, securing network
security components also means you need to physically secure the location of
DVRs, access control head ends, door controllers and more.
“Ensuring defence in depth in a networked system is going
to mean partitioning. At the very least you want to keep high security
components of the system in a high security subnet, while moderate and low
security machines reside in less secure environments”
Establishing vulnerabilities is a central issue. Consider
an off-the-shelf server being used as a video server in a networked
environment. You’ll need to establish the default protection level of the
server taking into account the fact that more popular operating systems are
likely to be exposed to greater levels of attack than less common Linux or BSD
platforms.
Start by jotting down all elements of the system – DVRs,
video servers, authorized workstations, routers, operating systems, IP cameras
and streaming devices. Once you have a list of all components on your network
rate their importance to the overall operation of the electronic security application
as low, moderate or high. A video server will have a high rating while a
duplicated router or a workstation may have a low one.
Once this is complete, figure out the vulnerability of
the system components and rate them in the same way. Once you’ve figured out
what’s important and what’s at risk start thinking about ways to provide a
secure environment for these components to operate in. For high risk, high
importance items like video or SQL authentication servers you will need a
management area with double authentication and no inward or outward access. For
low risk components high levels of inherent security you may simply need double
authentication.
When thinking about authentication, consider the type of
authentication you need. Will passwords be enough? Double authentication may
simply constitute 2 passwords – this is a system that works well enough for
many banks. In higher security sites prox and a password or a biometric may be
required. Another thing that’s going to need to be addressed is the required
synergy between physical and cyber access control solutions.
Remember that the central pillar of network protection
against external and internal online threats is going to be restricting inward
access using a protective network structure and a properly managed access
control database and credential library.
Challenging you will be global electronic security
applications. While your instincts will be to lock your security management
systems up and throw away the key, some devices like DVRs will need to be
available across the Internet. This means there will be some comprises in
security levels and/or some compromises in performance levels.
How can you achieve this? You need protection but it
needs to be affordable and manageable. That means you need low security domains
that might be generally unprotected, while the high security elements of the
system of wrapped in cotton wool and kept in an environment of the highest
possible security.
You’ll need to do this because sometimes it’s not
possible to have quality firewalls protecting every networked device. Low
security areas might be protected with an aggressive network intrusion
detection system back by a proactive security policy. Screening routers may not
be able to protect you from every sort of attack. But capable NIDS on a high
security management subnet will allow you detect and attack and respond as well
as you can – even if that means pulling the plug.
The importance of partitioning
Ensuring defence in depth in a networked system is going
to mean partitioning. At the very least you want to keep high security
components of the system in a high security subnet, while moderate and low
security machines reside in less secure environments.
Each partition needs to be protected by its own firewall
offering stateful inspection and packet filtering. Whatever else goes on you
want to decree what and who gets through the gate – and you want to know who
they were, where they went and what they did once inside.
What this means is that the security team may wind up
installing physical elements of the security system in the server closet for
Depending on the size of the solution the systems team
may build a structure in which subnets of machines with similar vulnerabilities
and levels of importance might be located on the same switch separated by a
VLAN. DVRs, SQLs and authorized workstations might share trusted subnet with
all paths to the trusted switch passing through well-managed firewalls.
Then there’s the possibility especially in the case of
smaller systems, where the security function might (or elements of the security
function) might reside with the highest security administration subnet. In
bigger sites systems managers aren’t going to be opening up this location for
anything but it may be the best solution in small/medium solutions.
An existing management subnet is going to be inherently
secure with rock solid access protection and encrypted communications
protocols. External Internet access for remote management? Forget about it.
The management subnet will incorporate things like
logging servers, configuration machines and authentication servers. Depending
on the security level required there may be out-of-band management located on
the management subnet as well. Out-of-band management capabilities denote a
parallel management network that monitors and controls a data network. Most
systems use in-band SNMP, however.
Proactive protection
Regardless of the protective network structure you end up
adopting, the only way you’re going to ensure ongoing security is by monitoring
the network and its components – particularly the trusted and high security
subnets.
Small organizations might simply have a firewall
defending their site but for higher security sites and applications this is not
going to be enough. Instead you’ll need to support the firewall using network
intrusion detection, secure system loggers, authentication servers. Careful
readers will have noticed something – all these applications must be located
and isolated on the management LAN.
Security integrators in many cases may hand their
networked systems over to network security managers and their teams, especially
if some elements of the integrated security system are devoted to
authentication. This will become more important given the U.S. government
recently decreed both cyber and physical access credentials must be integrated.
Network security teams are still likely to preside over
trusted subnets so there will be a need for the security manager and the
network security team to work together.
When building a network you’d be best to install network
intrusion detection systems on each and every subnet of the system. Security
integrators need to be thinking about putting NIDS in front of every subnet on
which networked security devices are installed – depending on the nature of the
system this may only be a single trusted subnet.
The general rule is that it’s better to leave low
importance, low cost elements of the network vulnerable than to scrimp on
protection for vital network components.
Every network intrusion device should be set up with a
pair of network interface cards (NICs) with one NIC located on the monitored
subnet and the other on the management LAN allowing fast and secure reporting
of intrusion events. Under no circumstances should NIDS be given an IP address
on a monitored subnet.
It goes without saying that NIDS without reporting and
organized response are no better than local alarm systems without sirens –
pretty much useless. There a number of options you will need to consider when
planning reporting, monitoring and response functions for NIDS protecting
network security systems and we’ll get to these later on.
Using network intrusion devices
It’s very important not to just throw NIDS at a security
subnet and then consider the job is done. Intrusion detection systems are part
of an overall security solution but they need to be supported by a firewall
that’s regularly tuned up, a set of tough procedures that are followed – the
most important of these being regular security audits.
It’s very common for NIDS providers to talk about their
systems as offering high tech security solutions for networks, almost as if
these systems will detect an intruder and ride to the rescue will a war-chest
of responses to any attack. There might be an element of truth to this but
there’s plenty of hype as well.
Never forget that NIDS capability is directly linked to
the breadth of the attack database stored on it and how up to date that
database is. You also want performance – not just from the NIDS system itself
but ease of use of the analysis console. There are 8 key things you need to
think about when looking at NIDS. These are implementation, administration and
security, response and reporting, documentation, technical support, and cost.
On the operational side you will have to be sure your
system is capable of detecting events in a timely way and you also want some
kind of restriction on false positive alarm events. Then there’s a need for
logging of attack events – this will let you monitor activity and conduct
forensic investigations. Last and perhaps most importantly, no NIDS will be any
use if it’s unable to work in a seriously congested environment. Make sure the
selected NIDS will operate in your environment.
An advantage of intrusion detection is that it gives
administrators a very clear idea of what sort of attack traffic they are up
against – if any. Any attack that gets through and is detected is an attack the
network should be protected against immediately. Essentially this means that
ensuring an evolving security solution means being aware of the sorts of
attacks the system is commonly being exposed to. Along with this, NIDS will
clearly indicate the performance of other security devices protecting a
network.
A serious problem with NIDS is false alarms. Early system
developers were panned for focusing on bells and whistles without paying any
attention to things like accurate detection and diagnosis of attacks. What this
meant was that systems were exceptionally good at contacting network support
teams to inform them of the false alarms they had generated. The more false
alarms generated the harder it is going to be for administrators to weed out
actual attacks.
One way around this could be to locate NIDS on both sides
of a trusted subnet firewall using signatures carefully set-up in order to
reduce false alarms. Another good feature is the ability to pick up trends and
display these trends before alarms are generated and a good product is also likely
to integrate network intrusion detection and pattern matching data sources.
A key issue with NIDS is going to be their impact on
bandwidth so watch this – older systems were certain to both detect and consume
network bandwidth with no guarantee of picking up on actual intrusion. Try to
establish how much time it will take to set NIDS up so that it’s able to flag
actual attacks while ignoring innocent network communications.
A NIDS solution has a sensor or sensors that monitor
traffic, detect attacks by comparing the nature of communications to a database
of known attacks – this is signature detection – or uncover anything that is
unusual or strange when compared to typical network communications, a method
called anomaly detection.
Central to the performance or signature detection systems
is library size and maintenance. Signature detection is great in that it will
pick up any known form of attack but there is a fundamental weakness in that it
won’t pick up an attack it’s never run across before. At the same time you need
to consider the network environment in which an anomaly-based system operates.
If there is a consistency of traffic then aberrations will stand out. A more
complicated environment is going to be tougher going for anomaly-based systems.
“Every network intrusion device should be set up with a pair of network
interface cards (NICs) with one NIC located on the monitored subnet and the
other on the management LAN allowing fast and secure reporting of intrusion
events. Under no circumstances should NIDS be given an IP address on a
monitored subnet”
