'Orgs need to move beyond firewalls & AVs'

by Abhinna Shreshtha    Apr 21, 2010

Jatin Sachdev, information security specialist at Cisco, gives us an expert opinion on how organizations can solve everyday security challenges.

What are the trends that are being seen in the information security space?

Nowadays, we are seeing a lot of consumerization of endpoint devices. What I mean is that users have a number of options for how they access the network, like netbooks, laptops, BlackBerrys, smartphones, etc.

Also, a lot of organizations are allowing employees to access social networking websites within the organization. What this has done is that it has increased exposure to the Internet for employees, further leading to a loss of control for the administrator.

Now, there are more chances for a user to get infected and then in turn infect the entire network.

The most common attacks which we are seeing today, or at least the ones that are getting the most visibility, are the ones that are related to the most commonly accessed web applications. Given the number of people visiting these web pages, there is a high probability of infecting users. The trend nowadays is to infect users and then create a botnet which can be used to target someone else, maybe an organization or a bank.

Quite a few of the organizations that we speak with have a significant number of employees infected in some way or the other.

Most organizations think having a firewall or anti-virus is enough. Your comments.

The way we work and the applications that we access have undergone a rapid transition in the past few years. Nowadays, most of the time the applications are web-based; in this scenario, organizations need to reassess how their firewall should work. A firewall is important, but the firewall should be focused on the applications and should also have the ability to identify the user and then take a decision depending on whether the user has the right to access the application. The ‘http’ protocol or the web protocol needs to be inspected, analyzed, and understood, instead of just blindly allowing or disallowing users from accessing a URL. A lot of firewalls have still not reached that stage, but this is the granularity of control that a firewall needs.

Speaking of antiviruses, they have never been 100% effective, and their importance is reducing with every passing day. Most of the new attacks that are happening today are zero-day attacks where the virus signature is either completely unknown or it is exploiting some application from the server side, maybe a hosted application on the web, so the antivirus becomes ineffective in that case.

Another reason that the antivirus is losing its importance is because of the consumerization of the endpoint and adoption of technologies like virtualization. If you take a look at virtual desktops, where organizations allow users to get their own endpoint devices, these devices do not have any corporate linkage. The corporate linkage begins at the backend and that is where all the security is. It becomes all the more important to identify the endpoints before allowing them access. This is another case where the antivirus may be ineffective, since it may be running on the virtual desktop but not on the actual physical device.

Could you tell us some security best practices or controls that organizations should start using?

There are a number of controls that are coming up; some of them have been there for some time, for example, URL filtering. One important control to look at is reputation of IP addresses, in terms of filtering. There are a lot of products in the market that are not only looking at signature matching or URL filtering, but also the reputation of the IP address with which communication is happening. These solutions do not allow users to access websites if the IP address has a bad reputation.

Another thing that needs to be adopted is the ability to identify users on the network and what access each user has. We need to have identity-based controls on the network, where users need to be segregated on the basis of role, project, etc. Most of the IT administrators are not leveraging this.

When we talk of employees who are working from outside the company network, what kind of controls can we have in place for them?

The easiest way to manage users who are working from outside the company is to have an ‘always on’ corporate option or an ‘always on’ VPN that is controlled centrally and can be turned on for users who are more vulnerable, e.g. executives.

What this does is that with the user always connected to the corporate network even when he is outside, their traffic is always going to pass through a traffic control, like firewalls, etc. This could be a mandatory option so whenever a user is outside the network a VPN connection gets established at the backend and the moment this happens, all traffic gets routed through the corporate network.

This is not something that is always ideal. So this is where we need ways of intelligently deciding which traffic is routed through the VPN and which goes through the public network.

What are the security challenges that will occur with concepts like cloud computing?

Cloud computing is another trend which will cause a lot of the applications to move out of the data center and into the cloud. An IT administrator will have even less control over what the user can or cannot do. For example, if a person goes to Salesforce.com or Webex, it will be tricky to monitor what exactly he is doing over there. You have a lot of scope for controls but there is no way of doing it if you stick to the traditional method of firewall and antivirus.

This is where the always-on VPN will play a major role. A lot of these apps are web-based and the challenge is not only about allowing or denying access but figuring out what levels of authorization can be given to the user. Now one way of doing this is to go to the vendor and tell them exactly what to allow for each user but there is no seamless way of doing this with every vendor.

The ideal way is to do it via a VPN and have some kind of intelligence, like a thin-client, at the end-point. So when a user tries to get access to a corporate resource, they need to first get that client on dynamically and then the client makes the decision of sending the user through the nearest inspection point on the network.