
WHITEPAPER

When Network Security Becomes

a Network-management Problem

6 Ways your Network Team Can Help Fight Malware—

and Improve IT Efficiency at the Same Time


WHITEPAPER When Network Security Becomes a Network Management Problem


When you hear about security breaches, you think about disruption of services to customers, stolen data and identities, and damage to company reputation. All these externally facing consequences are dire, which is why IT departments have implemented next-generation firewalls with unified threat management, web-application firewalls, layered security, intrusion-detection and prevention solutions, and security information and event management (SIEM) systems. But there is another kind of damage that is only beginning to make the news. Attacks on the computing infrastructure also directly impinge on network management teams.

The ability of network management teams to do their jobs, the time and resources they have available, and their ability to scale the network up to support the business as it grows are all impacted by security threats—whether those threats succeed, or simply consume resources as IT staff work to detect and thwart them.

Security isn’t just a security issue; it’s a network management issue as well. The two cannot be separated in today’s network management environment. The good news, though, is that network management teams are in a position to defend themselves, the IT organization at large, and the enterprise from security threats.

This white paper explains six ways in which your network management team can make strong contributions to your company’s defense against botnets, distributed denial of service (DDoS) attacks, designer malware, and all the other scary things that go bump in the Ethernet.

1. Let the Infrastructure Do the Work.

Most of us are accustomed to thinking of network infrastructure the way we think of a city: in terms of services delivered, communications transmitted, power provided for activities, space available for storing things. Networks today still have to be all those things, but now we have to think of them as fortresses as well, as walled cities that not only allow dwellers to carry out vital functions, but also protect them from external perils.

Two elements of your network need to be designed with external threats in mind: the underlying architecture, and the hardware devices that host the applications and services the network supports.

A Threat-resistant, High-Availability Architecture

Most network architectures today are more the result of evolution than design. Big corporate networks have grown over years or decades and are made up of components from different eras and different vendors, managed using dissimilar tools ranging from Microsoft Domain Name System (DNS) and Dynamic Host Configuration Protocol (DHCP) services to Excel spreadsheets, Perl scripts, and command-line interfaces. These ad hoc architectures are highly vulnerable to attack, and the network teams who manage them are too busy to do much about it.

Now that network security has risen to the top of the IT agenda, greenfield architectures have to be purpose-built and legacy architectures have to be refitted to keep cyberattackers at bay.

The starting point is a security-hardened network infrastructure that supports high-availability operation and withstands security scans and attacks. The key tactic is to have centralized control across network subnets, zones, and sites.

This network architecture should be managed from a central appliance that pushes global configuration data and other information out to other appliances, and it should be coupled with an integrated, zero-administration, real-time database so that the infrastructure can continue to deliver services without data loss or corruption if a device or a wide-area network (WAN) fails or becomes infected and needs to be quarantined. Connections and communications across the network should obey established principles of high availability.

• The central appliance and all its subordinate appliances should be instantly upgradable in case a new operational fix or security flaw has been identified or a new patch has been made available.

• Servers should be linked in high-availability pairs, with constant back-and-forth health checking and automatic failover. There should be no single point of failure, and if a link fails temporarily, communications should go into a queue that is maintained until the link is restored.

• Industry-standard Secure Sockets Layer (SSL) encryption should be used in VPN tunnels to reduce the vulnerability of the entire infrastructure.

• The central controlling appliance should be coupled with a mirrored backup appliance at another site that can take over instantly.

Other desirable features include a hardened operating system with no root access, two-factor authentication for login, detailed audit logging, EAL-2 Common Criteria Certification, and granular access control.

Hardened Appliances

The increasing frequency and destructiveness of cyberthreats are good reasons to reconsider the budgetary advantages of general-purpose servers and the free software that often comes bundled with them. Today’s cybercriminals know commodity servers inside out and have refined techniques for compromising them. In addition, using multiple free utilities, with no readily available technical support or training, to manage network services consumes time and staff resources.

Purpose-built appliances are inherently more reliable, manageable, scalable, and secure than software running on general-purpose servers. And the software that runs on them usually offers features—such as real-time environmental and fault monitoring—that bundled utilities don’t have.

Other security-enhancing features that can be found in purpose-built appliances include:

• Redundant, hot-swappable components such as power supplies, fans, and hard-disk drives

• Enterprise-quality construction

• Compliance with government security requirements

2. Make Management in General Easier.

Complexity and vulnerability go hand in hand, and the more time your network team spends performing its traditional repetitive functions, the less time it has to contribute to security initiatives or more value-added short-term projects. So goals you’ve pursued for financial reasons—simplification, centralization, and integration—now become contributors to network defense as well.

Simplify

If you or your staff are using client stations and command-line interfaces to manage your network, operational efficiency is taking a hit because you’re spending too much time on mundane, repetitive tasks, and you might be making errors that can leave you vulnerable to attack.

If you can replace these outmoded vendor-based systems with a single network-centric, web-based GUI, your staff can manage from any station on the network, monitor more easily, and enter data more accurately—saving time and freeing resources to work on strengthening your defenses.

Centralize

Any military commander will tell you that an effective defense requires central direction. A distributed network whose devices are operated as a single, centrally controlled system across network subnets, zones, and sites is more secure than a loose collection of locally managed networks. Central control makes it easier to monitor and report on network devices and operations, give administrators single sign-on capability and role-based access and permissions, and identify trends that impact efficiency as well as security.

Integrate

Many network management teams are still juggling a mismatched collection of management tools that might include:

• Microsoft DNS and DHCP utilities

• Microsoft Clustering

• Separate DHCP servers

• DNS tools on virtual machines

• Excel spreadsheets used to manage IP addresses

• Perl scripts or command-line interfaces used for automation


In short, they have too many steps, too many tools, and too much complexity. Expert staff are tied up with repetitive administrative tasks, information that needs to be in one place is scattered around in disparate systems, and both management efficiency and network security are difficult to attain.

One of the best steps you can take to reduce complexity is to integrate three key functions so that they share a management interface:

• Domain Name System

• Dynamic Host Configuration Protocol

• IP address management (IPAM)

With these vital functions combined, your network operations are easier to automate, easier to connect securely, easier to virtualize, easier to scale and upgrade—and easier to protect from outages, whether their causes are natural or malicious.

3. Get All the Visibility You Can into Network Data.

Network managers are already familiar with the value of having easily accessible network data at their fingertips. Using data for long-term historical reporting, trending, and analysis enables you to improve application uptime, maximize staff resources, and plan to accommodate growth. It can also enable network teams to protect the business against malware. Historical reporting, especially on DNS activity, enhances security by making it possible to track intermittent and suspicious activity over time. By being aware of factors such as how many queries are going to questionable outside addresses or whether any of your DNS servers are sending an unusual number of queries, you can detect infected clients quickly, limiting the damage and eliminating the infection.

4. Manage DNS for Security.

Cyberattacks on DNS servers represent one of the most significant hazards to network security today. DNS querying goes on unobtrusively behind the scenes, and yet it is pervasive and continuous, making it an excellent vehicle for unauthorized and malicious access to computing systems.

Trojan-horse spyware and backdoor code can enter a network via DNS queries, undetected by almost all security approaches. Once they are inside the firewall, they can communicate with the malefactors who created them using the same DNS path they entered on.


Spyware can collect financial data, account numbers, passwords, credit card numbers, and other keys that give access to proprietary company data, confidential healthcare patient information, insider trading secrets, and customer bank accounts, and send it to criminals who will use it to commit fraud, theft, and sabotage, to hijack computing resources and use them for launching DDoS attacks on other companies, or to generate spam.

Even if your business has a robust SIEM system with all of the latest security tools, chances are it’s not protected against DNS-exploiting attacks. And because DNS is used by nearly all networked applications—including email, web browsing, ecommerce, Internet telephony, and more—these types of attacks threaten the very basis of modern communications and commerce.

As noted above, general-purpose free applications and commodity servers aren’t well equipped to combat modern cybercrime techniques. They usually don’t have rollback or reporting. DNS, DHCP, and IPAM are handled separately via different control interfaces. And most of them have no discovery, analysis, or change-management tools.

The safest course of action is to:

• Either fortify the management of your commodity servers, or replace them entirely with servers engineered specifically to stop DNS-exploiting malware

• Deploy DNS firewalls to prevent clients from connecting to identified malware sites, keep botnet DNS command-and-control requests from executing, and make it possible to pinpoint infected clients

Network management best practices for securing DNS servers include:

• Reviewing and blocking resolved DNS queries to bad domains from infected clients

• Implementing reports that give you visibility into infected devices by IP/MAC address and device type

• Accessing frequently updated malware data feeds to counter fast-flux changes of IP addresses to bad domains

• Blocking potentially dangerous geographies such as North Korea, Iran, and Russia

Another important DNS-related management tool is DNSSEC, which uses asymmetric cryptography to provide origin authentication and integrity checking for DNS data. The consequences of cache poisoning are so calamitous that it’s worth implementing DNSSEC purely to address it, so your network infrastructure should definitely have support for DNSSEC.
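As an added illustration of the DNS-reporting points made in sections 3 and 4 above (example code written for this page, not Infoblox’s product code or anything from the original whitepaper): it parses constructed query-log lines in an assumed BIND-style layout, checks each queried name against a constructed blocklist standing in for a malware data feed, and reports per-client counts so that clients repeatedly querying bad domains can be identified for follow-up.

```python
import re
from collections import defaultdict

# Constructed sample DNS query log. The field layout (a BIND-style
# "client IP#port: query: NAME IN TYPE" line) is an assumption made for
# this example, not a format taken from the whitepaper.
SAMPLE_LOG = """\
01-Mar-2021 09:00:01.120 client 10.1.1.20#51000: query: www.example.com IN A + (10.1.1.2)
01-Mar-2021 09:00:01.500 client 10.1.1.20#51001: query: mail.example.com IN MX + (10.1.1.2)
01-Mar-2021 09:00:02.010 client 10.1.1.77#40001: query: a1.bad-c2.example IN A + (10.1.1.2)
01-Mar-2021 09:00:02.020 client 10.1.1.77#40002: query: a2.bad-c2.example IN A + (10.1.1.2)
01-Mar-2021 09:00:02.030 client 10.1.1.77#40003: query: a3.bad-c2.example IN A + (10.1.1.2)
01-Mar-2021 09:00:02.040 client 10.1.1.77#40004: query: a4.bad-c2.example IN TXT + (10.1.1.2)
01-Mar-2021 09:00:03.000 client 10.1.1.31#53210: query: updates.example.org IN A + (10.1.1.2)
01-Mar-2021 09:00:03.100 client 10.1.1.31#53211: query: evil-tracker.example IN A + (10.1.1.2)
"""

# Constructed blocklist standing in for a malware data feed (the "bad domains"
# the paper refers to); an entry matches the domain and every subdomain of it.
BAD_DOMAINS = {"bad-c2.example", "evil-tracker.example"}

LOG_RE = re.compile(r"client (?P<ip>[\d.]+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def parse_queries(log_text):
    """Yield (client_ip, qname, qtype) for every parsable query log line."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").lower().rstrip("."), m.group("qtype")


def matches_blocklist(qname, blocklist):
    """True if qname itself or any parent domain of it is on the blocklist."""
    labels = qname.split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def report_suspect_clients(log_text, blocklist, threshold=3):
    """Per client IP: total queries, queries to bad domains, the bad domains
    seen, and a 'flag' set when bad-domain queries reach the threshold."""
    stats = defaultdict(lambda: {"total": 0, "blocked": 0, "domains": set()})
    for ip, qname, _qtype in parse_queries(log_text):
        stats[ip]["total"] += 1
        if matches_blocklist(qname, blocklist):
            stats[ip]["blocked"] += 1
            stats[ip]["domains"].add(qname)
    return {ip: {"total": s["total"], "blocked": s["blocked"],
                 "domains": sorted(s["domains"]),
                 "flag": s["blocked"] >= threshold} for ip, s in stats.items()}
```

On the constructed log, client 10.1.1.77 is flagged (four queries to bad-c2.example subdomains) while 10.1.1.31 shows a single hit worth reviewing but stays below the threshold.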

5. Unify Management of Routers and Access Control Lists.

The management of network devices in large, heterogeneous networks is complex, time-consuming, and error prone. Most network teams are using manual processes and numerous vendor-supplied management tools. Visibility into network devices and configurations is patchy and limited, and rule-changing, provisioning, and security analysis are unsystematic.


The solution is to unite processes on a platform focused on access-policy management, provisioning of access control lists (ACLs), and management of network security device rules.

Centralized management makes it possible to discover network devices, capture and update configuration settings, and implement changes. It simplifies provisioning and tightens control over user access rights. And it makes firewall intelligence available by allowing users to model changes before they are deployed so that unplanned effects can be identified before they make it into production and create security vulnerabilities.

6. Automate Everything.

Hand-to-hand combat with an army of robots is a losing proposition. Automation is the enemy’s most powerful weapon. And in the arms race that network security has become, you have to fight fire with fire. By automating the management of everything from DNS to DHCP to IP addresses; from switch ports and security devices to policies and compliance; from provisioning, change and configuration, and reporting to infrastructure control, you can:

• Respond more quickly to security threats

• Avoid errors that leave your network at risk

• Defend a larger perimeter with limited staff resources

Infoblox Can Help You Seamlessly Integrate Network Management with Network Security.

Technology that can empower your network team to employ the tactics described above is available today, and Infoblox can supply it. As you perform your day-to-day network management tasks and gear up to take advantage of trends like cloud computing, virtualization, and software-defined networking, we can help you make yet another vital contribution to your business. Infoblox can help make network management a key contributor in securing your business against cyberattacks. Contact us to discuss how we can help you control your network for security as well as efficiency.

About Infoblox

Infoblox (NYSE:BLOX) helps customers control their networks. Infoblox solutions help businesses automate complex network control functions to reduce costs and increase security and uptime. Our technology enables automatic discovery, real-time configuration and change management and compliance for network infrastructure, as well as critical network control functions such as DNS, DHCP, and IP Address Management (IPAM) for applications and endpoint devices. Infoblox solutions help over 6,500 enterprises and service providers in 25 countries control their networks.


CORPORATE HEADQUARTERS:

+1.408.986.4000

+1.866.463.6256

(toll-free, U.S. and Canada)

info@infoblox.com

www.infoblox.com

EMEA HEADQUARTERS:

+32.3.259.04.30

info-emea@infoblox.com

APAC HEADQUARTERS:

+852.3793.3428

sales-apac@infoblox.com
