Using Ranch Networks for Internal LAN Security


The Need for Internal LAN Security

Many companies have secured the perimeter of their network with Firewall and VPN devices. However many studies have shown that despite this protection, the frequency of security breaches of various types is on the rise. The number of reported security incidents has been doubling year-over-year, to 82,000 in 2002. The number of actual security incidents is estimated to be approximately five times the number of reported incidents.

A large subset of the total number of security breaches actually comes from within the LAN. The sources of these internal breaches include:

- Disgruntled employees

- Contract employees

- Laptops and other portable devices that have been connected elsewhere and brought back into the corporate LAN

- Other companies that are connected in various ways to the corporate LAN: customer access, outsourcing, partnerships, or shared LAN environments

- Improperly secured Wireless LANs

- Peer-to-peer applications such as those for Instant Messaging or File Sharing

- Malicious code that passes through the perimeter protection, infects an internal system by exploiting an unpatched vulnerability, then launches an internal attack

These security breaches can cause many serious issues such as:

- Damage from Worms and Viruses

- Theft of Intellectual Property or other sensitive company data

- Financial fraud

- Internally launched Denial of Service Attacks

- Violation of laws such as HIPAA, Sarbanes-Oxley, the Patriot Act, or Gramm-Leach-Bliley

- Sabotage

There are many statistics that justify these concerns:

- The FBI/CSI Computer Crime and Security Survey of US corporations, government agencies, and universities found:

i. The theft of proprietary information cost US$70 Million in 2002 with an average of US$2.7 Million per reported loss

ii. In 2001 the financial loss from financial fraud totaled US$116 Million, with an average loss of US$4.4 Million

iii. For those respondents who knew where security breaches came from, about half came from inside their network


- A survey of US corporations entitled “Managing Security Information” from The McKinsey Corporation found:

i. 49% of respondents experienced unauthorized network access by insiders

ii. 26% experienced a theft of proprietary information, with an average loss of US$4.5 Million

iii. 12% experienced financial fraud, with an average loss of US$4.4 Million

- A survey conducted at the InfoSecurity 2003 Conference found:

i. 49% of respondents listed potential security breaches from current employees as the most-common cause of concern

ii. Over one-third of respondents named current employees as a source of the majority of corporate security breaches in the past year


How Ranch Networks Helps to Solve These Problems

[Figure: Providing Internal LAN Security as an Overlay to an Existing Network. The RN20 sits between the Internet and the existing network's Layer 2 backbone switch, with its ports trunked together and carrying the VLANs of the existing network: First, Second and Third Floor L2 switches (Desktops, WLAN 1-4, Conf Rm A-C, Guest Office, Lobby) and a Data Center L2 switch with S1 (Servers with Financial Apps), S2 (Servers with Sales Apps) and S3 (Servers with HR Apps).]

RN20 Zone Plan:

- Zone 1: VLANs for all WLANs, all Conf Rms, Guest Office, Lobby

- Zone 2: VLANs for all Accounting Desktops

- Zone 3: VLANs for all Sales Desktops

- Zone 4: VLANs for all HR Desktops

- Zone 5: VLANs for Financial Servers

- Zone 6: VLANs for Sales Servers

- Zone 7: VLANs for HR Servers

- Zone 8: VLAN for Internet

Selective Access Control Policy:

- Guests entering through Wireless LANs or other Zone 1 points are allowed to access the Internet but no other segment of the network.

- Employees entering through these same points can access the areas of the network they are permitted to enter by authenticating with the RN20, which contains Authorization Profiles for each type of user.

If you believe that increasing internal LAN security is important, Ranch Networks has an inexpensive, easy-to-implement way to address this need. The above diagram helps illustrate the various ways that a Ranch device can be used to increase the security of an existing LAN and complement the functions already provided by a perimeter Firewall/VPN device. Adding the Ranch product is an easy migration due to our Split Subnet feature which means that many layers of security can be added without rewiring the existing network or reconfiguring IP addresses.

In this example, VLANs are used to subdivide the existing network. These VLANs are then brought back to the Ranch device where they are grouped into “areas of trust” or Secure Zones.
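The zone plan and Selective Access Control Policy from the figure, modelled as an added example (not Ranch Networks software). The VLAN names, the user directory and the inter-zone rules for the wired desktop zones are constructed assumptions; the guest and authenticated-employee behaviour for Zone 1 follows the policy as stated.

```python
"""Model of the RN20 zone plan and Selective Access Control Policy from the figure.
Added example, not Ranch Networks software; VLAN names, the desktop-to-server
rules and the user directory are constructed."""
from dataclasses import dataclass
from typing import Optional

# RN20 Zone Plan from the figure: VLAN -> Secure Zone (VLAN names constructed).
VLAN_TO_ZONE = {
    "wlan1": 1, "wlan2": 1, "conf-rm-a": 1, "guest-office": 1, "lobby": 1,
    "acct-desktops": 2, "sales-desktops": 3, "hr-desktops": 4,
    "fin-servers": 5, "sales-servers": 6, "hr-servers": 7, "internet": 8,
}

# Authorization Profiles per type of user: zones reachable after authenticating.
PROFILES = {
    "accounting": {2, 5, 8},
    "sales": {3, 6, 8},
    "hr": {4, 7, 8},
}
GUEST_ZONES = {8}   # unauthenticated Zone 1 users reach the Internet only

# Assumed static inter-zone rules for the wired desktop zones (not stated on the
# page): each department's desktops reach its own servers plus the Internet.
# Server zones have no outbound rules, so a server cannot open a path out of its zone.
ZONE_RULES = {2: {5, 8}, 3: {6, 8}, 4: {7, 8}}

@dataclass
class Session:
    src_vlan: str
    user: Optional[str] = None      # stays None until the user authenticates
    profile: Optional[str] = None

def authenticate(session, username, password, directory):
    """Constructed stand-in for the RN20 login check: directory maps
    username -> (password, profile). A real deployment would use a proper store."""
    entry = directory.get(username)
    if entry is None or entry[0] != password:
        return False
    session.user, session.profile = username, entry[1]
    return True

def permit(session, dst_vlan):
    """Decide whether traffic from the session's VLAN may enter dst_vlan's zone."""
    src_zone, dst_zone = VLAN_TO_ZONE[session.src_vlan], VLAN_TO_ZONE[dst_vlan]
    if src_zone == dst_zone:
        return True      # intra-zone traffic never crosses a Virtual Firewall
    if src_zone == 1:
        # Zone 1 (WLANs, conference rooms, guest office, lobby): a guest reaches
        # the Internet only; an employee gets the zones in their profile.
        allowed = GUEST_ZONES if session.user is None else PROFILES[session.profile]
        return dst_zone in allowed
    return dst_zone in ZONE_RULES.get(src_zone, set())

DIRECTORY = {"alice": ("s3cret", "accounting")}   # constructed sample directory
```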

The resulting increase in network security includes:

- Secure Zones and a total of 20 Virtual Firewalls. Firewall rules can be set at Layers 2, 3, or 4. A full range of NAT options is available. Unauthorized access to Zones or IP addresses can be denied, as can unauthorized access from Zones or IP addresses.

- Denial of Service protection is provided between each pair of Secure Zones.

- Authentication can be enabled so that it is required to enter or exit a Secure Zone. This means that no packets from a user will be allowed through the Ranch device until the user first enters their Username and Password. Once the user is authenticated, they are then permitted to enter only those areas of the network to which they have been authorized. This enables a Single-Sign-On approach: once the user is authenticated by the Ranch device, they can be allowed access to those applications to which they are permitted – without further sign-on if desired.

- Security breaches can be automatically or manually isolated and quarantined within a Zone.

i. Leveraging your investment in an Intrusion Detection System (IDS): Ranch products can be used to increase the performance, coverage, and effectiveness of an IDS in two ways:

1. Ranch products can be configured to mirror traffic to the IDS. Traffic can be selected by Source or Destination Zone, IP address (or range), MAC address, or Port number (or range). Given the centralized location of a typical Ranch installation (see the above figure), it is in a perfect position to selectively filter and mirror traffic from almost any area of the network. By performing this function, traffic to the IDS can be regulated to match the IDS throughput capacity and prioritized to mirror the traffic the network admin most wants to monitor. This approach effectively increases the performance and coverage of the IDS and can significantly decrease the cost of an IDS deployment.

2. If the IDS detects an attack or the presence of some malicious code, it can send a message to the Ranch device instructing it to isolate the infected Zone and/or IP address. In this way the Ranch product becomes an enforcement point for the IDS.

ii. Leveraging your investment in a Security Policy Management or Event Correlation system: Just as with an IDS, these security management systems can be configured to automatically send a message to an RN device to isolate a Zone and/or IP address.

iii. Manual Isolation: Just as an IDS can be programmed to perform an automatic isolation of a Zone or IP address, a network admin can implement this isolation manually through SNMP.

v. Alarms can be initiated when an unauthorized connection is attempted. With many Client/Server applications, the Server should never initiate a new connection – it only responds to queries from the Client. If however the Server becomes infected and attempts to launch a new connection out of the Zone, the Ranch device can not only deny the attempted connection but also initiate an alarm so that the Server can be cleaned.

- Wireless LANs can be separated into their own Zone, with stricter security policies applied to this Zone. The diagram above illustrates this scenario. Even if Wireless LAN Access Points are scattered randomly throughout the LAN, VLANs can be used to segment them from the rest of the LAN. These VLANs are then brought back to the Ranch device and grouped together into a Secure Zone. Other LAN connections where Guests, Contractors, or other third parties are likely to connect can also be grouped into this same Zone. Then special security policies can be applied to this Zone:

i. If the company wishes, it can allow Guests to have access from this Zone to the Internet, but not to the rest of the network.

ii. If the company wants to restrict the total bandwidth from this Zone to the Internet a maximum bandwidth rule can be configured.

iii. If the company wants to implement a Username and Password before Guests can access the Internet this can be configured.

iv. If an Employee enters the network through this same Zone (for instance, by using the Wireless LAN), they can enter the internal network by using the Authentication feature so that they can access those portions of the network to which they have been authorized.

- Network hiding is provided between each pair of Secure Zones. Since the Ranch device sits in-line in front of the Servers, Desktops, and other devices in the Zone, it hides these devices from many types of hacking attempts:

i. Port scanning is blocked and does not get to the Servers and other devices

ii. Operating System vulnerabilities become less accessible

iii. Patch management can be performed in reasonable time periods

iv. Devices that may not themselves have adequate internal security are hidden and protected (such as many Printers, IP Phones, Routers, Switches, PBXs, Network Attached Storage (NAS), PDAs and other devices with exotic Operating Systems)
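The alarm case in item v. above, as an added example (not Ranch Networks code): a check over constructed flow records that denies, and raises an alarm for, a host in a server zone opening a new connection into another zone, while the server's replies to client queries pass. The zone networks, addresses and flow record format are constructed assumptions.

```python
"""Detect a server initiating a new connection out of its Secure Zone.
Added example, not Ranch software; zone networks, addresses and the flow
record layout are constructed."""
from collections import namedtuple
import ipaddress

Flow = namedtuple("Flow", "src dst dport tcp_flags")

# Constructed zone plan: each Secure Zone is a stub network behind the RN device;
# anything not in a listed zone is treated as Zone 8 (Internet).
ZONES = {
    2: ipaddress.ip_network("10.2.0.0/24"),   # Accounting desktops
    5: ipaddress.ip_network("10.5.0.0/24"),   # Financial servers
    6: ipaddress.ip_network("10.6.0.0/24"),   # Sales servers
}
SERVER_ZONES = {5, 6}
INTERNET_ZONE = 8

def zone_of(addr):
    ip = ipaddress.ip_address(addr)
    for zone, net in ZONES.items():
        if ip in net:
            return zone
    return INTERNET_ZONE

def is_new_connection(flow):
    # A TCP segment with SYN set and ACK clear opens a connection; a SYN/ACK
    # is the server's answer to a client and is not a new connection.
    return "S" in flow.tcp_flags and "A" not in flow.tcp_flags

def check_flow(flow):
    """Return (action, alarm_message). Servers should only answer clients, so a
    new connection from a server zone into any other zone is denied and alarmed."""
    src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
    if src_zone in SERVER_ZONES and dst_zone != src_zone and is_new_connection(flow):
        return "deny", (f"zone {src_zone} host {flow.src} initiated a connection "
                        f"to {flow.dst}:{flow.dport} in zone {dst_zone}")
    return "permit", None

def alarms(flows):
    """Collect the alarm messages for every denied flow in a batch."""
    return [msg for act, msg in map(check_flow, flows) if act == "deny"]

# Constructed sample flows: a client query, the server's reply, then the same
# server (now suspect) opening connections to a desktop and to the Internet.
SAMPLE = [
    Flow("10.2.0.15", "10.5.0.10", 1433, "S"),
    Flow("10.5.0.10", "10.2.0.15", 3421, "SA"),
    Flow("10.5.0.10", "10.2.0.40", 445, "S"),
    Flow("10.5.0.10", "198.51.100.7", 6667, "S"),
]
```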


In addition to these security functions, Ranch products also provide many useful non-security functions:

- Overlay without reconfiguration

i. Ranch products can be added as an overlay to upgrade an existing LAN without needing to (1) rewire the LAN to achieve Secure Zones, or (2) reconfigure IP addresses. This is possible due to the Virtual Zones and Split Subnetting features included in all Ranch devices.

- Quality of Service

i. Bandwidth Management / Traffic Shaping

1. Guaranteed, minimum, maximum, and burst bandwidth can be allocated based upon Source or Destination Zone, IP address (or range), MAC address, or Port number (or range). Thus it is possible to prioritize traffic on a per-user or per-application basis.

2. Bandwidth allocations can be either permanent or dynamic (only used when needed, and if not needed, it is shared)

ii. Full support for end-to-end QoS can be provided by (1) setting TOS or DiffServ priority for outgoing traffic and (2) classification and prioritization of incoming traffic based on TOS or DiffServ.

- Support for Voice-over-IP includes low latency, high throughput, Bandwidth Management, TOS / DiffServ, dynamic firewall control, Per-User Authentication, and the ability to segment voice devices into their own Secure Zone.

- Load Balancing

i. Load Balancing can be provided for multiple server groups (up to a total of 1024 server groups per Ranch device)

ii. Common Load Balancing algorithms such as Round Robin, Weighted Round Robin, and Least Connections are provided.

iii. Persistency can be provided via Cookie, SSL, or Client IP for HTTP, HTTPS, and FTP (active and passive)

- Health Monitoring

i. Any device with a reachable IP address, within the LAN or elsewhere, can be monitored via ICMP ping verification (Layer 3). If the device does not respond, an SNMP alarm/trap and/or Syslog message is sent.

ii. TCP connection verification can be used to monitor devices with a reachable IP address and TCP enabled (Layer 4).

iii. Link monitoring (Layer 2) is performed for links physically connected to the Ranch device.

iv. Web (HTTP) and FTP servers can also be monitored at Layer 7.

v. An HTTP server can be requested to perform a database query into another server. If this database query is not successful an alarm will be sent.

- Multicasting and Switching


ii. Multicasting is based on RFC 1112/2236/2933 and is hardware assisted to provide up to 1 Gbps of Multicast traffic.

- Accounting

i. All Ranch devices have the ability to count packets and bytes so that network usage can be monitored or charged back to users. Traffic can be classified for Accounting purposes based on Source or Destination Zone, Source or Destination IP Address, Source or Destination Protocol Port, or other Protocol information. The number of packets (or bytes) matching the classification specification is then counted. An external Accounting, Billing, or Network Management System can query the Ranch device periodically in order to read the counters and bill (or measure) users accordingly. Over a thousand Classification Categories can be defined. Monitoring of network usage can thus be performed by customer, application, user (or group of users), server (or group of servers), or network segment.

- Remote Management

i. Currently two types of Remote Management are provided: a Web-based GUI (Graphical User Interface) and SNMP.


The Advantages of This Approach

This Ranch solution is advantageous over other alternatives in the following ways:

- Unprecedented Value: Ranch Networks devices contain greater functionality for the price than any competitive product.

- More robust internal network security: Ranch devices are specifically optimized for internal network security and provide more security between Zones than any competitive product. Some competitors say that they provide “zones” but typically there are not even separate firewalls between these “zones”, nor Denial of Service protection, nor most of the other security functions Ranch provides.

- Lower Capital Expense: Purchasing the separate products required to perform a similar set of functions is much more expensive (up to 5-7 times more expensive depending on vendors and products used).

- Lower Operating Expense: Maintaining the separate products required to perform these functions is similarly much more expensive. These costs include vendor maintenance, software support, and technical support, internal staff time, training time, installation and configuration time, per-user licensing fees as users on the system increase, and network monitoring costs.

- Ease of Upgrade: Ranch devices can be easily added as an overlay to upgrade an


- Higher Reliability: The presence of multiple devices instead of one decreases the reliability of the system since more boxes means more cables, more connectors, more power supplies, more fans, and more electronic components. The greater the number of these components, the more likely there will be a system failure.

[Figure: Increased Reliability and Performance. Traditional Approach: Enterprise LAN, then a chain of separate Firewall, Bandwidth Manager, Load Balancer, and Switch devices, then the Servers. Ranch Approach: Enterprise LAN, then a single RN20, then the Servers.]

- Higher Performance: When a packet needs to traverse multiple devices, each device must process the packet up and down its own TCP/IP stack. With Ranch Networks’ patent-pending Single Pass Packet Scanning technology, each packet is only processed once, regardless of how many services (security, bandwidth, etc.) are applied to it.

- Lower Complexity: Fewer boxes means less network complexity and fewer opportunities to make mistakes. Training can be standardized on a single user interface, rather than multiple. Providing redundant configurations is far easier.

- A higher level of security than VLANs: VLANs do a great job of segmenting a network, but what happens when traffic needs to pass between VLANs? VLAN switches alone provide no security policies between VLANs, whereas Ranch provides all the security functionality described above.


do not include Per-User Authentication, nor do they provide many other functions that Ranch security provides.

- Greater leverage of an IDS investment: Ranch selective mirroring allows customers to save money on their IDS deployments by reducing the per-port, per-leg, or per-user licensing they may otherwise be required to pay. An RN device also provides a powerful enforcement point so that an IDS can automatically stop an attack and isolate it.

- Assist rather than impede application performance: Usually when security is increased on a network the availability and performance of applications is decreased, so business productivity suffers. Because of Ranch’s QoS support, Single Sign On support, high throughput, low latency, and application prioritization through bandwidth management, application performance is improved rather than impeded while network security is simultaneously increased.

- Security can be matched to the “areas of trust” associated with a specific organization.

- Complement and enhancement to host-based security: RN devices provide many security functions that host-based security does not:

i. Denial of Service protection

ii. Security for systems that may not contain adequate host-based security such as many Printers, IP Phones, Routers, Switches, PBXs, Network Attached Storage (NAS), PDAs and other devices with exotic Operating Systems.

iii. Blockage of port scanning

iv. Prevention of unauthorized access into a network segment

v. Hiding of Operating System vulnerabilities

vi. Protection of devices during patch management

vii. Traffic mirroring to an IDS and enforcement for the IDS

viii. Detection of malicious communication from an infected host
