Catalyst Conference 2008


June 27, 2007

What is a “self defending” network?

Blogger: Phil Schacter

With its acquisition of Ironport, Cisco once again leads with the “self defending” network marketing message. But with Jericho Forum, Burton Group and others highlighting the changing role of the network in security, has the “self defending” network marketing message outlived its usefulness, so that it now merely confuses the issues?

Marketing slogan aside, it’s a useful exercise to consider what it means for a network to be capable of defending itself. Self defense is a reasonable goal as long as what we’re talking about is the operational components of a network, the ones responsible for reliably moving bits around.

When we refer to the network fabric, we usually mean the routers, switches, and other devices that play an active role in the primary job of the network: bit hauling. These network devices incorporate specialized hardware, run optimized real-time operating systems, implement support for various networking protocols, and are instrumented to enable common administrative and operational functions. Proper self defense should include attack-resistant software, hardened operating systems, protocols that are secure by design, and controls that permit only authorized administrators and network operations personnel to access privileged functions. Even with this relatively narrow definition, there is an argument that the industry has a long way to go to deliver on the vision of a “self defending” network.
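The last item in that list, restricting privileged functions to authorized operators, is something an administrator can actually check for on a device. The script below is an added example, not code from the original post or from Burton Group: it audits a constructed, IOS-style configuration for a few management-plane hardening properties (hashed privileged-mode secret, no default SNMP communities, SSH-only remote access restricted by a source ACL with an idle timeout, and centralized AAA). The sample configurations, the hostname, ACL numbers and addresses are all assumptions made up for the illustration, and the checks are a starting set rather than a complete hardening standard.

```python
"""Audit a constructed, IOS-style device configuration for management-plane
hardening. Added example; the sample configs and the check set are assumptions,
not taken from any real device or from the original post."""
import re

# Constructed sample configuration (weak): cleartext privileged password,
# default SNMP community, telnet allowed, no source restriction, no AAA.
WEAK_CONFIG = """\
hostname core-sw-1
enable password cisco123
snmp-server community public RO
line vty 0 4
 transport input telnet ssh
 login
"""

# Constructed sample configuration (hardened). The enable secret hash is a
# placeholder, and 10.1.1.0/24 is an assumed network-operations subnet.
HARDENED_CONFIG = """\
hostname core-sw-1
service password-encryption
enable secret 5 $1$placeholder$hashedvalue
aaa new-model
aaa authentication login default group tacacs+ local
snmp-server community n0tpublic RO 20
access-list 10 permit 10.1.1.0 0.0.0.255
line vty 0 4
 access-class 10 in
 transport input ssh
 exec-timeout 10 0
 login authentication default
"""


def parse_sections(config):
    """Split a config into top-level lines and {section header: [indented lines]}.
    Indented lines belong to the most recent top-level line (e.g. 'line vty 0 4')."""
    top_level, sections, current = [], {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw.startswith(" ") and current is not None:
            sections[current].append(raw.strip())
        else:
            current = raw.strip()
            sections[current] = []
            top_level.append(current)
    return top_level, sections


def audit(config):
    """Return a list of finding strings; an empty list means every check passed."""
    top_level, sections = parse_sections(config)
    findings = []

    # 1. Privileged mode must be protected by a hashed 'enable secret',
    #    never by the reversible/cleartext 'enable password'.
    if any(g.startswith("enable password") for g in top_level):
        findings.append("cleartext 'enable password' present")
    if not any(g.startswith("enable secret") for g in top_level):
        findings.append("no 'enable secret' configured")

    # 2. Default SNMP communities hand device state to anyone who can reach it.
    for g in top_level:
        m = re.match(r"snmp-server community (\S+)", g)
        if m and m.group(1).lower() in {"public", "private"}:
            findings.append(f"default SNMP community '{m.group(1)}'")

    # 3. Remote management lines: encrypted transport only, limited to an
    #    operator source ACL, and idle sessions must time out.
    for header, body in sections.items():
        if not header.startswith("line vty"):
            continue
        transport = [b for b in body if b.startswith("transport input")]
        if not transport or any("telnet" in t or " all" in t for t in transport):
            findings.append(f"{header}: cleartext or unrestricted transport")
        if not any(b.startswith("access-class") for b in body):
            findings.append(f"{header}: no access-class restricting sources")
        if not any(b.startswith("exec-timeout") for b in body):
            findings.append(f"{header}: no exec-timeout for idle sessions")

    # 4. Centralized AAA ties privileged access to named, authorized operators
    #    instead of a shared local credential.
    if not any(g.startswith("aaa new-model") for g in top_level):
        findings.append("AAA not enabled; shared local credentials only")
    return findings


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(f"{name}: {len(audit(cfg))} finding(s)")
        for f in audit(cfg):
            print("  -", f)
```

Run against the weak sample it reports seven findings; the hardened sample reports none. Parsing by indentation rather than by a full grammar is deliberate: it is enough to attribute `transport input` and `access-class` to the right `line vty` block, which is where most of the management-plane exposure lives.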

There is a great temptation, especially among vendors of network infrastructure equipment, to broaden the role of the network’s routers and switches to include additional security functions that impose restrictions on the traffic and usage of the network. These functions include authentication of devices and users based on 802.1X, enforcement of network access control (NAC) policies based on a system health assessment, and traffic filtering based on deep inspection of application protocols and packet content. Such vendors have positioned the “self defending” network as including this kind of security intelligence, the distorted goal being to protect the IT resources and users that are connected to the network. This is no longer the network devices defending themselves; it is the network extending its protective umbrella to every user and resource inside the enterprise-managed network’s perimeter.

The notion of a bastion network with an impermeable perimeter around a global, distributed enterprise is almost never the reality. Networks need to be open and flexible to enable dynamic business relationships and business expansion. They typically involve use of public wired and wireless networks, leveraging the ubiquity and economics of the Internet. In these cases, it’s not practical for the network fabric to protect the rest of the IT infrastructure, and attempts to add this kind of intelligence introduce complexity and overhead and set a false expectation of security. It’s time to shift the burden of defense back to the endpoint devices and the data centers that host business applications and information.

Burton Group will be exploring these issues at the Catalyst conference in its “Networks Without Borders” content track. Check out http://catalyst.burtongroup.com/NA07/CatLiveBlogs.htm over the next few days for real-time coverage of this and other exciting issues!

Comments

Well stated. The security controls introduced by some of these NAC devices typically only address a high “threat event frequency” scenario with typically a very low “loss event frequency”. Thus, it can be a very expensive security control that provides very little value. I would rather see efforts focused on strong access and authorization controls at all levels of an N-Tier application before introducing technology that potentially can prevent the employees from working.
