Network Security Across the Enterprise – Stop Gap Measures to Help You Protect Your Network

Today’s business networks consist of numerous remote access connections from employees and outsourcing firms. Too often, the inherent security risks arising from these connections from outside the network are overlooked. Continuous improvements have been made that can enhance security in today’s network infrastructure; focusing in particular on the users accessing the network externally, and monitoring the endpoints through which they access it, is critical for businesses to protect their digital assets.

Installing the correct software for the specific needs of your IT infrastructure is essential to having the best security protection possible. Many companies install “off the shelf” security software and assume they are protected. Unfortunately, that is not the case due to the nature of today’s network threats. Threats are diverse in nature, including the usual spam, spyware, viruses, trojans, worms, and the occasional possibility that a hacker has targeted your servers.

The proper security solution for your organization will neutralize virtually all of these threats to your network. Too often, with only a software package installed, network administrators spend a lot of their time at the perimeter of the network defending its integrity by manually fending off attacks and then manually patching the security breach.

Paying network administrators to defend the integrity of your network is an expensive proposition – much more so than installing the proper security solution that your network requires. Network administrators have many other responsibilities that need their attention. Part of their job is to make your business operate more efficiently – they can’t focus on this if they have to manually defend the network infrastructure all the time.

Another threat that must be considered is the threat occurring from within the perimeter, in other words, an employee. Sensitive proprietary information is most often stolen by someone on the payroll. A proper network security solution must guard against these kinds of attacks also. Network administrators definitely have their role in this area by creating security policies and strictly enforcing them.

A smart strategy to give your network the protection it needs against the various security threats is a layered security approach. Layered security is a customized approach to your network’s specific requirements utilizing both hardware and software solutions. Once the hardware and software are working together to protect your company, both are able to update their capabilities promptly to handle the latest security threats.

Security software can be configured to update multiple times a day if need be; hardware updates usually consist of firmware upgrades applied through an update wizard much like the one present within the software application.

All-in-one Security Suites

A multi-pronged strategy should be implemented to combat the multiple sources of security threats in today’s corporate networks. Too often, the sources of these threats overlap, with Trojans arriving in spam or spyware hidden within a software installation. Combating these threats requires the use of firewall, anti-spyware, anti-malware and anti-spam protection.

Recently, the trend in the software industry has been to combine these previously separate security applications into an all-encompassing security suite. Security applications standard on corporate networks are integrating into security suites that focus on a common goal. These security suites contain antivirus, anti-spyware, anti-spam, and firewall protection all packaged together in one application. Searching out the best stand-alone applications in each security risk category is still an option, but no longer a necessity.

The all-in-one security suite will save a company money in reduced software purchasing costs and time with the ease of integrated management of the various threat sources.

Trusted Platform Module (TPM)

A TPM is a standard developed by the Trusted Computing Group defining hardware specifications for a chip that generates and protects encryption keys. TPM chips not only guard against intrusion attempts and software attacks but also against physical theft of the device containing the chip. TPM chips work as a complement to user authentication to enhance the authentication process.

Authentication describes all processes involved in determining whether a user granted access to the corporate network is, in fact, who that user claims to be. Authentication is most often granted through use of a password, but other techniques involve biometrics that uniquely identify a user by identifying a unique trait no other person has such as a fingerprint or characteristics of the eye cornea.

Today, TPM chips are often integrated into standard desktop and laptop motherboards. Intel began integrating TPM chips into its motherboards in 2003, as did other motherboard manufacturers. Whether or not a motherboard has this chip will be listed in the specifications of that motherboard.

These chips encrypt data on the local level, providing enhanced security at a remote location such as the WiFi hotspot full of innocent looking computer-users who may be bored hackers with malicious intent. Microsoft’s Ultimate and Enterprise versions of the Vista Operating System utilize this technology within the BitLocker Drive Encryption feature.

While Vista does provide support for TPM technology, the chips are not dependent upon any platform to function.

TPM has the same functionality on Linux as it does within the Windows operating system. There are even specifications from Trusted Computing Group for mobile devices such as PDAs and cell phones.

To use TPM enhanced security, network users only need to download the security policy to their desktop machine and run a setup wizard that will create a set of encryption keys for that computer. Following these simple steps significantly improves security for the remote computer user.

Admission Based on User Identity

Establishing a user’s identity depends upon successfully passing the authentication processes. As previously mentioned, user authentication can involve much more than a user name and password. Besides the emerging biometrics technology for user authentication, smart cards and security tokens are another method that enhances the user name/password authentication process.

The use of smart cards or security tokens adds a hardware layer requirement to the authentication process. This creates a two-tier security requirement, one a secret password and the other a hardware requirement that the secure system must recognize before granting access.

Tokens and smart cards operate in essentially the same fashion but have a different appearance. Tokens take on the appearance of a flash drive and connect through a USB port, while smart cards require special hardware, a smart card reader, that connects to the desktop or laptop computer. Smart cards often take on the appearance of an identification badge and may contain a photo of the employee.

However authentication is verified, once this happens a user should be granted access through a secure virtual local area network (VLAN) connection. A VLAN establishes connections to the remote user as if that person were part of the internal network and allows all VLAN users to be grouped together under distinct security policies.

Remote users connecting through a VLAN should only have access to essential network resources and how those resources can be copied or modified should be carefully monitored.

Specifications established by the Institute of Electrical and Electronics Engineers (IEEE) have resulted in what is known as the secure VLAN (S-VLAN) architecture. Also commonly referred to as tag-based VLAN, the standard is known as 802.1Q. It enhances VLAN security by adding an extra tag alongside the media access control (MAC) addresses that identify network adapter hardware within a network. This method will prevent unidentified MAC addresses from accessing the network.

Network Segmentation

This concept, working hand-in-hand with VLAN connections, determines what resources a user can access remotely, using policy enforcement points (PEPs) to enforce the security policy throughout the network segments. Furthermore, the VLAN, or S-VLAN, can be treated as a separate segment with its own PEP requirements.

PEP works with a user’s authentication to enforce the network security policy. All users connecting to the network must be guaranteed by the PEP that they meet the security policy requirements contained within the PEP. The PEP determines what network resources a user can access, and how these resources can be modified.

The PEP for VLAN connections should be stricter than what the same user can do with the resources internally. This can be accomplished through network segmentation simply by defining the VLAN connections as a separate segment and enforcing a uniform security policy across that segment. Defining a policy in this manner can also define what internal network segments the client can access from a remote location.

Keeping VLAN connections as a separate segment also isolates a security breach to that segment if one were to occur. This keeps the security breach from spreading throughout the corporate network. Enhancing network security even further, a VLAN segment could be handled by its own virtualized environment, thus isolating all remote connections within the corporate network.
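As an added example that is not code from the original article, this Python parser pulls the 802.1Q tag out of a constructed Ethernet frame (the tag sits between the source MAC address and the EtherType of the header) and applies the segment policy from the network segmentation discussion: only frames carrying a permitted VLAN ID are admitted. The frame builder, the sample addresses and the permitted-VLAN set are all constructed for this example.

```python
# Added example (not from the original article): parsing the IEEE 802.1Q VLAN
# tag and checking the frame's VLAN against a segment policy. The tag sits
# between the source MAC address and the EtherType of the Ethernet header:
#   dst MAC (6) | src MAC (6) | TPID 0x8100 (2) | TCI (2) | EtherType (2) | payload
import struct

TPID_8021Q = 0x8100  # Tag Protocol Identifier marking a VLAN-tagged frame
MIN_HEADER = 14      # untagged Ethernet header length
TAGGED_HEADER = 18   # header length with one 802.1Q tag


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def parse_frame(frame: bytes) -> dict:
    """Return addresses, VLAN fields (when tagged) and the EtherType of a frame."""
    if len(frame) < MIN_HEADER:
        raise ValueError("frame shorter than a minimal Ethernet header")
    info = {"dst": mac_str(frame[0:6]), "src": mac_str(frame[6:12]), "tagged": False}
    (ethertype,) = struct.unpack("!H", frame[12:14])
    offset = MIN_HEADER
    if ethertype == TPID_8021Q:
        if len(frame) < TAGGED_HEADER:
            raise ValueError("truncated 802.1Q tag")
        tci, ethertype = struct.unpack("!HH", frame[14:18])
        info.update(
            tagged=True,
            pcp=tci >> 13,           # 3-bit priority code point
            dei=(tci >> 12) & 0x1,   # drop eligible indicator
            vid=tci & 0x0FFF,        # 12-bit VLAN identifier
        )
        offset = TAGGED_HEADER
    info["ethertype"] = ethertype
    info["payload"] = frame[offset:]
    return info


def build_tagged_frame(dst: bytes, src: bytes, vid: int, pcp: int,
                       ethertype: int, payload: bytes) -> bytes:
    """Assemble a single-tagged frame (used here only to construct samples)."""
    if not 0 <= vid <= 0x0FFF or not 0 <= pcp <= 7:
        raise ValueError("vid must be 12-bit and pcp 3-bit")
    tci = (pcp << 13) | vid
    return dst + src + struct.pack("!HHH", TPID_8021Q, tci, ethertype) + payload


def allowed_on_segment(frame: bytes, permitted_vids: set) -> bool:
    """Segment policy: accept only frames tagged with a permitted VLAN id.

    Untagged frames are rejected, which is the conservative choice for a port
    that is supposed to carry only the remote-access segment.
    """
    info = parse_frame(frame)
    return info["tagged"] and info["vid"] in permitted_vids


# Constructed sample frames: VLAN 100 with priority 5 carrying IPv4, and an
# untagged frame from the same (made-up) source address.
SRC = bytes.fromhex("001122334455")
DST = bytes.fromhex("ffffffffffff")
TAGGED_SAMPLE = build_tagged_frame(DST, SRC, vid=100, pcp=5,
                                   ethertype=0x0800, payload=b"\x45\x00")
UNTAGGED_SAMPLE = DST + SRC + struct.pack("!H", 0x0800) + b"\x45\x00"

if __name__ == "__main__":
    print(parse_frame(TAGGED_SAMPLE))
    print("admitted to VLAN 100 segment:", allowed_on_segment(TAGGED_SAMPLE, {100}))
```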

Centralized Security Policy Management

Hardware and software technology targeting the different facets of security threats create multiple platforms that all must be separately managed. If done incorrectly, this can create a daunting task for network administration and can increase staffing costs due to the increased time required to manage the technologies (whether they be hardware and/or software).

Integrated security software suites centralize the security policy by combining protection against all security threats into one application, thus requiring only one management console for administration purposes.

Depending on the type of business you’re in, a security policy should be used corporate-wide that is all-encompassing for the entire network. Administrators and management can define the security policy separately, but one overriding definition of the policy needs to be maintained so that it is uniform across the corporate network. This ensures there are no other security procedures working against the centralized policy and limiting what the policy was defined to implement.

Not only does a centralized security policy become easier to manage, but it also reduces strain on network resources. Multiple security policies defined by different applications focusing on one security threat can aggregately hog much more bandwidth than a centralized security policy contained within an all-encompassing security suite. With all the threats coming from the Web, ease of management and application is essential to maintaining any corporate security policy.

Frequently Asked Questions:

1. I trust my employees. Why should I enhance network security?

Even the most trusted employees can pose a risk of a network security breach. It is important that employees follow established company security standards. Enhancing security will guard against lapsing employees and the occasional disgruntled employee seeking to cause damage to the network.

2. Do these innovations really create a secure environment for remote access?

Yes they do. These enhancements not only greatly enhance a secure VLAN connection but they also use widely accepted standards that are often integrated into common hardware and software. It’s there, your company only needs to start using the technology.

3. My company is happy with using separate software, that way each application can focus on a separate security threat. Why should I consider an all-in-one security suite?

Many of the popular software applications commonly used by businesses have expanded their focus to identify all security threats. This includes solutions from both software and hardware appliance technology manufacturers. Many of these firms saw the need to consolidate security early on and purchased smaller software firms to gain the knowledge their own firm was lacking. A security suite at the application level will make management much easier, and your IT staff will thank you for it.

4. Do I need to add a hardware requirement to the authentication process?

Requiring the use of security tokens or smart cards should be considered for employees accessing the company network from a remote site. Particularly if that employee needs to access sensitive company information while on the road, a simple flash drive secure token prevents a thief from accessing that sensitive data on a stolen laptop.

5. With all this concern about WiFi hotspots should employees be required not to use these locations to connect to the company network?

WiFi hotspots have sprung up nationwide and present the easiest method for your remote employees to access the Internet. Unfortunately, hotspots can also be full of bored, unemployed hackers who have nothing better to do than find a way to intercept a busy employee’s transmissions at the next table. That’s not to say employees on the road should avoid hotspots. That would severely limit them from accessing the network at all. With technologies like S-VLAN and secure authentication in place, a business can implement technologies to reduce threats both now and in the future.

Implementing the latest network security technologies is a high priority for IT Management. In today’s network environment with many users accessing your digital assets remotely, it’s critical to get your network security correct during the planning phase of the integration process.

Obviously, it should be noted that most large companies have multiple operating systems running (Windows, Mac OS, etc.) and that for many of these companies all-in-one security suites face certain challenges in a mixed operating system environment.

That is why I stress that you consider having layered security (both hardware and software) and don’t simply rely on software applications to protect your digital assets. As technology changes so do the opportunities for security breaches.

As these security threats become more sophisticated, hardware and software developers will continue to innovate and it’s essential businesses keep up with, and implement these technologies.

Ant Colony Optimisation for E-Learning Applications Over a Secure Network

This work was initiated when Paraschool, the leading French e-learning company, contacted the INRIA research center to devise an automatic algorithm that would allow the relatively rigid, albeit functional, existing Paraschool software to behave differently depending on user specificities. After several brainstorming sessions in which neural networks, evolutionary algorithms and other artificial intelligence techniques were considered, it appeared that swarm-like algorithms could be used, thanks to the great number of actual users (more than 10000), and more especially ant-based probabilistic optimisation, which could easily be grafted onto the existing pedagogical graph constituted by the Paraschool software.

Moreover, Ant Colony systems present the interesting property of exhibiting emergent behaviour that allow individuals to benefit from the dynamic experience acquired by the collectivity, which means, in pedagogic terms that a student could benefit from the pedagogic lessons drawn out of his peers’ successes and failures.

The implementation of these algorithms yields results that go beyond the requirements of the Paraschool company, which will soon be experimenting at full scale with the automatic dynamic optimisation of the pedagogic graph (their set of interconnected lessons and exercises) implemented by their software. This paper successively presents a concise description of human-learning concepts and their software implementation, a short description of the technical implementation of the Ant-Colony based optimisation algorithm, and a discussion on the use of various selection operators. A set of experiments is then conducted, showing that erroneous arc probabilities can be automatically corrected by the system.

II. ELEMENTS ON THE PHILOSOPHY OF LEARNING

The main concepts of teaching and learning used nowadays are still very old. The two main currents are Constructivism, which was elaborated by Kant, and Behaviourism, a theory that came from Pavlov’s experiments.

A. Constructivism

In 1781, Kant tried to synthesize rationalist and empiricist viewpoints. Kant sees the mind as an active agent that organizes and coordinates experiences. Along these lines, Piaget states that knowledge is not simply “acquired” by children bit by bit, but constructed into coherent, robust frameworks called “knowledge structures.” Children are not passive absorbers of experience and information, but active theory builders. Papert, a mathematician, and one of the early pioneers of Artificial Intelligence (he founded the Artificial Intelligence Laboratory at MIT), worked with Piaget at the University of Geneva

IV. IMPLEMENTATION OF THE ANT COLONY: ALGORITHMIC OVERVIEW

All nodes (html pages) of the new Paraschool software now contain a new ACO-powered NEXT button that leads the user along an arc chosen by a selection algorithm (see section V), based on the probability associated with the arc. This probability is computed by taking several factors into account in the design of a weighted fitness function described in the next section. These factors are the following and play at both the individual and collective levels:

A. Pedagogic Weights: W

This pedagogical weight is the main value of each arc. It is implemented as a static (i.e. “global”) variable, W, accessible to all ants. W is set by the Paraschool teachers and reflects the relative importance of the arcs that come out of a particular node. In other words, the teachers encourage the students to go toward a given exercise after a given lesson by giving the corresponding arc a higher weight. This valuation of the graph describes the pedagogic structure that will be optimized by the ACO algorithm.

B. Pheromones: S and F

There are two kinds of pheromones that can be released on arcs to reflect students’ activity:

S: success pheromone. This floating point value is incremented by ants/students on the adequate incoming arcs when they are successful in completing the corresponding exercise.

F: failure pheromone. This last value is S’s counterpart for failure. These pheromones are released not only on the arc that led the ant to that node but also on previous ones in the ant’s history, with decreasing amplitude.

This is meant to reflect the fact that the outcome of a particular node (exercise) is influenced by all the nodes (lessons, exercises) the ant went through before, but with an influence that, of course, diminishes with time. For obvious pragmatic reasons, this “back propagation” of pheromone release is limited in scope (a typical value of 4 has been agreed upon). To illustrate this, let us consider an ant that went through nodes A,B,C,D,E,F and that reaches node G. When it validates node G with success, 1 unit of success pheromone is dropped on arc (F,G), 1/2 unit on arc (E,F), 1/3 of a unit on arc (D,E) and 1/4 on arc (C,D). In addition, to allow for dynamic adaptability of these pheromone amounts (S and F), evaporation is performed on a regular basis, usually every day, by reducing S and F in a given proportion, typically around 0.999.
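The pheromone bookkeeping just described, written out as an added Python example (this is not the paper's code): arcs keyed by (from, to) carry the teacher weight W and the S and F pheromones, a validated result is back-propagated along the ant's history with amplitude 1/k over at most four arcs, and a daily evaporation step scales S and F by 0.999. The A..G chain, the uniform teacher weights and the class and function names are constructed for the example.

```python
# Added example (not the paper's code): pheromone bookkeeping for the
# Paraschool-style pedagogic graph described above. Arcs carry the static
# teacher weight W plus the success (S) and failure (F) pheromones; a result
# is back-propagated along the ant's history with amplitude 1/k over at most
# BACKPROP_SCOPE arcs, and a daily evaporation scales S and F by ~0.999.
from dataclasses import dataclass

BACKPROP_SCOPE = 4        # pheromone is dropped on at most the last 4 arcs
EVAPORATION_RATE = 0.999  # proportion of S and F kept after one evaporation


@dataclass
class Arc:
    W: float        # pedagogic weight set by the teachers (static)
    S: float = 0.0  # success pheromone
    F: float = 0.0  # failure pheromone


class PedagogicGraph:
    """Directed graph whose arcs are keyed by (from_node, to_node)."""

    def __init__(self) -> None:
        self.arcs = {}

    def add_arc(self, src: str, dst: str, weight: float) -> None:
        self.arcs[(src, dst)] = Arc(W=weight)

    def deposit(self, history: list, success: bool) -> None:
        """Release pheromone after the ant validates history[-1].

        history is the ordered list of nodes the ant went through, ending at
        the node just completed. The arc that led there gets 1 unit, the one
        before it 1/2, then 1/3, 1/4, ... up to BACKPROP_SCOPE arcs back.
        """
        # arcs from the most recent backwards: (F,G), (E,F), (D,E), (C,D), ...
        path = list(zip(history[:-1], history[1:]))[::-1]
        for k, key in enumerate(path[:BACKPROP_SCOPE], start=1):
            if key not in self.arcs:
                raise KeyError(f"history uses unknown arc {key}")
            arc = self.arcs[key]
            if success:
                arc.S += 1.0 / k
            else:
                arc.F += 1.0 / k

    def evaporate(self, rate: float = EVAPORATION_RATE) -> None:
        """Daily decay so that old experience gradually loses influence."""
        for arc in self.arcs.values():
            arc.S *= rate
            arc.F *= rate

    def pheromones(self, src: str, dst: str) -> tuple:
        """Return (S, F) for one arc."""
        arc = self.arcs[(src, dst)]
        return arc.S, arc.F


def build_demo_graph() -> PedagogicGraph:
    """Constructed sample: the chain A -> B -> ... -> G from the paper's illustration."""
    g = PedagogicGraph()
    nodes = "ABCDEFG"
    for a, b in zip(nodes, nodes[1:]):
        g.add_arc(a, b, weight=1.0)  # uniform teacher weight for the sample
    return g


def run_illustration() -> PedagogicGraph:
    """Replay the paper's example: an ant walks A..G and validates G with success."""
    g = build_demo_graph()
    g.deposit(list("ABCDEFG"), success=True)
    return g


if __name__ == "__main__":
    graph = run_illustration()
    for key in [("F", "G"), ("E", "F"), ("D", "E"), ("C", "D"), ("B", "C")]:
        print(key, graph.pheromones(*key))
```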

CONCLUSIONS AND PERSPECTIVE

Paraschool wanted a smart automatic system that could adapt to different users without manual intervention, which would be totally unrealistic to envisage for 10000 students. The ant-based system described in this paper not only offers such automatic features, by gradually modifying pedagogic paths suggested by teachers using collective experience and by making the structure individual-specific thanks to variables such as H, but also comes up with emergent information that can be used as a refined auditing tool to help the pedagogical team identify the strengths and weaknesses of the software and pedagogic material.

From a more theoretical standpoint, this work can be seen as a new take on Interactive Evolutionary Computation, where the solution to a problem is gradually constructed and modified by multiple interacting entities with different and possibly opposite goals. A creative and robust compromise can be reached that balances all the influences and constraints, which allows all participating entities to benefit from an emergent culture and to enhance their decision making processes accordingly. This suggests a great deal of new and exciting applications in the field of Collective Cognition Modelling and Collective Evolutionary Design.

Planning Network Security

The Need for Computer / Network Security:

Computer / network security includes:
Control of physical accessibility to computers / network
Prevention of accidental data erasure, modification, or compromise
Detection and prevention of:
  Intentional internal security breaches
  Unauthorized external intrusions (hacking)

All three legs of the triangle must exist for a network intrusion to occur:
Motive: a reason to want to breach your security.
Means: the ability to do so.
Opportunity: the chance to enter the network.
This last item is the administrator’s only chance at controlling events.

Principles of Network Security:
Network security goals are sometimes identified as:
Confidentiality: only the sender and intended recipient should “see” the message.
Integrity: sender and receiver want to make sure that the message is not altered in transit, or afterwards.
Authentication: the sender and receiver want to confirm each other’s identity.
Availability: services and resources must be available and accessible.

Understanding Risk Management:
A key principle of security is that no network is completely secure.
Information security deals principally with risk management.
The more important an asset, the more it is exposed to security threats, thus the more resources you must put into securing it.

Understanding Risk Management – 2:
In general, without training, administrators respond to a security threat in one of three ways:
Ignore the threat, or acknowledge it but do nothing to prevent it from occurring.
Address the threat in an ad hoc fashion.
Attempt to completely secure all assets to the utmost degree, without regard for usability or manageability.
None of these strategies takes into account what the actual risk is, and all of them will usually lead to long-term failure.

What are Some Risks?
Eavesdropping: interception of messages.
Hijacking: taking over the role of a sender or receiver.
Insertion: of messages into an active connection.
Impersonation: spoofing a source address in a packet, or any field in a packet.
Denial of service (DoS): preventing others from gaining access to resources, usually by overloading the system.

Managing Risk:
Once the assets and their corresponding threats have been identified, risk management can consist of:
Acceptance
Mitigation
Transference
Avoidance

Accepting Risk:
If you take no proactive measures, you accept the full exposure and consequences of the security threats to an asset.
You should accept risk only as a last resort, when no other reasonable alternatives exist or when the costs of the alternatives are extremely high.
When accepting risk, it is always a good idea to create a contingency plan.
A contingency plan details a set of actions that will be taken after the risk is realized and will lessen the impact of the compromise or loss of the asset.

Mitigating Risk:
The most common method of securing computers and networks is to mitigate security risks.
By taking proactive measures either to reduce an asset’s exposure to threats or to reduce the organization’s dependency on the asset, you are mitigating the security risk.
A simple example: installing antivirus software.

Transferring Risk:
Transferring security risk to another party has many advantages, including:
Economies of scale, such as insurance.
Use of another organization’s expertise and services.
Example: using a web hosting service.
When undertaking this type of risk transference, the details of the arrangement should be clearly stated in a contract known as a service level agreement (SLA).

Avoiding Risk:
The opposite of accepting risk is to avoid the risk entirely.
To avoid risk, you must remove the source of the threat, the exposure to the threat, or your organization’s reliance on the asset.
Generally, you avoid risk when there are little to no possibilities for mitigating or transferring the risk, or when the consequences of realizing the risk far outweigh the benefits gained from undertaking the risk.
An example can be a military or law enforcement database that, if compromised, could put lives at risk.

Implementing Security:
Think of security in terms of granting the least amount of privileges required to carry out the task.
Example: consider the case of a network administrator unwittingly opening an e-mail attachment that launches a virus.
If the administrator is logged on as the domain administrator, the virus will have administrator privileges on all computers in the domain and thus unrestricted access to nearly all data on the network.

Defense in Depth:
Imagine the security of your network as a series of layers.
Each layer you pull away gets you closer to the center, where the critical asset exists.
On your network, defend each layer as though the previous outer layer is ineffective or nonexistent.
The total security of your network will dramatically increase if you defend at all levels and increase the fault tolerance of security.
Example: to protect users from launching an e-mail-borne virus, in addition to antivirus software on the users’ computers, you could use e-mail client software that blocks potentially dangerous file types from being executed, block potentially dangerous attachments according to their file type, and ensure that the user is running under a limited user account.

Reducing the Attack Surface:
An attacker needs to know of only one vulnerability to attack your network successfully, whereas you must pinpoint all your vulnerabilities to defend your network.
The smaller your attack surface, the better chance you have of accounting for all assets and their protection.
Attackers will have fewer targets, and you will have less to monitor and maintain.
Example: to lower the attack surface of individual computers on your network, you can disable services that are not used and remove software that is not necessary.

Addressing Security Objectives:
Controlling physical access to:
  Servers
  Networked workstations
  Network devices
  Cabling plant
Being aware of security considerations with wireless media related to portable computers.
Recognizing the security risk:
  Of allowing data to be printed out.
  Involving floppy disks, CDs, tapes, and other removable media.

Recognizing Network Security threats:
To protect your network, you must consider the following:
Question: from whom or what are you protecting it?
Who: types of network intruders and their motivations.
What: types of network attacks and how they work.
These questions form the basis for performing a threat analysis.
A comprehensive threat analysis should be the product of brainstorming among people who are knowledgeable about the business processes, industry, security, and so on.

Classifying Specific Types of Attacks:
Social engineering attacks
DoS attacks
Scanning and spoofing
Source routing and other protocol exploits
Software and system exploits
Trojans, viruses and worms

It is important to understand the types of threats in order to deal with them properly.

Designing a Comprehensive Security Plan:
Based on RFC 2196, the Site Security Handbook:
Identify what you are trying to protect.
Determine what you are trying to protect it from.
Determine how likely the anticipated threats are.
Implement measures that will protect your assets in a cost-effective manner.
Review the process continually and make improvements each time a weakness is discovered.

Steps to Creating a Security Plan:
Your security plan will generally consist of three different aspects of protecting your network.
Prevention: the measures that are implemented to keep your information from being modified, destroyed, or compromised.
Detection: the measures that are implemented to recognize when a security breach has occurred or has been attempted, and possibly, the origin of the breach.
Reaction: the measures that are implemented to recover from a security breach to recover lost or altered data, to restore system or network operations, and to prevent future occurrences.

Security Ratings:
The U.S. government provides specifications for the rating of network security implementations in a publication often referred to as the Orange Book, formally called the DOD Trusted Computer System Evaluation Criteria, or TCSEC.
The Red Book, or Trusted Network Interpretation of the TCSEC (TNI), explains how the TCSEC evaluation criteria are applied to computer networks.
Canada has a security rating system that works in a similar way: CTCPEC.

Security Ratings - 2:
To obtain a government contract, companies are often required to obtain a C2 rating.
A C2 rating has several requirements.
That the operating system in use be capable of tracking access to data, including both who accessed it and when it was accessed.
That users’ access to objects be subject to control (access permissions).
That users are uniquely identified on the system (user account name and password).
That security-related events can be tracked and permanently recorded for auditing (audit log).