SecurityInfoWatch
Updated: November 26th, 2007 02:51 PM EDT

Coordinating Our Network Defenses

Making the case for coordinated endpoint security, as developed by Trusted Computing Group

SIW contributor Stuart Bailey is founder and CTO for Infoblox, a leading developer of core network services solutions for enterprise networks.

Stuart Bailey
Infoblox Founder and CTO

Jan walks into the office at 8 a.m. with a hot cup of coffee and a calm look on her face. After a few minutes, she notices that the dreaded “Fawlty” virus tried to bring the corporate network to a grinding halt last night, but didn't. At first glance it looks like a visitor to the Executive Briefing Center inadvertently infected the guest wireless network, but a deeper trace suggests that a malicious Russian hacker spoofed a VOIP call to gain access to the core data center.

Finally, the records show that amidst the chaos of last night's maintenance window, Jan's coordinated defense system correlated the “Fawlty” virus and the VOIP session to an infected, but authenticated, laptop running Windows XP in the EBC and quarantined it. She now has the name and number of an executive to follow up with today. She decides that she'll walk this one up herself.

Jan's fictional coordinated defense system sounds too good to be true. For most cost-sensitive buyers of off-the-shelf network security systems, it is too good to be true. For starters, Jan would need to know exactly where to look to find out what devices are on the network, who is associated with those devices, where those devices have been, what the network traffic from those devices looks like, and as much activity history of those network devices as possible.

Unfortunately, for most organizations, this information is scattered among the various logs and records of firewalls, provisioning systems, and switches, to name just a few places. In most organizations, gathering this data would require a heroic effort, if it is possible at all. Furthermore, individual security components, such as firewalls, IDS and IDP systems, antivirus gateways, client software, and authentication systems, look for vastly different types of threats and are not configured to coordinate with each other. One component may perceive a system-wide threat as a network worm, another may see it as a compromised endpoint, and another may see it as a distributed authentication attack.

The various systems have no common way of contributing their piece of knowledge to a shared picture that would give a more complete view of network and endpoint activity and status. Without such mechanisms, it is impractical, or impossible, to provide appropriate, coordinated responses to attacks using heterogeneous components, even if they are from the same vendor.

What about NAC – Is It Enough?

The concept of fine-grained regulation of network connectivity by Network Admission Control (NAC) has been developing for the last five years. However, Jan's story requires something more; it requires a coordinated network defense.

Regulating the admission process with NAC is only the first step. With the variety of capable and proven NAC technologies available on the market today, we are entering an age where multi-vendor coordinated defense is the logical next step. What is coordinated network defense, and is it possible?
