In my work as a security engineer, I’m often asked which is more important: network security or application security. My answer is they’re both critical. In this tip, I’m going to focus on why network security is important, how it differs from application security and ways to strengthen network security. In a second tip in this series, I’ll follow up by demonstrating why application security is also a critical component in your overall...
The difference between network and application security
Network security is considered the traditional element of modern information security, because most security breaches started out at the network layer. To illustrate networking and application security, consider a private home with high-value targets. The access to the home (front gate, long driveway, wide lawns, and surveillance cameras) is a crucial element to protecting the home. Physical security engineers will spend significant resources designing the home such that no one can approach it without detection and such that they can only approach the home by overcoming challenging obstacles. A web application is the same concept -- protecting the data confidentiality, integrity and availability of the application starts well before a hacker has reached the database. If you can prevent the hacker from ever reaching the application, or force the hacker to access the application in the same limited way a valid user can, you have significantly reduced your scope of coverage.
The goals of network security are to:
- Protect network resources (devices, appliances, servers, workstations, etc.) from unauthorized access.
- Ensure network resources are available to accomplish organizational purposes.
- Protect the confidentiality and integrity of data traveling across networks.
- To detect and proactively respond to attempted and actual network attacks.
In 2002, SecureIT Consulting Group created a presentation for ISSA-NE. That presentation included a step-by-step illustration of why network security is so critical, and it has been adapted for this tip:
Network security is so critical here because it prevents access to applications and data, preserves the availability of network resources, and ensures the confidentiality and integrity of data travelling within the network. To put it another way, your application can be built more secure than the strongest fortress, but if a hacker can pull your network down, the application is still useless.
Back to basics
Network security analysis shows most attacks on networks are due to poor system and administrative controls. (In an analysis of the Spiderslabs 2010 report, one journalist discovered that 84% of breaches occurred where no firewall was in place!) In other words, everything necessary for a secure network is available to the administrator, but it’s not configured correctly. The takeaway here is that network security isn’t about doing the advanced things, it’s about ensuring the basics are done, and done right.
Start with a firewall
This tip is more about the why and less about the how, but a brief overview of network security might help. Network security is built around the concept of defense in depth, or redundant layers of security. A good network security strategy begins with a firewall in place -- a firewall which is programmed to detect inbound traffic, to inspect that traffic, and to only route traffic to valid destinations (IP addresses and ports). This is the equivalent to a guard house at the intersection of a driveway and a public street. The guard stops inbound visitors, verifies their destination, and ensures they are routed correctly.
Another good strategy for network security is network segmentation. This is the concept of dividing network traffic into like “groups.” For instance, production servers should always be isolated from corporate desktops. Applications supporting production Web servers should be hosted on servers segmented from both. Some traffic may be allowed to pass between segments, but it’s limited by IP, content and destination.
Another network security strategy is to encrypt transactions to and from important shares or servers. For instance, personal health information is required by United States law to be protected with encryption at rest and in motion. An insurance company which stores and analyzes patient transactions must store that information in an encrypted database, and any connection to the database to pull down data must take place over an encrypted path. Leveraging network encryption technologies such as IPSec or L2TP can enable the system administrator to secure data in motion and at rest within the corporate network -- and ensure the company stays in compliance with numerous international laws regarding data privacy.
An oft-overlooked key to network security is the use of logging -- both the act of logging traffic details as well as reviewing logs real-time to discover potential threats. A critical situation for this is the relatively new “Advanced Persistent Threat.” This threat is generally a piece of malware which resides undetected within a corporate network, most often on a workstation. The malware gathers important data, a little bit at a time, and sends that data home to a server somewhere on the Internet. Looked at individually, each piece of outbound traffic appears innocuous, but when reviewed in aggregate in a log analysis tool, the APT provides a clear signature and can alert the security administrator to a potential threat.
Network security is not the only necessary approach to securing a company’s information. Once the network has been secured, the next important step (and the subject of a subsequent tip) is to secure the applications hosted on the corporate network. Network security and application security are the yin and yang of an information security -- you cannot have one without the other.