Five Things You Can't See on Your Network
- 19 March, 2009 10:05
Networks today are blind. As analyst firms such as Gartner have pointed out, IT doesn't really know which users are on the network. Similarly, IT knows very little about the application traffic on the LAN.
IT relies on cryptic tools to stand in for user and application data, but these tools can rarely be used to tie the information back to real-time traffic.
But if networks have been blind to users and applications for a long time, why is this black hole a problem now? Changes in business practices have changed the risk dramatically. Organizations now host far more people, many of them "outsiders" just visiting, and users are increasingly bringing in more and more applications all the time.
Realistically, businesses need these changes for the productivity gains they enable. Companies need to work with partners and contractors to complete projects efficiently, and often new applications drive new levels of collaboration amongst employees. So the key is for IT to allow these fruitful practices without compromising the security of the organization's digital assets or the productivity of the employees.
What kinds of risks can IT avoid by adding identity and application visibility and control to the network?
Here are just a few examples:
Applications (or people) behaving badly: A bank was under the impression that teller transactions were happening over encrypted tunnels using SSH. After gaining application intelligence in the network and watching their application flows, they noticed huge amounts of Telnet sessions and tracked them back to the tellers. They learned that those sensitive transactions, involving customer financial and personal data, were running in the clear over Telnet rather than being encrypted over SSH.
Who's visiting which sites: Any business that bills clients based on employee time needs to make sure the employees are billing appropriately. A call center company bills by time needed to service incoming calls, and the billing cycle initiates the second the call enters the call center's queue, even if the client's customers have to wait on hold. A study of top applications at one call center revealed extensive access to web-based gaming sites. Turns out playing these games was delaying some employees from answering calls quickly, inappropriately increasing the fees charged to clients. By tying web site access to username, the company eliminated this time-waster and returned to accurate billing for its customers.
The Port 80 problem: People typically use this term to describe the plethora of applications that run on Port 80. While those flows used to correspond to web surfing traffic, today far more applications use that L4 port. Think of the Oracle application serviced via a web browser, or CRM applications using cloud computing such as SalesForce.com. Knowing something is Port 80 actually tells you very little now. And in fact, assuming what application is running based on the use of L4 port can actually leave an organization at risk. Consider the software vendor who thought they'd successfully shut down eDonkey by closing its well-known port on the perimeter firewall. Once they were able to perform detailed application inspection on the LAN, they saw eDonkey was still widely in use, putting their source code at risk.
Page BreakIP addresses don't equate to users: Looking for IP addresses to be a proxy for users can similarly put an organization at risk. IT often relies on spreadsheets to track addresses and tie them to usernames. In one case, a company's spreadsheet indicated that a certain IP address belonged to a switch port, and so that port was grouped with other "management" devices and assigned a policy to use only relevant management applications. Imagine the confusion when policy violations abounded. By looking at detailed flows, they were able to identify the "sender" as a user, and not a switch. This situation could easily have created the possibility for duplicate IP addresses and network loops, for example, or for users to be incorrectly grouped and accidentally given access to sensitive financial data. With only IP addresses to keep tabs, an organization truly has no idea about who is doing what on the network.
Illegal downloads: Being able to tie media downloads to individuals is key not only to retain productivity (and server space!) but also to meet compliance needs. Any organization where such activity is happening ends up liable, and the MPAA and RIAA are adamant about enforcing copyright violations. Given the chance to link download traffic to a specific user, IT can go to that user and reiterate the Internet usage policies, possibly saving a friend's job or a student's enrollment.
The changes in business practices I mentioned previously are happening very quickly, and IT must be able to tie traffic to user names. This facility is critical for enforcing access policies, achieving enforcement, satisfying compliance demands, meeting industry audits, and ensuring employee productivity. That level of visibility in the LAN is essential for IT to control what users can do on the LAN, because you can't control what you can't see.
So for a variety of reasons-data protection, employee productivity, simplified IT operations, and perhaps someone's job-IT should look for ways to more clearly know the identity of the users on the LAN and the full range of applications in use. Whatever the mechanism, IT will reap many rewards from identity-based user and application control.
Jeff Prince is chairman and CTO of ConSentry Networks.