Who Can You Trust?
Companies have traditionally adopted a fortress mentality with network perimeter security to protect corporate applications and assets. But things are changing, driven by increasing threats from inside the LAN and more company laptops and mobile devices moving in and out of the network. This means that IT managers must now treat every connection on the internal network as “dirty’. In effect, there is no longer a trusted enterprise.
A second driver is the increasing demand for anywhere, anytime access to business resources, presenting the challenge of managing an unknown number of fixed or wireless devices as valid remote access points to the corporate network.
With perimeter-based security becoming more complex, network architects are taking a new approach to build borderless global enterprises where security is inherent rather than applied only at the interface between the internal network and the outside world. This is becoming known as deperimeterization or the inverted network.
An inverted network partitions traditional networks – where every user, system or device on the inside is assumed to have the same level of trust – into a number of smaller pieces, each sharing common trust attributes. These trust domains are protected from one another by internal firewalls and perimeter security. Typically, the multiple trust domains will contain either, application servers and data centre resources or groups of users. Users for example, may be defined geographically or by job function or relationship to the business; however, in general, they fall into two categories – the public domain and semi-trusted users. The secret is to trust no user, system or device completely and to verify any trust that you extend within and beyond a trust domain.
SSL VPNs already provide secure remote access from fixed or wireless devices on the Internet. Unlike traditional VPNs based on IPSec (Internet Protocol Security) technology, SSL or Secure Socket Layer VPNs offer clientless and client-based access from any device with an Internet connection. This includes a machine on someone else’s network, an airport or tradeshow kiosk, home PC, wireless laptop or PDA.
The machine may be a company supplied and managed desktop or laptop located on the enterprise’s local fixed or wireless network and associated with the proper trust domain. In effect, internal and external access become the same. Because SSL VPNs use existing conventional transport protocols, they can work well over all forms of network mediums such as broadband, satellite, wireless and cellular networks.
In an inverted network authentication goes beyond validating users and extends to managing risks inherent in users’ computing environments – their operating systems, browsers, applications and type of network. With access devices that may include cyber cafés, hotel computers or a friend’s home PC, threats such as Trojans, key stroke loggers, viruses and worms are greater.
End point control measures are designed to authorise the appropriate level of access for authenticated users, given the known risk of their environments. For example, full access to business applications may be granted from a corporate-managed desktop compared to simply checking email from a cyber café.
This can be achieved by integrating technologies to enforce security at the end point, such as personal firewalls that are installable as desktop images or transient software agents. Desktop integrity checking software scans the computer to ensure new threats are identified and removed, while desktop operating system vendors have a powerful incentive to create increasingly trustworthy platforms.
With an integrated and scaleable object-based SSL VPN policy model, it is possible for network administrators to provide fine-grained access control rules that precisely define which individuals or groups have access to which applications from which types of end points. With an inverted network and multiple trust domains, authorisation can be centralised and independent of application servers and the perimeter access controls.
The idea of the inverted network or deperimiterization is increasingly resonating with large companies and it is more likely that SSL VPN technology — developed to meet the demand for secure remote access — will play a major role in delivering the secure inverted network.