The Scorched Earth LAN & A Better Enterprise Security Model

The enterprise LAN is a blasted wasteland of dead and dying technologies. I call for a strategic retreat.

It seems to me that endpoints, such as desktops, and the LAN in enterprise networks just aren’t defensible any more. Not only are we still relying on signature based controls on the endpoint and in the network, the management of end users’ hardware and software bundles is a huge waste of time and money and effort. All that effort we’re expending on trying to manage the Cursed Earth that is the LAN and desktop estate could be better deployed trying to protect what actually matters to the enterprise – data and, by extension, the data centre.

Turning the Data Plane into Remote Access

If we give our users a solid wired and wireless infrastructure that’s properly segmented from the data centre, then we can concentrate on securing the control plane and allowing the data plane to become a remote access technology. The authentication point can then be centralised, rather than pushing it out onto the LAN. We simply expect users to VPN in and authenticate using two-factor authentication to a RADIUS server, backed off to LDAP or AD.

To stop endpoints attacking each other over the LAN (however much fun that would be to watch), we need to make sure that the data plane implements appropriate restrictions and prevents client-client communication.

Security by Identity

Over the last couple of years, I’ve come to the conclusion that trying to define the security policy by IP address on the network is a losing game. IP addresses and transport layer ports just aren’t a good way of managing traffic any more. For us to secure the network now, we have to focus on what actually matters for the users. From my point of view, we should be using a triad to define policy.

  • Identity: the user should have a single identity on the network. Active Directory or LDAP is a good source for this.
  • Application: security controls need to be application-aware so that granular access can be enforced.
  • Data: the data that the user is trying to access.

Cisco has been talking a lot recently about identity based policy enforcement, and I’m inclined to agree with them. The same user should get the right policy, no matter the device, location or access technology they use. That policy should follow them as they roam to a new location and device.

Tools (No – Not the AV Vendors)

To support this kind of change, there’s a need for some re-tooling. Apart from anything else, the perimeter needs to be application and identity aware so that security policies can be enforced. I’m going to need better orchestration tools for security functions so that it doesn’t take me weeks to build new services, and I’ll need some good intelligence to help me decide on where to deploy new tools and resources, as well as to give me an insight into what’s happening on the network.

To do that, I need the following:

  • Single identity source
  • High capacity remote access and virtual desktop solutions
  • Application aware firewalls and IPS
  • Robust management and orchestration tools (Software Defined Security anyone?)
  • Correlation, analytics and profiling

That All Sounds a Bit Scary – What’s the Alternative?

At the moment, it’s still possible to continue down the road of managing the LAN and desktop estate and chasing down rogue devices that connect to your network one at a time. You can continue to try and educate your users on why they can’t connect X or Y device to the network, and you can continue to pay AV/AS vendors a fortune to deliver endpoint insecurity.

But looking forward strategically, we need to re-think Enterprise LAN security and work out what we can actually defend.  What do you think?

Neil Anderson
Neil is a freelance network security architect and contractor working with a number of clients in Scotland and Europe. He is CCIE #18705 and also holds a CISSP. He can often be found sampling beer in remote locations and ranting about tech to anyone too stupid to run away. If you're very unlucky, he may talk to you in Gaelic. Neil can be occasionally be found on Twitter.
  • http://etherealmind.com Etherealmind

    There are some ways to do this today, and several vendors are attempting to get traction on this type of solution. The largest problem is support in the operating systems. Most enterprises still using WinXP which won’t evert have these features. Windows 7 does today but administering desktops is a huge challenge – the insecurity of Windows software means people are reluctant to add more software. AV, Asset, malware, VPN = corporate crapware.

    This should happen but I bet that is doesn’t.

    • http://twitter.com/northlandboy Lindsay Hill

      I can see it happening in specific environments – actually I know people doing parts of it already – but you’re right, the challenge is doing it in a way that works with most operating systems in use today, and for the next ten years.

      • NeilTAnderson

        I see this mostly as a way of turning security into a way of enabling behaviour that previously would have the security guys (i.e. me) waving their arms in horror. If you can give people a level of comfort around the use of non-standard devices, because the network is protected from them, you tend to get their attention.

        Then you can tell them that they won’t need to manage desktops any more. I think this is a long term strategy, rather than a quick fix, but I genuinely believe that the enterprise managed desktop needs to die. Preferably before the point where we’re being asked to roll out Windows 8.

        • http://twitter.com/northlandboy Lindsay Hill

          Given the shocking usability of most corporate laptops, I think users would be dancing in the aisles if they no longer had to put up with those systems. I know I’m grateful for working at a place that lets me choose my own hardware/software, and lets me manage it as I see fit.

          I don’t see Windows 8 being rolled out in Enterprises. I actually wonder if the current Win7 rollout cycle will be the last major Enterprise-wide rollout. After all, the last one was a decade ago, and we all know the IT picture will look very different in 10 years.

          This will mean massive upheaval to policies, and typical IT roles. There will be much resistance, and many people who think they “know IT” will find that actually, all they know is how to pop in a CD and click Next. This week I saw some desktop support staff building some laptops, and there were CDs being popped in and out, and I just thought “WTF are you doing?”

          Parallels to the changes I expect we’ll see in networking. Some will make it, some won’t. Hopefully I scrape through, or that move to project management will come quite a bit sooner than planned!

  • http://twitter.com/gilesguthrie Giles Guthrie

    Good reasoning. I tried to get a client to consider their network landscape as thre dimensional, where X & Y were locations as they understood, and the Z-axis corresponded to the significance of the data and/or user in that location. Defence strategies could therefore be built accordingly.

    I found (and subsequently verified with other clients) that they don’t really like the idea of seeing users (trusted employees) as being threats to corporate IP assets in the datacentre, even though they can understand simple concepts like not letting people at the salaries DB table.

    So ringfencing access layers from data layers is the pragmatic approach, but selling an investment scenario designed to keep authenticated users out is still quite tricky.

    • NeilTAnderson

      I usually try and explain it by saying that it’s not the users that we don’t trust – after all, if they’re really untrustworthy then they’ll print stuff out or photograph it, not matter what DLP you have in place. Rather, it’s the devices and the pain of managing them that you’re trying to mitigate.

      It’s also very important to set financial expectations. This kind of approach needs heavy investment initially, with long-term savings a real possibility.

      Of course, I usually spoil all my hard work by saying something like “… and anyway: signature based security controls? Surely we should be living in the now?”

7ads6x98y