The enterprise LAN is a blasted wasteland of dead and dying technologies. I call for a strategic retreat.
It seems to me that endpoints, such as desktops, and the LAN in enterprise networks just aren’t defensible any more. Not only are we still relying on signature-based controls on the endpoint and in the network, but the management of end users’ hardware and software bundles is a huge waste of time, money and effort. All the effort we’re expending on trying to manage the Cursed Earth that is the LAN and desktop estate could be better spent protecting what actually matters to the enterprise – data and, by extension, the data centre.
Turning the Data Plane into Remote Access
If we give our users a solid wired and wireless infrastructure that’s properly segmented from the data centre, then we can concentrate on securing the control plane and allow the data plane to become a remote access technology. The authentication point can then be centralised, rather than pushed out onto the LAN. We simply expect users to VPN in and authenticate, using two-factor authentication, to a RADIUS server backed by LDAP or AD.
To stop endpoints attacking each other over the LAN (however much fun that would be to watch), we need to make sure that the data plane implements appropriate restrictions and prevents client-client communication.
Security by Identity
Over the last couple of years, I’ve come to the conclusion that trying to define the security policy by IP address on the network is a losing game. IP addresses and transport layer ports just aren’t a good way of managing traffic any more. For us to secure the network now, we have to focus on what actually matters for the users. From my point of view, we should be using a triad to define policy.
- Identity: the user should have a single identity on the network. Active Directory or LDAP is a good source for this.
- Application: security controls need to be application-aware so that granular access can be enforced.
- Data: the data that the user is trying to access.
Cisco has been talking a lot recently about identity based policy enforcement, and I’m inclined to agree with them. The same user should get the right policy, no matter the device, location or access technology they use. That policy should follow them as they roam to a new location and device.
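To make the triad concrete, here is an added example (not code from the original post) that evaluates the same request under a legacy IP-keyed rule set and under an identity-keyed one, showing that only the latter follows the user when they roam. The directory, groups, applications and addresses are constructed for the illustration.

```python
# Added example: identity-triad policy versus address-based policy.
# Directory, rules, users and IP addresses below are all constructed.
from dataclasses import dataclass

# What LDAP/AD would supply: user -> group memberships.
DIRECTORY = {
    "alice": {"finance"},
    "bob": {"engineering"},
}

# Identity triad rules: (group, application, data classification) -> allowed.
IDENTITY_RULES = {
    ("finance", "erp", "financial"): True,
    ("engineering", "git", "source"): True,
}

# Legacy rules keyed on (source IP, destination port) only.
IP_RULES = {
    ("10.1.1.10", 443): True,   # alice's desk at the office
}

@dataclass(frozen=True)
class Request:
    user: str
    src_ip: str
    app: str
    port: int
    data_class: str
    mfa_passed: bool

def ip_policy(req: Request) -> bool:
    """Legacy decision: address and port only; who is asking is invisible."""
    return IP_RULES.get((req.src_ip, req.port), False)

def identity_policy(req: Request) -> bool:
    """Triad decision: who, which application, which data. The source
    address plays no part, so the outcome follows the user across devices
    and locations; two-factor authentication is required regardless."""
    if not req.mfa_passed:
        return False
    groups = DIRECTORY.get(req.user, set())
    return any(IDENTITY_RULES.get((g, req.app, req.data_class), False) for g in groups)

def roaming_comparison() -> dict:
    """Same user, same application and data, two locations (desk and VPN pool)."""
    at_desk = Request("alice", "10.1.1.10", "erp", 443, "financial", True)
    on_vpn = Request("alice", "172.16.5.77", "erp", 443, "financial", True)
    return {"ip_desk": ip_policy(at_desk), "ip_vpn": ip_policy(on_vpn),
            "id_desk": identity_policy(at_desk), "id_vpn": identity_policy(on_vpn)}
```

The IP rule set silently loses the user the moment their address changes, while the identity rule set gives the same answer in both places and still denies a user outside the right group or without a second factor.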
Tools (No – Not the AV Vendors)
To support this kind of change, there’s a need for some re-tooling. Apart from anything else, the perimeter needs to be application- and identity-aware so that security policies can be enforced. I’m going to need better orchestration tools for security functions so that it doesn’t take me weeks to build new services, and I’ll need some good intelligence to help me decide where to deploy new tools and resources, as well as to give me insight into what’s happening on the network.
To do that, I need the following:
- Single identity source
- High capacity remote access and virtual desktop solutions
- Application aware firewalls and IPS
- Robust management and orchestration tools (Software Defined Security anyone?)
- Correlation, analytics and profiling
That All Sounds a Bit Scary – What’s the Alternative?
At the moment, it’s still possible to continue down the road of managing the LAN and desktop estate and chasing down rogue devices that connect to your network one at a time. You can continue to try to educate your users on why they can’t connect X or Y device to the network, and you can continue to pay AV/AS vendors a fortune to deliver endpoint insecurity.
But looking forward strategically, we need to re-think Enterprise LAN security and work out what we can actually defend. What do you think?