The Connecticut Technology Council is a statewide association of technology oriented companies and institutions, providing leadership in areas of policy advocacy, community building and assistance for growing companies.
White Papers

June 2005

Layered Defense Approach to Network Security

Bob Gaughan, Nortel Networks Corporation

Today’s enterprises and governments are enjoying the many benefits of greater communications with fewer boundaries between them and their business partners, customers and remote employees. While there are many benefits, they can be outweighed by the various risks of doing business on public networks or open intranets. Organizations must still make the right business decisions to appropriately protect their assets, sensitive information (payroll, research and development, etc.) and their customers’ privacy.

A properly designed and implemented security policy is an absolute requirement for all types of enterprises. It should be a living document and process that is enforced, implemented and updated to reflect the latest changes in the enterprise infrastructure and service requirements. Ultimately, a solid approach to network security ensures not only the security of your network but also your overall network reliability, resiliency, business continuity and business productivity.

An enterprise’s need to communicate with its remote employees, business partners and customers should not be hampered by the threats public networks can harbor.

Securing the network perimeter and prohibiting unauthorized access from within can prove to be a daunting challenge. Today’s businesses must guarantee uninterrupted access to network resources and the applications they support; and a consistent quality of experience for real-time applications, such as IP telephony and unified communications services. Products must be designed with a high level of resiliency and security even under attack. Evolution of the enterprise and the way it does business, coupled with today’s network threats, has reduced the effectiveness of traditional perimeter security.

A Layered Defense uses multiple approaches to security enforcement at multiple areas within a network. This approach removes single points of security failure in order to secure enterprise information assets.

With security solutions that presume a multi-vendor network, customers can pick and choose which solutions they want to leverage in a heterogeneous environment. Based on open, standards-based solutions, this approach enables easy integration and simplified operations that reduce the overall network security total cost of ownership. A Layered Defense can be thought of in the context of broad functional security solution components such as Endpoint Security, Perimeter Security, Core Network Security, Secure Communications and Security Management & Platform Security.

Endpoint security — Blocking threats at the source
As employees, business partners and customers make more use of the enterprise network to meet their business objectives, enterprises need more control of the endpoints that are used to access the network. Because so many threats are from internal users on the network, this must include wired and wireless endpoints within the network as well as those at remote endpoints, where there is less control over the user’s device.

Securing the perimeter
There are a number of options for protecting the perimeter — be it an internal perimeter around departments, secure multimedia zones to protect multimedia and IP Telephony call servers, or at the external edge of the network. VLANs are an important Layer 2 mechanism to define internal perimeters. No matter what your business need, perimeter security products are designed to ensure you can effectively and efficiently secure boundaries between network zones of differing levels of trust, enabling your business to ensure your information assets are protected without minimizing business agility.

Core network security — Keeping watch for malicious activity and enforcing policy
Continually monitoring the network for malicious activity is key to ensuring that, if an attack slips through other layers of security (e.g., endpoint, perimeter, deep packet inspection, signature matching, etc.), your network will detect it and take appropriate action to block the attack and ensure survivability. This is of great concern with internally generated attacks or infections that may have unwittingly been released into the network by an otherwise innocent user. A great example is an Instant Message (IM)-delivered virus. With an early warning system, the network can identify the signs of such a virus once it is in the core of the network, define an effective mitigation tactic and push out a policy to enforcement points in the network to filter out the unwanted traffic. This protects the network and ensures survivability even during an attack.

Secure communications — Protecting information in transit
Protecting corporate and government information from unauthorized discovery, eavesdropping or misappropriation while it transits hostile networks is an important element of the Layered Defense approach to security. Enterprises have several options to secure traffic leaving or arriving at their network. Offering multiple methodologies enables customers to choose the exact solution that meets their organization’s security need while minimizing TCO. While VPN is the primary approach to securing communications, VLANs can be used in conjunction with VPNs to enhance security. Coupled with the endpoint protections mentioned earlier, VPN and VLAN-enabled user devices are also checked before being allowed to join any network.

Security management and platform security
A security solution can easily become too costly and not very beneficial if you can’t effectively manage it. Effective management requires configuration, policy and event management components.

Incorrectly configured devices can be a key weakness in a network’s security posture. The configuration of several devices on large enterprise multi-vendor networks can present many problems and be very costly. There are ways to offer complete multi-vendor network configuration control that tracks, regulates and automates all configuration and software changes across multi-vendor network devices. In addition, there are solutions that enable IT governance initiatives, automate delivery and enforcement of network change control processes, and provide automated management of security and compliance best practices.

Summary
The organization’s need to share information between employees, business partners and customers should not be hampered by threats to public networks or internally originated attacks. A Layered Defense is key to ensuring that an organization removes all single points of security failure and is able to fully leverage the benefits realized from state-of-the-art applications and networks. By building multiple approaches to security enforcement into all areas within a network, organizations are deploying a security infrastructure that is highly resilient against attacks while also providing the privacy capabilities needed to remain compliant with so many of today’s new regulations.

 

