
Guest Blog: Taming the Tiger in Your Network

Darren Turnbull

We have created a world of users that expect to gain access across a range of devices and network connections instantly. Remote working blurs the line between the workplace and home life with access any time from anywhere being expected. Access to everything, by everyone, from everywhere – all of it securely?

In a world that demands a secure business-computing environment but insists on ubiquitous connectivity, piecemeal solutions proliferate. However, solving today’s problem in this way will create tomorrow’s nightmare.

Of course, this evolution hasn’t occurred via a series of carefully planned steps. Instead, the speed and variety of change has taken many IT managers by surprise. Reacting to these events has created a multitude of solutions to address the emerging or expected problems. It seems as though every new vulnerability creates an opportunity for a new solution, and every new solution creates an opportunity for a new vulnerability.

The result can be chaotic, with mismatched and overlapping technologies as well as a raft of hastily assembled rules and policies. All of this is created in the hope that each will work together in defence of the network and support the business expected to fund this effort. It is the very antithesis of ‘holistic’.

Having created such an environment, it becomes very difficult to let go. You hope you have tamed the tiger, but there’s a chance it will still bite someone. In other words, you hope you have a solution, and you hope it is secure.

Unfortunately, today’s reality sees the network management of most organisations struggling to accomplish a truly secure unified access. The escalating number and complexity of security technologies, rules and policies accumulated over time means many organisations are unable to respond effectively to the changing threat landscape.

The piecemeal approach is leaving organisations ever more vulnerable as rules are constantly added to security devices (but seldom removed), resulting in a complexity that is spiralling out of control. Administrators find it increasingly challenging to understand the security regime they are implementing and are under impossible time pressures to troubleshoot emerging problems. Within this chaos, the risk is that security holes are opening up.

So, the answer to complexity is not more complexity; the answer is simplification. But where does a business start to untangle the mess and implement a logical, manageable, sensible and secure solution to policy accumulation?

Managing a large estate of specialised security devices from many different manufacturers is a sure-fire way of multiplying the number of active security policies. In contrast, deploying a suite of complementary systems from the same vendor reduces operating costs by enabling easier and more responsive management with fewer policies, higher performance and better overall security. It also enables network access policies to be integrated with all other security policies. A single operating system across devices will obviously be a major benefit in simplifying the management process.

Simplifying security policies is further challenged by the introduction of application-aware security, a key tenet of next-generation firewall technology. So, it is important to apply an application-awareness policy to individual user-IDs in one place, and to enforce it throughout the network and across network security functions.

Indeed, even though the granularity that arises from running distinct security policies according to each different authentication environment may seem a bonus, it can be burdensome to security management. But granularity need not be sacrificed and security management can be simplified by the use of obvious tactics such as Single Sign On (SSO), which conveniently retains context about the user’s location or device.

With this approach to policy enforcement at a unified entry point onto the wired or wireless network, all policies can be determined according to user ID, device type and location.

Runaway policy accumulation will invariably occur where artificial or technology-dictated solutions to wired and wireless network access become entirely separated for management purposes. Where both coexist, wireless is typically the more dynamic environment, with similar levels of traffic to the wired infrastructure. For easier oversight as well as simplified monitoring and compliance, a unified wired and wireless policy will ensure simplicity, while still offering both visibility and control.

This can be achieved using security appliances such as Fortinet’s FortiGate range, which offers switching and access point management functionality as well as integrating other key security features including advanced firewall protection, VPN connectivity, endpoint and application control, web filtering, antimalware and data loss prevention.

Ultimately, organisations need to make smart, simple policies and reduce the decision-making process. Of course they still have a policy set to be concerned about – but that one is much easier to handle. Don’t press on with a flawed strategy and an increasingly disparate security infrastructure loosely controlled by a myriad of policies – many of which may contradict each other. Untangle the solution and simplify it. Don’t let your policy accumulation and complexity creep become a part of the problem. Tame your tiger!
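The accumulation described above (rules added but seldom removed, some contradicting each other) can be measured rather than guessed at. The following is an added example, not code from the article or from Fortinet: a small first-match rule-base audit that flags a rule as redundant when an earlier rule with the same action already covers all of its traffic, and as a contradiction when the covering rule has the opposite action. The rule fields, the `any` wildcard and the sample rule base are constructed for illustration.

```python
from dataclasses import dataclass

ANY = "any"  # wildcard: matches every value of a field


@dataclass(frozen=True)
class Rule:
    name: str
    src: str      # user, group or source zone
    dst: str      # destination network or zone
    service: str  # port or application
    action: str   # "allow" or "deny"


def covers(field_a: str, field_b: str) -> bool:
    """True if field_a matches everything field_b matches."""
    return field_a == ANY or field_a == field_b


def shadowed_by(earlier: Rule, later: Rule) -> bool:
    """True if every packet the later rule could match is caught by the earlier one first."""
    pairs = ((earlier.src, later.src), (earlier.dst, later.dst), (earlier.service, later.service))
    return all(covers(a, b) for a, b in pairs)


def audit(rules: list[Rule]) -> list[tuple[str, str, str]]:
    """Return (later_rule, earlier_rule, kind) for each rule that can never be reached.

    kind is "redundant" when both rules share an action, "contradiction" otherwise.
    Assumes first-match evaluation, as on most firewalls.
    """
    findings = []
    for i, later in enumerate(rules):
        for earlier in rules[:i]:
            if shadowed_by(earlier, later):
                kind = "redundant" if earlier.action == later.action else "contradiction"
                findings.append((later.name, earlier.name, kind))
                break  # report the first covering rule only
    return findings


def prune_redundant(rules: list[Rule]) -> list[Rule]:
    """Drop rules flagged redundant; contradictions are left for a human to resolve."""
    redundant = {name for name, _, kind in audit(rules) if kind == "redundant"}
    return [r for r in rules if r.name not in redundant]


# Constructed sample rule base (not from any real deployment)
SAMPLE = [
    Rule("r1", "staff", "intranet", "https", "allow"),
    Rule("r2", "any", "internet", "any", "allow"),
    Rule("r3", "guests", "internet", "http", "deny"),   # never reached: r2 allows first
    Rule("r4", "staff", "intranet", "https", "allow"),  # duplicate of r1
    Rule("r5", "contractors", "intranet", "ssh", "deny"),
]
```

Running `audit(SAMPLE)` reports r3 as a contradiction with r2 and r4 as redundant with r1; `prune_redundant` removes only r4, since a contradiction needs a policy decision rather than a mechanical fix.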

Fortinet has a white paper resource for security administrators to easily and seamlessly implement ID-based ‘smart policies’ across their wired and wireless network infrastructures. Entitled "Making Smart Policies with FortiOS 5", the white paper shows how organisations can unify access and security policies, apply an integrated, ID-based authentication and authorisation model, and benefit from simplified visibility of detailed real-time data.

To conclude, always keep in mind that making the simple complicated is commonplace; but making the complicated simple is ingenuity.

This article is from the CBROnline archive: some formatting and images may not be present.