In-Depth

Denetworking, Anyone?

Reducing computing systems’ exposure to attack may be the goal, but unhooking network connections—or “denetworking”—is rarely feasible. A network endpoint appliance may be the answer.

• By Rich Weiss
• 06/29/2005

If you’re an information security professional, have you ever wanted to pull the network cables out of some of your users’ PCs? Have security worries ever tempted you to disconnect critical systems from the enterprise LAN and physically isolate them, as was standard years ago?

Security managers face great pressure to secure networks in the face of increasingly sophisticated exploits, complex regulatory requirements, and employee insistence on violating simple security rules. Reducing computing systems’ exposure to attack could mitigate these challenges. However, turning back the clock on network connectivity – or “denetworking” – is usually not an option. Executives have heard for years that they must invest heavily in networking infrastructure to increase productivity and competitive advantage. Telling them that broader access sometimes causes more problems than it solves might not go over so well.

Moreover, reducing employees’ access to information resources can make the natives restless, at the very least. Several factors have contributed to their sense of entitlement:

• The growth of personal computing in general, and Web usage in particular, fostered the perception that individuals should be able to choose the information they have access to.

• Networking vendors have aggressively promoted the idea that giving more employees more connections to both information and each other will inherently increase profits.

• During the dot-com era, many people became enamored with “Metcalfe’s Law” – the assertion that the value of a network increases exponentially as the number of network users increases. Faith in this formula was partially responsible for the unrealistic value placed on the accumulation of “eyeballs” by Web sites.

Each of these propositions has some basis in reality. Unfortunately, they don’t account for security considerations. Do all white-collar workers really need Web access? Should everyone get a company e-mail account? Is anywhere, anytime browser access to ERP systems, HR databases, and customer data always beneficial? If you’re already providing more access than business needs dictate, how do you correct the situation?

Many security managers have established policies specifying least-privilege access to IT resources for each job function. Some managers find that regulatory requirements actually make policy enforcement easier. Regulations get senior management’s attention, and they can help overcome employee resistance to loss of inessential access rights.

Still, in many organizations, explicitly reducing user access is not politically feasible. In these cases, technical solutions can help. For example, segmenting or compartmentalizing networks can limit both malware propagation and unauthorized insider access. This practice isn’t new, but administrative overhead has traditionally hindered adoption.

However, a new type of easily deployed security appliance uses application-layer inspection to stop malicious traffic from traversing network segments. The appliance also prevents users in a network segment from gaining unauthorized access to resources in other segments. This indirect method of reducing unsafe and unnecessary connectivity isn’t denetworking, but it delivers similar security benefits without antagonizing employees.

Endpoint security products provide even tighter access control by stopping unauthorized traffic from entering or leaving PCs. The most advanced ones also deny network access to remote or internal hosts that don’t have updated antivirus, essential patches installed, or other security attributes. These solutions have been available for several years and have proven their ability to protect networks in the face of increasing connectivity and associated security threats.

Maybe you don’t need to start pulling plugs after all.