Homogeneous and Heterogeneous Networks

There is an interesting dichotomy with respect to network security and network diversity. Homogeneous networks are easier to manage and configure, which is good for your organization's security in some ways. In other ways they are bad, because they offer a single point of compromise for a given piece of your IT infrastructure: one exploit that works against the standard build works against every host running it. The best example is in the area of desktop systems.

Today, the vast majority of organizations have standardized on Microsoft application and operating system software for the desktop. Microsoft Internet Explorer is the most popular web browser, and the various flavors of Microsoft Outlook are the most popular e-mail clients. Both of these products are built on popular Internet standards (SMTP, IMAP, POP3, HTTP, SSL, and so on). Setting aside the rise of website development that requires a specific browser, any standards-compliant web browser or e-mail client could be used instead of the Microsoft variants. Most organizations stay with Microsoft products, however, which leaves the entire organization vulnerable to a single well-written exploit for either of these applications.

This idea extends to the Internet as a whole. If I am a malicious virus writer, am I going to target less than 5 percent of the Internet's hosts by targeting Macintosh computers or am I going to try for the greater than 90 percent of the hosts running some variation of Microsoft Windows? The answer is obvious.

When the next worm comes out targeting Outlook, users of Eudora will be unaffected. This certainly doesn't increase security for organizations using Eudora, because they could still be targeted by different attacks, but it does make automated attacks much less likely to succeed against systems that are not running the most popular version of a given type of software.

Similarly, even though the DNS is an Internet standard and there are many different DNS implementations, the vast majority of DNS servers (including many of the root servers) run Berkeley Internet Name Domain (BIND). If an attacker were able to find a widespread problem with BIND, the DNS infrastructure could be seriously damaged. Verisign (a root name server operator) identified this as an issue and deployed a proprietary DNS server called ATLAS on its infrastructure. Although I don't like the idea of using code that hasn't seen broad security review in such a critical role, increasing heterogeneity for the Internet's DNS is a good thing. For more information, see the news article at the following URL: http://www.nwfusion.com/news/2002/133242_06-10-2002.html.

I'm not suggesting that organizations run out to migrate to OS/2 to increase their security, nor that you seek to add heterogeneous elements to your network. However, you should be aware of where homogeneity is helping you and where it might be hurting you.
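One way to see where homogeneity is hurting you is to measure it: the share of hosts in each role that a single exploit would reach. The script below is an added example, not code from the book; the inventory rows, the column names, the role names and the 80 percent threshold are all constructed assumptions for illustration.

```python
"""Estimate single-exploit reach from a software inventory.

Constructed example: the CSV below, its column names and the 80%
threshold are assumptions made for this illustration.
"""
from collections import Counter, defaultdict
import csv
import io

# Constructed inventory (host, role, product, version), not real data.
INVENTORY = """\
host,role,product,version
pc01,browser,Internet Explorer,6.0
pc02,browser,Internet Explorer,6.0
pc03,browser,Internet Explorer,6.0
pc04,browser,Mozilla,1.0
dns1,dns,BIND,9.2
dns2,dns,BIND,9.2
dns3,dns,BIND,8.4
mail1,mail_client,Outlook,2002
mail2,mail_client,Outlook,2002
mail3,mail_client,Eudora,5.1
"""


def load_inventory(text):
    """Parse CSV inventory text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def exposure_by_role(rows, key=("product",)):
    """For each role, the most common software key and the share of
    hosts in that role running it. key=("product",) models a flaw in
    the whole product line; key=("product", "version") models a flaw
    that affects only one version."""
    per_role = defaultdict(Counter)
    for r in rows:
        per_role[r["role"]][tuple(r[k] for k in key)] += 1
    result = {}
    for role, counts in per_role.items():
        total = sum(counts.values())
        target, n = counts.most_common(1)[0]
        result[role] = (target, n / total)
    return result


def monocultures(rows, threshold=0.8, key=("product",)):
    """Roles where one exploit would reach at least `threshold` of hosts."""
    return {role: hit for role, hit in exposure_by_role(rows, key).items()
            if hit[1] >= threshold}
```

Run with `key=("product",)` the DNS role is flagged (every server runs BIND); with `key=("product", "version")` nothing crosses the threshold, which is the version-diversity argument the chapter makes about BIND.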

Network Security Architectures
ISBN: 158705115X
Year: 2006
Pages: 249
Authors: Sean Convery