Chapter 4. Network Access

Detection is critical to any security architecture. Sooner or later the enemy is going to compromise your organization, they have time and resources on their side. For effective detection, layers are critical. Intrusion-detection sensors, honeypots, and system logs play a key role in detection.

Lance Spitzner, Senior Security Architect, Sun Microsystems and Founder of the Honeynet Project

You are the CEO of a very young pharmaceutical company. You are gazing out the window of your large executive office, contemplating your upcoming IPO offering. Today, you're worth about $100,000 on paper. By next year when your top-secret new drug formula hits the market, you expect to be worth at least $5 million. Isn't life grand?

But wait. As you shift your attention to your e-mail queue, you notice a new security alert from your security group manager:

"INTRUDER ALERT. HACKER INTRUSION ON ADVANCED RESEARCH NETWORK."

With a quickly placed phone call, you learn that the hacker is running almost unattended through the network. Your experts know he's entered from an external connection, but no one can pin down which connection point he's used. Truth is, your network's grown so fast to keep up with your company's growth that no one really knows how many external connections there are. Your system administrators can track down the Internet connections. (Last year, you had one. This year, you have three.) But no one has any idea how many modem connections have been installed.

Sadly, that lack of knowledge is common. Just a few years ago, "remote access" for the average company was a few modems and maybe one connection to the Internet. Today, that same company might have a dozen connections to the Internet and hundreds of modem connections to the outside world.

Every day, new connections are being installed in offices and labs and employees are connecting from home. Customers requiring real-time data access need connections to your network too. In the rush to plug in, sometimes companies lose their ability to control external connections. As a result, the lines between the Internet, intranet, and extranet become blurred. It becomes hard or nearly impossible to tell where your network begins and ends.

Connecting to the outside world is like a snowstorm. It might begin with a few flurries, but it can quickly develop into a blizzard where you can't see beyond your own feet. If you don't control external connections, you can stumble or fall flat on your face fairly easily. Just consider...