on August 27, 2007 by Wolf in Tech_Review
End-to-End Security – ProCurve Style
End-to-End Security
ProCurve by HP
From the perspective of a CSO
by Wolf Halton
The larger players in network-appliance vending have begun to address the issue of complete end-to-end security. For instance, how do you keep a mobile computer from infecting your network, presuming you are not using static addressing? Wouldn’t it be great if there was an automated system that checked each new node for up-to-date virus protection and security patches, approved software, and an approved and authenticated user? Wouldn’t it be great if the system automatically updated patches and AV and, if it could not update the AV, warned the user that they were out of compliance and would stay on a quarantined network segment until they had worked that out? And wouldn’t it be nice if it constantly monitored all nodes, in case somebody stuck in a USB drive with a sniffer program? Tall order, but there are several players in the game.
I went to a sales presentation by HP ProCurve, held at the Atlanta regional Microsoft offices. The event was billed as an “Exclusive Security Seminar.” I got notice from one of the online publishers to which I subscribe. The follow-up was excellent: I received a phone call and two informational follow-up emails from the publisher, and two anti-RSVP emails from the Microsoft office. “Anti-RSVPs” are notes requesting a response only in the event that you are not going to attend. Anti-RSVPs leave me with the impression that the people who aren’t coming are more important than the people who are coming.
An overarching issue in network security is the “M & M Effect”. Most network security is aimed at hardening the shell with perimeter firewalls and VPN tunnels so that trusted branch offices can communicate with the main servers. This is the M & M Effect because the network has a hard shell and a soft, creamy center: the assumption is that there is no need to protect inner LAN nodes from each other. The most-used method of separating inner LAN users from sensitive resources is virtual LANs that segment the network. The next step is to install Intrusion Detection Systems. These are great in theory, but they can often be complicated to configure and administer.
Ways to Protect the LAN from its Users
V-LANs to segment users from sensitive resources
Software firewalls on vulnerable machines. These are usually third-party firewalls, as the Windows Firewall is not manageable.
IDS applications, watching for unusual network activity. These can be set up to watch all network traffic or to watch for unusual activity within a single machine.
IPS applications, which can respond to events fitting the list of threat definitions in their threat library.
Anti-spam engines on individual machines, which may catch spam that slipped past the perimeter anti-spam applications.
Anti-virus applications that catch virus signatures that got past mail-server-based anti-virus, as well as self-inflicted spyware and trojans installed from web sites that users visit.
Assuming these internal LAN and stand-alone applications worked 100% of the time they were in use, and assuming that they were configured properly at installation, we are still left with the issue of managing all of these disparate and distributed systems.
If I had a donut for every time I found a machine with expired anti-virus or anti-spyware, outmoded firewall ACLs, security software installed but not configured, or no security at all, I would weigh 8000 pounds. This is an “expectation management issue.” Most people who use computers think they are like toasters with keyboards. They expect a computer to just work flawlessly, and they don’t expect to have to learn anything about their computer to use it adequately. Toasters actually come with instruction books, but almost as many people read those as read the instruction books that come with their computer. This is the same way they expect their cars to run. They know that there are people who know all about cars, but they do not consider that race car engines are rebuilt after every race, or that there are whole categories of employment devoted to the development and construction of the vehicle they trust their life to every day, a vehicle that hasn’t had an oil change in four years.
They know there is a good deal of complexity that they could learn about related to their computer – in the same way that they know that auto manufacture and maintenance is complex – but the assumption is that in normal use their computer will work without all of this discovery and knowledge.
Management of an organization’s desktops and servers cannot be left to people with this mindset. Most organizations have traditionally employed technicians to run from computer to computer updating protection and making sure that the stand-alone machines have not become infected in the interval between service calls. This great tradition is running into problems of time and cost. It is a very expensive exercise program for technicians, and it does not provide acceptable protection against the growing number of worms and Trojans: a worm such as Sasser spread around the world within hours of its release, far faster than any service-call rotation. The cost of having enough first-tier technicians to combat such speedy attacks is prohibitive. What we need is centralized management, so the technicians can use their time more efficiently. The more IT departments are down-sized, the less of this running will be possible.
ProCurve has developed a standards-based, centrally-controlled switch system. This is their entry into the “adaptive network”. An adaptive network is not just a fancy DHCP server. Adaptive networks can identify new nodes on the network; scan their hardware, operating system and software to ascertain whether the new node should be given any access at all; and, if the node is deemed acceptable, decide which resources it will be allowed to reach.
Cisco, Juniper, ImageStream, and LANDesk have developed similar systems. The monitor client on each node is the linchpin of all of these systems. If the new node does not communicate with the central management application, the only thing that can be done is to block all access, or to quarantine the new node until the client can be loaded and the node can be scanned and made acceptable. Almost all of these node-discovery systems are designed for large and extra-large organizations; the per-node licenses are prohibitively expensive for smaller organizations. There are a few open-source projects developing clients for node-discovery systems like this. Zabbix has been around for a couple of years, and recently Symantec started an open-source discovery-client project. These ought to reduce the cost of implementing such a system. ProCurve says their system is cost-effective in networks of as few as 50 desktops.
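The admission logic described above (check AV, patches, software and the user; auto-update where possible, quarantine with a warning where not; re-check every node continuously) is easy to state but worth seeing as an actual decision procedure. The following is an added illustration written for this review, not ProCurve’s, HP’s or any vendor’s code: the posture-report fields, the thresholds, the VLAN numbers, the patch names and the sample hosts are all constructed assumptions.

```python
"""Posture-based admission control for an adaptive network.

Added example, not vendor code. Every field, threshold, VLAN number and
sample node below is a constructed assumption for illustration.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

# Assumed policy constants.
MAX_SIGNATURE_AGE = timedelta(days=3)           # AV definitions older than this are stale
REQUIRED_PATCHES = {"KB-A", "KB-B"}             # constructed patch identifiers
APPROVED_SOFTWARE = {"office", "browser", "av-agent"}
PRODUCTION_VLAN = 10
QUARANTINE_VLAN = 999                           # only remediation servers live here


@dataclass
class Posture:
    """What the controller learns about a node (constructed schema, not a real agent's)."""
    host: str
    user_authenticated: bool                    # 802.1X/RADIUS result for the port
    av_signature_date: Optional[date]           # None: no AV agent is reporting at all
    installed_patches: set = field(default_factory=set)
    software: set = field(default_factory=set)
    auto_update_possible: bool = True           # can the controller push AV/patch updates now?


@dataclass
class Decision:
    vlan: Optional[int]                         # None: the port stays unauthorized
    reasons: list = field(default_factory=list)     # why the node is not on production
    remediation: list = field(default_factory=list) # what the user is told to do
    actions: list = field(default_factory=list)     # automatic fixes applied before deciding


def evaluate(p: Posture, today: date) -> Decision:
    d = Decision(vlan=None)
    # 1. Identity first: an unauthenticated user is a stranger, not a compliance problem.
    if not p.user_authenticated:
        d.reasons.append("user not authenticated")
        d.remediation.append("authenticate on the port (802.1X)")
        return d
    # 2. Antivirus: push an update if we can, otherwise quarantine and say why.
    if p.av_signature_date is None:
        d.reasons.append("no antivirus agent reporting")
        d.remediation.append("install the AV agent")
    elif today - p.av_signature_date > MAX_SIGNATURE_AGE:
        if p.auto_update_possible:
            d.actions.append("pushed current AV definitions")   # push simulated by recording it
        else:
            d.reasons.append("antivirus definitions stale and cannot be updated")
            d.remediation.append("update AV definitions from the quarantine server")
    # 3. Patches: same rule as AV.
    missing = REQUIRED_PATCHES - p.installed_patches
    if missing:
        if p.auto_update_possible:
            d.actions.append("installed " + ", ".join(sorted(missing)))
        else:
            d.reasons.append("missing patches: " + ", ".join(sorted(missing)))
            d.remediation.append("install missing patches from the quarantine server")
    # 4. Software inventory: anything off the allow-list (say, a sniffer) is never auto-fixed.
    unapproved = p.software - APPROVED_SOFTWARE
    if unapproved:
        d.reasons.append("unapproved software: " + ", ".join(sorted(unapproved)))
        d.remediation.append("remove the software and re-scan")
    d.vlan = PRODUCTION_VLAN if not d.reasons else QUARANTINE_VLAN
    return d


def sweep(nodes, today: date) -> dict:
    """Continuous monitoring: re-evaluate every known node, not just new arrivals,
    so a node that was clean at admission is demoted when its posture changes."""
    return {p.host: evaluate(p, today) for p in nodes}


# Constructed sample nodes for a sweep on 2007-08-27.
TODAY = date(2007, 8, 27)
SAMPLE_NODES = [
    Posture("ws-01", True, TODAY, {"KB-A", "KB-B"}, {"office", "browser", "av-agent"}),
    Posture("ws-02", True, TODAY - timedelta(days=10), {"KB-A"}, {"office", "av-agent"}),
    Posture("ws-03", True, TODAY - timedelta(days=10), {"KB-A", "KB-B"},
            {"office", "av-agent"}, auto_update_possible=False),
    Posture("ws-04", True, TODAY, {"KB-A", "KB-B"}, {"office", "av-agent", "sniffer"}),
    Posture("ws-05", False, TODAY, {"KB-A", "KB-B"}, {"office", "av-agent"}),
]

if __name__ == "__main__":
    for host, d in sweep(SAMPLE_NODES, TODAY).items():
        print(host, d.vlan, d.reasons, d.actions)
```

The ordering matters: identity is checked before posture, because a posture report from an unauthenticated node is not worth trusting; and an unapproved program is never “fixed” automatically, since the controller has no way to know whether the sniffer on ws-04 is a user’s mistake or an attacker’s tool. On the sample data ws-01 lands on the production VLAN untouched, ws-02 is brought into compliance by the automatic pushes and admitted, ws-03 and ws-04 go to quarantine with a reason the user can act on, and ws-05 gets no VLAN at all.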
The real heart of the ProCurve system is the Network Access Controller 800. The NAC800 gives you granular control all the way down to a single RJ-45 port on a switch (as long as it is a ProCurve switch). The NAC800 also hinders man-in-the-middle attacks between the NAC and the switch by setting up an encrypted tunnel between the two ports involved.
The NAC800 uses access rules that are set at a single, central dashboard for all network access controllers. The dashboard works with firewalls and routers from some other manufacturers as well as all ProCurve firewalls and routers. This central control and interoperability suggests that you might not need to upgrade or replace as much hardware if you adopt the NAC800. VP John McHugh of ProCurve says the NAC800 and the data aggregation software is not intended to be a cure-all solution. He says no company has gotten that far and he doesn’t expect to see it any time soon.
Pros and Cons
Uh-oh!
The main drawback to the system is that the central console runs only on a Windows Server platform, which promotes vendor lock-in not only with ProCurve but also with Microsoft. A solution that could be compiled to run on other OS platforms would let users choose the most secure platform. What happens if somebody manages to hack the server OS under your NAC controller? Whoever controls the controller controls admission to the whole network.
The second drawback is that it is a solution tuned for organizations with 50 or more desktops. Smaller organizations would not realize as much benefit.
Yeah!
The main argument in favour of the system is the reduction of some of the busywork associated with maintaining all the stand-alone systems. Central control also reduces the complexity of managing individual switch and router ACLs.
The next argument in favour is that it is designed as a clientless system, which means new nodes on the network do not need a client application installed for the monitoring to work.
André Kindness, CISSP, ProCurve Security Engineer, says the system will make use of Intel’s ID chip when it is more widely available, which means potential threats can be detected and countered earlier. The Intel chip will report its information to the network whether the computer it is mounted in is switched on or not, as long as the computer is plugged into power and has a network connection.
It is standards-based rather than proprietary, including the emerging standards 802.1X, 802.1AE and 802.1af.
802.1X is the port-based network access control standard: the switch port stays closed until the node (or its user) authenticates, typically with EAP against a RADIUS server.
802.1AE (MACsec) and its key-agreement companion 802.1af provide encryption and integrity protection of frames between the NAC and the switch at OSI layer 2. This datalink-level encryption is not a straight replacement for SSL; the two protect different things. SSL/TLS runs above TCP (layer 4) and protects only the application sessions that use it, whereas MACsec covers every frame on the protected link, including ARP, DHCP and any other traffic that never passes through SSL. The trade-off is scope: MACsec protects one link hop by hop, not the end-to-end path.
It is surprising that ProCurve, with HP’s history of HP-UX and mainframe server manufacture, doesn’t offer its security software as source code for installation on UNIX/Linux servers. One clue to this mystery may be that ProCurve is the only global partner to Microsoft’s Technology Centers. These are labs in 14 cities around the world where ProCurve customers can load-test software on ProCurve networking equipment on a Gigabit Ethernet network offering 802.11g WLAN and 802.1X security on segmented VLANs.
These are impressive lab facilities, but they are hosted on Microsoft premises, so the impression I got is that the network operating system is all Microsoft, all the time. This is understandable, and the arrangement will make it easier for ProCurve customers to see in real time how ProCurve will work with their Windows network requirements. But it does frame the discussion in a way that precludes any conversation about the inherent vulnerabilities of Windows platforms, and so removes the possibility of a conversation about reducing network security complexity by changing to a more secure operating system. Microsoft’s recent interest in Novell SuSE Linux may reverse this trend, and I am looking forward with interest to seeing how the next few years unfold.
About the Author:
Michael ‘Wolf’ Halton AB, MSc wolf@networkdefense.biz
Professional Speaker on topics of Internet Security, Linux adoption, Spam-relief strategies and Painless Grad-School Progress.
Writer on Security and Web Strategy. Recent work Computer Security and Penetration Testing, with Alfred Basta
CEO, Halton Security Institute – providing security consulting, web strategy, hardware and software configuration services, project management and guidance to clients in the medical, real estate and entertainment industries.