Part One: Perimeter Defenses
Few phrases, places or words inspire thoughts of uncrackable security more than “Fort Knox.” Officially known as the United States Bullion Depository, Fort Knox has long been regarded as the most secure facility in the world. When World War II broke out, not only were the Constitution and Declaration of Independence moved to the facility, but so were Queen Elizabeth’s crown jewels.
Since Fort Knox began guarding the nation’s gold in 1936, there have been no published robbery attempts. The facility is protected by layers of fences patrolled by soldiers armed with automatic weapons in close proximity to tanks and Apache helicopters. Many parallels can be drawn between the physical security at Fort Knox and network security best practices. Over the next several weeks, I will be discussing each of these parallels through a series of blog posts.
Let’s start our discussion by looking at perimeter defenses.
Firewall at the Border
When used outside of computer circles, the word “firewall” refers to a barrier designed to prevent fire from spreading from one compartment to another. Early deployments of network firewalls had a nearly identical purpose. Firewalls were created to keep network problems (like worms) from jumping from one network segment to another.
In enterprise networks, firewalls are deployed at the “border” between the network and the Internet (or other networks). Best practices require that firewalls start by blocking all traffic, and then “holes” are created allowing access to specific network resources and services. The access control lists (ACLs) on firewalls limit the resources that outsiders can reach.
In physical security, these “holes” in the wall are known as gates. At the gates of Fort Knox there are armed guards screening entrants and protecting the exposed section of the facility. Firewalls in and of themselves do not have these guarding abilities. (In subsequent installments of this series, we’ll examine techniques and technologies that can shore up security at these “gates.”)
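The default-deny ACL described above, as an added illustration that is not part of the original post: rules are evaluated first-match, anything not explicitly permitted falls through to an implicit deny, and a second helper flags rules that an earlier, broader rule makes unreachable (a common way a “hole” ends up wider or narrower than intended). Addresses, rule names and the sample flows are constructed for the example and are not from any real firewall configuration.

```python
# Added illustration: a first-match, default-deny access control list.
# All rules, addresses and flows below are constructed for this example.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    src: str    # source IP
    dst: str    # destination IP
    proto: str  # "tcp" or "udp"
    dport: int  # destination port


@dataclass(frozen=True)
class Rule:
    action: str           # "permit" or "deny"
    src: str              # source network in CIDR notation
    dst: str              # destination network in CIDR notation
    proto: str            # "tcp", "udp" or "any"
    dport: Optional[int]  # None means any destination port
    name: str = ""

    def matches(self, f: Flow) -> bool:
        return (ip_address(f.src) in ip_network(self.src)
                and ip_address(f.dst) in ip_network(self.dst)
                and self.proto in ("any", f.proto)
                and (self.dport is None or self.dport == f.dport))

    def covers(self, other: "Rule") -> bool:
        """True if every flow 'other' could match is already matched by self."""
        return (ip_network(other.src).subnet_of(ip_network(self.src))
                and ip_network(other.dst).subnet_of(ip_network(self.dst))
                and self.proto in ("any", other.proto)
                and (self.dport is None or self.dport == other.dport))


def evaluate(acl: List[Rule], f: Flow) -> str:
    """First matching rule wins; a flow that matches no rule is denied.

    The returned string names the deciding rule so denied flows can be
    logged and reviewed, which is how you notice an unexpected 'hole'.
    """
    for rule in acl:
        if rule.matches(f):
            return f"{rule.action}:{rule.name}"
    return "deny:implicit-default"


def shadowed_rules(acl: List[Rule]) -> List[Tuple[str, str]]:
    """Return (shadowed_rule, shadowing_rule) pairs: rules that can never fire
    because an earlier rule already covers everything they would match."""
    found = []
    for i, later in enumerate(acl):
        for earlier in acl[:i]:
            if earlier.covers(later):
                found.append((later.name, earlier.name))
                break
    return found


# Constructed border ACL: explicit holes for a public web server and a mail
# relay. Everything else, including SSH to the web server, hits the implicit deny.
BORDER_ACL = [
    Rule("permit", "0.0.0.0/0", "203.0.113.10/32", "tcp", 443, "public-https"),
    Rule("permit", "0.0.0.0/0", "203.0.113.20/32", "tcp", 25, "inbound-smtp"),
    # Narrower than public-https and listed after it, so it never fires.
    Rule("permit", "198.51.100.0/24", "203.0.113.10/32", "tcp", 443, "partner-https"),
]

if __name__ == "__main__":
    for flow in (Flow("198.51.100.7", "203.0.113.10", "tcp", 443),
                 Flow("198.51.100.7", "203.0.113.10", "tcp", 22),
                 Flow("192.0.2.5", "203.0.113.20", "tcp", 25),
                 Flow("192.0.2.5", "203.0.113.10", "udp", 53)):
        print(flow, "->", evaluate(BORDER_ACL, flow))
    print("shadowed:", shadowed_rules(BORDER_ACL))
```

The implicit deny at the end of `evaluate` is the part that makes the list “start by blocking all traffic”; every permit is a deliberately opened hole, and the shadow check is the audit a practitioner runs before trusting that the holes are the ones they think they opened.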
Network Access Control at the Edge
The border of the network is where outsiders attempt to gain access to resources. When internal enterprise users log into the network, they aren’t coming in via the border; they are obtaining access at the “edge” of the network. The edges of the network include internal network switches, wireless access points and virtual private networks (VPNs). The firewall protects against outsider threats, while network access control (NAC) protects against insider threats.
Insiders at Fort Knox would be screened for access by checking access badges (something they have), passwords (something they know) and biometrics (something they are). Once they have proven their identity (known as authentication), records are checked to determine whether they should be allowed on the facility, and which areas they should be able to access (this is authorization).
NAC solutions like Cisco’s Identity Services Engine (ISE) perform similar functions on devices as they attempt to come onto the network. ISE evaluates the host and user and grants access to select network resources. Risk can be mitigated by performing intelligent screening and authorization.
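The authenticate-then-authorize sequence described above, as an added example that is not from the original post and does not use ISE or any vendor API. Two factors are checked (a password as “something they know” and a challenge-response badge as “something they have”), and only then is a separate policy consulted to decide which network segments the device may reach; a valid user whose device fails the posture check is parked in a remediation segment. The user directory, secrets, nonce and policy table are all constructed for the example.

```python
# Added illustration of NAC-style admission: authenticate first, authorize second.
# Directory records, secrets and the policy table are constructed for this example.
import hashlib
import hmac
from typing import Dict, List, Optional


def _pw_hash(password: str, salt: bytes) -> bytes:
    """Password verifier ("something they know"); PBKDF2 so stored values are not plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


# Constructed directory. Real salts and badge secrets are random and held
# server-side; fixed values here keep the example reproducible.
_SALT = b"constructed-salt"
USERS: Dict[str, dict] = {
    "alice": {"pw": _pw_hash("correct horse battery", _SALT), "salt": _SALT,
              "badge_secret": b"alice-badge-secret", "role": "vault-staff"},
    "bob":   {"pw": _pw_hash("bob-password", _SALT), "salt": _SALT,
              "badge_secret": b"bob-badge-secret", "role": "contractor"},
}
# Dummy record so an unknown user costs the same work as a known one.
_DUMMY = {"pw": _pw_hash("dummy", _SALT), "salt": _SALT,
          "badge_secret": b"dummy", "role": None}

# Authorization policy: segments each role may reach once the device is compliant.
POLICY: Dict[str, List[str]] = {
    "vault-staff": ["corp-lan", "vault-mgmt"],
    "contractor": ["corp-lan"],
}


def badge_response(badge_secret: bytes, nonce: bytes) -> str:
    """What a badge ("something they have") answers to a fresh server nonce."""
    return hmac.new(badge_secret, nonce, hashlib.sha256).hexdigest()


def authenticate(user: str, password: str, nonce: bytes, response: str) -> Optional[str]:
    """Return the user's role if both factors verify, otherwise None."""
    rec = USERS.get(user, _DUMMY)
    pw_ok = hmac.compare_digest(_pw_hash(password, rec["salt"]), rec["pw"])
    badge_ok = hmac.compare_digest(badge_response(rec["badge_secret"], nonce), response)
    return rec["role"] if (pw_ok and badge_ok and rec is not _DUMMY) else None


def authorize(role: str, posture_compliant: bool) -> List[str]:
    """Authenticated is not authorized: a non-compliant device is isolated
    for remediation regardless of who is logged in."""
    if not posture_compliant:
        return ["remediation"]
    return POLICY.get(role, [])


def admit(user: str, password: str, nonce: bytes, response: str,
          posture_compliant: bool) -> List[str]:
    """Edge admission decision; an empty list means the device is not admitted."""
    role = authenticate(user, password, nonce, response)
    if role is None:
        return []
    return authorize(role, posture_compliant)


if __name__ == "__main__":
    nonce = b"constructed-nonce"
    resp = badge_response(b"alice-badge-secret", nonce)
    print("alice, compliant:", admit("alice", "correct horse battery", nonce, resp, True))
    print("alice, non-compliant:", admit("alice", "correct horse battery", nonce, resp, False))
    print("alice, bad password:", admit("alice", "wrong", nonce, resp, True))
```

Keeping `authenticate` and `authorize` as separate steps mirrors the badge check followed by the records check at the gate: proving who you are earns you nothing by itself, and the posture gate shows how NAC screens the host as well as the user.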
NAC, like firewalls, has limitations. Once a device is on the network, it may attempt to circumvent security and perform unauthorized actions. This is the same type of issue facing Fort Knox. The real threat to the facility does not come from outsiders but from insiders who have been persuaded to do wrong.
The first lesson we can apply to our networks from Fort Knox is that we need to have secure perimeters. As we continue our discussions, we’ll see how additional lessons from the world’s most fortified vault can help reduce risks on our computer networks.