Opinion: Time for an updated approach to cyber security
- 11 December, 2015 02:00
The "massive” cyber attack on the Bureau of Meteorology computers served as a timely reminder for corporates and government agencies to dump the ageing approach use to protect their IT infrastructure.
Many of these organisations have been employing a 20-year-old approach when it comes to IT security.
We need a new approach to tackle cyber security — one where a protective shield prevents hackers from gaining access to a network.
Let’s look at the traditional approach to cyber security.
The most basic and common security scenario at most SME organisations is to simply implement a firewall with a Network Address Translation (NAT) point that allows both egress traffic to reach the Internet (usually unhindered) from multiple devices/computers within a private network and ingress traffic to be ‘redirected’ to servers behind the firewall, often unchecked.
NAT was introduced and became commonplace in the mid to late ‘90s as the World Wide Web began to take effect and the Internet was cut the cost of communications, with one consequence being a depletion of the IPv4 address pool.
NAT was the most popular answer (compared to IPv6) to dealing with address depletion, and provided the convenience of allowing port address translation or port redirection — which had the adverse effect of directly exposing protected servers to the Internet.
An alternative, newer approach to combat the complacency and convenience of using insecure port redirections is the use of service access points designed specifically to act on behalf of, and therefore protect, the business critical servers themselves that reside on the private network.
In the standard port address translation model, ingress traffic (in a stream of packets) is redirected to the specified server directly without critical prior execution or examination of the request as a whole, including the payload (reassembled packets to a full request).
Traffic payloads are likely to be encrypted which prevents thorough examination until it reaches the private target server — which is also likely to be the target of an attack. A breach occurs in trusted network space and can spread rapidly.
We’re advocating a new approach which would allow for ‘closed port’ protective measures in an organisation’s security policy.
With a closed port strategy, the service access point is moved into the cloud and all external access is handled at this point — the service access point is able to communicate with servers in the protected network by establishing a link with the selected servers in the private network.
Requests are executed on the service access point and subsequently forwarded into the appropriate private/protected service on the network behind a 100 per cent closed port firewall.
Traffic is able to reach these services because of a virtual network that provides connectivity originating from behind the firewall relying on network address translation to establish connectivity to the now-external service access point.
All traffic is handled, executed and scrutinised by the service access point before being allowed to traverse the virtual network.
This is effectively known as 'privatising the last mile', as the connection between the cloud service access point and the private network is done over a VPN-type scenario.
Because the service access point is now external and is the only point through which traffic may pass into the private network, any breach of the service access point is also external to the private network.
If the service access point is appropriately designed and configured, it should be next to impossible for the attacker to use it as an avenue of further attack against the private network.
This approach also means that it is far easier to determine what should be allowed into the private network (solicited traffic) and what should be blocked (unsolicited). This primarily comes down to the firewall (Network Address Translation) point being 100 per cent closed so no direct attack can be made against the private network.
It’s time organisations shifted their ideas on best-practise security measures. It is no longer a simple case of installing a firewall and hoping for the best. They need to be held accountable for their security practises and must understand that the simple firewall approach no longer works.
Security is complex no matter which way you look at it. It's what organisations use to improve their approach without having an appropriate budget akin to Fortune 500 companies that is important. I believe it’s possible to implement cost-effective solutions that re-invent the approach taken to securing networks.
Charlie Gargett is iWebGate’s global chief technology officer.